Cyber Security December 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.


  1. Tomi Engdahl says:

    New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps

  2. Tomi Engdahl says:

    Malaysian government targeted with mash-up espionage toolkit

    An interview with ESET researchers Tomáš Gardoň and Filip Kafka on their research of a malware toolkit used in espionage against the Malaysian government

  3. Tomi Engdahl says:

    Justice Department accuses Chinese spies of hacking into dozens of US tech and industry giants

    The Justice Department has unsealed a damning indictment that links to spies working for the Chinese government an aggressive campaign to hack into U.S. tech and industry giants.

  4. Tomi Engdahl says:

    Idiots with drones shut down the UK’s second largest airport — again

    A new ‘suspected drone sighting’ briefly shut down air traffic at Gatwick Airport yet again, diverting more flights.

  5. Tomi Engdahl says:

    Will Oremus / Slate:
    Facebook has forfeited our trust to the point that we see nefarious motives in any misstep, as some overblown reactions to Spotify and Netflix integrations show

    What the NYT’s Facebook Investigation Really Tells Us

    Facebook may or may not have lost its handle on our data. But it has definitely lost its handle on the public narrative—and the benefit of the doubt.

    There were many important and troubling revelations in the New York Times’ latest investigation into Facebook’s privacy practices. There were others that seem less sinister the closer you look at them.

    Perhaps more important than either, however, was how the story resonated and what people took from it—which, in many cases, was far more than it actually proved. People didn’t just get mad; they got not-gonna-take-this-anymore mad.

    Above all, what the story and its fallout tell us is this: Any benefit of the doubt that Facebook once enjoyed—from the media, the government, the tech-savvy public—is long gone. And that’s a bigger blow than any EU penalty or FTC fine the social network could incur.

    For instance, the Times reported that Facebook struck deals with several companies that allowed for the sharing of users’ contact lists and address books, partly to enhance Facebook’s shady “People You May Know” recommendation engine. One of those partners was the Chinese firm Huawei, which the U.S. government views as a national cybersecurity risk.

    Facebook also had a partnership with the Russian tech firm Yandex, which is suspected of Kremlin ties, that gave it access to Facebook user IDs. And not only did it sling user data around, the company failed to reel it back in once its partners no longer needed it.

    All of which is deeply disconcerting, even if the concrete harms remain speculative at this point. (No evidence has yet surfaced that Facebook’s partners misused the data, though it’s certainly possible.)

    We now know that Facebook’s carelessness with users’ information, highlighted in March by the Cambridge Analytica scandal

    the most alarming new details in the New York Times story, such as agreements that allowed Netflix and Spotify to “read, write, and delete users’ private messages,” appear to have been wildly overblown.

    A response from Facebook on Wednesday evening explained that these permissions were about allowing Facebook users to read, write, and delete their own Facebook messages from within Netflix and Spotify once they linked their accounts and logged in.

    Such nuance did not come across clearly in the Times story and was often lost completely in the public conversation that swirled around it

  6. Tomi Engdahl says:

    To be clear, Facebook has earned this mistrust, even if it hasn’t earned all of the specific outrages that have been levied against it.

  7. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Blind, an anonymous chat app used by staff at companies like Apple, Facebook, Google, and Uber, left one database server exposed from Nov. 1 to Dec. 19 — One of the company’s servers was exposed without a password for weeks

    At Blind, a security lapse revealed private complaints from Silicon Valley employees

    One of its servers storing user data and messages was exposed without a password

    Blind left one of its database servers exposed without a password, making it possible (for anyone who knew where to look) to access each user’s account information and identify would-be whistleblowers.

    The exposed server was found by a security researcher, who goes by the name Mossab H, who informed the company of the security lapse.

    Blind said the exposure only affects users who signed up or logged in between November 1 and December 19

    Blind only pulled the database after TechCrunch followed up by email a week later. The company began emailing its users on Thursday after we asked for comment.

    Kim said there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion.

    At its core, the app and anonymous social network allows users to sign up using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “only used for verification”

    But after reviewing a portion of the exposed data, some of the company’s claims do not stand up.

    We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts.

    Blind claims on its website that its email verification “is safe, as our patented infrastructure is set up so that all user account and activity information is completely disconnected from the email verification process.”

    Many records did, however, contain plain text email addresses.

    The database also contained passwords, which were stored as an MD5 hash, a long-outdated algorithm that is nowadays easy to crack. Many of the passwords were quickly unscrambled using readily available tools

    “The MD5 keys were a log and it does not represent how we are managing data. We use more advanced methods like salted hash and SHA2 on securing users’ data in our database.”

    Login records in the database also stored user account access tokens — the same kind of tokens that recently put Microsoft and Facebook accounts at risk.
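The Blind story above contrasts unsalted MD5 with "salted hash and SHA2" storage. The following audit is an added example, not code from the article or from Blind: it flags stored credentials that look like raw MD5, shows why one precomputed table resolves such records for every user at once, and verifies the salted alternative (PBKDF2-HMAC-SHA256 is assumed here as the concrete salted SHA-2 construction; the iteration count, users, passwords and wordlist are all constructed for the example).

```python
import hashlib
import hmac
import os
import re

# Assumed parameters for the salted scheme; example choices, not Blind's settings.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def md5_hex(password):
    """Unsalted MD5 hex digest: the storage format the exposed log used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def looks_like_unsalted_md5(stored):
    """A bare 32-hex-char value with no scheme, salt or cost field is raw MD5."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def build_md5_lookup(wordlist):
    """Precompute hash -> word once. Without salts, one table covers every user,
    which is why unsalted MD5 records fall to readily available tools."""
    return {md5_hex(word): word for word in wordlist}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def audit_records(records, wordlist):
    """Classify each stored credential.

    unsalted_md5_in_wordlist: raw MD5 that a precomputed table resolves instantly
    unsalted_md5:             raw MD5 not in this wordlist (still weak, just unmatched)
    salted_pbkdf2:            per-record salt plus a slow hash; no shared table applies
    """
    table = build_md5_lookup(wordlist)
    findings = {}
    for user, stored in records.items():
        if looks_like_unsalted_md5(stored):
            findings[user] = "unsalted_md5_in_wordlist" if stored in table else "unsalted_md5"
        elif stored.startswith(SCHEME + "$"):
            findings[user] = "salted_pbkdf2"
        else:
            findings[user] = "unknown_format"
    return findings


# Constructed sample data: made-up users, passwords and wordlist for the example.
COMMON_WORDS = ["password", "password123", "qwerty", "letmein"]
SAMPLE_RECORDS = {
    "alice@example.com": md5_hex("password123"),        # raw MD5 of a common word
    "bob@example.com": md5_hex("Tr0ub4dor&3-unique"),   # raw MD5, not in the wordlist
    "carol@example.com": hash_password("password123"),  # same password as alice, salted
}

if __name__ == "__main__":
    for user, finding in audit_records(SAMPLE_RECORDS, COMMON_WORDS).items():
        print(f"{user}: {finding}")
```

Note that alice and carol share a password: the MD5 record is matched by the table immediately, while the salted record gives no such shortcut and each re-hash produces a different stored value.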

  8. Tomi Engdahl says:

    Pranav Dixit / BuzzFeed News:
    Indian government downplays its order that seemingly authorizes ten government agencies to monitor, intercept, and decrypt data on all computers in the country — India’s Ministry of Home Affairs, a federal government authority that controls the country’s internal security …

    India’s Government Denies Telling Federal Agencies They Can Snoop On Every Computer, Despite An Order That Seemingly Says They Can
    “Welcome to 1984.”

    An uproar broke out in India’s parliament on Friday after the Ministry of Home Affairs, a federal government authority that controls the country’s internal security, seemingly authorized 10 government agencies — including federal intelligence and law enforcement agencies — to monitor, intercept, and decrypt all data on all computers in the country.

    The governmental order detailing the powers immediately drew strong criticism from both India’s privacy activists and its opposition parties, who said it enabled blanket state surveillance and violated the fundamental right to privacy that India’s 1.3 billion citizens are constitutionally guaranteed.

    India’s Information Security Act has allowed agencies to invoke surveillance measures in the interest of national security since 2008

    “George Orwell’s Big Brother is here,” tweeted Asaduddin Owaisi

  9. Tomi Engdahl says:

    An Apology and an Update

    Two days ago, we updated our system for applying location information to comply with U.S. trade embargoes and economic sanctions regulations.

    Soon after updating, we discovered that we made a series of mistakes and inadvertently deactivated a number of accounts that we shouldn’t have.

  10. Tomi Engdahl says:

    WhatsApp has an encrypted child porn problem
    Facebook fails to provide enough moderators

    WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems.

  11. Tomi Engdahl says:

    Facebook has a plan to track you offline

    This week a plan for a future Facebook app feature was revealed in a patent for “Office Trajectories” by the USPTO. In this patent, Facebook detailed a method for determining the current location of an individual – even when their phone is turned off and/or their GPS is deactivated. How might Facebook achieve this, you might scream? They’ll just use all the information you’ve already given them, jam it all in a computer with Machine Learning, and spit out the most likely location – it’s easy, really!

    we can go right on ahead and file the fact that this exists under our “We’re Being Tracked” file. Yes, Uncle Jimmy, you are being tracked, just like you always thought you were – but not by the government. You’re being tracked by the companies you use to share and communicate with friends and family.

    Facebook has filed patents to predict our future locations

    Facebook filed a patent, titled “Offline Trajectories,” last week in which it proposes predicting users’ “location trajectories” – in other words, where we’re likely headed. Knowing when we’re about to hurtle into a no-WiFi-connection limbo means Facebook can “prefill” our phones with content and ads.

    It knows enough to know a lot more

  12. Tomi Engdahl says:

    Nest camera hacker threatens to kidnap baby, spooks parents

    “I’m in your baby’s room,” the hacker said. But the baby was alone and safe.

  13. Tomi Engdahl says:

    Electric Vehicle Charging Stations Open to IoT Attacks

    Flaws could allow an attacker to stop or start a home charging station, or even change the current in order to start a fire.

    Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations.

    The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.

  14. Tomi Engdahl says:

    A foul-mouthed parrot uses Amazon’s Alexa to order things when his owner is away

    A parrot that was kicked out of an animal sanctuary for swearing too much is in trouble again, but this time, for a different reason.

    He enjoys chatting with Alexa on his owner’s Amazon Echo so much so that he keeps using it to order things.

    According to the Sun, Rocco has ordered strawberries, watermelon, raisins, broccoli and ice cream, as well as a kite, kettle and light bulbs.

  15. Tomi Engdahl says:

    Mathematicians Seal Back Door to Breaking RSA Encryption

    Digital security depends on the difficulty of factoring large numbers. A new proof shows why one method for breaking digital encryption won’t work.

    Does this mean RSA encryption is in trouble? Actually, no. The reason for this has to do with the new proof about polynomials. The mathematicians Emmanuel Breuillard and Péter Varjú of the University of Cambridge proved that as polynomials with only 0 and 1 as coefficients get longer, they’re less and less likely to be factorable at all. And if a polynomial can’t be factored, it can’t be used to identify the prime factors of the number it’s based on.

  16. Tomi Engdahl says:

    Huawei Router Flaw Leaks Default Credential Status

    It makes it simple for attackers to find devices to take over and add to botnets.

    A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.

    CVE-2018-7900 exists in the router panel and allows credentials information to leak – so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of the devices having default passwords – no need for brute-forcing or running the risk of running into a generic honeypot.

  17. Tomi Engdahl says:

    Using Facebook’s latest privacy stumble, lawmakers push for strong FTC oversight

    Lawmakers are again unhappy with Facebook after the latest big story again portraying Facebook’s failure to protect the private data of its users.

    Yesterday, the New York Times reported that the company had special relationships with a handful of major tech companies, including Amazon, Microsoft and Spotify.

  18. Tomi Engdahl says:

    Phone repair shop employees accused of stealing nude photos

    Ever broken your phone screen? Had your computer fritz? Ever taken a device to a repair shop? Ever been asked for your password when you hand it over? Ever wonder whether the shop workers lift the lid to rifle through your little treasure chest of personal data?

  19. Tomi Engdahl says:

    Amazon’s Creepy Facial Recognition Doorbell Will Surveil Entire Neighborhood From People’s Front Doors

    At first glance of Amazon’s new patent application, one would be tempted to think it no more than a built-in “smart” security system.

    But no, this facial recognition surveillance doorbell does a lot more than record would-be thieves.

    Amazon is dreaming of a dangerous future, with its technology at the center of a massive decentralized surveillance network, running real-time facial recognition on members of the public using cameras installed in people’s doorbells. –Jacob Snow, ACLU

  20. Tomi Engdahl says:

    Chrome OS to block USB access while the screen is locked

    Google takes steps to protect Chromebooks from some types of physical access attacks.

  21. Tomi Engdahl says:

    Chinese websites have been under attack for a week via a new PHP framework bug

    PoC for ThinkPHP security flaw sparks furious scans for vulnerable sites, most of which are based in China.

    The attacks have targeted websites built with ThinkPHP, a Chinese-made PHP framework that is very popular among the local web development scene.

    All attacks started after Chinese cyber-security firm VulnSpy posted a proof-of-concept exploit for ThinkPHP on ExploitDB, a website popular for hosting free exploit code.

    “The PoC was published on December 11, and we saw internet-wide scans less than 24 hours later,” Troy Mursch, co-founder of Bad Packets LLC told ZDNet today.

    Four other security firms – F5 Labs, GreyNoise, NewSky Security, and Trend Micro – have also reported similar scans

  22. Tomi Engdahl says:

    UK police release airport drone suspects and admit there may not have been any drones after all

    Less than a week after mystery drones grounded flights at the U.K.’s second largest airport, wreaking havoc on as many as 140,000 people’s travel plans for the Christmas period, police have admitted that there may in fact not have been any drones at all.

    “always a possibility that there may not have been any genuine drone activity in the first place.”

    Indeed, the police are reliant on eyewitness accounts — 67 of them

    it remains unclear exactly what did take place.

  23. Tomi Engdahl says:

    Apple approved more than 25,000 government requests to access customer data in the first half of 2018, according to its own figures.

  24. Tomi Engdahl says:

    German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?

    We won’t be having a word with local firms until then

    Germany’s top cybersecurity official has said he hasn’t seen any evidence for the espionage allegations against Huawei.

  25. Tomi Engdahl says:

    DNA, genetic genealogy made 2018 the year of the cold case: ‘Biggest crime-fighting breakthrough in decades’

    Law enforcement’s new partnership with genetic genealogy made 2018 a year of profound impact in how years-old cold case murders and rapes are investigated and solved.

    Detectives across the country said they were able to locate suspects in 28 cold cases this year after uploading crime scene DNA to, a public genealogy website, obtaining a match and then letting a genealogist create family trees through painstaking research that ultimately led to a suspect.

  26. Tomi Engdahl says:

    Two-factor authentication can save you from hackers

    If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

    In all, it usually only adds a few extra seconds to your day.

  27. Tomi Engdahl says:

    Disable SSID Broadcast to Hide Your Wi-Fi Network

    Does turning off SSID Broadcast improve your home network security?

    Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi-Fi network but before you do, be aware of the pros and cons.

    While it’s technically a better decision to keep your SSID hidden away, it’s not a fool-proof security measure. A hacker with the right tools and enough time can sniff out the traffic coming from your network, find the SSID and continue on their hacking way.

    Should You Disable SSID Broadcast On Your Home Network?
    Home networks don’t require the use of a visible SSID unless it’s using multiple access points that devices are roaming between.

    If your network uses a single router, deciding whether to turn off this feature boils down to a trade-off between the potential security benefits and a loss of convenience in setting up new home network clients.

  28. Tomi Engdahl says:

    How to protect your cell phone number and why you should care

    Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

    You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

    Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.

  29. Tomi Engdahl says:

    Ooops, Did We Just Close An Airport Over A UFO Sighting?

    An airport worker at Gatwick — London’s second international airport — sees something fly past in the gloom above the floodlights. The weather and darkness make it difficult to see what the object was, but the report is phoned in to security. What was it?

    Thousands of people across the site are put on alert, watching for the drone. And of course, the drone reports roll in, and the story takes on a life of its own. People who have no idea what a drone looks like in the air are now expecting to see one

    There follows three days of airport closure drama. No photos emerge despite almost every one of the many thousands of people on the site having a camera phone from which they are Tweeting about the queues in the terminal. There is a grainy video, but it is indistinct, and crucially it doesn’t have anything in it that is identifiable as Gatwick. Meanwhile the police are frustrated in their search for the drone operators, who like their drone, prove difficult to pinpoint

    You might imagine that this was the fictional plot of a thriller novel, but sadly not. All of the above is a tale of the last few days of events in the British news

    There are reports of drone wreckage, but since readers with long memories will recall UK police once identified RepRap parts as a 3D printed gun we’ll wait until we see it before we call it that.

    When a Drone Report Comes In, We Need a Reliable Way to Evaluate It

    Competent Police Investigations and Responsible Journalism on Drone Reports

    Once an incident has started and news of it emerges there is a consequent effect upon members of our community. Legitimate drone fliers away from the airport will find themselves under more scrutiny

    Gatwick shutdown: Is this the drone that caused the chaos?

    Gatwick airport, the UK’s second busiest airport, is still experiencing delays and cancellations after a drone appeared in airspace on Thursday.

  30. Tomi Engdahl says:

    Raymond Zhong / New York Times:
    As Huawei comes under government scrutiny worldwide, a look at the company’s aggressive culture that encouraged employees to bend the rules, up to a point — SHENZHEN, China — Earthquakes, terrorist attacks and low oxygen levels on Mount Everest could not hold them back.

    Huawei’s ‘Wolf Culture’ Helped It Grow, and Got It Into Trouble

    As the Chinese tech giant Huawei expanded around the globe, supplying equipment to bring mobile phone and data service to the planet’s farthest reaches, its employees were urged on by a culture that celebrated daring feats in pursuit of new business.

    They worked grueling hours. They were encouraged to bend certain company rules, as long as doing so enriched the company and not employees personally

    Employees at the company and people who have studied it have a name for its hard-charging corporate spirit: “wolf culture.”

    Now, the company’s aggressive ways have been cast in a new light. The United States has accused Meng Wanzhou, a top Huawei executive and daughter of its founder, of committing bank fraud to help the company’s business in Iran.

    It is not clear precisely how Huawei’s culture shaped its dealings in Iran.

    Huawei workers have been accused of bribing government officials to win business in Africa, copying an American competitor’s source code and even stealing the fingertip of a robot in a T-Mobile lab in Bellevue, Wash. In 2015

    Mr. Ren said in 2015 that Huawei had toughened its safeguards against employee misconduct. But the following year, in a speech that was emailed to employees, he acknowledged that many workers did not pay attention to internal rules and controls

    Mr. Ren said that it was important to enforce internal standards, but that this should not become a hindrance.

    “If it blocks the business from producing grain, then we all starve to death,” he said, according to a transcript of his comments on a Huawei website.

    Ms. Meng’s arrest this month has darkened China’s relations with the United States

    Security concerns about Huawei and other Chinese equipment providers are mounting among traditional allies of the United States.

    At the annual meeting of spy chiefs of the so-called Five Eyes countries, Huawei was among the topics discussed by senior intelligence officers from Britain, Australia, New Zealand, Canada and the United States

    The pressure on the business is building. In Germany last week, Deutsche Telekom said it was taking seriously the “global discussion about the security of network elements from Chinese manufacturers.” On Monday, the Czech intelligence agency warned against the country working with Huawei and ZTE, another Chinese technology company.

    Abrar Al-Heeti / CNET:
    Despite challenges in penetrating the US market, Huawei says it has shipped over 200M smartphones in 2018 globally, up from last year’s 153M units

    Huawei exceeds 200 million smartphone shipments, setting company record

    It credits the success of its P20 and Honor 10 phones, among others.

  31. Tomi Engdahl says:

    18 Months Later, WannaCry Still Lurks on Infected Computers

    Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers.

    When the WannaCry infection was first unleashed, security researcher Marcus Hutchins of Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection. If the infection was able to connect to this kill switch domain, the ransomware component would not activate. The infection, though, would continue to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
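Because a dormant WannaCry host keeps re-checking the kill-switch domain, repeated lookups of that name in resolver logs point at machines that are infected but have not encrypted anything. The script below is an added example, not from the article: it parses a constructed query-log format, counts kill-switch lookups per client, and reports hosts that beacon repeatedly. The domain is a placeholder because the page does not name it; the log format, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder: the page does not give the kill-switch domain. Replace it with the
# sinkholed domain from your threat-intel feed before running this on real logs.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Assumed log format (constructed for this example):
# "<date> <time>.<ms> client <ip>#<port>: query: <name> IN A"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN "
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"

# Constructed sample resolver log: 10.0.0.7 beacons every ~15 minutes,
# 10.0.0.9 asks once, 10.0.0.5 never asks for the kill-switch name.
SAMPLE_LOG = """\
21-Dec-2018 08:00:01.123 client 10.0.0.5#51234: query: www.example.com IN A
21-Dec-2018 08:00:05.456 client 10.0.0.7#40001: query: killswitch-domain.example IN A
21-Dec-2018 08:02:10.001 client 10.0.0.9#40002: query: killswitch-domain.example IN A
21-Dec-2018 08:15:06.002 client 10.0.0.7#40003: query: killswitch-domain.example IN A
21-Dec-2018 08:20:00.777 client 10.0.0.5#51235: query: mail.example.com IN A
21-Dec-2018 08:30:04.900 client 10.0.0.7#40004: query: killswitch-domain.example IN A
21-Dec-2018 08:45:05.120 client 10.0.0.7#40005: query: killswitch-domain.example IN A
"""


def parse_line(line):
    """Return (timestamp, client_ip, queried_name) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("ip"), m.group("name").rstrip(".").lower()


def find_dormant_hosts(log_text, domain=KILL_SWITCH_DOMAIN, min_queries=3):
    """Hosts that repeatedly resolve the kill-switch domain.

    A single lookup may be a researcher or a sandbox; the dormant worm checks
    the domain routinely, so only hosts with at least `min_queries` lookups are
    reported, with first/last seen and the median gap between lookups.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == domain.lower():
            seen[parsed[1]].append(parsed[0])
    report = {}
    for ip, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[ip] = {
            "count": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "median_gap_seconds": gaps[len(gaps) // 2] if gaps else None,
        }
    return report


if __name__ == "__main__":
    # Alert on these hosts and remediate them; do not block the domain at the
    # resolver, since the ransomware component stays inactive only while the
    # kill-switch lookup succeeds.
    for ip, info in find_dormant_hosts(SAMPLE_LOG).items():
        print(ip, info)
```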

  32. Tomi Engdahl says:

    Two Android apps used in combat by US troops contained severe vulnerabilities

    Apps were meant for training, never approved for combat. Whistleblower’s efforts helped shed light on vulnerabilities, despite leadership reprisals.

    US military troops used two Android apps that contained severe vulnerabilities in live combat scenarios, a Navy Inspector General report revealed today.

    The two apps are named KILSWITCH (Kinetic Integrated Low-Cost Software Integrated Tactical Combat Handheld) and APASS (Android Precision Assault Strike Suite).

    Both apps work by showing satellite imagery of surroundings, including objectives, mission goals, nearby enemy and friendly forces.

    The two apps work as a modern-day replacement for radios and paper maps and allow troops to use a real-time messaging client to coordinate with other military branches, and even call in air-strike support with a few simple screen taps, according to a DARPA press release and accompanying YouTube video.

    both apps contained vulnerabilities that could have allowed enemy forces access to troops’ information.

    The report says that the two apps, KILSWITCH and APASS, were never meant or approved to be deployed in live combat zones.

    “Cybersecurity was not a concern for the [apps'] developers,” the report said, because developers initially expected the apps to be used for troop training and military exercises primarily.

    But the two apps, because of their flashy features and easier-to-use interface, became wildly popular among US troops, and also among other military branches, including foreign allied forces.

  33. Tomi Engdahl says:

    Idaho Lab Protects US Infrastructure From Cyber Attacks

    It’s called the “Dark Side” because the 50 workers there prefer to keep the lights low so they can dim the brightness on their computer screens.

    Or maybe it’s because of what they do in cyber research and development.

    Questions about exactly what goes on at the heart of one of the United States’ primary cybersecurity facilities at the Idaho National Laboratory aren’t always answered, and photos by outsiders aren’t allowed.

  34. Tomi Engdahl says:

    Android 9 Brings Significant Security Advancements, Google Says

    The latest Android iteration brings along a great deal of security improvements, including better encryption and authentication, Google says.

  35. Tomi Engdahl says:

    BevMo Warns of Customer Credit Card Data Breach

    BevMo is warning that a data breach may have allowed a hacker to steal credit card numbers and other information from more than 14,000 customers who used the alcohol-seller’s website.

  36. Tomi Engdahl says:

    OVERRULED: Containing a Potentially Destructive Adversary

    FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks.

  37. Tomi Engdahl says:

    New Tech Support Scam Causes Chrome Browser to Use 100% of the CPU

    A new tech support scam has been discovered that uses JavaScript to create a loop that ultimately causes Google Chrome to use up all of the CPU resources on the computer and freeze the browser.

    This new tech support scam variant was reported in a Google Chrome bug report that states that once a user visits the page, the CPU utilization quickly goes to 100%. This makes it impossible to close the tab, the browser, or properly use the computer until the Chrome process is killed.

    When visiting the listed URL, you are brought to a tech support scam page that has a title of “Important Information”. This page pretends to be a Windows error title “Internet Security Alert! Code: 055BCCAC9FEC” that states your computer has been infected and that you should call the listed support number for help.

    This high CPU utilization will ultimately cause the browser to freeze and your computer to become barely usable. At this point, the only way to close the browser will be to close the offending Chrome.exe process using a tool like the Windows Task Manager.

  38. Tomi Engdahl says:

    APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign

    US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?

    Security experts wonder, however, what impact the indictments will really make.

  39. Tomi Engdahl says:

    126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams

    The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

  40. Tomi Engdahl says:

    Phishing Attempts That Bypass 2FA

    In today’s world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests etc. We even implement 2FA to help prove that someone is who they say they are when they are authenticating to a site. As we try to up our security game, the bad guys up their tactics too. shared an interesting write-up about phishing attacks that are bypassing 2FA.

  41. Tomi Engdahl says:

    Now Mirai Malware Attack as Miori Delivered via Remote Code Execution Exploit

    Most destructive IoT malware Mirai is now being delivered as Miori and it’s spreading via dangerous remote code execution exploits.

    Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms.

  42. Tomi Engdahl says:

    How 3ve’s BGP hijackers eluded the Internet—and made $29M
    3ve used addresses of unsuspecting owners—like the US Air Force.

    Over the past decade, many attackers have exploited design weaknesses in the Internet’s global routing system. Most commonly, the Border Gateway Protocol (BGP) is abused to divert gigabytes, or possibly even petabytes, of high-value traffic to ISPs inside Russia or China, sometimes for years at a time, so that the data can be analyzed or manipulated. Other times, attackers have used BGP hijackings more surgically to achieve specific aims, such as stealing cryptocurrency or regaining control of computers monitored in a police investigation.

    Late last month came word of a new scheme. In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.
