Security trends 2017

3,151 Comments

1. May 30, 2017 at 12:18 pm

   Tomi Engdahl says:

   Microsoft Patches Several Malware Protection Engine Flaws
   http://www.securityweek.com/microsoft-patches-several-malware-protection-engine-flaws

   Microsoft Fixes Several Antimalware Engine Vulnerabilities Found by Google Researchers

   Microsoft has released an out-of-band update for its Malware Protection Engine to patch several remote code execution and denial-of-service (DoS) vulnerabilities discovered by Google Project Zero researchers.

   Version 1.1.13804.0 of the Microsoft Malware Protection Engine, released on Thursday, addresses a total of eight vulnerabilities identified by various members of Google Project Zero, including Mateusz Jurczyk, Tavis Ormandy, Lokihart and Ian Beer.

   Jurczyk has been credited for finding four of the security holes, namely CVE-2017-8536, CVE-2017-8538, CVE-2017-8537 and CVE-2017-8535. The researcher used fuzzing to find heap-based buffer overflow, NULL pointer dereference and other memory corruption vulnerabilities that can lead to arbitrary code execution or a crash of the Malware Protection Engine (MsMpEng) service.

   Reply
2. May 30, 2017 at 12:19 pm

   Tomi Engdahl says:

   Researchers Release Patch for NSA-linked “EsteemAudit” Exploit
   http://www.securityweek.com/researchers-release-patch-nsa-linked-esteemaudit-exploit

   Security researchers at enSilo have released a patch to keep vulnerable systems protected from a recently released Windows exploit allegedly used by the National Security Agency (NSA)-linked Equation Group.

   Dubbed EsteemAudit, this exploit targets a remote desktop protocol (RDP) bug and can be abused to move laterally within a compromised organization’s network, as well as to infect victims with ransomware or backdoors, or to exfiltrate sensitive information.

   The exploit might not be as popular as the EternalBlue exploit, which fueled large infections such as WannaCry or Adylkuzz, but it could prove as devastating.

   EsteemAudit was made public last month when the hacking group known as the Shadow Brokers decided to release a new set of exploits and tools allegedly stolen from the NSA-linked Equation Group last year. Soon after, Microsoft said the vulnerabilities had been patched in March.

   Reply
3. May 30, 2017 at 12:19 pm

   Tomi Engdahl says:

   Russia’s Disinformation Efforts Hit 39 Countries: Researchers
   http://www.securityweek.com/russias-disinformation-efforts-hit-39-countries-researchers

   Russia’s campaign of cyberespionage and disinformation has targeted hundreds of individuals and organizations from at least 39 countries along with the United Nations and NATO, researchers said Thursday.

   A report by the Citizen Lab at the University of Toronto revealed the existence of “a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society,” lead researcher Ronald Deibert said.

   Reply
4. May 30, 2017 at 7:46 pm

   Tomi Engdahl says:

   Kbeneven / Check Point Blog:
   Researchers find 41 Android apps from a single developer with several million downloads that fraudulently click on ads, now removed from Play Store

   The Judy Malware: Possibly the largest malware campaign found on Google Play
   http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

   Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it. The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown.

   We also found several apps containing the malware, which were developed by other developers on Google Play.

   Reply
5. May 30, 2017 at 9:27 pm

   Tomi Engdahl says:

   Linux security alert: Bug in sudo’s get_process_ttyname() [ CVE-2017-1000367 ]
   https://www.cyberciti.biz/security/linux-security-alert-bug-in-sudos-get_process_ttyname-cve-2017-1000367/

   There is a serious vulnerability in sudo command that grants root access to anyone with a shell account. It works on SELinux enabled systems such as CentOS/RHEL and others too. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. Patch your system as soon as possible.

   http://www.openwall.com/lists/oss-security/2017/05/30/16

   Reply
6. May 31, 2017 at 4:54 am

   Tomi Engdahl says:

   Kimberly Kindy / Washington Post:
   Tech and advertiser trade groups helped Congress dismantle Obama-era internet privacy rules

   How Congress dismantled federal Internet privacy rules
   https://www.washingtonpost.com/politics/how-congress-dismantled-federal-internet-privacy-rules/2017/05/29/7ad06e14-2f5b-11e7-8674-437ddb6e813e_story.html?utm_term=.3aaab13ae47c

   Congressional Republicans knew their plan was potentially explosive. They wanted to kill landmark privacy regulations that would soon ban Internet providers, such as Comcast and AT&T, from storing and selling customers’ browsing histories without their express consent.

   On March 23, the measure passed on a straight party-line vote, 50 to 48. Five days later, a majority of House Republicans voted in favor of it, sending it to the White House, where President Trump signed the bill in early April without ceremony or public comment.

   “While everyone was focused on the latest headline crisis coming out of the White House, Congress was able to roll back privacy,” said former Federal Communications Commission chairman Tom Wheeler, who worked for nearly two years to pass the rules.

   The process to eliminate them took only a matter of weeks. The blowback was immediate.

   Constituents heckled several of the lawmakers at town halls. “You sold my privacy up the river!”

   Reply
7. May 31, 2017 at 7:46 am

   Tomi Engdahl says:

   LTE IMSI Catcher
   http://hackaday.com/2017/05/30/lte-imsi-catcher/

   GSM IMSI catchers preyed on a cryptographic misstep in the GSM protocol. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video,

   Camp++ 0x7e0 // FOS LTE IMSI catcher by Domi
   https://www.youtube.com/watch?v=WXBk0XZqGf8

   Reply
8. May 31, 2017 at 11:54 am

   Tomi Engdahl says:

   Counterfeit Hardware May Lead To Malware and Failure
   http://hackaday.com/2017/05/31/counterfeit-hardware-may-lead-to-malware-and-failure/

   Counterfeit parts are becoming increasingly hard to tell the difference from the real deal, the technology used by the counterfeiters has come on leaps and bounds, so even the experts struggle to tell the real product from a good fake. Mere fake branding isn’t the biggest problem with a counterfeit though, as ieee.com reports, counterfeit parts could contain malware or be downright dangerous.

   Way back in 2014 the FBI charged [Marc Heera] with selling clones of the Hondata S300, a plugin engine module for Honda cars that reads sensors, and depending on their values can change idle speed, air-fuel mixture and a plethora of other car/engine related settings. What, might you ask, is the problem, except they are obviously not genuine parts? According to Honda they had a number of issues such as random limits on engine rpm and occasionally failure to start. While the fake Hondata S300 parts where just poor clones that looked the part, anything connected to an engine control unit brings up huge safety concerns and researchers have shown that through ECU access, they could hijack a car’s steering and brakes.

   Invasion of the Hardware Snatchers: Cloned Electronics Pollute the Market
   Fake hardware could open the door to malicious malware and critical failures
   http://spectrum.ieee.org/computing/hardware/invasion-of-the-hardware-snatchers-cloned-electronics-pollute-the-market

   And unlike counterfeit electronics of the past, modern clones are very sophisticated. Previously, counterfeiters would simply re-mark or repackage old or inferior components and then sell them as if they were new and top of the line; the main problem with these knockoffs was poor reliability. Cloned electronics these days are potentially more nefarious: The counterfeiters make their own components, boards, and systems from scratch and then package them into superficially similar products. The clones may be less reliable than the genuine product, having never undergone rigorous testing. But they may also host unwanted or even malicious software, firmware, or hardware—and the buyer may not know the difference, or even know what to look for.

   Installing cloned hardware into networks, for instance, could open the door to hackers: They could launch man-in-the-middle attacks or secretly alter a secure communication path between two systems in order to bypass security mechanisms, like integrity verification, encryption, and end-point authentication. Software hidden in a router could allow an attacker to take control of other systems on the network, rerouting data to remote servers or even disrupting critical systems, such as the flow of electricity through a smart grid. A cloner who succeeds in embedding malicious software or hardware into a combat drone could shut it down or retarget it when it reached preset GPS coordinates.

   Reply
9. May 31, 2017 at 9:23 pm

   Tomi Engdahl says:

   Emil Protalinski / VentureBeat:
   Gmail adds new security features for businesses, including malicious link and phishing detection, using machine learning techniques claimed to be 99.9% accurate

   Gmail enterprise users get earlier phishing detection, malicious link and external reply warnings
   https://venturebeat.com/2017/05/31/gmail-enterprise-users-get-earlier-phishing-detection-malicious-link-and-external-reply-warnings/

   Reply
10. May 31, 2017 at 9:41 pm

    Tomi Engdahl says:

    Dell Cameron / Gizmodo:
    Researcher finds 60K+ files from government consulting firm Booz Allen Hamilton on public Amazon server, including US government passwords, security credentials — Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once described as the world’s most profitable spy operation, Gizmodo has confirmed.

    Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password
    http://gizmodo.com/top-defense-contractor-left-sensitive-pentagon-files-on-1795669632

    Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once described as the world’s most profitable spy operation, Gizmodo has confirmed.

    A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

    The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data.

    Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract.

    The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed.

    UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data.

    Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.

    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,”he said.

    “Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo on Tuesday.

    “Oh, no. It’s Booz Allen again.”

    Zaid was referring to Edward Snowden, the former NSA contractor who worked for Booz Allen

    In addition to keys, the Booz Allen server contained master credentials to a datacenter operating system

    Spy Games
    A Secretive Intelligence Agency, A High-Flying Contractor — And A Big Data Breach
    https://cyberresilience.io/spy-games-39a4a2e8668a

    In what constitutes the latest in a series of blows to the US intelligence community’s reputation for stringent information security, UpGuard’s Cyber Resilience Team can now reveal the discovery by Cyber Risk Analyst Chris Vickery of a publicly exposed file repository containing highly sensitive US military data. Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD). While the precise identity of the owner of the unsecured Amazon Web Services “S3” bucket on which the data set was hosted remains murky, domain registrations and credentials within the data set point to private-sector defense firm Booz Allen Hamilton (BAH)

    The revelation of exposed and highly sensitive data involving an intelligence agency tasked with everything from battlefield imaging in Afghanistan to satellite surveillance of North Korea’s ballistic missile arsenal comes at a frighteningly tense time for international relations. Coming on the heels of contentious debate in Washington over a series of national security leaks

    In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level. Unprotected by even a password, the plaintext information in the publicly exposed Amazon S3 bucket contained what appear to be the Secure Shell (SSH) keys of a BAH engineer, as well as credentials granting administrative access to at least one data center’s operating system.

    After receiving no response from BAH to his initial notification, Vickery escalated his notification attempts by sending an email to the NGA

    Nine minutes later, at 10:42 AM PST, the file repository was secured — an impressively speedy response time from a major US intelligence agency.

    Later that day, at approximately 5 PM PST, BAH belatedly responded to Vickery’s initial notification

    Due to the diligent work of Chris Vickery on behalf of UpGuard, and the rapid response of the NGA to his notification, a potentially catastrophic breach of systems dealing with the most sensitive corners of the US military-industrial apparatus was averted.

    Lingering Questions

    That top secret geospatial intelligence was potentially accessible for anyone with an internet connection is perhaps not even among the more alarming revelations of this exposure.

    Unsecured Amazon S3 buckets have starred in previous massive government data breaches. In April 2016, Vickery discovered a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens,

    information security is only as good as the weakest link in the chain

    Booz Allen Hamilton is already aware of this truth. This is not BAH’s first brush with data leakage — nor even its most consequential. Among its former analysts is one Edward Snowden, who later stated he had accepted a position with BAH with the specific goal of acquiring and leaking National Security Agency (NSA) data.

    As with IT operations, misconfigurations and mistakes tend to account for a far greater share of cyber risk than do vulnerabilities or insider attacks, while receiving far less attention as a threat vector.

    Vendor risk is as real as any internal risk, if the vendor is relied upon in any serious way. While it is not every day that such a risk might affect questions about international stability in East Asia, or warfare in the Middle East, the lessons of such failings of cyber resilience are relevant to any IT operation.

    Reply
11. May 31, 2017 at 9:53 pm

    Tomi Engdahl says:

    Larry Dignan / ZDNet:
    Cisco and IBM announce partnership to tackle cybercrime, will integrate security products, services, and threat intelligence

    Cisco, IBM forge security integration partnership
    http://www.zdnet.com/article/cisco-ibm-forge-security-integration-partnership/

    Both companies will integrate products, research and services as they aim to collaborate on cybersecurity.

    Cisco and IBM will integrate security products, services, and threat intelligence in a new partnership.

    Both companies have sizeable security businesses. Under the terms of the deal, Cisco’s security suite will integrate with IBM’s QRadar across networks, end points, and cloud.

    In addition, IBM Global Services will support Cisco products in managed security services. Cisco and IBM will also partner on security research as IBM X-Force and Cisco Talos teams collaborate on intelligence and coordinate on cybersecurity response.

    Cisco’s Next-Generation Firewall (NGFW), Next-Generation Intrusion Protection System (NGIPS) and Advanced Malware Protection (AMP) and Threat Grid will integrate with IBM’s platforms.
    IBM’s Resilient Incident Response Platform will integrate with Cisco’s Threat Grid.

    Reply
12. May 31, 2017 at 10:18 pm

    Tomi Engdahl says:

    Clinton: ’email account was turned into the biggest scandal since Lord knows when’
    https://techcrunch.com/2017/05/31/clinton-email-account-was-turned-into-the-biggest-scandal-since-lord-knows-when/

    Hillary Clinton appeared onstage at Code Conference on Wednesday in Rancho Palos Verdes, Calif. and reflected on why she lost the U.S. 2016 presidential election.

    Unsurprisingly, the widespread coverage of her unsecured email usage was a sour point. The “email account was turned into the biggest scandal since Lord knows when.” She griped that the “mainstream media covered that like Pearl Harbor.”

    “It was a mistake,” she acknowledged. But “the way that it was used was very damaging.”

    Clinton also felt that former FBI director James Comey had a lot to do with the perception that she was a criminal.

    Social media played a larger role than ever in the 2016 election and Clinton had some thoughts about Twitter and Facebook.

    “The vast majority of the news items posted were fake,” she said about Facebook.

    Clinton also spoke about the role that data played in “weaponizing” information on social media and other online platforms. She talked about how the RNC built a giant data trove after the loss of the 2012 presidential election.

    Clinton is also in favor of tech billionaires buying more newspapers, like Jeff Bezos did with the Washington Post. “Jeff Bezos saved the Washington Post,”

    Reply
13. May 31, 2017 at 10:23 pm

    Tomi Engdahl says:

    Sui-Lee Wee / New York Times:
    As China prepares to implement its new cybersecurity law that requires firms to store data in China and more, some experts and businesses worry about its scope
    https://www.nytimes.com/2017/05/31/business/china-cybersecurity-law.html?mtrref=www.techmeme.com&gwh=3F30AA567E3503D3B70A1918C7909C5B&gwt=pay

    Reply
14. June 1, 2017 at 8:32 am

    Tomi Engdahl says:

    Colin Lecher / The Verge:
    Hillary Clinton urges social media platforms to do more curating and editorial decision-making “instead of being overwhelmed by the challenge”

    Hillary Clinton urges platforms to ‘hurry up’ and fix moderation
    https://www.theverge.com/2017/5/31/15720544/hillary-clinton-code-conference

    In an interview today at Code Conference, Hillary Clinton urged social media platforms to figure out new ways to slow “the weaponization and manipulation” of information, admitting at the same time that it was a difficult problem to solve.

    “I have a lot of sympathy at this point… for people trying to make these decisions,” she said toward the end of her interview with Kara Swisher and Walt Mossberg. “I would just urge them to hurry up.”

    She encouraged platforms to err “more on the curating, editorial decision-making” side of the equation, “instead of being overwhelmed by the challenge.”

    Reply
15. June 1, 2017 at 9:30 am

    Tomi Engdahl says:

    Ethiopia Turns Off Internet Nationwide as Students Sit Exams
    https://tech.slashdot.org/story/17/05/31/1841245/ethiopia-turns-off-internet-nationwide-as-students-sit-exams

    Ethiopia shut down the internet yesterday ahead of a scheduled national examination that is underway in the country today. Social media users noted that the internet service was interrupted from around 7 pm on Tuesday — reportedly to prevent exam leaks. About 1.2 million students are taking the grade 10 national exams, with another 288,000 preparing for the grade 12 university entrance exams that will take place next week.

    Ethiopia turns off internet nationwide as students sit exams
    https://www.theguardian.com/technology/2017/may/31/ethiopia-turns-off-internet-students-sit-exams

    The country has closed its digital borders to prevent leaks during tests after papers were posted online by activists last year

    Ethiopia has shut off internet access to its citizens, according to reports from inside the country, apparently due leaked exam papers for the nation’s grade 10 examinations.

    Outbound traffic from Ethiopia was shutdown around 4pm UK time on Tuesday, according to Google’s transparency report, which registered Ethiopian visits to the company’s sites plummeting over the evening. By Wednesday afternoon, access still had not been restored.

    Reply
16. June 1, 2017 at 9:32 am

    Tomi Engdahl says:

    Security company finds unsecured bucket of US military images on AWS
    You’re only as secure as your suppliers and some military contractors look to be well leaky
    https://www.theregister.co.uk/2017/06/01/us_national_geospatial_intelligence_agency_leak/

    “Cyber resilience” company UpGuard claims to have found a publicly-accessible AWS S3 bucket full of classified US intelligence data.

    The company’s Dan O’Sullivan says colleague Chris Vickery found an “unsecured Amazon Web Services ‘S3′ bucket” and that the firm’s “Analysis of the exposed information suggests the overall project is related to the US National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD).”

    O’Sullivan’s post says “information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level.”

    Reply
17. June 1, 2017 at 9:33 am

    Tomi Engdahl says:

    Senators want FBI to vet FCC’s ‘cyberattack’ claims
    Dems want to get to the bottom of comment flood
    https://www.theregister.co.uk/2017/05/31/senators_want_fbi_to_vet_fcc_cyberattack_claim/

    A group of Senate Democrats is asking the FBI to take a close look at the reported “denial of service” the FCC blamed for the collapse of its comment system earlier this month.

    “A Congressional inquiry has already been sent to the FCC asking for details about the attack. We ask that the FBI prioritize this matter and investigate the source of this attack,” the letter reads.

    “Any cyberattack on a Federal network is very serious. This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC rulemaking proceedings.”

    The attack had been reported by the FCC on Monday, May 8, after the commission’s Electronic Comment Filing System (ECFS) went down late Sunday night.

    Reply
18. June 1, 2017 at 9:34 am

    Tomi Engdahl says:

    Sons of IoT: Bikers hack Jeeps in auto theft spree
    Gang used lifted codes, stolen logins to bypass onboard security
    https://www.theregister.co.uk/2017/05/31/bikers_hack_jeeps_in_auto_theft_spree/

    A Tijuana-based biker gang is accused of hacking hundreds of trucks over two and a half years as part of a multi-million-dollar auto theft ring.

    The San Diego offices of the US Department of Justice and the FBI said that nine members of the Hooligans Motorcycle Club used stolen dealer credentials and handheld diagnostic machines to cut and program duplicate keys for a targeted set of Jeep Wrangler trucks, which they later stole and stripped down for parts.

    According to the DoJ’s indictment, the group worked in small teams to identify specific models of Jeep Wranglers throughout the San Diego area. Once a target vehicle was identified, a member obtained the truck’s vehicle identification number (VIN), which is usually printed on the dashboard.

    The VIN was then passed to another member, who used database login credentials taken from a Jeep dealer in Cabo San Lucas, Mexico. The database, used by dealerships to perform repairs on the cars, contained the information needed to cut and program duplicate keys.

    Reply
19. June 1, 2017 at 9:45 am

    Tomi Engdahl says:

    Motorcycle Gang Busted for Hacking and Stealing Over 150 Jeep Wranglers
    https://www.bleepingcomputer.com/news/security/motorcycle-gang-busted-for-hacking-and-stealing-over-150-jeep-wranglers/

    The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts.

    Authorities unsealed an indictment yesterday in a press conference held in San Diego.

    All thefts started with a scouting phase where gang members with the role of scout drove around South California to identify motorcycles and Jeep Wrangler models they wanted to steal.

    While the theft of motorcycles didn’t involve a key, with crooks bypassing the ignition switch, the theft of Jeep Wranglers was far more complex and involved quite a lot of high-tech gadgetry.

    Gang accessed database of Jeep replacement key codes

    US authorities say that after identifying a Jeep Wrangler, a scout would have to obtain the car’s Vehicle Identification Number (VIN), a code printed in the car’s dashboard, or another location on the car.

    Scouts would pass the VIN to their leader, who would then pass the code to a key cutter via Facebook. According to court documents, the key cutters had found a way to access a proprietary database containing replacement key codes for Jeep Wrangler models.

    Using the VIN, the key cutters would download two codes from this database. They would use the first code to as instructions to cut a physical replacement key.

    They would then pass the newly cut replacement key and the second code back to the leaders, which would hand them over to members tasked with stealing the vehicle.

    Court documents reveal that all the database queries for the stolen VIN codes came from a Jeep dealer in Cabo San Lucas, Mexico. Court documents don’t say if the dealer cooperated or gang members hacked its system.

    Reply
20. June 1, 2017 at 9:49 am

    Tomi Engdahl says:

    Silk Road Founder Loses Appeal and Will Serve Life
    https://yro.slashdot.org/story/17/05/31/2039237/silk-road-founder-loses-appeal-and-will-serve-life

    Ross Ulbricht, the founder of the darknet marketplace known as Silk Road, has lost his appeal of a 2015 conviction that has him serving a life sentence on drug trafficking and money laundering charges, according to a federal appeals court decision released Wednesday morning.

    Silk Road Founder Loses Appeal and Will Serve Life, but the Darknet Is Rising
    https://www.yahoo.com/news/silk-road-founder-loses-appeal-151531887.html

    Ross Ulbricht, the founder of the darknet marketplace known as Silk Road, has lost his appeal of a 2015 conviction that has him serving a life sentence on drug trafficking and money laundering charges, according to a federal appeals court decision released Wednesday morning.

    Ulbricht argued that the district court that convicted him violated the Fourth Amendment—which protects against unreasonable searches and seizures—by wrongly denying his motion to suppress evidence, and that he was deprived of his right to a fair trial.

    For example, much of the evidence the government used to convict Ulbricht, who went by the name Dread Pirate Roberts on Silk Road, came from the laptop he was using when he was arrested in a San Francisco public library in 2013.

    “Ulbricht moved to suppress the large quantity of evidence obtained from his laptop, challenging the constitutionality of that search warrant.”

    Reply
21. June 1, 2017 at 10:27 am

    Tomi Engdahl says:

    EFF Sues FBI For Records About Paid Best Buy Geek Squad Informants
    https://yro.slashdot.org/story/17/05/31/219209/eff-sues-fbi-for-records-about-paid-best-buy-geek-squad-informants

    The Electronic Frontier Foundation is suing the FBI for records “about the extent to which it directs and trains Best Buy employees to conduct warrantless searches of people’s devices.”

    Why We’re Suing the FBI for Records About Best Buy Geek Squad Informants
    https://www.eff.org/deeplinks/2017/02/FBI-tries-to-bypass-Fourth-Amendment-Safeguards-by-using-Geek-Squad

    Law Enforcement Should Not Be Able to Bypass the Fourth Amendment to Search Your Devices

    Sending your computer to Best Buy for repairs shouldn’t require you to surrender your Fourth Amendment rights. But that’s apparently what’s been happening when customers send their computers to a Geek Squad repair facility in Kentucky.

    Reply
22. June 1, 2017 at 11:21 am

    Tomi Engdahl says:

    Improving Linux Security with DevSecOps
    http://www.linuxjournal.com/content/improving-linux-security-devsecops

    Security experts lament the fact that most organizations, many of which have grown organically over time, haven’t taken the time to define standard rules for their systems that can be repeated and shared. For example, good baselines will include:

    Machine-level firewall rules: firewalls aren’t just for the edge. You should deploy them at the machine level for bare metal, VMs and containers that are off-premises and on. One size doesn’t fit all, either. Web server firewalls should look different from application server firewalls. If that sounds like an overwhelming challenge given the number of servers you manage, you need to think seriously about automation.

    More deliberate port rules: which ports are open and closed to whom and to where? Is port 22 open on all your systems? Does it need to be? If it is, is access limited to certain subnets?

    Limit access: which users and groups have access to which systems? Do developers need access to all your dev servers or just a subset? Which machines have access to each other? Web servers probably should be able to talk to your database servers, but do they need to talk to other application servers?

    By asking a few routine questions like this, you can begin to define and implement some solid baselines. Share them on a wiki using MediaWiki, TikiWiki or PmWiki to make updates a snap. Wikis make documentation easier, which makes adoption and use easier—and more effective.

    Machine-Level Firewalls

    You can deflect a lot of bad activity by setting a few good firewall rules—even on systems that don’t see the outside world. After all, not all security problems come from the outside.

    Iptables is robust, ubiquitous and relatively easy to manage, even from the command line

    If you’re running IPv6 (and many Linux distros do by default), be sure to install iptables-persistent and add the same rules. It doesn’t make sense to lock down one protocol and not the other

    Reply
23. June 1, 2017 at 3:22 pm

    Tomi Engdahl says:

    Fireball malware could spark ‘global catastrophe’ after infecting 250 million computers
    Check Point exposes ‘sophisticated’ malware allegedly spread by Chinese firm.
    http://www.ibtimes.co.uk/fireball-malware-could-spark-global-catastrophe-after-infecting-250-million-computers-already-1624286

    A massive malware campaign that has the power to “initiate a global catastrophe” has currently infected more than 250 million computers worldwide. The software, dubbed “Fireball”, can take control of internet browsers, spy on victim’s web use and potentially steal personal files.

    According to Check Point, a cybersecurity firm, the operation is linked to Rafotech, a Chinese firm claiming to provide digital marketing and game apps to 300 million customers. It is allegedly using Fireball to manipulate victim’s browsers, change search engines, and scoop up user data.

    But experts warn the malware has the potential to cause a major cybersecurity incident worldwide.

    Far from a legitimate service, it has the ability to run code, download files, install plug-ins, change computer configurations, spy on users and even act as an efficient malware dropper.

    “How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more,” Check Point researchers wrote in a blog post this week (1 June). “Many threat actors would like to have even a fraction of Rafotech’s power.”

    The experts said it observed 25.3 million of infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). In the US it witnessed 5.5 million infections (2.2%). They claimed 20% of all corporate networks globally may be impacted.

    FIREBALL – The Chinese Malware of 250 Million Computers Infected
    http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

    KEY FINDINGS

    Check Point analysts uncovered a high volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
    The malware, called Fireball, acts as a browser-hijacker but and can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
    Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
    The operation is run by Chinese digital marketing agency.
    Top infected countries are India (10.1%) and Brazil (9.6%)

    Reply
24. June 1, 2017 at 3:24 pm

    Tomi Engdahl says:

    Fireball malware infected 250 million computers worldwide
    https://www.helpnetsecurity.com/2017/06/01/fireball-malware/

    Check Point researchers discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, named Fireball, takes over target web browsers, turning them into zombies.

    Fireball has two main functionalities: one is the ability to run any code on victims’ computers and downloading any file or malware; the other is hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

    Who is behind this operation?

    According to Check Point, this operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines which simply redirect the queries to either yahoo.com or Google.com.

    Walking along the edge of legitimacy

    Fireball and similar browser-hijackers are hybrid creatures, half seemingly legitimate software. Although Rafotech seemingly uses Fireball only for advertising and initiating traffic to its fake search engines, it actually can perform any action on the victims’ machines, which can have serious consequences.

    Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.

    This gray zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.

    Reply
25. June 1, 2017 at 3:27 pm

    Tomi Engdahl says:

    Global Fireball adware epidemic infects nine percent of UK networks
    https://www.scmagazineuk.com/global-fireball-adware-epidemic-infects-nine-percent-of-uk-networks/article/665439/

    More than nine percent of corporate networks in the UK are infected with Fireball, an adware package that has infected 250 million computers worldwide, say Check Point researchers.

    A piece of malware, dubbed Fireball, has made its way on to 20 percent of corporate networks worldwide.

    Check Point researchers revealed today that the malware has infected over 250 million computers around the world by targeting and enslaving the computer’s web browsers, hijacking their traffic and showing its unfortunate victims advertisements.

    Fireball also installs plug-ins to boost its advertisements. That same functionality, though it has not yet been seen in the wild, could also be used to distribute additional malware.

    While Fireball could do a lot worse, all that has currently been witnessed is typical adware behaviour – perverting normal operation of the computer and taking over its search engine preferences to generate ad revenue for its masters.

    Reply
26. June 1, 2017 at 3:29 pm

    Tomi Engdahl says:

    Has WannaCry trashed reputations of leading cyber-security vendors?
    https://www.scmagazineuk.com/has-wannacry-trashed-reputations-of-leading-cyber-security-vendors/article/664386/

    During a recent chat, Ian Trump – also known as phat_hobbit on Twitter – said the cyber-security industry had some difficult questions to answer in the wake of WannaCry.

    There is no doubt that many organisations received an unwelcome penetration test of their security software in the form of the WannaCry ransomware attack. The question is, can security vendors survive with their reputations intact after what appears to be such a massive failure?

    By some measures,” Trump said, “the security software chosen to defend the organisation had a great deal to do with how successfully the storm was weathered.”

    He was both “surprised and disappointed” that what he refers to as a ‘softball cyber-attack’ was able to divide security vendors into two distinct camps: those that worked and nothing got through, and those that failed.

    “For those security products that worked, vendors seemed to respond by gleefully running virtual victory laps on social media,” Trump told SC Media. “For those that failed, it is going to be a rough journey for the brand.”

    Jamie Riden, security consultant at Pen Test Partners, points the finger at a fundamental disconnect in security between solutions and practice. “Vendors have to be prepared to assist organisations not just in plugging in their kit but in creating a responsive security culture,” he told SC. “Vendors have to step up to the mark and provide advice and assistance rather than simply hawking their latest wares.”

    IOActive’s EMEA VP, Owen Connolly, suggests that was not a security technology problem. “Security technology does not work in a vacuum,” he told SC. “It needs people and processes to make it effective.” Unfortunately, too many executives are listening to the hype and believing that buying a box will solve all your problems. “It still amazes me that in 2017 this attitude prevails that prioritises boxes or software products over good people and practical processes,” he concludes.

    Reply
27. June 1, 2017 at 3:59 pm

    Tomi Engdahl says:

    Trump administration approves tougher visa vetting, including social media checks
    http://www.reuters.com/article/us-usa-immigration-visa-idUSKBN18R3F8

    The Trump administration has rolled out a new questionnaire for U.S. visa applicants worldwide that asks for social media handles for the last five years and biographical information going back 15 years.

    Critics argued that the new questions would be overly burdensome, lead to long delays in processing and discourage international students and scientists from coming to the United States.

    Reply
28. June 1, 2017 at 8:27 pm

    Tomi Engdahl says:

    Andrew Higgins / New York Times:
    In a departure from previous denials, Putin says “patriotically minded” private Russian hackers could have been involved in US election cyberattacks — MOSCOW — Shifting from his previous blanket denials, President Vladimir V. Putin of Russia said on Thursday that …

    Putin Hints at U.S. Election Meddling by ‘Patriotically Minded’ Russians
    https://www.nytimes.com/2017/06/01/world/europe/vladimir-putin-donald-trump-hacking.html

    Shifting from his previous blanket denials, President Vladimir V. Putin of Russia said on Thursday that “patriotically minded” private Russian hackers could have been involved in cyberattacks last year to help the presidential campaign of Donald J. Trump.

    While Mr. Putin continued to deny any state role, his comments to reporters in St. Petersburg were a departure from the Kremlin’s previous position: that Russia had played no role whatsoever in the hacking of the Democratic National Committee and that, after Mr. Trump’s victory, the country had become the victim of anti-Russia hysteria among crestfallen Democrats.

    Raising the possibility of attacks by what he portrayed as free-spirited Russian patriots, Mr. Putin said that hackers “are like artists” who choose their targets depending how they feel “when they wake up in the morning.”

    All the same, Mr. Putin stuck firmly to earlier denials that Russian state bodies or employees had been involved, an accusation leveled by United States intelligence agencies.

    The boundary between state and private action, however, is often blurry, particularly in matters relating to the projection of Russian influence abroad.

    Reply
29. June 1, 2017 at 8:29 pm

    Tomi Engdahl says:

    Julia Fioretti / Reuters:
    After committing to EU to remove hate speech, Twitter, Facebook, YouTube, and Microsoft remove 59% of hate speech in 24 hours on average, up from 28% in Dec.

    Social media firms have increased removals of online hate speech: EU
    http://www.reuters.com/article/us-eu-hatespeech-idUSKBN18S3FO

    Social media companies like Facebook, Twitter and Google’s YouTube have stepped up both the speed and number of removals of hate speech on their platforms in response to pressure from the European Union to do more to tackle the issue, according to the results of an EU evaluation.

    “This … shows that a self-regulatory approach can work, if all actors do their part. At the same time, companies … need to make further progress to deliver on all the commitments,” Jourova said in a statement

    Reply
30. June 2, 2017 at 4:28 am

    Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Password manager OneLogin compromised, says hackers have ability to decrypt encrypted data and all users served by US data center are affected

    Password manager OneLogin hacked, exposing sensitive customer data
    UPDATED: The company said that hackers have ‘the ability to decrypt encrypted data’.
    http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/

    Password manager and single sign-on provider OneLogin has been hacked.

    In a brief blog post, the company’s chief security officer Alvaro Hoyos said that it was aware of “unauthorized access to OneLogin data in our US data region,” and that it had reached out to customers.

    “OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised,” the email read.

    Later in the day, the company said in an update: “Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”

    The company added that although it encrypts “certain sensitive data at rest,” it could not rule out the possibility that the hacker “also obtained the ability to decrypt data”.

    But a spokesperson did not say what kind of data is and isn’t encrypted.

    The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens — used for logging into accounts — as well as to create new security certificates. The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted.

    The company also hasn’t said how many customers were affected.

    OneLogin allows corporate users to access multiple web applications, sites, and services with just one password.

    May 31, 2017 Security Incident (UPDATED June 1, 2017)
    https://www.onelogin.com/blog/may-31-2017-security-incident

    Reply
31. June 2, 2017 at 10:53 am

    Tomi Engdahl says:

    Microsoft accidentally releases Windows 10 Mobile build that bricks your device
    https://mspoweruser.com/microsoft-accidentally-releases-windows-10-mobile-build-which-bricks-your-device/

    Microsoft accidentally released a new build of Windows 10 to Windows Insiders that you should probably avoid. The company released internal build 16212 for some PCs and Mobile devices to Windows Insiders. Build 16212 causes Windows 10 Mobile devices to enter a boot loop, requiring users to reset their device using the Windows Device Recovery Tool. Resetting your device will mean that you’ll have to get rid of all the files on your devices, and that’s something none of us probably want to do.

    The build is believed to be available to Windows Insiders in the Fast, Slow, and Release Preview rings. However, we’re also hearing that the build is rolling out to some regular users who aren’t part of the Windows Insider program and that’s certainly quite worrying.

    If you’re a Windows Insider, DO NOT install build 16212 on your Mobile or PC. Remember, this is an internal build that was never supposed to get released to users

    Reply
32. June 2, 2017 at 11:27 am

    Tomi Engdahl says:

    Social Security Administration Adopts What NIST is Deprecating
    http://www.securityweek.com/social-security-administration-adopts-what-nist-deprecating

    As of June 10 2017, users of the Social Security Administration (SSA) website will be required to use two-factor (2FA) authentication to gain access. Potentially, this could affect a vast number of American adults, who will be required to enter both their password and a separate code sent to them either by SMS or email text.

    What is surprising is that in July 2016, NIST deprecated SMS-based 2FA in special publication 800-63B: Draft Digital Identity Guidelines. It should be noted this is still a draft, and not yet a formal standard that government agencies are required to meet; but nevertheless, it specifically says, “OOB [2FA] using SMS is deprecated, and may no longer be allowed in future releases of this guidance.” It seems strange, then, that the SSA should introduce precisely what NIST deprecates.

    NIST has chosen to denounce SMS because it is flawed, and not just because there are stronger alternatives. Publication 800-63B stresses, “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators” (section 5.1.3.2). This is not a hypothetical risk. German newspaper Suddeutsche Zeitung reported on May 3, 2017 that criminals had relied on Signaling System No. 7 (SS7) attacks to bypass two-factor authentication systems and conduct unauthorized wire transfers.

    Reply
33. June 2, 2017 at 11:29 am

    Tomi Engdahl says:

    Kmart Payment Systems Infected With Malware
    http://www.securityweek.com/kmart-payment-systems-infected-malware

    Big box department store chain Kmart informed customers on Wednesday that cybercriminals may have stolen their credit or debit card data after installing malware on the company’s payment processing systems.

    Kmart, a subsidiary of Sears Holdings, has not provided any information on which stores are affected and for how long hackers had access to its systems. The retailer operates more than 700 stores, but blogger Brian Krebs learned from his sources in the financial industry that the breach does not appear to impact all locations.

    It’s unclear what point-of-sale (PoS) malware has been used in the attack, but the retailer has described it as “a new form of malware” and “undetectable by current antivirus systems.”

    The company’s investigation showed that names, addresses, social security numbers, dates of birth, email addresses and other personally identifiable information (PII) have not been compromised. Kmart believes the attackers may have only accessed payment card numbers.

    “All Kmart stores were EMV ‘Chip and Pin’ technology enabled during the time that the breach occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited,”

    Credit Card Breach at Kmart Stores. Again.
    https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/

    For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems.

    Asked to respond to rumors about a card breach, Kmart’s parent company Sears Holdings said some of its payment systems were infected with malicious software:

    “We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”

    “Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”

    Sears spokesman Chris Brathwaite said the company is not commenting on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.

    Reply
34. June 2, 2017 at 11:45 am

    Tomi Engdahl says:

    Google Quadruples Top Reward For Hacking Android To $200,000
    https://yro.slashdot.org/story/17/06/01/2011230/google-quadruples-top-reward-for-hacking-android-to-200000

    Google has paid security researchers millions of dollars since launching its bug bounty program in 2010. The company today expanded its Android Security Rewards program because “no researcher has claimed the top reward for an exploit chain in two years.” Right. Well, the program has only been around for two years — a Google spokesperson confirmed that nobody has ever claimed the top reward.

    The reward for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise has quadrupled from $50,000 to $200,000.

    After 0 successful submissions, Google quadruples top reward for hacking Android to $200,000
    https://venturebeat.com/2017/06/01/after-0-successful-submissions-google-quadruples-top-reward-for-hacking-android-to-200000/

    Reply
35. June 2, 2017 at 11:50 am

    Tomi Engdahl says:

    Identity management outfit OneLogin sugar coats impact of attack
    Blog reveals breach. Email warns of data compromise. Support page says crypto at risk
    https://www.theregister.co.uk/2017/06/01/onelogin_breached/

    The company blog describes only “unauthorized access”. In emails sent to customers seen by The Reg the company adds news that “customer data was potentially compromised.” And on a registration-required support page the threat is described as follows:

    “All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.”

    Decrypt data? Woah! That’s a bit more than mere unauthorized access.

    That page offers a long list of things customers need to do, ASAP, namely:

    1. Force a OneLogin directory password reset for your users;
    2. Generate new certificates for your apps that use SAML SSO;
    3. Generate new API credentials and OAuth tokens;
    4. Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors;
    5. Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro;
    6. Generate and apply new Desktop SSO tokens;
    7. Recycle any secrets stored in Secure Notes;
    8. Update the credentials you use to authenticate to 3rd party apps for provisioning;
    9. Update the admin-configured login credentials for apps that use form-based authentication;
    10. Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps;
    11. Replace your RADIUS shared secrets.

    That long list might perhaps be why OneLogin’s been a bit brief in public: it’s a lot of stuff to get done and could set tongues-a-wagging if the extent of the risk became widely known.

    Which was bound to happen anyway.

    The company says it is “working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident.”

    OneLogin offers a single sign-on and other authentication management services

    It’s not the only such outfit: The Register in no way suggests that the likes of Okta, VMware and Citrix have been attacked, but notes all offer single-sign-on across lots of cloudy apps and are therefore obviously a tasty target for criminals who want to get their hands on lots of credentials with one hit.

    Reply
36. June 2, 2017 at 11:52 am

    Tomi Engdahl says:

    UK trigger-happy over fines for data breaches compared with Europe
    Penalties double, but it’s nothing next to GDPR
    https://www.theregister.co.uk/2017/06/01/uk_issues_record_fines_for_data_protection_breaches_compared_with_europe/

    The UK is among the most fined nations in Europe for data protection breaches, doubling the amount of penalties to £3.2m (€3.6m) during 2016.

    According to an analysis by mega consultancy firm PwC, breaches of UK data protection laws last year were followed by 35 fines.

    It found that the UK Information Commissioner’s Office (ICO) also issued 23 enforcement notices in 2016 – a 155 per cent increase on the nine sent in 2015.

    Italy is the only other country in Europe to hand out comparable fines.

    However, under the the General Data Protection Regulation, which will come into force in May 2018, the penalties for a data breach will either be €20m (£17m) or 4 per cent of global annual revenue, whichever is highest.

    Stewart Room, PwC’s global cybersecurity bod, welcomed GDPR as a “force for good” by bringing the issue to much wider attention – no doubt while rubbing his hands together. “After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”

    Reply
37. June 2, 2017 at 6:30 pm

    Tomi Engdahl says:

    OneLogin admits recent breach is pretty dang serious
    https://techcrunch.com/2017/06/01/onelogin-admits-recent-breach-is-pretty-dang-serious/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    OneLogin, a major access management service (think corporate-level password manager) alerted its users yesterday of “unauthorized access” to the data of its US-based users. That kind of thing isn’t always serious… but it turns out this one sure was. An update posted today reveals the hacker may have had very deep access indeed.

    All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.

    Wow! That’s really bad! That indicates that the hacker obtained a level of access that some services don’t even create in the first place. End to end encryption and (nearly) zero knowledge systems exist to prevent this kind of hack in addition to the occasional National Security Letter.

    Reply
38. June 2, 2017 at 7:42 pm

    Tomi Engdahl says:

    Healthcare dev fined $155 MEEELLION for lying about compliance
    eCW body-slammed by Uncle Sam
    https://www.theregister.co.uk/2017/06/01/healthcare_dev_fined_155m_compliance/

    A health records software company will have to pay $155m to the US government to settle accusations it was lying about the data protection its products offered.

    The Department of Justice said that eClinicalWorks (eCW), a Massachusetts-based software company specializing in electronic health records (EHR) management, lied to government regulators when applying to be certified for use by the US Department of Health and Human Services (HHS).

    According to the DoJ, eCW and its executives lied to the HHS about the data protections its products use. At one point, it is alleged that the company configured the software specially to beat testing tools and trick the HHS into believing the products were far more robust and secure than they actually were.

    One cheatware trick involved hard-coding the software to produce drug codes from memory (rather than query a database and return the result), to create the illusion that the software was able to access large databases.

    In other cases, eCW was found to be lying about the software’s ability to transfer records between doctors and audit transfers. As a result, the DoJ says eCW’s software had been filing false claims with the federal government.

    Additionally, the DoJ charged that eCW staff had been giving kickback payments to customers who helped to promote the software.

    Reply
39. June 3, 2017 at 5:41 am

    Tomi Engdahl says:

    The Fireball malware already infected more than 250 million computers worldwide running both Windows and Mac OS
    http://securityaffairs.co/wordpress/59644/malware/fireball-malware-spreading.html

    Check Point have discovered a massive malware campaign spreading the Fireball malware, it has already infected more than 250 million computers running both Windows and Mac OS worldwide.

    The researchers associated the campaign with the operation of the Chinese firm Rafotech that is a company that officially offers digital marketing and game apps to 300 million customers.

    The company is accused of being using the Fireball malware for generating revenue by injecting advertisements onto the browsers, but experts highlighted that the malicious code can be used to comprise a large number of devices.

    The malware replaces the default search engines and home pages with fake search engines (trotux.com).

    The search engine redirects the victim’s queries to either Yahoo.com or Google.com and then includes tracking pixels to collect the victim’s information.

    “From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C– it is not inferior to a typical malware.” continues check Point

    Currently, cyber criminals use the Fireball adware to hijacking users’ web traffic to boost its advertisements

    “Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach,” researchers added.

    To uninstall the adware just remove the respective application from the machine and reset to default settings for your browser.

    Reply
40. June 3, 2017 at 6:48 am

    Tomi Engdahl says:

    Workplace App Trello Unwittingly Exposes Passwords Through Google
    http://www.vocativ.com/434560/trello-office-passwords-google/

    Offices that leave boards unlocked often forget that anyone can find them

    Some companies that use the project management application Trello have accidentally exposed their passwords to anyone who performs a Google search.

    Trello, which says it has one million daily users, works somewhat like an interactive, shared to-do list — a “board” — for a company or team.

    Reply
41. June 3, 2017 at 1:14 pm

    Tomi Engdahl says:

    Has Your Burrito Been Hacked?
    https://www.linkedin.com/pulse/has-your-burrito-been-hacked-matthew-rosenquist?trk=v-feed&lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BmwRqCv0G1I6VTPxjwoFabw%3D%3D

    Chipotle has suffered a data breach. Yes, the beloved, yet recently beleaguered Chipotle restaurant chain has been hacked, exposing customer credit card information. At least 2250 locations were the source of the breach, between March and April of this year. Customer’s credit card numbers, names, verification codes, and transaction data were pilfered.

    This was a Point-of-Sale (POS) malware type of attack where transactional data was siphoned at the registers and exfiltrated to the criminals. We have seen this type of attack at retail outlets for some time. As cash registers have basically become Personal Computers, they are vulnerable to many of the same exploits that hackers are familiar with.

    Reply
42. June 3, 2017 at 2:44 pm

    Tomi Engdahl says:

    Dark Web users of a child porn website tracked after visiting file sharing site
    http://securityaffairs.co/wordpress/59632/cyber-crime/dark-web-child-porn.html

    The U.S. Department of Homeland Security has identified dark web users after they downloaded media through a file sharing services.

    The DHS obtained the IP addresses of several suspects that visited a child porn site hosted in the Tor network.

    Reply
43. June 4, 2017 at 7:35 pm

    Tomi Engdahl says:

    LINUX DISTROS PATCH DANGEROUS VULNERABILITY IN SUDO COMMAND
    http://www.securitynewspaper.com/2017/06/01/linux-distros-patch-dangerous-vulnerability-sudo-command/

    Several Linux distros have issued updates to fix a vulnerability in Sudo, a Linux app behind the “sudo” command, which can allow an unprivileged attacker to gain root privileges.

    The issue, tracked as CVE-2017-1000367, came to light two days ago when security researchers from Qualys published an advisory on the matter.

    Researchers say that an attacker that is in the position to run bash commands can create malformed sudo commands that will allow him to overwrite any file on the system, even root-owned content. In other words, the attacker gains the root-level privileges.

    Reply
44. June 4, 2017 at 10:41 pm

    Tomi Engdahl says:

    NewsUKUK Politics
    Theresa May says the internet must now be regulated following London Bridge terror attack

    http://www.independent.co.uk/news/uk/politics/theresa-may-internet-regulated-london-bridge-terror-attack-google-facebook-whatsapp-borough-security-a7771896.html

    The Prime Minister said terrorists had ‘safe spaces’ online

    New international agreements should be introduced to regulate the internet in the light of the London Bridge terror attack, Theresa May has said.

    The Prime Minister said introducing new rules for cyberspace would “deprive the extremists of their safe spaces online” and that technology firms were not currently doing enough.

    “We cannot allow this ideology the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide,” Ms May said.

    The Conservative manifesto pledges regulation of the internet, including forcing internet providers to participate in counter-extremism drives and making it more difficult to access pornography.

    Reply
45. June 5, 2017 at 7:56 am

    Tomi Engdahl says:

    Symantec Conducts Company-wide CyberWar Games
    http://www.securityweek.com/symantec-conducts-company-wide-cyberwar-games

    CyberWar Games Highlight the Increasing Danger from and to an Interconnected World

    “The next significant cyber attack will likely involve targeting the connected ecosystem of a major business, municipality or nation state, setting off, whether on accident or on purpose, the ‘domino effect’ that forces a change in global power.”

    This is the conclusion of the latest annual Symantec CyberWar Games excercise.

    Each year Symantec builds a full kinetic representation of a new and emerging technology, and invites its 11,000-strong global workforce to attack it. Five years ago, it was ‘nation states’. This was followed by oil and gas and SCADA systems; then finserv; and then healthcare. This year the chosen target was the global supply chain; bringing together the various technologies that enable it (mobile devices, digital currencies, SCADA, autonomous vehicles, and commodities).

    The CyberWar Games tap into the collective IQ of one of the world’s largest security firms — and what comes out is often a new and fresh look at possible attack vectors and the discovery of new 0-day vulnerabilities within that environment.

    Reply
46. June 5, 2017 at 7:57 am

    Tomi Engdahl says:

    Stanford University Site Hosted Phishing Pages for Months
    http://www.securityweek.com/stanford-university-site-hosted-phishing-pages-months

    Hackers compromised the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University to deploy phishing sites, hacking tools, and defacement pages since January, Netcraft has discovered.

    The website was compromised on Jan. 31, and multiple hackers exploited security gaps to deploy their malicious pages over the next several months. During the initial compromise, the hacker placed a rudimentary PHP web shell named wp_conffig.php into the top-level directory of the website, and the naming scheme allowed the shell to remain accessible for four months.

    Reply
47. June 5, 2017 at 7:58 am

    Tomi Engdahl says:

    Facebook Redesigns Security Settings Page
    http://www.securityweek.com/facebook-redesigns-security-settings-page

    Facebook this week announced the roll-out of a redesigned security settings page, meant to make it easier for users to understand the options provided to them.

    As part of the redesign, the social networking platform focused on making important settings easily identifiable and more visible to all users. The changes are based on the results of a research the company recently conducted in an effort to better understand how people use security settings on Facebook, Heidi Shin, product manager on the Protect and Care team, explains.

    Focused on clarity, Facebook redesigns security settings page
    https://www.facebook.com/notes/facebook-security/focused-on-clarity-facebook-redesigns-security-settings-page/10154455181905766/?fref=mentions&_fb_noscript=1

    Reply
48. June 5, 2017 at 7:58 am

    Tomi Engdahl says:

    Putin: Patriotic Russians Could Be Behind Election Hacks
    http://www.securityweek.com/putin-patriotic-russians-could-be-behind-election-hacks

    Russian President Vladimir Putin says patriotic citizens may have launched politically motivated cyberattacks against foreign countries, but denied any government involvement in such operations.

    Following accusations that Russian state-sponsored hackers interfered with the recent elections in the United States, Putin was asked on Thursday at the International Economic Forum in St. Petersburg about the possibility of Russian hackers influencing the upcoming elections in Germany. Putin responded by comparing hackers to artists.

    “If artists get up in the morning feeling good, all they do all day is paint,” Putin said. “The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”

    Reply
49. June 5, 2017 at 9:17 am

    Tomi Engdahl says:

    Capturing Hackers Before They Go Dark
    http://www.securityweek.com/capturing-hackers-they-go-dark

    The good news is that the innate traits of Gen-Z kids make them a perfect fit for cybersecurity. To be an outstanding cybersecurity professional, you need to think outside of the box, be intellectually curious, self-sufficient and collaborative. The bad news is that the average age of hackers is reported to be 17 years old and many are captured by the dark side before they even understand that there is an alternative.

    To capture hackers before they go dark, we need to rethink our cyber education and training. Universities, high schools and, most importantly, middle schools, need to embrace the fact that the Internet is here to stay and therefore, so is cyber. It is imperative that we focus on enabling the aptitude and energy of elementary and middle school kids by providing them with the instructors necessary to teach them about ethics, discuss career paths and reinforce that they can be “the cool kid” in cyber. Imagine the bragging rights of being on the Varsity Cyber Team, commensurate with being on the Varsity Soccer Team. Imagine a cyber arena that is equally open to male and female students to explore and build confidence in a safe and engaging manner. This is not that far reaching of a vision.

    Cyber is a very interesting but difficult domain. It requires both technical and operational breadth and depth of skill at a very fundamental level because tools, tactics and adversaries evolve quickly. This field is perfect for Gen-Z kids but getting them involved requires an evolution of education and parenting because skills that can enable malicious activities must be taught at a very early age.

    I contend that if we don’t embrace cyber for the young Gen-Z and those that follow them, we will never be able to fill the estimated gap in the cybersecurity workforce – shown today by cyberseek.org as being approximately 350,000 openings in the U.S., while a 2015 report from Cisco estimated over 1 million openings.

    How do we close the gap? Gamification, defined rules, engaging team play, scoring, competitive awards and feedback are widely accepted as effective methods for attracting younger (and many times older) generations. These concepts provide the competitive elements of a cyber arena to a full spectrum of Gen-Z, Millennial and Baby-Boomer enthusiasts (yes, even for me).

    Reply
50. June 5, 2017 at 9:19 am

    Tomi Engdahl says:

    Head to the Cloud for a Head’s Up on Fraud
    http://www.securityweek.com/head-cloud-heads-fraud

    When it Comes to Finding Fraudsters, You Must Keep Your Head Above the Clouds.

    Modern online fraud attacks are enormous in scale. They are orchestrated by organized crime rings who control large “armies” of fake user accounts to do their bidding. These coordinated malicious user accounts, either created new or obtained via user hijacking, actively target the various features of modern online services for some type of real-world financial gain. This type of attack can include everything from fake reviews to boost business reputation, promotional credits abused to gain an unfair advantage within games, and stolen credit cards used in fraudulent online transactions. Such attacks can cause millions of dollars of loss to the service, in addition to severely degrading brand name reputation and platform integrity.

    In a recent analysis of more than 500 billion events collected from multiple global online services, 18% of user accounts that originated from cloud service IP ranges were fraudulent.

    The cloud can do more for the fraudsters than increase the number of attack campaigns they can conduct. It also helps them evade detection by traditional anti-fraud solutions. Traditional solutions rely on patterns or rules of known bad activities such as blacklisted IP address ranges or device fingerprints. However, there is little they can provide on new attack patterns, and fraudsters exploit this greatly to their advantage.

    To defeat device fingerprinting techniques, fraudsters leverage the computing power of cloud servers to create hundreds of thousands of unique “devices” using emulation software (after all, the cloud is built on virtualization). Each fake account now originates from a new, different “device,” making it ineffective to apply device fingerprint checks since those never-before-seen devices lack reputation history.

    Using public cloud services as traffic proxies is similar in functionality to using virtual private networks (VPN).

    With malicious activities being hosted on cloud services, a stopgap measure is to block all traffic from cloud service and/or VPN IP address ranges. However, while they can be abused for fraud and cyberattacks, not all traffic from the cloud is bad. There are many legitimate and productive uses of cloud computing, including business applications, content distribution, mobile communications and corporate VPNs. If online services were to implement such blocking policies, it would certainly be disruptive to the large majority of benign cloud users, not to mention driving away legitimate users and potential revenue.

    The rise of cloud-hosted attacks means that online services need to be prepared to handle attack campaigns that are bigger and more automated than ever before. Social network platforms are more likely to be targeted by these massive attacks, even more so than financial services.

    Reply