Security trends 2017

3,151 Comments

1. June 8, 2017 at 12:23 pm

   Tomi Engdahl says:

   Break crypto to monitor jihadis in real time? Don’t be ridiculous, say experts
   Former gov.UK advisor Rohan Silva branded ‘utterly clueless’
   https://www.theregister.co.uk/2017/06/06/break_e2e_crypto_fight_jihad_cunning_plan/

   Calls by a former special advisor to ex UK Prime Minister David Cameron to allow the circumvention of end-to-end encryption to monitor terrorist suspects have come under fire from security experts.

   Rohan Silva, government policy consultant turned co-founder at Shoreditch-based tech incubator/workspace startup Second Home, appeared on BBC Radio 4′s Today programme (segment starts at 1:19.20; requires presence in the UK) to argue that law enforcement needed real time access to communications of those on the terrorist watch list.

   The tech industry is “not engaging” with policy makers and pushing end-to-end encryption for profit (“worries about customers switching elsewhere”) rather than principle, according to Silva

   Jennifer Arcuri, a co-founder of cyber-security Hacker House, who debated with Silva on Today, pointed out that any government backdoor would necessarily weaken the security of an encrypted comms channel. “If you allow one backdoor for government, you’ve no idea who else is accessing or listening,” she said.

   The government has the capability to hack phones. It is possible to monitor and surveil people, argued Arcuri, who added that the authorities simply need to obtain a warrant under existing surveillance law – namely, the Investigatory Powers Act.

   Silva asserted that terrorists responsible for recent atrocities in Paris 2015 and more recently in April in Stockholm – “insofar as we can tell” – were using encrypted comms.

   “Even if you try to hack into someone’s device, you can’t tell what’s going on within those apps,” he claimed.

   Security experts were quick to say Silva was dead wrong on this point.
   Keys held on a secure element might be safe – but that’s not the scenario in play with WhatsApp or Telegram message exchanges.

   Silva clarified that he was not in favour of “banning encryption” but wants the tech industry to “lean in” and partner with law enforcement to offer real-time interception.

   In the wake of last weekend’s London Bridge terror attack, prime minister Theresa May claimed that tech firms are creating “safe spaces” for extremist ideology to thrive. Other UK cabinet ministers have called for tech companies to do more to help authorities in the fight against terrorism.
   Nobody is talking about putting restriction on hiring vans and buying knives
   Two of the suspects were known to the authorities and ought have been the targets of control orders and travel restrictions.

   Reply
2. June 8, 2017 at 12:30 pm

   Tomi Engdahl says:

   HPE ignored SAN failure warnings at Australian Taxation Office, had no recovery plan
   ‘Stressed fibre optical cabling’ crashed 3PAR box, then wide-striped disks went kaput
   https://www.theregister.co.uk/2017/06/08/ato_hpe_outage_report/

   Between November 2015 and May 2016 HPE’s people designed and implemented the SAN, butHPE:

   Did not include available, automated technical resilience and data/system recovery features (such as 3PAR Recovery Manager and Peer Persistence)
   Did not define or test “recovery procedures for applications in the event of a complete SAN outage”
   Did not define or verify “Processes for data reconciliation in the event of an outage of this nature”

   Once up and running, the SANs generated 159 alerts between May and November 2016. The report says that a contractor named Leidos that the ATO uses for “problem management” recorded 77 issues pertaining to the components that later failed. HPE escalated some of those incidents for further investigation at its US labs

   “indicated these actions did not resolve the potential SAN stability risk.” That risk was again made obvious on November 2016, when the SAN experienced a two-to-three-hour outage. But the ATO soldiered on until December 11th when it went down, hard.

   A dozen drives were later re-started and found to be in “erroneous states”, leaving the SAN without sufficient capacity to retain its desired n-1 parity.

   By now it was early on the 12th and the ATO felt this was a Priority 1 event. The report says HPE “did not make this categorisation at this time”

   Happily, all data was restored. But the ATO was not fully operational again for eight days because recovery tools were stored on the same SAN that had just failed so spectacularly. That decision also made failover to a spare SAN on another site impossible.

   HPE’s failure to heed its own SANs’ warnings may therefore cost it many clients who also decide the cloud is safer than any SAN.

   Reply
3. June 8, 2017 at 12:32 pm

   Tomi Engdahl says:

   Russian hackers and Britney Spears in one story. Are you OK, Reg?
   We’re fine. You might not be as Turla espionage-ware uses Britney’s Instagram for evil
   https://www.theregister.co.uk/2017/06/08/malicious_firefox_extension_reads_the_comments_to_get_its_cc_address/

   The malware scum behind the ongoing Turla campaign have been spotted experimenting with Instagram accounts as a C&C channel.

   The Russian-sourced (and allegedly state-backed) Turla espionage tool has repeatedly re-emerged since its discovery in 2014.

   ESET has turned up a Firefox extension that implements a simple backdoor on Windows targets.

   What’s clickbaity interesting about this is how the extension gets the address of its C&C: in the test run, it was posted to comments to Britney Spears’ Instagram account.

   “The extension will look at each photo’s comment and will compute a custom hash value”,

   The magic number is 183: if the hash matches, the comment is parsed with regex to get the C&C’s Bitly-shortened URL.

   Reply
4. June 8, 2017 at 12:36 pm

   Tomi Engdahl says:

   TSA May Recommend Stowing Laptops In Cargo For US Domestic Flights
   https://hardware.slashdot.org/story/17/06/07/1953229/tsa-may-recommend-stowing-laptops-in-cargo-for-us-domestic-flights

   According to WJZ in Baltimore, the TSA may force passengers to check laptops on domestic U.S. flights. Based on the common fear, uncertainty and doubt that supports the TSA’s security theater, the terror attacks in Great Britain could result in laptop bans in the U.S. TSA officer Camille Morris is quoted as saying, “A AA battery is fine. A AAA. A 9-volt battery is a huge power charge. The size of the battery that can take down a plane when attached to an explosive.”

   Terror Attacks In Britain Come As Summer Travel Season Kicks Off
   http://baltimore.cbslocal.com/2017/06/06/terror-attacks-in-britain-come-as-summer-travel-season-kicks-off/

   Finding and removing the everyday items that terrorists have turned into threats is a huge challenge,

   “Airplanes have been the common threat that we’ve seen over the past several years,” says Ben Yelin, of the University of Maryland Center for Health and Homeland Security.

   “A 9-volt battery,” says TSA officer Camille Morris. “A AA battery is fine. A AAA. A 9-volt battery is a huge power charge. The size of the battery that can take down a plane when attached to an explosive.”

   That kind of threat prompted a ban on laptop and computer pads from airplane cabins flying from seven African and Middle Eastern countries this past spring. It could spread to domestic flights.

   “The Department of Homeland Security is currently considering the possible expansion of that laptop ban,” says Lisa Farbstein, a TSA spokesperson. “No decision has been made.”

   Reply
5. June 8, 2017 at 12:43 pm

   Tomi Engdahl says:

   ‘Scam baiters’ get a kick out of conning the con artists
   http://www.bbc.com/news/technology-39884625

   Every year tens of thousands of people are conned by online scammers, but it is not only the authorities taking action: a network of tech-savvy volunteers is also working to expose them.

   “We waste scammers’ time, we waste their resources and we make them believe they are not as good as they think they are,” Jill – not her real name – explains to the BBC’s Victoria Derbyshire programme.

   She is part of a global network of so-called scam baiters, who spend their evenings trying to unearth online con artists by pretending to fall for their tricks.

   “Scammers are always going to be there but if we can take them down a peg and take a victim away from them any time we can, then we are doing something good,” Jill adds

   The scam baiters say they do not earn a penny from their work and that they have other reasons for taking on the con artists.

   Wayne says scam baiters do point people towards the official routes when they feel out of their depth.

   Death threat

   They often have other scam baiters on stand-by who can be brought in to play other characters in their facade, to confuse the scammer – and waste their time – for as long as they wish.

   Surprisingly, Jill considers her biggest success to be the time she received a death threat from a scammer she had targeted.

   “If you get a death threat you know you’ve really wound someone up. I had one scammer driving round Madrid for a day trying to find ‘Lynn’, who had gone to Madrid.

   “Of course, I hadn’t gone to Madrid,”

   “I take great care in protecting my online persona,” she says.

   “I bait with email addresses that aren’t traceable. I don’t use any of my real-life information. All of my characters are based somewhere 100 miles away from where I live.”

   Reply
6. June 8, 2017 at 6:42 pm

   Tomi Engdahl says:

   FinSMEs:
   Yubico, maker of YubiKey hardware authentication device, raises $30M from NEA, others
   http://www.finsmes.com/2017/06/yubico-raises-30m-in-funding.html

   Yubico enables secure access to computers, servers, and internet accounts via the YubiKey, which delivers strong hardware protection across systems and online services. The YubiHSM, its ultra-portable hardware security module, protects sensitive data inside standard servers.

   Reply
7. June 8, 2017 at 7:01 pm

   Tomi Engdahl says:

   Microsoft acquires Israeli security firm Hexadite, sources say for $100M
   https://techcrunch.com/2017/06/08/microsoft-confirms-its-acquired-hexadite-sources-say-for-100m/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

   Yet more activity in the world of cybersecurity. Microsoft today confirmed that it has acquired Hexadite, an Israeli startup that uses AI to identify and protect against attacks.

   The idea is to expand Microsoft’s existing security portfolio with an infusion of new technology based around new innovations in areas like AI and machine learning. “Our vision is to deliver a new generation of security capabilities that helps our customers protect, detect and respond to the constantly evolving and ever-changing cyberthreat landscape,”

   Reply
8. June 8, 2017 at 8:20 pm

   Tomi Engdahl says:

   Attackers Can Make It Impossible to Dial Emergency Services
   https://www.ecnmag.com/news/2017/01/attackers-can-make-it-impossible-dial-emergency-services?cmpid=horizontalcontent

   It’s not often that any one of us needs to dial 911, but we know how important it is for it to work when one needs it. It is critical that 911 services always be available – both for the practicality of responding to emergencies, and to give people peace of mind. But a new type of attack has emerged that can knock out 911 access – our research explains how these attacks occur as a result of the system’s vulnerablities. We show these attacks can create extremely serious repercussions for public safety.

   In recent years, people have become more aware of a type of cyberattack called “denial-of-service,”

   A similar attack is possible on 911 call centers. In October, what appears to be the first such attack launched from a smartphone happened in Arizona. An 18-year-old hacker was arrested on charges that he conducted a telephone denial-of-service attack on a local 911 service.

   Investigating the impact of an attack

   After we set up our simulation, we attacked it to find out how vulnerable it is. We found that it was possible to significantly reduce the availability of 911 service with only 6,000 infected mobile phones – just 0.0006 percent of the state’s population.

   Using only that relatively small number of phones, it is possbile to effectively block 911 calls from 20 percent of North Carolina landline callers, and half of mobile customers. In our simulation, even people who called back four or five times would not be able to reach a 911 operator to get help.

   Nationally, a similar percentage, representing just 200,000 hijacked smartphones, would have a similar effect. But this is, in a certain sense, an optimistic finding.

   Policy makes the threat worse

   These sorts of attacks could, potentially, be made less effective if malicious calls were identified and blocked at the moment they were placed.

   But federal rules to ensure access to emergency services mean this issue might be moot anyway. A 1996 Federal Communications Commission order requires mobile phone companies to forward all 911 calls directly to emergency dispatchers. Cellphone companies are not allowed to check whether the phone the call is coming from has paid to have an active account in service. They cannot even check whether the phone has a SIM card in place. The FCC rule is simple: If anyone dials 911 on a mobile phone, they must be connected to an emergency call center.

   The rule makes sense from a public safety perspective

   But the rule opens an vulnerability in the system, which attackers can exploit. A sophisticated attacker could infect a phone in a way that makes it dial 911 but report it does not have a SIM card. This “anonymized” phone reports no identity, no phone number and no information about who owns it. Neither the phone company nor the 911 call center could block this call without possibly blocking a legitimate call for help.

   9-1-1 DDoS: Threat, Analysis and Mitigation
   https://arxiv.org/ftp/arxiv/papers/1609/1609.02353.pdf

   Reply
9. June 8, 2017 at 8:43 pm

   Tomi Engdahl says:

   Max Greenwood / The Hill:
   Al Jazeera Media Network says it is under cyberattack, following Tuesday’s revelation that Russian hackers may have breached the Qatar state news agency

   Al Jazeera network reports being under cyberattack
   http://thehill.com/policy/cybersecurity/336959-al-jazeera-media-network-under-cyber-attack

   Al Jazeera Media Network was in the midst of a cyberattack on Thursday, according to Al Jazeera News.

   The organization reported that its websites and digital platforms were the victims of “continual hacking attempts,” though the platforms have not been compromised.

   According to Al Jazeera, the attempts to breach the organization’s digital properties are growing in intensity.

   The reported attack followed the revelation on Tuesday that U.S. investigators believe that Russian hackers may have been responsible for breaching Qatar’s state news agency and posting a fake news story that prompted several countries to cut diplomatic ties with Doha.

   The abrupt decision by several Arab countries, including Saudi Arabia, Egypt, Bahrain and the United Arab Emirates, to sever relations with Qatar sparked the worst diplomatic crisis among Gulf Arab states in decades.

   Reply
10. June 9, 2017 at 5:20 am

    Tomi Engdahl says:

    A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency
    http://securityaffairs.co/wordpress/59842/malware/linux-malware-raspberry-pi.html

    Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.

    The Kinux.MulDrop.14 malware targets unsecured Raspberry Pi devices that have SSH ports open to external connections.

    Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.”

    Every time the Linux malware finds a Raspberry Pi device on the Internet it uses sshpass to attempt to log in using the default username “pi” and the password “raspberry.”

    Researchers at Dr. Web also analyzed a second Linux malware Linux.ProxyM that was used to create a proxy network.

    The malicious code starts a SOCKS proxy server on infected devices used to relay malicious traffic, disguising his real source.

    Reply
11. June 9, 2017 at 12:00 pm

    Tomi Engdahl says:

    EU Agency Offers Corrective for IoT Security ‘Market Failure’
    Urges standards, product labeling to promote consumer trust
    http://www.eetimes.com/document.asp?doc_id=1331869&

    LONDON – Products connected to the Internet of Things should meet a minimum defined level of security and should be labeled accordingly to promote consumer trust, according to the European Union Agency for Network and Information Security (ENISA). The agency worked with Infineon, NXP, and STMicroelectronics to produce a position paper that reflects the European semiconductor industry’s IoT security concerns and provides guidelines for policymakers.

    The paper warns of a current “market failure” for cybersecurity and privacy: Incorporating security measures increases cost, but buyers are reluctant to pay more for solutions with added security. There is thus “no basic level, no zero level defined for the security and privacy of connected and smart devices,” the authors state.

    The position paper urges the European Commission to ensure minimal security requirements for connected devices. It recommends establishing baseline requirements for security and privacy that would set reference levels for trusted IoT solutions depending on the complexity of the device. A third party should evaluate and certify devices, and those that meet the required security level should be identified with an EU Trust Label, the paper suggests.

    “Ideally, the use of the label should be mandatory as a symbol of trust for citizens, consumers and businesses in the connected world,” the paper states. “An obligatory reference framework and an associated label would ensure appropriate levels of security for products and services. This would further lead to a level playing field for the entire industry.”

    Another priority should be the development of reliable security processes and services, such as providing small and medium enterprises (SMEs) with information and training on security solutions, according to the paper.

    https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/infineon-nxp-st-enisa-position-on-cybersecurity

    Reply
12. June 9, 2017 at 12:02 pm

    Tomi Engdahl says:

    Raspberry Pi Malware Mines BitCoin
    http://hackaday.com/2017/06/08/raspberry-pi-malware-mines-bitcoin/

    According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine BitCoins some form of cryptocurrency.

    https://vms.drweb.com/virus/?_is=1&i=15389228

    Reply
13. June 9, 2017 at 4:27 pm

    Tomi Engdahl says:

    Satellite Turla: APT Command and Control in the Sky
    How the Turla operators hijack satellite Internet links
    https://securelist.com/72081/satellite-turla-apt-command-and-control-in-the-sky/

    Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem — the use of satellite-based Internet links. In the past, we’ve seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group.

    Reply
14. June 10, 2017 at 10:02 am

    Tomi Engdahl says:

    “You simply cannot massively collect some digital data for some future use”

    Europe eyeing direct access to cloud services for police data requests
    https://techcrunch.com/2017/06/09/europe-eyeing-direct-access-to-cloud-services-for-police-data-requests/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    In the wake of a spate of terror attacks across Europe, regional interior ministers have been talking tough on tech. Encryption is one technology that’s been under fire from certain quarters.

    There also has been renewed discussion about ways to speed up how law enforcement agencies request data from tech companies — so called e-evidence — even when the requesting force is sited in a different EU country to where the tech firm is based.

    The original intent with e-evidence proposals was aimed at removing barriers to investigating cybercrime, although yesterday the EC’s Justice Commissioner Vera Jourová suggested such moves are important for counterterrorism efforts, too.

    In December, Europe’s top court ruled that governments in the region cannot place “general and indiscriminate” data retention requirements on communications service providers

    Reply
15. June 10, 2017 at 8:47 pm

    Tomi Engdahl says:

    Thailand jails man for 35 years for Facebook posts that insulted its royal family
    https://techcrunch.com/2017/06/09/thailand-jails-man-for-35-years-for-facebook-posts-that-insulted-its-royal-family/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A man in Thailand has been sentenced to 35 years in prison after he was found guilty of insulting the country’s royal family on Facebook.

    Identified only as Wichai, he is alleged to have published 10 photos, videos and comments on the social network that violate Thailand’s strict lèse majesté regulations that outlaw criticism of the royal family, according to free speech group iLaw.

    Reply
16. June 11, 2017 at 2:10 pm

    Tomi Engdahl says:

    Johnny Lin / Medium:
    How scammers use deceptive security apps and abuse search ads in the App Store to trick users into expensive subscriptions — It’s far easier than you think. No luck or perseverance necessary. — At WWDC, Apple reported that they’ve paid out $70 billion to developers, with 30% of that ($21 billion!) in the last year.

    How to Make $80,000 Per Month on the Apple App Store
    It’s far easier than you think. No luck or perseverance necessary.
    https://medium.com/@johnnylin/how-to-make-80-000-per-month-on-the-apple-app-store-bdb943862e88

    At WWDC, Apple reported that they’ve paid out $70 billion to developers, with 30% of that ($21 billion!) in the last year. That’s a huge spike, and surprising to me because it didn’t seem like my friends and I were spending more on apps last year. But that’s anecdotal, so I wondered: Where are these revenues coming from? I opened App Store to browse the top grossing apps.

    Final Note

    App developers take pride in the fact that if their creation adds value, or improves peoples’ lives in some way, then people will be happy to pay for it, and everybody benefits. Not only that, but making good apps requires design, engineering, and sales skills, as well as a ton of dedication and hard work.

    So, aside from the obvious moral wrongs of exploiting the vulnerable for profit, it’s extremely disheartening to know that some developers are becoming financially successful the easy and unethical way — by making bogus apps that take a few hours to code, and whose functionality is purely to steal from the less well-informed.

    Reply
17. June 11, 2017 at 2:17 pm

    Tomi Engdahl says:

    Paul Mozur / New York Times:
    22 arrested in China for selling data like names, phone numbers of Apple customers; police say 20 worked for firms selling Apple devices or as Apple contractors

    Apple Customer Data in China Was Sold Illegally, Police Say
    https://www.nytimes.com/2017/06/09/business/china-apple-personal-data-sold.html

    To Apple’s mounting problems in China, add official scrutiny over privacy.

    The Chinese police said this week that they had arrested 22 people suspected of selling the personal data of an unspecified number of Apple customers. The police, in Cangnan County in the eastern province of Zhejiang, said the thieves had reaped 50 million renminbi, or about $7.3 million, over an unspecified period.

    Many of the details were unclear, including the identities of those involved and the severity of the breach.

    In a statement on Wednesday, the Cangnan police said they found that Apple employees had illegally acquired personal data, then later in the same statement said 20 of the 22 people worked for companies that sell Apple products or are Apple contractors.

    Reply
18. June 11, 2017 at 4:42 pm

    Tomi Engdahl says:

    Dvmap: the first Android malware with code injection
    https://securelist.com/78648/dvmap-the-first-android-malware-with-code-injection/

    In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.

    This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime, and it has been downloaded from the Google Play Store more than 50,000 times. Kaspersky Lab reported the Trojan to Google, and it has now been removed from the store.

    To bypass Google Play Store security checks, the malware creators used a very interesting method: they uploaded a clean app to the store at the end of March, 2017, and would then update it with a malicious version for short period of time. Usually they would upload a clean version back on Google Play the very same day. They did this at least 5 times between 18 April and 15 May.

    Reply
19. June 11, 2017 at 10:16 pm

    Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    How a hacking group used comments on Britney Spears’ Instagram account to hide the location of their malware’s command and control servers — Turla uses social media and clever programming techniques to cover its tracks. — A Russian-speaking hacking group that, for years …

    You’ll never guess where Russian spies are hiding their control servers
    Turla uses social media and clever programming techniques to cover its tracks.
    https://arstechnica.com/security/2017/06/russian-hackers-turn-to-britney-spears-for-help-concealing-espionage-malware/

    A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest.

    According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears’s official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.

    Turla is a Russian-speaking hacking group known for its cutting-edge espionage malware.

    Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
    https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/

    Reply
20. June 11, 2017 at 10:16 pm

    Tomi Engdahl says:

    Nathaniel Popper / New York Times:
    Silk Road now has numerous successors, mostly Asia-based; AlphaBay, now the leading dark web market, has 21k+ opioid listings, 4,100 for fentanyl, related drugs — Anonymous online sales are surging, and people are dying. Despite dozens of arrests, new merchants — many based in Asia — quickly pop up.

    Opioid Dealers Embrace
    the Dark Web to Send
    Deadly Drugs by Mail
    https://www.nytimes.com/2017/06/10/business/dealbook/opioid-dark-web-drug-overdose.html?_r=0

    Anonymous online sales are surging, and people
    are dying. Despite dozens of arrests, new merchants
    — many based in Asia — quickly pop up.

    Reply
21. June 12, 2017 at 9:08 am

    Tomi Engdahl says:

    Default Account, Debug Tool Expose Cisco Prime Users to Attacks
    http://www.securityweek.com/default-account-debug-tool-expose-cisco-prime-users-attacks

    Cisco informed customers this week that its Prime Data Center Network Manager (DCNM) is affected by two critical vulnerabilities that can be exploited for remote code execution and to access the product’s administrative console.

    One of the flaws, tracked as CVE-2017-6639, is related to the lack of authentication and authorization for a debugging tool that was inadvertently left enabled.

    A remote, unauthenticated attacker can exploit the vulnerability to access sensitive information or execute arbitrary code with root privileges by connecting to the debugging tool via TCP.

    The security hole affects Cisco Prime DCNM releases 10.1(1) and 10.1(2) for Windows, Linux and virtual appliances.

    Reply
22. June 12, 2017 at 9:09 am

    Tomi Engdahl says:

    Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets
    http://www.securityweek.com/thousands-ip-cameras-hijacked-persirai-other-iot-botnets

    Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

    The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

    The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

    Trend Micro has determined that of a total of 4,400 IP cameras it tracks in the United States, just over half have been infected with malware. The percentage of infected cameras spotted by the security firm in Japan is nearly 65 percent.

    New Persirai IoT Botnet Emerges
    http://www.securityweek.com/new-persirai-iot-botnet-emerges

    Reply
23. June 12, 2017 at 9:34 am

    Tomi Engdahl says:

    Qatar’s Al-Jazeera Says Battling Cyber Attack
    http://www.securityweek.com/qatars-al-jazeera-says-battling-cyber-attack

    Qatar-based broadcaster Al-Jazeera said Thursday that it was under a widescale cyber attack which had targeted “all systems”, according to a statement released on social media by the broadcaster.

    “Al Jazeera Media Network under cyber attack on all systems, websites & social media platforms,” it said on Twitter.

    The attack was also confirmed by a source at Al-Jazeera, who said the broadcaster was attempting to repel the hack.

    “An attempt has been made, and we are trying to battle it,” said the source.

    Following the initial reports of a cyber attack, some viewers in the region said they could no longer receive Al-Jazeera television.

    Long-running tensions broke out into the open last month after Qatar claimed its state news site was hacked by unknown parties who posted “false” statements attributed to the emir in which he speaks favorably of Iran and the Palestinian Islamist group Hamas.

    Reply
24. June 12, 2017 at 9:35 am

    Tomi Engdahl says:

    Experts, Microsoft Push for Global NGO to Expose Hackers
    http://www.securityweek.com/experts-microsoft-push-global-ngo-expose-hackers

    As cyberattacks sow ever greater chaos worldwide, IT titan Microsoft and independent experts are pushing for a new global NGO tasked with the tricky job of unmasking the hackers behind them.

    Dubbed the “Global Cyber Attribution Consortium”, according to a recent report by the Rand Corporation think-tank, the NGO would probe major cyberattacks and publish, when possible, the identities of their perpetrators, whether they be criminals, global hacker networks or states.

    “This is something that we don’t have today: a trusted international organization for cyber-attribution,” Paul Nicholas, director of Microsoft’s Global Security Strategy, told NATO’s Cycon cybersecurity conference in Tallinn last week.

    - Duping investigators -

    “In the absence of credible institutional mechanisms to contain hazards in cyberspace, there are risks that an incident could threaten international peace and the global economy,” the report’s authors conclude.

    They recommend the creation of an NGO bringing together independent experts and computer scientists that specifically excludes state actors, who could be bound by policy or politics to conceal their methods and sources.

    Rand experts suggest funding for the consortium could come from international philanthropic organisations, institutions like the United Nations, or major computer or telecommunications firms.

    Reply
25. June 12, 2017 at 9:36 am

    Tomi Engdahl says:

    Linux Malware Targets Raspberry Pi for Cryptocurrency Mining
    http://www.securityweek.com/linux-malware-targets-raspberry-pi-cryptocurrency-mining

    The malware, tracked by the company as Linux.MulDrop.14, has been described as a script that contains a compressed and encrypted cryptocurrency miner.

    The Trojan attempts to connect to a device via SSH using the default credentials – the username “pi” and the password “raspberry.” If the device is successfully infected, the miner is unpacked and executed. The Trojan then changes the device’s password and starts looking for other Raspberry Pi computers it can connect to via SSH over port 22.

    Reply
26. June 12, 2017 at 9:36 am

    Tomi Engdahl says:

    ICIT Calls for Legislation to Enforce Encryption on Government Agencies
    http://www.securityweek.com/icit-calls-legislation-enforce-encryption-government-agencies

    The starting point for a new study from the Institute for Critical Infrastructure Technology is not new: “There are only two types of networks, those that have been compromised and those that are compromised without the operator’s awareness.” Since it is impossible to defend the network, the solution is surely to defend the data. Here encryption can offer something more like a guarantee of security.

    The study (PDF) is primarily directed at government networks, where it suggests “federal government breaches have eroded the public’s confidence in the federal entities’ ability to secure sensitive systems and data against adversarial compromise.”

    http://icitech.org/wp-content/uploads/2017/06/ICIT-The-Necessity-of-Encryption-for-Preserving-Critical-Infrastruture-Integrity.pdf

    Reply
27. June 12, 2017 at 9:37 am

    Tomi Engdahl says:

    Microsoft Acquires Security Orchestration Firm Hexadite
    http://www.securityweek.com/microsoft-acquires-security-orchestration-firm-hexadite

    Microsoft announced on Thursday that it has agreed to acquire Boston-based security orchestration firm Hexadite for an undisclosed sum.

    Hexadite’s flagship Automated Incident Response Solution (AIRS™) solution is described by the company as a tool “modeled after the investigative and decision-making skills of top cyber analysts and driven by artificial intelligence.”

    “By eliminating the need to tune down alert volume, Hexadite allows your existing security investments to operate at full capacity and deliver maximum value,” Hexadite explains. “Hexadite AIRS integrates with any detection system via email, syslog or APIs to expedite deployment and investigate every alert.”

    https://www.hexadite.com/

    Reply
28. June 12, 2017 at 9:39 am

    Tomi Engdahl says:

    Arrest in NSA News Leak Fuels Debate on Source Protection
    http://www.securityweek.com/arrest-nsa-news-leak-fuels-debate-source-protection

    It was a major scoop for The Intercept — documents suggesting a concerted Russian effort to hack US election systems — but the online news site is drawing fire in media circles following the arrest of the alleged source of the leak.

    The Intercept, the investigative arm of the First Look Media organization created by eBay founder Pierre Omidyar, is being criticized for sharing information which may have led to the arrest this week of National Security Agency contractor Reality Leigh Winner.

    Winner, 25, was arrested and accused of mailing classified NSA documents to “a news outlet,” according to the US Justice Department, which said an investigation showed she had printed and shared the investigative report.

    Did the news organization unwittingly provide clues to the government that led authorities to Winner? Some media analysts say the journalists were careless at best.

    Some of the harshest criticism came from Washington Post reporter Barton Gellman, who called the case a “catastrophic failure of source protection” and argued that The Intercept “made egregious mistakes that doomed its source.”

    “It handed USG (US government) a color copy of original doc & told a clearance-holding contractor the doc was mailed from Augusta. Where source lived,” tweeted Gellman, a two-time Pulitzer Prize winner who was part of a team reporting from documents leaked by former NSA contractor Edward Snowden.

    Jake Swearingen, a technology writer for New York Magazine, said Winner made her own missteps by printing the documents in a way that could be tracked and mailing them to The Intercept.

    But Swearingen added that The Intercept may have sealed Winner’s fate by showing the document to a government official as part of an effort to verify its authenticity.

    “It’s quite reasonable for The Intercept to seek confirmation,” Swearingen wrote. “But revealing the Augusta, Georgia, postmark to the third-party source clearly helped the government build its case.”

    Reply
29. June 12, 2017 at 10:06 am

    Tomi Engdahl says:

    Cybersecurity and Teaching The Machine
    http://www.securityweek.com/cybersecurity-and-teaching-machine

    What is teaching the machine?

    While teaching the machine is not a formal term that I am aware of, what I mean by that is the process that people — data scientists — go through to convert their expertise of detecting anomalies in patterns of data to something that machines understand and learn. It’s a process by which machines learn how to detect these cybersecurity patterns on their own. And although a data scientist is not typically a subject matter expert on teaching cybersecurity, that person can be a great resource to convert human interpretations to computer algorithms.

    Apache Spot, collaboration between the good guys

    Apache Spot is in its early stages yet it already has all the potential to be the platform where the good guys collaborate, sharing models and algorithms to find the bad actors. Think of it as a foundation for detecting and preventing cybersecurity threats. And the good news is not everyone who collaborates on Apache Spot needs to be a data scientist. In fact, one of the best ways to support the effort is to download, install and run the platform on your own, then use the predefined algorithms and models to provide feedback on your results.

    You can be a force for change without having to learn how Latent Dirichlet Allocation or other algorithms work. Of course we already know the bad guys collaborate, share code, and share secrets. The good guys need to unite and do the same, and Apache Spot wants to — and can —be that uniting force.

    One Large Distributed System

    Cybersecurity should not be a competitive differentiator between organizations and services. Why should you be forced to choose Bank A instead of Bank B only because Bank A is more secure? Wouldn’t it be great if all banks, healthcare providers, telecommunication systems, and governments shared a common platform for cybersecurity with built-in and continually improving cybersecurity machine models? We should, in fact, be able to expect the best security processes and services regardless of the industry.

    Apache Spot at a Glance
    http://spot.incubator.apache.org/

    Apache Spot is a community-driven cybersecurity project, built from the ground up, to bring advanced analytics to all IT Telemetry data on an open, scalable platform. Spot expedites threat detection, investigation, and remediation via machine learning and consolidates all enterprise security data into a comprehensive IT telemetry hub based on open data models. Spot’s scalability and machine learning capabilities support an ecosystem of ML-based applications that can run simultaneously on a single, shared, enriched data set to provide organizations with maximum analytic flexibility. Spot harnesses a diverse community of expertise from Centrify, Cloudera, Cybraics, Endgame, Intel, Jask, Streamsets, and Webroot.

    Reply
30. June 12, 2017 at 10:09 am

    Tomi Engdahl says:

    For Defenders, Automation isn’t Automatic
    http://www.securityweek.com/defenders-automation-isnt-automatic

    time to detection (TTD) is a key indicator in the measure of security effectiveness

    As we improve our ability to quickly find and stop adversaries that have infiltrated our infrastructure in order to mitigate damage, adversaries are under pressure to accelerate their “time to evolve” (TTE). This is the time it takes for them to change their tactics, let alone adjust any malware they may be intending to utilize.

    Using automation, bad actors work nonstop to keep their tactics fresh, move with even more speed, and find ways to evade detection so that they can continue compromising users and systems for as long as possible. For example they use fast flux to rapidly change their IP addresses to quickly and easily mask their means of executing their attacks. They also use polymorphism to combine tried and true mechanisms with frequently changing file extensions and file content types to evolve how they deliver and hide malware. Automation is integral to their ability to shift tactics constantly.

    Unfortunately, when it comes to automation, most defenders are operating at a deficit. Automation isn’t a new concept in the cybersecurity industry.

    There are three main factors.

    1. Complexity: Most organizations face a daunting amount of complexity stemming from multiple, disparate point solutions that don’t, and often can’t, interoperate effectively. Because they aren’t integrated they can’t automatically share and correlate information and activity across networks and systems.

    2. Talent Shortage: Limited budgets and a lack of talent make hiring sprees unlikely. Various reports put the global cybersecurity talent shortage at one million climbing to one and half million in two years. Automation isn’t a matter of pushing a button and walking away – it is a continuous activity.

    3. Lack of Trust: Even though various groups within the organization are on the same team with the same end goal – to defend the organization – they often have competing priorities.

    Automation is essential to defeating cybercriminals who change their tactics frequently to keep their malware strong and profitable. It helps you understand what normal activity is in the network environment faster and more easily, so you can focus scarce resources on investigating and resolving true threats.

    Work with suppliers: To begin with, work with your suppliers and hold them accountable for compatibility, integration, and simplification.

    Align metrics: Use a common agreed set of metrics for internal teams and move away from traditional ways of measuring IT success. The ROI for IT is often measured in two- or three-year periods, whereas security ROI is shorter and evolves quickly. Aligning metrics and time frames will encourage communication, collaboration

    Engender trust: Establishing trust takes time and open communication. Individuals, technology, and processes need to build a reputation for reliability.

    In this complex landscape of rapid evolution, where bad actors have embraced automation to accelerate their TTE, human expertise and point solutions are not enough to identify and respond quickly to threats. Operationalizing people, process, and technology in an integrated way that allows for automation is essential for improving TTD and ensuring swift detection and remediation when infections occur.

    Reply
31. June 12, 2017 at 10:54 am

    Tomi Engdahl says:

    Most applications share your data with outsiders

    When you install a new app on your smartphone, it now asks for permission to use various data collected by the device. The IMDEA Networks Institute survey showed that 70 percent of all smartphone applications share user information about so-called ” For third parties.

    Generally, permission to use data collected by the device is justified.

    According to IMDEA, the problem is that when a license is granted to an application, data can be shared to all those whom the developer wanted to share.

    In practice, for example, Google and Facebook will get apps to know where the user is, how fast he moves and what he is doing. For example, a mapping application loads data to a server for calculating the direction and targets for which the user is going. This information can be utilized in many ways.

    Applications generally do not disclose what program libraries they use. Often this information is listed in user agreements, where no one reads them. IMDEA has a tool (Lumen Provacy Monitor) that reveals, for example, the risk created by shared libraries used by different applications for the user’s personal data.

    Based on statistics, 70% of applications sent user data to at least one service. 15 percent of the applications sent data to at least five data-gathering services.

    Source: http://www.etn.fi/index.php/13-news/6457-valtaosa-sovelluksista-jakaa-datasi-ulkopuolisille

    Reply
32. June 13, 2017 at 4:38 am

    Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers say Crash Override, which took down Ukraine’s power grid, is the only known malware to have attacked physical infrastructure other than Stuxnet — AT MIDNIGHT, A week before last Christmas, hackers struck an electric transmission station north of the city of Kiev …

    ‘Crash Override’: The Malware That Took Down a Power Grid
    https://www.wired.com/story/crash-override-malware

    Reply
33. June 13, 2017 at 8:13 am

    Tomi Engdahl says:

    British Airways: Engineer accidentally cut data center power supply
    http://www.cablinginstall.com/articles/pt/2017/06/british-airways-engineer-accidentally-cut-data-center-power-supply.html

    An engineer had disconnected a power supply at a data center near London’s Heathrow airport, causing a surge that resulted in major damage when it was reconnected, Willie Walsh, chief executive officer of parent IAG SA, told reporters in Mexico.

    The incident led BA’s information technology systems to crash, causing hundreds of flights to be scrapped over three days as the airline re-established its communications.

    The engineer in question had been authorized to be on site, but not “ to do what he did,”

    Analysis: 70% of data center outages directly attributable to human error
    http://www.cablinginstall.com/articles/2013/08/apc-dc-human-error-paper.html

    A new white paper from APC-Schneider Electric contends that “a properly designed, implemented, and supported operations and maintenance (O&M) program will minimize risk, reduce costs, and even provide a competitive advantage for the overall business the data center serves. A poorly organized program, on the other hand, can quickly undermine the design intent of the facility putting its people, IT systems, and the business itself at risk of harm or interruption.”

    The paper’s executive summary states that 70% of data center outages are directly attributable to human error, according to the Uptime Institute’s analysis of their “abnormal incident” reporting (AIR) database. This figure highlights the critical importance of having an effective operations and maintenance (O&M) program, says APC-Schneider Electric.

    Reply
34. June 13, 2017 at 9:59 am

    Tomi Engdahl says:

    Rethinking the Model for Cybersecurity Technology Innovation
    http://www.securityweek.com/rethinking-model-cybersecurity-technology-innovation

    The cybersecurity industry is at an interesting point in its evolution. Business is booming (Gartner expects global information spending to hit $113 billion by 2020), and the cybersecurity technology ecosystem is thriving for both large, established vendors with extensive resources and nimble, innovative startups.

    For example, if you look in even the most advanced network SOC today, you’ll see the same point solutions (antivirus, firewall, IPS, etc.) that security teams have been using for over a decade.

    Traditional methods of creating, delivering and operationalizing security innovations have grown ever more complex due to a combination of several market factors:

    • Fragmented data stores: Even the best machine learning and artificial intelligence techniques rely on a critical mass of telemetry and threat intelligence to train their analytics engines, which is only available in bits and pieces from multiple sources, not to mention adding vendor sprawl, complexity and putting additional burdens on limited resources.

    • Increasing workflow complexity: Organizations must stitch together dozens of products to support use cases across threat identification, analysis, prevention and mitigation. Each new deployment increases complexity, restricts automation and puts a high burden on limited human resources, resulting in lower security outcomes.

    • Need to rapidly consume new security capabilities: Attackers constantly innovate, and organizations must be able to rapidly adjust their security capabilities to detect and prevent successful cyberattacks in a highly agile, automated and instrumented way, without deploying new infrastructure that needs to be purchased (Capex) and managed (Opex).

    We need to rethink the way we design, adopt and deploy new security innovations. We need security solutions that can support hundreds of use cases and applications, not just a few.

    Reply
35. June 13, 2017 at 11:17 am

    Tomi Engdahl says:

    Endpoint Security and the Internet of Things
    http://www.securityweek.com/endpoint-security-and-internet-things

    In 2016, the Mirai Botnet hijacked over half a million DVRs and IP cameras, redirecting traffic from these endpoints to some of the internet’s largest brands and taking many services offline. To those in the security community, the attack wasn’t surprising; typically, affordable, commodity internet devices are poorly secured. One unintended consequence of their rapid adoption is expansion of the digital attack surface. We’re on the brink of hypervulnerability in the connected world—put there, in part, by an unwitting accomplice: the endpoint.

    Today’s growing attack surface is dominated by non-traditional endpoints, ranging from something as innocuous as an internet-connected toy to something as critical as connected sensors controlling energy production in a nuclear plant. Emerging virtual endpoints, such as cloud microservices and containers that swarm by design, exacerbate the problem. According to Statista, by 2020, the number of connected devices in the internet of things (IoT) will grow to 31 billion. IoT includes embedded systems in retail, automotive, home automation and entertainment devices, as well as operational technology in the manufacturing and energy sectors. There are already proven hacks of these technologies, and as the population grows, it’s hard to imagine how any service pack program or standards body can keep up. As a result, IoT will likely contribute significantly to security vulnerabilities.

    Securing the “thing” is not the answer; there will always be too many to manage.

    Instead, observing and patrolling to increase visibility, coupled with analysis and tactical action when problems are spotted, have provided a pragmatic approach to reducing risks inherent in explosive endpoint growth.

    In practice, breaking down the process into three parts tempers what could be an overwhelming task.

    1. Focus on what you can see. Endpoints often have a control point, whether a physical gateway or router in a home or business, or a firewall or proxy at a network or cloud boundary. Get your visibility there and, when possible, control it ruthlessly.

    2. Simple analytics is your friend. Non-traditional endpoints share an often overlooked characteristic: their behavior is predictable. Applying machine learning for baseline modeling is extremely effective to profile risk, detect anomalous behavior and stop it on a large scale.

    3. Hire the best staff you can find, because we will never stop having to patrol, investigate and remediate—and with properly applied analytics you won’t need your army of employees to grow exponentially with the endpoint explosion.

    Success comes down to laying a foundation of monitoring and control to reduce your risk exposure and applying intelligent techniques to the growing endpoint populace. Embrace it, because these technologies make our lives better.

    Reply
36. June 13, 2017 at 11:18 am

    Tomi Engdahl says:

    Improve Incident Response with SOPs for Cyber Threat Intelligence
    http://www.securityweek.com/improve-incident-response-sops-cyber-threat-intelligence

    When it comes to improving cyber incident response, security teams can learn a valuable lesson from the military about the importance of standard operating procedures. “SOPs” document prescribed methods for carrying out an activity or responding to a difficult situation.

    The U.S. Army has SOPs for seemingly everything, and for good reason. Many SOPs help soldiers react to difficult situations with a clear head.

    SOPs for cybersecurity—and more specifically, those developed for cyber threat intelligence programs—can improve incident response. By establishing specific processes for conducting threat intelligence research, security teams can more quickly determine whether a compromise has occurred, and if so, its scope and impact.

    How to Establish SOPs for Threat Intelligence

    Threat intelligence typically consists of compromise indicators, which often take the form of IP addresses, domain names, URLs, file names and malware hashes.

    IP Addresses: Are some network devices more critical than others? Which ones? Do I have the visibility I need to quickly determine if those devices are routing traffic to or from suspicious IPs? Is there a documented process for conducting this kind of research? Do I understand my security technologies well enough to carry out this research under pressure?

    Domain Names: Do I have the ability to quickly look up domain traffic? Can I quickly “whois” those domains for registration info? Is there a documented process for conducting this research? Do I understand my security technologies well enough to do this under pressure?

    URLs: Can I quickly look up suspicious URLs and the end users who visited them? Is there a documented process for doing this kind of research? Do I understand my security technologies well enough to do this under pressure?

    File Names & Malware Hashes: Do I have the endpoint visibility I need to quickly determine if a particular file name or malware hash is present on any of my endpoints?

    Reply
37. June 13, 2017 at 11:19 am

    Tomi Engdahl says:

    Israeli Intelligence Discovered IS Plans for Laptop Bomb: Report
    http://www.securityweek.com/israeli-intelligence-discovered-plans-laptop-ban-report

    Israeli government spies hacked into the operations of Islamic State bombmakers to discover they were developing a laptop computer bomb to blow up a commercial aircraft, the New York Times reported Monday.

    The Times said the work by Israeli cyber operators was a rare success of western intelligence against the constantly evolving, encryption-protected and social-media-driven cyber operations of the extremist group.

    It said the Israeli hackers penetrated the small Syria-based cell of bombmakers months ago

    Reply
38. June 13, 2017 at 11:21 am

    Tomi Engdahl says:

    Thousands of Firms Fail to Update Software on Most Computers: Study
    http://www.securityweek.com/thousands-firms-fail-update-software-most-computers-study

    An analysis of 35,000 companies from more than 20 industries across the world showed that many of them are at risk of suffering a data breach due to their failure to ensure that the software running on their computers is up to date.

    The study conducted by cybersecurity ratings company BitSight focused on Apple and Microsoft operating systems, and the Firefox, Chrome, Safari and Internet Explorer web browsers.

    The research showed that more than 50 percent of computers in over 2,000 organizations run an outdated version of the operating system, and over 8,500 companies have failed to update Web browsers on more than half of their machines.

    The fact that public sector organizations have done a poor job at protecting their systems is not surprising, and even U.S. President Donald Trump called for government agencies to take measures in his recent cybersecurity executive order.

    At the other end of the chart we have the legal and energy sectors, which had the fewest devices running outdated software.

    “Given that the Energy sector provides critical infrastructure services, organizations in this sector should maintain their proactive approach to security,” BitSight said in its report.

    In the case of Windows, more than 60 percent of analyzed PCs were running Windows 7 or earlier, including XP and Vista, which no longer receive updates from Microsoft.

    A Growing Risk Ignored: Critical Updates
    https://cdn2.hubspot.net/hubfs/277648/Insights/BitSight%20Insights%20-%20A%20Growing%20Risk%20Ignored%20-%20Critical%20Updates.pdf?t=1496944784037&utm_campaign=Q217%20BitSight%20Insights&utm_source=hs_automation&utm_medium=email&utm_content=52515743&_hsenc=p2ANqtz–3taBHmLJ9mFDRlsz6fBuZDx51wqsvo_wJigWcGRXX-ETGymjI-cur–Wj3e8dvaXAoXBgmyZjWPaJWoFHFp_ixaHelA&_hsmi=52515743

    EXPLORING THE PREVALENCE OF OUTDATED SYSTEMS AND THEIR LINK TO DATA BREACHES

    Reply
39. June 13, 2017 at 11:27 am

    Tomi Engdahl says:

    Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets
    http://www.securityweek.com/thousands-ip-cameras-hijacked-persirai-other-iot-botnets

    Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

    The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

    The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

    Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
    https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

    Vulnerabilities Summary

    The Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.

    It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.

    So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.

    GoAhead stated that GoAhead itself is not affected by the vulnerabilities but the OEM vendor who did the custom and specific development around GoAhead is responsible for the cause of vulnerabilities.

    The summary of the vulnerabilities is:

    CVE-2017-8224 – Backdoor account
    CVE-2017-8222 – RSA key and certificates
    CVE-2017-8225 – Pre-Auth Info Leak (credentials) within the custom http server
    Authenticated RCE as root
    Pre-Auth RCE as root
    CVE-2017-8223 – Misc – Streaming without authentication
    CVE-2017-8221 – Misc – “Cloud” (Aka Botnet)

    Shodan lists 185 000 vulnerable cameras.

    Reply
40. June 13, 2017 at 11:27 am

    Tomi Engdahl says:

    SambaCry Flaw Exploited to Deliver Cryptocurrency Miner
    http://www.securityweek.com/sambacry-flaw-exploited-deliver-cryptocurrency-miner

    A recently patched Samba flaw known as EternalRed and SambaCry has been exploited in the wild to deliver a cryptocurrency miner to vulnerable machines, researchers warned.

    These attacks, observed by both Kaspersky and Cyphort, were launched shortly after the existence of the security hole was brought to light and proof-of-concept (PoC) exploits were made available.

    The vulnerability, tracked as CVE-2017-7494, affects all versions of Samba since 3.5.0 and it has been addressed with the release of versions 4.6.4, 4.5.10 and 4.4.14. The flaw allows a malicious client to upload a shared library to a writable share, and cause the server to execute the file.

    “The attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers,” Kaspersky researchers said in a blog post. “In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware.”

    The Samba vulnerability has been found to affect many networking devices, including Cisco, Netgear, QNAP, Synology, Varitas and NetApp products.

    Reply
41. June 13, 2017 at 11:48 am

    Tomi Engdahl says:

    Qualys Launches Container Security Product
    http://www.securityweek.com/qualys-launches-container-security-product

    Cloud-based security and compliance solutions provider Qualys on Monday announced a new product designed for securing containers across cloud and on-premises deployments.

    Qualys Container Security, which the company expects to become available in beta starting in July 2017, aims to help organizations proactively integrate security into container deployments and DevOps processes by extending visibility, vulnerability detection and policy compliance checks.

    One of the main features of the initial release will allow users to discover containers and track changes in real time. Organizations can visualize assets and relationships, enabling them to identify and isolate exposed elements.

    The product also provides vulnerability analysis capabilities for images, registries and containers. These capabilities can be integrated via the Qualys API into an organization’s Continuous Integration (CI) and Continuous Development (CD) tool chains, allowing DevOps and security teams to scan container images for known flaws before they are widely distributed.

    “Containers are core to the IT fabric powering digital transformation,” said Philippe Courtot, chairman and CEO of Qualys. “Our new solution for containers enables customers on that journey to incorporate 2-second visibility and continuous security as a critical part of their agile development.”

    Reply
42. June 14, 2017 at 12:14 pm

    Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    In wake of WannaCry, Microsoft fixes 3 flaws affecting unsupported OSes including Windows XP and Windows Server 2003 that it initially said it wouldn’t patch — The company previously said it would not fix three outstanding exploits, but reversed course following the ransomware attack in May.

    Microsoft: Latest security fixes thwart NSA hacking tools
    http://www.zdnet.com/article/microsoft-reverses-course-patches-three-remaining-nsa-exploits-targeting-windows-xp/

    The company previously said it would not fix three outstanding exploits, but reversed course following the ransomware attack in May.

    Microsoft has confirmed its latest round of security patches has fixed three remaining vulnerabilities built by the National Security Agency, which the company previously said it would not fix.

    The company confirmed to ZDNet that it had reversed course on releasing patches for the exploits, which Microsoft said earlier this year only affect older operating systems that have since been retired, notably Windows XP and Windows Server 2003.

    The release comes as the software giant warned of an “elevated risk for destructive cyberattacks” following last month’s ransomware-based cyberattack.

    It’s the latest twist in a cat and mouse game between the National Security Agency and Microsoft in recent months, after the intelligence lost control of its arsenal of hacking tools.

    Microsoft patched the vulnerabilities in all supported versions of Windows in the April update, but left three exploits remaining. The company said that the flaws only affected older versions of Windows, and users should upgrade.

    But after last month’s massive WannaCry outbreak which locked thousands of computers with ransomware, Microsoft is patching the rest of the exploits in an effort to avoid a repeat of the attack.

    A spokesperson said that the three Windows exploits — dubbed ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN (which was also independently discovered) — are now fixed in June’s security updates.

    “These vulnerabilities are quite serious and still widespread, even with the affected systems having been ‘out of service’ for some time,”

    Reply
43. June 14, 2017 at 12:16 pm

    Tomi Engdahl says:

    Reuters:
    US blames North Korean gov’t for cyber attacks since ’09 across media, aerospace, financial sectors and key infrastructure, mainly hitting old Microsoft systems

    U.S. blames North Korea for hacking spree, says more attacks likely
    http://www.reuters.com/article/us-northkorea-cyber-usa-idUSKBN1942MK

    The U.S. government on Tuesday issued a rare alert squarely blaming the North Korean government for a raft of cyber attacks stretching back to 2009 and warning that more were likely.

    The joint warning from the U.S. Department of Homeland Security and the Federal Bureau of Investigation said that “cyber actors of the North Korean government,” referred to in the report as “Hidden Cobra,” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally.

    Reply
44. June 14, 2017 at 12:45 pm

    Tomi Engdahl says:

    U.S. Cyberweapons, Used Against Iran and North Korea, Are a Disappointment Against ISIS
    https://www.nytimes.com/2017/06/12/world/middleeast/isis-cyber.html?smid=tw-share

    WASHINGTON — America’s fast-growing ranks of secret cyberwarriors have in recent years blown up nuclear centrifuges in Iran and turned to computer code and electronic warfare to sabotage North Korea’s missile launches, with mixed results.

    But since they began training their arsenal of cyberweapons on a more elusive target, internet use by the Islamic State, the results have been a consistent disappointment, American officials say. The effectiveness of the nation’s arsenal of cyberweapons hit its limits, they have discovered, against an enemy that exploits the internet largely to recruit, spread propaganda and use encrypted communications, all of which can be quickly reconstituted after American “mission teams” freeze their computers or manipulate their data.

    It has been more than a year since the Pentagon announced that it was opening a new line of combat against the Islamic State, directing Cyber Command, then six years old, to mount computer-network attacks. The mission was clear: Disrupt the ability of the Islamic State to spread its message, attract new adherents, pay fighters and circulate orders from commanders.

    But in the aftermath of the recent attacks in Britain and Iran claimed by the Islamic State, it has become clear that recruitment efforts and communications hubs reappear almost as quickly as they are torn down.

    Reply
45. June 14, 2017 at 12:46 pm

    Tomi Engdahl says:

    Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known
    https://www.bloomberg.com/politics/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

    Attackers said to take measure of voting systems, databases
    A ‘red phone’ warning to the Kremlin from Obama White House

    Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

    In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

    Reply
46. June 14, 2017 at 12:48 pm

    Tomi Engdahl says:

    It’s 2017 and Microsoft is still patching Windows XP+ – to plug holes exploited by trio of leaked NSA weapons
    Bugs used by stolen tools fixed among 96 software holes
    https://www.theregister.co.uk/2017/06/13/windows_patch_tuesday_for_june/

    Reply
47. June 14, 2017 at 6:49 pm

    Tomi Engdahl says:

    Sam Levin / The Guardian:
    Report on cost of misinfo campaigns: $6K for about 40K “high-quality” likes, $5K for 20K comments, while creating and populating social media groups costs ~$40K

    Pay to sway: report reveals how easy it is to manipulate elections with fake news
    https://www.theguardian.com/media/2017/jun/13/fake-news-manipulate-elections-paid-propaganda

    Fake News Machine research comes amid increasing concern about hacking elections and the ways that fake news on social media has manipulated voters

    Political campaigns can manipulate elections by spending as little as $400,000 on fake news and propaganda, according to a new report that analyzes the costs of swaying public opinion through the spread of misinformation online.

    The report from Trend Micro, a cybersecurity firm, said it also costs just $55,000 to discredit a journalist and $200,000 to instigate a street protest based on false news, shining a light on how easy it has become for cyber propaganda to produce real-world outcomes.

    The Fake News Machine research paper comes at a time of increasing concern across the globe about the hacking of elections and the ways that fake news on social media has manipulated voters.

    Exploring the Online Economy that Fuels Fake News
    http://blog.trendmicro.com/trendlabs-security-intelligence/online-economy-fake-news/

    Reply
48. June 14, 2017 at 6:53 pm

    Tomi Engdahl says:

    Billion-Dollar Scams: The Numbers Behind Business Email Compromise
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/billion-dollar-scams-the-numbers-behind-business-email-compromise

    Over the past three years, Business Email Compromise (BEC) schemes have caused at least $5.3 billion in total losses to approximately 24,000 enterprises around the world, according to the latest figures from the FBI. Since January 2015, there has been a 2,370% increase in identified exposed losses, amounting to an average loss of $218,000 per victim. The potential damage and effectiveness of these campaigns compelled the FBI to issue a public service announcement detailing how BEC scams work and how much damage it can cause to targeted employees and companies.

    How do BEC Schemes work?

    The FBI defines Business Email Compromise as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments. Formerly known as the Man-in-the-Email scam, BEC typically starts when business executives’ email accounts are compromised and spoofed, with the fraudster sending emails to an unknowing employee instructing them to wire large sums of money to foreign accounts.

    While some cases involve the use of malware, BEC schemes are known for relying purely on social engineering techniques, making them very hard to detect.

    BEC schemes bank on social engineering techniques that involve posing as an employee of the target company. Based on monitoring of emails used for BEC schemes, cybercriminals most often use the position of the CEO in their attacks. The cybercriminals send emails posing as the company CEO and instruct their target to make money transfers. Other company positions seen used for BEC schemes are the company president and managing director.

    What are the cybercriminal tools used in BEC Schemes

    The tools used in BEC schemes are also another indicator of how easy it is for cybercriminals to launch such an attack. Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free.

    Reply
49. June 14, 2017 at 6:59 pm

    Tomi Engdahl says:

    Jacob Kastrenakes / The Verge:
    Google says it plans to launch its full desktop backup tool, called Backup and Sync, for Google Drive on June 28, available as an app

    Google Drive will soon back up your entire computer
    https://www.theverge.com/2017/6/14/15802200/google-backup-and-sync-app-announced-drive-feature

    Google is turning Drive into a much more robust backup tool. Soon, instead of files having to live inside of the Drive folder, Google will be able to monitor and backup files inside of any folder you point it to. That can include your desktop, your entire documents folder, or other more specific locations.

    The backup feature will come out later this month, on June 28th, in the form of a new app called Backup and Sync. It sounds like the Backup and Sync app will replace both the standard Google Drive app and the Google Photos Backup app, at least in some cases. Google is recommending that regular consumers download the new app once it’s out, but it says that business users should stick with the existing Drive app for now.

    It’s not clear exactly how much you’ll be able to do with the expanded backup feature.

    Reply
50. June 15, 2017 at 8:27 am

    Tomi Engdahl says:

    Jacob Kastrenakes / The Verge:
    Google says it plans to launch its full desktop backup tool, called Backup and Sync, for Google Drive on June 28, available as an app — Google is turning Drive into a much more robust backup tool. Soon, instead of files having to live inside of the Drive folder, Google will be able …

    Google Drive will soon back up your entire computer
    https://www.theverge.com/2017/6/14/15802200/google-backup-and-sync-app-announced-drive-feature

    Google is turning Drive into a much more robust backup tool. Soon, instead of files having to live inside of the Drive folder, Google will be able to monitor and backup files inside of any folder you point it to. That can include your desktop, your entire documents folder, or other more specific locations.

    The backup feature will come out later this month, on June 28th, in the form of a new app called Backup and Sync. It sounds like the Backup and Sync app will replace both the standard Google Drive app and the Google Photos Backup app, at least in some cases. Google is recommending that regular consumers download the new app once it’s out, but it says that business users should stick with the existing Drive app for now.

    Backup and Sync from Google available soon
    https://gsuiteupdates.googleblog.com/2017/06/backup-and-sync-from-google-available.html

    On June 28th, 2017, we will launch Backup and Sync from Google, a tool intended to help everyday users back up files and photos from their computers, so they’re safe and accessible from anywhere. Backup and Sync is the latest version of Google Drive for Mac/PC, which is now integrated with the Google Photos desktop uploader. As such, it will respect any current Drive for Mac/PC settings in the Admin console.

    Backup and Sync is primarily intended for consumer users. We recommend that our G Suite customers continue to use Drive for Mac/PC until our new enterprise-focused solution, Drive File Stream (currently in EAP), is made generally available to all G Suite Basic, Business, Enterprise, Education, and Nonprofit domains later this year.

    Reply