Cyber security June 2018

This posting is here to collect security alert news in June 2018.

I post links to security vulnerability news to comments of this article.


  1. Tomi Engdahl says:

    Data breach in the booking system of a Helsinki-Vantaa airport hotel: hundreds of payment card details may have leaked into the wrong hands

  2. Tomi Engdahl says:

    Next month you will see a lot of error messages: a big change is coming to Chrome

  3. Tomi Engdahl says:

    The Wiretap Rooms
    The NSA’s Hidden Spy Hubs in Eight U.S. Cities

  4. Tomi Engdahl says:

    Yet another massive Facebook fail: Quiz app leaked data on ~120M users for years

    Facebook knows the historical app audit it’s conducting in the wake of the Cambridge Analytica data misuse scandal is going to result in a tsunami of skeletons tumbling out of its closet.

    It’s already suspended around 200 apps as a result of the audit — which remains ongoing, with no formal timeline announced for when the process (and any associated investigations that flow from it) will be concluded.

  5. Tomi Engdahl says:

    Cyber nasties downed NHS systems for 1,300 hours over 36 months
    FoI request reveals extent of attacks on UK healthcare

    NHS trusts across England experienced more than 1,300 hours of downtime in the last three years,

    Nearly a third of the trusts (25 out of 80) that responded to an FoI request from Intercity Technology admitted they had experienced outages across their IT systems between January 2015 and February 2018.

    Of the 25 trusts that endured a digi-blackout, 14 did so as a result of a security breach. In total, the trusts experienced 18 security breaches over the last three years, causing 18 days of downtime.

    These attacks included the infamous WannaCry ransomware outbreak in May 2017, while others fell victim to the Locky and Zepto malware

  6. Tomi Engdahl says:

    The Future of Cybersecurity Is the Quantum Random Number Generator

    In 1882, a banker in Sacramento, Calif., named Frank Miller developed an absolutely unbreakable encryption method.

    About 35 years after Miller’s book, Bell Labs engineer Gilbert S. Vernam and U.S. Army Capt. Joseph Mauborgne came out with essentially the same idea, which they called the one-time pad. And ever since, cryptographers have tried to devise a way to generate and distribute the unique and truly random numbers that the technique requires. That, it turns out, is incredibly hard to do.

    So instead, we’ve relied on less secure encryption methods

    Fortunately, researchers have made good progress in recent years in developing technologies that can generate and distribute truly random numbers. By measuring the unpredictable attributes of subatomic particles, these devices can use the rules of quantum mechanics to encrypt messages.

    And that means we’re finally getting close to solving one of cryptography’s biggest puzzles and realizing the unbreakable encryption envisioned by Miller so many years ago.

  7. Tomi Engdahl says:

    How a California Banker Received Credit for His Unbreakable Cryptography 130 Years Later

    Frank Miller was a banker, which makes it surprising that he made an important contribution to cryptography. Now credited as the first person to invent the one-time pad, a simple yet effective way to encrypt a message
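The two comments above describe the one-time pad without showing why the "truly random, never reused" requirement matters. The following is an added example (not from either article) that implements the pad with XOR and then demonstrates the failure mode: reusing a pad for a second message lets an eavesdropper cancel the key out and recover the second plaintext from the first. os.urandom stands in for the hardware/quantum source the article discusses; that substitution is an assumption of this demo, not part of the original text.

```python
import os

def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. Assumption: this stands in for the
    hardware/quantum RNG the article talks about; it is not one."""
    return os.urandom(length)

def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the pad. The pad must be exactly as long
    as the message and must never be used again."""
    if len(pad) != len(message):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))

otp_decrypt = otp_encrypt  # XOR is its own inverse

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets when one pad is reused for two messages:
    c1 XOR c2 == m1 XOR m2, the pad cancels out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (a crib), the other drops straight out."""
    return bytes(x ^ m for x, m in zip(two_time_pad_leak(c1, c2), known_m1))

if __name__ == "__main__":
    # Constructed sample messages of equal length.
    msg1 = b"wire 10000 USD to account 4471"
    msg2 = b"wire 99999 USD to account 9000"
    pad = new_pad(len(msg1))
    c1 = otp_encrypt(msg1, pad)
    assert otp_decrypt(c1, pad) == msg1
    # Reusing the same pad once is enough to expose the second message.
    c2 = otp_encrypt(msg2, pad)
    print(recover_with_crib(c1, c2, msg1))
```

The point a practitioner should take from this is that the pad's quality and one-time use are the whole security argument: a pad that is predictable, or used twice, reduces the scheme to a plain XOR of the two plaintexts.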

  8. Tomi Engdahl says:

    Colin Lecher / The Verge:
    The California Consumer Privacy Act, one of the toughest data privacy bills in the US, has been signed into law and will go into effect in 2020

    California just passed one of the toughest data privacy laws in the country

    California lawmakers passed one of the toughest data privacy laws in the United States today, as they faced pressure from an even stronger ballot measure in the state.

    The California Consumer Privacy Act of 2018 is set to dramatically change how businesses handle data in the most populous state. Companies that store personal information — from major players like Google and Facebook, down to small businesses — will be required to disclose the types of data they collect, as well as allow consumers to opt out of having their data sold. The bill, which passed both chambers unanimously, was signed later in the day by Gov. Jerry Brown.

    The legislation, which is similar to Europe’s new GDPR protections, is the result of a last-minute attempt to head off a ballot measure that would have brought a slightly different set of privacy rules to the state.

  9. Tomi Engdahl says:

    Inti De Ceukelaire:
    Researcher: Facebook quiz maker NameTests exposed personal info of ~120M users for years, in a data leak that was fixed after the Cambridge Analytica scandal

    This popular Facebook app publicly exposed your data for years

    Ever took a personality test on Facebook? For years, anyone could have accessed your private information, friends, posts and photos.

  10. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Norwegian agency report: Facebook and Google manipulate users to share personal data using “dark patterns” despite GDPR; Windows 10 gets a more favorable rating

    Facebook, Google Manipulate Users to Share Personal Data Despite GDPR

    Despite the new GDPR regulation entering into effect across Europe, Facebook and Google are manipulating users into sharing personal data by leveraging misleading wording and confusing interfaces, according to a report released today by the Norwegian Consumer Council (NCC).

    In its 44-page report, the Norwegian agency accuses Google and Facebook of using so-called “dark patterns” (user interface elements) to “nudge” users towards accepting privacy options.

    These dark patterns include misleading privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users.


  11. Tomi Engdahl says:

    Every Android Device Since 2012 Impacted by RAMpage Vulnerability

    Almost all Android devices released since 2012 are vulnerable to a new vulnerability named RAMpage, an international team of academics has revealed today.

    The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack.

    RAMpage is the latest Rowhammer attack variation

    The first Rowhammer attack on Android devices was named DRammer, and it could modify data on Android devices and root Android smartphones. Today, researchers expanded on that initial work.

    According to a research paper published today, a team of eight academics from three universities and two private companies revealed a new Rowhammer-like attack on Android devices named RAMpage.

    “RAMpage breaks the most fundamental isolation between user applications and the operating system,” researchers said. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”

    “This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” the research team said.

    RAMpage may also impact Apple devices, PCs, and VMs

    Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets.

    The difference between the previous Drammer Rowhammer attack on Android devices and the newer RAMpage Rowhammer attack is that RAMpage specifically targets an Android memory subsystem called ION.

    In a simplified explanation, ION is a part of the Android OS that manages memory allocations between apps and for the OS. Google introduced ION in Android 4.0

    By attacking ION with a Rowhammer attack, RAMpage allows intruders to break the boundaries that exist between Android apps and the underlying OS, hence giving an attacker full control over the device and its data.

    Every Android device released in the past 6 years is affected

    While researchers reproduced a RAMpage attack only on an LG G4 smartphone, they said that “every mobile device that is shipped with LPDDR2, LPDDR3, or LPDDR4 memory is potentially affected, which is effectively every mobile phone since 2012.”

    GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM

  12. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Researchers find Rowhammer vulnerability variant, dubbed RAMpage, affecting all post-2012 Android devices that could allow full control of devices and data

    Every Android Device Since 2012 Impacted by RAMpage Vulnerability

  13. Tomi Engdahl says:

    Cisco ASA Flaw Exploited in the Wild After Publication of Two PoCs

    Exploitation started after the publication of PoC code

    Cisco patched CVE-2018-0296 at the start of the month, on June 6. But in an update to a security advisory the company published earlier this month, Cisco said it is “aware of customer device reloads related to this vulnerability.”

    The company hints that the publication of a public proof-of-concept (PoC) exploit might have started these exploitation attempts.

  14. Tomi Engdahl says:

    Exposing the Secret Office 365 Forensics Tool

    An ethical crisis in the digital forensics industry came to a head last week with the release of new details on Microsoft’s undocumented “Activities” API. A previously unknown trove of access and activity logs held by Microsoft allows investigators to track Office 365 mailbox activity in minute detail. Following a long period of mystery and rumors about the existence of such a tool, the details finally emerged, thanks to a video by Anonymous and follow-up research by CrowdStrike.

    Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises

    Business email compromises (BECs) are a big problem across a multitude of industries. Just last week, the FBI participated in an international BEC takedown, arresting 74 individuals across the United States, Nigeria, Canada, Mauritius and Poland. In 2016, the Internet Crime Complaint Center (IC3) named BEC “the $3.1 Billion Scam”, with some predicting losses to exceed $9 Billion in 2018.

    In the course of the CrowdStrike® Services team’s investigative work responding to BEC cases, we recently discovered a capability within Office 365 that allows for the retrieval of Outlook mailbox activity logs that far exceeds the granularity provided by existing, documented Office 365 log sources, such as the Unified Audit Log. This capability represents access to an always-on, mailbox activity recording system that is active by default for all users. This blog details CrowdStrike’s knowledge of and experience with this remarkable Office 365 logging capability.

    This capability consists of a web API that uses Exchange Web Services (EWS) to retrieve Office 365 Outlook mailbox activities. The API can be accessed by anyone with knowledge of the API endpoint and a specific HTTP header. Activities are recorded for all users and are retained for up to six months. There are many activity types, including logins, messages deliveries, message reads, and mailbox searches.

    Threat actors, such as Nigerian confraternities, often adhere to standardized playbooks when engaging in business email intrusions.

    The threat actors typically identify key executives and employees involved in financial transactions such as wire transfers, and monitor their activity for periods ranging from weeks to months.

    Once the threat actors feel comfortable, they insert themselves into email conversations to conduct fraud. They often start by initiating wire transfer requests starting with smaller dollar amounts and working their way up.

    Within the Outlook REST API, there is an undocumented API subset known as Activities.
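The comment above lists the activity types the log records (logins, deliveries, reads, mailbox searches) and the BEC playbook (monitor finance-related mail for weeks, then step into a wire-transfer thread). What an investigator does with such a feed is correlate them. The following is an added example, not CrowdStrike's code and not the real Activities API schema: the record layout, field names and type values are assumptions, and the records are constructed. It flags a login from an IP the user has never used before that is followed, within an hour, by searches or reads touching finance topics.

```python
from datetime import datetime, timedelta

# Terms the BEC playbook goes looking for (constructed list).
FINANCE_TERMS = ("wire", "invoice", "payment", "bank", "iban", "swift")

# Per-user baseline of previously seen login IPs (constructed; in practice
# built from the same activity feed over a longer look-back period).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}}

# Constructed activity records. Field names and "type" values are assumptions
# for this example, not the real Activities API schema.
ACTIVITIES = [
    {"ts": "2018-06-12T08:01:00Z", "user": "alice@example.com", "type": "Login",
     "ip": "203.0.113.10"},
    {"ts": "2018-06-12T08:05:00Z", "user": "alice@example.com", "type": "MessageRead",
     "ip": "203.0.113.10", "subject": "Lunch on Friday?"},
    {"ts": "2018-06-13T02:14:00Z", "user": "alice@example.com", "type": "Login",
     "ip": "198.51.100.77"},
    {"ts": "2018-06-13T02:16:00Z", "user": "alice@example.com", "type": "MailboxSearch",
     "ip": "198.51.100.77", "query": "wire transfer"},
    {"ts": "2018-06-13T02:20:00Z", "user": "alice@example.com", "type": "MessageRead",
     "ip": "198.51.100.77", "subject": "RE: invoice 4471 approval"},
]

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _mentions_finance(text: str) -> bool:
    t = text.lower()
    return any(term in t for term in FINANCE_TERMS)

def find_bec_indicators(activities, known_ips, window=timedelta(hours=1)):
    """Return one finding per login from an unknown IP that is followed within
    `window` by finance-related mailbox searches or message reads from that IP."""
    findings = []
    for login in (a for a in activities if a["type"] == "Login"):
        user, ip = login["user"], login["ip"]
        if ip in known_ips.get(user, set()):
            continue  # seen before, not interesting on its own
        start = _ts(login["ts"])
        reasons = []
        for a in activities:
            if a["user"] != user or a["ip"] != ip or a["type"] == "Login":
                continue
            if not start <= _ts(a["ts"]) <= start + window:
                continue
            if a["type"] == "MailboxSearch" and _mentions_finance(a["query"]):
                reasons.append(f"search for '{a['query']}'")
            elif a["type"] == "MessageRead" and _mentions_finance(a["subject"]):
                reasons.append(f"read '{a['subject']}'")
        if reasons:
            findings.append({"user": user, "ip": ip,
                             "login_ts": login["ts"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_bec_indicators(ACTIVITIES, KNOWN_IPS):
        print(f["user"], f["ip"], f["login_ts"], "; ".join(f["reasons"]))
```

The same correlation is possible against the documented Unified Audit Log, but, as the comment notes, the Activities feed records reads and searches that the audit log does not, which is what makes the "monitoring" phase of the playbook visible at all.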

  15. Tomi Engdahl says:

    Marketing firm Exactis exposes 340 million customer records online

    By Sead Fadilpašić, 2018-06-28
    Major data breach affects millions, but it's unknown how much information was leaked.

  16. Tomi Engdahl says:

    Some Spectre In-Browser Mitigations Can Be Defeated

    Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.

    According to research published by Aleph Security on Tuesday, the company’s researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser’s protected memory.

    The browsers were running a version that received mitigations against such attacks, researchers said.

    Researchers bypass Spectre v1 in-browser protections

    Edge, Chrome, Safari protections defeated

    But Noam Hadad and Jonathan Afek, two security researchers with Aleph Security, said they were able to find a way around the index masking mitigation (1), data timing mitigations (3 & 4) and jittered timer outputs (5).

    The two put together proof-of-concept code —also shared on GitHub— that defeats the above mitigations and retrieves data from a browser’s protected memory —data that a malicious page should not be able to access under normal circumstances.

    Better mitigations needed

    The PoC exfiltrates data at very slow speeds, but researchers did not develop it for offensive purposes. The research only probed the effectiveness of the Spectre in-browser patches.

  17. Tomi Engdahl says:

    Those Harder to Mitigate UPnP-Powered DDoS Attacks Are Becoming a Reality

    Security researchers are continuing to see DDoS attacks that leverage the UPnP features of home routers to alter network packets and make DDoS attacks harder to detect and mitigate with classic solutions.

    The UPnP port masking technique is a new one and was first detailed last month by security researchers from Imperva.

    Imperva staff reported that some DDoS botnets had started using the UPnP protocol found on home routers to bounce DDoS traffic off the router, but alter the traffic’s source port to a random number.

    UPnP port masking spreads from DNS and NTP to SSDP

    Back in May, Imperva researchers said they’ve seen botnets executing DDoS attacks via the DNS and NTP protocols, but using UPnP to disguise the traffic as coming from random ports, and not port 53 (DNS) or port 123 (NTP).

    SSDP DDoS attacks that would have been easily mitigated by blocking incoming packets that originated from port 1900 were harder to spot as most of the traffic came from random ports instead of one.

    DDoS Attacks Leverage UPnP Protocol to Avoid Mitigation
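The comment above explains why the UPnP port-masking trick works: classic mitigation drops reflected traffic by its source port (1900 for SSDP, 53 for DNS, 123 for NTP), and the router's UPnP NAT rewrites that port to a random one. The following is an added example, not Imperva's code, showing the difference between a port-based filter and a payload-based one over a set of constructed UDP packets. The packet layout (a dict with a source port and payload) and the payloads themselves are made up for the demo; the protocol checks are on well-known header fields.

```python
import struct

SSDP_PORT, DNS_PORT, NTP_PORT = 1900, 53, 123

def looks_like_ssdp_response(payload: bytes) -> bool:
    """SSDP M-SEARCH reply: an HTTP/1.1 200 OK carrying ST and USN headers."""
    head = payload[:200].upper()
    return (head.startswith(b"HTTP/1.1 200 OK")
            and b"\r\nST:" in head and b"\r\nUSN:" in head)

def looks_like_dns_response(payload: bytes) -> bool:
    """DNS header: QR bit set (response) and at least one answer record."""
    if len(payload) < 12:
        return False
    flags, _qdcount, ancount = struct.unpack("!HHH", payload[2:8])
    return bool(flags & 0x8000) and ancount > 0

def looks_like_ntp_mode7_response(payload: bytes) -> bool:
    """NTP private mode 7 (monlist-style) reply: response bit set, mode == 7."""
    if len(payload) < 8:
        return False
    first = payload[0]
    return bool(first & 0x80) and (first & 0x07) == 7

def classify(payload: bytes):
    if looks_like_ssdp_response(payload):
        return "ssdp"
    if looks_like_ntp_mode7_response(payload):
        return "ntp-mode7"
    if looks_like_dns_response(payload):
        return "dns"
    return None

def port_filter(packets):
    """The classic mitigation: drop by well-known reflector source port."""
    return [p for p in packets if p["src_port"] in (SSDP_PORT, DNS_PORT, NTP_PORT)]

def payload_filter(packets):
    """Port-agnostic: drop by what the payload is, wherever it claims to come from."""
    return [p for p in packets if classify(p["payload"]) is not None]

# Constructed sample traffic.
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: ssdp:all\r\n"
              b"USN: uuid:1234::upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.1:49152/desc.xml\r\n\r\n")
DNS_QUESTION = b"\x03isc\x03org\x00\x00\xff\x00\x01"              # isc.org ANY
DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 20, 0, 0) + DNS_QUESTION + b"\x00" * 64
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + DNS_QUESTION
NTP_MODE7_REPLY = b"\xd7\x00\x03\x2a" + b"\x00" * 60             # R=1, mode 7, impl 3, code 42
NTP_CLIENT = b"\x23" + b"\x00" * 47                               # ordinary mode 3 client poll

SAMPLE = [
    {"src_port": SSDP_PORT, "payload": SSDP_REPLY},      # unmasked reflections
    {"src_port": DNS_PORT,  "payload": DNS_REPLY},
    {"src_port": NTP_PORT,  "payload": NTP_MODE7_REPLY},
    {"src_port": 40123,     "payload": SSDP_REPLY},      # same traffic, UPnP port-masked
    {"src_port": 51234,     "payload": DNS_REPLY},
    {"src_port": 39999,     "payload": NTP_MODE7_REPLY},
    {"src_port": 54321,     "payload": DNS_QUERY},       # benign
    {"src_port": 60001,     "payload": NTP_CLIENT},      # benign
]

if __name__ == "__main__":
    print("port-based filter drops:", len(port_filter(SAMPLE)))
    print("payload-based filter drops:", len(payload_filter(SAMPLE)))
```

Matching on payload costs more per packet than a port ACL, which is exactly the trade-off the comment is pointing at when it says these attacks are harder to mitigate with classic solutions.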

  18. Tomi Engdahl says:

    Possible Data Breach at Adidas Could Impact Millions of U.S. Customers

    German sportswear company Adidas on Thursday revealed that it launched an investigation after learning of a potential data breach that could impact millions of its U.S. customers.

  19. Tomi Engdahl says:

    Hackers Plant Malicious Code on Gentoo Linux GitHub Page

    Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.

    “Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.

  20. Tomi Engdahl says:

    Ticketmaster Blames Third Party Over Data Breach

    Ticketmaster UK has had the personal information of thousands of customers compromised. This may include name, address, email address, telephone number, payment details and Ticketmaster login details, the company said.

    How many accounts have been compromised has not been specified, although the company says in a statement, “Less than 5% of our global customer base has been affected by this incident;” adding, “Customers in North America have not been affected.”

    Details of the hack have not yet been disclosed other than it involved ‘an unknown third-party’.

    Ticketmaster clearly feels that Inbenta is at fault. Inbenta takes a slightly different view.

    “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.” In other words, it is Ticketmaster that is at fault.

    James Romer, chief security architect at SecureAuth + Core Security, explains, “a customer service chatbot was compromised by malware and exported UK customers’ data to an unknown third-party.”

  21. Tomi Engdahl says:

    Russia Expert to Lead Canada’s Electronic Eavesdropping Agency

    A Russia expert was appointed Wednesday to lead Canada’s electronic eavesdropping agency, amid ongoing concerns of Russian hacking and meddling in Western elections.

    Shelly Bruce moves up from number two at the Communications Security Establishment (CSE) to replace her former boss, outgoing CSE head Greta Bossenmaier.

    Bruce studied Russia and Slavic languages at university before joining the CSE in 2004 as director of intelligence, and quickly moved up the ranks.

  22. Tomi Engdahl says:

    The Next Big Cyber-Attack Vector: APIs

    With cyber-attacks on enterprise networks becoming more sophisticated, organizations have stepped up perimeter security by investing in the latest firewall, data and endpoint protection, as well as intrusion prevention technologies. In response, hackers are moving to the path of least resistance and looking for new avenues to exploit. Many security experts believe the next wave of enterprise hacking will be carried out by exploiting Application Programming Interfaces (APIs).

    In fact, cyber adversaries are already targeting APIs when planning their attacks. The data breach at Panera Bread is a good example. The bakery-café chain left an unauthenticated API endpoint exposed on its website, allowing anyone to view customer information such as username, email address, phone number, last four digits of the credit card, birthdate, etc. Ultimately, data belonging to more than 37 million customers was leaked over an eight-month period. This raises the question on how to minimize the growing cyber security risk associated with APIs without hampering the benefits they provide in terms of agile development and expanded functionality.

    API usage in application development has become the new de facto standard, whereby developers take advantage of integrating functionality from third-party provided services rather than building all the capabilities they need from scratch. This allows for a more agile development process for new products and services.

    Common attack methods being used to exploit APIs include:

    ● API Parameter Tampering – Hackers often use this technique to either reverse engineer an API or gain further access to sensitive data.

    ● Session Cookie Tampering – These attacks attempt to exploit cookies in order to bypass security mechanisms or send false data to application servers.

    ● Man-in-the-Middle Attacks – By eavesdropping on an unencrypted connection between an API client and server, hackers can access sensitive data.

    ● Content Manipulation – By injecting malicious content (e.g., poisoning JSON Web Tokens), exploits can be distributed and executed in the background.

    ● DDoS Attacks – Poorly written code can be used to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported Web application.
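The "poisoning JSON Web Tokens" item in the list above is easiest to understand with a concrete case. The classic instance is a verifier that reads the algorithm from the token's own header and accepts "none" as a valid choice, so an attacker can rewrite the payload and drop the signature. The following is an added example, not from the article: a minimal HS256 signer, a forged alg=none token, a vulnerable verifier that trusts the header, and a hardened one that pins the algorithm server-side. The key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: attacker-chosen claims, alg=none, empty signature."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."

def verify_vulnerable(token: str, key: bytes):
    """VULNERABLE: lets the token's own header decide how it is verified."""
    h, b, s = token.split(".")
    header = json.loads(_unb64url(h))
    if header.get("alg") == "none":
        return json.loads(_unb64url(b))          # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s)):
            return json.loads(_unb64url(b))
    return None

def verify_hardened(token: str, key: bytes):
    """Pin the algorithm and always check the MAC; the header never gets a vote."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, b, s = parts
    try:
        header = json.loads(_unb64url(h))
        sig = _unb64url(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_unb64url(b))

if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-real-use"
    good = sign_hs256({"sub": "alice", "role": "user"}, KEY)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, KEY))
    print("hardened accepts forged token:", verify_hardened(forged, KEY))
    print("hardened accepts real token:", verify_hardened(good, KEY))
```

The same shape of bug applies to key confusion (an RS256 server that will also accept HS256 signed with its own public key); the fix in both cases is the one shown, the server decides the algorithm and the key, never the token.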

  23. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Report: 2,446 Android and 600 iOS apps using Google’s Firebase service found to have misconfigured databases exposing 100M+ records of a wide range of user data

    Thousands of Apps Leak Sensitive Data via Misconfigured Firebase Backends

    Thousands of iOS and Android mobile applications are exposing over 113 GBs of data via over 2,271 misconfigured Firebase databases, according to a report released this week by mobile security firm Appthority.

    Firebase is a Backend-as-a-Service offering from Google that contains a vast collection of services that mobile developers can use in the creation of mobile and web-based apps.

    The service is insanely popular with top Android devs, providing cloud messaging, push notifications, database, analytics, advertising, and a bunch more of other backends and APIs that they can easily plug into their projects and benefit from Google’s large-scale and high-performance systems within their apps.

    Appthority scanned over 2.7 million mobile apps
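The comment above says the databases were "misconfigured" without saying what the misconfiguration looks like. For a Firebase Realtime Database it is the security-rules document: a rule set that grants `.read` or `.write` unconditionally makes the whole tree readable over the public REST endpoint without any credential. The following is an added example, not Appthority's tooling: a small linter that walks a rules document and reports grants that are public or that admit any signed-in user, shown against a constructed weak rule set and a corrected one.

```python
import json

# Constructed: the "test mode" style rules that leave the whole database
# world-readable and world-writable.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: rules that grant any authenticated user the entire tree, which
# is better than public but still lets every app user read every other user's data.
ANY_AUTH_RULES = json.loads("""
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
""")

# Constructed: per-user data gated on the caller's own uid.
CORRECTED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        ".validate": "newData.hasChildren(['email'])"
      }
    }
  }
}
""")

def lint_rules(rules: dict):
    """Walk a Realtime Database rules tree and return (path, key, severity)
    for every .read/.write grant that is public or open to any signed-in user."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                expr = str(value).strip().lower()     # True, "true" and "TRUE" all count
                if expr == "true":
                    findings.append((path or "/", key, "public"))
                elif expr == "auth != null":
                    findings.append((path or "/", key, "any-authenticated"))
            elif isinstance(value, dict):             # .validate/.indexOn are not subtrees
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("any-auth", ANY_AUTH_RULES),
                      ("corrected", CORRECTED_RULES)):
        print(name, lint_rules(doc))
```

A finding at "/" is the case the report is about: everything under the root is reachable by anyone who can guess or extract the project's database URL from the app binary.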

  24. Tomi Engdahl says:

    Danny Crichton / TechCrunch:
    Automated threat detection service JASK raises $25M Series B led by Kleiner Perkins, bringing total raised to $39M

    JASK nets $25M from Kleiner to build out autonomous security operations

    Cyberthreats are on the rise everywhere. Companies are facing a barrage of attacks from hackers near and far, and their security operations centers are struggling to keep up.

    That’s where JASK comes in. The startup offers an autonomous security operations platform to respond to this new security environment, and it’s a mission that is finding resonance among investors.

    an in-depth profile of JASK earlier this year, the startup is attempting to completely rebuild the modern security operations center from the ground up. Rather than building manual playbooks, it wants to create a hybrid human-artificial intelligence system that can learn and adapt to new threats while offering more engaging feedback to security analysts. The hope is that the platform will massively reduce the burden of security so that human analysts can spend more of their time on challenging cases rather than routine ones

    JASK and the future of autonomous cybersecurity

    Automated attacks have overwhelmed corporate security departments. This startup is helping to fight back

  25. Tomi Engdahl says:

    Ransomhack; a new attack blackmailing business owners using GDPR

    Hackers Are Threatening Companies To Leak Stolen User Data Online To Hurt Them Through GDPR Regulations – In Return They Are Demanding Ransom Money.

  26. Tomi Engdahl says:

    Researchers Devise Rowhammer Attacks Against Latest Android Versions

    A team of researchers from universities worldwide have devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.

    Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).

    Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.

    In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.

  27. Tomi Engdahl says:

    Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses

    While cryptocurrency has seen tremendous growth over the past year, sending cryptocoins still requires users to send the coins to long and hard to remember addresses. Due to this, when sending cryptocoins, many users will simply copy the address into memory from one application and paste it into another application that they are using to send the coins.

    Attackers recognize that users are copying and pasting the addresses and have created malware to take advantage of this. This type of malware, called CryptoCurrency Clipboard Hijackers, works by monitoring the Windows clipboard for cryptocurrency addresses, and if one is detected, will swap it out with an address that they control. Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attacker's control instead of the intended recipient.

    This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week.
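The comment above describes the mechanism (spot an address in clipboard text, replace it with one the attacker controls) and the only defence it names (double-check the address after pasting). The following is an added example, not the malware's code and not from the article: it shows how little the detection side needs (one regular expression over the Base58 alphabet), what the swap does to clipboard text, and a paste-time check that validates the Base58Check checksum and compares the pasted address against the one the user meant to send to. The addresses are constructed from SHA-256 digests in place of real hash160 values, which is an assumption of the demo.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The kind of pattern a clipboard hijacker uses to spot a legacy Bitcoin
# address (version 0 or 5) in clipboard text.
BTC_ADDRESS_RE = re.compile(r"\b[13][" + ALPHABET + r"]{25,34}\b")

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)          # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body

def b58check_encode(version: int, payload: bytes) -> str:
    body = bytes([version]) + payload
    checksum = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return b58encode(body + checksum)

def b58check_decode(addr: str):
    raw = b58decode(addr)
    if len(raw) != 25:
        raise ValueError("bad length")
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        raise ValueError("bad checksum")
    return body[0], body[1:]

def is_valid_address(addr: str) -> bool:
    try:
        b58check_decode(addr)
        return True
    except ValueError:
        return False

def find_addresses(text: str):
    """What the hijacker does on every clipboard change."""
    return BTC_ADDRESS_RE.findall(text)

def hijack(clipboard_text: str, attacker_addr: str) -> str:
    """What the hijacker does once it finds one: swap it for its own."""
    return BTC_ADDRESS_RE.sub(attacker_addr, clipboard_text)

def check_paste(expected: str, pasted: str) -> str:
    """Paste-time check: a valid checksum is necessary but not sufficient,
    the pasted address must also be the one the user intended."""
    if not is_valid_address(pasted):
        return "invalid-checksum"
    if pasted != expected:
        return "address-swapped"
    return "ok"

# Constructed addresses: SHA-256 digests stand in for real hash160 values.
MERCHANT = b58check_encode(0, hashlib.sha256(b"merchant").digest()[:20])
ATTACKER = b58check_encode(0, hashlib.sha256(b"attacker").digest()[:20])

if __name__ == "__main__":
    clipboard = "please pay " + MERCHANT + " before Friday"
    swapped = hijack(clipboard, ATTACKER)
    print(find_addresses(swapped), check_paste(MERCHANT, find_addresses(swapped)[0]))
```

The swapped address passes the checksum, so a wallet's own "is this a valid address" check does not catch it; only a comparison against the address the user actually obtained out of band (or the visual double-check the comment recommends) does.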

  28. Tomi Engdahl says:

    Typeform Announces Breach After Hacker Grabs Backup File

    Barcelona-based online survey and form building service Typeform announced a data breach today after an unknown attacker downloaded a backup file containing sensitive customer information.

    The backup file contained data gathered by Typeform customers through surveys and online forms up until May 3, 2018.

    The company said the incident happened after the attacker exploited a vulnerability, yet it did not reveal what vulnerability that was. Typeform did say they plugged the security hole.

    Server flaw plugged in 30 minutes

  29. Tomi Engdahl says:

    Facebook App Exposed Data of 120 Million Users

    A recently addressed privacy bug resulted in the data of over 120 million users who took personality quizzes on Facebook being publicly exposed.

    Patched as part of Facebook’s Data Abuse Bounty Program, the vulnerability resided in serving users’ data to any third-party that requested it, something that shouldn’t normally happen.

    Facebook launched its Data Abuse Bounty Program in April, as part of its efforts to improve user privacy following the Cambridge Analytica scandal. The company also updated its terms on privacy and data sharing, but also admitted to tracking people over the Internet, even those who are not Facebook users.

  30. Tomi Engdahl says:

    Two Arrested for Hacking 700,000 Accounts

    Russian law enforcement this week said two individuals were arrested for compromising accounts of loyalty program members from popular websites.

    The unnamed cybercriminals allegedly compromised around 700,000 accounts from companies such as PayPal, Ulmart, Biglion, KupiKupon, Groupon, and others. They are also said to have put 2,000 of these accounts up for sale for $5 each.

    “The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined,” Group-IB, which aided with the investigation, says.

