Cyber Security July 2018

This posting is here to collect security alert news in July 2018.

I post links to security vulnerability news to comments of this article.


  1. Tomi Engdahl says:

    Newsmaker Interview: Bruce Schneier on ‘Going Dark’ and the Crypto Arms Race

    Noted cryptographer waxes on the threats posed by physical cyber systems, ‘going dark’ and a crypto arms race.

    Bruce Schneier is a computer security expert who, for decades, has been a leading voice for cryptography and all things security. In this question-and-answer formatted interview, Schneier describes the disjunction of today’s abundance of encryption tools and a dearth of personal security. Schneier also touches on some of the dangers associated with “middle ground” compromises in encryption to placate law enforcement.

  2. Tomi Engdahl says:

    Can graphical passwords keep us secure online?

    People stink at text-based passwords. Is there a better way? What if we could simply tell a story only we know using pictures?

  3. Tomi Engdahl says:

    The EU Has Understood the Issue of IoT Security… Seriously

    As we have already described in previous articles, the topic of IoT security is something that is explosive. Of course, if we live in a functional smart home at some point, we would like the devices that know everything about us not to fall into the hands of the bad guys.

  4. Tomi Engdahl says:

    The Hackers Group Target Russian Bank Stole Around 1 Million Dollars

    The Hackers group Stole $1 Million from Russian Bank.
    Hacker attacks on Bank network through a vulnerable router.
    Russian Cyber Security Firm investigating the incident.

  5. Tomi Engdahl says:

    Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks

    Armis, the cyber-security firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol, warns that nearly half a billion of today’s “smart” devices are vulnerable to a decade-old attack known as DNS rebinding.

    DNS rebinding attacks are when an attacker tricks a user’s browser or device into binding to a malicious DNS server and then make the device access unintended domains.

    DNS rebinding attacks are normally used to compromise devices and use them as relay points inside an internal network.

    Almost all types of IoT devices are vulnerable
    Armis says that IoT and other smart devices are perfect for attackers to target via DNS rebinding, mainly due to their proliferation inside enterprise networks

    Don’t expect a massive patching effort
    Patching all these devices against DNS rebinding attacks is a colossal task that may never be done, requiring patches from vendors that can’t be bothered with security for trivial flaws like XSS and CSRF vulnerabilities, let alone complex attacks such as DNS rebinding.

    But Armis experts say that integrating IoT devices into current cyber-security monitoring products may be the easiest and cost-effective solution, rather than looking and auditing new devices to replace the old ones.

    There are now many firms that provide specialized platforms for monitoring IoT devices for enterprises which want to avoid nasty surprises.

    For example, just recently PIR Bank of Russia got a nasty surprise when it discovered that hackers stole $1 million after they breached its network thanks to an outdated router.
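
Two checks a defender can put in place against the DNS rebinding attack described in the comment above: a Host-header allowlist on the device's own web interface (the browser still sends the attacker's domain in Host even though the connection lands on the device) and a resolver-side filter that drops answers for public names that point into private address space (the second, rebound answer the attack depends on). This is an added illustration in Python, not code from Armis or from the article; the hostnames, addresses and domain suffixes are constructed sample values.

```python
import ipaddress
from typing import Iterable

# Constructed sample values: the name and address under which this
# (hypothetical) IoT device legitimately serves its web interface.
ALLOWED_HOSTS = {"thermostat.local", "192.168.1.50"}

# Domain suffixes that may legitimately resolve to private address space.
INTERNAL_SUFFIXES = (".local", ".lan")


def host_header_is_trusted(host_header: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Device-side defence: accept a request only if its Host header names us.

    In a rebinding attack the victim's browser believes it is talking to the
    attacker's domain, so the Host header carries that domain even though the
    TCP connection terminates on the device's private address.  Refusing
    unknown Host values breaks the attack without any DNS changes.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Drop an optional :port.  IPv6 literals are bracketed, e.g. "[::1]:80".
    if host.startswith("["):
        end = host.find("]")
        host = host[1:end] if end > 0 else ""
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host in {a.lower() for a in allowed}


def answer_is_rebinding(qname: str, answers: Iterable[str]) -> bool:
    """Resolver-side defence: flag a reply for a public name that points at a
    private, loopback or link-local address.  Internal names are exempt
    because they are expected to map into RFC 1918 space.
    """
    name = qname.rstrip(".").lower()
    if name.endswith(INTERNAL_SUFFIXES):
        return False
    for text in answers:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # not an address record (e.g. a CNAME target); ignore here
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return True
    return False


def filter_dns_reply(qname: str, answers: list) -> list:
    """Answers a protective resolver would pass on: the whole reply is dropped
    when it looks like a rebinding attempt."""
    return [] if answer_is_rebinding(qname, answers) else list(answers)


if __name__ == "__main__":
    # Constructed request and reply samples.
    for host in ("thermostat.local", "192.168.1.50:8080", "attacker.example"):
        print(f"Host: {host:24} trusted={host_header_is_trusted(host)}")
    # 11.22.33.44 stands in for the attacker's public server; the second reply
    # is the rebound answer pointing the same name at the device on the LAN.
    print(filter_dns_reply("attacker.example", ["11.22.33.44"]))
    print(filter_dns_reply("attacker.example", ["192.168.1.50"]))
```

The Host check is the one a device vendor can ship in firmware without touching the network; the resolver filter is what router and DNS-server "rebind protection" options implement, and it is the only one of the two that protects devices that will never be patched.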

  6. Tomi Engdahl says:

    This old ransomware has been revamped as Bitcoin-stealing malware

    Jigsaw appears to be back with new malicious intentions, with a simple-but-effective trick to go after crypto-currency.

  7. Tomi Engdahl says:

    Surprise! Top sites still fail at encouraging non-terrible passwords

    You would think that Amazon, Reddit, Wikipedia and other highly popular websites would by now tell you that “password1” or “hunter2” is a terrible password — just terrible. But they don’t. A research project that has kept tabs on the top sites and their password habits for the last 11 years shows that most provide only rudimentary password restrictions and do little to help users.

    Although the university writeup notes that Google, Microsoft and Yahoo had the best password practices and Amazon, Reddit and Wikipedia had the worst, it diplomatically declined to go into specifics.

    The biggest failure is inarguably Amazon, which combines truly inadequate password controls with an incredibly valuable and personal service. Wikipedia and Reddit had fewer restrictions, but neither protects such important data; an Amazon account being accessed by malicious actors is a far greater danger.

  8. Tomi Engdahl says:

    Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota

    Security researcher UpGuard Cyber Risk disclosed Friday that sensitive documents from more than 100 manufacturing companies, including GM, Fiat Chrysler, Ford, Tesla, Toyota, ThyssenKrupp, and VW were exposed on a publicly accessible server belonging to Level One Robotics.

    The exposure via Level One Robotics, which provides industrial automation services, came through rsync, a common file transfer protocol that’s used to backup large data sets, according to UpGuard Cyber Risk. The data breach was first reported by the New York Times.

    According to the security researchers, restrictions weren’t placed on the rsync server. This means that any rsync client that connected to the rsync port had access to download this data.

    A publicly accessible server belonging to Level One Robotics, “an engineering service provider specialized in automation process and assembly for OEMs [original equipment manufacturers], Tier 1 automotive suppliers as well as our end users.” Among the companies with data exposed in the incident are divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.

    The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information.

  9. Tomi Engdahl says:

    Electronic Frontier Foundation:
    “Confidential Mode” feature in Gmail is misleading because the emails are not end-to-end encrypted and “expired” messages can be retrieved via the sent folder

    Between You, Me, and Google: Problems With Gmail’s “Confidential Mode”

    With Gmail’s new design rolled out to more and more users, many have had a chance to try out its new “Confidential Mode.” While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security.

    With its new Confidential Mode, Google purports to allow you to restrict how the emails you send can be viewed and shared: the recipient of your Confidential Mode email will not be able to forward or print it. You can also set an “expiration date” at which time the email will be deleted from your recipient’s inbox, and even require a text message code as an added layer of security before the email can be viewed.

    Unfortunately, each of these “security” features comes with serious security problems for users.

    DRM for Email

    It’s important to note at the outset that because Confidential Mode emails are not end-to-end encrypted, Google can see the contents of your messages and has the technical capability to store them indefinitely, regardless of any “expiration date” you set. In other words, Confidential Mode provides zero confidentiality with regard to Google.

    But despite its lack of end-to-end encryption, Google promises that with Confidential Mode, you’ll be able to send people unprintable, unforwardable, uncopyable emails thanks to something called “Information Rights Management” (IRM), a term coined by Microsoft more than a decade ago. (Microsoft also uses the term “Azure Information Protection.”)

    Here’s how IRM works: companies make a locked-down version of a product that checks documents for flags like “don’t allow printing” or “don’t allow forwarding” and, if it finds these flags, the program disables the corresponding features. To prevent rivals from making their own interoperable products that might simply ignore these restrictions, the program encrypts the user’s documents, and hides the decryption keys where users aren’t supposed to be able to find them.

    This is a very brittle sort of security
    Nothing prevents that person from taking a screenshot or a photo of their screen that can then be forwarded, printed, or otherwise copied.

  10. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Android malware authors have been increasingly using “droppers”, which use a multiple-stage infection process, to sneak malicious apps into the Play Store

    Droppers Is How Android Malware Keeps Sneaking Into the Play Store

    For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google’s security scans and sneaking malicious apps into the official Play Store.

    The trick relies on the use of a technique that’s quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market.

    The technique involves the usage of “droppers,” a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats.

    Droppers are very effective on the mobile scene

    But while on desktop environments droppers aren’t particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.

    This is because most mobile phones don’t use an antivirus, and there’s no on-device threat scanner to catch the second-stage payloads.

  11. Tomi Engdahl says:

    Stacy Cowley / New York Times:
    UpGuard: sensitive documents from 100+ companies including VW, Toyota, and Tesla were exposed on a publicly accessible server belonging to Level One Robotics — Automakers like Tesla, Toyota and Volkswagen go to great lengths to keep their technical information confidential.

    ‘Big Red Flag’: Automakers’ Trade Secrets Exposed in Data Leak

    Automakers like Tesla, Toyota and Volkswagen go to great lengths to keep their technical information confidential. Details about assembly line machinery and proprietary robotics are among the industry’s most closely guarded trade secrets.

    But this month, a security researcher came across tens of thousands of sensitive corporate documents — including many from nearly all of the largest auto manufacturers — on the open internet, unprotected. The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls.

    Among the documents were detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information.

    “That was a big red flag,” said Chris Vickery, the researcher who found the data. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”

    It was unclear whether anyone else had seen or downloaded the unguarded data, which included some personal information.

    But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.

    Many of the worst recent data breaches began with a vendor’s mistake.

    Fifty-six percent of the businesses polled last year by Ponemon Institute, a security research firm, said they had at some point experienced a data breach linked to a vendor. The exposure only grows as more third-party companies gain access: The survey’s respondents said an average of 470 outside companies had access to their sensitive corporate information, up from around 380 a year earlier.

    “It’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk,”

    “No one wants their data outside of their own company,”

    Mr. Vickery, the director of cyber risk research at UpGuard,

    He’s a rarity in the industry: a security sleuth who doesn’t hack. Instead, he searches communication ports and the internet’s hive of connected devices to find information inadvertently made public. His discoveries have included medical records, airport security files, hotel bookings, a terrorist screening database and 87 million Mexican voter registration records. Once the sensitive information has been secured, he publicly discloses that the data had been revealed.

    Anyone who connected could download the material, which totaled at least 157 gigabytes and contained nearly 47,000 files filled with factory records and diagrams from companies including Fiat Chrysler, Ford, General Motors, Tesla, Toyota and Volkswagen.

    Officials from General Motors, Toyota and Volkswagen declined to comment on the data exposure. Fiat Chrysler, Ford and Tesla did not respond to requests for comment.

    “Nothing gets better in silence, as far as cybersecurity goes,” Mr. Vickery said. “Human nature is to try to sweep things under the rug. That hurts our society. We need better data security, and nothing improves unless people realize there’s a problem.”

  12. Tomi Engdahl says:

    Javed Anwer / India Today:
    Indian telecoms regulator mandates that all smartphone users should be able to install its anti-spam app by January; iPhone could be in breach of the regulation

    India may ban iPhone within 6 months if Apple keeps fighting TRAI and not allow DND App in iOS Store

    It’s a fight that has been going on for some time. Apple, the maker of the iPhone, and TRAI, the agency that regulates telecom networks in India, are in the middle of a bitter fight over the matter of SPAM calls and messages. Now, with a new regulatory policy, TRAI has hinted that if Apple doesn’t step back and allow a TRAI app on the iPhone, it is possible that the agency may ask telecom companies like Airtel, Vodafone and Jio to delist and deregister the iPhone from their networks.

    The issue is related to an app that TRAI has created. The agency has made an app called DND — now called DND 2.0.

    It is worth noting that Apple takes the privacy of iPhone users fairly seriously and tightly controls the access and data that apps want from users. Google, the maker of Android, has more loosely-created guidelines around the apps accessing private data of users. The DND app is available to Android users and can be downloaded from the Google Play Store, although it has a poor rating.

    On Thursday, TRAI published new regulations mandating that all smartphone users in the country should be able to install the DND 2.0 app on their phones, whether they are using an iPhone or an Android phone. The regulations, surprisingly, need to be followed by telecom companies and not the phone makers, who do not fall under the purview of TRAI.

    Ouch! In other words, if Apple continues to resist DND 2.0 app from TRAI, and does not permit it entry in the iOS App Store, all the iPhones in India may lose access to 3G, 4G or even basic telecom networks.

    The problem here is actually no problem, because whatever TRAI is trying to do and what Apple is proposing is basically the same. They both seemingly want the best for their users. TRAI wants to curb spam calls and messages on the phones, and Apple too is seemingly fighting for the same. But Apple also doesn’t want to dilute the kind of privacy — which is better than what Android phones offer to their users — that the iPhone users have. And the company is very clear that it cannot allow any app, even one created by a government agency, to access call and message logs.

    But it is possible that the upcoming iOS 12 can be the middle ground. In the iOS 12, Apple has put in new features that use smart algorithms and machine learning to identify and block spam messages.

  13. Tomi Engdahl says:

    Greg Sandoval / Business Insider:
    Google Cloud to prevent its automated fraud-detection systems from suspending accounts with “established payment history” after a customer complaint went viral

    Google Cloud made big changes to its fraud-detection system in response to an angry customer complaint that went viral

    The Google Cloud Platform (GCP) has changed the way its abuse-prevention arm responds to suspicious activity, and from now on it won’t be so quick to shoot first and ask questions later.

    More importantly, Google has added more humans to its fraud-detection mix, so those overseeing accounts mistakenly accused of fraudulent activity can reach out for help, 24/7.

    A lot of criticism was directed at GCP earlier this month when a customer complaint posted to Medium went viral. The post was written by an anonymous administrator overseeing a system that monitors “hundreds of wind turbines and scores of solar plants.” The admin said Google blocked the system’s website, app, and other services on June 28 without warning because it had detected “potential suspicious activity.”

    The system admin wrote that Google then threatened to shut down the account for good unless the service could provide ID and other documents.

    Why you should not use Google Cloud.

  14. Tomi Engdahl says:

    Richard Chirgwin / The Register:
    Intel fixes longstanding Intel Management Engine flaws that let hackers on same subnet run arbitrary code; first 3 generations of Core chips won’t get patches — Check your computer makers for patches — In case you missed it, Chipzilla has gone public with more security updates for the Intel Management Engine.

    ME! ME! ME! – Intel’s management tech gets a quartet of security fixes
    Check your computer makers for patches

    In case you missed it, Chipzilla has gone public with more security updates for the Intel Management Engine.

    Now that Intel’s advisory is public, it’s clear that Chipzilla has known the particulars for some time, and has been privately working with computer manufacturers to push fixes ahead of disclosure. For example, Lenovo emitted firmware fixes in April, and Dell no later than June.

  15. Tomi Engdahl says:

    British Airways’ latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage
    Stuck on the ground awaiting a load sheet? Here’s why

    The British Airways IT system failure that caused the grounding of flights around the world yesterday was caused by an outage at third-party travel tech supplier Amadeus.

    Amadeus, a travel tech outsourcer best known for supplying flight booking software to low-cost airlines such as Easyjet, suffered an outage which meant BA’s ground-handling agents were unable to generate load sheets for airline flights.

    The load sheets are generated through Amadeus’s Altea Departure Control Flight Management suite.

    Load sheets contain vital flight safety information including the aircraft’s load and its trim, or centre of gravity. If pilots do not know how heavy their aircraft is or where its point of balance is, they cannot safely take off.

    Load sheets are completed by adding together the number and seat location of all passengers, cargo and fuel on the aircraft and doing some arithmetic to ensure everything is properly positioned within its permitted limits. Automating the process speeds this up considerably – when, that is, the automated systems haven’t gone TITSUP.

    Last year an Amadeus network outage smacked airports around the world, while before that Qantas was struck down by a similar booking software failure.

  16. Tomi Engdahl says:

    Alyza Sebenius / Bloomberg:
    Paul Nakasone, head of US Cyber Command and NSA, confirms he created Russia Small Group, a special task force to address Russian cyber threats

    NSA Chief Forms Group to Counter Russian Threat

    Paul Nakasone, U.S. cyber commander and director of the National Security Agency, confirmed that he’s created a special task force to address Russian threats in cyberspace.

    Russia has “great capabilities on which we will certainly be called upon,” Nakasone said late Saturday on the final day of the annual Aspen Security Forum in Colorado. “And if called upon, I think, no doubt we will ensure that we act.”

    Defining the Domain

    “We have to have some manner upon which we’re going to look at being able to contest them in places like cyber space,” he said.

    “If we decide that we’re going to stand on the sidelines, that we’re not going to bring the power of our nation against our adversaries in cyberspace — and that’s more than just cyber, it’s the whole capabilities that our nation has — I think again that we run the risk of our adversaries defining what they are going to do within this domain.”

    “They steal intellectual property, they steal P.I.I. or information on personnel, they cause discord within our social ranks or attempt to undermine our elections, all below the level of war,”

  17. Tomi Engdahl says:

    Internet Hoaxes Literally Killed 20 People In The Last Two Months

    Social media networks and messaging apps, for all their plus points, are the catalysts for fake news – the real kind of fake news, not the Trumpian kind. Some vague efforts have been made to tackle an admittedly monstrous and unprecedented problem, but as a grim tale about WhatsApp has highlighted, the war on viral lies can lead to casualties.

    The New York Times recently explained that, in India, false rumors regarding child abductions spread both easily and quickly. This has led to multiple murders – many conducted by mobs

    As reported by the Guardian, at least 20 people have been lynched in the country in the last two months as a result of such unfounded rumors.

    The Facebook-owned messaging service will now restrict people to being able to forward messages to just 20 people in an attempt to stop fake news from spreading. Gizmodo have spotted that, in India, the cap is set even lower, at just five people. This, of course, doesn’t mean you can’t communicate the news in other ways – by taking a screenshot or typing it out yourself anew, say.

  18. Tomi Engdahl says:

    Rebecca Smith / Wall Street Journal:
    DHS officials say “hundreds of victims”, not a few dozen, have been impacted by Russian hackers infiltrating control room networks of US electric utilities — Blackouts could have been caused after the networks of trusted vendors were easily penetrated

    Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing.

    The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, “air-gapped” or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

    “They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.

    DHS has been warning utility executives with security clearances about the Russian group’s threat to critical infrastructure since 2014.

    Russia has denied targeting critical infrastructure.

    The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.

    Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks.

    They also familiarized themselves with how the facilities were supposed to work, because attackers “have to learn how to take the normal and make it abnormal” to cause disruptions, said Mr. Homer.

    Their goal, he said: to disguise themselves as “the people who touch these systems on a daily basis.”

    “You’re seeing an uptick in the way government is sharing threats and vulnerabilities,”

  19. Tomi Engdahl says:

    Stephen Shankland / CNET:
    Chrome 68, rolling out today, shows a “not secure” warning for any HTTP website; in October the warning’s color will change to red — Three and a half years ago, Google predicted the day would come when Chrome would warn us all of the security risks of using the web’s seminal HTTP technology …

    Chrome’s long-promised HTTP ‘not secure’ website warnings arrive

    Take note if you see the warning, but don’t panic.

  20. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer:
    Encryption bug found in many Bluetooth implementations and OS drivers, affecting vendors including Apple, Broadcom, Intel, Qualcomm; some fixes are on way — A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.

    Many Bluetooth Implementations and OS Drivers Affected by Crypto Bug

    A cryptographic bug affects the Bluetooth implementations and operating system drivers of Apple, Broadcom, Intel, Qualcomm, and possibly other hardware vendors.

    This bug occurs because Bluetooth-capable devices do not sufficiently validate encryption parameters used during “secure” Bluetooth connections. More precisely, pairing devices do not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange.

    This results in a weak pairing that may allow a remote attacker to obtain the encryption key used by a device and recover data sent between two devices paired in a “secure” Bluetooth connection.

    Both Bluetooth and Bluetooth LE affected

    Both the Bluetooth standard’s “Secure Simple Pairing” process and Bluetooth LE’s “Secure Connections” pairing process are affected.
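
The parameter validation the comment above says was missing can be shown concretely. The following added Python example (not code from the Bluetooth SIG, from any vendor, or from the article) implements the check that a received Diffie-Hellman public key is a genuine point on NIST P-256, the curve Bluetooth Secure Connections pairing uses, and only then computes the shared secret; the private scalars in the demo are constructed values, and the arithmetic is plain affine point arithmetic written for clarity rather than constant-time speed.

```python
# NIST P-256 domain parameters (the curve used by Bluetooth Secure Connections).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# Points are affine (x, y) tuples; None is the point at infinity.


def is_on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def is_valid_public_key(x: int, y: int) -> bool:
    """Full public-key validation a receiver must do before using a peer's
    point in ECDH.  Checking only that x is in range, and never testing the
    curve equation, is exactly the kind of insufficient validation that lets
    a tampered point steer the key exchange onto a weaker curve.
    """
    if not (0 <= x < P and 0 <= y < P):   # coordinates must be field elements
        return False
    if not is_on_curve(x, y):             # point must satisfy the curve equation
        return False
    # P-256 has prime order (cofactor 1), so an on-curve point is automatically
    # in the right subgroup; curves with a cofactor would also need n*Q == O.
    return True


def _point_add(p1, p2):
    """Affine group law, including doubling and the inverse-pair case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, point):
    """Double-and-add k*point (not constant time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_scalar: int, peer_public) -> int:
    """Shared x-coordinate, computed only after the peer's point is validated."""
    x, y = peer_public
    if not is_valid_public_key(x, y):
        raise ValueError("peer public key rejected: not a valid point on P-256")
    shared = scalar_mult(private_scalar, peer_public)
    if shared is None:
        raise ValueError("degenerate shared secret")
    return shared[0]


if __name__ == "__main__":
    a_priv, b_priv = 0x1F2E3D4C5B6A7988, 0x0123456789ABCDEF   # constructed scalars
    a_pub, b_pub = scalar_mult(a_priv, G), scalar_mult(b_priv, G)
    print("shared secrets match:",
          ecdh_shared_secret(a_priv, b_pub) == ecdh_shared_secret(b_priv, a_pub))
    # A peer that has altered the y coordinate of its public key is rejected
    # before any scalar multiplication with our private key takes place.
    tampered = (b_pub[0], (b_pub[1] + 1) % P)
    print("tampered point accepted:", is_valid_public_key(*tampered))
```

The fix the vendors shipped amounts to making `is_valid_public_key` mandatory on every received point; a real implementation would additionally use constant-time field arithmetic and, for curves with a cofactor, the subgroup check noted in the comment.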

  21. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Google says none of its 85,000+ employees have been successfully phished since early 2017, when it required use of physical Security Keys in place of passwords

    Google: Security Keys Neutralized Employee Phishing

    Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

    A Google spokesperson said Security Keys now form the basis of all account access at Google.
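
Why a Security Key stops phishing where a password or a one-time code does not: the browser tells the key which origin the login page is on, and the key mixes that origin into the data it signs, so an assertion produced on a look-alike site does not verify for the real one. The following added Python example (not Google's code and not from the article) models that exchange; to stay on the standard library it uses an HMAC over a per-credential secret in place of the ECDSA signature a real U2F or FIDO2 key produces, and all origins and user names are constructed.

```python
import hashlib
import hmac
import secrets


def _signed_data(origin: str, challenge: bytes) -> bytes:
    # What the authenticator commits to: a hash of the origin the browser is
    # on plus the relying party's challenge.  Real U2F signs much the same
    # structure (application parameter, counter, challenge parameter).
    return hashlib.sha256(origin.encode()).digest() + challenge


class SecurityKey:
    """Toy authenticator: one secret per registered credential."""

    def __init__(self) -> None:
        self._credentials = {}  # key handle -> secret

    def register(self):
        """Return (key_handle, credential_secret).  A real key would hand out
        a public key and keep the private key; the shared secret is the HMAC
        stand-in this example uses in place of a signature key pair."""
        handle = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._credentials[handle] = secret
        return handle, secret

    def sign(self, handle: str, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies browser_origin, so a phishing
        # page cannot claim to be the real site.
        data = _signed_data(browser_origin, challenge)
        return hmac.new(self._credentials[handle], data, hashlib.sha256).digest()


class RelyingParty:
    """Server side: issues challenges and verifies assertions for ITS origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials = {}  # user -> (handle, secret)
        self._pending = {}      # user -> outstanding challenge

    def enrol(self, user: str, handle: str, secret: bytes) -> None:
        self._credentials[user] = (handle, secret)

    def begin_login(self, user: str):
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return self._credentials[user][0], challenge

    def finish_login(self, user: str, assertion: bytes) -> bool:
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False  # no outstanding challenge: replayed or unsolicited
        handle, secret = self._credentials[user]
        expected = hmac.new(secret, _signed_data(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def login_from(rp: RelyingParty, key: SecurityKey, user: str, browser_origin: str) -> bool:
    """Run one login: the page on browser_origin relays rp's challenge to the
    key.  For a phishing page, browser_origin differs from rp.origin."""
    handle, challenge = rp.begin_login(user)
    assertion = key.sign(handle, browser_origin, challenge)
    return rp.finish_login(user, assertion)


def demo():
    """Returns (genuine_login_ok, phished_login_ok) for constructed origins."""
    rp = RelyingParty("https://accounts.example")          # constructed origin
    key = SecurityKey()
    handle, secret = key.register()
    rp.enrol("alice", handle, secret)
    genuine = login_from(rp, key, "alice", "https://accounts.example")
    phished = login_from(rp, key, "alice", "https://accounts-example.evil")  # constructed look-alike
    return genuine, phished


if __name__ == "__main__":
    print("genuine login ok, phished login ok:", demo())
```

The relayed challenge is exactly what a real-time phishing proxy forwards, and it still fails: the relying party verifies over its own origin, and the key only ever signed over the page's. Consuming the challenge in `finish_login` also closes the replay path, which is why the example returns False on a second use of the same assertion.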

  22. Tomi Engdahl says:

    Venkat Ananth / The Economic Times:
    How WhatsApp is trying to use machine learning and metadata to detect organized spammers and fake users as it battles against fake news

    WhatsApp races against time to fix fake news mess ahead of 2019 general elections

    For WhatsApp, one of the key learnings from the Mexico elections was that it could look at the spam reports and categorise them as politics-related.

    On Friday, when WhatsApp announced that it would pilot a ‘five media-based forwards limit’ in India, the government came up with an unequivocal reminder.

    “When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter face consequent legal action,” noted a ministry of electronics and information technology (MeitY) statement.

    The stand also poses an interesting dilemma for the messenger service. How can it act while protecting its privacy commitment?

    “It is practically impossible for WhatsApp to regulate content in the peer-to-peer encrypted environment it is set up in,” says Rahul Matthan, partner, Trilegal. “An encrypted platform is what we want. The government is trying to maintain a strict and difficult balance. The government tends to err on the side of violating civil liberties over offering privacy to innocent users. The WhatsApp case is going in that direction.”

    No longer low-key

    In India, its largest market, WhatsApp has benefitted from quietly operating in the shadows of its more popular parent, Facebook, growing to a currently active user base of 200 million.

    However, in the last six months, while it continues to be perceived as an asset by politicos for outreach and propaganda, WhatsApp is now increasingly being tapped by the bad guys to disseminate deliberate misinformation, rumour mongering and fake news.

    It is leading to loss of lives on the ground, through lynchings, kidnappings and related crimes. WhatsApp spokesperson Carl Woog says, “The recent acts of violence in India have been heartbreaking and reinforce the need for government, civil society and technology companies to work together to keep people safe.”

    But the general public and government perception — and, to some extent, concern — remains that WhatsApp has been slow to react to these situations.

    Interestingly, the government and ruling party realise WhatsApp could be pivotal to their fortunes in the next electoral cycle — in the run-up to Elections 2019.

    To counter organised political spamming, WhatsApp has now begun using machine learning tools. WhatsApp can trace the last few messages in a group and block it entirely from the platform. At the detection level, WhatsApp checks for familiarity. “Do the persons know each other, or have they interacted before?” through metadata it possesses through phone numbers.

    The second person quoted in the story says the company now focuses its detection “upstream,” that is, catching the user at the registration stage. “When you register on WhatsApp and immediately create a group, questions asked are, ‘Does this behaviour look like what a regular user does? Or does it look like users who have misused it in the past?’” he says.

    Civil society as a key layer

    WhatsApp also sees an enabling role for civil society, especially for digital literacy.

    “The level of responsibility for a platform is to not consciously cause — and, in fact, to take active measures to prevent — social harm,” says Gupta of IFF. “It has to be done without injury to end-to-end encryption, which offers safety and privacy to users.

  23. Tomi Engdahl says:

    Watch the revealing hidden-camera video – a Yle reporter tested the premises security of important companies and institutions: almost all had shortcomings in access control

  24. Tomi Engdahl says:

    Singapore disconnects healthcare computers from the Internet after cyber attack

    Singapore has disconnected computers from the internet at public healthcare centers to prevent cyberattacks of the kind that caused its worst breach of personal data, a government official said on Tuesday.

    Singapore started to cut web access for civil servants in 2016 to guard against cyberattacks

    In the most recent attack in June, hackers stole particulars of more than 1.5 million patients, including the prime minister’s drug prescriptions, in what the government has called “a deliberate, targeted and well-planned cyberattack”.

    “We could, and should, have implemented internet surfing separation on public healthcare systems, just as we have done on our public sector systems,”

  25. Tomi Engdahl says:

    “Big Star Labs” spyware campaign affects over 11,000,000 people

    This time, we discovered multiple browser extensions and mobile apps invisibly collecting users’ browsing history, with a total user count of over 11,000,000.

    Generally, I was not, and am not, surprised about what we found regarding browser extensions; the sad state of the extensions stores is a known issue. However, I was surprised to see the tricks used in order to grab the browsing history of Android and iOS users.

    The apps and extensions we discovered doing this belong to a newly registered Delaware company named “Big Star Labs”

  26. Tomi Engdahl says:

    Unimania: I Need Your Facebook Data, Location, And Your Browsing History

    Suspicious Chrome extensions
    I conducted an automated scan of all publicly available Chrome extensions. This scan flagged quite a few different privacy issues.

  27. Tomi Engdahl says:

    Replay Attacks Can Be Used to Compromise Your Google Pay Account

    NFC (near-field communication) payments from smart phones are becoming increasingly popular, and both Android and iPhone users have well-supported options. The draw of an NFC payment is obvious: you don’t need to deal with wallets and credit cards, just tap the smart phone you already have with you and you can be on your way. But, like anything with money involved, bad people want to take advantage of that to steal from you, and Salvador Mendoza has exposed how that’s possible with Google Pay.

  28. Tomi Engdahl says:

    Chrome’s HTTP warning seeks to cut web surveillance, tampering

    FAQ: Starting Tuesday, you’re going to see a rash of “not secure” warnings thanks to a new version of the Google browser that flags unencrypted sites.

  29. Tomi Engdahl says:

    Stina Ehrensvard / Yubico:
    YubiKey maker Yubico says it does not manufacture Google’s security keys and that Bluetooth-based keys are not as secure as NFC and USB-based keys

    The Key to Trust

    As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

    Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

    Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key

    Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

    Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F.

    The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.

    In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors.

    Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F.

  30. Tomi Engdahl says:

    Putin’s Soccer Ball for Trump Had Transmitter Chip, Logo Indicates

    Russian President Vladimir Putin’s gift of a soccer ball to U.S. President Donald Trump last week set off a chorus of warnings — some of them only half in jest — that the World Cup souvenir could be bugged. Republican Senator Lindsey Graham even tweeted, “I’d check the soccer ball for listening devices and never allow it in the White House.”

    It turns out they weren’t entirely wrong. Markings on the ball indicate that it contained a chip with a tiny antenna that transmits to nearby phones.

    But rather than a spy device, the chip is an advertised feature of the Adidas AG ball.

  31. Tomi Engdahl says:

    The Blackmail Email Scam

    There have been many recent posts about the blackmail email scam

    The blackmail email scam is a spam campaign that is sent out to thousands of addresses at a time. The threats are lies and you do not have anything to worry about. In many cases the email will be addressed to your real name, but this does not matter and does not mean that the email is true. In some cases you’ll even see other information about yourself in the email, like a phone number or an old password.

  32. Tomi Engdahl says:

    Cyrus Farivar / Ars Technica:
    In a test conducted by the ACLU, Amazon’s Rekognition facial recognition tech erroneously matched 28 members of Congress, 6 of them black, to criminal mugshots — ACLU: “And running the entire test cost us $12.33—less than a large pizza.” — The American Civil Liberties Union …

    Amazon’s Rekognition messes up, matches 28 lawmakers to mugshots
    ACLU: “And running the entire test cost us $12.33—less than a large pizza.”

    The American Civil Liberties Union of Northern California said Thursday that in its new test of Amazon’s facial recognition system known as Rekognition, the software erroneously identified 28 members of Congress as people who have been arrested for a crime.

    According to Jake Snow, an ACLU attorney, the organization downloaded 25,000 mugshots from what he described as a “public source.”

    The ACLU then ran the official photos of all 535 members of Congress through Rekognition, asking it to match them up with any of the mugshots—and it ended up matching 28.

    Facial recognition historically has resulted in more false positives for African-Americans.

    The ACLU is concerned that over-reliance on faulty facial recognition scans, particularly against citizens of color, would result in a possible fatal interaction with law enforcement. Amazon’s Rekognition has already been used by a handful of law enforcement agencies nationwide.

    Because of these substantive errors, Snow said the ACLU as a whole is again calling on Congress to “enact a moratorium on law enforcement’s use of facial recognition.”

    “When using facial recognition for law enforcement activities, we guide customers to set a higher threshold of at least 95 or higher.”

  33. Tomi Engdahl says:

    The Most Common Vulnerability Of All
    Rethinking Email for Privacy and Security

    Most of the people I know in the world of cybersecurity rightly focus on deeply entrenched matters: server virtualization and containerization, software sandboxing, and helping to train employees to avoid social engineering hacks. But there’s one technology that we all continue to use that hasn’t really evolved at all since the 1960’s: EMAIL.

    Email was born before the Internet, making it nearly fifty years old. The technology was intended as a way for a limited, known number of users to communicate with each other on a shared Unix mainframe. For that purpose, email was ideally suited.

    But despite the availability of newer messaging technology like texting, social media, Slack and even video chatting, email is not only still going strong, it’s actually thriving. In 2017, 296 billion emails were sent on average… per day.

    Email isn’t very safe, very private or very convenient. Additionally, because most people keep and use multiple email addresses, it’s a very unmanageable solution.

    Let’s take a look at the most glaring vulnerabilities of email and offer a few solutions to help reduce or eliminate them.

    Vulnerability: One-Factor Login
    “If you spend more on coffee than on IT security, you will be hacked. What’s more, you *deserve* to be hacked.” — White House Cybersecurity Advisor, Richard Clarke
    By default, all it takes to gain access to most any email is a username and password.

    The Mitigations:
    Implement two or more factors of authentication.

    I highly recommend using the free app “Authy” on your iOS and Android devices. Its biggest advantages over Google’s own Authenticator app are that it allows TouchID confirmation on newer iPhones, stores encrypted backups of your data, and allows your 2-factor authentication (or 2FA) codes to be shared across a number of devices.

    The Hack:
    It’s important to learn a bit about how malicious hackers gain access to your credentials. Three of the most common methods include:
    Man in the Middle (or MITM) attacks
    Using key logger software.
    Employing old-fashioned social engineering

    The Mitigations:
    Implement two or more factors of authentication.
    One of the simplest ways to help protect against one-factor authentication is to require everyone, including you, to pass through multiple security checkpoints to gain access to your email. While this adds an extra 5–10 seconds of time to your login process, it may save you lost weeks or even months of damage control due to a malicious hack.

    Pro tip: To best leverage multi-factor authentication, I highly recommend using the free app “Authy” on your iOS and Android devices.
    If you’re not familiar with 2FA, I’d factor an hour of time to download Authy, set up the app on your smart devices and then step through the process of linking your webmail (and other sensitive) accounts.

    Vulnerability: Sending Data Via Clear Text
    “Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.” — Bruce Schneier

    By default, email is sent in clear text, a format that’s not encrypted. That makes the content of your messages very easy to read by curious or malicious individuals who work for your ISP or for your company network.

    Users residing on the same computer network as you — a WiFi hotspot at a coffee shop or hotel, for example — can run Wireshark and monitor all traffic on that Wifi network, including both web and email protocols.

    The Mitigations:
    Purchase and use a commercial VPN. Corporations have been using virtual private networks (or VPNs) for years because the software ensures that all network data is encrypted. Individuals can purchase and use VPN services

    Vulnerabilities: Transmission, One-Factor Receiving & Eternal Email
    “If privacy is outlawed, only outlaws will have privacy.” — Philip Zimmermann

    The Mitigations:
    Send links not messages. SendInc has rethought the concept of sending emails and replaced it with sending links to your messages instead. In short, the company keeps your messages on its secure Amazon servers and then sends links with public keys to your intended recipients.

    Force recipients to use a password in order to view email. InfoEncrypt is a very clever, 100% free service that allows you to send encrypted emails that don’t pass through their servers.

    Combine sending links, forcing the use of a password and expiring messages. There’s a reason that ProtonMail gets my highest-recommendation as the ultimate email solution.

    Vulnerabilities: Using Only One Email Address
    “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” ― Stephane Nappo

    The Mitigations:
    Leverage the power of customizable email aliasing.

    Pro-tip: when you sign up for any online service, provide a custom email address instead.

  34. Tomi Engdahl says:

    Chinese shipping firm infected by ransomware

    Chinese shipping firm Cosco has been caught out by Windows ransomware.

    The infection has knocked out some electronic communications at several of its North American locations.

    In a statement, it said a “local network breakdown” had hit its American region. It said it had isolated the offices as it investigated.

    China Ocean Shipping is China’s largest carrier of containerised goods and the fourth largest of these maritime operators in the world.

    ‘Operating normally’
    Cosco’s US website plus email and many phone lines were all reportedly rendered inoperable by the outbreak.

    Last year, shipping giant Maersk suffered a series of problems when it was infected by the Wannacry ransomware.

  35. Tomi Engdahl says:

    US warns of supply chain cyber-attacks

    The US intelligence community has issued a new warning about cyber-espionage risks posed by attacks made via the technology supply chain.

    A report said China, Russia and Iran were the most capable and active states involved in such economic subterfuge.

    Software supply chain infiltration had already threatened critical infrastructure, it warned, and was poised to imperil other sectors.

    last year marked a “watershed”, with seven significant software supply chain events having been made public.

    ‘Key threat’
    The concern is that attackers are looking for new ways to exploit computer networks via the privileged access given to technology providers

    “To get around increasingly hardened corporate perimeters, cyber-actors are targeting supply chains.”

    In the past week, cyber-security company Crowdstrike also published the results of a survey it had commissioned. Two-thirds of the organisations that responded said they had experienced a software supply chain attack in the past 12 months.

    The average cost of an attack was more than $1.1m (£838,000).

    Kaspersky Lab software has broad and privileged access to machines to scan for viruses

  36. Tomi Engdahl says:

    Windows 10 will try not to reboot when you’re just grabbing a cup of coffee

    New system will try not to reboot when you’re expected to return to your computer soon.

    The next semi-annual update to Windows 10 will use machine learning models to make automatic rebooting for updates a bit less annoying. The models will attempt to predict when you’re likely to return to your PC and not update if you’re expected back soon.

  37. Tomi Engdahl says:

    Russian DragonFly hackers accessed electrical utilities control rooms in lengthy campaign

    The Russian DragonFly APT group, which last year broke into air-gapped networks run by U.S. electric utilities in a likely ongoing campaign that victimized hundreds, accessed the providers’ control rooms where they could have caused blackouts and other damage.

    The group, which also goes by Energetic Bear, used phishing and waterhole attacks to gain access to supplier networks, nick credentials and then access the utilities, the Wall Street Journal cited Department of Homeland Security (DHS) as confirming.

    “Hackers, including state-sponsored Russian hackers, exploit the weakest link in the security chain – the people.”

  38. Tomi Engdahl says:

    The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.

    The source code of the Exobot Android banking trojan has been leaked online and experts believe that we will soon see a new wave of attacks based on the malware.

    The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

    The authors were advertising it saying that it can be used for phishing attacks and that it implements various features of the most common banking Trojans, such as intercepting SMS messages.

  39. Tomi Engdahl says:

    Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allows attackers to manipulate traffic.
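CVE-2018-5383 is the Bluetooth pairing flaw in which some implementations used the peer's ECDH public key (Secure Simple Pairing and LE Secure Connections, both on NIST P-256) without first checking that the received coordinates actually form a point on the curve; an attacker in range could substitute an invalid point (for instance one with a valid x but y = 0) and recover enough of the pairing key to intercept or alter traffic. The following is an added example, not code from the advisory or from any Bluetooth stack: it implements the validation a receiver must do before feeding a peer key into ECDH (coordinate range, curve equation, not the point at infinity), plus minimal P-256 arithmetic so the check can be shown in a complete exchange. The private scalars in the demo are constructed values for illustration only.

```python
# NIST P-256 domain parameters (FIPS 186-4), the curve used by Bluetooth pairing.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def is_on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 + a*x + b (mod p). A forged point with y = 0, as used against
    unpatched stacks, fails this test because P-256 has no point of order 2."""
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_peer_public_key(x: int, y: int) -> bool:
    """Public-key validation per SP 800-56A for a prime-order curve with cofactor 1:
    both coordinates in [0, p-1] and the point on the curve. Because n is prime,
    every such point has order n, so no separate small-subgroup check is needed."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return is_on_curve(x, y)


def decode_uncompressed_point(raw: bytes):
    """Parse the 0x04 || X || Y encoding (65 bytes) into an (x, y) tuple, or None."""
    if len(raw) != 65 or raw[0] != 0x04:
        return None
    return int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")


def _inv(a: int) -> int:
    return pow(a % P256_P, P256_P - 2, P256_P)


def ec_add(pt1, pt2):
    """Affine point addition; None represents the point at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None                       # P + (-P) = O
        lam = (3 * x1 * x1 + P256_A) * _inv(2 * y1) % P256_P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def ecdh_shared_x(private_scalar: int, peer_point):
    """What a hardened receiver does: validate the peer key, then compute the
    shared x-coordinate. Raises instead of silently using an invalid point."""
    x, y = peer_point
    if not validate_peer_public_key(x, y):
        raise ValueError("peer public key is not a valid P-256 point")
    return ec_mul(private_scalar, peer_point)[0]


if __name__ == "__main__":
    alice_priv, bob_priv = 12345, 67890          # constructed demo scalars
    alice_pub = ec_mul(alice_priv, P256_G)
    bob_pub = ec_mul(bob_priv, P256_G)
    print("shared secrets agree:",
          ecdh_shared_x(alice_priv, bob_pub) == ecdh_shared_x(bob_priv, alice_pub))
    forged = (bob_pub[0], 0)                     # attacker keeps x, zeroes y
    print("forged key rejected:", not validate_peer_public_key(*forged))
```

The fix shipped by vendors for this CVE amounts to calling the equivalent of `validate_peer_public_key` on every received pairing key; the Bluetooth specification had only recommended the check, which is why stacks that skipped it were exploitable.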

  40. Tomi Engdahl says:

    Cybersecurity firm Tenable closes up 31%

    The company’s subscription-based model has been attractive to investors, according to a principal at Renaissance Capital.
    Cybersecurity companies have been doing well, but the field is a tricky one for investors.

    Cyber risk management company Tenable closed out its first day of trading up 31.5 percent, after jumping 40 percent in its public market debut Thursday.

    Shares opened at $33.00, nudging the company’s market value above $3 billion, and closed at $30.25 per share.

    The company raised $250 million in the public offering

    It’s an impressive fundraising for cybersecurity IPOs and particularly sizable for Tenable’s niche, which is subscription-based cyber risk management tools. The company offers tools for companies to quantify in dollars the damage that could be caused by various types of security breaches, and caters to executives and board members worried about the risk from breaches and the cybersecurity professionals who work for them.

    Tenable has proven it can keep subscriptions going at its approximately 24,000 client firms and that it can “expand inside of accounts,” meaning customers are getting bigger subscriptions after signing on, a positive sign for investors, she said.

    There are some issues to watch out for as well, Smith said: “They are investing a lot in sales and marketing, and gross margins have declined due to a shift in the subscription model.” There are also a lot of competitors in the market, said Smith.

    Two of its closest publicly-traded peers have traded very well so far this year: Qualys is up roughly 60 percent and Rapid7 is up nearly 70 percent on the year.

    Tenable likely won’t be the only cybersecurity firm going public this year — Crowdstrike, which helps companies fix breaches and minimize the damage, and Tanium, which helps companies monitor security vulnerabilities on “endpoints” like personal computers in a company, are also reportedly considering IPOs.

  41. Tomi Engdahl says:

    Beware of Fake Banking Malware Apps in Google Play That Steal Credit Card Details and Internet Banking Credentials

    Fake banking apps posing as apps from three major Indian banks made their way into the official Google Play store. The malicious apps claim to increase the customer’s credit limit at the three banks.

    Attackers use bogus phish forms to collect the credit card details and internet banking credentials from the victims.

    The fake banking apps pose as apps from three major Indian banks: ICICI, RBL, and HDFC.

  42. Tomi Engdahl says:

    New NetSpectre Attack Can Steal CPU Secrets via Network Connections

    Scientists have published a paper today detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine.

    This new attack —codenamed NetSpectre

    Spectre attacks, which until now have required the attacker to trick a victim into downloading and running malicious code on his machine, or at least accessing a website that runs malicious JavaScript in the user’s browser.

    But with NetSpectre, an attacker can simply bombard a computer’s network ports and achieve the same results.

    NetSpectre has low exfiltration speeds

    attack’s woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU’s cache.

    Academics achieved higher exfiltration speeds —of up to 60 bits/hour

    Nonetheless, both NetSpectre variations are too slow to be considered valuable for an attacker. This makes NetSpectre just a theoretical threat

    Existing mitigations should prevent NetSpectre

    The research paper is named “NetSpectre: Read Arbitrary Memory over Network.”

  43. Tomi Engdahl says:

    A fake Microsoft domain was established as a landing page for phishing attacks directed at three candidates

    Russian hackers already targeted a Missouri senator up for reelection in 2018

    A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race.

    In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack.

    The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence.

    “We did discover that a fake Microsoft domain had been established as the landing page for phishing attack

    Microsoft removed the domain and noted that the attack was unsuccessful.

    Sen. McCaskill confirmed in a press release that she was targeted by the attack, which appears to have taken place in August 2017

