Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.



  1. Tomi Engdahl says:

    New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

    Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

    Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

    The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.

  2. Tomi Engdahl says:

    ‘It’s our time to serve the Motherland’ How Russia’s war in Georgia sparked Moscow’s modern-day recruitment of criminal hackers

  3. Tomi Engdahl says:

    By all accounts, the Russian intelligence community is still actively recruiting hackers in exchange for closing the criminal cases against them.

  4. Tomi Engdahl says:

    Smart irrigation systems vulnerable to attacks, warn researchers

    Internet-connected irrigation systems suffer from security gaps that could be exploited by attackers aiming, for example, to deplete a city’s water reserves, researchers warn

    Security researchers have warned of a potential attack that – using a “piping botnet” of internet-connected irrigation systems that water simultaneously – could impact a city’s water system to the point of actually draining its reserves.

    A team of six academics from Ben-Gurion University of Negev, Israel, identified and analyzed security flaws in the firmware of several commercial irrigation systems that are connected to the internet. They focused on three commonly sold smart irrigation systems – GreenIQ, BlueSpray, and RainMachine – and found that they suffer from vulnerabilities that enable attackers to remotely turn watering systems on and off at will.

    Some devices were found to be prone to Man-in-The-Middle (MiTM) attacks, while others can be tricked into initiating the watering process by manipulating its sensors or spoofing weather data.

  5. Tomi Engdahl says:

    Cloud Product Accidentally Exposes Users’ TLS Certificate Private Keys

    A severe issue was addressed on Monday, an issue that under certain conditions could be used to expose the private keys for TLS certificates used by companies running their infrastructure on cloud servers.

    The issue —which received its own CVE identifier of CVE-2018-15598— affected Traefik, a very popular open source reverse proxy and load balancing solution created and administered by Containous, a French software company.

    In modern web dev environments, developers deploy Traefik proxies/balancers in front of their Docker or Kubernetes server clusters in order to control how traffic flows to a company’s IT infrastructure —such as backends, Intranets, public websites, mobile apps, APIs, or others.

    Since it’s quite an advanced solution, Traefik also comes with a backend panel, to help users better manage their Traefik setups.

  6. Tomi Engdahl says:

    MongoDB Server Exposes Babysitting App’s Database

    The makers of Sitter, a popular app for connecting babysitters with parents, have involuntarily exposed the personal details of over 93,000 users.

    The exposure took place last week and was caused by a MongoDB database left exposed on the Internet with no credentials.

    Independent security researcher Bob Diachenko discovered the database. He told Bleeping Computer that he spotted the database on August 14, when he immediately reported the issue to the Sitter app makers. The Sitter team secured the database on the same day of the report, Diachenko said.

    The database was previously indexed on Shodan, a search engine for Internet-connected devices, a day earlier, on August 13.

  7. Tomi Engdahl says:

    Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

    A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.

    The security bug received a patch this week, but since the OpenSSH client is embedded in a multitude of software applications and hardware devices, it will take months, if not years, for the fix to trickle down to all affected systems.

    This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. Since OpenSSH is used with a bunch of technologies ranging from cloud hosting servers to mandate IoT equipment, billions of devices are affected.

    As researchers explain, the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request (for example, via a truncated packet).

    Because of OpenSSH’s huge install base, the bug is ideal for both attacks on high-value targets, but also in mass-exploitation scenarios.

    Bug patched last week. PoC code in the wild.

    The bug —tracked as CVE-2018-15473— has been patched in the stable version of OpenSSH —1:6.7p1-1 and 1:7.7p1-1— and the 1:7.7p1-4 unstable branch. Patches have also trickled down to Debian, and most likely other Linux distros.

  8. Tomi Engdahl says:

    Dark Tequila Banking Malware Uncovered After 5 Years of Activity

    Security researchers at Kaspersky Labs have uncovered a new, complex malware campaign that has been targeting customers of several Mexican banking institutions since at least 2013.

    Dubbed Dark Tequila, the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques.

    Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

  9. Tomi Engdahl says:

    Supply Chain Attack Operation Red Signature Targets South Korean Organizations

    Together with our colleagues at IssueMakersLab, we uncovered Operation Red Signature, an information theft-driven supply chain attack targeting organizations in South Korea. We discovered the attacks around the end of July, while the media reported the attack in South Korea on August 6.

    9002 RAT also installed additional malicious tools: an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper. These tools hint at how the attackers are also after data stored in their target’s web server and database.

  10. Tomi Engdahl says:

    Chinese Cyberespionage Originating From Tsinghua University Infrastructure

    Following our research uncovering the Chinese RedAlpha campaigns targeting the Tibetan community, Recorded Future’s Insikt Group identified a novel Linux backdoor called “ext4,” deployed against the same Tibetan victim group. By analyzing the backdoor, we uncovered repeated attempted connections to the same compromised CentOS web server emanating from infrastructure registered to Tsinghua1 University, an elite Chinese academic institution.

    We also identified network reconnaissance activities being conducted from the same Tsinghua University infrastructure targeting many geopolitical organizations, including the State of Alaska Government, Alaska’s Department of Natural Resources, the United Nations office in Nairobi, and the Kenya Ports Authority. Additionally, we identified the targeted scanning of German automotive multinational Daimler AG that began a day after it cut its profit outlook for the year, citing the growing trade tensions between the U.S. and China. In several cases, these activities occurred during periods of Chinese dialogue for economic cooperation with these countries or organizations.

  11. Tomi Engdahl says:

    T-Mobile Data Breach Hits Over 2 Million Customers

    T-Mobile revealed late on Thursday that the personal details of “a small percentage” of customers were exposed after hackers gained access to its systems.

    According to the company, the attackers did not access payment card data, social security numbers (SSNs) or passwords. However, they may have stolen personal information such as names, billing zip codes, phone numbers, email addresses, account numbers, and account type. Impacted customers are being notified.

    The data breach was discovered and shut down by T-Mobile’s security team on August 20. The company said it also reported the incident to authorities.

    T-Mobile’s public statement provides no other details about the incident, but the firm’s representatives told SecurityWeek that the breach impacts roughly 3 percent of its 77 million customers, which represents approximately 2.3 million individuals.

    “We always encourage customers to make sure they have PIN/passcodes on their accounts as well as a strong password, and to change their account passwords as well as the PIN/passcode frequently,”

  12. Tomi Engdahl says:

    Half a Million Cards Exposed in Cheddar’s Scratch Kitchen Breach

    Over half a million payment card numbers were exposed after cybercriminals compromised the point-of-sale system of certain Cheddar’s Scratch Kitchen restaurants, Darden Restaurants announced.

  13. Tomi Engdahl says:

    Australia Bans Huawei From 5G Network Over Security Concerns

    CANBERRA, Australia (AP) — Chinese-owned telecommunications giant Huawei has been blocked from rolling out Australia’s 5G network due to security concerns.

    The government said Thursday that the involvement of a company “likely to be subject to extrajudicial directions from a foreign government” presented too much risk.

    Several governments have been scrutinizing Huawei over its links to the Chinese government. The private Chinese company started by a former People’s Liberation Army major in 1987 suffered a setback in the U.S. market in 2012 when a congressional report said it was a security risk and warned phone companies not to buy its equipment.

    Huawei has said it would never hand over Australian customer data to Chinese spy agencies, but the government’s statement said no combination of security controls sufficiently mitigated the risk.

    Acting Home Affairs Minister Scott Morrison said the government was committed to protecting 5G networks.

  14. Tomi Engdahl says:

    Hackers Stole Personal Data of 2 Million T-Mobile Customers

    T-Mobile disclosed an “incident” in which hackers accessed “some” customers’ personal information—but no financial data or passwords.

    UPDATE, Friday, Aug. 24, 3:00 pm ET: After this story was first published, a T-Mobile spokesperson told me that “encrypted passwords” were included in the compromised data. In its original announcement, the company said: “no passwords were compromised.”

    A company spokesperson told me that the breach affected “about” or “slightly less than” 3% of its 77 million customers.

    This is the latest in a seemingly endless series of security incidents for T-Mobile in the last year.

  15. Tomi Engdahl says:

    Extortionist lawyer pleads guilty to creating porn honeypot

    Minneapolis lawyer Paul Hansmeier has pleaded guilty to a scheme in which he and another lawyer made porn films, seeded them to BitTorrent websites, and then extorted those who downloaded them, threatening to file lawsuits unless they paid $3,000 to keep from the embarrassment of getting dragged through court.

    Hansmeier, along with co-defendant and fellow attorney John Steele, were the masterminds behind a multimillion-dollar extortion scheme carried out by their Prenda Law firm. The two were arrested in December 2016

  16. Tomi Engdahl says:

    Nicole Nguyen / BuzzFeed News:
    Researchers find flaw allowing hackers to brute force T-Mobile account PINs, likely via T-Mobile’s faulty API, after initiating purchase on Apple’s online store — Mobile account PINs intended to protect T-Mobile and AT&T customers’ accounts were exposed by two security vulnerabilities.

    Security Flaws Inadvertently Left T-Mobile And AT&T Customers’ Account PINs Exposed

    Mobile account PINs intended to protect T-Mobile and AT&T customers’ accounts were exposed by two security vulnerabilities. After a BuzzFeed News inquiry, the companies fixed the flaws.

    T-Mobile and AT&T customers’ account PINs — passcodes meant to protect mobile accounts from being hacked — have been exposed by two different security flaws, which were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo.

    Apple’s online store contained the security flaw that inadvertently exposed over 77 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers.

    Apple and Asurion fixed the vulnerabilities after BuzzFeed News shared the security researchers’ findings.

    A mobile account PIN is particularly sensitive information. If a hacker has access to it, they could easily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts.

    SIM hijacking — where hackers forward a victim’s calls and texts to another phone — has become so prevalent that T-Mobile and AT&T sent alerts earlier this year urging customers to create new PIN numbers to protect their accounts.

    But the discovered vulnerabilities on Apple’s and Asurion’s websites, if exploited, would render those PINs useless. They allowed bad actors to use widely available hacking software that can automate what’s called a brute-force attack, which involves repeatedly trying different numeric combinations until the correct sequence is guessed.

    Apple’s online iPhone store exposed the partial Social Security number or account PIN of any T-Mobile customer to hackers.

    According to Ceraolo, the vulnerability is likely due to an engineering mistake made when connecting T-Mobile’s account validation API to Apple’s website.

    On an Asurion webpage where customers can file claims, hackers with knowledge of an AT&T customer’s wireless number could gain access to another form that asked for the account holder’s four- to eight-digit passcode. This form has no limit on tries

  17. Tomi Engdahl says:

    UK phone giant EE hit by another security lapse
    For the second time this week, U.K. phone giant EE has fixed a security lapse, which allowed a security researcher to gain access to an internal site.

    The researcher, who goes by the pseudonym Six, found the company’s internal training site indexed on Google.

    Although the site required an employee username and password to log in, the researcher found that an “admin” account existed, of which anyone with the answer to the secret question could reset the password.

    It turns out that secret question could have been stronger.

    “What is your eye color,”

    EE is the largest phone network in the U.K. with more than 30 million users.

  18. Tomi Engdahl says:

    Leaker of Secret Report on Russian Hacking Gets 5 Years

    A former government contractor who pleaded guilty to mailing a classified U.S. report to a news organization was sentenced to more than five years in prison Thursday as part of a deal with prosecutors, who called it the longest sentence ever imposed for a federal crime involving leaks to the news media.

    Reality Winner, 26, pleaded guilty in June to a single count of transmitting national security information.

    Authorities never identified the news organization. But the Justice Department announced Winner’s June 2017 arrest the same day The Intercept reported on a secret NSA document. It detailed Russian government efforts to penetrate a Florida-based supplier of voting software and the accounts of election officials ahead of the 2016 presidential election. The NSA report was dated May 5, the same as the document Winner had leaked.

    U.S. intelligence agencies later confirmed Russian meddling.

  19. Tomi Engdahl says:

    Epic Fail!
    Google has clapped back in tremendous fashion at Epic Games

    Fortnite’s Android installer shipped with an Epic security flaw


    Fortnite’s Android installer shipped with an Epic security flaw
    Devin Coldewey
    @techcrunch / 15 hours ago

    Google has clapped back in tremendous fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted exactly zero time pointing out this egregious mistake.

    By way of a short explanation why this was even happening, Epic explained when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.”

    Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.

  20. Tomi Engdahl says:

    Cross-Platform Mirai Variant Leverages Open-Source Project

    A newly discovered Mirai variant has been created using an open-source project that makes the process of cross compilation very easy, Symantec reports.

    Mirai, a piece of malware that first emerged in the fall of 2016, targets a broad range of Internet of Things (IoT) devices to ensnare them into botnets capable of launching massive distributed denial of service (DDoS) attacks.

    Numerous Mirai variants have emerged since the malware’s source code was leaked in October 2016, targeting a broader range of devices and increasing resilience. Some of the most recent Mirai iterations include Wicked, Satori, Okiru, Masuta, and others.

    Now, Symantec says its researchers discovered a Mirai variant compatible with multiple architectures.

  21. Tomi Engdahl says:

    Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data

    In each unrelated case, attackers could have used brute-force attacks to guess customer PINs or personal information

    It hasn’t been a good week for telecommunications companies: security researchers have uncovered security flaws with systems at AT&T, Sprint, and T-Mobile that could have left customer data accessible to bad actors.

    Yesterday, BuzzFeed News reported two flaws that left customer information information vulnerable at AT&T and T-Mobile. In T-Mobile’s case, an “engineering mistake” between Apple’s online storefront and T-Mobile’s account validation API allowed for an unlimited number of attempts on an online form

    A similar problem occurred with phone insurance company Asurion and its AT&T customers.

    In each case, both companies fixed the vulnerabilities when contacted by BuzzFeed News.

    In another instance this weekend, TechCrunch reported that security researchers were able to access an internal staff portal at Sprint because of “weak, easy-to-use usernames and passwords,” compounded with the lack of two-factor authentication. Once in, the researcher was reportedly able to access customer account information for Sprint, Boost Mobile, and Virgin Mobile. The researcher also reported that anyone who gained access could make changes to customer accounts, and that customer PINs could be brute-forced.
    A Sprint spokesperson confirmed the vulnerability to TechCrunch

    It’s worth noting that vulnerabilities aren’t necessarily breaches, but it’s vulnerabilities such as these that allow bad actors to gain access to a system and exploit the customer data that they access. These systems are by necessity complicated

  22. Tomi Engdahl says:

    Didi woman passenger killed amid China ride-hailing safety concerns

    Didi Chuxing, the biggest ride-sharing firm globally by number of trips, was “immensely saddened by the tragedy,”

    Following the incident, Zhejiang province, where Wenzhou is located, ordered Didi to suspend its carpooling service there while the company addressed safety issues, the official Xinhua news agency reported.

    Didi Chuxing – which has been valued at $50 billion and counts SoftBank Group Corp (9984.T) as a major investor – is aggressively expanding overseas, targeting new markets in Mexico, Brazil and Australia, going head-to-head with Uber. In 2016, Didi acquired Uber’s China business.

    “The fact that Didi has a driver safety and security issue is a real problem for Didi”

  23. Tomi Engdahl says:

    Isobel Koshiw / The Verge:
    Sources detail a Ukraine-based hacking scheme that stole press releases from three US newswires over at least five years and made $100M+ via insider trading — At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers.

    How an international hacker network turned stolen press releases into $100 million

    At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits.

    Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam.

    Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts.

    The case exemplifies the way insider trading has been quietly revolutionized by the internet. Traders no longer need someone inside a company to obtain inside information. Instead, they can turn to hackers, who can take their pick of security weaknesses

    As one person involved in the press release scheme pointed out, it doesn’t matter what level of security a company has, “you’ve always got the human factor: that one employee who will click on the phishing email or is happy to exchange their password for money.”

    “Just about every organization that compiles financial data that could be useful for traders has, at some point, been hacked,”

    “All the bureaus of economic analysis from major countries in the world have almost certainly been hacked.”

    For the most part, Borg says, these hacks fly below the radar. They tend to be “sophisticated and targeted,” and companies often refrain from reporting them, whether to avoid liabilities and reputational damage or because they don’t even know what information has been stolen.

    In the last eight years, the US Securities and Exchange Commission has added three new teams to enhance its cybercrime detection capabilities and pushed companies to bolster their own security and quickly disclose breaches. The measures have had some success

    From the beginning of 2012 onward, the three newswires — Business Wire, PR Newswire, and Marketwired — were endlessly patching holes and uninstalling malware in an effort to block the hackers’ access, court documents show.

    After authorities alerted PR Newswire to a potential breach, the wire hired the private cybersecurity firm Stroz Friedberg in March 2012 to investigate further. Turchynov’s malware was detected and uninstalled

    But by May 30th, 2012, thanks in part to their new co-worker Ieremenko, the hackers had regained access to PR Newswire and were back in business.

    The US Secret Service decided to send an assistance request to Ukraine’s intelligence services

    In November 2012, the Ukrainians, accompanied by US Secret Service agents now working in tandem with the FBI, carried out raids on nine properties around Kiev tied to the hackers.

    From there, the case went cold. Ukraine does not extradite its own citizens
    None of the hackers were charged in Ukraine, either.

    From US Special Agent Parisella’s visit onward, Turchynov continued to hack press releases, but now at the behest of elements within Ukraine’s intelligence services, Ukraine’s Cyber Police Chief Serhii Demedyuk told The Verge.

    The hacker Turchynov has so far escaped consequences of the scheme collapsing as well. He went on to hack Ukraine’s fiscal services database in 2016 for a different Ukrainian business group, according to Demedyuk, Ukraine’s cyber police chief, and stole information and altered taxes on the group’s behalf. When the police began investigating in January 2017, Turchynov fled through Ukraine’s war-torn eastern territories to Russia, a country out of reach to the US and Ukrainian authorities.

    Breaches of the SEC, including of its EDGAR filing system, occurred from October 2016 to April 2017, Reuters reported, citing an unnamed source, though the SEC’s statements issued in September mentioned only a 2016 intrusion without elaborating on a timeline. The SEC says it is still investigating what happened.

  24. Tomi Engdahl says:

    Ian Bogost / The Atlantic:
    Businesses have been collecting, selling, and reusing personal data for decades; Google and Facebook only made the process more visible via better ad targeting

    Welcome to the Age of Privacy Nihilism

    Google and Facebook are easy scapegoats, but companies have been collecting, selling, and reusing your personal data for decades, and now that the public has finally noticed, it’s too late. The personal-data privacy war is long over, and you lost.

    Online services are only accelerating the reach and impact of data-intelligence practices that stretch back decades. They have collected your personal data, with and without your permission, from employers, public records, purchases, banking activity, educational history, and hundreds more sources. They have connected it, recombined it, bought it, and sold it. Processed foods look wholesome compared to your processed data, scattered to the winds of a thousand databases. Everything you have done has been recorded, munged, and spat back at you to benefit sellers, advertisers, and the brokers who service them. It has been for a long time, and it’s not going to stop. The age of privacy nihilism is here, and it’s time to face the dark hollow of its pervasive void.

  25. Tomi Engdahl says:


    The problem is the customer data that was potentially exposed: name, billing zip code, email address, some hashed passwords, account number, account type, and phone number. Pay close attention to that last one.

    The cumulative danger of all of these data points becoming exposed—not just by T-Mobile but across countless breaches—is that it makes it easier for attackers to impersonate you and take control of your accounts. And while the passwords are bad news, perhaps no piece of standard personal information has more value than your phone number.


    08.25.1807:00 AM

    On Thursday, T-Mobile confirmed that some of its customer data was breached in an attack the company discovered on Monday. It’s a snappy disclosure timeframe, and the carrier said that no financial data or Social Security numbers were compromised in the breach. A relief, right? The problem is the customer data that was potentially exposed: name, billing zip code, email address, some hashed passwords, account number, account type, and phone number. Pay close attention to that last one.

    The cumulative danger of all of these data points becoming exposed—not just by T-Mobile but across countless breaches—is that it makes it easier for attackers to impersonate you and take control of your accounts. And while the passwords are bad news, perhaps no piece of standard personal information has more value than your phone number.

    That’s because phone numbers have become more than just a way to contact someone. In recent years, more and more companies and services have come to rely on smartphones to confirm—or “authenticate”—users. In theory, this makes sense; an attacker might get your passwords, but it’s much harder for them to get physical access to your phone. In practice, it means that a single, often publicly available, piece of information gets used both as your identity and a means to verify that identity, a skeleton key into your entire online life. Hackers have known this, and profited from it, for years. Companies don’t seem interested in catching up.

    But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

    “The bottom line is society needs identifiers,”

    “We just have to make sure that knowledge of an identifier can’t be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it’s public.”

    The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number

    “The issue being exposed with SIM swaps is that if you control the phone number you can take over the authenticator,” Grant says. “A lot of it gets to the same issue we run into with Social Security numbers, which is leveraging the same number as both an identifier and authenticator. If it’s not a secret, then you can’t use it as an authenticator.”

    “The people in the card payment space understood a long time ago that separating people’s accounts from static attributes is important, but this definitely hasn’t happened with mobile phone numbers,” Hardjono says. “Plus SMS is a weak way to authenticate anyway, because the protocols are vulnerable. So if your phone could generate this short-term identifier that’s a combination of your physical device identifier and your phone number, it would be replaceable as a safety precaution.”

    The important thing is that it’s not necessarily bad for identifiers to be public; you just need a mechanism to change them if necessary, in a way that causes minimal headaches.

    Substantive change likely won’t come unless the government mandates it. Managing identity schemes is a complicated; falling back on phone numbers and Social Security numbers makes life easier for companies.

  26. Tomi Engdahl says:

    New Side-Channel Attack Uses Microphone to Read Screen Content

    Using regular microphones, academic researchers managed to pick up acoustic signals from computer displays and determine in real time the type of content on the screen.

    The technique could potentially allow an attacker to run surveillance operations, exfiltrate information, or spy on the victim’s browsing activity.

    By studying the audio emissions from multiple LCD screens (with both CCFL and LED backlighting), the researchers noticed a connection between the images displayed and the sound they made. They found that what is shown on screen comes with a distinct audio signature.

    The audio produced by computer screens comes from the power supply emitting a high-pitch noise when modulating current. The sound varies according to the power requirements needed to render the visual content; it is barely noticeable by the human ear, but common microphones have no problem detecting and recording it.

    After working with simple visual models and analyzing the spectogram of their audio recording, the researchers were able to create a fingerprint that could be used to recognize content from other captures.

    A successful attack needs planning

    The researchers experimented with their technique from an attacker’s perspective, who needs to be prepared to deal with variables that influence the recording, such as environmental noise, distance, type of microphone and its position relative to the screen.

    To minimize the risk of failure, an attacker should have sufficient markers to identify the content they’re interested in (websites, text), and a model to spot the patterns automatically.

    Getting relevant audio emissions

    The next step is to grab the audio, a task that does not necessarily require proximity. Recordings of VoIP and video-conference calls include sounds pertinent to creating a fingerprint of the image on the screen.

    “In fact, users often make an effort to place their webcam (and thus, microphone) in close proximity to the screen, in order to maintain eye contact during the video conference, thereby offering high-quality measurements to would-be attackers,” explains the paper.

  27. Tomi Engdahl says:

    Uusi kyberraportti Saksasta varoittaa: hakkerit voisivat pimentää koko Euroopan sähköverkon
    Cyber-Abwehrzentrum warnt vor Stromausfall in ganz Europa

  28. Tomi Engdahl says:

    Smartphones From 11 OEMs Vulnerable to Attacks via Hidden AT Commands

    Millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands, a team of security researchers has discovered.

    AT (ATtention) commands, or the Hayes command set, is a collection of short-string commands developed in the early 1980s that were designed to be transmitted via phone lines and control modems. Different AT command strings can be merged together to tell a modem to dial, hang up, or change connection parameters.

    Unknown to the common user is that modern smartphones include a basic modem component inside them, which allows the smartphone to connect to the Internet via its telephony function, and more.

    While international telecommunications bodies have standardized basic AT commands, dictating a list that all smartphones must support, vendors have also added custom AT command sets to their own devices —commands which can control some pretty dangerous phone features such as the touchscreen interface, the device’s camera, and more.

    Researchers analyze thousands of Android firmware images

    In massive and groundbreaking research, a team of eleven scientists from the University of Florida, Stony Brook University, and Samsung Research America, have looked into what types of AT commands are currently supported on modern Android devices.

    The research team analyzed over 2,000 Android firmware images from eleven Android OEMs such as ASUS, Google, HTC, Huawei, Lenovo, LG, LineageOS, Motorola, Samsung, Sony, and ZTE.

    They say they discovered that these devices support over 3,500 different types of AT commands, some of which grant access to very dangerous functions.

    Some phones expose AT commands via their USB interface

    These AT commands are all exposed via the phone’s USB interface, meaning an attacker would have to either gain access to a user’s device, or hide a malicious component inside USB docks, chargers, or charging stations.

    In the happiest cases, these AT commands are only available only when the phone’s USB debugging function has been enabled, but researchers said they found many devices where attackers had direct access to AT commands, even if the phone had entered a locked state.

    “In many cases, these commands are completely undocumented,”

    Phone vendors have been notified

    The research team says it notified all vendors which they found to be exposing AT commands via their phones’ USB interface. They also published a website containing a database of phone models and firmware versions that they found exposing the AT interface.

  29. Tomi Engdahl says:

    Epic’s first Fortnite Installer allowed hackers to download and install anything on your Android phone silently
    The exact problem we expected to happen, happened.

    Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic’s first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge. Google’s security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

    In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system. Here’s what you need to know about the vulnerability, and how to make sure you’re safe going forward.

    Epic Games’ strategy for Fortnite on Android is stupid, greedy, and dangerous
    This is the worst possible idea, for the worst possible reasons.

  30. Tomi Engdahl says:

    Password Protected Word Document Delivers HERMES Ransomware

    Evading AV detection is part of a malware author’s routine in crafting spam campaigns and an old and effective way of achieving this is spamming a password protected document. Recently, we observed such a password protected document being spammed out, and even worse, its payload was ransomware.

  31. Tomi Engdahl says:

    Security Flaws Inadvertently Left T-Mobile And AT&T Customers’ Account PINs Exposed

    Mobile account PINs intended to protect T-Mobile and AT&T customers’ accounts were exposed by two security vulnerabilities. After a BuzzFeed News inquiry, the companies fixed the flaws.

  32. Tomi Engdahl says:

    Experts Urge Rapid Patching of ‘Struts’ Bug

    In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

    On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

    Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

  33. Tomi Engdahl says:

    Chrome’s anonymous browsing feature isn’t as secret as we assumed
    Twice in two weeks, Google? Ouch

    GOOGLE HAS strongly denied accusations that Chrome’s ‘Private’ or ‘Incognito’ mode is collecting data that it is a lot less anonymous than you may have thought.

    A researcher from Vanderbilt University in Nashville, Tennessee found that although the data collected appears to be anonymised, in reality, Google can retroactively identify it from the usernames and other account data used during the session.

    So, for example, if you sign into a website while using a private browsing window, the details of that login are still sent to Google which can put two and two together.

    Digital Content Next, which organised the study, points out that adverts served up by Google’s advertising can be linked to the cookies created both in and out of Incognito mode.

  34. Tomi Engdahl says:

    Top dark web drug vendors nabbed by ‘Operation Darkness Falls’

    The US government stepped up its attack on dark web criminals this week, announcing the arrests of several alleged drug traffickers that used hidden online services.

    The Department of Justice announced the arrests, along with some charges and guilty pleas, as part of Operation Darkness Falls, a joint initiative involving several government agencies.

    Together, they collared a couple that they called “the most prolific dark net fentanyl vendor in the United States and the fourth most prolific in the world”. San Antonio-based Matthew and Holly Roberts traded under the name MH4Life, among others. Way to obscure your identities, guys.

    The couple traded on several dark web sites, including Dream Market, Silk Road, Darknet Heroes League and Nucleus. They also used AlphaBay, one of the largest dark web marketplaces, before it shut down last year.

    They used Tor to communicate, and bought postage in cryptocurrency to hide their tracks, the DoJ said.

  35. Tomi Engdahl says:

    Aug 18
    Who’s Behind the Screencam Extortion Scam?

    The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it’s likely that additional spammers and scammers piled on with their own versions of the phishing email after noticing that some recipients were actually paying up. The truth is we may never find out who’s responsible, but it’s still fun to follow some promising leads and see where they take us.

  36. Tomi Engdahl says:

    FireEye: Tech Firms’ Secret Weapon Against Disinformation

    his week has seen major social media sites step up their policing of online disinformation campaigns.

    Google disabled dozens of YouTube channels and other accounts linked to a state-run Iranian broadcaster running a political-influence campaign.

    Facebook removed 652 suspicious pages, groups and accounts linked to Russia and Iran.

    Twitter took similar action shortly thereafter.

    What did they have in common? The security firm FireEye.

    Best known for its work on high-profile cyberattacks against companies including Target, JPMorgan Chase and Sony Pictures, FireEye is emerging as a key player in the fight against election interference and disinformation campaigns.

    “They’ve really become the Navy SEALs of cybersecurity, especially for next-generation cybersecurity threats,” said GBH Insights analyst Dan Ives.

    “We kind of operate like a private-sector intelligence operation,” he said.

    FireEye was founded by Ashar Aziz, who developed a system for spotting threats that haven’t been tracked before, unlike older companies that sold firewalls or anti-virus programs that block known malware.

    While businesses are spending more on information security, FireEye itself has spent heavily on research, development, sales and marketing. That has led to struggles to remain profitable, as heavy investments offset revenue growth.

    FireEye Inc.’s second-quarter revenue rose 6 percent to $203 million but it lost $72.9 million, or 38 cents per share. That met Wall Street’s expectations, but its shares fell as investors expected more.

    That’s a common problem in the white-hot cybersecurity sector, which includes competitors like Palo Alto Networks, CloudFlare and Check Point. The companies are facing high expectations as the cybersecurity market booms, fueled by heightened cyberattacks and hacking fears.

    “As the space has become more competitive … profitability and growth has been a challenge for (FireEye),” Ives said.

  37. Tomi Engdahl says:

    Google Tells Toomey Hackers Tried to Infiltrate Staff Email

    Google has alerted U.S. Sen. Pat Toomey’s office that hackers with ties to a “nation-state” sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.

    Toomey’s office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn’t been used since the end of the 2016 campaign, and the staffers they’re attached to no longer work for Toomey. The nation-state wasn’t identified.

    “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” he said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.”

    Toomey currently isn’t running for office and the effort would not have affected the upcoming midterm elections.

  38. Tomi Engdahl says:

    Half a Million Cards Exposed in Cheddar’s Scratch Kitchen Breach

    Over half a million payment card numbers were exposed after cybercriminals compromised the point-of-sale system of certain Cheddar’s Scratch Kitchen restaurants, Darden Restaurants announced.

    The company says that it has engaged a third-party forensic cybersecurity firm to investigate the incident and that its current systems and networks were not impacted. The legacy system that was compromised has “was permanently disabled and replaced by April 10, 2018, as part of our integration process,” the company says.

  39. Tomi Engdahl says:

    Online Jokes Are No Laughing Matter in Russia

    Russians Increasingly Prosecuted Under Extremism Legislation for Social Media Posts

    Russian authorities have registered 762 “extremist crimes” so far this year, many of them consisting of social media posts. In some cases, the authorities make little effort to conceal that they are using the country’s broad and vague anti-extremism legislation to silence free expression.

    Not everyone in government agrees with this crackdown; the Ministry of Communications recently supported a proposed law change to eliminate criminal liability for reposting content online. But with arrests on the rise, it’s clear free speech online is under threat.

  40. Tomi Engdahl says:

    How hackers managed to steal $13.5 million in Cosmos bank heist

    An in-depth look into the incident reveals how the 112-year-old bank may have been swindled out of millions.

    The attack reportedly took place in two stages been August 10 – 13. According to the Hindustan Times, malware was used on the bank’s ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions.

    The first wave involved the theft of roughly $11.5 million in transactions from multiple countries. In the second wave, on the same day, close to $2 million was withdrawn through debit card transactions across India.

  41. Tomi Engdahl says:

    The adventures of lab ED011—“Nobody would be able to duplicate what happened there”
    One Romanian campus computer lab both pentested the world and eventually helped protect it.

    BUCHAREST, Romania—At the edge of Europe, Romania’s University Politehnica of Bucharest has long been the most prestigious engineering school in the region. Here, a terracotta-tiled building looms large over the campus, hosting the faculty of the Automatic Control and Computer Science (ACCS) program. On the ground floor, close to the entrance, is a humble computer lab. The label reads ED011.

    Back in the early 1990s, after Romania escaped the grip of communism, this room was one of the few places offering an Internet connection free of charge. So every night, when no one was watching, students descended upon the lab to connect to the rest of the world. Eager to learn about life in Western Europe and the US, these students already had the look of their counterparts there—long hair, blue jeans, and Metallica shirts.

    “Computers gave us the possibility to communicate with people around the world, which was extraordinary,” a former student named Lari tells me today. The ED011 computer lab did more than that, of course. It gave these students total freedom—to not only chat on the early Web but to explore all the odd nooks and crannies of computer science.

    And if you ask former ED011 students, many of them did just that. They built programs to find dates (and watched as things took off far beyond the computer lab). They found the gnarliest malware on the early Web (and built applications to combat it). Some even tried to flex amateur pentesting skills on some of the biggest organizations online at the time (much to the school administration’s chagrin).

    Within this seemingly nondescript university room, Romania’s first truly digital generation was born.

  42. Tomi Engdahl says:

    Andromeda Botnet Operator Released With a Slap on the Wrist

    Sergey Yarets, also known as Ar3s, a hacker arrested last year for running an instance of the Andromeda botnet, was released by Belarusian authorities with nothing more than a slap on the wrist.

    Authorities dropped all charged after Yarets cooperated with investigators, and after he handed over all the profits he made from renting the Andromeda botnet to other cybercriminals. The sum accounted to around 11,000 Belarusian rubles (~$5,400).

    Yarets set free because there were no Belarusian victims

    According to a Radio Free Europe reporter who was at the court hearing, the judge was lenient on Yarets after he gave investigators evidence that proved his own guilt.

    Another factor that “impressed” the judge was that Yarets configured the Andromeda malware to avoid infecting users in Belarus and fellow CIS countries.

    Since there was no damage against any Belarusian users, Yarets’ lawyer argued he should be set free. The lawyer also argued that Yarets’ IT knowledge should be put in the country’s interest, totally ignoring the damages caused to users abroad.

    “This case is another example of a double standard toward prosecuting cybercriminals in post-Soviet countries, where they treat their own cybercriminals differently, allowing them to avoid fair punishment and then using them in the interests of the state, neutralizing the efforts of the international community to combat cybercrimes,” says Alexandr Solad, a security researcher with threat intel firm Recorded Future.

    Yarets ran one of the biggest Andromeda botnets

    Yarets to return to his old job

    In Facebook comments posted on the Radio Free Europe report, Yarets disputed the FBI and Microsoft’s assertion that his botnet caused $10 million in damage, calling it baseless.

    He also alluded that the damage might have been caused by other Andromeda botnets, most of which appeared online after an “American” created a crack for the Andromeda code and released it for free, creating an Andromeda “epidemic.”


Leave a Comment

Your email address will not be published. Required fields are marked *