The Five Eyes — the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) — have issued a “Statement of Principles on Access to Evidence and Encryption” where they claim their needs for surveillance outweigh everyone’s needs for security and privacy.
Israel is a major center of global cybersecurity innovation, as the acquisition of Solebit by MimeCast illustrates. This takeover is another one in a string of recent acquisitions of Israeli cybersecurity startups by public pure play cyber companies. MimeCast joins Symantec, Palo Alto Networks and Proofpoint that all acquired companies during the last 12 months to boost their innovative technology stack for keeping their competitive edge and expanding their product portfolio.
With five 100% Israeli and another six non-Israeli public cybersecurity companies that have a presence in Israel, the country continues to solidify its position as a global center of cybersecurity innovation.
Former Facebook security chief says creating election chaos is still easy
Taylor Hatmaker, Zack Whittaker
Sep 7, 2018
disruptsf18_alex_stamos-1120
Disrupt starts today
As someone who’s had a years-long front-row seat to Russia’s efforts to influence U.S. politics, former Facebook Chief Security Officer Alex Stamos has a pretty solid read on what we can expect from the 2018 midterms. Stamos left the company last month to work on cybersecurity education at Stanford.
“If there’s no foreign interference during the midterms, it’s not because we did a great job,” Stamos said in an interview with TechCrunch at Disrupt SF on Thursday. “It’s because our adversaries decided to [show] a little forbearance, which is unfortunate.”
As Stamos sees it, there is an alternative reality in which the U.S. electorate would be better off heading into its next major nationwide voting day, but critical steps haven’t been taken.
“As a society, we have not responded to the 2016 election in the way that would’ve been necessary to have a more trustworthy midterms,” he said. “There have been positive changes, but overall security of campaigns [is] not that much better, and the actual election infrastructure isn’t much better.”
“It’s kinda a crappy job to be a chief security officer,” said Stamos, Facebook’s former security chief, in an interview with TechCrunch at Disrupt SF on Thursday.
“It’s like being a [chief financial officer] before accounting was invented,” he said.
“When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume,” he said.
AdChoices
Disrupt SF 2018
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’
Zack Whittaker, Taylor Hatmaker
Sep 7, 2018
Disrupt starts today
Alex Stamos has been at the helm of some of the world’s most powerful companies for the past half-decade and is widely regarded as one of the smartest people working in the security space.
Now, just a month into his new gig as an academic, he can look back at his time with a dose of brutal honesty.
“It’s kinda a crappy job to be a chief security officer,” said Stamos, Facebook’s former security chief, in an interview with TechCrunch at Disrupt SF on Thursday.
“It’s like being a [chief financial officer] before accounting was invented,” he said.
“When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume,” he said.
Stamos recently joined Stanford University after three years as Facebook’s security chief. Before then, he was Yahoo’s chief information security officer for less than a year before he departed the company, reportedly in conflict with then-Yahoo chief executive Marissa Mayer over the company’s complicity with a secret government surveillance program.
His name is synonymous to many as a fierce defender of user security and rights, but he was at the helm when both his former employers were hit by security scandals — Yahoo had a a three-billion user data breach, and Facebook with the Cambridge Analytica voter profiling incident. Although inherited, he said he wasn’t going to “shirk” the blame.
“I was the CSO when all this stuff happened — it was my responsibility,” he said.
He said most companies have to navigate security, but also privacy and misuse of their products.
Stamos admits that while he came from a “traditional CSO” background, he quickly learned that the vast majority of harm caused by technology “does not have any interesting technical component.”
Speaking to disinformation, child abuse and harassment, he said that it’s the “technically correct use of the things we build that cause harm.”
He said that the industry needs to vastly expand how companies deal with issues that encompass but don’t fall within the strict realm of cybersecurity. “There’s not really a field around it,” he said, talking to the need to redefine “cybersecurity” to also include issues of trust, safety and privacy — three things that are important for companies to be working to ensure, but don’t necessarily fit into the traditional security model.
Industry given final warning as governments declare they are ready to legislate for backdoor access
The ‘Five Eyes’ governments of the UK, US, Canada, Australia, and New Zealand have challenged tech companies to voluntarily create backdoor access to their systems, or be compelled to by law.
Encryption, deployed by companies such as WhatsApp and Google to guarantee user privacy, poses a significant challenge to combating serious crimes and terrorism, the five nations’ interior ministers agreed at a two-day summit on Australia’s Gold Coast last week.
“Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information,”
“However, the increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security.
“Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals
Microsoft has always described Windows 10 “as a service” and leaks have already revealed new monthly charges are coming. Of course, for Windows 7 owners this was never something they expected to pay. But times change…
In a new blog post entitled “Helping customers shift to a modern desktop”, Microsoft has announced that it will indeed start charging Windows 7 customers a monthly fee from January 14th 2020, if they want to keep their computers safe.
Catalin Cimpanu / ZDNet:
US GAO releases report on how the 2017 Equifax hack occurred and the steps taken in its aftermath, concluding Equifax left information vulnerable on many fronts — GAO report takes us inside Equifax from March 2017 onward, showing how a few slip-ups led to one of the biggest breaches in US history.
GAO report takes us inside Equifax from March 2017 onward, showing how a few slip-ups led to one of the biggest breaches in US history.
The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident.
The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens.
Siva Vaidhyanathan / New York Times:
Facebook says it deleted 1.3B fake accounts in six months; fake accounts are being created, probably for commercial purposes, faster than Facebook can delete — Sheryl Sandberg’s testimony to Congress revealed that fraudulent pages are being created as fast as the social network can delete them. http://www.nytimes.com/2018/09/05/opinion/facebook-sandberg-congress.html
Catalin Cimpanu / ZDNet:
House passes a bill that requires White House to create and maintain a database with the names of foreign hackers and cyber-threat groups working against US
US hopes that a name-and-shame strategy would deter foreign nation-state hacking groups to attack US infrastructure as often as now.
The US House of Representatives passed a bill this week that would have the White House create and maintain a database containing all the names of individuals and cyber-threat groups associated with foreign cyber-espionage operations active against the US.
The bill, named the Cyber Deterrence and Response Act of 2018 (H.R. 5576), was proposed in June by Rep. Ted Yoho (R, Florida), and passed in the House on Wednesday, September 5, after a voice vote.
According to the bill’s revised text, the White House, through the president, would be required to establish and maintain a database of advanced persistent threats –or APTs– a term used in the cyber-security private sector to refer to government-backed groups that are engaged in cyber-espionage operations against other countries.
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.
According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.
An overall increase in malicious activity has led to attack attempts against 41.2% of the industrial control systems (ICS) protected by the security firm, which represents an increase of nearly 5 percentage points compared to the first half of 2017. Kaspersky detected 18,000 malware samples belonging to more than 2,500 families in that period.
British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.
BA late Thursday revealed that personal and financial details of customers who booked flights on the group’s website and mobile phone app between August 21 and Wednesday had been stolen.
The revelation comes just a few months after the European Union tightened data protection laws.
“We’re extremely sorry for what has happened,” Cruz told the BBC on Friday.
“There was a very sophisticated, malicious, criminal attack on our website.”
BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.
ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.
The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.
Microsoft this week revealed plans to offer paid Windows 7 Extended Security Updates (ESU) for three years after traditional support for the operating system will officially end.
Released in 2009, Windows 7 currently powers around 39% of all machines running Microsoft’s Windows platform, but is slowly losing ground to Windows 10 (currently found on over 48% of Windows systems).
Microsoft stopped selling Windows 7 in 2014 (some variants are still available to OEMs) and ended mainstream support for the operating system in early 2015. The company plans on ending extended support for Windows 7 to January 14, 2020.
A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.
According to investigators, Park worked at KEJV’s offices in Dalian, Liaoning, China, a province that borders North Korea. A résumé discovered by agents showed that he had been employed as a developer and that he had programming skills in – among many others – Visual C++, the language used to create many of Lazarus’ tools.
The Accellera Systems Initiative announced formation of its IP Security Assurance Working Group, which will meet every two weeks beginning Tuesday, October 2. The group will develop a security assurance standard for third-party intellectual property going into chip designs.
It’s been one year since Equifax disclosed the data breach that exposed the Social Security numbers of 145.5 million Americans. What have lawmakers done in response? Nothing, essentially. Bills introduced in Congress have died for lack of action, and the federal Consumer Financial Protection Bureau reportedly killed its investigation into the Equifax breach last November. There has been some regulatory action in California and New York State.
The Equifax breach and similar episodes have drawn attention to cybersecurity precautions and brought new business to companies in the field. Gartner forecasts enterprises around the world will spend $96.3 billion on security this year, an 8% increase from 2017. Zacks Investment Research highlights six cybersecurity stocks that could gain momentum as the midterm elections draw near: Fortinet, Radware, Proofpoint, FireEye, Palo Alto Networks, and CyberArk Software.
Here’s a potential growth market: Cybersecurity insurance. Apple and Cisco Systems teamed up earlier this year with Allianz and Aon to offer cyber resilience evaluation services and cybersecurity insurance coverage. One challenge in the nascent business: Not having decades of actuarial data to determine coverage and premiums.
The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it’s not clear it changed much of anything.
Why it matters: A year ago Friday, Equifax — one of the major credit reporting agencies — announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it.
But that didn’t happen: “The initial interest that was implied by congressional actions didn’t pan out,” said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT).
What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was “long past time” for federal standards for how companies like Equifax secure data.
The market for insurance against cyber threats will double by 2020 to over 8 billion dollars, German reinsurance giant Munich Re told a conference in Monaco on Sunday.
“Cyber risks are one of the biggest threats to the networked economy,” Munich Re board member Torsten Jeworrek said in a statement on the first day of an annual meeting of reinsurers in the Mediterranean principality.
Munich Re estimated that companies could more than double their spending on cyber insurance from $3.4-$4 billion (3-3.4 billion euros) in 2017 to $8-$9 billion by 2020.
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.
The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.
Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.
Theory Suggests we Need to Come to the Very Brink of Cyberwar Before Humanity Backs Down and Finds a Solution
Security firms take a keen interest in the evolution of no-longer fanciful cyberwar — they will be our first line of defense. Kaspersky Lab takes a particular interest, being both a defender and one of the first victims of this evolution. SecurityWeek spoke to Anton Shingarev, Kaspersky Lab’s VP of public affairs.
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.
The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.
Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
A 35-year-old Russian was extradited to the United States from Georgia on Friday to answer criminal charges over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.
Andrei Tyurin is accused of orchestrating major hacking crimes against US financial institutions, brokerage firms and financial news publishers, including the largest theft of customer data from a US financial institution.
US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.
The scheme compromised data from millions of customers of JPMorgan Chase and other firms, previously identified as the Dow Jones media group and online brokers ETrade and Scottrade.
A recently discovered exploit kit (EK) has been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
Dubbed Fallout, the new EK has been targeting users in Japan with the SmokeLoader Trojan, but has been also observed delivering the GandCrab ransomware in the Middle East.
Colorado, whose election systems are ranked among the nation’s safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state’s preparedness for, and public confidence in, November’s midterm elections.
Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kristjen Nielsen praised Colorado as a national leader in safeguarding elections.
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.
According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.
British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.
BA late Thursday revealed that personal and financial details of customers who booked flights on the group’s website and mobile phone app between August 21 and Wednesday had been stolen.
The revelation comes just a few months after the European Union tightened data protection laws.
“We’re extremely sorry for what has happened,” Cruz told the BBC on Friday.
“There was a very sophisticated, malicious, criminal attack on our website.”
TESLA HAS TAKEN plenty of innovative steps to protect the driving systems of its kitted-out cars against digital attacks. It’s hired top-notch security engineers, pushed over-the-internet software updates, and added code integrity checks. But one team of academic hackers has now found that Tesla left its Model S cars open to a far more straightforward form of hacking: stealthily cloning the car’s key fob in seconds, opening the car door, and driving away.
In a Five Eyes ministerial meeting in late August, the governments of the US, UK, Australia, Canada, and New Zealand put forward a number of proposals that focus on national security, including a stronger stance on encrypted messaging.
Established some time during World War II, Five Eyes is an umbrella agreement between the five aforementioned countries that allows for the free sharing of intelligence and information for the sake of national security in each nation.
“The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”, the statement on encryption reads.
Barney Thompson / Financial Times:
On Tuesday, a top EU court will decide if the EU’s “right to be forgotten” regulations should apply worldwide and what type of information should be delisted
Europe’s top judges are being asked to decide the limits of the “right to be forgotten” — a person’s ability to demand that internet search engines hide incorrect, out-of-date or potentially embarrassing information about them.
The ECJ’s eventual ruling will not only affect Google but all other search engines, such as Yahoo and Microsoft’s Bing, and is likely to have implications for social media platforms.
(Reuters) – Apple Inc (AAPL.O) plans to create an online tool for police to formally request data about its users and to assemble a team to train police about what data can and cannot be obtained from the iPhone maker
Daniel Funke / Poynter:
How several fact-checking sites around the world approach harassment and death threats following partnerships with Facebook to stem misinformation
The PDF file is 299 pages long. It has a table of contents, infographics and a statement of intent. And it has extensive details on 40 journalists in Brazil — including archived links and screenshots from each person’s various social media profiles.
Then, it uses all of that as evidence to classify how leftist each journalist is.
“It was very well done,” said Cristina Tardáguila, director of Brazilian fact-checking project Agência Lupa. “Graphically speaking, somebody spent a lot of time doing it.”
The document went viral among right-wing groups on WhatsApp, which has 120 million users in a country of 200 million people. Tardáguila said it racked up countless of shares, and that she alone received it at least 20 times from different friends, colleagues and family members. They wanted her to know she was in it.
The backlash was in response to an announcement on May 10 that Lupa, along with fellow fact-checking organization Aos Fatos, would work with Facebook to limit the spread of misinformation ahead of October’s presidential election. The project lets fact-checkers flag fake images and news stories in the News Feed, limiting their future reach by up to 80 percent.
From there, the trolling snowballed.
Several online influencers wrote about the PDF, Tardáguila said. One right-wing newspaper published a column about how fact-checkers are trying to censor information on the internet ahead of October’s contentious presidential election. A blatantly misogynistic cartoon portraying the directors of all three fact-checking organizations as pets of investor George Soros made the rounds on WhatsApp.
HuffPost India:
Report: hackers have disabled security features of India’s Aadhaar enrollment software with a patch available for ~$35, making it possible to create fake IDs — Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on Whatsapp
Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on Whatsapp
NEW DELHI—The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.
The patch—freely available for as little as Rs 2,500 (around $35)— allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.
This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts
The experts consulted by HuffPost India said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar’s fundamental structure.
“Whomever created the patch was highly motivated to compromise Aadhaar,”
“There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” Björksten said. “To have any hope of securing Aadhaar, the system design would have to be radically changed.”
A SERIES OF PRAGMATIC CHOICES
The genesis of the current hack lies in a decision, made in 2010, to let private agencies enrol users to the Aadhaar system in order to speed up enrolments.
This decision to install the software on each enrolment computer, said cyber security expert Björksten, “puts the running of critical components of Aadhaar in the hands of the enemies of the system”.
The UIDAI had also mandated that each computer used for enrolment was attached to a GPS device to ensure enrolment was done within the physical confines of the authorised centres.
Yet by early 2017, these carefully considered security features were bypassed by an elegant software hack that began circulating among the private enrolment operators empanelled to register a billion Indians to the Aadhaar database.
“This is a straightforward, business-like, and utilitarian hack,” said Björksten, the security analyst. “Having examined the entirety of the code, it is my opinion that the patch is the work of more than one coder.”
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
WHO IS BEHIND THE AADHAAR HACK?
While the hack is being used by village-level computer operators, with no formal knowledge of programming, security researchers like Björksten and Venkatanarayanan say the hack represents a significant investment in time and resources — suggesting sophisticated well-trained adversaries.
WHAT IS THE IMPACT OF THE AADHAAR HACK?
The software patch is unusual in that it doesn’t seek to access information stored in the Aadhaar database, but rather looks to introduce information into it.
This most recent vulnerability is an illustration of how extending Aadhaar to services and purposes it was never designed for has compromised the security of the entire project.
Virtual private network (VPN) service providers ProtonVPN and NordVPN have made another attempt to patch a potentially serious privilege escalation vulnerability that they first tried to address a few months ago.
Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.
Zerodium disclosed the flaw and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The recently released Tor Browser 8 is not affected.
Google is going to Europe’s top court in its legal fight against an order requiring it to extend “right to be forgotten” rules to its search engines globally.
The technology giant is set for a showdown at the European Union Court of Justice in Luxembourg on Tuesday with France’s data privacy regulator over an order to remove search results worldwide upon request.
A cyber-espionage group believed to be operating out of China has been using a digitally signed network filtering driver as part of recent attacks, Kaspersky Lab reports.
Tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, the actor has been active since at least 2010, hitting hundreds of organizations worldwide (U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others).
Over the past several months, the actor has been abusing the digitally signed 32- and 64-bit network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.
The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.
Google is making it easier for G Suite administrators to access notifications, alerts, and actions by bringing them all together in a single place with the launch of a new alert center.
Currently available in Beta, the alert center provides admins with a comprehensive view on essential notifications, and allows them to easily take actions to better serve and protect their organizations, Google says.
Following the recent source code leak of the Android banking Trojan ExoBot, IBM X-Force research delved into the malware’s inner workings to help uncover insights into its dynamic mechanisms and the features that help criminals use it in cross-channel bank fraud.
Since exploit code for CVE-2018-14847 became publicly available, miscreants have launched attacks against MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.
The maker of the routers released a patch of the security bug in April, but users are slow to install the update, enabling cybercriminals to fight for a piece of the pie.
Multiple apps developed by Trend Micro are no longer available in the Mac App Store after researchers showed they were collecting browser history and information about users’ computers.
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
British Airways has revealed that hackers managed to breach its website and app, stealing data from many thousands of customers in the process.
But how was this possible?
BA has not revealed any technical details about the breach, but cyber-security experts have some suggestions of possible methods used.
Names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes were stolen by the hackers.
At first glance, the firm’s statement appears to give no details about the hack, but by “reading between the lines”, it is possible to infer some potential attack routes, says cyber-security expert Prof Alan Woodward at the University of Surrey.
“They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk,” says Prof Woodward.
“It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website.”
This means that as customers typed in their credit card details, a piece of malicious code on the BA website or app may have been furtively extracting those details and sending them to someone else.
Prof Woodward points out that this is an increasing problem for websites that embed code from third-party suppliers – it’s known as a supply chain attack.
Braggadocio teen part of up-and-coming Apophis Squad hacking squad fails to protect his identity. Gets promptly arrested by UK police. Pleads guilty.
In blog posts published today after the NCA announcement, ProtonMail and infosec journalist Brian Krebs –whose site Apophis Squad members had also hit with DDoS attacks– confirmed that information they provided to authorities following attacks on their sites led to Duke-Cohan’s arrest.
In particular, ProtonMail says that Duke-Cohan and other Apophis Squad members were ProtonMail users, a valuable piece of information that narrowed down the search for possible suspects.
In order to protect our user community, we have a zero-tolerance policy for criminal acts committed against ProtonMail, or criminal acts committed using ProtonMail.
The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed.
Stats from the bank showed the average loss from so-called “business email compromise” (BEC) frauds has reached £27,000.
IT workers are among the most susceptible to falling victim, along with those working in legal firms, HR and finance.
So-called “tech savvy” – the survey’s words, not ours – millennials face the highest risk of being targeted, with more than one in 10 falling victim or knowing someone who’d been a victim.
Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.
Security biz Eclypsium today said a weakness in the mechanism for updating a BMC’s firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.
A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.
Because BMCs operate at such a low level, they are also valuable targets for hackers.
More often than not, today’s malware is distributed via the web – executable files are becoming less of a problem. Also, the G DATA security experts were able to identify a particular trend in the first half of the year that targets users’ computers.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
493 Comments
Tomi Engdahl says:
Five-Eyes Intelligence Services Choose Surveillance Over Security
https://www.schneier.com/blog/archives/2018/09/five-eyes_intel.html
The Five Eyes — the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) — have issued a “Statement of Principles on Access to Evidence and Encryption” where they claim their needs for surveillance outweigh everyone’s needs for security and privacy.
Tomi Engdahl says:
Israel keeps on growing as a major center of global cybersecurity innovation
https://securityboulevard.com/2018/09/israel-keeps-on-growing-as-a-major-center-of-global-cybersecurity-innovation/
Israel is a major center of global cybersecurity innovation, as the acquisition of Solebit by MimeCast illustrates. This takeover is another one in a string of recent acquisitions of Israeli cybersecurity startups by public pure play cyber companies. MimeCast joins Symantec, Palo Alto Networks and Proofpoint that all acquired companies during the last 12 months to boost their innovative technology stack for keeping their competitive edge and expanding their product portfolio.
With five 100% Israeli and another six non-Israeli public cybersecurity companies that have a presence in Israel, the country continues to solidify its position as a global center of cybersecurity innovation.
Tomi Engdahl says:
Alex Stamos says the security infrastructure for this year’s Midterm elections isn’t much better than it was in 2016 https://tcrn.ch/2Qb710e
Former Facebook security chief says creating election chaos is still easy
https://techcrunch.com/2018/09/06/alex-stamos-us-midterm-election-security/
AdChoices
Disrupt SF 2018
Former Facebook security chief says creating election chaos is still easy
Taylor Hatmaker, Zack Whittaker
Sep 7, 2018
disruptsf18_alex_stamos-1120
Disrupt starts today
As someone who’s had a years-long front-row seat to Russia’s efforts to influence U.S. politics, former Facebook Chief Security Officer Alex Stamos has a pretty solid read on what we can expect from the 2018 midterms. Stamos left the company last month to work on cybersecurity education at Stanford.
“If there’s no foreign interference during the midterms, it’s not because we did a great job,” Stamos said in an interview with TechCrunch at Disrupt SF on Thursday. “It’s because our adversaries decided to [show] a little forbearance, which is unfortunate.”
As Stamos sees it, there is an alternative reality in which the U.S. electorate would be better off heading into its next major nationwide voting day, but critical steps haven’t been taken.
“As a society, we have not responded to the 2016 election in the way that would’ve been necessary to have a more trustworthy midterms,” he said. “There have been positive changes, but overall security of campaigns [is] not that much better, and the actual election infrastructure isn’t much better.”
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’
https://techcrunch.com/2018/09/06/alex-stamos-facebook-yahoo-security-officer/
“It’s kinda a crappy job to be a chief security officer,” said Stamos, Facebook’s former security chief, in an interview with TechCrunch at Disrupt SF on Thursday.
“It’s like being a [chief financial officer] before accounting was invented,” he said.
“When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume,” he said.
AdChoices
Disrupt SF 2018
Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’
Zack Whittaker, Taylor Hatmaker
Sep 7, 2018
Disrupt starts today
Alex Stamos has been at the helm of some of the world’s most powerful companies for the past half-decade and is widely regarded as one of the smartest people working in the security space.
Now, just a month into his new gig as an academic, he can look back at his time with a dose of brutal honesty.
“It’s kinda a crappy job to be a chief security officer,” said Stamos, Facebook’s former security chief, in an interview with TechCrunch at Disrupt SF on Thursday.
“It’s like being a [chief financial officer] before accounting was invented,” he said.
“When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume,” he said.
Stamos recently joined Stanford University after three years as Facebook’s security chief. Before then, he was Yahoo’s chief information security officer for less than a year before he departed the company, reportedly in conflict with then-Yahoo chief executive Marissa Mayer over the company’s complicity with a secret government surveillance program.
His name is synonymous to many as a fierce defender of user security and rights, but he was at the helm when both his former employers were hit by security scandals — Yahoo had a a three-billion user data breach, and Facebook with the Cambridge Analytica voter profiling incident. Although inherited, he said he wasn’t going to “shirk” the blame.
“I was the CSO when all this stuff happened — it was my responsibility,” he said.
He said most companies have to navigate security, but also privacy and misuse of their products.
Stamos admits that while he came from a “traditional CSO” background, he quickly learned that the vast majority of harm caused by technology “does not have any interesting technical component.”
Speaking to disinformation, child abuse and harassment, he said that it’s the “technically correct use of the things we build that cause harm.”
He said that the industry needs to vastly expand how companies deal with issues that encompass but don’t fall within the strict realm of cybersecurity. “There’s not really a field around it,” he said, talking to the need to redefine “cybersecurity” to also include issues of trust, safety and privacy — three things that are important for companies to be working to ensure, but don’t necessarily fit into the traditional security model.
Tomi Engdahl says:
‘Five Eyes’ nations hand tech giants encryption ultimatum
https://www.google.fi/amp/www.itpro.co.uk/encryption/31822/five-eyes-nations-hand-tech-giants-encryption-ultimatum%3famp
Industry given final warning as governments declare they are ready to legislate for backdoor access
The ‘Five Eyes’ governments of the UK, US, Canada, Australia, and New Zealand have challenged tech companies to voluntarily create backdoor access to their systems, or be compelled to by law.
Encryption, deployed by companies such as WhatsApp and Google to guarantee user privacy, poses a significant challenge to combating serious crimes and terrorism, the five nations’ interior ministers agreed at a two-day summit on Australia’s Gold Coast last week.
“Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information,”
“However, the increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security.
“Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals
Tomi Engdahl says:
Microsoft ‘Confirms’ Windows 7 New Monthly Charge
https://www.forbes.com/sites/gordonkelly/2018/09/08/microsoft-windows-7-monthly-charge-windows-10-free-upgrade-cost/#20170a2a2db1
Microsoft has always described Windows 10 “as a service” and leaks have already revealed new monthly charges are coming. Of course, for Windows 7 owners this was never something they expected to pay. But times change…
In a new blog post entitled “Helping customers shift to a modern desktop”, Microsoft has announced that it will indeed start charging Windows 7 customers a monthly fee from January 14th 2020, if they want to keep their computers safe.
Helping customers shift to a modern desktop
https://www.microsoft.com/en-us/microsoft-365/blog/2018/09
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
US GAO releases report on how the 2017 Equifax hack occurred and the steps taken in its aftermath, concluding Equifax left information vulnerable on many fronts — GAO report takes us inside Equifax from March 2017 onward, showing how a few slip-ups led to one of the biggest breaches in US history.
US government releases post-mortem report on Equifax hack
https://www.zdnet.com/article/us-government-releases-post-mortem-report-on-equifax-hack/
GAO report takes us inside Equifax from March 2017 onward, showing how a few slip-ups led to one of the biggest breaches in US history.
The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident.
The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens.
Actions Taken by
Equifax and Federal
Agencies in Response
to the 2017 Breach
https://www.gao.gov/assets/700/694158.pdf
Tomi Engdahl says:
Siva Vaidhyanathan / New York Times:
Facebook says it deleted 1.3B fake accounts in six months; fake accounts are being created, probably for commercial purposes, faster than Facebook can delete — Sheryl Sandberg’s testimony to Congress revealed that fraudulent pages are being created as fast as the social network can delete them.
http://www.nytimes.com/2018/09/05/opinion/facebook-sandberg-congress.html
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
House passes a bill that requires White House to create and maintain a database with the names of foreign hackers and cyber-threat groups working against US
Bill that would have the White House create a database of APT groups passes House vote
https://www.zdnet.com/article/bill-that-would-have-the-white-house-create-a-database-of-apt-groups-passes-house-vote/
US hopes that a name-and-shame strategy would deter foreign nation-state hacking groups to attack US infrastructure as often as now.
The US House of Representatives passed a bill this week that would have the White House create and maintain a database containing all the names of individuals and cyber-threat groups associated with foreign cyber-espionage operations active against the US.
The bill, named the Cyber Deterrence and Response Act of 2018 (H.R. 5576), was proposed in June by Rep. Ted Yoho (R, Florida), and passed in the House on Wednesday, September 5, after a voice vote.
According to the bill’s revised text, the White House, through the president, would be required to establish and maintain a database of advanced persistent threats –or APTs– a term used in the cyber-security private sector to refer to government-backed groups that are engaged in cyber-espionage operations against other countries.
Tomi Engdahl says:
Malware on ICS Increasingly Comes From Internet: Kaspersky
https://www.securityweek.com/malware-ics-increasingly-comes-internet-kaspersky
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.
According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.
An overall increase in malicious activity has led to attack attempts against 41.2% of the industrial control systems (ICS) protected by the security firm, which represents an increase of nearly 5 percentage points compared to the first half of 2017. Kaspersky detected 18,000 malware samples belonging to more than 2,500 families in that period.
Tomi Engdahl says:
BA Scrambles to Address Theft of Passenger Bank Details
https://www.securityweek.com/ba-scrambles-address-theft-passenger-bank-details
British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.
BA late Thursday revealed that personal and financial details of customers who booked flights on the group’s website and mobile phone app between August 21 and Wednesday had been stolen.
The revelation comes just a few months after the European Union tightened data protection laws.
“We’re extremely sorry for what has happened,” Cruz told the BBC on Friday.
“There was a very sophisticated, malicious, criminal attack on our website.”
BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.
Tomi Engdahl says:
U.K. Teen Involved in ProtonMail DDoS Attack Arrested
https://www.securityweek.com/uk-teen-involved-protonmail-ddos-attack-arrested
ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.
The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.
Tomi Engdahl says:
Microsoft to Charge for Windows 7 Security Updates
https://www.securityweek.com/microsoft-charge-windows-7-security-updates
Microsoft this week revealed plans to offer paid Windows 7 Extended Security Updates (ESU) for three years after traditional support for the operating system will officially end.
Released in 2009, Windows 7 currently powers around 39% of all machines running Microsoft’s Windows platform, but is slowly losing ground to Windows 10 (currently found on over 48% of Windows systems).
Microsoft stopped selling Windows 7 in 2014 (some variants are still available to OEMs) and ended mainstream support for the operating system in early 2015. The company plans on ending extended support for Windows 7 to January 14, 2020.
Tomi Engdahl says:
Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks
https://www.securityweek.com/opsec-mistakes-allowed-us-link-north-korean-man-hacks
A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.
According to investigators, Park worked at KEJV’s offices in Dalian, Liaoning, China, a province that borders North Korea. A résumé discovered by agents showed that he had been employed as a developer and that he had programming skills in – among many others – Visual C++, the language used to create many of Lazarus’ tools.
Tomi Engdahl says:
Week in Review: IoT, Security, Auto
IP security; Equifax breach; NXP buys OmniPHY.
https://semiengineering.com/week-in-review-iot-security-auto-9/
The Accellera Systems Initiative announced formation of its IP Security Assurance Working Group, which will meet every two weeks beginning Tuesday, October 2. The group will develop a security assurance standard for third-party intellectual property going into chip designs.
It’s been one year since Equifax disclosed the data breach that exposed the Social Security numbers of 145.5 million Americans. What have lawmakers done in response? Nothing, essentially. Bills introduced in Congress have died for lack of action, and the federal Consumer Financial Protection Bureau reportedly killed its investigation into the Equifax breach last November. There has been some regulatory action in California and New York State.
The Equifax breach and similar episodes have drawn attention to cybersecurity precautions and brought new business to companies in the field. Gartner forecasts enterprises around the world will spend $96.3 billion on security this year, an 8% increase from 2017. Zacks Investment Research highlights six cybersecurity stocks that could gain momentum as the midterm elections draw near: Fortinet, Radware, Proofpoint, FireEye, Palo Alto Networks, and CyberArk Software.
Here’s a potential growth market: Cybersecurity insurance. Apple and Cisco Systems teamed up earlier this year with Allianz and Aon to offer cyber resilience evaluation services and cybersecurity insurance coverage. One challenge in the nascent business: Not having decades of actuarial data to determine coverage and premiums.
Tomi Engdahl says:
After Equifax’s mega-breach, nothing changed
https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html
The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it’s not clear it changed much of anything.
Why it matters: A year ago Friday, Equifax — one of the major credit reporting agencies — announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it.
But that didn’t happen: “The initial interest that was implied by congressional actions didn’t pan out,” said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT).
What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was “long past time” for federal standards for how companies like Equifax secure data.
Tomi Engdahl says:
Cyber Insurance Market to Double by 2020, Says Munich Re
https://www.securityweek.com/cyber-insurance-market-double-2020-says-munich-re
The market for insurance against cyber threats will double by 2020 to over 8 billion dollars, German reinsurance giant Munich Re told a conference in Monaco on Sunday.
“Cyber risks are one of the biggest threats to the networked economy,” Munich Re board member Torsten Jeworrek said in a statement on the first day of an annual meeting of reinsurers in the Mediterranean principality.
Munich Re estimated that companies could more than double their spending on cyber insurance from $3.4-$4 billion (3-3.4 billion euros) in 2017 to $8-$9 billion by 2020.
Tomi Engdahl says:
Android September 2018 Patches Fix Critical Flaws
https://www.securityweek.com/android-september-2018-patches-fix-critical-flaws
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.
The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.
Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.
Tomi Engdahl says:
Talking Global Cyberwar With Kaspersky Lab’s Anton Shingarev
https://www.securityweek.com/talking-global-cyberwar-kaspersky-labs-anton-shingarev
Theory Suggests we Need to Come to the Very Brink of Cyberwar Before Humanity Backs Down and Finds a Solution
Security firms take a keen interest in the evolution of no-longer fanciful cyberwar — they will be our first line of defense. Kaspersky Lab takes a particular interest, being both a defender and one of the first victims of this evolution. SecurityWeek spoke to Anton Shingarev, Kaspersky Lab’s VP of public affairs.
Tomi Engdahl says:
Android September 2018 Patches Fix Critical Flaws
https://www.securityweek.com/android-september-2018-patches-fix-critical-flaws
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.
The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.
Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
Tomi Engdahl says:
Georgia Extradites Russian Data Theft Suspect to US
https://www.securityweek.com/georgia-extradites-russian-data-theft-suspect-us
A 35-year-old Russian was extradited to the United States from Georgia on Friday to answer criminal charges over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.
Andrei Tyurin is accused of orchestrating major hacking crimes against US financial institutions, brokerage firms and financial news publishers, including the largest theft of customer data from a US financial institution.
US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.
The scheme compromised data from millions of customers of JPMorgan Chase and other firms, previously identified as the Dow Jones media group and online brokers ETrade and Scottrade.
Tomi Engdahl says:
Researchers Discover New “Fallout” Exploit Kit
https://www.securityweek.com/researchers-discover-new-fallout-exploit-kit
A recently discovered exploit kit (EK) has been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
Dubbed Fallout, the new EK has been targeting users in Japan with the SmokeLoader Trojan, but has been also observed delivering the GandCrab ransomware in the Middle East.
Tomi Engdahl says:
Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
https://www.securityweek.com/industry-reactions-us-charging-north-korean-hacker-feedback-friday
Tomi Engdahl says:
Homeland Security Head: Colorado Tops US in Vote Security
https://www.securityweek.com/homeland-security-head-colorado-tops-us-vote-security
Colorado, whose election systems are ranked among the nation’s safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state’s preparedness for, and public confidence in, November’s midterm elections.
Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kristjen Nielsen praised Colorado as a national leader in safeguarding elections.
Tomi Engdahl says:
Malware on ICS Increasingly Comes From Internet: Kaspersky
https://www.securityweek.com/malware-ics-increasingly-comes-internet-kaspersky
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.
According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.
Tomi Engdahl says:
BA Scrambles to Address Theft of Passenger Bank Details
https://www.securityweek.com/ba-scrambles-address-theft-passenger-bank-details
British Airways will financially compensate customers whose data were stolen in a “sophisticated” and “malicious” hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.
BA late Thursday revealed that personal and financial details of customers who booked flights on the group’s website and mobile phone app between August 21 and Wednesday had been stolen.
The revelation comes just a few months after the European Union tightened data protection laws.
“We’re extremely sorry for what has happened,” Cruz told the BBC on Friday.
“There was a very sophisticated, malicious, criminal attack on our website.”
https://www.securityweek.com/british-airways-hacked-details-380000-cards-stolen
Tomi Engdahl says:
U.K. Teen Involved in ProtonMail DDoS Attack Arrested
https://www.securityweek.com/uk-teen-involved-protonmail-ddos-attack-arrested
Tomi Engdahl says:
HACKERS CAN STEAL A TESLA MODEL S IN SECONDS BY CLONING ITS KEY FOB
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/?mbid=social_fb_onsiteshare
TESLA HAS TAKEN plenty of innovative steps to protect the driving systems of its kitted-out cars against digital attacks. It’s hired top-notch security engineers, pushed over-the-internet software updates, and added code integrity checks. But one team of academic hackers has now found that Tesla left its Model S cars open to a far more straightforward form of hacking: stealthily cloning the car’s key fob in seconds, opening the car door, and driving away.
Tomi Engdahl says:
US and UK governments call for mandatory backdoors in encrypted chat
https://www.techradar.com/news/compulsory-encryption-backdoors-for-us-uk-australia-canada-and-new-zealand
In a Five Eyes ministerial meeting in late August, the governments of the US, UK, Australia, Canada, and New Zealand put forward a number of proposals that focus on national security, including a stronger stance on encrypted messaging.
Established some time during World War II, Five Eyes is an umbrella agreement between the five aforementioned countries that allows for the free sharing of intelligence and information for the sake of national security in each nation.
“The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”, the statement on encryption reads.
Tomi Engdahl says:
Barney Thompson / Financial Times:
On Tuesday, a top EU court will decide if the EU’s “right to be forgotten” regulations should apply worldwide and what type of information should be delisted
Europe’s top judges to hear ‘right to be forgotten’ cases
ECJ to consider whether search engines must delete links globally or only within the EU
https://www.ft.com/content/86ed805c-b4d8-11e8-b3ef-799c8613f4a1
Europe’s top judges are being asked to decide the limits of the “right to be forgotten” — a person’s ability to demand that internet search engines hide incorrect, out-of-date or potentially embarrassing information about them.
The ECJ’s eventual ruling will not only affect Google but all other search engines, such as Yahoo and Microsoft’s Bing, and is likely to have implications for social media platforms.
Tomi Engdahl says:
Apple to provide online tool for police to request data: letter
https://www.reuters.com/article/us-apple-data/apple-to-provide-online-tool-for-police-to-request-data-letter-idUSKCN1LM39O
(Reuters) – Apple Inc (AAPL.O) plans to create an online tool for police to formally request data about its users and to assemble a team to train police about what data can and cannot be obtained from the iPhone maker
Tomi Engdahl says:
Daniel Funke / Poynter:
How several fact-checking sites around the world approach harassment and death threats following partnerships with Facebook to stem misinformation
These fact-checkers were attacked online after partnering with Facebook
https://www.poynter.org/news/these-fact-checkers-were-attacked-online-after-partnering-facebook
The PDF file is 299 pages long. It has a table of contents, infographics and a statement of intent. And it has extensive details on 40 journalists in Brazil — including archived links and screenshots from each person’s various social media profiles.
Then, it uses all of that as evidence to classify how leftist each journalist is.
“It was very well done,” said Cristina Tardáguila, director of Brazilian fact-checking project Agência Lupa. “Graphically speaking, somebody spent a lot of time doing it.”
The document went viral among right-wing groups on WhatsApp, which has 120 million users in a country of 200 million people. Tardáguila said it racked up countless of shares, and that she alone received it at least 20 times from different friends, colleagues and family members. They wanted her to know she was in it.
The backlash was in response to an announcement on May 10 that Lupa, along with fellow fact-checking organization Aos Fatos, would work with Facebook to limit the spread of misinformation ahead of October’s presidential election. The project lets fact-checkers flag fake images and news stories in the News Feed, limiting their future reach by up to 80 percent.
From there, the trolling snowballed.
Several online influencers wrote about the PDF, Tardáguila said. One right-wing newspaper published a column about how fact-checkers are trying to censor information on the internet ahead of October’s contentious presidential election. A blatantly misogynistic cartoon portraying the directors of all three fact-checking organizations as pets of investor George Soros made the rounds on WhatsApp.
Then came the death threats.
“We were being threatened for real,”
Tomi Engdahl says:
HuffPost India:
Report: hackers have disabled security features of India’s Aadhaar enrollment software with a patch available for ~$35, making it possible to create fake IDs — Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on Whatsapp
UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472/
Skilled hackers disabled security features of Aadhaar enrolment software, circulated hack on Whatsapp
NEW DELHI—The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals.
The patch—freely available for as little as Rs 2,500 (around $35)— allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use.
This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
HuffPost India is in possession of the patch, and had it analysed by three internationally reputed experts, and two Indian analysts
The experts consulted by HuffPost India said that the vulnerability is intrinsic to a technology choice made at the inception of the Aadhaar programme, which means that fixing it and other future threats would require altering Aadhaar’s fundamental structure.
“Whomever created the patch was highly motivated to compromise Aadhaar,”
“There are probably many individuals and entities, criminal, political, domestic and foreign, that would derive enough benefit from this compromise of Aadhaar to make the investment in creating the patch worthwhile,” Björksten said. “To have any hope of securing Aadhaar, the system design would have to be radically changed.”
A SERIES OF PRAGMATIC CHOICES
The genesis of the current hack lies in a decision, made in 2010, to let private agencies enrol users to the Aadhaar system in order to speed up enrolments.
This decision to install the software on each enrolment computer, said cyber security expert Björksten, “puts the running of critical components of Aadhaar in the hands of the enemies of the system”.
The UIDAI had also mandated that each computer used for enrolment was attached to a GPS device to ensure enrolment was done within the physical confines of the authorised centres.
Yet by early 2017, these carefully considered security features were bypassed by an elegant software hack that began circulating among the private enrolment operators empanelled to register a billion Indians to the Aadhaar database.
“This is a straightforward, business-like, and utilitarian hack,” said Björksten, the security analyst. “Having examined the entirety of the code, it is my opinion that the patch is the work of more than one coder.”
Once the patch is installed, enrolment operators no longer need to provide their fingerprint to use the enrolment software, the GPS is disabled, and the sensitivity of the iris scanner is reduced. This means that a single operator can log into multiple machines at the same time, reducing the cost per enrolment, and increasing their profits.
WHO IS BEHIND THE AADHAAR HACK?
While the hack is being used by village-level computer operators, with no formal knowledge of programming, security researchers like Björksten and Venkatanarayanan say the hack represents a significant investment in time and resources — suggesting sophisticated well-trained adversaries.
WHAT IS THE IMPACT OF THE AADHAAR HACK?
The software patch is unusual in that it doesn’t seek to access information stored in the Aadhaar database, but rather looks to introduce information into it.
This most recent vulnerability is an illustration of how extending Aadhaar to services and purposes it was never designed for has compromised the security of the entire project.
Tomi Engdahl says:
VPN Firms Release New Patches for Privilege Escalation Flaw
https://www.securityweek.com/vpn-firms-release-new-patches-privilege-escalation-flaw
Virtual private network (VPN) service providers ProtonVPN and NordVPN have made another attempt to patch a potentially serious privilege escalation vulnerability that they first tried to address a few months ago.
Tomi Engdahl says:
Zerodium Discloses Flaw That Allows Code Execution in Tor Browser
https://www.securityweek.com/zerodium-discloses-flaw-allows-code-execution-tor-browser
Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.
Zerodium disclosed the flaw and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The recently released Tor Browser 8 is not affected.
Tomi Engdahl says:
Google Case Set to Examine if EU Data Rules Extend Globally
https://www.securityweek.com/google-case-set-examine-if-eu-data-rules-extend-globally
Google is going to Europe’s top court in its legal fight against an order requiring it to extend “right to be forgotten” rules to its search engines globally.
The technology giant is set for a showdown at the European Union Court of Justice in Luxembourg on Tuesday with France’s data privacy regulator over an order to remove search results worldwide upon request.
Tomi Engdahl says:
China-linked Hackers Use Signed Network Filtering Driver in Recent Attacks
https://www.securityweek.com/china-linked-hackers-use-signed-network-filtering-driver-recent-attacks
A cyber-espionage group believed to be operating out of China has been using a digitally signed network filtering driver as part of recent attacks, Kaspersky Lab reports.
Tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, the actor has been active since at least 2010, hitting hundreds of organizations worldwide (U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others).
Over the past several months, the actor has been abusing the digitally signed 32- and 64-bit network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.
Tomi Engdahl says:
IoT Botnets Target Apache Struts, SonicWall GMS
https://www.securityweek.com/iot-botnets-target-apache-struts-sonicwall-gms
The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.
Tomi Engdahl says:
Android September 2018 Patches Fix Critical Flaws
https://www.securityweek.com/android-september-2018-patches-fix-critical-flaws
Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.
Tomi Engdahl says:
Google Launches Alert Center for G Suite
https://www.securityweek.com/google-launches-alert-center-g-suite
Google is making it easier for G Suite administrators to access notifications, alerts, and actions by bringing them all together in a single place with the launch of a new alert center.
Currently available in Beta, the alert center provides admins with a comprehensive view on essential notifications, and allows them to easily take actions to better serve and protect their organizations, Google says.
Tomi Engdahl says:
IBM X-Force Delves Into ExoBot’s Leaked Source Code
https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/
Following the recent source code leak of the Android banking Trojan ExoBot, IBM X-Force research delved into the malware’s inner workings to help uncover insights into its dynamic mechanisms and the features that help criminals use it in cross-channel bank fraud.
Tomi Engdahl says:
Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns
https://www.bleepingcomputer.com/news/security/over-3-700-mikrotik-routers-abused-in-cryptojacking-campaigns/
Since exploit code for CVE-2018-14847 became publicly available, miscreants have launched attacks against MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.
The maker of the routers released a patch of the security bug in April, but users are slow to install the update, enabling cybercriminals to fight for a piece of the pie.
Tomi Engdahl says:
Trend Micro Apps Leak User Data, Removed from Mac App Store
https://www.bleepingcomputer.com/news/security/trend-micro-apps-leak-user-data-removed-from-mac-app-store/
Multiple apps developed by Trend Micro are no longer available in the Mac App Store after researchers showed they were collecting browser history and information about users’ computers.
Tomi Engdahl says:
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
Tomi Engdahl says:
British Airways breach: How did hackers get in?
https://www.bbc.com/news/technology-45446529
British Airways has revealed that hackers managed to breach its website and app, stealing data from many thousands of customers in the process.
But how was this possible?
BA has not revealed any technical details about the breach, but cyber-security experts have some suggestions of possible methods used.
Names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes were stolen by the hackers.
At first glance, the firm’s statement appears to give no details about the hack, but by “reading between the lines”, it is possible to infer some potential attack routes, says cyber-security expert Prof Alan Woodward at the University of Surrey.
“They very carefully worded the statement to say anybody who made a card payment between those two dates is at risk,” says Prof Woodward.
“It looks very much like the details were nabbed at the point of entry – someone managed to get a script on to the website.”
This means that as customers typed in their credit card details, a piece of malicious code on the BA website or app may have been furtively extracting those details and sending them to someone else.
Prof Woodward points out that this is an increasing problem for websites that embed code from third-party suppliers – it’s known as a supply chain attack.
Tomi Engdahl says:
Hacker uses ProtonMail VPN. Hacker DDoSes ProtonMail. Hacker gets arrested.
https://www.zdnet.com/article/hacker-uses-protonmail-vpn-hacker-ddoses-protonmail-hacker-gets-arrested/
Braggadocio teen part of up-and-coming Apophis Squad hacking squad fails to protect his identity. Gets promptly arrested by UK police. Pleads guilty.
In blog posts published today after the NCA announcement, ProtonMail and infosec journalist Brian Krebs –whose site Apophis Squad members had also hit with DDoS attacks– confirmed that information they provided to authorities following attacks on their sites led to Duke-Cohan’s arrest.
In particular, ProtonMail says that Duke-Cohan and other Apophis Squad members were ProtonMail users, a valuable piece of information that narrowed down the search for possible suspects.
British teen admits school and flight bomb threats
http://www.nationalcrimeagency.gov.uk/news/1460-british-teen-admits-school-and-flight-bomb-threats
Tomi Engdahl says:
Apophis Squad member responsible for attacks against ProtonMail has been arrested
Posted on September 6, 2018 by Andy Yen
https://protonmail.com/blog/apophis-squad-arrest/
In order to protect our user community, we have a zero-tolerance policy for criminal acts committed against ProtonMail, or criminal acts committed using ProtonMail.
Tomi Engdahl says:
Feel the shame: Email-scammed staffers aren’t telling bosses about it
Fraud on rise and IT workers (of all people) most susceptible
https://www.theregister.co.uk/2018/09/07/scam_business_emails_on_the_rise/
The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed.
Stats from the bank showed the average loss from so-called “business email compromise” (BEC) frauds has reached £27,000.
IT workers are among the most susceptible to falling victim, along with those working in legal firms, HR and finance.
So-called “tech savvy” – the survey’s words, not ours – millennials face the highest risk of being targeted, with more than one in 10 falling victim or knowing someone who’d been a victim.
Tomi Engdahl says:
Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors
BMC software updates to check code signatures after researchers hit red alert
https://www.theregister.co.uk/2018/09/07/supermicro_bmcs_hole/
Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.
Security biz Eclypsium today said a weakness in the mechanism for updating a BMC’s firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.
A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.
Because BMCs operate at such a low level, they are also valuable targets for hackers.
Tomi Engdahl says:
Malware figures for the first half of 2018: The danger is on the web
https://www.gdatasoftware.com/blog/2018/09/31037-malware-figures-first-half-2018-danger-web
More often than not, today’s malware is distributed via the web – executable files are becoming less of a problem. Also, the G DATA security experts were able to identify a particular trend in the first half of the year that targets users’ computers.
Tomi Engdahl says:
Stolen Data from Chinese Hotel Chain and Other Illicit Products Sold in Deep Web Forum
https://blog.trendmicro.com/trendlabs-security-intelligence/we-uncovered-personally-identifiable-information-pii-stolen-from-a-china-based-hotel-chain-being-sold-on-a-deep-web-forum-we-were-monitoring/