EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc’s efforts to tackle cyber attacks.
With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc’s leaders called for work to begin to set up sanctions to punish hackers.
“Work on the capacity to respond to and deter cyber attacks through EU restrictive measures should be taken forward,” the 28 leaders said in their summit communique.
The statement condemned the bid, revealed this month, by Russia’s GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
“Such threats and attacks strengthen our common resolve to further enhance the EU’s internal security and our ability and capabilities to detect, prevent, disrupt and respond to hostile activities of foreign intelligence networks,” the summit statement said.
Transport Layer Security underpins much of the modern internet. It is the foundation of secure connections to HTTPS websites, for one thing. However, it can harbor a sting in its tail for those concerned about staying anonymous online.
Privacy advocates have long warned about the risks posed by various forms of web tracking. These include cookies, web beacons, and too many forms of fingerprinting to name.
The privacy risks associated with web tracking, however, persist, and now it appears there’s yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.
In a paper distributed through ArXiv this week, computer science boffins Erik Sy, Hannes Federrath, Christian Burkert, and Mathias Fischer describe a novel tracking technique involving Transport Layer Security (TLS) session resumption.
Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.
By Andrey Dolgushev, Dmitry Tarakanov, Vasily Berdnikov on October 19, 2018. 10:00 am
In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.
DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims not controlled by FuzzBunch.
Investigation shows the attack on Czech Ministry of Foreign Affairs was larger and lasted longer than previously reported, but it is still enveloped in extreme secrecy.
On that day, he was travelling light. The other passengers on the flight to the Estonian capital, Tallinn, had no idea that his cabin luggage contained the secret of who had broken into the servers of the EU and NATO country’s foreign office and stolen hundreds of the private emails of Czech diplomats, including the foreign minister himself.
The officer of the Czech secret service was going to Estonia, equipped with the files downloaded from Ministry of Foreign Affairs (MFA) servers, for help. A tiny Baltic nation which in 2007 faced the first massive Russian cyber attack on its government institutions, banks and media, is recognized as having excellent expertise in the field. The cooperation with Tallinn and other EU capitals ultimately helped Prague to reveal the identity of the hackers. But the story turned out more complicated than expected.
Russia and China did not act in a coordinated manner. However, as the Czech investigation has established, they knew about each other, did not move against one another, monitored each other’s illegal activity, and tolerated the other’s presence. The attacks at the time were directed against several EU countries, a source related to the country’s intelligence service told Re:Baltica.
“Russian behaviour in cyberspace has been different from that of other cyber powers on two different accounts. One is related to how Russia has been feeding the fruits of cyber-espionage into disinformation campaigns. It is quite possible that China has even more access to sensitive political, security, technical or business information from the entire world, and is quietly passing what is relevant to its companies, manufacturers, or the military.”
The main unanswered question after the closure of ABLV is the allegations of corruption.
The end of ABLV, Latvia’s third largest bank, was fast and brutal.
On February 13, 2018 the Financial Crimes Enforcement Network (FinCEN) at the US Treasury proposed to ban ABLV from having a correspondent account in the United States due to money laundering concerns. The agency accused the lender of institutionalising money laundering as a pillar of the bank’s business practices and failing to implement effective countermeasures, allowing its clients with ties to North Korea’s anti-ballistic program to circumvent the United Nations’ sanctions.
You can download this keylogger off of VirusBay. So far we have decrypted a whole lot of text using a simple XOR method, which revealed information on how different keys could be logged, file names in which the data could be logged to, and a possible name for the keylogger: KSL0T.
A network of Hezbollah hackers used old tricks on social media to hack into mobile devices across the world. Posing as attractive girls on Facebook, they would contact users and start chatting. After steering the conversation to increasingly sensual topics, the profiles would then ask the user to install a ‘more private and secure application’.
According to the counterintelligence service’s press release, some impassioned users, mostly men, would comply and install the app, unaware that it gave hackers access to their sensitive information, including contacts, photographs, calls, text messages, GPS data and the option to secretly record the owner via the mobile device.
CRASHOVERRIDE is the first publicly-known malware designed to impact electric grid operations. While some attention has already been paid to CRASHOVERRIDE’s ICS-specific effects, the broader scope of the attack – and the necessary prerequisites to its execution – have been woefully unexamined. Reviewing previously unavailable data covering log, forensics, and various incident data, this paper will outline the CRASHOVERRIDE attack in its entirety, from breach of the ICS network through delivery and execution of ICS-specific payloads. This examination will show that, aside from the requirement to develop and deploy ICS-targeting software for final effects, CRASHOVERRIDE largely relied upon fairly standard intrusion techniques in order to achieve its results. By understanding this methodology and how these techniques can be monitored and detected, ICS asset owners and defenders can begin identifying detection and visibility gaps to catch such techniques in the future. While CRASHOVERRIDE represents an effectively new application of malware to produce a physical impact, the underlying techniques for intrusion and deployment would be immediately recognizable to a junior penetration tester.
As we cover ransomware extensively at BleepingComputer, some ransomware developers tend to interact with our site in various ways. This includes coming to the site to communicate with victims, releasing ransomware keys in our forums, or naming their command & control servers after our site’s name.
Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of their encryption process.
GitHub’s website remains broken after a data storage system failed several hours ago.
Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com – and possibly failing miserably as a result of the outage.
Repairs
From the status page, it appears a data storage system died, forcing the platform’s engineers to move the dot-com’s files over to another box. In the meantime, some older versions of repos are being served to visitors and users.
Researchers have demonstrated that the near-field communication (NFC) protocol can be used to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.
NFC enables two devices to communicate over distances of up to 10 cm (4 in). The system, present in most modern smartphones, is often used for making payments, sharing files, and authentication.
Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit
In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.
But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago.
One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used.
Windows 10 October 2018 Update, otherwise known as Build 1809, has been having trouble with bugs since it was released. While most of the bugs have since been fixed, reports of a new bug related to extracting zip files using Windows’ built-in zip functionality have popped up.
With this new build 1809 bug, when you extract a zip archive or drag a file from a zip archive to a location where the same files exist, Windows will not display a confirmation prompt. Instead it will either automatically overwrite the file or simply do nothing.
Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.
But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.
The website of the Saudi government’s upcoming Future Investment Initiative conference was hacked and defaced with images of the murdered Saudi journalist Jamal Khashoggi.
Several reporters tweeted screenshots of the site after its defacement, purporting to show Saudi crown prince Mohammed bin Salman — the kingdom’s de facto ruler — brandishing a sword. A portion of text on the site was replaced with an accusation against the kingdom of “barbaric and inhuman action,”
Almost 9 in 10 Android apps are able to share data with Google, says study
Researchers at Oxford University analysed approximately a third of the apps available in Google’s Play Store in 2017 and found that the median app could transfer data to 10 third parties, with one in five apps able to share data with more than 20.
This year has seen unprecedented scrutiny over how websites use the data they collect from their users, but little attention has so far been paid to the sprawling and fast-growing world of smartphone apps.
Users, regulators and sometimes even the app developers and advertisers are unaware of the extent to which data flow from smartphones to digital advertising groups, data brokers and intermediaries that buy, sell and blend information, he said.
“This industry was growing already on the web . . . when smartphones came along, that was a new opportunity,”
The rapid growth of the app economy has seen almost 10m apps released in the decade
A serious vulnerability in the LIVE555 Streaming Media RTSP server affects popular applications, including VLC, MPlayer and others, Cisco Talos has discovered.
Developed by Live Networks, Inc, LIVE555 Streaming Media represents a set of open-source C++ libraries meant for multimedia streaming. The libraries provide support for open standards used in streaming, but can also be used for the management of various popular video and audio formats. In addition to media players, the libraries are used for cameras and other embedded devices.
A website for a Saudi investment summit was down on Monday after an apparent cyber attack, just a day before the three-day conference overshadowed by the murder of journalist Jamal Khashoggi begins.
There was no immediate claim of responsibility for the apparent attack on the Future Investment Initiative (FII) website, as organisers scrambled to prepare for the summit after a string of cancellations from global business titans over the murder.
The forum, nicknamed “Davos in the desert”, was meant to project the historically insular petro-state as a lucrative business destination and set the stage for new ventures and multi-billion dollar contracts.
But it has been overshadowed by growing global outrage over the murder of Khashoggi inside the kingdom’s consulate in Istanbul.
With the U.S. mid-term elections just a couple of weeks away, there are continuing concerns over the security of the electronic voting procedures used by many states. These concerns range from the integrity of state voter registration databases through the compromise of individual voting machines to the accuracy of their calibration without a paper audit trail to confirm accurate vote tallying.
A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.
When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user.
As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.
Now, the U.S. is striking back ahead of the midterm elections in an unconventionally gentle way.
U.S. Cyber Command, the military wing tasked with offensive cyberoperations, is directly reaching out to Russian trolls to warn the state-backed spreaders of false news that the U.S. is watching. It’s the command’s first cyberoperation since Obama-era rules governing offensive operations were relaxed.
A Washington state internet provider left an unprotected server online without a password, exposing network schematics, passwords and other sensitive files for at least six months.
Worse, it took the company a week to shut off the leak, despite several phone calls and emails warning of the exposure.
The little-known internet provider, PocketiNet
the company put its customers and its network at risk after it left open an Amazon S3 storage bucket — an all too common cause of data exposures — containing tens of gigabytes of files.
Chris Vickery, director of cyber risk research at security firm UpGuard, found the data
plaintext password files belonging to employees and network devices — like firewalls, switches and wireless points
With cyberattacks on medical devices on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities on machines that could put patients’ lives at risk.
As an example, the FDA points to its recent collaboration with a pair of security researchers who uncovered bugs in devices used to program pacemakers that could allow attackers to remotely change settings on patients’ cardiac implants. The researchers’ findings led the FDA and the manufacturer, Medtronic, to issue rare cybersecurity warnings last week.
The rapid spread of connected medical devices has left the health-care sector more exposed to cyberattacks than ever before — and the FDA’s embrace of ethical hackers shows the agency is willing to use nontraditional approaches to tackle the problem. While government officials and manufacturers alike have long been hesitant to showcase findings from outside researchers, the FDA is joining a growing group of federal agencies that are beginning to incorporate their work into their cybersecurity strategies.
Lawmakers are going to bat in a big way for ethical hackers.
The House Homeland Security Committee advanced a pair of bipartisan bills late last week that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene.
One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks.
Haaretz investigation spanning 100 sources in 15 countries reveals Israel has become a leading exporter of tools for spying on civilians. Dictators around the world – even in countries with no formal ties to Israel – use them to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
Report: Saudi Arabia used Israeli cyberweapons to target dissident in Canada
Israel sold advanced weapons to Myanmar during anti-Rohingya ethnic cleansing campaign
Revealed: Israeli military monitors social media, blogs and forums in search of ‘security leaks’
Fighting invalid traffic is essential for the long-term sustainability of the digital advertising ecosystem. We have an extensive internal system to filter out invalid traffic – from simple filters to large-scale machine learning models – and we collaborate with advertisers, agencies, publishers, ad tech companies, research institutions, law enforcement and other third party organizations to identify potential threats. We take all reports of questionable activity seriously, and when we find invalid traffic, we act quickly to remove it from our systems.
A new phishing report has been released that keeps track of the top 25 brands targeted by bad actors. Of these brands, Microsoft, Paypal, and Netflix are the top brands impersonated by phishing attacks.
Email security provider Vade Secure tracks the 25 most spoofed brands in North America that are impersonated in phishing attacks. In their Q3 2018 report, a total of 86 brands are tracked, which consist of 95% of all attacks detected by the company.
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. Botnet operators with the best list will produce the largest botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will randomly choose an address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device. For the month of September we observed 1,065 unique username and password combinations from 129 different countries. Taking a step back and looking at malware-agnostic regional trends for username and password combinations, local affinities for different types of IOT devices emerge.
Key Findings
• Interrogating botnets revealed 1,005 additional username and password combinations beyond Mirai’s default list, of the 1,065 total observed.
• Combinations used across disparate regions surface trends regarding device type deployments.
• Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.
The infamous IOT malware, Mirai, first burst onto the scene in late 2016, and a number of variants have emerged since, but much of their success belongs to a simple propagation method – default usernames and passwords.
Collecting the usernames and passwords used by IOT malware is a fertile field for analysis. By emulating enough of the telnet protocol to elicit usernames and passwords (and more!), bots will gladly share their hit list to anyone listening. With enough of these collectors, trends emerge.
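As an added example (not code from the report or its authors), here is the minimal telnet emulation the passage describes, in Python: it answers with a login prompt, strips the option negotiation a telnet client sends, records each username/password pair a connecting bot tries, always reports failure so the bot moves to its next entry, and tallies the pairs across connections. The sample streams, source addresses and credential values are constructed for the example.

```python
from collections import Counter

# Telnet protocol constants (RFC 854): IAC introduces a command byte.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


class TelnetCredentialCollector:
    """Passive collector for one connection: feed raw bytes, get bytes to send back.
    It never lets a login succeed and never executes anything the peer sends."""
    LOGIN_PROMPT = b"login: "
    PASSWORD_PROMPT = b"Password: "
    FAILED = b"\r\nLogin incorrect\r\n"

    def __init__(self, source: str):
        self.source = source       # e.g. peer IP or country, for regional tallies
        self.attempts = []         # (username, password) in the order the bot tried them
        self._buf = bytearray()    # unterminated input carried across reads
        self._user = None          # username waiting for its password
        self._iac = bytearray()    # partial IAC sequence carried across reads

    def banner(self) -> bytes:
        """Sent once after accept(): the prompt that makes bots start their list."""
        return self.LOGIN_PROMPT

    def _strip_iac(self, data: bytes) -> bytes:
        """Drop option negotiation: IAC WILL/WONT/DO/DONT <opt>, IAC SB ... IAC SE,
        and two-byte commands such as IAC NOP. Only plain data bytes are returned."""
        out = bytearray()
        for b in data:
            if self._iac:
                self._iac.append(b)
                if len(self._iac) == 2 and b not in (DO, DONT, WILL, WONT, SB):
                    self._iac.clear()                       # two-byte command
                elif len(self._iac) == 3 and self._iac[1] != SB:
                    self._iac.clear()                       # three-byte option command
                elif self._iac[1] == SB and self._iac[-2:] == bytes([IAC, SE]):
                    self._iac.clear()                       # end of subnegotiation
            elif b == IAC:
                self._iac.append(b)
            else:
                out.append(b)
        return bytes(out)

    def feed(self, data: bytes) -> bytes:
        """Consume bytes from the peer; return the prompt/response bytes to write back."""
        reply = b""
        self._buf += self._strip_iac(data)
        while b"\n" in self._buf:
            line, _, rest = self._buf.partition(b"\n")
            self._buf = bytearray(rest)
            line = line.rstrip(b"\r\x00")          # clients send CR LF, CR NUL or bare LF
            if self._user is None:
                self._user = line.decode("latin-1")
                reply += self.PASSWORD_PROMPT
            else:
                self.attempts.append((self._user, line.decode("latin-1")))
                self._user = None
                reply += self.FAILED + self.LOGIN_PROMPT   # always fail: bot tries next pair
        return reply


def tally(collectors) -> Counter:
    """Count in how many connections each distinct (username, password) pair was seen."""
    return Counter(pair for c in collectors for pair in set(c.attempts))


# Constructed sample: two bots (documentation-range IPs) walking a short list, with
# negotiation bytes interleaved the way real clients send them. "root"/"xc3511" and
# "root"/"vizxv" are entries from Mirai's publicly documented default list.
SAMPLE_STREAMS = {
    "203.0.113.7": [bytes([IAC, WILL, 1]) + b"root\r\n", b"xc3511\r\n", b"admin\r\nadmin\r\n"],
    "198.51.100.9": [b"root\r\n" + bytes([IAC, DO, 3]), b"vizxv\r\n", b"root\r\n", b"xc3511\r\n"],
}


def run_sample() -> Counter:
    """Replay the constructed streams through one collector per connection and tally."""
    collectors = []
    for source, chunks in SAMPLE_STREAMS.items():
        collector = TelnetCredentialCollector(source)
        for chunk in chunks:
            collector.feed(chunk)
        collectors.append(collector)
    return tally(collectors)


if __name__ == "__main__":
    for (user, password), count in run_sample().most_common():
        print(f"{count}x  {user}:{password}")
```

Wrapping the collector in a real listener only requires writing `banner()` after accept and `feed()` for each read; the point of the exercise is the per-region tally, not the socket code.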
October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building resilience in critical infrastructure is crucial to national security. The essential infrastructure systems that support our daily lives—such as electricity, financial institutions, and transportation—must be protected from cyber threats.
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute
FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow
The Internet Engineering Task Force (IETF) has formally adopted DNS-over-HTTPS as a standard, and reignited a debate over whether it’s a danger to the web’s infrastructure.
The IETF gave the proposal its blessing late last week by elevating it to Request For Comment (RFC) level as RFC 8484.
The idea was to guarantee the confidentiality and integrity of DNS lookups, as co-author Mozilla’s Patrick McManus explained to The Register in December 2017, because governments and bad actors alike interfere or snoop on DNS requests.
Encryption provides confidentiality, quite simply because instead of sending a plain-text DNS request over UDP, RFC 8484 sends it over HTTPS, secured by Transport Layer Security (TLS). Integrity protection comes from using the server’s public key to guarantee that nobody’s spoofing the DNS server.
Those sound like good things, but Mauritian coder and contributor to IETF work Logan Velvindron pointed out to The Reg that not everybody’s happy about the RFC.
Paul Vixie, one of the architects of the DNS, reckoned it’s nothing short of a disaster. On Friday, he tweeted: “RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum.”
Vixie has said that DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that’s a no-no.
Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. “DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.”
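As an added example (not from the article, the RFC or the people quoted), here is what the mechanism described above looks like on the wire, in Python: the same RFC 1035 query bytes that would go over UDP are carried in an HTTPS request in the two forms RFC 8484 defines (GET with the message base64url-encoded in the `dns` parameter, and POST with an `application/dns-message` body), and the answer comes back in the same DNS wire format. The resolver host `dns.example`, the path `/dns-query` and the response bytes are constructed for the example; nothing is sent over the network.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"   # media type defined by RFC 8484


def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query: 12-byte header plus one question (qtype 1 = A, class IN).
    RFC 8484 recommends ID 0 so identical queries give identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question


def encode_dns_param(query: bytes) -> str:
    """GET form: base64url without padding, as the 'dns' query parameter."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_get_request(host: str, path: str, query: bytes) -> str:
    return (f"GET {path}?dns={encode_dns_param(query)} HTTP/1.1\r\n"
            f"Host: {host}\r\nAccept: {DOH_CONTENT_TYPE}\r\n\r\n")


def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """POST form: the raw DNS message is the body, tagged with the DoH media type."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nAccept: {DOH_CONTENT_TYPE}\r\n"
            f"Content-Type: {DOH_CONTENT_TYPE}\r\nContent-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


def parse_a_records(response: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a response to an A query.
    Names are only skipped, so a compression pointer (RFC 1035 4.1.4) just ends a name."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response")

    def skip_name(p: int) -> int:
        while True:
            length = response[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4           # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: QR/RD/RA flags, echoes the question, one A record for
# 192.0.2.1 (documentation range) whose name is a pointer to offset 12.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + SAMPLE_QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_get_request("dns.example", "/dns-query", SAMPLE_QUERY))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Once TLS wraps either request, a network monitor sees only an HTTPS exchange with the resolver, which is exactly the visibility loss the objections above are about.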
Gen. Paul M. Nakasone, the head of Cyber Command and the National Security Agency, has warned that adversaries are looking to take on the United States through cyberoperations.
Hackers invited by LähiTapiola found 28 vulnerabilities to fix in the company’s systems during the October event. A total of nearly 7,000 euros was paid in rewards for the vulnerabilities, and in addition the event generated a 1,000 euro donation for teaching children coding skills.
According to the ministry, the current price for relaying an identification transaction is 10 cents. The price is to be changed to a fixed 3 cents.
The strong electronic identification means in use in Finland are offered by banks as well as telecom operators and the Population Register Centre. In addition, a few companies on the market offer only electronic identification brokering services. However, bank identifiers have a market share of over 90 percent, so they receive money from almost all transactions that require strong authentication.
“For example, when a power outage occurs, an energy company has to find the important information immediately so that the situation can be resolved quickly. We have noticed that many energy-sector companies invest particularly heavily in efficient and secure information management,”
North Korean hacking outfit “Lazarus” is the most profitable cryptocurrency-hacker syndicate in the world.
Since 2017, internet baddies have in total stolen $882 million worth of cryptocurrency from online exchanges, but none have done it quite as well as the infamous North Koreans.
World-renowned cybersecurity unit Group-IB is prepping to release its annual report on trends in hi-tech cybercrime.
A summary obtained by Hard Fork details 14 different attacks on cryptocurrency exchanges since January last year and calculates the state-sponsored Lazarus group is responsible for $571 million of the ill-gotten gains.
Phishers responsible for 56% of stolen ICO funds
The report also reveals 10 percent of the total funds raised by ICO platforms over the past year and a half have been stolen. A majority of the funds were lost to phishing.
Group-IB attributes much of the losses to baddies taking advantage of “crypto-fever,” where investors are so overcome with a fear of missing out that they rush to contribute to new cryptocurrency projects as fast as possible, without checking for fake domain names.
Of the thousands of plugins for the jQuery framework, one of the most popular of them harbored for at least three years an oversight in code that eluded the security community, despite public availability of tutorials that explained how it could be exploited.
The bug affects the widely used jQuery File Upload widget and allowed an attacker to upload arbitrary files on web servers, including command shells for sending out commands.
Together with Sebastian Tschan, the developer of the plugin, the researcher discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. Unless specifically enabled by the administrator, .htaccess files are ignored.
One reason for this was to protect the system configuration of the administrator by disabling users from customizing security settings on individual folders. Another one was to improve performance since the server no longer had to check the .htaccess file when accessing a directory.
After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.
Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.
The researcher reached this conclusion after checking some of the forks, where he noticed three common variations. He created a proof-of-concept exploit that tries to find one of the differences and uploads a PHP shell.
New trackers make it easy for developers to identify fed-up users and pester them with targeted ads.
If it seems as though the app you deleted last week is suddenly popping up everywhere, it may not be mere coincidence. Companies that cater to app makers have found ways to game both iOS and Android, enabling them to figure out which users have uninstalled a given piece of software lately—and making it easy to pelt the departed with ads aimed at winning them back.
Adjust, AppsFlyer, MoEngage, Localytics, and CleverTap are among the companies that offer uninstall trackers, usually as part of a broader set of developer tools. Their customers include T-Mobile US, Spotify Technology, and Yelp. (And Bloomberg Businessweek parent Bloomberg LP, which uses Localytics.) Critics say they’re a fresh reason to reassess online privacy rights and limit what companies can do with user data. “Most tech companies are not giving people nuanced privacy choices, if they give them choices at all,”
The solution to password recycling may be easier to implement than previously thought, according to a recent paper
Mandating longer and more complex passwords reduces the likelihood that users will reuse them across multiple online services, researchers have found.
A team of three academics from Indiana University set out to examine the impact of prescribing rules for password creation on password reuse. To do so, they first analyzed the password policies of 22 universities in the US. Then they dived into 1.3 billion username/password combinations that are available online as a result of past breaches. In the process, they found close to 7.4 million login credentials where the email addresses belonged to the domain name associated with universities.
“Based on email addresses belonging to a university’s domain (we checked the .edu domain address), passwords were compiled and tested against a university’s prescribed password policy,” said the researchers.
495 Comments
Tomi Engdahl says:
EU Leaders Vow Tough Action on Cyber Attacks
https://www.securityweek.com/eu-leaders-vow-tough-action-cyber-attacks
Tomi Engdahl says:
You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone’s web privacy
Never-closed browsers and persistent session tickets make tracking a doddle
https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/
Tomi Engdahl says:
Google warns Apple: Missing bugs in your security bulletins are ‘disincentive to patch’
https://www.zdnet.com/article/google-warns-apple-missing-bugs-in-your-security-bulletins-are-disincentive-to-patch/
Google’s Project Zero has again called Apple out for silently patching flaws.
Tomi Engdahl says:
Facebook Finds Hack Was Done by Spammers, Not Foreign State
Company believes hackers who accessed 30 million accounts masqueraded as digital marketers
https://www.wsj.com/articles/facebook-tentatively-concludes-recent-hack-was-perpetrated-by-spammers-1539821869
Tomi Engdahl says:
Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds
High-value servers targeted by cyber-weapons dumped online by Shadow Brokers
https://www.theregister.co.uk/2018/10/19/leaked_nsa_malware/
Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.
Tomi Engdahl says:
APT reports
DarkPulsar
https://securelist.com/darkpulsar/88199/
By Andrey Dolgushev, Dmitry Tarakanov, Vasily Berdnikov on October 19, 2018. 10:00 am
In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.
DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnets’ administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.
Tomi Engdahl says:
EU under cyber attack by Russia and China
https://en.rebaltica.lv/2018/10/eu-under-cyber-attack-by-russia-and-china/
Investigation shows the attack on Czech Ministry of Foreign Affairs was larger and lasted longer than previously reported, but it is still enveloped in extreme secrecy.
On that day, he was travelling light. The other passengers on the flight to the Estonian capital, Tallinn, had no idea that his cabin luggage contained the secret of who had broken into the servers of the EU and NATO country’s foreign office and stolen hundreds of the private emails of Czech diplomats, including the foreign minister himself.
The officer of the Czech secret service was going to Estonia, equipped with the files downloaded from the Ministry of Foreign Affairs (MFA) servers, for help. A tiny Baltic nation which in 2007 faced the first massive Russian cyber attack on its government institutions, banks and media, is recognized as having excellent expertise in the field. The cooperation with Tallinn and other EU capitals ultimately helped Prague to reveal the identity of the hackers. But the story turned out more complicated than expected.
Russia and China did not act in a coordinated manner. However, as the Czech investigation has established, they knew about each other, did not move against one another, monitored their illegal activity, and tolerated the other’s presence. The attacks at the time were directed against several EU countries, a source related to the country’s intelligence service said to Re:Baltica.
“Russian behaviour in cyberspace has been different from that of other cyber powers on two different accounts. One is related to how Russia has been feeding the fruits of cyber-espionage into disinformation campaigns. It is quite possible that China has even more access to sensitive political, security, technical or business information from the entire world, and is quietly passing what is relevant to its companies, manufacturers, or the military.”
Tomi Engdahl says:
How Americans Took Down a Latvian Laundromat
https://en.rebaltica.lv/2018/03/how-americans-took-down-a-latvian-laundromat/
The main unanswered question after closure of ABLV is allegations of the corruption.
The end of ABLV, Latvia’s third largest bank, was fast and brutal.
On February 13, 2018 the Financial Crimes Enforcement Network (FinCEN) at the US Treasury proposed to ban ABLV from having a correspondent account in the United States due to money laundering concerns. The agency accused the lender of institutionalising money laundering as a pillar of the bank’s business practices and failing to implement effective anti-measures, allowing its clients with ties to North Korea’s anti-ballistic program to circumvent the United Nations’ sanctions.
Tomi Engdahl says:
Post 0x17.1: Analyzing Turla’s Keylogger
https://0ffset.wordpress.com/2018/09/14/post-0x17-1-turla-keylogger/
Post 0x17.2: Analyzing Turla’s Keylogger
https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/
You can download this keylogger off of VirusBay. So far we have decrypted a whole lot of text using a simple XOR method, which revealed information on how different keys could be logged, file names in which the data could be logged to, and a possible name for the keylogger: KSL0T.
Tomi Engdahl says:
Czech intelligence service shuts down Hezbollah hacking operation
https://www.zdnet.com/article/czech-intelligence-service-shuts-down-hezbollah-hacking-operation/
Hezbollah agents used Facebook profiles for attractive women to trick targets into installing spyware-infected apps.
Tomi Engdahl says:
Vendors confirm products affected by libssh bug as PoC code pops up on GitHub
https://www.zdnet.com/article/vendors-confirm-products-affected-by-libssh-bug-as-poc-code-pops-up-on-github/
Red Hat and F5 Networks acknowledge that some products are vulnerable to the libssh authentication bug.
“This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras,” the company said in an advisory.
Red Hat plans to update the libssh library version to a new one that’s not affected.
Tomi Engdahl says:
Czech counterintelligence helps uncover Hezbollah hacking scheme
https://www.radio.cz/en/section/curraffrs/czech-counterintelligence-helps-uncover-hezbollah-hacking-scheme
A network of Hezbollah hackers used old tricks on social media to hack into mobile devices across the world. Posing as attractive girls on Facebook, they would contact users and start chatting. After steering the conversation to increasingly sensual topics, the profiles would then ask the user to install a ‘more private and secure application’.
According to the counterintelligence service’s press release, some impassioned users, mostly men, would comply and install the app, unaware that it gave hackers access to their sensitive information, including contacts, photographs, calls, text messages, GPS data and the option to secretly record the owner via the mobile device.
Tomi Engdahl says:
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
https://dragos.com/whitepapers/CrashOverride2018.html
CRASHOVERRIDE is the first publicly-known malware designed to impact electric grid operations. While some attention has already been paid to CRASHOVERRIDE’s ICS-specific effects, the broader scope of the attack – and the necessary prerequisites to its execution – have been woefully unexamined. Reviewing previously unavailable data covering log, forensics, and various incident data, this paper will outline the CRASHOVERRIDE attack in its entirety, from breach of the ICS network through delivery and execution of ICS-specific payloads. This examination will show that, aside from the requirement to develop and deploy ICS-targeting software for final effects, CRASHOVERRIDE largely relied upon fairly standard intrusion techniques in order to achieve its results. By understanding this methodology and how these techniques can be monitored and detected, ICS asset owners and defenders can begin identifying detection and visibility gaps to catch such techniques in the future. While CRASHOVERRIDE represents an effectively new application of malware to produce a physical impact, the underlying techniques for intrusion and deployment would be immediately recognizable to a junior penetration tester.
Tomi Engdahl says:
Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption
https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-connecting-to-bleepingcomputer-during-encryption/
As we cover ransomware extensively at BleepingComputer, some ransomware developers tend to interact with our site in various ways. This includes coming to the site to communicate with victims, releasing ransomware keys in our forums, or naming their command & control servers after our site’s name.
Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of their encryption process.
Tomi Engdahl says:
GitHub.com freezes up as techies race to fix dead data storage gear
TITSUP: Total Inability To Support Users’ Pushes
https://www.theregister.co.uk/2018/10/22/github_down_storage_failure/
GitHub’s website remains broken after a data storage system failed several hours ago.
Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com – and possibly failing miserably as a result of the outage.
Repairs
From the status page, it appears a data storage system died, forcing the platform’s engineers to move the dot-com’s files over to another box. In the meantime, some older versions of repos are being served to visitors and users.
https://status.github.com/messages
Tomi Engdahl says:
NFCdrip Attack Proves Long-Range Data Exfiltration via NFC
https://www.securityweek.com/nfcdrip-attack-proves-long-range-data-exfiltration-nfc
Researchers have demonstrated that the near-field communication (NFC) protocol can be used to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.
NFC enables two devices to communicate over distances of up to 10 cm (4 in). The system, present in most modern smartphones, is often used for making payments, sharing files, and authentication.
Tomi Engdahl says:
Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit
https://www.securityweek.com/triangulating-beyond-hack-stolen-records-just-one-tool-comprehensive-kit
Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit
In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.
But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago.
One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used.
Tomi Engdahl says:
Windows 10 1809 Zip Extraction Bug Overwrites Files without Confirmation
https://www.bleepingcomputer.com/news/security/windows-10-1809-zip-extraction-bug-overwrites-files-without-confirmation/
Windows 10 October 2018 Update, otherwise known as Build 1809, has been having trouble with bugs since it was released. While most of the bugs have since been fixed, reports of a new bug related to extracting zip files using Windows’ built-in zip functionality have popped up.
With this new build 1809 bug, when you extract a zip archive or drag a file from a zip archive to a location where the same files exist, Windows will not display a confirmation prompt. Instead it will either automatically overwrite the file or simply do nothing.
Tomi Engdahl says:
“Smart home” companies refuse to say whether law enforcement is using your gadgets to spy on you
https://boingboing.net/2018/10/20/the-walls-have-ears.html
Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.
But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.
Smart home tech makers don’t want to say if the feds come for your data
https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/
Device makers won’t say if your smart home gadgets spied on you
Tomi Engdahl says:
Saudi Arabia’s ‘Davos in the Desert’ website was hacked and defaced
https://techcrunch.com/2018/10/22/saudi-future-investments-conference-site-hacked-defaced-jamal-khashoggi/?sr_share=facebook&utm_source=tcfbpage
The website of the Saudi government’s upcoming Future Investment Initiative conference was hacked and defaced with images of the murdered Saudi journalist Jamal Khashoggi.
Several reporters tweeted screenshots of the site after its defacement, purporting to show Saudi crown prince Mohammed bin Salman — the kingdom’s de facto ruler — brandishing a sword. A portion of text on the site was replaced with a statement accusing the kingdom of “barbaric and inhuman action,”
Tomi Engdahl says:
Police were allowed to force a phone open – fingerprint recognition is a different matter from a password or PIN code
https://www.is.fi/digitoday/art-2000005872876.html?ref=rss
Tomi Engdahl says:
How smartphone apps track users and share data
https://ig.ft.com/mobile-app-data-trackers/
Almost 9 in 10 Android apps are able to share data with Google, says study
Researchers at Oxford university analysed approximately a third of the apps available in Google’s Play Store in 2017 and found that the median app could transfer data to 10 third parties, with one in five apps able to share data with more than 20.
This year has seen unprecedented scrutiny over how websites use the data they collect from their users, but little attention has so far been paid to the sprawling and fast-growing world of smartphone apps.
Users, regulators and sometimes even the app developers and advertisers are unaware of the extent to which data flow from smartphones to digital advertising groups, data brokers and intermediaries that buy, sell and blend information, he said.
“This industry was growing already on the web . . . when smartphones came along, that was a new opportunity,”
The rapid growth of the app economy has seen almost 10m apps released in the decade
Tomi Engdahl says:
Flaw in Media Library Impacts VLC, Other Software
https://www.securityweek.com/flaw-media-library-impacts-vlc-other-software
A serious vulnerability in the LIVE555 Streaming Media RTSP server affects popular applications, including VLC, MPlayer and others, Cisco Talos has discovered.
Developed by Live Networks, Inc, LIVE555 Streaming Media represents a set of open-source C++ libraries meant for multimedia streaming. The libraries provide support for open standards used in streaming, but can also be used for the management of various popular video and audio formats. In addition to media players, the libraries are used for cameras and other embedded devices.
http://www.live555.com/liveMedia/
Tomi Engdahl says:
Hackers Deface Website of Saudi Investment Forum
https://www.securityweek.com/hackers-deface-website-saudi-investment-forum
A website for a Saudi investment summit was down on Monday after an apparent cyber attack, just a day before the three-day conference overshadowed by the murder of journalist Jamal Khashoggi begins.
There was no immediate claim of responsibility for the apparent attack on the Future Investment Initiative (FII) website, as organisers scrambled to prepare for the summit after a string of cancellations from global business titans over the murder.
The forum, nicknamed “Davos in the desert”, was meant to project the historically insular petro-state as a lucrative business destination and set the stage for new ventures and multi-billion dollar contracts.
But it has been overshadowed by growing global outrage over the murder of Khashoggi inside the kingdom’s consulate in Istanbul.
Tomi Engdahl says:
Securing the Vote Against Increasing Threats
https://www.securityweek.com/securing-vote-against-increasing-threats
With the U.S. mid-term elections just a couple of weeks away, there are continuing concerns over the security of the electronic voting procedures used by many states. These concerns range from the integrity of state voter registration databases through the compromise of individual voting machines to the accuracy of their calibration without a paper audit trail to confirm accurate vote tallying.
Tomi Engdahl says:
Signal Desktop Leaves Message Decryption Key in Plain Sight
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/?fbclid=IwAR3TAf4gU12usHpbbxFSplIbCddMJsDDAp38CShR_6Klk3l5udA7vsdmNfQ
A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.
When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user.
As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.
Tomi Engdahl says:
https://www.hackread.com/greyenergy-malware-hits-energy-sector-with-espionage/?fbclid=IwAR3m2U99EU93M7uWoOJx8gXEkaVbLb_DojRpnO4zEjp77wVF-B1oGEvcBAg
Tomi Engdahl says:
Hack on 8 adult websites exposes oodles of intimate user data
https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/
A recovered 98MB file underscores the risks of trusting personal info to strangers.
Tomi Engdahl says:
In its first cyberoperation against Russian trolls, U.S. takes a gentle approach
https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/?utm_source=tcfbpage&sr_share=facebook
Now, the U.S. is striking back ahead of the midterm elections in an unconventionally gentle way.
U.S. Cyber Command, the military wing tasked with offensive cyberoperations, is directly reaching out to Russian trolls to warn the state-backed spreaders of false news that the U.S. is watching. It’s the command’s first cyberoperation since Obama-era rules governing offensive operations were relaxed
Tomi Engdahl says:
A Washington ISP exposed the ‘keys to the kingdom’ after leaving a server unsecured
https://techcrunch.com/2018/10/23/washington-isp-pocketinet-server-leak/?sr_share=facebook&utm_source=tcfbpage
A Washington state internet provider left an unprotected server online without a password, exposing network schematics, passwords and other sensitive files for at least six months.
Worse, it took the company a week to shut off the leak, despite several phone calls and emails warning of the exposure.
The little-known internet provider, PocketiNet
the company put its customers and its network at risk after it left open an Amazon S3 storage bucket — an all too common cause of data exposures — containing tens of gigabytes of files.
Chris Vickery, director of cyber risk research at security firm UpGuard, found the data
plaintext password files belonging to employees and network devices — like firewalls, switches and wireless points
Tomi Engdahl says:
The Cybersecurity 202: The FDA is embracing ethical hackers in its push to secure medical devices
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/?noredirect=on&utm_term=.0f7d2efa7028
With cyberattacks on medical devices on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities on machines that could put patients’ lives at risk.
As an example, the FDA points to its recent collaboration with a pair of security researchers who uncovered bugs in devices used to program pacemakers that could allow attackers to remotely change settings on patients’ cardiac implants. The researchers’ findings led the FDA and the manufacturer, Medtronic, to issue rare cybersecurity warnings last week.
The rapid spread of connected medical devices has left the health-care sector more exposed to cyberattacks than ever before — and the FDA’s embrace of ethical hackers shows the agency is willing to use nontraditional approaches to tackle the problem. While government officials and manufacturers alike have long been hesitant to showcase findings from outside researchers, the FDA is joining a growing group of federal agencies that are beginning to incorporate their work into their cybersecurity strategies.
The Cybersecurity 202: Lawmakers are ready to embrace ethical hackers, even if DHS isn’t
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/09/19/the-cybersecurity-202-lawmakers-are-ready-to-embrace-ethical-hackers-even-if-dhs-isn-t/5ba12d481b326b47ec9596d9/?utm_term=.1a8e40ae61c3
Lawmakers are going to bat in a big way for ethical hackers.
The House Homeland Security Committee advanced a pair of bipartisan bills late last week that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene.
One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks.
Tomi Engdahl says:
Revealed: Israel’s Cyber-spy Industry Helps World Dictators Hunt Dissidents and Gays
https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027
Haaretz investigation spanning 100 sources in 15 countries reveals Israel has become a leading exporter of tools for spying on civilians. Dictators around the world – even in countries with no formal ties to Israel – use them to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
Report: Saudi Arabia used Israeli cyberweapons to target dissident in Canada
Israel sold advanced weapons to Myanmar during anti-Rohingya ethnic cleansing campaign
Revealed: Israeli military monitors social media, blogs and forums in search of ‘security leaks’
Tomi Engdahl says:
Google tackles new ad fraud scheme
https://security.googleblog.com/2018/10/google-tackles-new-ad-fraud-scheme.html
Fighting invalid traffic is essential for the long-term sustainability of the digital advertising ecosystem. We have an extensive internal system to filter out invalid traffic – from simple filters to large-scale machine learning models – and we collaborate with advertisers, agencies, publishers, ad tech companies, research institutions, law enforcement and other third party organizations to identify potential threats. We take all reports of questionable activity seriously, and when we find invalid traffic, we act quickly to remove it from our systems.
Tomi Engdahl says:
Phishing Report Shows Microsoft, Paypal, & Netflix as Top Targets
https://www.bleepingcomputer.com/news/security/phishing-report-shows-microsoft-paypal-and-netflix-as-top-targets/
A new phishing report has been released that keeps track of the top 25 brands targeted by bad actors. Of these brands, Microsoft, Paypal, and Netflix are the top brands impersonated by phishing attacks.
Email security provider Vade Secure tracks the 25 most spoofed brands in North America that are impersonated in phishing attacks. In their Q3 2018 report, a total of 86 brands are tracked, which consist of 95% of all attacks detected by the company.
Tomi Engdahl says:
Dipping Into The Honeypot
https://asert.arbornetworks.com/dipping-into-the-honeypot/
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will randomly choose an address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device. For the month of September we observed 1,065 unique username and password combinations from 129 different countries. Taking a step back and looking at malware-agnostic regional trends for username and password combinations, local affinities for different types of IOT devices emerge.
Key Findings
• Interrogating botnets revealed 1,005 additional username and password combinations beyond Mirai’s default list, of the 1,065 total observed.
• Combinations used across disparate regions surface trends regarding device type deployments.
• Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.
The infamous IOT malware, Mirai, first burst on to the scene in late 2016, resulting in a number of variants emerging since, but much of their success belongs to a simple propagation method – default usernames and passwords.
Collecting the usernames and passwords used by IOT malware is a fertile field for analysis. By emulating enough of the telnet protocol to elicit usernames and passwords (and more!), bots will gladly share their hit list to anyone listening. With enough of these collectors, trends emerge.
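As an added illustration of the collection approach the ASERT post describes (this is example code written here, not ASERT's honeypot), the block below emulates just enough of a telnet login exchange to capture the username and password pairs a scanning bot tries, then tallies which pairs fall outside a defender's known-default list. The telnet sessions, the `KNOWN_DEFAULTS` set and every credential in them are constructed sample data.

```python
"""Minimal telnet login emulator of the kind a credential-collecting honeypot
uses: strip IAC option negotiation, drive login:/Password: prompts, record
every attempt, and summarise pairs not on a known-default list.
All credentials below are constructed; none are real device defaults."""
from collections import Counter

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

# Hypothetical list a defender already holds (constructed, not Mirai's list).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "12345"), ("user", "user")}


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only the typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)  # IAC IAC is an escaped literal 0xFF
            i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:
            i += 3  # IAC WILL/WONT/DO/DONT <option>
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # subnegotiation block
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # any other two-byte IAC command
    return bytes(out)


class LoginEmulator:
    """Drives the login:/Password: prompts and records each attempt.
    Assumes IAC sequences do not straddle chunk boundaries (true for the sample)."""

    def __init__(self, max_attempts: int = 3):
        self.state = "user"
        self.buf = b""
        self.username = ""
        self.attempts = []  # list of (username, password) tuples
        self.max_attempts = max_attempts

    def feed(self, raw: bytes) -> bytes:
        """Consume client bytes; return what the honeypot would send back."""
        reply = bytearray()
        self.buf += strip_iac(raw).replace(b"\r\n", b"\n").replace(b"\r", b"\n")
        while b"\n" in self.buf and self.state != "closed":
            line, self.buf = self.buf.split(b"\n", 1)
            text = line.decode("latin-1")
            if self.state == "user":
                self.username, self.state = text, "pass"
                reply += b"Password: "
            else:
                self.attempts.append((self.username, text))
                if len(self.attempts) >= self.max_attempts:
                    self.state = "closed"  # real honeypots close here
                    reply += b"\nLogin incorrect\n"
                else:
                    self.state = "user"
                    reply += b"\nLogin incorrect\nlogin: "
        return bytes(reply)


def summarise(sessions):
    """Count distinct pairs across sessions; flag those not already known."""
    counts = Counter()
    for attempts in sessions:
        counts.update(attempts)
    novel = sorted(p for p in counts if p not in KNOWN_DEFAULTS)
    return {"distinct": len(counts), "novel": novel, "top": counts.most_common(3)}


# Constructed bot sessions: option negotiation followed by credential guesses.
SESSION_A = (b"\xff\xfd\x01\xff\xfb\x18"            # IAC DO ECHO, IAC WILL TTYPE
             b"admin\r\nadmin\r\nroot\r\n12345\r\nsupport\r\ncam-default-1\r\n")
SESSION_B = (b"\xff\xfa\x18\x00XTERM\xff\xf0"        # IAC SB TTYPE ... IAC SE
             b"admin\r\nadmin\r\nroot\r\nfactory-set-pw\r\n")


def run_sample():
    sessions = []
    for raw in (SESSION_A, SESSION_B):
        emu = LoginEmulator()
        emu.feed(raw)
        sessions.append(emu.attempts)
    return summarise(sessions)


if __name__ == "__main__":
    print(run_sample())
```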
Tomi Engdahl says:
National Cybersecurity Awareness Month: Critical Infrastructure Cybersecurity
https://www.us-cert.gov/ncas/current-activity/2018/10/23/National-Cybersecurity-Awareness-Month-Critical-Infrastructure
October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building resilience in critical infrastructure is crucial to national security. The essential infrastructure systems that support our daily lives—such as electricity, financial institutions, and transportation—must be protected from cyber threats.
Critical Infrastructure Sectors
https://www.dhs.gov/critical-infrastructure-sectors
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Tomi Engdahl says:
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute
FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow.
Tomi Engdahl says:
‘The inmates have taken over the asylum’: DNS godfather blasts DNS over HTTPS adoption
Can those who need lookup privacy afford architectural purism?
https://www.theregister.co.uk/2018/10/23/paul_vixie_slaps_doh_as_dns_privacy_feature_becomes_a_standard/
The Internet Engineering Task Force (IETF) has formally adopted DNS-over-HTTPS as a standard, and reignited a debate over whether it’s a danger to the web’s infrastructure.
The IETF gave the proposal its blessing late last week by elevating it to Request For Comment (RFC) level as RFC 8484.
The idea was to guarantee the confidentiality and integrity of DNS lookups, as co-author Mozilla’s Patrick McManus explained to The Register in December 2017, because governments and bad actors alike interfere or snoop on DNS requests.
Encryption provides confidentiality, quite simply because instead of sending a plain-text DNS request over UDP, RFC 8484 sends it over HTTPS, secured by Transport Layer Security (TLS). Integrity protection comes from using the server’s public key to guarantee that nobody’s spoofing the DNS server.
Those sound like good things, but Mauritian coder and contributor to IETF work Logan Velvindron pointed out to The Reg that not everybody’s happy about the RFC.
Paul Vixie, one of the architects of the DNS, reckoned it’s nothing short of a disaster. On Friday, he tweeted: “RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum.”
Vixie has said that DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that’s a no-no.
Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. “DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.”
Tomi Engdahl says:
U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections
https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html
Gen. Paul M. Nakasone, the head of Cyber Command and the National Security Agency, has warned that adversaries are looking to take on the United States through cyberoperations.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/vakuutusyhtion-tempaus-varvasi-hakkerit-hommiin-haavoittuvuuksia-loytyi-roppakaupalla-palkkioita-ropisi-tuhdit-maarat-6745901
The hackers invited by LähiTapiola found 28 vulnerabilities to fix in the company’s systems during the October event. A total of almost 7,000 euros in rewards was paid for the vulnerabilities, and the event also generated a 1,000 euro donation towards teaching children coding skills.
Tomi Engdahl says:
Cheap “cyber insurance”: pay hackers for an attack attempt
https://www.tivi.fi/CIO/halpa-kybervakuutus-maksa-hakkereille-hyokkaysyrityksesta-6719166
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/horjuuko-pankkitunnusten-asema-sahkoisen-tunnistamisen-hintaa-painetaan-alas-6745933
Currently, according to the ministry, the price of relaying an identification transaction is 10 cents. The price is to be changed to a fixed 3 cents.
In addition to banks, the strong electronic identification means in use in Finland are offered by telecom operators and the Population Register Centre. There are also a few companies on the market that offer only electronic identification brokering services. Bank credentials, however, have a market share of over 90 percent, so they receive money from almost all transactions that require strong authentication.
Tomi Engdahl says:
Information security risks are a talking point at the energy fair
https://www.uusiteknologia.fi/2018/10/22/tietoturvariskit-puhuttavat-energiamessuilla/
“For example, when a power outage occurs, an energy company must find the important information immediately so that the situation can be resolved quickly. We have indeed noticed that many companies in the energy sector invest particularly heavily in efficient and secure information management”,
Tomi Engdahl says:
NETSCOUT Offers Free DDoS Protection to Election Officials
https://buyersguide.cablinginstall.com/netscout-systems/pressrelease/netscout-offers-free-ddos-protection-to-election-officials.html?cmpid=enl_cim_cim_data_center_newsletter_2018-10-22
Tomi Engdahl says:
North Korean hacker crew steals $571M in cryptocurrency across 5 attacks
… and they are inspiring more attempts
https://thenextweb.com/hardfork/2018/10/19/cryptocurrency-attack-report/
North Korean hacking outfit “Lazarus” is the most profitable cryptocurrency-hacker syndicate in the world.
Since 2017, internet baddies have in total stolen $882 million worth of cryptocurrency from online exchanges, but none have done it quite as well as the infamous North Koreans.
World-renowned cybersecurity unit Group-IB is prepping to release its annual report on trends in hi-tech cybercrime.
A summary obtained by Hard Fork details 14 different attacks on cryptocurrency exchanges since January last year and calculates the state-sponsored Lazarus group is responsible for $571 million of the ill-gotten gains.
Phishers responsible for 56% of stolen ICO funds
The report also reveals 10 percent of the total funds raised by ICO platforms over the past year and a half have been stolen. A majority of the funds were lost to phishing.
Group-IB attribute much of the losses to baddies taking advantage of “crypto-fever,” where investors are so overcome with a fear of missing out they rush to contribute to new cryptocurrency projects as fast as possible, without checking for fake domain names.
Tomi Engdahl says:
Episode 14 | Reinventing the Cold Boot Attack: Modern Laptop Version
https://blog.f-secure.com/podcast-reinventing-cold-boot-attack/
Tomi Engdahl says:
jQuery File Upload Plugin Vulnerable for 8 Years and Only Hackers Knew
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
Of the thousands of plugins for the jQuery framework, one of the most popular of them harbored for at least three years an oversight in code that eluded the security community, despite public availability of tutorials that explained how it could be exploited.
The bug affects the widely used jQuery File Upload widget and allowed an attacker to upload arbitrary files on web servers, including command shells for sending out commands.
Together with Sebastian Tschan, the developer of the plugin, the researcher discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. Unless specifically enabled by the administrator, .htaccess files are ignored.
One reason for this was to protect the system configuration of the administrator by disabling users from customizing security settings on individual folders. Another one was to improve performance since the server no longer had to check the .htaccess file when accessing a directory.
After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.
Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.
The researcher reached this conclusion after checking some of the forks, where he noticed three common variations. He created a proof-of-concept exploit that tries to find one of the differences and uploads a PHP shell.
https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/index.php
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206
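The plugin fix described above restricts uploads to GIF, JPG, JPEG and PNG by default. As an added illustration (not the plugin's own code, and not the researcher's), the following validator shows the kind of server-side allowlist check an upload handler can apply so that the restriction does not depend on a .htaccess file being honoured: it checks the extension against the allowlist, verifies the file's leading bytes match the claimed type, and rejects names carrying more than one extension. Function names and sample bytes are constructed for this example.

```python
import re

# Allowed extensions and the magic bytes each must start with.
# Mirrors the default allowlist the plugin adopted (GIF, JPG, JPEG, PNG).
ALLOWED_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Base name: one run of safe characters, exactly one dot, one extension.
# A name with more than one dot (e.g. "a.php.png") is rejected outright,
# since Apache handler mappings may act on inner extensions.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload given its name and first bytes.

    The decision relies on nothing outside this function, so it holds even
    when per-directory .htaccess rules are disabled (AllowOverride None).
    """
    # Strip any path components the client may have sent.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = _SAFE_NAME.match(base)
    if not m:
        return False, "name must be <safe chars>.<ext> with a single extension"
    ext = m.group(1).lower()
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return False, f"extension .{ext} not in allowlist"
    if not any(head.startswith(sig) for sig in magics):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a PNG-looking header and a non-image blob
    # presented under an image extension.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    other = b"not-an-image-blob"
    for name, head in [("photo.png", png_head), ("photo.png", other),
                       ("script.php", other), ("a.php.png", png_head)]:
        print(name, validate_upload(name, head))
```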
Tomi Engdahl says:
Now Apps Can Track You Even After You Uninstall Them
https://www.bloomberg.com/news/articles/2018-10-22/now-apps-can-track-you-even-after-you-uninstall-them
New trackers make it easy for developers to identify fed-up users and pester them with targeted ads.
If it seems as though the app you deleted last week is suddenly popping up everywhere, it may not be mere coincidence. Companies that cater to app makers have found ways to game both iOS and Android, enabling them to figure out which users have uninstalled a given piece of software lately—and making it easy to pelt the departed with ads aimed at winning them back.
Adjust, AppsFlyer, MoEngage, Localytics, and CleverTap are among the companies that offer uninstall trackers, usually as part of a broader set of developer tools. Their customers include T-Mobile US, Spotify Technology, and Yelp. (And Bloomberg Businessweek parent Bloomberg LP, which uses Localytics.) Critics say they’re a fresh reason to reassess online privacy rights and limit what companies can do with user data. “Most tech companies are not giving people nuanced privacy choices, if they give them choices at all,”
Tomi Engdahl says:
Strict password policy could prevent credential reuse, paper suggests
https://www.welivesecurity.com/2018/10/22/strict-password-policy-prevent-credential-reuse/
The solution to password recycling may be easier to implement than previously thought, according to a recent paper
Mandating longer and more complex passwords reduces the likelihood that users will reuse them across multiple online services, researchers have found.
A team of three academics from Indiana University set out to examine the impact of prescribing rules for password creation on password reuse. To do so, they first analyzed the password policies of 22 universities in the US. Then they dived into 1.3 billion username/password combinations that are available online as a result of past breaches. In the process, they found close to 7.4 million login credentials where the email addresses belonged to the domain name associated with universities.
“Based on email addresses belonging to a university’s domain (we checked the .edu domain address), passwords were compiled and tested against a university’s prescribed password policy,” said the researchers.