Cyber Security December 2018

This posting is here to collect security alert news in December 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.


  1. Tomi Engdahl says:

    Clickjacking Bug in Facebook Being Abused By Attackers To Post Spam On Your Facebook Wall
    https://gbhackers.com/clickjacking-bug-facebook/

    A malicious spam campaign that posts the clicked link on your Facebook wall. The campaign exploits a vulnerability that resides in the mobile version of Facebook.

  2. Tomi Engdahl says:

    Blackmail demand claims to have nailed you watching porn
    https://www.kaspersky.com/blog/extortion-spam/25070/

    One fine (or not so fine) day, you check your inbox and discover a message that starts like this:

    “I’m aware, ********** is your password. You don’t know me and you are probably thinking why you are getting this email, right? Well, I actually placed a malware on the adult video clips (porn) web site…”

    Or like this:

    “I hacked this mailbox and infected your operating system with a virus…”

    Or even:

    “I’m part of an international hacker group. As you can guess, your account was hacked…”

    All sorts of variants exist, but the message boils down to a claim that the sender infected your computer by hacking your account or placing malware on a porn site you visited.

  3. Tomi Engdahl says:

    More Than Just a Fad: Lessons Learned About Threat Hunting in 2018
    https://securityintelligence.com/more-than-just-a-fad-lessons-learned-about-threat-hunting-in-2018/

    Threat Hunting Is Here to Stay in 2019

    Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program. Just like the fads that will inevitably come and go in 2019, there will be new cybersecurity tools, methodologies and lessons in the new year.

  4. Tomi Engdahl says:

    Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service
    https://www.welivesecurity.com/2018/12/21/google-policy-change-eset-android-anti-theft-service/

    The unfortunate implications of a well-intentioned change to Google Play Developer policies – and the negative impact it has on ESET’s Android app customers

  5. Tomi Engdahl says:

    2018: A Banner Year for Breaches
    https://threatpost.com/2018-biggest-breaches/140346/

    A look back at the blizzard of breaches that made up 2018.

    Where to start? In 2018 the mantra became “another day, another data breach.”

  6. Tomi Engdahl says:

    Hacking Christmas Lights For Fun and Mischief
    https://www.bleepingcomputer.com/news/security/hacking-christmas-lights-for-fun-and-mischief/

    Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.

    The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.

  7. Tomi Engdahl says:

    Could you speak up a bit? I didn’t catch your password
    We won’t need security experts when there’s no security left
    https://www.theregister.co.uk/2018/12/25/could_you_speak_up_a_bit_i_didnt_catch_your_password/

  8. Tomi Engdahl says:

    MD5 and SHA-1 Still Used in 2018
    https://www.schneier.com/blog/archives/2018/12/md5_and_sha-1_s.html

    the current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it’s really bad form to accept these algorithms for any purpose.

  9. Tomi Engdahl says:

    Over 19,000 Orange modems are leaking WiFi credentials
    Headaches for Orange customers in France and Spain for the holidays.
    https://www.zdnet.com/article/over-19000-orange-modems-are-leaking-wifi-credentials/

  10. Tomi Engdahl says:

    Hacker steals ten years worth of data from San Diego school district
    https://www.zdnet.com/article/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district/

    Officials said the hacker made off with the personal information of over 500,000 students and staff.

  12. Tomi Engdahl says:

    Veracode: DevSecOps is having a positive impact on security, but the state of security still has a long way to go
    https://sdtimes.com/security/veracode-devsecops-is-having-a-positive-impact-on-security-but-the-state-of-security-still-has-a-long-way-to-go/

    Even with a stronger focus on security this year, most software is still riddled with security vulnerabilities. According to Veracode’s State of Software Security (SOSS) report, 87.5 percent of Java applications, 92 percent of C++ applications, and 85.7 percent of .NET applications contain at least one vulnerability. In addition, over 13 percent of applications contain at least one critical vulnerability.

  13. Tomi Engdahl says:

    Hot tub hack reveals washed-up security protection
    https://www.bbc.com/news/technology-46674706

    Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed.

    Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone.

  14. Tomi Engdahl says:

    Is Huawei a real security risk or part of the trade war? “Hard to say, because there is no evidence of spying”
    https://yle.fi/uutiset/3-10546742

  15. Tomi Engdahl says:

    Watch a Homemade Robot Crack a Safe in Just 15 Minutes
    https://www.wired.com/story/watch-robot-crack-safe/

    Last Christmas, Nathan Seidle’s wife gave him a second-hand safe she’d found on Craigslist.

    The original owner had locked it and forgotten the combination. Her challenge to Seidle: Open it.

    Seidle isn’t much of a safecracker. But as the founder of the Niwot, Colorado-based company SparkFun, a DIY and open-source hardware supplier, he’s a pretty experienced builder of homemade gadgets, tools, and robots.

    The result: A fully automated device, built from off-the-shelf and 3-D printed components, that can open his model of SentrySafe in a maximum of 73 minutes, or half that time on average, with no human interaction.

  16. Tomi Engdahl says:

    Air Force One spotted in Sheffield: how UK enthusiast revealed Trump’s Iraq trip
    https://www.theguardian.com/uk-news/2018/dec/27/air-force-one-spotted-in-sheffield-how-uk-enthusiast-revealed-trumps-iraq-trip

    Alan Meloy photographed distinctive plane in skies over Yorkshire on Boxing Day

    When Donald Trump flew to Iraq on Christmas Day for a top secret visit, the US government took every precaution to avoid the news leaking out. Journalists were sworn to secrecy

    The US military had not reckoned with a planespotter from the suburbs of Sheffield, who took a photograph of the president’s plane in the sky over Yorkshire and inadvertently helped to break news of the flight to the Middle East while Trump was still in the air.

    After uploading the picture to the photo sharing site Flickr, the image was picked up by other aircraft enthusiasts who combined it with publicly available aircraft tracking data

    As a result, the White House was forced to reveal details of the trip ahead of time, throwing media management and security plans into chaos.

    The president also told journalists that he had never seen anything like the security measures taken to ensure the secrecy of his flight

    there were lessons to be learned: “If you want to do covert work use a covert plane.”

  17. Tomi Engdahl says:

    Secret Service Announces Test of Face Recognition System Around White House
    https://www.aclu.org/blog/privacy-technology/surveillance-technologies/secret-service-announces-test-face-recognition

    last week the Department of Homeland Security published details of a U.S. Secret Service plan to test the use of facial recognition in and around the White House.

    According to the document, the Secret Service will test whether its system can identify certain volunteer staff members by scanning video feeds from existing cameras

  18. Tomi Engdahl says:

    Security flaws let anyone snoop on Guardzilla smart camera video recordings
    https://techcrunch.com/2018/12/27/guardzilla-security-camera-flaws/?sr_share=facebook&utm_source=tcfbpage

    A popular smart security system maker has ignored warnings from security researchers that its flagship device has several serious vulnerabilities, including allowing anyone access to the company’s central store of customer-uploaded video recordings.

  19. Tomi Engdahl says:

    Users report losing Bitcoin in clever hack of Electrum wallets
    Hacker has stolen over $750,000 worth of Bitcoin over the past seven days.
    https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/

    A hacker (or hacker group) has made over 200 Bitcoin (circa $750,000 at today’s exchange) using a clever attack on the infrastructure of the Electrum Bitcoin wallet.

    The attack resulted in legitimate Electrum wallet apps showing a message on users’ computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.

    The attack began last week on Friday, December 21

    The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.

    After receiving news of attacks, the Electrum team responded by silently updating the Electrum wallet app, so these messages don’t render as rich HTML text anymore.

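The Electrum incident above comes down to a client rendering text chosen by an untrusted server as rich content. The following is an added example, not code from Electrum or from the article, that contrasts the vulnerable rendering path with a hardened one. The server error text is constructed to mimic the attack, and the GitHub URL inside it is a placeholder, not the repository the attacker used.

```python
"""Added example: untrusted server text in a wallet UI (not Electrum's code)."""
import html
import re

# Constructed sample, modelled on the attack described above: a public
# server answers a broadcast request with an "error" that is really HTML.
# The URL is a placeholder, not the attacker's real repository.
MALICIOUS_SERVER_ERROR = (
    "Transaction rejected. Your Electrum version is outdated. "
    'Please update from <a href="https://github.com/example-attacker/electrum-update">'
    "https://github.com/example-attacker/electrum-update</a> before retrying."
)

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
MAX_LEN = 200  # an error message has no business being longer than this


def render_vulnerable(server_text: str) -> str:
    """Rich-text path: whatever the server sent reaches an HTML-capable widget."""
    return server_text


def render_hardened(server_text: str) -> str:
    """Plain-text path: the server's bytes are data, never markup."""
    text = server_text[:MAX_LEN]
    # A public server has no legitimate reason to tell the user where to
    # click, so anything URL-shaped is cut out rather than merely escaped.
    text = URL_RE.sub("[link removed]", text)
    # Escape what is left so an HTML-capable widget shows tags literally.
    return html.escape(text, quote=True)


def contains_clickable_link(widget_input: str) -> bool:
    """Would an HTML-capable label turn this text into a clickable anchor?"""
    return re.search(r"<a\s[^>]*href=", widget_input, re.I) is not None
```

The stronger fix is to not surface arbitrary server text at all and instead map server error codes to strings the client owns; the escaping and link stripping above is the minimum for any UI that shows peer-supplied text.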
  20. Tomi Engdahl says:

    New Shamoon Sample from France Signed with Baidu Certificate
    https://www.bleepingcomputer.com/news/security/new-shamoon-sample-from-france-signed-with-baidu-certificate/

    A new sample of Shamoon disk-wiping malware was uploaded from France recently to the VirusTotal scanning platform. It tries to pass as a system optimization tool from Chinese technology company Baidu.

    This new Shamoon variant was uploaded on December 23, 2018, and is signed with a digital certificate from Baidu, issued on March 25, 2015. The signature is no longer valid, as it expired on March 26, 2016.

    The targets attacked by the threat actor behind this malware are typically oil and gas companies in the Middle East region. The latest Shamoon samples hit companies in the same area as well as Europe, deleting files on infected systems and making the machines unbootable.

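The detail worth keeping from the Shamoon item above is the certificate timeline: issued March 25, 2015, expired March 26, 2016, sample uploaded December 23, 2018. The following triage helper is an added example, not code from the article or from any AV vendor; the certificate dates are the ones quoted above, while the subject string, the cryptographic-check result and the timestamp fields are assumed for illustration.

```python
"""Added example: triaging a signed binary whose certificate has expired.
Not code from the article or from any vendor."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class SignerCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False          # assumed: looked up via CRL/OCSP elsewhere


@dataclass
class Signature:
    cert: SignerCert
    crypto_ok: bool                # assumed result of verifying the PE hash
    countersign_time: Optional[datetime]  # trusted timestamp, if one was applied


def assess(sig: Signature, now: datetime) -> str:
    """Classify the signature the way an Authenticode verifier would."""
    if not sig.crypto_ok:
        return "bad-signature"
    if sig.cert.revoked:
        return "revoked"
    c = sig.cert
    if sig.countersign_time is not None:
        # A trusted timestamp lets a signature outlive the certificate,
        # provided signing happened while the certificate was still valid.
        if c.not_before <= sig.countersign_time <= c.not_after:
            return "trusted"
        return "timestamp-outside-validity"
    if c.not_before <= now <= c.not_after:
        return "trusted"
    return "expired-no-timestamp"


def should_block(verdict: str) -> bool:
    """Anything but a clean verdict is handled as if the file were unsigned."""
    return verdict != "trusted"


# Certificate dates quoted in the article; the subject string and the
# remaining fields are constructed for the example.
BAIDU_CERT = SignerCert(
    subject="Baidu",
    not_before=datetime(2015, 3, 25, tzinfo=timezone.utc),
    not_after=datetime(2016, 3, 26, tzinfo=timezone.utc),
)
SHAMOON_SAMPLE = Signature(cert=BAIDU_CERT, crypto_ok=True, countersign_time=None)
UPLOAD_DATE = datetime(2018, 12, 23, tzinfo=timezone.utc)
```

Even a "trusted" verdict only says the signature is cryptographically sound and was made during the certificate's lifetime. Whether that signer should be shipping a disk wiper is a separate question answered by allowlisting and behaviour, and a binary that imitates a vendor's tool while failing the signature check deserves more suspicion, not less.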
  21. Tomi Engdahl says:

    JungleSec Ransomware Infects Victims Through IPMI Remote Consoles
    https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/

    A ransomware called JungleSec is infecting victims through unsecured IPMI (Intelligent Platform Management Interface) cards since early November.

    When originally reported in early November, victims were seen using Windows, Linux, and Mac, but there was no indication as to how they were being infected. Since then, BleepingComputer has spoken to multiple victims whose Linux servers were infected with the JungleSec Ransomware and they all stated the same thing; they were infected through unsecured IPMI devices.

    IPMI is a management interface built into server motherboards or installed as an add-on card that allow administrators to remotely manage the computer, power on and off the computer, get system information, and get access to a KVM that gives you remote console access.

  22. Tomi Engdahl says:

    2018: The Year Machine Intelligence Arrived in Cybersecurity
    https://www.darkreading.com/network-and-perimeter-security/2018-the-year-machine-intelligence-arrived-in-cybersecurity/d/d-id/1333556

    Machine intelligence, in its many forms, began having a significant impact on cybersecurity this year – setting the stage for growing intelligence in security automation for 2019.

  23. Tomi Engdahl says:

    What should you do with your old devices
    https://www.welivesecurity.com/2018/12/27/safe-disposal-old-devices-tips-tony-anscombe/

    Disposal of old tech requires thought and effort and the need to cleanse the device of any personal data is just one of the concerns

  24. Tomi Engdahl says:

    Nokia denies leaking internal credentials in server snafu
    https://www.zdnet.com/article/nokia-denies-leaking-internal-credentials-in-server-snafu/

    Security researcher finds treasure trove of passwords and API keys on an internet-accessible etcd database.

    Finnish phone vendor Nokia denied today a security company’s claims that it exposed a treasure trove of internal credentials, encryption and API keys in a server that it accidentally left exposed and easily accessible over the Internet.

    The issue at hand is in regards to an etcd server discovered by HackenProof researcher Bob Diachenko.

    Etcd is a database server that is most often used in corporate and cloud computing environments. They are a standard part of CoreOS, an operating system developed for cloud hosting environments, where they are used as part of the OS’ clustering system. CoreOS uses an etcd server as a central

    Diachenko told ZDNet last week that he came across one such etcd server last week, on December 13. He says he discovered the server using the Shodan search engine for internet-connected devices.

    In a blog post today, the researcher finally detailed last week’s findings, after Nokia had secured the exposed server earlier this week.

    https://www.tivi.fi/Kaikki_uutiset/nokia-kiistaa-tietoturvatutkijan-loytaman-tietovuodon-merkittavyyden-6753745

    New Discovery: Nokia left its cloud environment open, config details exposed
    https://blog.hackenproof.com/industry-news/new-discovery-nokia-left-its-cloud-environment-open

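An etcd node reachable from the internet over plain HTTP with no client authentication hands over everything stored in it, which is the failure mode described in the Nokia item above. The audit helper below is an added example, not code from HackenProof, Nokia or the etcd project; it reads etcd's documented startup flags from a command line, and the sample command lines in the test are constructed (203.0.113.10 is a documentation address).

```python
"""Added example: flag etcd client endpoints that are reachable without
credentials. Not code from the etcd project."""
import shlex
from typing import Dict, List
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Collect '--key=value', '--key value' and bare '--key' from a command line."""
    args = shlex.split(cmdline)[1:]      # drop the program name
    flags: Dict[str, str] = {}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            name = arg[2:]
            if "=" in name:
                key, value = name.split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, value = name, args[i + 1]
                i += 1
            else:
                key, value = name, "true"
            flags[key] = value
        i += 1
    return flags


def audit_etcd(cmdline: str) -> List[str]:
    """Return one finding per client endpoint that is exposed and unauthenticated.

    Only startup flags are inspected. Role-based auth switched on at runtime
    with 'etcdctl auth enable' is not visible here and must be checked separately.
    """
    flags = parse_flags(cmdline)
    client_cert_auth = flags.get("client-cert-auth", "false").lower() == "true"
    findings: List[str] = []
    # etcd's default listens on loopback only; explicit settings often do not.
    for url in flags.get("listen-client-urls", "http://localhost:2379").split(","):
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        exposed = host in WILDCARD or (host and host not in LOOPBACK)
        if not exposed:
            continue
        if parts.scheme == "http":
            findings.append(f"{url}: plaintext client endpoint on a non-loopback address")
        elif parts.scheme == "https" and not client_cert_auth:
            findings.append(f"{url}: TLS without --client-cert-auth, any client can connect")
    return findings
```

Run it over the unit files or container specs that start etcd; a clean result still leaves the question of whether role-based auth is enabled, which has to be asked of the running cluster.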
  25. Tomi Engdahl says:

    Shared Tweeting Privileges Easy to Get by Spoofing Phone Numbers
    https://www.bleepingcomputer.com/news/security/shared-tweeting-privileges-easy-to-get-by-spoofing-phone-numbers/

    Twitter accounts of several celebrities and journalists in the UK shared control of the tweet feed to an unauthorized user for a brief period.

    The interference was part of an experiment meant to highlight the risk of using mobile phone networks to authenticate and interact on the social networking service.

    Getting privileges to post on the timeline of the selected accounts was possible because Twitter offers the option to tweet as long as it is done from the phone number connected to the profile.

  26. Tomi Engdahl says:

    Hijacking Online Accounts Via Hacked Voicemail Systems
    https://threatpost.com/hijacking-online-accounts-via-hacked-voicemail-systems/140403/

    Proof-of-concept hack of a voicemail system shows how it can lead to account takeovers at multiple online services.

    LEIPZIG, GERMANY – Voicemail systems are vulnerable to compromise via brute force attacks against the four-digit personal identification numbers that protect them. By doing so, researchers say a malicious user can then access the voicemail system to then take over online accounts similar to WhatsApp, PayPal, LinkedIn and Netflix.

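The voicemail attack above works because a four-digit PIN is only 10,000 guesses and nothing stops an attacker from making all of them. The simulation below is an added example, not the researchers' proof of concept; it models a mailbox with and without an attempt limit and shows why a lockout alone is not enough when the PIN itself is one people choose often. The list of common PINs is constructed for illustration.

```python
"""Added example: what a four-digit voicemail PIN is worth with and without
an attempt limit. Not code from the researchers' proof of concept."""
from typing import Iterable, List, Optional, Tuple

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]

# Constructed list of PINs that people pick far more often than chance;
# an attacker tries these before the rest of the space.
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777", "2580", "4321"]


def is_weak_pin(pin: str) -> bool:
    """Reject PINs an attacker would try first."""
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                        # 3333
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})                   # 1234, 9876


class VoicemailBox:
    """Minimal model of a PIN-protected mailbox.

    max_attempts=None reproduces the weak deployment: unlimited guesses.
    """

    def __init__(self, pin: str, max_attempts: Optional[int] = None):
        if len(pin) != 4 or not pin.isdigit():
            raise ValueError("PIN must be four digits")
        self._pin = pin
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def check_pin(self, guess: str) -> bool:
        if self.locked:
            return False
        if guess == self._pin:
            self.failed = 0
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True        # out-of-band reset required from here on
        return False


def brute_force(box: VoicemailBox,
                order: Optional[Iterable[str]] = None) -> Tuple[Optional[str], int]:
    """Guess PINs in the given order; return (recovered PIN or None, guesses used)."""
    attempts = 0
    for guess in (order if order is not None else PIN_SPACE):
        attempts += 1
        if box.check_pin(guess):
            return guess, attempts
        if box.locked:
            return None, attempts
    return None, attempts


def common_first() -> List[str]:
    """Attacker ordering: popular PINs first, then the rest of the space."""
    return COMMON_PINS + [p for p in PIN_SPACE if p not in COMMON_PINS]
```

Against an unlimited mailbox the full space is exhausted in minutes of dialling; with a lockout the attacker still gets the handful of most likely PINs, so the provider has to both throttle attempts and refuse the PINs on that list at enrolment.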
  27. Tomi Engdahl says:

    Hackers Make a Fake Hand to Beat Vein Authentication
    https://motherboard.vice.com/amp/en_us/article/59v8dk/hackers-fake-hand-vein-authentication-biometrics-chaos-communication-congress#referrer=https%3A%2F%2Fwww.google.com&amp_tf=From%20%251%24s

    Security researchers disclosed new work at the Chaos Communication Congress showing how hackers can bypass vein based authentication.

  28. Tomi Engdahl says:

    Mystery Hacker Steals Data of 1,000 North Korean Defectors to the South
    https://www.thedailybeast.com/mystery-hacker-steals-data-of-1000-north-korean-defectors-to-the-south

    Mystery hackers have stolen the personal information of nearly 1,000 people who defected from North to South Korea. The South Korean Unification Ministry admitted Friday that unknown hackers have gotten hold of the resettlement agency’s database and that the names, birth dates, and addresses of 997 defectors had been taken. “The malware was planted through emails sent by an internal address,”

  29. Tomi Engdahl says:

    The most common forms of censorship the public doesn’t know about
    https://techcrunch.com/2018/12/19/the-most-common-forms-of-censorship-the-public-doesnt-know-about/

    Amid all the discussion today about online threats, from censorship to surveillance to cyberwar, we often spend more time on the symptoms than on the underlying chronic conditions. If we want to make people around the world safer from an oppressive, weaponized internet, we need to get a bit nerdy and talk about internet standards.

    Most internet censorship today is only possible because the internet wasn’t designed to protect the privacy of your connections. It wasn’t private by design, so when censors came along, they pushed on an open door.

    Put simply, we should make internet protocols — the who, what, where of internet addresses — more private.

    Privacy makes selective censorship harder

    Improving standards doesn’t take magic — just prototyping, debating, consensus-building and implementing.

    Unfortunately, every time you visit a website, your computer first consults the DNS system without any encryption, allowing censors and snoopers to know the name of every website you visit. A new standard is emerging to encrypt DNS lookups.

    the W3C (another internet standards body) has been establishing a draft standard for Network Error Logging. This potentially helps address one of the trickiest challenges in tackling network interference: figuring out when interference is even happening.

    Network Error Logging allows the user’s device to report a failed lookup to a neutral third party that is not blocked

    If we’re serious about addressing those challenges, we need to start with improving standards.

  30. Tomi Engdahl says:

    Bitcoin Wallet Comprise: Electrum Wallet Breach Costs Users Over $750,000
    https://www.newsbtc.com/2018/12/27/bitcoin-wallet-comprise-electrum/

    According to emerging reports, the popular Bitcoin wallet software Electrum has been attacked costing those affected over $750,000 worth of Bitcoin. The security breach involved hackers tricking the wallet into urging users to make a critical update.

  31. Tomi Engdahl says:

    Report: Most of the internet is fake, including its users
    https://www.msnbc.com/all-in/watch/report-most-of-the-internet-is-fake-including-its-users-1412606531832?cid=sm_npd_ms_tw_ma

    If you think 2016 Russian disinformation was bad, that was just the tip of the iceberg. What if the entire internet is a fraud?

  32. Tomi Engdahl says:

    Julia Reda:
    European Commission to start offering bug bounties on 14 Free Software projects like Notepad++ and VLC that the EU institutions rely on

    In January, the EU starts running Bug Bounties on Free and Open Source Software
    https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

  33. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    CenturyLink says all consumer services impacted by a ~32-hour outage that started on Thursday, including its 911 emergency services, have been restored
    https://techcrunch.com/2018/12/28/911-service-outage-centurylink/

  34. Tomi Engdahl says:

    Andrew Jeong / Wall Street Journal:
    South Korea says hackers stole data, including names and addresses, of 997 North Korean defectors; cybersecurity experts say likely culprit is North Korea

    Hackers Steal Personal Information of North Koreans in South Korea
    https://www.wsj.com/articles/hackers-steal-personal-information-of-north-korean-defectors-in-south-korea-11546001022

    A likely culprit is North Korea, which attempts an estimated 1.5 million cyberattacks daily, or 17 every second

  35. Tomi Engdahl says:

    Dell Cameron / Gizmodo:
    A bug Twitter downplayed in 2012 resurfaces as researchers hijack celebrity accounts to send tweets by using a UK mobile phone number tied to an account

    Twitter Hackers Hijack New Accounts After Company Claims It Fixed Bug
    https://gizmodo.com/twitter-hackers-hijacked-new-accounts-after-company-cla-1831369315

    Twitter is claiming to have resolved a bug that allowed a group of London-based security researchers to post unauthorized tweets to the accounts of British celebrities and journalists. But the hackers who initially disclosed the vulnerability say that’s rubbish.

    A Twitter spokesperson told reporters on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” However, during a conversation with Gizmodo, the hackers who posted the unauthorized tweets to celebrity accounts appeared able to reproduce the experiment after Twitter made its claim.

  36. Tomi Engdahl says:

    wallet.fail
    Hacking the most popular cryptocurrency hardware wallets
    https://media.ccc.de/v/35c3-9563-wallet_fail

  37. Tomi Engdahl says:

    Caught on camera: Cleveland family is being cyber-stalked on a whole new level
    http://www.cleveland19.com/2018/12/27/caught-camera-cleveland-family-is-being-cyber-stalked-whole-new-level/

    Through phones, computers, games, even pizza deliveries, the family is being terrorized

    Someone has hacked into every aspect of their home.

    “He’s gotten into the home computer, he’s gotten into the video games that the kids are playing, he’s gotten into the phone, phone messages. My daughter’s school, my daughter’s online school. He’s gotten into all of our cell phone, which would be three cell phones,” an exhausted John Garrity described.

    It started in early November.

  38. Tomi Engdahl says:

    The Huawei bans aren’t about security — and they’re endangering the future internet
    https://www.verdict.co.uk/huawei-bans-geopolitics-internet/

  39. Tomi Engdahl says:

    It’s the end of 2018, and this is your year in security
    https://www.theregister.co.uk/2018/12/27/2018_the_year_in_security/

    From fried chips to stuffed elections, a look back at the year that was

  40. Tomi Engdahl says:

    Someone Is Trying To Take Entire Countries Offline
    https://www.iflscience.com/technology/someone-is-trying-to-take-entire-countries-offline/

    Gatwick Airport is Britain’s second busiest by passenger volume, and Europe’s eighth. And yet it was brought to a standstill for two days by two people and a single drone.

    The criminals who break into the web sites of banks or chainstores and steal personal data or money are not the scariest people out there, he told me. The hackers we really ought to be worrying about are the ones trying to take entire countries offline. People who are trying to take down the internet, switch the lights off, cut the water supply, disable railways, or blow up factories.

    The West’s weakness is in the older electronics and sensors that control processes in infrastructure and industry. Often these electronics were installed decades ago. The security systems controlling them are ancient or non-existent. If a hacker can gain control of a temperature sensor in a factory, he — they’re usually men — can blow the place up, or set it on fire. “The problem people don’t realise is it becomes a weapon of mass destruction. You can take down a whole country. It can be done,” he said.

    And then, how do you respond?

    “you have no idea who did it.”

    “You can have a team of five people sitting in a basement and be just as devastating as WMDs,” he said. “It’s really scary. In some sense it’s a matter of time because it’s really easy.”

    “Someone is learning how to take down the Internet,” Bruce Schneier, the CTO of IBM Resilient believes

    The Dyn attack was done by three young men who had created some software that they merely hoped would disable a competitor’s company, until it got out of control. The Mauritania attack was probably done by the government of neighbouring Sierra Leone, which was trying to manipulate local election results by crippling the media.

    It’s not merely that “someone” out there is trying to figure out how to take down the internet. There are multiple someones out there who want that power.

  41. Tomi Engdahl says:

    China’s Global Control of 5G Could Be a Cyber Pearl Harbor for US
    https://m.theepochtimes.com/chinas-global-control-of-5g-could-be-a-cyber-pearl-harbor-for-us_2748693.html

    China is determined to control fifth-generation wireless technology (5G) networks, posing a threat to American telecommunication firms and raising national-security concerns. To win the next-generation mobile race, the U.S. government has to act fast, an expert warns.

    Cyberspace is considered the fifth strategic domain of warfare, along with land, sea, air, and space. And the Chinese are on the verge of dominating this domain.

  42. Tomi Engdahl says:

    ICE Seizes Over 1 Million Websites With No Due Process; Apparently Unaware That Copyright & Trademark Are Different
    from the this-does-not-bode-well dept
    https://www.techdirt.com/articles/20181213/18030341224/ice-seizes-over-1-million-websites-with-no-due-process-apparently-unaware-that-copyright-trademark-are-different.shtml

  43. Tomi Engdahl says:

    Chinese schools are using chips in uniforms to monitor students
    https://www.abacusnews.com/digital-life/chinese-schools-are-using-chips-uniforms-monitor-students/article/3000359

    GPS and ID chips combine with a facial recognition system to track kids (but only during school hours)

