A collection point
...and some of my own.
US troops deploying to the Middle East told to leave the phone at home
Amid growing tensions with Iran, the US deployed emergency troops to the Middle East a couple of weeks back. But before being sent overseas, paratroopers of the US Army 82nd Airborne Division were told to leave personal devices like smartphones, tablets, and laptops at home, according to CNN Pentagon correspondent Barbara Starr, citing US Army Maj. Gen. James Mingus. The primary concern was that poor operational security (OpSec) practices might put soldiers in danger and expose military operations, US Army 82nd Airborne Division officials told the Army Times last Monday.

Citrix Admins Urged to Act as PoC Exploits Surface
Phil Muncaster: IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published. The tech giant revealed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway back in mid-December last year. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available. However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31. PoCs have started to emerge on GitHub over the past few days which could allow attackers to gain full control over affected devices. Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend.
Current status? Tripwire researcher Craig Young claimed that 39,378 of the 58,620 IP addresses he detected as likely NetScaler or ADC VPN portals did not have mitigations enabled.

UK: National Lottery Hacker Jailed for Nine Months
Michael Hill: Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offenses under the Computer Misuse Act 1990 and one fraud charge. The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records. The NCA stated that Batson was responsible for using a widely available hacking tool – Sentry MBA – to create a file that launched the attack, telling others they could make quick cash by using the tool against Camelot (which runs the National Lottery).

EU: Hundreds of Millions of Haunted Broadcom Modems
Discovered by three researchers from security consultancy Lyrebirds and an independent, the so-called “Cable Haunt” bug (CVE-2019-19494) is described as a buffer overflow, “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser.” Specifically, the flaw is found in the Broadcom chip’s spectrum analyzer component, which is designed to identify problems with the modem cable connection. If attackers can first trick the user into opening a web page containing malicious JavaScript, possibly via a phishing email, then they can trigger the buffer overflow, giving them access to the modem. The scale of the problem is potentially immense — affecting many more devices than the 200 million estimated in Europe. “The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.” ISPs have been contacted by the team with a fix prior to disclosure, but the quartet claimed only to have had “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 identified as affected.

Facebook bans deepfakes, but not cheapfakes or shallowfakes
Last week, Facebook banned some doctored videos, but only those made with artificial intelligence (AI), in a way that an average person wouldn’t easily spot. What the policy doesn’t cover are videos made with simple video-editing software, or what disinformation researchers call “cheapfakes” or “shallowfakes.” Facebook will be using its own staff, as well as independent fact-checkers, to judge a video’s authenticity.

Facebook Says Encrypting Messenger by Default Will Take Years
In March of last year, Mark Zuckerberg made a dramatic pledge: Facebook would apply end-to-end encryption to user communications across all of its platforms by default. The move would grant strong new protections to well over a billion users. It's also not happening anytime soon. What Zuckerberg didn't spell out at the time is just how difficult that transition would be to pull off, and not just in terms of political hurdles from encryption-averse law enforcement or a shift in Facebook's business model, as Jon Millican, Facebook's software engineer for Messenger privacy, explained in a talk Friday at the Real World Crypto conference in New York. Millican readily admitted that means Facebook users shouldn't expect to see a default encryption rollout for several years. That also likely means the company's planned integration of WhatsApp, Facebook, and Instagram messaging will take at least as long, given that all three would likely need to be end-to-end encrypted to avoid undermining the existing default protections in WhatsApp.

A Facebook Bug Exposed Anonymous Admins of Pages
A bug that was live from last Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one—but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves. "We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history," Facebook said in a statement.

Using Firefox? Update it now, according to the U.S. Department of Homeland Security
On Friday the U.S. Department of Homeland Security issued an alert about a “critical vulnerability” affecting Mozilla’s Firefox browser. The DHS advised all Firefox users to update their browser software immediately. The vulnerability was due to a flaw in the “IonMonkey JIT compiler”, which could “lead to a type confusion”... essentially a bug in the part of Firefox that helps to render JavaScript in your browser, which could allow an attacker to run malicious code on your computer. Typically, this type of attack is targeted at a limited number of people and would be done by luring you to a specific website. Most Firefox installs have auto-update turned on by default, so should be safe, but you can check the status of Firefox by looking in the menu bar under Firefox/About Firefox for version 71.0.1.

BR: Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan: Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries. The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers. "In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted for transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. They claim the tech has reached an "inflection point" at which it's ready for practical use. The bank experiment used AI to determine the likelihood of a loan application within the coming 90 days. IBM claimed the same prediction accuracy rate with encrypted data as with unencrypted data.
We were hoping for a little bit more from this research. HE rolls on, but it may not be ready for prime time for quite a while yet.

CN: Intrusion Truth is back
The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are providing the infrastructure for attackers working on Beijing’s behalf. By identifying job postings seeking offensive cybersecurity skills, Intrusion Truth found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting that the employers actually are trying to recruit hackers for advanced persistent threat groups.

US: Amid Senate scrutiny, Ring responds
Ring has answered questions about its data protection policies following a string of security incidents in which hackers breached the company’s cameras to view customers' footage. In a letter to five Senate Democrats this week, Ring said it was promoting two-factor authentication with users and scouring the web for credentials sucked up in third-party breaches. For at least one lawmaker, however, the company needs to do more. “There are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers,” Sen. Ron Wyden, D-Ore., said in a statement.

Scant details about that Vegas incident
Las Vegas officials said that the city experienced a network security incident that may result in “brief interruptions of service” to its residents and visitors, though there are few details about the event. A post from the city’s official Twitter account referred to the incident as a “cyber compromise” that was initially detected at about 4:30 a.m. on Tuesday, and quickly addressed by the city’s Department of Information Technologies. A spokesman said the incident was likely set off by a malicious email, and that, like many other large local-government organizations, Las Vegas is on the receiving end of hundreds of thousands of breach attempts every month.

UK: A tech retailer was lucky to be breached when it was
Malicious software lurking inside point-of-sale systems at Dixons Carphone stores from July 2017 through April 2018 collected payment card data of 5.6 million people. Attackers accessed personal information including names, email addresses and details about failed credit checks on some 14 million people thanks to weaknesses in the $10.5 billion retailer’s networks. The U.K.’s Information Commissioner’s Office fined the company £500,000 ($653,000) for the incident, the highest penalty authorized under the U.K.’s 1988 Data Protection Act. The incident occurred just before the EU started enforcing the General Data Protection Regulation, and the ICO’s top investigator openly suggested the penalty would have hurt much more if they could have used that landmark data protection law.