A collection point
...and some of my own.
Woot Woot Amazon Prime day - stay safe!
Prime days are already here. Cybercriminals never miss an opportunity, and that even applies to Amazon sale days. Never click on e-mail promotional links for Amazon, as they are more likely than not to be fake. Set 2FA/MFA on your Amazon account... you can use anything from Authy and Google Authenticator to SMS texts (and frankly even that is better than just a password).

In memoriam – Corby Corbató, MIT computer science pioneer, dies at 93 (July 11, 2019)

Fernando José Corbató, better known simply as Corby, won the 1990 Alan Turing Award – the equivalent of a Nobel Prize in computer science – for his pioneering work organizing the concepts and leading the development of the general-purpose, large-scale, time-sharing and resource-sharing computer systems, CTSS and Multics. Most people who use Linux know that the name is a sort-of pun on Unix, the operating system that Linux most resembles. But nowhere near as many people realize that the name Unix was originally Unics, and was itself a pun on Multics, the ground-breaking multiuser operating system that gave rise to the Unix project itself. Multics, in turn, was essentially version 2 of a Massachusetts Institute of Technology (MIT) operating system called CTSS, short for Compatible Time-Sharing System. CTSS offered a whole new way of organizing computation, one that we take for granted these days on our laptops, servers and phones. You could run programs in the background as batch jobs, or in the foreground as interactive sessions, and that was “you (plural)”, because several users could be running interactive sessions at the same time.

Police in the UK, backed by the government, are testing a facial-recognition system that is 20 percent accurate

Adam Smith: Britain has a close relationship with security cameras. London alone has one of the highest ratios of surveillance cameras per citizen in the developed world.
Estimates from 2002 put the number of surveillance cameras in Greater London at more than 500,000; around 110 are used by the City of London Police, according to data obtained through a 2018 Freedom of Information request. Being recorded apparently is not enough; London's Metropolitan Police Service has been testing the use of facial-recognition cameras, and the effort has the support of Home Secretary Sajid Javid—who oversees immigration, citizenship, the police force, and the security service. "I think it's right they look at that," he said, according to the BBC.

What Is Doxxing?

Doxxing is revealing and publishing someone’s personal information. This information is collected through various means and combined to create a complete profile of personal data. It's not just social media; there is a lot more on the internet about us that we might not share ourselves, like property registration details, children's dates of birth, school and workplace details of family members, phone numbers, location details, and other data. These details are harmless on their own, as each is just a piece of information with no context, but if they are combined and arranged properly, these minor details may become problematic. The primary victims of doxxing are celebrities. (So, you, of course.) Most often doxxing is used as a means to attack opponents and to defame public figures and influential personalities. To limit this threat, control your use of social media; if you own a blog, opt for WHOIS protection (WHOIS protection, or domain privacy, is the ability to mask the information you used to register your domain name.
When you purchase a domain from a registrar like GoDaddy, Google, or any other registrar, the registrar is required to report specific bits of information about the consumer for public record.) Delete past records (comments and posts), use a VPN when web surfing, and use different e-mails for different activities.

More than 180,000 routers in Brazil had their DNS settings changed in Q1 2019

Catalin Cimpanu: Most of the Brazilian home routers were hacked while visiting sports, movie streaming sites, or adult portals. On these sites, malvertising runs special code inside users' browsers to search for and detect the IP address of their home router brand and model. When they detect the router's IP and type, the adware uses a list of default usernames and passwords to log into users' devices, without their knowledge. If the attacks are successful, additional code modifies the default DNS settings on the victims' routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers. The next time the users' smartphone or computer connects to the router, it will receive alternate DNS server IP addresses, and this way funnel all DNS requests through the attacker's servers, allowing them to hijack and redirect traffic to malicious clone sites, stealing account login details and passwords. Three different attack variants have evolved, the last of which is based on Sonar.js, a tool typically used for penetration testing of network components.

The big question is why this activity so far has been concentrated only in Brazil. Expect it to make its way to a network near you soon. In the meantime use complex router admin passwords (i.e. change the default), keep your router patched and verify your DNS settings.
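As an added example (not part of Catalin Cimpanu's article), here is a small Node.js script a defender can use to act on that last piece of advice: it audits the resolvers the router handed out against an expected set, and diffs the answers the configured resolver gives for high-value names against a trusted resolver. The trusted-resolver list and every sample input are assumptions.

```javascript
// Added example, not from the article: a defender-side check for the hijack
// pattern described above. It audits the resolvers a machine was handed by its
// router against an expected set, and diffs the answers two resolvers give for
// high-value names. TRUSTED_RESOLVERS and every sample input are constructed.
const TRUSTED_RESOLVERS = new Set(["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"]);

// RFC 1918 and link-local ranges: a resolver here is normally the router itself.
function isPrivateIPv4(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// Classify each configured resolver. A "lan" verdict is not a clean bill of
// health: in the Brazilian campaign the router itself forwarded to attacker
// servers, so its upstream DNS entries must be checked in the admin interface.
function auditResolvers(servers, trusted = TRUSTED_RESOLVERS) {
  return servers.map((ip) => {
    if (trusted.has(ip)) return { ip, verdict: "trusted" };
    if (isPrivateIPv4(ip)) return { ip, verdict: "lan" };
    return { ip, verdict: "unexpected" };
  });
}

// Compare answer sets {name: [ips]} from the configured resolver and a trusted
// one; names whose sets differ are candidates for redirection to clone sites.
function compareAnswers(configured, reference) {
  const key = (ips) => [...ips].sort().join(",");
  return Object.keys(reference)
    .filter((name) => key(configured[name] || []) !== key(reference[name]))
    .sort();
}

// Live check (needs network): resolve `names` through the system resolver and
// through one trusted resolver, then diff. Not run by the offline demo below.
async function liveCheck(names, trustedIp = "1.1.1.1") {
  const { promises: dnsp, getServers } = require("dns");
  const trusted = new dnsp.Resolver();
  trusted.setServers([trustedIp]);
  const lookup = async (resolver) => {
    const out = {};
    for (const name of names) {
      try { out[name] = await resolver.resolve4(name); } catch { out[name] = []; }
    }
    return out;
  };
  const system = new dnsp.Resolver(); // uses the OS-configured servers
  return {
    resolvers: auditResolvers(getServers()),
    mismatches: compareAnswers(await lookup(system), await lookup(trusted)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample: router at 192.168.0.1 plus an unknown third resolver.
  console.log(auditResolvers(["192.168.0.1", "8.8.8.8", "203.0.113.53"]));
  // Constructed answers: the configured resolver returns a different address
  // for the bank but the same one for the shop.
  console.log(compareAnswers(
    { "bank.example": ["203.0.113.9"], "shop.example": ["198.51.100.4"] },
    { "bank.example": ["198.51.100.7"], "shop.example": ["198.51.100.4"] },
  ));
}
```

Run `liveCheck(["yourbank.example"])` on a machine behind the router to perform the real comparison; the offline demo only exercises the classification and diff logic.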
Premera Blue Cross to pay $10 million to 30 states over data breach

Premera Blue Cross has consented to pay $10 million as compensation for a nearly year-long (May 5, 2014 through March 6, 2015) data breach that impacted more than 10.4 million health patients, Washington state’s Attorney General Bob Ferguson announced on July 11, 2019. Of those funds, $5.4 million will go to Washington, with the remaining $4.6 million split among the other 29 states. Premera has also been ordered to hire a Chief Information Security Officer (CISO) and a Chief Compliance Officer (CCO), provide data security reports to the Attorney General (AG), and create a training program for employees.

Cyber-attacks on UK businesses hit an all-time high in the second quarter of 2019, averaging one every 50 seconds

The business ISP Beaming analyzed traffic for its customers during the period and found them to be on the receiving end of 146,491 attempted attacks each, on average. That’s 179% higher than the same period in 2018, when firms faced down 52,596 attacks on average. IoT devices and file sharing services were most frequently targeted, hit by 17,737 and 10,192 attacks respectively during the quarter.

Backdoor found in Ruby library for checking for strong passwords

A diligent developer's security practices uncovered a dangerous backdoor in a popular Ruby library for checking the strength of user-chosen passwords. The malicious code would check whether the library was being used in a test or production environment. When in production, it would download and run a second payload from Pastebin.com, a text hosting portal.

Mystery of NSA Leak Lingers as Stolen Document Case Winds Up

“It was extraordinarily damaging, probably more damaging than Snowden,” cybersecurity expert Bruce Schneier said of the Shadow Brokers leaks. “Those tools were a lot of money to design and create.” Yet none of that is likely to be mentioned at Martin’s July 17 sentencing.
The hearing instead will turn on dramatically different depictions of the enigmatic Martin, a Navy veteran, longtime government contractor — most recently at Booz Allen Hamilton — and doctoral candidate at the time of his arrest. Prosecutors allege Martin jeopardized national security by bringing home reams of classified information even as, they say, he once castigated colleagues as “clowns” for lax security measures. The agents who searched his house that August 2016 afternoon found a trove of documents in his car, home and a dusty, unlocked shed. The 50 terabytes of information from 1996 to 2016 included personal details of government employees and “Top Secret” email chains, handwritten notes describing the NSA’s classified computer infrastructure, and descriptions of classified technical operations.

Ubuntu-Maker Canonical’s GitHub Account Hacked

On Saturday, an unknown hacker successfully broke into the official GitHub account of Canonical, the company behind the Ubuntu Linux project, and created 11 new empty repositories. It appears that the cyberattack was, fortunately, just a "loud" defacement attempt rather than a "silent" sophisticated supply-chain attack that could have been abused to distribute modified malicious versions of the open-source Canonical software. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected."

How to Protect your Children's Data and Privacy

Sophie Allaert, Mélina Cardinal-Bradette and Elif Sert: 81% of the world’s children and 92% of US children now have an online presence before they turn 2. 95% of US teens report having (or having access to) a smartphone. 45% of those teens are online on a near-constant basis, an average of 9 hours each day.
Facebook CEO Mark Zuckerberg has asserted that “data ownership” is the answer to this massive online footprint, in which users control their own data and decide when to allow corporations or governments to use it. Though this idea may sound appealing, it is not a sufficient tool in protecting individuals—especially children—from the pervasive effects of an uncontrollable online identity. First, ownership makes no sense when the subject isn’t the creator of the content. Indeed, a person cannot remove content published about them by someone else. During their earliest years, kids' digital identities are shaped by other individuals, most likely their parents. That means a massive amount of public information about them might be generated before they are able to understand what it means to give consent. Furthermore, data can be aggregated. Regardless of whether a person uses online services, some decisions will still be made without their control—even without their knowledge—through inference algorithms. Imagine that a child avoids having a digital footprint—that neither this child’s parents nor the child herself has ever used or posted anything online. Institutions can still use data about other youngsters who fall into similar categories (such as those with the same zip code or those who go to the same school) to make inferences about the child. The Human Rights Center at UC Berkeley School of Law recently published a Memorandum on AI and Child Rights. The research sheds light on how new technologies might affect children’s freedom of expression, as well as their rights not to be subjected to discrimination or abuse. Past generations were able to grow up without a digital record of their past. This generation, and the ones to come, will be held accountable to their inescapable online identities. How current regulations respond to this shift is a fundamental question of our time.

Hacker Lexicon: What Is Credential Dumping?
Andy Greenberg: The term refers to any means of extracting, or “dumping,” user authentication credentials like usernames and passwords from a victim computer, so that they can be used to reenter that computer at will and reach other computers on the network. Often credential dumping pulls multiple passwords from a single machine, each of which can offer the hacker access to other computers on the network, which in turn contain their own passwords ready to be extracted, turning a single foothold into a branching series of connected intrusions. The danger of credential dumping is that it can turn even one forgotten computer with unpatched vulnerabilities into that sort of network-wide disaster.

It’s not the systems that everyone knows about that you need to worry about; those are patched. It's the systems you don't know about. A foothold on these unimportant systems can spread to the rest of your network.

China Is Forcing Tourists to Install Text-Stealing Malware at its Border

Joseph Cox for Motherboard: Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller's device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic content, academic books on Islam by leading researchers, and even music from a Japanese metal band.
In no way is the downloading of tourists’ text messages and other mobile phone data comparable to the treatment of the Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches. Last week, VICE News published an undercover documentary detailing some of the human rights abuses and surveillance against the Uighur population, but the malware news shows that the Chinese government’s aggressive style of policing and surveillance in the Xinjiang region has extended to foreigners, too.

Plot to steal cryptocurrency foiled

npmjs.org blog: The attack was carried out using a pattern that is becoming more and more popular: publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload. The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify ^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet). The next version of electron-native-notify was published 15 days later and was the first version to include a malicious payload. Following that, Agama version v0.3.5 was released on Apr 13.
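As an added example (not code from the npm post), the script below replays the electron-native-notify publication timeline from the post under npm's caret-range rules, to show what a floating ^1.1.5 dependency resolves to on different install dates and what an exact pin would have done instead. The install dates passed to resolve() are assumptions.

```javascript
// Added example, not code from the npm post: replay the electron-native-notify
// publication timeline to show what a floating "^1.1.5" dependency resolves to
// on different install dates, versus an exact pin. The timestamps are the ones
// listed in the post; the install dates passed to resolve() are assumptions.
const TIMELINE = {
  "1.0.0": "2019-03-06T23:54:33.625Z",
  "1.0.1": "2019-03-07T03:07:45.585Z",
  "1.0.2": "2019-03-07T03:10:00.491Z",
  "1.0.3": "2019-03-08T03:46:17.223Z",
  "1.1.0": "2019-03-08T04:04:55.489Z",
  "1.1.1": "2019-03-08T04:18:13.915Z",
  "1.1.2": "2019-03-08T04:29:26.857Z",
  "1.1.3": "2019-03-08T04:44:44.991Z",
  "1.1.4": "2019-03-08T04:47:23.483Z",
  "1.1.5": "2019-03-08T09:58:07.558Z", // EasyDEX-GUI adds the dependency
  "1.1.6": "2019-03-23T09:28:57.679Z", // malicious payload introduced
  "1.1.7": "2019-03-23T10:45:36.035Z",
  "1.2.0": "2019-04-16T02:09:56.904Z",
  "1.2.1": "2019-05-11T11:44:21.933Z",
  "1.2.2": "2019-06-03T15:26:40.054Z",
};

function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a plain x.y.z version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// npm caret semantics: ^X.Y.Z allows any version that does not change the
// left-most non-zero component (^1.1.5 => >=1.1.5 <2.0.0, ^0.1.5 => <0.2.0,
// ^0.0.5 => exactly 0.0.5). A range without "^" is treated as an exact pin.
function satisfies(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return compareVersions(version, base) === 0;
}

// What a fresh "npm install" (no lockfile) picks at time `atIso`: the highest
// published version that satisfies the range, or null if none exists yet.
function resolve(range, timeline, atIso) {
  const at = Date.parse(atIso);
  const candidates = Object.entries(timeline)
    .filter(([v, published]) => Date.parse(published) <= at && satisfies(range, v))
    .map(([v]) => v)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Defender view: releases matching the range that appeared after the dependency
// was added. Each one can enter a build without any change to the consuming
// project, which is why a lockfile plus review of lockfile diffs matters.
function driftSince(range, timeline, addedIso) {
  const added = Date.parse(addedIso);
  return Object.entries(timeline)
    .filter(([v, published]) => Date.parse(published) > added && satisfies(range, v))
    .map(([v]) => v)
    .sort(compareVersions);
}

if (typeof require !== "undefined" && require.main === module) {
  const addedAt = TIMELINE["1.1.5"];
  console.log("resolved when added:", resolve("^1.1.5", TIMELINE, addedAt));
  console.log("resolved on 2019-04-13:", resolve("^1.1.5", TIMELINE, "2019-04-13T00:00:00Z"));
  console.log("exact pin on 2019-04-13:", resolve("1.1.5", TIMELINE, "2019-04-13T00:00:00Z"));
  console.log("drift since lock:", driftSince("^1.1.5", TIMELINE, addedAt).join(", "));
}
```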
electron-native-notify publication timeline:

"1.0.0": "2019-03-06T23:54:33.625Z"
"1.0.1": "2019-03-07T03:07:45.585Z"
"1.0.2": "2019-03-07T03:10:00.491Z"
"1.0.3": "2019-03-08T03:46:17.223Z"
"1.1.0": "2019-03-08T04:04:55.489Z"
"1.1.1": "2019-03-08T04:18:13.915Z"
"1.1.2": "2019-03-08T04:29:26.857Z"
"1.1.3": "2019-03-08T04:44:44.991Z"
"1.1.4": "2019-03-08T04:47:23.483Z"
"1.1.5": "2019-03-08T09:58:07.558Z" <- KomodoPlatform/EasyDEX-GUI installs package
"1.1.6": "2019-03-23T09:28:57.679Z" <- Malicious payload introduced here
"1.1.7": "2019-03-23T10:45:36.035Z"
"1.2.0": "2019-04-16T02:09:56.904Z" <- Agama updated by sawlysawly to this version
"1.2.1": "2019-05-11T11:44:21.933Z"
"1.2.2": "2019-06-03T15:26:40.054Z"

After being notified by our internal security tooling of this threat, we responded by notifying and coordinating with Komodo to protect their users, as well as removing the malware from npm. Here is a brief demonstration showing the Agama wallet sending my wallet seed to a remote server. After launching the wallet application there is a request to `updatecheck.herokuapp…` on the right, which downloads the second stage payload. Once we enter our wallet seed, you will see another request to that remote server, successfully stealing our wallet seed.

FBI, ICE find state driver’s license photos are a gold mine for facial-recognition searches

Drew Harwell: Agents with the Federal Bureau of Investigation and Immigration and Customs Enforcement have turned state driver’s license databases into a facial-recognition gold mine, scanning through millions of Americans’ photos without their knowledge or consent, newly released documents show.
The FBI alone does 4,000 searches every month, and a lot of them go through state DMVs. Thousands of facial-recognition requests, internal documents and emails over the past five years, obtained through public-records requests by Georgetown Law researchers and provided to The Washington Post, reveal that federal investigators have turned state departments of motor vehicles databases into the bedrock of an unprecedented surveillance infrastructure. Police have long had access to fingerprints, DNA and other “biometric data” taken from criminal suspects. But the DMV records contain the photos of a vast majority of a state’s residents, most of whom have never been charged with a crime.

21 states, including Texas and Pennsylvania, plus the District of Columbia, allow the FBI to scan driver’s license photos.

Neither Congress nor state legislatures have authorized the development of such a system, and growing numbers of Democratic and Republican lawmakers are criticizing the technology as a dangerous, pervasive and error-prone surveillance tool.

Google still keeps a list of everything you ever bought using Gmail, even if you delete all your emails

Todd Haselton: In May, I wrote up something weird I spotted on Google’s account management page. I noticed that Google uses Gmail to store a list of everything you’ve purchased, if you used Gmail or your Gmail address in any part of the transaction. If you have a confirmation for a prescription you picked up at a pharmacy that went into your Gmail account, Google logs it. If you have a receipt from Macy’s, Google keeps it. If you bought food for delivery and the receipt went to your Gmail, Google stores that, too. You get the idea, and you can see your own purchase history by going to Google’s Purchases page: https://myaccount.google.com/purchases. At the time of my original story, Google said users can delete everything by tapping into a purchase and removing the Gmail.
It seemed to work if you did this for each purchase, one by one. This isn’t easy — for years' worth of purchases, this would take hours or even days of time. So, since Google doesn’t let you bulk-delete this purchase list, I decided to delete everything in my Gmail inbox. That meant removing every last message I’ve sent or received since I opened my Gmail account more than a decade ago. On Friday, three weeks after I deleted every Gmail, I checked my purchases list. I still see receipts for things I bought years ago. Prescriptions, food deliveries, books I bought on Amazon, music I purchased from iTunes, a subscription to Xbox Live I bought from Microsoft -- it’s all there. Google continues to show me purchases I’ve made recently, too. I can’t delete anything and I can’t turn it off. When I click on an individual purchase and try to remove it — it says I can do this by deleting the email, after all — it just redirects to my inbox and not to the original email message for me to delete, since that email no longer exists. So Google is caching or saving this private information somewhere else that isn’t just tied to my Gmail account. When I wrote my original story, a Google spokesperson insisted this list is only for my use, and said the company views it as a convenience. But it’s a convenience I never asked for, and the fact that Google compiles and stores this information regardless of what I say or do is a bit creepy.

Huawei products riddled with backdoors, zero days and critical vulnerabilities

Doug Olenick: The security research team at Finite State said it scanned more than 1.5 million files embedded within nearly 10,000 firmware images supporting 558 products, looking for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and 0-day vulnerabilities. “The results of the analysis show that Huawei devices quantitatively pose a high risk to their users.
In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors,” the report said. 55 percent of the devices had at least one backdoor, primarily in the form of hard-coded default user accounts and passwords, along with several types of embedded cryptographic keys. On average, 102 known vulnerabilities were associated with each instance of firmware, many rated critical or high, along with hundreds of potential zero-day issues. One of the reasons the vulnerabilities were included is Huawei’s development process. The study found the company’s engineers did not use secure development practices, in some cases including 20-year-old software libraries instead of the more secure current version. 29 percent of all devices tested had at least one default username and password stored in the firmware. In 76 instances of firmware, the device was by default configured such that a root user with a hard-coded password could log in over the SSH protocol, providing default backdoor access. Eight different firmware images were found to have pre-computed authorized_keys hard-coded into the firmware. 424 different firmware images contained hard-coded private SSH keys.

Microsoft beefs up OneDrive security

Gregg Keizer: Last week, Microsoft announced changes to its OneDrive storage service that will let consumers protect some or even all of their cloud-stored documents with an additional layer of security. The new feature - dubbed OneDrive Personal Vault - was trumpeted as a special protected partition of OneDrive where users could lock their "most sensitive and important files." They would access that area only after a second step of identity verification, ranging from a fingerprint or face scan to a self-made PIN, a one-time code texted to the user's smartphone or the use of the Microsoft Authenticator mobile app.
(The process is often labeled as two-factor security to differentiate it from the username/password that typically secures an account.) The idea behind OneDrive Personal Vault, said Seth Patton, general manager for Microsoft 365, is to create a failsafe so that "in the event that someone gains access to your account or your device," the files within the vault would remain sacrosanct. Access to the vault will also be on a timer, Patton said, that locks the partition after a user-set period of inactivity. Files opened from the vault will also close when the timer expires.

Yet another Florida city decides to pay ransomware hackers

Last Monday, Lake City, Fla., reportedly authorized its insurer to send the hackers 42 bitcoins ($500,000) in exchange for a decryption key to free computers hit earlier this month. The Ryuk ransomware strain was involved in the attack. (Last week, another Florida city, Riviera Beach, voted to let its insurer pay 65 bitcoins to the hackers behind a ransomware attack that infected municipal computers.) The FBI and IT security firms generally advise against paying ransomware hackers. Doing so keeps the hackers well funded and incentivizes them to strike again.

MongoDB Offers Field Level Encryption

MongoDB calls the new feature Field Level Encryption. It works somewhat like end-to-end encrypted messaging, which scrambles data as it moves across the internet, revealing it only to the sender and the recipient. In such a "client-side" encryption scheme, databases utilizing Field Level Encryption will not only require a system login, but will additionally require specific keys to process and decrypt specific chunks of data locally on a user's device as needed. That means MongoDB itself and cloud providers won't be able to access customer data, and a database's administrators or remote managers don't need to have access to everything either. For regular users, not much will be visibly different.
If their credentials are stolen and they aren't using multi-factor authentication, an attacker will still be able to access everything the victim could. But the new feature is meant to eliminate single points of failure. With Field Level Encryption in place, a hacker who steals an administrative username and password, or finds a software vulnerability that gives them system access, still won't be able to use these holes to access readable data.

Firm Uncovers Major Cyber-Espionage Campaign Against Telcos

Elizabeth Montalbano: The attack used tools and techniques commonly associated with a known China-based threat actor, APT10. First they collected CDR, or call detail record data: basically detailed metadata logs generated by a telecom provider that connects calls and messages between those on both ends of the call. While these logs don’t contain actual call or message content, they do provide significant insight into a person’s life, such as who is talking to whom, where people are located, and what device is being used. Then they got a China Chopper shell running on a vulnerable, publicly-facing IIS server. From there the attackers gathered information about the network and propagated across it, attempting to compromise critical assets such as database servers, billing servers, and Active Directory elements, over a period of at least two years.

How did this happen to so many (over 12) phone companies? Telecommunications companies are often woefully behind on implementing the latest security practices.

Presidential Phone Alerts Can Be Spoofed, Researchers Say

Presidential Alerts, which all modern cell phones in the United States are required to receive and display as part of the Wireless Emergency Alert (WEA) program, can be easily spoofed. Issued via the Integrated Public Alert and Warning System (IPAWS) along with AMBER alerts and imminent threat alerts, the Presidential Alerts are intended to inform the public of imminent threats and cannot be blocked.
In a recently published white paper, a group of security researchers from the University of Colorado Boulder demonstrated how Presidential Alerts could be targeted in spoofing attacks using commercially available hardware and modified open source software. “We find that with only four malicious portable base stations of a single Watt of transmit power each, almost all of a 50,000-seat stadium can be attacked with a 90% success rate; fake alerts in crowded cities or stadiums could potentially result in cascades of panic." Well, that is reassuring....

Six Arrested in $27 Million Cryptocurrency Theft

The scheme involved the use of typosquatting, a method where cybercriminals spoof or create an imitation of a well-known online cryptocurrency exchange in an attempt to trick users into providing their login credentials, gain access to their Bitcoin wallets and steal funds. The UK authorities identified possible suspects in the Netherlands in February 2018 and referred the case to the European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), which provided support and coordination for the operation. Five men and one woman were arrested.

Google formally announces Public DNS over HTTPS (DoH) supporting the RFC 8484 standard

With DNS over HTTPS, known as DoH, users can resolve DNS at the dns.google domain with the same anycast addresses (like 8.8.8.8) as the regular DNS service, with lower latency from edge PoPs throughout the world. General availability of DoH includes full RFC 8484 support at a new URL path, and continued support for the JSON API launched in 2016. The new endpoints are: https://dns.google/dns-query (RFC 8484 – GET and POST) and https://dns.google/resolve (JSON API – GET).

Apple is planning to hire 2,000 employees

A new engineering hub in Seattle promises to make the area a key location for software and hardware developers. The new Apple offices will be situated about a block from Amazon's main campus in South Lake Union.
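As an added example (not Google's code), the Node.js script below builds the RFC 8484 GET form of a query for the https://dns.google/dns-query endpoint named above, builds the equivalent JSON API URL, and decodes a wire-format answer, including the name-compression pointers real responses use. The queried name and the sample response bytes are constructed.

```javascript
// Added example, not Google's code: build an RFC 8484 GET request for the
// dns.google endpoint and decode a wire-format answer. The queried name and
// the sample response bytes below are constructed for the demo.
const DNS_QUERY_URL = "https://dns.google/dns-query";  // RFC 8484 endpoint
const JSON_RESOLVE_URL = "https://dns.google/resolve"; // JSON API endpoint
const QTYPE = { A: 1, TXT: 16, AAAA: 28 };

// Wire-format name: length-prefixed labels terminated by a zero byte.
function encodeName(name) {
  const parts = name.replace(/\.$/, "").split(".").map((label) => {
    if (label.length === 0 || label.length > 63) throw new Error(`bad label "${label}"`);
    return Buffer.concat([Buffer.from([label.length]), Buffer.from(label, "ascii")]);
  });
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// Query: 12-byte header (ID 0 as RFC 8484 suggests for cacheability, RD set,
// QDCOUNT 1) followed by one question (QNAME, QTYPE, QCLASS IN).
function buildQuery(name, type = "A") {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x0100, 2); header.writeUInt16BE(1, 4);
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(QTYPE[type], 0); tail.writeUInt16BE(1, 2);
  return Buffer.concat([header, encodeName(name), tail]);
}

// The GET form carries the message base64url-encoded without "=" padding.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function dohGetUrl(name, type = "A") {
  return `${DNS_QUERY_URL}?dns=${base64url(buildQuery(name, type))}`;
}
function jsonApiUrl(name, type = "A") {
  return `${JSON_RESOLVE_URL}?name=${encodeURIComponent(name)}&type=${type}`;
}

// Read a name at `pos`, following RFC 1035 compression pointers (bounded, so
// a malicious pointer loop cannot hang the parser); `next` is the offset just
// past the name in the original stream.
function readName(buf, pos) {
  const labels = [];
  let next = null, hops = 0;
  for (;;) {
    const len = buf[pos];
    if ((len & 0xc0) === 0xc0) {
      if (next === null) next = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      if (++hops > 16) throw new Error("compression pointer loop");
      continue;
    }
    if (len === 0) { if (next === null) next = pos + 1; break; }
    labels.push(buf.toString("ascii", pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join("."), next };
}

// Decode RCODE and the answer section; A records are rendered as dotted quads.
function parseResponse(buf) {
  const rcode = buf.readUInt16BE(2) & 0x0f;
  const qdcount = buf.readUInt16BE(4), ancount = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qdcount; i++) off = readName(buf, off).next + 4; // skip QTYPE, QCLASS
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const { name, next } = readName(buf, off);
    const type = buf.readUInt16BE(next), ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8);
    const rdata = buf.subarray(next + 10, next + 10 + rdlen);
    const data = type === QTYPE.A && rdlen === 4 ? [...rdata].join(".") : rdata.toString("hex");
    answers.push({ name, type, ttl, data });
    off = next + 10 + rdlen;
  }
  return { rcode, answers };
}
// Constructed reply to the example.com A query: NOERROR, one answer whose
// NAME is a pointer (0xc00c) to the question name, TTL 300, a TEST-NET address.
function buildSampleResponse() {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x8180, 2); header.writeUInt16BE(1, 4); header.writeUInt16BE(1, 6);
  const question = buildQuery("example.com").subarray(12);
  const answer = Buffer.alloc(16);
  answer.writeUInt16BE(0xc00c, 0); answer.writeUInt16BE(QTYPE.A, 2); answer.writeUInt16BE(1, 4);
  answer.writeUInt32BE(300, 6); answer.writeUInt16BE(4, 10);
  Buffer.from([203, 0, 113, 10]).copy(answer, 12);
  return Buffer.concat([header, question, answer]);
}
```

To query the live endpoint, send `dohGetUrl(name)` with an `Accept: application/dns-message` header and pass the response body (as a Buffer) to `parseResponse`.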
Docker containers are filled with vulnerabilities: Here's how the top 1,000 fared

James Sanders: Jerry Gamblin, principal security engineer at Kenna Security, created VulnerableContainers.org to evaluate the security of the 1,000 most popular containers based on downloads, and scans them for vulnerabilities. Using the open-source Trivy security tool and a virtual machine on AWS, Gamblin's script evaluates Docker images in execution to determine if vulnerabilities exist, which are then measured for severity according to Kenna Security's proprietary Risk Scoring methodology.

Official and popular Docker containers are filled with vulnerabilities

The results, frankly, are dramatic, with even relatively recently-updated containers having numerous vulnerabilities. Containers distributed by CircleCI, including Elixir, Golang, and OpenJDK, have hundreds of open vulnerabilities, while Ubuntu containers maintained by shared web host 1&1 Internet are vulnerable to an IMAP vulnerability (CVE-2018-19518)... These containers were updated last month. Microsoft's containers for ASP.NET Core and .NET have hundreds each, with PowerShell containing 30. OpenShift's Origin-Release container, updated this week, contains over 1,000 known CVEs, with the most severe (CVE-2016-2776) given the highest possible score by Kenna Security. Origin-Base, also updated this week, contains 420 known CVEs, with the most severe (CVE-2014-6278) receiving a score of 900. Several images maintained by LinuxServer.io have dozens of open vulnerabilities, with the most severe and commonly recurring being a medium-risk integer overflow in SQLite (CVE-2018-20346). The official Docker image of Plex Media Server, likewise, contains 79 known CVEs. Notably, HashiCorp's popular images are rather commendable—Packer and Terraform contain only two and one vulnerability each; both are low-severity and are easily patchable in a future update—the vulnerabilities relate to libcurl and OpenSSL, respectively.
Another security headache from Medtronic

A vulnerability in an insulin pump made by medical device vendor Medtronic could allow a hacker to change the pump’s settings and control the delivery of the hormone, the FDA warned Thursday, advising patients to ditch the equipment. Medtronic, which describes itself as the world’s largest medical technology company, has recalled the affected equipment. A company spokesperson told CyberScoop roughly 4,000 “direct customers” in the U.S. could be using the affected insulin pumps. The advisory is the latest example of a health care company struggling to secure medical technology.