In the News…
January 2018... New Year, New (and Old) Threats
A significant emerging threat is being rapidly patched by operating system and cloud services vendors, as the potential for malware attacks that read restricted memory is identified, due to flaws in processor design, especially on Intel CPUs.
One defense against email phishing attacks is to train users to detect and report them ... by sending them simulated phishing emails:
Using your face as your password? Windows 10 has trouble telling the real thing from a photo...
(Original report in German: https://www.syss.de/pentest-blog/article/2017/12/18/460/ )
Microsoft includes the "Keeper" password manager in Windows 10; the "bonus feature" was that a vulnerability allowed your passwords to be stolen.
Internet of (hackable) Things ... Apple patches flaws in their HomeKit code that would have allowed unauthorized access to smart locks and garage door openers...
Microsoft "oops" department ... private key for Microsoft Dynamics product is accidentally leaked...
Microsoft's Vulnerability Database was breached in 2013. Security researchers feel this breach opened up significant exploit opportunities, but Microsoft kept it quiet, treating it as no big deal...
Maritime computer defenses are sorely lacking - "Ships are basically big floating security nightmares"
Lawmakers in the US have proposed legislation to allow businesses to "pursue" cyber criminals and be exempted from the Computer Fraud and Abuse Act (CFAA). While the CFAA has been used in overreaching ways to punish researchers and activists, many security experts feel that this bill only opens up new issues and does not resolve existing ones.
Security researcher Mathy Vanhoef disclosed a new serious vulnerability in the WPA2 protocol, which most devices and routers use to encrypt WiFi traffic. This issue can make a private WPA2-secured network as open as a public coffee shop hotspot, and expose unencrypted communications.
The New York Times runs an in-depth piece on the rise of North Korean Cyber Warfare capabilities.
Quick Reads for the week:
The US Securities and Exchange Commission (SEC) found its email spoofed and malware hosted on its servers:
Equifax continues to prove itself unable to handle the simplest website security issues:
Author John Detrixhe of Quartz suggests that "hacking is inevitable", and we should just assume that our data will eventually be stolen.
A significant critical issue in the Windows DNS Client, affecting client computers running Windows 8 or later and servers running Windows 2012 or later, allows attackers to exploit a heap buffer overflow and run arbitrary code on the target computers.
The issue was patched by Microsoft this past week as CVE-2017-11779. Unpatched systems can be targeted by "man in the middle" attacks.
From Security Researcher Nick Freeman:
"Better late than never dept".... Internet company Disqus, which creates commenting systems used by many popular news websites, confirmed that a 2012 database breach exposed information on 17.5 million users, including about 6 million salted SHA1-hashed passwords. Disqus themselves were apparently unaware of the breach until now; they were informed by security researcher Troy Hunt that the data was available.
This week Yahoo admitted that a 2013 data breach, one of the largest of all time, actually resulted in the theft of data on all 3 billion Yahoo user accounts in existence. This was a year before the now famous "Russian FSB" data breach, which had a "Canadian connection": Ancaster resident Karim Baratov was one of four individuals indicted in that breach.
How the Russian Breach took place:
While Equifax may be suffering media scrutiny over the handling of their massive data breach, debate continues about how much real effect there will be for the company due to weak privacy protection laws in the US. This past week the IRS awarded Equifax a new contract to help "prevent fraud".
Week of September 25th 2017…
One of the world's largest accounting firms, Deloitte, has admitted that it was subject to a significant breach of its internal systems and client emails after an administrator's account was compromised. The breach likely began in late 2016, was discovered in March, and was reported just this month. In the past Deloitte has bragged that it was "ranked the best cybersecurity consultant in the world".
Adobe somewhat misunderstood the use of their "private" PGP email encryption key, accidentally posting it to the web. Also - does anyone actually use email encryption? The creator of PGP apparently doesn't.
Week of September 18th 2017…
A freeware system cleanup/optimization tool used by millions of users, CCleaner, was infected by data-harvesting malware, resulting in the compromise of over 2 million systems.
Fallout from the Equifax Data breach continues…
UK Government's National Cyber Security Centre reports that data from 400,000 UK citizens has been compromised:
Equifax has committed to updating affected Canadians soon:
Equifax CIO and CSO "Retire" in wake of security breach:
Week of September 11th 2017…
A newly discovered attack against Bluetooth devices, dubbed "BlueBorne", can infect Windows, Android and iOS devices that have Bluetooth turned on, without requiring any action on the part of the user being attacked. Exploits could be launched from 30 feet away, and most systems in use today are not patched or protected.
Information continues to come out slowly about the massive data breach at credit rating firm Equifax, potentially involving the private data from over 140 million Americans and an unknown number of Canadians and British citizens. The data includes key personal data such as Social Security numbers, driver's license numbers, and more. Equifax took over a month to report the breach, and to many is doing far less than required to address it.
From the NY Times - "Equifax's Maddening Unaccountability":
While initial technical analysis is limited, it appears that the breach was made through a vulnerability in Apache Struts, an open source web framework, that was discovered and patched in March 2017. As well, data was likely compromised from May to July, before being detected on July 29th.
Response from Apache Software Foundation:
Canada's Privacy Commissioner launches investigation into data breach:
A new vector for malware on Windows PCs - running inside the Windows Subsystem for Linux (WSL). In fact, Windows malware can run under WINE inside the WSL on Windows 10 systems, avoiding detection by anti-virus and anti-malware products.
A report from Vice Motherboard:
In South Korea, phones used by youth under 19 must include parental-monitoring software. However, vulnerabilities in those monitoring tools could be far more dangerous than the problem they are trying to solve:
A report by Citizen Lab:
Week of September 4th 2017…
Cyber Security intrusions and hacking in the US 2016 Election were far more widespread than previously detailed, and yet the attacks are receiving little scrutiny, according to a report in the New York Times.
MacEwan University in Alberta was the target of a Phishing Attack in August, and the result was the payment of over $11 million to the attackers. The attack was based on some of the most common and basic forms of social engineering, including the creation of realistic-looking fake websites and emails. MacEwan University officials call the issue an "administrative error".
The largest email and password data dump to date has been published online, featuring over 700 million records. The primary use of this information appeared to be for the purposes of targeting spam and sending spam through other mail servers (SMTP relays).
From Security professional Troy Hunt:
Week of August 28th 2017…
How long does it take malware attackers to find and exploit an unsecured device attached to the internet? About 2 minutes, according to tests by a SANS institute researcher.
Point-of-Sale (POS) System vulnerabilities can allow attackers to override security, configuration, and even pricing at retail stores.
Many owners of Internet-of-Things (IoT) devices who have not changed the default passwords on their devices have been at greatly increased risk since June, when credentials for over 30,000 devices were posted to the internet. Many of these devices have been used in DDoS (Distributed Denial of Service) attacks and for other purposes. Researchers have been working to contact the owners to secure their devices.
Week of August 21st 2017…
Law Enforcement is increasingly accessing the data stored on smartphones of protesters and activists that are detained at demonstrations and rallies. The Intercept has provided some tips on how individuals can protect the privacy of data on their devices.
Blockchain technologies incorporate cryptography and computer security principles, and beyond their use in cryptocurrencies such as Bitcoin, they are set to make an impact in all areas of cyber security.
Researchers at security firm IOActive, based in Seattle, have demonstrated hacking into consumer home robots, and using them for surveillance, as well as remotely controlling them. As with all Internet of Things (IoT) devices, connected home robots pose significant risks for malware infection. Connected industrial robots may pose even greater physical and economic risks.
Coverage from Bloomberg Technology:
Week of August 14th 2017…
Security firm Trend Micro demonstrated the use of a "Denial-of-Service" (DoS) type of hack on an automobile's electronic control systems to disable airbags, brakes, and more.
Report from Wired:
A faulty software update for Internet-connected smart locks from manufacturer LockState has left the locks no longer working electronically or controllable remotely, an example of the risks of IoT (Internet of Things) devices.
Cyber security firm Kaspersky Lab has released a report on malware covering April to June 2017, and has found that exploit threats have reached record highs, including ransomware, spyware, and other attacks taking advantage of recently published exploits.
Kaspersky Lab Q2-2017 Advanced Persistent Threat (APT) Report:
Week of August 7th 2017...
Entertainment Weekly was the first to report that HBO has suffered a major cyber attack, resulting in the loss of a significant amount of data, including emails, scripts, and full episodes of programs. Neither the full extent of the hack nor the weaknesses the attackers exploited is yet clear.
HBO offers "White Hat Hacker" Bounty Payment to attackers:
In 2003, the National Institute of Standards and Technology (NIST) published a paper on computer security that included an appendix on password best practices - use special characters and change passwords often. The author of that appendix, Bill Burr, now admits that he was wrong about both of those guidelines.
Coverage from Engadget:
Read more about the efforts to make passwords better:
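What the revised guidance looks like in practice, as an added example that is not from the page or from NIST: a password acceptance check that screens on length and a breached-password blocklist, with no special-character rules and no expiry. It follows the NIST SP 800-63B (2017) recommendations as I understand them; the blocklist is a constructed sample, not a real breach corpus.

```python
"""Password acceptance check in the spirit of the revised NIST SP 800-63B
guidance: length and breached-password screening instead of composition
rules and forced rotation. Added example, not code from the page or NIST."""
import unicodedata

# Constructed sample of commonly breached passwords. A real deployment would
# load a large list (e.g. from a breached-password lookup service).
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8    # minimum length for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, blocklist=SAMPLE_BLOCKLIST, context=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: mixed-case / special-character requirements and any
    expiry date, the two rules the old appendix recommended.
    `context` holds words tied to the account (user name, service name) that
    the password must not contain.
    """
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist:
        problems.append("appears in breached/common password list")
    for word in context:
        if word and word.lower() in pw.lower():
            problems.append(f"contains context word {word!r}")
    return problems


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "Password", "short"):
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Note that a long passphrase with spaces and no symbols passes, while an eight-character "compliant" password that sits on the breach list does not; that inversion is the point of the revised guidance.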
Hackers are always looking to find new attack vectors for malware (new ways to distribute and infect systems). Researchers have found a way to encode malware in DNA, which would then compromise DNA sequencing software and devices.
Sometimes security vulnerabilities don't even require malware or unauthorized intrusions… a poorly written Pseudo-Random Number Generator (PRNG) can be exploited just by watching the device's output, as with a slot machine.
Detailed story from Wired: https://www.wired.com/story/meet-alex-the-russian-casino-hacker-who-makes-millions-targeting-slot-machines/
Week of July 31st 2017...
Marcus Hutchins, a security researcher who became known for helping to combat and disable the "WannaCry" ransomware attack in May, has been arrested by the FBI for a role in helping to create a malware program known as "Kronos". Hutchins was in the US visiting a global security conference.
The Verge covers the arrest by the FBI:
The charges include three counts of making "illegal wiretapping devices," and the Washington Post examines the legal issues here:
A successful phishing attack on programmer Chris Pederick, creator of a Chrome extension called Web Developer with over a million users, resulted in his product being hijacked and used to distribute an adware-infected version to his users, before Google helped him regain control over his product.
The US Senate will consider a bill that will make it illegal to sell IoT (Internet of Things) devices that contain security weaknesses to the US Government.
Researchers demonstrate how ad-tracking data can be used to easily match up web users with their browsing history and visited web sites.