Daily NCSC-FI news followup 2019-07-18

Bulgaria's biggest leak: Suspect arrested after cyber attack

www.euronews.com/2019/07/17/bulgaria-s-biggest-leak-suspect-arrested-after-cyber-attack Bulgarian police said on Wednesday they have arrested a suspect for a cyber attack on the country's National Revenue Agency (NRA), which led to the leak of personal and financial data of millions of people. Also:

www.grahamcluley.com/security-researcher-arrested-after-data-on-every-adult-in-bulgaria-hacked-from-government-site/ "Bulgarian anti-virus veteran Vesselin Bontchev tweeted a screenshot of what claims to be a message sent to local media by whoever hacked the NRA." https://twitter.com/VessOnSecurity/status/1151479373263974401

Firefox to Warn When Saved Logins are Found in Data Breaches

www.bleepingcomputer.com/news/software/firefox-to-warn-when-saved-logins-are-found-in-data-breaches/ Firefox will scan the saved login names and passwords and see if they were exposed in a data breach listed on Have I Been Pwned. If one is found, Firefox will alert the user and prompt them to change their password.
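The privacy-preserving way to ask a breach corpus "is this password known?" without sending the password is the k-anonymity range query that Have I Been Pwned's Pwned Passwords API offers: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that bucket with a count, and does the final match locally. The example below is an added illustration of that protocol written for this digest; it is not Firefox's or Mozilla's code, makes no claim about which HIBP endpoint Firefox actually queries, and replaces the network call with a constructed in-memory bucket (fake_fetch_range, with made-up counts) so that it runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent to the server, 35-char suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per breached hash in the bucket) into suffix -> count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in breaches; 0 if never.
    Only the 5-character prefix reaches fetch_range, so the server cannot learn the password."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def check_saved_logins(logins: List[Tuple[str, str]], fetch_range: Callable[[str], str]) -> List[str]:
    """Return the usernames whose saved password appears in the breach corpus."""
    return [user for user, pw in logins if pwned_count(pw, fetch_range) > 0]


# --- Constructed offline stand-in for the range API. The counts are made up; ---
# --- the hashes are computed locally so the example runs without network.    ---
_CONSTRUCTED_BREACHED = {"password": 3730471, "letmein": 240377}


def _build_fake_ranges() -> Dict[str, str]:
    buckets: Dict[str, Dict[str, int]] = {}
    for pw, n in _CONSTRUCTED_BREACHED.items():
        prefix, suffix = split_for_range_query(pw)
        buckets.setdefault(prefix, {})[suffix] = n
        # a decoy entry in the same bucket: the client must match the full suffix, not just the bucket
        buckets[prefix]["F" * 35] = 1
    return {p: "\r\n".join(f"{s}:{c}" for s, c in entries.items()) for p, entries in buckets.items()}


FAKE_RANGES = _build_fake_ranges()


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; enforces the 5-hex-char contract."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("range queries take exactly 5 upper-case hex characters")
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    saved = [("alice@example.com", "password"), ("bob@example.com", "Tr0ub4dor&3-xkcd-936")]
    print(check_saved_logins(saved, fake_fetch_range))   # ['alice@example.com']
```

The point of the split is that the server sees a bucket of hundreds of hashes and cannot tell which one the client cared about; a client that sent the full hash, or worse the password, would hand the checking service a credential list.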

Drugs moved under family father Kim Holviala's nose for years. Now he explains how the dark drug trade on the Tor network works

www.hs.fi/kotimaa/art-2000006176681.html Finnish Customs estimates that a third of the cannabis and amphetamine in Finland is sold through the Tor network. Drugs also changed hands on the discussion platform run by Kim Holviala. A court will soon rule on what responsibility the administrator bears for the drug trade. (Timantti long-form article, for subscribers)

Fresh stalkerware crop pops up on Google’s Android Play Store, swiftly yanked offline

www.theregister.co.uk/2019/07/18/android_stalkerware/ The mobile research team at Avast Threatlabs told The Register on Wednesday it believes as many as 130,000 people already downloaded the Android tools, which allow snoops to quietly hoover up contacts, texts, and call histories, and other private details, from devices they are installed on.

Cracking Mifare Classic 1K: RFID, Charlie Cards, and Free Subway Rides

www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/july/charlicard/ In the first section, we will walk through hardware requirements and each step for attacking a Mifare Classic card. Then we talk about Charlie Cards specifically, issues we found with their implementation, and some potential security controls that could be implemented to protect them.

15 Cybersecurity Fundamentals for Water and Wastewater Utilities

www.waterisac.org/fundamentals To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC has published a newly updated resource: 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. The original guide, first published in 2012, has been downloaded thousands of times.

Twitter Can be Tricked Into Showing Misleading Embedded Links

www.bleepingcomputer.com/news/security/twitter-can-be-tricked-into-showing-misleading-embedded-links/ Terence Eden discovered that a problem occurs when a page linked in a tweet monitors for the Twitter Card Generator's user agent of "Twitterbot/1.0". If the user agent is detected, it will redirect the bot to a different page; otherwise, it will display the normal content. When the Twitter Card Generator is redirected, it will use the metadata on the page it landed on to create the Twitter Card. While the card will look like it came from the redirected site, it will still link to the URL originally posted in the Tweet.
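The trick is plain user-agent cloaking: one URL, two behaviours depending on who asks. The example below is an added illustration for this digest, not code from Terence Eden's write-up or from Twitter. It models both sides: a constructed server (hypothetical hosts attacker.example and news.example) that redirects only requests whose User-Agent starts with "Twitterbot/", a model of the card generator that pulls og:* metadata from wherever it lands but keeps the tweeted URL as the click target, and the check a defender or link-scanner can run, fetching as the bot and as a browser and comparing where each lands. The only string taken from the article is the "Twitterbot/1.0" user agent.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, Optional, Tuple

TWITTERBOT_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/68.0"

Response = Tuple[int, Dict[str, str], str]      # (status, headers, body)
Fetcher = Callable[[str, str], Response]         # fetch(url, user_agent)


class _MetaCollector(HTMLParser):
    """Collect <meta property|name=... content=...> pairs; this is what the card generator reads."""

    def __init__(self) -> None:
        super().__init__()
        self.meta: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        if key and a.get("content") is not None:
            self.meta[key.lower()] = a["content"]


def extract_card_meta(html: str) -> Dict[str, str]:
    p = _MetaCollector()
    p.feed(html)
    return p.meta


# Constructed pages for the simulation (hypothetical hosts, not real sites).
PAGES = {
    "https://attacker.example/offer": (
        '<html><head><meta property="og:title" content="Double your coins today">'
        '<meta property="og:url" content="https://attacker.example/offer"></head>'
        "<body>Send 1 BTC, receive 2 BTC.</body></html>"
    ),
    "https://news.example/rates-story": (
        '<html><head><meta property="og:title" content="Central bank raises rates">'
        '<meta property="og:url" content="https://news.example/rates-story"></head>'
        "<body>Reporting.</body></html>"
    ),
}


def cloaking_server(url: str, user_agent: str) -> Response:
    """The trick described in the article: only the card generator's user agent gets redirected."""
    if url == "https://attacker.example/offer" and user_agent.startswith("Twitterbot/"):
        return 302, {"Location": "https://news.example/rates-story"}, ""
    return 200, {}, PAGES[url]


def fetch_following_redirects(url: str, user_agent: str, fetch: Fetcher, max_hops: int = 5) -> Tuple[str, str]:
    """Follow HTTP redirects the way a crawler does; return (final_url, body)."""
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return url, body
    raise RuntimeError("too many redirects")


def build_card(tweeted_url: str, fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Model of the card generator: metadata from wherever the bot lands, but the link stays the tweeted URL."""
    landed, body = fetch_following_redirects(tweeted_url, TWITTERBOT_UA, fetch)
    meta = extract_card_meta(body)
    return {"title": meta.get("og:title"), "shown_url": meta.get("og:url"),
            "fetched_from": landed, "click_target": tweeted_url}


def detect_cloaking(tweeted_url: str, fetch: Fetcher) -> Optional[Dict[str, Optional[str]]]:
    """Defensive check: fetch as the bot and as a browser; report if they land on different content."""
    bot_url, bot_body = fetch_following_redirects(tweeted_url, TWITTERBOT_UA, fetch)
    usr_url, usr_body = fetch_following_redirects(tweeted_url, BROWSER_UA, fetch)
    bot_meta, usr_meta = extract_card_meta(bot_body), extract_card_meta(usr_body)
    if bot_url == usr_url and bot_meta.get("og:title") == usr_meta.get("og:title"):
        return None
    return {"bot_landed_on": bot_url, "browser_landed_on": usr_url,
            "bot_title": bot_meta.get("og:title"), "browser_title": usr_meta.get("og:title")}


if __name__ == "__main__":
    print(build_card("https://attacker.example/offer", cloaking_server))
    print(detect_cloaking("https://attacker.example/offer", cloaking_server))
```

The card built for the attacker's URL carries the news site's title and og:url while its click target is still attacker.example, which is exactly the mismatch the article describes. The fix on the platform side is the same comparison detect_cloaking makes: either render the card from the final URL the bot reached, or refuse to pair one site's metadata with another site's link.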

BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0

www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ A Dridex loader sample […] was distributed through the Emotet malware on June 4, 2019. The Dridex sample contained code to decrypt either a 32-bit or a 64-bit core bot module from its sdata section using the exact same encryption, compression, and data format (previously described) that DoppelPaymer uses to extract PEs from its sdata section. This observation ties this Dridex variant directly with DoppelPaymer.

thehackernews.com/2019/07/android-permission-bypass.html In their talk "50 Ways to Pour Your Data" [PDF] at PrivacyCon, hosted by the Federal Trade Commission last Thursday, researchers presented findings outlining how more than 1,300 Android apps collect users' precise geolocation data and phone identifiers even when the user has explicitly denied the required permissions. For instance, the researchers found that the photo-editing app Shutterfly collects device location by extracting GPS coordinates from the metadata of photos, a side channel that works even when the user declined to grant the app location permission. Paper at

www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf
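The photo side channel works because an app that has been granted storage access but not location access can still read the Exif APP1 segment of any JPEG the user hands it, and the GPS IFD in there carries the coordinates the camera wrote. The example below is an added illustration for this digest, not code from the paper or from any of the apps it names. It is a minimal, standard-library-only reader for the relevant part of the Exif/TIFF structure (IFD0, the GPSInfo pointer, and GPS tags 1 to 4), a strip_exif function showing the mitigation a sharing path should apply, and a constructed sample file placing a photo at 60 deg 10 min 15.00 sec N, 24 deg 56 min 15.00 sec E. It handles both TIFF byte orders and inline versus offset-stored values, which is the general case rather than just the one constructed here.

```python
import struct
from typing import Dict, Iterator, Optional, Tuple

_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type -> bytes per value
_GPS_IFD_POINTER = 0x8825
_GPS_LAT_REF, _GPS_LAT, _GPS_LON_REF, _GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _iter_segments(jpeg: bytes) -> Iterator[Tuple[int, bytes, int, int]]:
    """Yield (marker, payload, start, end) for each header segment between SOI and SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS: entropy-coded data follows, stop here
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # length counts its own 2 bytes
        end = pos + 2 + length
        yield marker, jpeg[pos + 4:end], pos, end
        pos = end


def _read_ifd(tiff: bytes, endian: str, offset: int) -> Dict[int, Tuple[int, int, bytes]]:
    """Return {tag: (type, count, raw value bytes)} for the IFD at `offset` (relative to the TIFF header)."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        size = _TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                        # small values are stored inline in the 4-byte field
            raw = tiff[base + 8:base + 8 + size]
        else:                                # larger values live elsewhere; the field holds their offset
            (data_off,) = struct.unpack_from(endian + "I", tiff, base + 8)
            raw = tiff[data_off:data_off + size]
        entries[tag] = (typ, n, raw)
    return entries


def _rationals(endian: str, n: int, raw: bytes) -> Tuple[float, ...]:
    v = struct.unpack(endian + "II" * n, raw)
    return tuple(v[i] / v[i + 1] for i in range(0, 2 * n, 2))


def _dms_to_decimal(dms: Tuple[float, ...], ref: str) -> float:
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def exif_gps(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, payload, _, _ in _iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = ">" if tiff[:2] == b"MM" else "<"
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if _GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[_GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(t in gps for t in (_GPS_LAT_REF, _GPS_LAT, _GPS_LON_REF, _GPS_LON)):
            return None
        lat_ref = gps[_GPS_LAT_REF][2].rstrip(b"\x00").decode("ascii")
        lon_ref = gps[_GPS_LON_REF][2].rstrip(b"\x00").decode("ascii")
        lat = _dms_to_decimal(_rationals(endian, 3, gps[_GPS_LAT][2]), lat_ref)
        lon = _dms_to_decimal(_rationals(endian, 3, gps[_GPS_LON][2]), lon_ref)
        return lat, lon
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Mitigation: drop every APP1/Exif segment so the image carries no GPS data when shared."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, payload, start, end in _iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                        # SOS, entropy-coded data and EOI are copied untouched
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed JPEG container (SOI, APP1/Exif with a GPS IFD, EOI; no image data), not a real photo."""
    E = ">"                                  # "MM": big-endian TIFF
    lat = ((60, 1), (10, 1), (1500, 100))    # 60 deg 10 min 15.00 sec
    lon = ((24, 1), (56, 1), (1500, 100))    # 24 deg 56 min 15.00 sec
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0 holds one entry (the GPS IFD pointer)
    lat_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD holds four entries
    lon_off = lat_off + 3 * 8

    def entry(tag: int, typ: int, count: int, field: bytes) -> bytes:
        return struct.pack(E + "HHI", tag, typ, count) + field

    tiff = b"MM\x00\x2a" + struct.pack(E + "I", ifd0_off)
    tiff += struct.pack(E + "H", 1) + entry(_GPS_IFD_POINTER, 4, 1, struct.pack(E + "I", gps_off))
    tiff += struct.pack(E + "I", 0) + struct.pack(E + "H", 4)
    tiff += entry(_GPS_LAT_REF, 2, 2, b"N\x00\x00\x00") + entry(_GPS_LAT, 5, 3, struct.pack(E + "I", lat_off))
    tiff += entry(_GPS_LON_REF, 2, 2, b"E\x00\x00\x00") + entry(_GPS_LON, 5, 3, struct.pack(E + "I", lon_off))
    tiff += struct.pack(E + "I", 0)
    for num, den in lat + lon:
        tiff += struct.pack(E + "II", num, den)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("location readable without any location permission:", exif_gps(sample))
    print("after strip_exif:", exif_gps(strip_exif(sample)))
```

Nothing in exif_gps touches a location API, which is why the permission model does not see it; the only control that works is not to let the coordinates reach the app, either by stripping the segment when the photo is exported or shared, or by the platform redacting it from the stream an unprivileged app receives.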

New cyberthreats require new ways to protect democracy

blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/ Let's start with a quick look at the newest data available to us. In the past year, Microsoft has notified nearly 10,000 customers they've been targeted or compromised by nation-state attacks. About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts. While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states con […] The majority of nation-state activity in this period originated from actors in three countries: Iran, North Korea and Russia. We have seen extensive activity from the actors we call Holmium and Mercury operating from Iran, Thallium operating from North Korea, and two actors operating from Russia we call Yttrium and Strontium. We are excited that attendees of the Aspen Security Forum will be able to try our ElectionGuard demo. ElectionGuard is free and open-source and will be available through GitHub as an SDK later this summer. This week's demo is simply one sample of the many ways ElectionGuard can be used to improve voting, and the final SDK will also enable features like Risk Limiting Audits to compare ballots with ballot counts and other post-election audits. Also:

arstechnica.com/tech-policy/2019/07/microsoft-warns-10000-customers-theyre-targeted-by-nation-sponsored-hackers/ and

www.theregister.co.uk/2019/07/18/microsoft_demos_electionguard_system_will_publish_code_on_github/

Newly Discovered Malware Framework Cashing in on Ad Fraud

www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/ Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams.

Okrum: Ke3chang group targets diplomatic missions

www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/ The Ke3chang group, also known as APT15, is a threat group believed to be operating out of China. Its activities were traced back to 2010 in FireEye's 2013 report on Operation Ke3chang, a cyber-espionage campaign directed at diplomatic organizations in Europe. Also:

www.theregister.co.uk/2019/07/18/eset_ke3chang_diplomats_malware/ and the ESET white paper at

www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf

www.ssi.gouv.fr/uploads/2017/11/guide_dns_en_anssi_1.3.pdf This document is a guide for those responsible for the security of information systems, and for the system and network architects of organisations of all sizes, who have to circulate information, like IP addresses, via domain names that they hold and the DNS protocol.

TELIA'S NEW SOLUTION PUTS AN END TO SCAM CALLS

www.telia.fi/telia-yrityksena/medialle/epress?articleId=da63c785-dccb-47d0-b1bc-99be810c9210 Scammers constantly change how they operate, for example by changing the number range from which a scam call is placed. This makes the problem hard to stop. Telia's unique solution tracks identified number ranges and, for Finland, the volume of call traffic coming from abroad into Finland. Wangiri-type scam calls are identified in that traffic. Once identified, the source of the call traffic is blocked and the calls never reach Telia's custom […]
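A Wangiri ("one ring and cut") campaign has a recognisable shape in carrier call records: a foreign number range rotating its tail digits, very short unanswered rings, and many distinct subscribers hit in a short window, the aim being to bait callbacks to a premium-rate destination. The example below is an added illustration for this digest of the kind of volume-and-range detection the press release describes in outline; it is not Telia's code, and the record schema (CallRecord), the grouping by the first four digits after "+", the thresholds, and the call log are all constructed assumptions for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

HOME_COUNTRY_CODE = "+358"          # assumption: a Finnish operator handling E.164 numbers


@dataclass(frozen=True)
class CallRecord:
    """One inbound call attempt as a carrier might log it (constructed schema)."""
    ts: datetime
    caller: str          # E.164, e.g. "+22512340001"
    callee: str
    ring_seconds: float  # how long the subscriber's phone rang before the caller hung up
    answered: bool


def caller_prefix(number: str, digits: int = 4) -> str:
    """Group callers by the leading digits after '+': campaigns rotate the tail of the range, not the head."""
    return number[:1 + digits]


def detect_wangiri(records: Iterable[CallRecord], window: timedelta = timedelta(minutes=10),
                   min_targets: int = 20, max_ring: float = 5.0) -> Dict[str, int]:
    """Flag foreign number ranges whose brief, unanswered rings reach many distinct subscribers
    inside `window`. Returns {prefix: peak number of distinct callees seen in any window}."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.caller.startswith(HOME_COUNTRY_CODE) or r.answered or r.ring_seconds > max_ring:
            continue                      # domestic, answered, or normal-length rings are not the pattern
        events[caller_prefix(r.caller)].append((r.ts, r.callee))
    flagged: Dict[str, int] = {}
    for prefix, evs in events.items():
        peak, start = 0, 0
        for end in range(len(evs)):       # sliding window over the time-ordered events of this range
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({callee for _, callee in evs[start:end + 1]}))
        if peak >= min_targets:
            flagged[prefix] = peak
    return flagged


def should_block(caller: str, flagged: Dict[str, int]) -> bool:
    """Gate applied to the next inbound attempt: drop it if its range has been flagged."""
    return caller_prefix(caller) in flagged


def build_sample_records() -> List[CallRecord]:
    """Constructed call log: a one-ring burst from a rotating foreign range, plus benign traffic."""
    t0 = datetime(2019, 7, 18, 3, 0, 0)
    recs = [CallRecord(t0 + timedelta(seconds=6 * i), "+2251234%04d" % (i % 7),
                       "+35840%07d" % (1000000 + i), 1.5, False) for i in range(30)]
    recs += [CallRecord(t0 + timedelta(minutes=i), "+442071234567",
                        "+35850%07d" % (2000000 + i), 12.0, True) for i in range(5)]   # answered, legitimate
    recs.append(CallRecord(t0, "+358401111111", "+358402222222", 2.0, False))            # domestic missed call
    return recs


if __name__ == "__main__":
    flagged = detect_wangiri(build_sample_records())
    print(flagged)                                   # {'+2251': 30}
    print(should_block("+22512349999", flagged))     # True
```

Counting distinct callees rather than raw call attempts is what keeps a single subscriber with a flaky line from tripping the rule, and grouping by range rather than full number is what defeats the tail-digit rotation the release mentions; in production the thresholds would be tuned per origin country and the flagged ranges expired after a quiet period.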

The PGP Problem

latacora.micro.blog/2019/07/16/the-pgp-problem.html Cryptography engineers have been tearing their hair out over PGP's deficiencies for (literally) decades. When other kinds of engineers get wind of this, they're shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn't be telling you that, because PGP is bad and needs to go away.

Does Your Cloud Vendor Contract Include These Crucial Security Requirements?

securityintelligence.com/posts/does-your-cloud-vendor-contract-include-these-crucial-security-requirements/ One of the key challenges for cloud computing customers is to ensure that contracts include provisions for an appropriate level of security. Increased use of cloud services drives a heightened need for cloud vendor contracts to include basic security requirements. Any omission of security-related cloud vendor contract terms can expose your company to avoidable risks.

Galileo Initial Services have now been restored

www.gsa.europa.eu/newsroom/news/galileo-initial-services-have-now-been-restored Galileo Initial Services have now been restored. Commercial users can already see signs of recovery of the Galileo navigation and timing services, although some fluctuations may be experienced until further notice.

My browser, the spy: How extensions slurped up browsing histories from 4M users

arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/ DataSpii begins with browser extensions (available mostly for Chrome but in more limited cases for Firefox as well) that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visits. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as "God mode for the Internet" and uses the tag line "See Anyone's Analytics Account".

Those facial recognition trials in the UK? They should be banned, warns Parliamentary committee

www.theregister.co.uk/2019/07/18/gov_should_ban_facial_recognition_trials_immediately_warns_parliamentary_committee/ In an excoriating report (PDF), the Science and Technology Committee expressed a series of concerns over the government’s approach to biometrics and forensics.

The Other Side of Critical Control 1: 802.1x Wired Network Access Controls

isc.sans.edu/diary/rss/25146 So why do people want this, and why is it part of the Critical Controls? Because it really is about controlling both your known and unknown inventory. Known devices authenticate properly and are given access to the network. Unknown devices (visitors, or unsanctioned gear of any kind) are either denied access or shuffled off to a jail or guest VLAN. Either way, the access requests for the unknown devices are all logged and can then be investig […] Again, I did cover off the configuration for both MAC address authentication and "trust the phones". Neither is recommended if you are truly trying to secure things. However, in an open office environment with controlled access (visitor sign-in and locked doors), you can make the case that there are at least some compensating controls to hinder a physical pen-tester or on-premise attacker.

MITM on all HTTPS traffic in Kazakhstan

bugzilla.mozilla.org/show_bug.cgi?id=1567114 Since today all Internet providers in Kazakhstan started MITM on all encrypted HTTPS traffic. From the Kcell website: "In connection with the frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan, a security certificate was introduced that will become an effective tool for protecting the country's information space from hackers, Internet fraudsters and other types of cyber threats."

Bigger Rewards for Security Bugs

security.googleblog.com/2019/07/bigger-rewards-for-security-bugs.html Today, we’re delighted to announce an across the board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000.

Hard Pass: Declining APT34's Invite to Join Their Professional Network

www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html The targeted employee conversed with "Rebecca Watts", allegedly employed as "Research Staff at University of Cambridge". The conversation with Ms. Watts, provided in Figure 1, began with the solicitation of resumes for potential job opportunities. The activity described in this blog post presented a well-known Iranian threat actor utilizing their tried-and-true techniques to breach targeted organizations. We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired.

EUROPE'S WEEK-LONG SATELLITE OUTAGE IS OVER, BUT STILL SERVES AS A WARNING

www.wired.com/story/galileo-satellite-outage-gps/ "An assumption is made, whether it's Galileo or GPS, that that service will always be up and available and is perfectly reliable," IOActive's Sheehy says. "And we have seen that that is a flawed assumption. The tech industry is very reliant on these services and it's really remarkable how much critical infrastructure today depends on timing or location services. So that assumption can have some very significant real world consequences."

Slack Initiates Mass Password Reset

threatpost.com/slack-password-reset/146545/ Slack said that it has decided to reset passwords for all users who were active at the time of the 2015 breach; those who have changed their password since then and those who log in via single-sign-on (SSO) platforms are excepted. In total, about 100,000 users are affected.

Zoom Zero Day Followup: Getting the RCE

blog.assetnote.io/bug-bounty/2019/07/17/rce-on-zoom/ Last week, Jonathan Leitschuh wrote an excellent blog post covering the vulnerabilities within Zoom's Mac client. Jonathan's research was independent of ours, and since the vulnerabilities are now patched, we wanted to disclose a remote code execution with the same root cause, and share our story of coming across the initial privacy issue and escalating it into something much worse.

Incident Response Insights Report 2019

www.secureworks.com/resources/rp-incident-response-insights-report-2019 Don't expect a whole lot from your expensive new security tools unless you first master the basics. The new Secureworks Incident Response Insights Report 2019 shows how organizations are undermining their security programs by leaving gaps in security fundamentals that gift easy opportunities to threat actors. As a result, the adversaries gravitated toward known successful tactics and needed only moderate evolution to achieve success. Report at

pcdnscwx01-maxyilfdpln5c.azureedge.net/~/media/Files/US/Reports/Secureworks_SECO1240N_IncidentResponseInsightsReport2019.ashx?modified=20190718160713 "Targeted activity from government-sponsored actors comprised 7% of incident response engagements in 2018." "Secureworks analysts consistently find that many organizations have insufficient network, endpoint, and log visibility, which limits the ability to detect threats they are facing."

We Need a Safer Systems Programming Language

msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/ In our first post in this series, we discussed the need for proactively addressing memory safety issues. Tools and guidance are demonstrably not preventing this class of vulnerabilities; memory safety issues have represented almost the same proportion of vulnerabilities assigned a CVE for over a decade. We feel that using memory-safe languages will mitigate this in ways that tools and training have not been able to.
