Showing posts with label security.

Thursday, November 21, 2024

The Bad Guys are on a losing streak

Earlier this week we saw a bunch of Russian hackers sentenced to prison; now we see Interpol execute a massive takedown of multiple groups of Bad Guys:

Interpol is reporting a big win after a massive combined operation against online criminals made 41 arrests and seized hardware thought to be used for nefarious purposes.

Operation Synergia II – the follow-up to the first Synergia raids that were announced in February – saw cops in 95 countries crack down on phishers, ransomware extortionists, and information thieves around the world. The operation was carried out in conjunction with the corporate world, specifically Group-IB, Trend Micro, Kaspersky and Team Cymru.

In addition to the arrests, Interpol revealed 65 people are still under investigation and claimed to have shuttered 22,000 IP addresses, taken control of 59 servers and 43 other computing devices.

Bravo Zulu, y'all.

Monday, November 18, 2024

Spasiba, tovarisch!

Wow:

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.

Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware.

...

REvil, which was once one of the most prolific ransomware groups, was dismantled after Russia's Federal Security Service (FSB) announced arrests against several members in an unprecedented takedown.

They aren't just going to prison; they're going to a Russian prison.  More of this, please.

Friday, November 15, 2024

The good security news keeps rolling in

I don't remember a week of such good security news:

A 25-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

...

In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.

Too bad we can't send him to a Russian prison, nyet?

Friday, October 4, 2024

Meta fined for storing user passwords with no encryption

Holy cow, I've been in this industry for decades and can't remember a time when everyone knew that you encrypted the damn passwords*:

Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

This is such a rookie mistake that it makes you wonder what those 9 million queries were looking for.  Meta has such a horrible reputation for abusing its users' privacy that the suspicion is that this was just one more wring of that rag.  That's only a suspicion, but Meta has certainly earned that suspicion over the years.

* Yeah, yeah, I know - one-way hash.  I try not to use too much tech jargon.

Thursday, October 3, 2024

KIA cars can be hacked with a smartphone

I hope you don't drive a KIA.  This is actually a failure of post-manufacturing security processes, not that it makes things any better:

Sam Curry, who previously demonstrated remote takeover vulnerabilities in a range of brands – from Toyota to Rolls Royce – found this vulnerability in vehicles as old as model year 2014. The mess means the cars can be geolocated, turned on or off, locked or unlocked, have their horns honked and lights activated, and even have their cameras accessed – all remotely.

...

The issue originated in one of the Kia web portals used by dealerships. Long story short and a hefty bit of API abuse later, Curry and his band of far-more-capable Kia Boyz managed to register a fake dealer account to get a valid access token, which they were then able to use to call any backend dealer API command they wanted.

"From the victim's side, there was no notification that their vehicle had been accessed nor their access permissions modified," Curry noted in his writeup. "An attacker could resolve someone's license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk."

Security wags have long called this sort of architecture "broken by design" - it was intentionally set up to allow privileged access via a poorly authenticated system that has to scale through a big organization.  I don't have much confidence that KIA can fix this, or that they will likely want to.

And oh yeah - there's a smartphone app to help the Bad Guys.

All I can say is that 1968 Goat isn't vulnerable to this attack, and will never be.

Thursday, September 5, 2024

Well, that's one way to improve the Internet coverage on a Navy ship

Navy finds hidden Starlink dish on ship:

Still, the ambassador had nothing on senior enlisted crew members of the littoral combat ship USS Manchester, who didn't like the Navy's restriction of onboard Internet access. In 2023, they decided that the best way to deal with the problem was to secretly bolt a Starlink terminal to the "O-5 level weatherdeck" of a US warship.

They called the resulting Wi-Fi network "STINKY"—and when officers on the ship heard rumors and began asking questions, the leader of the scheme brazenly lied about it. Then, when exposed, she went so far as to make up fake Starlink usage reports suggesting that the system had only been accessed while in port, where cybersecurity and espionage concerns were lower.

Well, it is a pain in the rear end to get hooked up to SIPRnet ... 

Of course, there's been a general helping of courts-martial for everyone involved.

And the funniest bit?  Elon Musk had Starlink change the default WiFi SSID to "Stinky" to encourage customers to change the damn defaults.

Wednesday, September 4, 2024

What is this, 1990?

SolarWinds issues security patch to eliminate hard coded password:

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data.

The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.

[blink] [blink]

What makes this even more double-plus ungood is that SolarWinds is a security company.  They know that hard coded passwords are not just A Very Bad Thing Indeed, but considered harmful*.

I guess the only other possibility is that they don't know this, but I just don't believe that.  Heads should roll over this.

* Old computing graybeards will remember the ACM paper "GoTo Considered Harmful" which created such a furor that "considered harmful" is now considered harmful when used descriptively.

Except here, where it is 100% justified.

Thursday, August 29, 2024

Time to patch your Windows computer

Microsoft has released a fix for a severe vulnerability in this month's Windows Update.  The problem here is that a Bad Guy sending a specially crafted IPv6 packet can run code on your computer.  Basically it's a spammer's/hacker's dream, and now there is demonstration code in the wild to do this.

If you run Windows 10 or 11, this is probably bad news for you.  Here's what you need to do:

  1. Check to see if you are reachable using IPv6.  If you only have IPv4, then you don't need to worry.
  2. If the site in the link above can reach you with IPv6, you need to run Windows Update.  Go to the Start Menu and type "Windows Update" in the search bar which will take you right to the update program.
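As an added example (not part of the original post, and not Microsoft's own guidance), this PowerShell snippet checks the two steps from the inside of the machine: whether it has a routable (non-link-local) IPv6 address, and which updates landed most recently, before opening the Windows Update page. The external test the post links to remains the more reliable reachability check, since a router or firewall can still block inbound IPv6 even when a global address is present.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt;
# Get-NetAdapterBinding / Get-NetIPAddress come from the built-in NetTCPIP module.

# Step 1a: is the IPv6 stack bound to any network adapter at all?
$ipv6Bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { $_.Enabled }

# Step 1b: link-local fe80::/10 addresses are always present and are not reachable
# from the Internet; what matters is a global address learned from the router
# (RouterAdvertisement) or handed out by DHCPv6 (Dhcp).
$globalV6 = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.PrefixOrigin -in 'RouterAdvertisement', 'Dhcp' -and
                   $_.IPAddress -notlike 'fe80*' }

if ($globalV6) {
    Write-Host "Routable IPv6 address(es) found - you are likely IPv6-reachable:"
    $globalV6 | Select-Object InterfaceAlias, IPAddress, PrefixOrigin |
        Format-Table -AutoSize
} else {
    Write-Host ("No routable IPv6 address on this machine " +
                "(IPv6 bound on $($ipv6Bound.Count) adapter(s), link-local only).")
}

# Step 2a: show the most recently installed updates so you can confirm this
# month's cumulative update is present after Windows Update finishes.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# Step 2b: open the Windows Update settings page (same as typing
# "Windows Update" into the Start Menu search bar).
Start-Process 'ms-settings:windowsupdate'
```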

I must say that I was surprised about my IPv6 connectivity.  But this is a really nasty bug, so get patching.

Wednesday, August 28, 2024

FBI security measures laughably weak

The FBI Inspector General has issued a scathing report about the Bureau's lackadaisical attitude towards protecting sensitive data:

The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

...

The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

There is a photo of the storage facility at the link, and it can only be described as horrifying.

I guess they are too busy spying on regime enemies to, you know, take security very seriously.

Tuesday, August 27, 2024

Well, that doesn't sound like much of a "Cybersecurity Lab"

Cybersecurity Lab didn't use antivirus:

Dr. Emmanouil "Manos" Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects like "Rhamnousia: Attributing Cyber Actors Through Tensor Decomposition and Novel Data Acquisition."

The government yesterday sued Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway.

It seems that Dr. Antonakakis wasn't much impressed with antivirus products.  Fair enough - it's a perpetual game of locking the barn door after the horse got out.

But the contract said that the lab would follow particular standards (in this case, NIST 800-171) which mandates antivirus, and the lab issued compliance statements with the invoices they submitted.  This case seems pretty cut and dried.

And not at all impressive for Georgia Tech Cybersecurity Lab.

Thursday, August 15, 2024

The buzz from Black Hat this year

Every year, in the heat of the Las Vegas desert, the Black Hat Briefings, the premier computer security conference, takes place.  There's always interesting news from the briefings (and from the much less buttoned-down conference, DEFCON, which runs immediately afterwards).

So what's the buzz from Black Hat this year?  It seems that Palo Alto Networks had Booth Bunnies at their display booth:

[blink] [blink]

Now I did my share of manning the booths (yes, I was a Booth Bunny, thank you for asking) back in the '90s and the '00s.  But even in the '90s we were considerably more buttoned-down than this, and for good marketing reasons.  Sure, some of the attendees might like the scenery, but some will not - and some of them will very much not like the scenery.  This has been known to be bad conference marketing juju for literally decades.

Of course, the Palo Alto Networks' Chief Marketing Officer had to go full frontal groveling* in his apology:

PAN's chief marketing officer Unnikrishnan KP, or Unni as he's often called, issued his apology earlier this week calling it "tone deaf."

"Last week at Black Hat in Las Vegas, an unfortunate decision was made at a Palo Alto Networks event to have hostesses wear branded lampshades on their heads," he said. "It was tone-deaf, in poor taste, and not aligned with our company values or brand campaign. 

"I take full responsibility for this misjudgment and have addressed it with my team and am taking steps to prevent such misguided actions in the future.

"Please accept my heartfelt apologies for this regrettable incident."

Nikesh Arora, PAN's chairman and CEO, doubled down on the apologies on Tuesday, echoing the points made by Unni, adding that what happened was "unacceptable."

I expect the headcount at Palo Alto Networks' marketing department has gotten a spin.  We apologize again for the fault in the subtitles. Those responsible for sacking the people who have just been sacked have been sacked.

* See what I did there?  I crack myself up.

Thursday, August 8, 2024

If you use 1Password on Mac, you need to get patching

Le sigh:

Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.

...

Think you might be vulnerable? No mitigations were provided by 1Password, so patching up to version 8.10.36 is your only shot at securing those credentials.

Password Managers are great security tools because they make it easy to have very strong passwords (basically, random gobbledygook) for your online accounts.  They remember these passwords so that you don't have to.

But they're not magic, they're software.  That means that even they can get security bugs.  If you use 1Password on Mac, make sure you upgrade it to 8.10.36, which fixes this.

Monday, August 5, 2024

Crowdstrike threatens Delta Airlines

Wow:

CrowdStrike says it is "highly disappointed" and rejects the claims made by Delta and its lawyers that the vendor exhibited gross negligence in the events that led to the global IT outage a little over two weeks ago.

That's according to a letter, seen by The Reg and sent to David Boies, partner at the law firm Delta hired to investigate the airline's legal options after it struggled more than most to bring its systems back online, leading to a sprawling list of flight cancellations.

The Falcon vendor reiterated its apology to Delta and the wider customer base. It then went on to remind Boies, known for his work as special counsel during the 1990s US antitrust trial against Microsoft, that it had been proactive in reaching out to Delta, offering support to the airline "within hours" of the incident unfolding.

...

CrowdStrike's lawyer, Michael B. Carlinsky, then poked the bear further. He said that among other things, in this hypothetical trial Delta would also need to explain why it took so much longer than competitors to recover from the same issue, why it refused the free on-site help CrowdStrike offered – the support that led to faster recovery times than Delta's, and the operational resiliency of its IT infrastructure.

This is hands down the biggest screw-up - ever - by any security vendor.  I guess that a screw-up this big is a potential extinction-level event for Crowdstrike, but this sure doesn't sound like it will calm down their customer base.  OK, so they offered some help when they took down Delta, and Delta didn't jump on this.  That sounds like it's 1% on Delta and 99% on Crowdstrike.

But that's not what's going on here - it's explicitly telling a customer that they will drag them through the mud if the customer sues them for their monumental screw-up.

Holy moley.

Friday, July 12, 2024

Is anyone using old D-Link DIR-859 WiFi routers?

If so, you need to replace them right away.  There is a critical vulnerability that allows a Bad Guy to dump user accounts and passwords - basically, this lets him take over the box.  Because the routers are End Of Life (EOL), there will never be a software update to fix this.

Fortunately, home WiFi routers are pretty cheap these days.

I used to run D-Link in the past (I'm pretty sure I had one at FOB Borepatch, back in the day), but those are long gone now.  If you have one, then run, don't walk, to get a replacement.

Details here for those who are interested.

Monday, July 8, 2024

I believe that this is the first BBQ security vulnerability

Oops:

Keen meatheads better hope they haven't angered any cybersecurity folk before allowing their Traeger grills to update because a new high-severity vulnerability could be used for all kinds of high jinks.

With summer in full swing in the northern hemisphere, it means BBQ season is upon us, and with Traeger being one of the most trusted brands in grilling and smoking, there's a good chance that many backyard cookouts could be ruined if crafty crims have their way.

Nick Cerne, security consultant at Bishop Fox, discovered a few weaknesses in certain Traeger grills, ones that have the Traeger Grill D2 Wi-Fi Controller installed – an embedded device allowing a grill to be controlled using a mobile app.

Successful exploits could allow a remote attacker to execute day-ruining commands such as temperature change controls or shutting down the grill altogether.

I think that we can all agree that the definition of a Black Hat hacker is someone who changes the temperature on your smoking brisket to 400 degrees ...

But put a computer in it, and expect security bugs.

Tuesday, July 2, 2024

So what's going on with Kaspersky antivirus?

It looks like just about all of their corporate execs (other than CEO Eugene Kaspersky) have been sanctioned by the US Fed.Gov.  Oh, yeah, the software is banned in the USA after July 20:

The US Treasury Department's Office of Foreign Assets Control (OFAC) cited national security threats in designating the 12 individuals as under sanction. In making the announcement, it also noted: "OFAC has not designated Kaspersky Lab, its parent or subsidiary companies, or its CEO."

The Treasury did, however, designate just about every other exec who reports directly to the Moscow-based firm's chief exec "for operating in the technology sector of the Russian Federation economy," which under EO 14024 is a no-no.

It follows Thursday's actions by the Commerce Department that prohibit Kaspersky Lab Inc from providing its software and other security services in America from July 20 — plus years of directives and mandates to kick Kaspersky products out of US government networks.

This seems weird - maybe it's just more escalation of Great Power Politics between the US and Russia by the neocons in our government.  Kaspersky has made good products, and a scan of the Borepatch archives shows only references to what has been a quality security company. 

If you use their antivirus, it looks like you need to go shopping.

Thursday, June 13, 2024

This is getting out of hand

Someone is going to die if this keeps up:

England's NHS Blood and Transplant (NHSBT) has issued an urgent call to O Positive and O Negative blood donors to book appointments and donate after last week’s cyberattack on pathology provider Synnovis impacted multiple hospitals in London.

On June 4, operations at multiple large NHS hospitals in London were disrupted by the ransomware attack that the Russian cybercrime group Qilin (a.k.a. Agenda) launched on Synnovis.

The incident impacted blood transfusions, with many non-urgent procedures being canceled or redirected.

And so for the lack of adequate backups, Blighty is running out of blood.

Thursday, May 30, 2024

Interesting security idea

Actually, it's a breath of fresh air:

A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit.

Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill.

Today's phishing tests more closely resemble the fire drills of the early days, which were more like fire evacuation drills – sprung upon a building's residents with no warning and later blaming them as individuals for their failures.

Yeah, that's about right.

Linton's idea of a possible alternative is considerably different compared to the tests office workers have become accustomed to over the years.

Hello!  I am a Phishing Email. 

This is a drill - this is only a drill!

If I were an actual phishing email, I might ask you to log into a malicious site with your actual username or password, or I might ask you to run a suspicious command.

You can learn more about recognizing phishing emails at and even test yourself to see how good you are at spotting them. Regardless of the form a phishing email takes, you can quickly report them to the security team when you notice they're not what they seem.

To complete the annual phishing drill, please report me.

Thanks for doing your part to keep

A. Tricky. Phish, Ph.D

This seems like a much more productive approach, IMHO.  Which means that it will be ignored by The Usual Suspects.

Thursday, May 23, 2024

GE Medical Ultrasound imager critical security vulnerabilities

"Vulnerabilities" meaning plural: remote code execution, ransomware danger, other cool stuff.  

The good news: you need physical access to the device (supposedly; of course these would *never* be put on the network ...).  The bad news: it's unlikely in the extreme that these devices will ever get patched.

If only someone had been warning them of this problem ...