Wednesday, August 24, 2022

Security news

Not exactly a Security Smorgasbord post, but interesting and important stuff.

Lawrence has a post about a new sort of phishing scam pretending to be a PayPal invoice for a Walmart purchase.

There’s a new phishing scam making the rounds. I’ve received examples of this one twice myself over the last week, and since it’s a lot more sophisticated and polished than the average email phishing scam, I think it’s worth taking a look at.

You should go read - this is important.

Twitter's ex-Chief of security says that the company is entirely uninterested in knowing just how many bots make up the Twitter user population.  What makes this really big security news is that the ex-Chief is none other than Mudge, one of the original L0pht guys.  He has big, big stature in the security community.  I don't know how this will play out, but this will be enormously damaging to Twitter's share price.  But it's hard to see this Justice Department go after the Twitter execs who helped the Democrats so much over the last few years.

The Metaverse sucks, and you cannot have any privacy there.  I expect you already know that.

Sumd00d hacks his Hyundai car to change the smart screen software.  What uber 31337 'sploit does he use to find Hyundai's secret encryption key?  Google.  For realz.  Angels and Ministers of Grace defend us.

Thursday, November 18, 2021

Security Smörgåsbord, vol. 13 no. 8

Here's a roundup of interesting Internet Security news.

Costco discloses credit card skimmer breach.  A "skimmer" is a device that criminals install on ATMs and Point-Of-Sale terminals to steal your credit card numbers (or worse, your Debit Card number and PIN).  I've been posting about them for years (that has a good link to how to spot one in the wild).  Well, Costco spotted some of them at their stores in Chicago.  Let's be safe out there.

The link I talk about in the paragraph above points to security journalist Brian Krebs.  Krebs has a new post up explaining how the FBI's email system got hacked.  It's pretty interesting stuff.

If you use Microsoft's Edge browser, DO NOT turn on the "synch" feature.  It synchs all sorts of data that you may not want it to - like bookmarks - and all sorts of data that you really, really do not want it to - like passwords, credit card numbers, and even passport numbers.  Yikes.  Not cool, Microsoft.

Windows XP still makes up between 3% and 5% of all Windows versions in the wild.  This is interesting, but XP has been out of support for years and you can't get security updates for it.  Interestingly, Vista is about the same amount (at least you can pay for security updates there, but you're stuck on Vista).  If you are running XP, I have recommended for years that you upgrade to Linux.  It's free, and will run on your existing hardware.

Friday, November 5, 2021

Security Smörgåsbord, vol. 13 no. 7

Here's a collection of interesting computer security news from the last month or so.

When there's never any good news, some good news is always welcome.  Port of Houston successfully blocks cyber attack:

The Port of Houston, a major U.S. port, was targeted in an attempted cyber attack last month, the Port shared in a statement on Thursday.

“The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August,” the statement reads. “Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.” 

I think this may be the first time in 13 years that I've posted a success story.  I have a post tag called pwned; maybe I need one called "Not pwned"?  Anyway, chalk one up for the good guys.  Ports are very much part of critical infrastructure.

Let's Encrypt allows root and intermediate certificates to expire:

Websites and apps are suffering or have suffered outages around the world for at least some netizens today due to connectivity issues.

Though the exact causes of the IT breakdowns are in many cases not fully known right now, there has been a sudden uptick in downtime right as Let's Encrypt, which provides free HTTPS certificates to a ton of organizations, let one of its root and intermediate certs expire.

This expiration should be invisible to software, services, and users relying on the certificates for encryption, tamper-proof communications and whatnot, however not all systems appear to have handled the expiry well. 

[facepalm]  There are two ways to look at this.  The first option is that an Internet Certificate Authority doesn't really know how to manage their own certificates.  The second is that programmers who write code using these certificates don't really know how to manage their certificates.  I'm not sure which is more terrifying.


Ransomware attack leads to baby's death:

A U.S. hospital paralyzed by ransomware in 2019 will be defending itself in court in November over the death of a newborn, allegedly caused by the cyberattack.

As the Wall Street Journal reported on Thursday, the baby’s mother, Teiranni Kidd, gave birth to her daughter, Nicko Silar, on July 16, 2019, without knowing that the hospital was entering its eighth day of clawing its way back from the attack.

According to court filings, health records at the hospital – Springhill Medical Center, in Mobile, Ala. – were inaccessible. A wireless tracking system for locating medical staff was still down. And, in the labor-and-delivery unit, staff were cut off from the equipment that monitors fetal heartbeats, which are normally tracked on a large screen at the nurses’ station and in the delivery room.

Those monitors should have informed the staff of what was a life-threatening situation, alleges a medical malpractice lawsuit that Kidd has filed in the Circuit Court of Mobile County. Nicko was born with the umbilical cord wrapped around her neck, choking off her blood and oxygen. She suffered severe brain damage and died nine months later.

I'm going to have to borrow J.Kb's wood chipper ...

NSA has released a guide on how to pick a secure VPN.  I'm cynical enough to wonder if NSA isn't trying to lead everyone to poor encryption choices.  Again.  Oh, who am I kidding?  They've never stopped.  Once is coincidence, twice is happenstance, three times is enemy action.

Tuesday, October 5, 2021

Security Smörgåsbord, vol. 13 no. 6

Google report: Government Geofence warrants up ten times in the last year:

POLICE AROUND THE country have drastically increased their use of geofence warrants, a widely criticized investigative technique that collects data from any user's device that was in a specified area within a certain time range, according to new figures shared by Google. Law enforcement has served geofence warrants to Google since 2016, but the company has detailed for the first time exactly how many it receives.

The report shows that requests have spiked dramatically in the past three years, rising as much as tenfold in some states. In California, law enforcement made 1,909 requests in 2020, compared to 209 in 2018. Similarly, geofence warrants in Florida leaped from 81 requests in 2018 to more than 800 last year. In Ohio, requests rose from seven to 400 in that same time.

Across all 50 states, geofence requests to Google increased from 941 in 2018 to 11,033 in 2020 and now make up more than 25 percent of all data requests the company receives from law enforcement.

This is bad juju from a privacy perspective.  Here's advice on how to avoid getting caught up in this.

New report on cyber security recommendations for K-12 systems.  This all seems pretty sensitive.  If you have kids in school, you might want to bring this to the School Board's attention.

IPv6 will give us better security!  IPv6 seems to be something - like fusion power - that's always "5 years away" ...

Google introduces auto-reset of permissions granted to unused apps.  This is an excellent idea, and one that Google seems to have implemented in a very user-friendly manner.  If you have apps that you never use, then it makes sense not to allow them to poke around on your device.  Well done, Google.  I'd like to see Apple do this for iOS as well.

Wednesday, September 15, 2021

Security Smörgåsbord, vol. 13 no. 5

Report: Direct patient safety risk posed by infusion pump vulnerability exploit

A group of five vulnerabilities in the B. Braun Infusomat Space Large Volume Pump could allow an attacker to modify system configurations in standby mode and deliver an unexpected dose of medication to patients without any need for authentication, according to a new report from McAfee Enterprise Advanced Threat Research.

I've been posting about the security problems in medical devices for going on a decade now.  It's interesting to see major security research players start to issue advisories about these.  Hopefully the FDA expedites these sort of security updates.

DEFCON: Internet of Things random number generators stink

In a DEF CON talk officially released on Saturday (many of this year's talks were pre-recorded and available to stream before their scheduled time) Dan Petro and Allan Cecil, both of Bishop Fox, outline systemic problems with hardware random number generators. That creates systemic problems for the devices that obtain random numbers directly from hardware random number generators.

"One of our top-line takeaways is that this process of talking to hardware RNG [random number generators] directly is just untenable. It's far too complicated on so many levels, to the point where it should really be considered like writing cryptographic code, where it is just too unsafe to do on your own," Petro told SC Media.

You might wonder what the heck a random number generator is and why you need a good one.  Basically, all of the encryption in use today depends on cipher computations starting with as close to truly random numbers as possible.  If the "random numbers" used are not really random - or worse, if they are predictable - then a Bad Guy could decrypt your communications, masquerade as you (well, as your TV), and do all the bad things to you that encryption is supposed to prevent.  Home computers (and cell phones) don't have this problem because they invest in good random number generation circuitry.  IoT devices are so inexpensive that this isn't done.  Probably having unpatched high risk security vulnerabilities in these devices is worse, but this is just another reason why there isn't much security at all in these pieces of junk.
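As an added illustration (not code from the original post or from the DEF CON talk) of what "good" random numbers look like to a device that has to trust its own hardware: these are the two continuous health tests from NIST SP 800-90B that firmware should run on raw RNG output, exercised against os.urandom and against constructed failure modes (a stuck-at-zero source and a low-entropy source). The cutoff derivation is my own approximation of the standard's formula, and the sample sources are constructed for the demo.

```python
# Added example: NIST SP 800-90B continuous health tests (repetition count
# and adaptive proportion) run over a hardware-RNG-style byte stream.
# Sample sources below are constructed; os.urandom stands in for a good RNG.
import math
import os

ALPHA = 2.0 ** -30  # false-alarm probability used by SP 800-90B


def repetition_count_cutoff(entropy_bits, alpha=ALPHA):
    """SP 800-90B 4.4.1: C = 1 + ceil(-log2(alpha) / H), H = bits per sample."""
    return 1 + math.ceil(-math.log2(alpha) / entropy_bits)


def adaptive_proportion_cutoff(window, entropy_bits, alpha=ALPHA):
    """Cutoff for SP 800-90B 4.4.2, approximated from the binomial tail.

    Extra matches of the first sample inside a window follow
    X ~ Binomial(window - 1, 2**-H); return the smallest count B = 1 + X
    whose tail probability P(X >= k) is at most alpha.
    """
    p = 2.0 ** -entropy_bits
    n = window - 1
    tail = 1.0  # P(X >= k), starting at k = 0
    for k in range(n + 1):
        if tail <= alpha:
            return 1 + k
        tail -= math.comb(n, k) * p ** k * (1 - p) ** (n - k)
    return window + 1


def repetition_count_test(samples, entropy_bits=8):
    """Fail if any value repeats C times in a row (catches a stuck source)."""
    cutoff = repetition_count_cutoff(entropy_bits)
    prev, run = None, 0
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples, entropy_bits=8, window=512):
    """Fail if the first sample of any window recurs too often inside it."""
    cutoff = adaptive_proportion_cutoff(window, entropy_bits)
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


def health_check(samples, entropy_bits=8):
    """Run both tests, the way a firmware self-test would before trusting output."""
    return {
        "repetition_count": repetition_count_test(samples, entropy_bits),
        "adaptive_proportion": adaptive_proportion_test(samples, entropy_bits),
    }


def stuck_source(n, value=0):
    """Constructed failure mode: an RNG that returns the same byte forever."""
    return bytes([value]) * n


def biased_source(n):
    """Constructed weak source: only four distinct byte values ever appear."""
    return bytes(os.urandom(1)[0] & 0x03 for _ in range(n))


if __name__ == "__main__":
    print("os.urandom    ", health_check(os.urandom(8192)))    # both pass
    print("stuck at zero ", health_check(stuck_source(8192)))  # both fail
    print("4-value bias  ", health_check(biased_source(8192)))  # adaptive fails
```

The biased source passes nothing a human would notice by eye, which is the point: the checks belong in the device, not in a reviewer's judgement.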

Firefox 91 has new privacy features

Firefox is still around?  Who knew?  They blew any credibility on user privacy when they ditched Brendan Eich to include RIAA tracking features.

The most secure browser is ... Microsoft?

Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed "Super Duper Secure Mode" and designed to bring security improvements without significant performance losses.

When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users' systems.

...

Based on CVE (Common Vulnerabilities and Exposures) data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, more than half of all 'in the wild' Chrome exploits abusing JIT bugs.

"This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed," explained Johnathan Norman, Microsoft Edge Vulnerability Research Lead.

That's a neat piece of security work.  And I love "Super Duper Secure Mode".  It reminds me of Tesla's "Ludicrous Mode" which is shamelessly stolen from Spaceballs.


Google to block old Android phones starting September 27

Google has started emailing users of very old Android devices to tell them it's time to say goodbye.

Starting September 27, devices running Android 2.3.7 and lower will no longer be able to log in to Google services, effectively killing a big portion of the on-rails Android experience. As Google puts it in an official community post, "If you sign in to your device after September 27, you may get username or password errors when you try to use Google products and services like Gmail, YouTube, and Maps."

Android is one of the most cloud-based operating systems ever. Especially in older versions, many included apps and services were tied to your Google login, and if that stops working, a large chunk of your phone is bricked. While Android can update many core components without shipping a full system update today, Android 2.3.7 Gingerbread, released around 10 years ago, was not so modular.

This is actually a Good Thing.  Android has a lot of security holes and there are no updates coming for these 10-year-old systems.  If you got 10 years out of your phone, it's really in your best (security) interest to update.

US Government Agencies score low on cyber security

In the "Federal Cybersecurity: America's Data Still At Risk" report, the US Senate Committee on Homeland Security and Governmental Affairs graded the departments of State, Transportation, Education, and the Social Security Administration a "D" for cybersecurity. The departments of Housing and Urban Development, Agriculture, and Health and Human Services each received a "C." The highest grade for cybersecurity, a "B," went to the Department of Homeland Security (DHS). Among the major issues, several agencies, including the State Department, did not deactivate former employees' accounts, allowing access for extended periods of time after the workers left government service.

Maybe the Cloud will help.  These Agencies can't buy cloud services that are not security approved (FedRAMP).  Most of these issues are covered under that certification. 

Tuesday, August 3, 2021

Security Smorgasbord, vol. 13 no. 4

This Security Smorgasbord now has more snark!

Congress catches up to Borepatch from 2009, holds hearings on Power Grid security:

The lack of adequate security features in critical electrical grid equipment - including high-power transformers - that's made in other nations poses a serious U.S. cybersecurity threat, according to federal officials who testified at a Congressional hearing this week. Supply chain vulnerabilities could result in a grid takedown by nation-state actors and a lengthy recovery period, they said.

Prediction: nothing happens because the $1.2T "Infrastructure" bill is about funding Democratic Party clients, not providing reliable infrastructure.

The top 30 security exploits, per the NSA, UK NCSC, Australian CSC, and the FBI.  Given the recent news about FBI assets fomenting all sorts of plots that didn't exist before, you have to wonder if they're behind some of the Black Hat rings too.

"Swatting" perpetrator sentenced to 5 years in prison after victim dies.  Enjoy your time in jail, jerk.  "Swatting" is when some jerk sends a spoofed 911 call to the victim's local Po-po to get an armed response.  Victims of this sometimes die, either shot by the first responders or in this case from a heart attack.  This spoofing should be getting harder to do now.

D-Link issues fix for home WiFi routers:

D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.

Following successful exploitation, they can let attackers execute arbitrary code on unpatched routers, gain access to sensitive information or crash the routers after triggering a denial of service state.

The DIR-3040 security flaws discovered and reported by Cisco Talos security researcher Dave McDaniel include hardcoded passwords, command injection, and information disclosure bugs.

Hardcoded passwords.  Top Men, right there.  Top.  Men.  This is why we can't have nice things on the Internet.

Cell phone encryption was intentionally weakened:

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper.

The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case.

Ah, the Bad Old Days of export-controlled crypto.  Good thing that that would never happen now, amirite?

Monday, July 19, 2021

Security Smorgasbord, vol. 13 no. 3

Insurance Industry consortium grappling with ransomware payments:

Both are signs of the cyber insurance world trying to wrap its arms around ransomware, a phenomenon that is leading to costlier payouts, prompting insurers to demand security improvements from policyholders and in some cases driving companies to step back from what they’re willing to cover.

For instance, the annual growth rate in cyber insurance premiums the past four years has been 20%, while the average growth in claims has been more than 39%, according to a report from credit agency AM Best that warned of a “grim” cyber insurance market. Ransomware, AM Best said, now accounts for 75% of cyber claims.

The dirty secret is that insurance has been negotiating payouts with hacking gangs for years.  Unsurprisingly, this has made ransomware a viable business model for the gangs.

Western Digital My Book Live storage system gets remote data wipe command from factory:

Western Digital, maker of the popular My Disk external hard drives, is recommending that customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.

The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.

...

“I have a WD mybook live connected to my home LAN and worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”

Other My Book Live users quickly joined the conversation to report that they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data... years of it.”

This is exactly why you have more than one backup.  Like with carry guns, two is one and one is none.  And I've recommended Western Digital in the past.  I guess I need to reassess that.

Medicare lacks consistent oversight of Cybersecurity for networked medical devices:

CMS's survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity. For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, AOs will review the hospitals' mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices. Finally, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.

I've been posting for years about how security for medical devices isn't an afterthought.  It wasn't thought of at all.

Windows Print Spooler under attack:

Microsoft has provided mitigation guidance to block attacks on systems vulnerable to exploits targeting the Windows Print Spooler zero-day vulnerability known as PrintNightmare.

This remote code execution (RCE) bug—now tracked as CVE-2021-34527—impacts all versions of Windows per Microsoft, with the company still investigating if the vulnerability is exploitable on all of them.

CVE-2021-34527 allows attackers to take over affected servers via remote code execution with SYSTEM privileges as it enables them to install programs, view, change, or delete data, and create new accounts with full user rights.

Under active exploitation

The company added in a newly released security advisory that PrintNightmare has already been exploited in the wild. Microsoft didn't share who is behind the detected exploitation (threat actors or security researchers).

This is exactly the sort of attack that you would expect.  The print spooler code is almost certainly very old and not really maintained from a security perspective.  It's deployed everywhere and very often enabled by users who have been burned once too often by clicking "No" to "Do you want me to turn this on?" messages.  And so print spoolers are enabled all over the place when there's very little reason for the software to be running at all.  If you have a modern printer (i.e. a 5-year-old or newer network attached printer) there is no reason for you to have the printer service enabled.  You can turn this off via the instructions in the link.


Tuesday, June 22, 2021

Security Smorgasbord, vol. 13 no. 2

Here's a collection of security news I found interesting (and horrifying).

US nuclear weapon bunker security secrets spill from online flashcards since 2013

Details of some US nuclear missile bunkers in Europe, which contain live warheads, along with secret codewords used by guards to signal that they’re being threatened by enemies, were exposed for nearly a decade through online flashcards used for education, but which were left publicly available.

The astonishing security blunder was revealed by investigative journalism website Bellingcat, which described what it found after “simply searching online for terms publicly known to be associated with nuclear weapons.”

The flashcards “detail intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have,” Bellingcat reported.

No doubt the education battalion was up to date on gender pronoun policy, though.

Food giant JBS Foods shuts down production after cyberattack

JBS Foods, a leading food company and the largest meat producer globally, had to shut down production at multiple sites worldwide following a cyberattack.

The incident impacted multiple JBS production facilities worldwide over the weekend, including those from the United States, Australia, and Canada.

JBS is currently the world's largest beef and poultry producer and the second-largest global pork producer, with operations in the United States, Australia, Canada, the United Kingdom, and more.

This story is a little old but underlines the importance of having food on hand for potentially extended emergencies.  Which leads us to the next item ...

How Cyber Safe is Your Drinking Water Supply?

(Spoiler alert: not very)

The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal.

The Council found when it comes to IT systems tied to “operational technology” (OT) — systems responsible for monitoring and controlling the industrial operation of these utilities and their safety features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent working to do so.

“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.”

It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security incidents in the last 12 months, a somewhat unlikely scenario.

Security in the water purification infrastructure isn't an afterthought - it hasn't been thought of at all.  You should have a plan for a week with no water, and you really should have a plan for two weeks with no water.  Err, and food.

The Army wants to be sure teleworkers aren’t letting smart devices in their home listen in on any government work.

In a May 25 memo, Army CIO Raj G. Iyer laid out mandatory procedures remote workers must use to mitigate leaks of official government information. They apply to all military components, civilian employees and contractors.

Effective immediately, the memo states, the remote work environment for all approved teleworkers must be free of internet-of-things devices. That includes more than 70 types of devices, from Bluetooth speakers, fitness trackers, smart kitchen appliances, TVs and gaming consoles and home security systems. The memo makes particular mention of personal home assistants – like Alexa and Siri -- from Amazon, Google, Microsoft, Apple and others.

Well, yeah for sure.  Alexa, are you listening to secret nuclear missile training?

And here's some (rare) good news: City of Tulsa thwarts ransomware attack

Most residents of Tulsa are being prevented from paying their water bills after the city shut down its computer network as a security measure following an attempted ransomware attack, a city official said Friday.

The attempted breach was stopped before any personal data was accessed, city spokesman Carson Colvin said. Tulsa detected malware in its network May 6 and immediately started shutting it down to prevent hackers from accessing anything sensitive.

“It didn’t get far enough into the system to get personal data,” Colvin said.

The primary effect of the shutdown — which could last from several more days to about a month — is payment for city water services, either online or in person, because the city cannot process credit or debit cards with computers inoperable.

Residents will have five days after online payments are again possible to pay their bills without penalty, Colvin said.

The city said Thursday that police and fire responses continue, but issues such as uploading police body cameras are slowed because of the computer shutdown.

Mayor G.T. Bynum on Thursday said the hackers told the city to pay a ransom or else it would publicize that it had broken into the network, but Bynum said Tulsa didn’t pay and instead announced the breach on its own.

Well, mostly good news.  Well done, Tulsa.  Oh, and you know what also is great to have after a Ransomware attack?  Good backups.

Wednesday, April 21, 2021

Security Smorgasbord, vol. 13 no. 1

I really need to get back into doing these.  So here you go.

RIP, FTP

Mozilla is removing support for downloading files from FTP links.  All in all, this is a good thing - we've known that passing unencrypted usernames and passwords across the Intarwebs is A Very Bad Thing Indeed for oh, 30 years or so.

Google: Here's a cool new privacy feature.  Everybody: Nah, we're good

Google has a new privacy "solution" that pretty much everybody thinks is designed to rip off users' privacy even more.  The Vivaldi team released a statement that really sums up why none of the browsers (other than Chrome) are going to use Google's cunning scheme:

“We will not support the FLoC API and plan to disable it, no matter how it is implemented. It does not protect privacy and it certainly is not beneficial to users, to unwittingly give away their privacy for the financial gain of Google.”

Oft evil will shall evil mar, and all that.  Hey Google, don't be evil.  (P.S. Don't use Chrome)

SAP attacks under way in the wild

You don't get more buttoned-down corporate in the software world than database maker SAP.  And they're seeing attacks against their software, as hackers reverse engineer SAP security patches.

2 year old VPN server vulnerability being exploited in the wild

I can't imagine why someone wouldn't install a critical security patch on a critical security device, but it seems that a bunch of folks haven't.  Oooooh kaaaaay, then.

SpaceX encrypts telemetry

Well, it looks like they've been encrypting Starship for a couple years, but they are now encrypting Falcon 9 telemetry.

Friday, August 14, 2020

Security Smorgasbord, vol. 12 no. 1

I used to do these regularly but have gotten lazy in my dotage.  Ah well, maybe we can reboot the series.

Government actually does something smart about election security (yes, it finally happened!)

Ohio introduces election site vulnerability disclosure policy:

Ohio’s secretary of state has established guidelines for security experts to find and help fix software flaws in the state’s election-related websites, the first such move by a state as the 2020 election approaches.

The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents and overseas and military voters, among other sites, and provides legal liability protections for researchers. The program will bolster the efforts of Ohio Secretary of State Frank LaRose’s security team at a time when threats to election infrastructure “have never been greater,” the policy states. Under the policy, researchers are required to wait four months after reporting a vulnerability to Ohio officials before going public with it.

This is an excellent move by the State of Ohio.  There are a lot of White Hat hackers out there that can help the State find and close security bugs before the Black Hat d00dz find (and exploit) them, but up until now the risk of prosecution by grandstanding District Attorneys has scared off a lot of research.  By encouraging this research - with "responsible disclosure" policies in place - we can hope that the electoral system can get a little bit of hardening.  Well done, Ohio.

Voting machine manufacturer actually does something smart about election security (yes, it finally happened!)

Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.

Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.

Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.

Well done to ES&S.  And sending their CISO to talk at Black Hat is pretty l33t ...

Someone is messing around with Tor Exit Nodes:

Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.

The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.

This is very bad juju if you use Tor.  I've written a fair amount about Tor - this is a good starting place.  It's a way to keep your network traffic anonymous (well, maybe).  This is an interesting new attack against it.

Boeing 747s still receive critical software updates via 3.5" floppy disk:

Long time reader and commenter (and all around great guy) Libertyman sends a link to this, which has very interesting security implications.  Boeing sends critical 747 software updates via floppy disk:
Boeing’s 747-400 aircraft, first introduced in 1988, is still receiving critical software updates through 3.5-inch floppy disks. The Register reports that security researchers at Pen Test Partners recently got access to a British Airways 747, after the airline decided to retire its fleet following a plummet in travel during the coronavirus pandemic. The team was able to inspect the full avionics bay beneath the passenger deck, with its data center-like racks of modular black boxes that perform different functions for the plane.

Pen Test Partners discovered a 3.5-inch floppy disk drive in the cockpit, which is used to load important navigation databases. It’s a database that has to be updated every 28 days, and an engineer visits each month with the latest updates.
Two key security points here: there's no possibility of "over the air" hacks, and the in-person delivery is probably very secure indeed.  However, if nobody manufactures 3.5" floppy disks then you have a real problem here.  That's not a problem (yet) since both the floppy disks and the drives are still available.  Who knew?

Thursday, February 16, 2017

Security Smorgasbord, vol 7 no 1

Boy, it's been a long time since I've done one of these.

Protecting yourself from phishing attacks in email.  "Phishing" is a technique where a Bad Guy tries to trick someone into giving up information or installing malicious code.  It is usually done via email or social media.  Microsoft has a really good article on how to detect that someone is trying to do this to you.

Google: Android security is pretty darn good, despite what you've heard.  They claim to have data and everything.  The claim is that most people who get malware on their Android device did it by downloading something dodgy on purpose:
It also fitted a pattern he had noticed, that there isn't really any complex malware out there in the wild infecting Android devices. Software nasties tend to be sleazy apps, installed by punters, that do unpleasant things in the background, rather than malicious code that silently infects devices via webpages, text messages, and so on. 
“Most of the abuse we get isn’t interesting from a security perspective,” he said. “We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps.” 
The same thing seems to be happening in Apple's iOS world, too, he said. 
Remember Borepatch's First Law Of Security: "Free Download" is internet-speak for "Open your mouth and close your eyes".

The secret chat app used by Donald Trump's people.  I'm not sure how much I'd trust it, but then again I'm not sure how much I'd trust anything.  Actually, I am pretty sure how much I trust anything (answer: not much).  Still, this does seem to minimize a number of opportunities for Opsec failures.

Life, the Universe, and Everything about security.  The answer means that you don't really understand the question, but there are some of security's Hall Of Famers here talking about it all.

Friday, June 27, 2014

Security Smorgasbord, vol 6 no 1

Paypal's 2-factor authentication is entirely broken:
Researchers at DUO Security claim to have found a way of bypassing a two factor authentication feature that secures logins to Paypal.com, eBay’s online payment service.

The vulnerability could allow an attacker who has stolen a Paypal customer’s user name and password to gain access to the account, even though the customer had enabled the more secure two-factor authentication option.
Two factor authentication is a big step up from the normal username/password.  Often it's implemented by sending you a random string of text and/or numbers via SMS to your phone.  This way, you need not only to steal the username and password, but the person's cell phone as well.  Unless the way the two factor authentication is implemented is broken.  Oops.  Paypal users, FYI.  Paypal said they're "working on it", whatever that means.

Why do you rob banks?  Because that's where the money is:
The experts at Kaspersky Lab have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million euros from accounts in the bank.

The first signs of this campaign were discovered on 20 January this year when a C&C [Command & Control - Borepatch] server was detected on the net. The server’s control panel indicated evidence of a Trojan program used to steal money from clients’ bank accounts.

The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged between 1,700 to 39,000 euros.

The campaign was at least one week old when the C&C was discovered, having started no later than Jan. 13 2014. In that time the cybercriminals successfully stole more than 500,000 Euros. Two days after GReAT discovered the C&C server, the criminals removed every shred of evidence that might be used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.
If you bank online, you should check your account every day.

History repeats itself because nobody listens the first time:
The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.

Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas. The problem has grown so bad that today businesses are rushing to invest in many of the latest security technologies designed to detect infections without any ability to efficiently address them, Spafford said.

“Instead of building secure systems, we are getting further and further away from solid construction by putting layer upon layer on top of these systems,” Spafford said. “The idea is for vendors to push things out rather than get things right the first time.”
Spaf is one of the luminaries of the industry, and is absolutely correct here.  It's getting much worse with poorly coded apps for smart phones.  Just wait for the "Internet Of Things" to computerize your house ...

Is it OK for me to hate on Google Glass users?  Please?
Google Glass wearers can snoop on passcodes and other sensitive information with only a passing glance, according to a proof-of-concept demo by security researchers.

Researchers from the University of Massachusetts Lowell were able to use video streams from wearables like Google Glass and the Samsung smartwatch to capture four-digit PIN codes typed onto an iPad from around three metres away.
ASM826 has been posting about situational awareness.  Be aware of who's near you when you're at the ATM.

Thursday, December 5, 2013

Security Smorgasboard

The NSA has weaponized the Internet:
According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T.

Securely deleting cache, cookies, and sensitive data:
BleachBit quickly frees disk space and tirelessly guards your privacy. Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. Designed for Linux and Windows systems, it wipes clean a thousand applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.
Seems like quite a good idea, even if you don't lean towards the tin foil hat side of the spectrum.

A live OS from USB that lets you browse anonymously via TOR:
Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
  • use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
This also seems like an interesting idea.

Private Instant Messaging:

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
Encryption: No one else can read your instant messages.
Authentication: You are assured the correspondent is who you think it is.
Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.
Boy, the NSA sure has inspired the security guru community.  Way to go, NSA!

Oh, and the TSA is completely useless:
Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here's a paper about stabbing people with stuff you can take through airport security. And here's a German video of someone building a bomb out of components he snuck through a full-body scanner. There's lots more if you start poking around the Internet.

So, what's the moral here? It's not like the terrorists don't know about these tricks. They're no surprise to the TSA, either. If airport security is so porous, why aren't there more terrorist attacks? Why aren't the terrorists using these, and other, techniques to attack planes every month?

I think the answer is simple: airplane terrorism isn't a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself.
But hey, those citizens won't grope themselves.  Mission Accomplished, G-Man!

Thursday, July 11, 2013

Security news

Lots of Windowsy goodness in this week's Patch Tuesday, including a fix that covers all versions of Windows.  That's right, something that could be exploited in every Windows machine.  Cool beans.  One of the vulnerabilities is being exploited in the wild.  And bonus Internet Explorer fixes. Get yer fixes here (you need to use Internet Explorer for this).

Adobe released security updates for Flash and Shockwave.  Restarting your browser likely will do this (Adobe will tell you there's an update and ask you if you want it).  Or get it here.

The Commerce Department has an interesting approach to getting rid of malware: grind up the computers in industrial shredders:
A US Department of Commerce agency has been chastised for spunking $2.7m chasing down a supposed major malware infection that was actually limited to a handful of PCs.

The Economic Development Administration adopted a scorched earth policy - isolating itself from the internet before destroying more than $170,000 worth of equipment including printers, TVs, and even computer mice - in a comically inept attempt to resolve the phantom outbreak.

The physical destruction of equipment only ceased after the department's disposal budget was exhausted. "The destruction of IT components was clearly unnecessary," the Office of the Inspector General’s (OIG) auditor said in an official report released last month.
[rolls eyes]

Here are a couple of interesting browser plugins to combat nosy web tracking.  Ghostery and DoNotTrackMe are worth a look.  Note that this only protects you against nosy marketing types, not against the NSA.

Security guru Rich Mogul has a very interesting article about Apple's security strategy: make security both effective and invisible to the user:

For many years, Apple tended to choose good user experience at the expense of leaving users vulnerable to security risks. That strategy worked for a long time, in part because Apple’s comparatively low market share made its products less attractive targets. But as Apple products began to gain in popularity, many of us in the security business wondered how Apple would adjust its security strategies to its new position in the spotlight.

As it turns out, the company not only handled that change smoothly, it has embraced it. Despite a rocky start, Apple now applies its impressive design sensibilities to security, playing the game its own way and in the process changing our expectations for security and technology.
Worth a read.

Thursday, February 21, 2013

Security Smorgasbord, vol 5 no 1

Microsoft asks Is everything we know about passwords wrong? Interesting:
Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cybercrime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

When is it time to patch Adobe Reader and Java?  Any day that ends in "-day":
Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

The Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines.
Related:
Removing Java from your browser

Apple finally patches Java for OS X

Adobe Reader: security is now 3% less sucky

Security infrastructure vendors under attack

We've seen attacks against security technology vendors over the last few years: RSA, McAfee, a number of certificate granting firms.  Add a new one to the list:
Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

Waltham, Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.
It's an interesting technology, because antivirus techniques are always closing the barn door after the horse gets out.  Bit9's whitelisting technology reverses this: anything new is unusual and suspicious.  They have some clever ways to make sure that new updates from iTunes are added to the "good" list, so they've done decently well with forward thinking customers and have (so far) avoided the big problems with implementation and day to day operations that a lot of other technologies have encountered (*cough* IDS *cough*).

But their white list is only as good as the security of their list.  Bad Guys seem to have penetrated their network and added malware to the "good" list.  Several Bit9 customers seem to have been compromised this way.

I expect the trend of attacking security infrastructure to continue.  As Willie Sutton is said to have replied when asked why he robbed banks, "that's where the money is."  Penetrating technology infrastructure lets you get into the targets you really want much more easily.

Monday, October 1, 2012

Because that's where the money is

Money draws talent, and security is no exception.  Three examples show that the attackers are doing much more surgical targeting of victims.

Maker of "Smart Grid" control software hacked:
The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.

Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”
Isn't that exactly what the Bad Guys would want to target?  Note that this software is also used extensively by oil and gas companies, and some water works as well.

Adobe scrambles to revoke stolen cert:
Adobe has revealed an attack that compromised some of its software development servers, resulting in its code signing certificate being used to disguise malware as Adobe software.

The attackers compromised a build server, Adobe says in this statement, which had “access to the Adobe code signing infrastructure”. The build server had been put into service even though “the details of the machine’s configuration were not to Adobe corporate standards”.

The company is now revoking the certificates, which had been used to sign at least pwdump7 v7.1, which extracts password hashes from Windows; libeay32.dll, which works in conjunction with pwdump; and myGeeksmail.dll, which it describes as a malicious ISAPI filter.
If you've ever wondered how your browser recognizes a secure web site (say, Paypal), it uses X.509 certificates, the same kind of certificate used here to sign code.  The security here is very, very good, but it rests entirely on only the Good Guys being able to sign with the private key.  If the Bad Guys get into the system that does this - for example, Adobe's build server (the server that compiles their source code into executable software) - then it's Game Over.

A build server is exactly the sort of system that the Bad Guys would want to target at a company like Adobe.  They used it to sign their own malware, so presumably some computer users would have felt comfortable installing it.
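The signing chain the Adobe story turns on, as an added example that is not Adobe's code or anything from the page: a Go program that issues a hypothetical root CA and build-signer certificate, signs a constructed artifact, and runs the checks an installer should make before trusting a download (chain to a trusted root, code-signing usage, revocation, signature over the bytes). All names are made up, and the revoked-serial map stands in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl: self-signed when parent is nil (a root CA),
// otherwise signed by parentKey under parent. Failures here are entropy or template
// bugs, never untrusted input, so this demo helper panics.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a root-CA or code-signing-leaf template (hypothetical names).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// SignArtifact is the build server's job: hash the artifact with SHA-256 and
// sign the digest with the code-signing key (ASN.1-encoded ECDSA signature).
func SignArtifact(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	h := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyArtifact is what an installer should do before trusting a download:
// chain the signer's certificate to a trusted root, require the code-signing
// EKU, reject revoked certificates, and only then check the signature over
// the bytes. revokedSerials is a simplified stand-in for a CRL or OCSP lookup.
func VerifyArtifact(artifact, sig []byte, signer *x509.Certificate, roots *x509.CertPool, revokedSerials map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if revokedSerials[signer.SerialNumber.String()] {
		return fmt.Errorf("signer certificate serial %v has been revoked", signer.SerialNumber)
	}
	// CheckSignature hashes the artifact with SHA-256 and verifies the ECDSA
	// signature against the public key in the certificate.
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	return nil
}

// Demo sets up a hypothetical root CA and build-signer certificate, signs a
// constructed artifact, and reports the verifier's verdict (nil = accepted)
// for four situations; only "genuine build" should be accepted.
func Demo() (map[string]error, error) {
	root, rootKey := issue(template("Example Root CA", 1, true), nil, nil)
	signer, signerKey := issue(template("Example Build Signer", 2, false), root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	artifact := []byte("constructed sample installer bytes") // constructed input
	sig, err := SignArtifact(signerKey, artifact)
	if err != nil {
		return nil, err
	}
	// After a build-server compromise the genuine key has signed malware and the
	// signature is still valid; revoking the certificate is what stops it.
	revoked := map[string]bool{signer.SerialNumber.String(): true}
	return map[string]error{
		"genuine build":             VerifyArtifact(artifact, sig, signer, roots, nil),
		"signer not in trust store": VerifyArtifact(artifact, sig, signer, x509.NewCertPool(), nil),
		"tampered bytes":            VerifyArtifact(append([]byte("x"), artifact...), sig, signer, roots, nil),
		"signer revoked":            VerifyArtifact(artifact, sig, signer, roots, revoked),
	}, nil
}
```

Of the four verdicts Demo returns, only "genuine build" comes back nil; the revoked case is the one that matters for this story, since a signature produced by a compromised build server is otherwise indistinguishable from a legitimate one.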

Espionage Hackers target "watering hole" sites:
Security experts are accustomed to direct attacks, but some of today’s more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called “watering hole” tactics recently have been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare and utilities sectors.
As defenses have gotten better and it's gotten harder for the Bad Guys to penetrate corporate firewalls, the Bad Guys have looked for softer targets.  Web server attacks that leave malware posted on sites where people of interest are likely to visit means that you've shifted from hunting to trapping.  The problem for IT is that they're now not looking at a single firewall's security, but the security of thousands of end users.

And since the web site might be using SSL encryption, the malware will stream down through the firewall over an encrypted connection.  Sweet.

Why are the Bad Guys going to all this trouble?  It's because that's where the money is.  It's been a while since the days of hacking web sites and replacing them with "L4m3rz!!1!  W3 0wnz j00!!!1!!!"  Now it's "show me the money".

Wednesday, June 6, 2012

Security Smorgasbord, vol 4 no 3

If you use LinkedIn, change your password now:
A Russian hacker says he has stolen 6,458,020 encrypted passwords and posted them online (without usernames) to prove his feat. The breach comes on the heels of news that LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers.
What's the big deal if there are no user names associated with the passwords?  Simples: he's running up the price of the information he's selling by establishing credibility.  It's not that he doesn't have the user account names, just that he didn't post them.  His clients have to pay for that.

So get changing.  By the way, LinkedIn really hides the "Change Password" feature so I'm hot-linking it here.  It's really quite shameful how cavalier they are about their users' security.  At least they have a blog post about it, but nothing when you log in.

--------------------------------

The first rule about Cyber Attack Plans is that there are no Cyber Attack Plans:
CyCon 2012 NATO does NOT need cyber-offensive capabilities, according to a senior military commander.

Major General Jaap Willemse, who was speaking at the International Conference on Cyber Conflict (CyCon), said launching barrages of computer-based attacks is off the agenda for the Western military alliance, at least for the immediate future.
Well OK then!  Boy, that's a relief.  Pay no attention to that man behind the curtain.  The Great and Powerful Willemse has spoken ...

-------------------------------------

I keep telling people that they shouldn't attach critical systems (like SCADA process controllers) to Al Gore's series of tubes.  It's trivial to find them using this point and drool interface.

We're entirely screwed.

-------------------------------------

Apple is finally starting to get serious about security.  IT types, you'll want to grab their iOS Security Guide.

-------------------------------------

It seems that the FBI put together a file on Richard Feynman.  Interesting.  Remember, if I come across as paranoid, I was trained that way by the finest minds in the Free World.

Tuesday, April 17, 2012

Security Smorgasbord, vol 4 no 2

Malware in Macland

More Mac OS X trojan activity:
Last week, Apple released two urgent updates to Mac OS X to:

1. Remove the Flashback malware about which we have already written

2. Automatically deactivate the Java browser plugin and Java Web Start, effectively disabling java applets in browsers

Particularly, the second step shows the severity of the CVE-2012-0507 vulnerability exploited by Flashback to infect almost 700,000 users via drive-by malware downloads.

Actually, it was the right decision because we can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.
Apple has been pretty immune to this sort of thing in the past, while their market share was too small to attract the attention of the Bad Guys.  Those days are over.  loadlin, baby!

Malware in Androidland

Borepatch's First Law of security is "free download" is Intarwebz speak for "open your mouth and close your eyes".  We've seen malware in the Android app store, and that doesn't look like it's changing:
Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet–but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android.
It grabs the Android device ID, the phone number, your contacts list, etc, and beams it to somewhere on the 'net.  Seems over 70,000 people have downloaded it.  Me, I don't use apps.

Malware in Google Chrome browser extensions

Google has a web store for extensions to their Chrome browser.  Guess what showed up in the store?
Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users' Facebook profiles.

According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google's own servers contained hidden code that "can gain complete control" of the user's Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.
Notice a common thread here?  Security - it's not just a good idea.  It's Borepatch's Law.

Friday, March 23, 2012

Security Smorgasbord, vol 4 no 1

TSA Follies, Act The First:

A FBI Counter-Terrorism Special Agent says that the TSA is "tilting at windmills":
TSA has never, (and I invite them to prove me wrong), foiled a terrorist plot or stopped an attack on an airliner. Ever. They crow about weapons found and insinuate that this means they stopped terrorism.  They claim that they can’t comment due to “national security” implications. In fact, if they had foiled a plot, criminal charges would have to be filed. Ever hear of terrorism charges being filed because of something found during a TSA screening? No, because it’s never happened. Trust me, if TSA had ever foiled a terrorist plot, they would buy full-page ads in every newspaper in the United States to prove their importance and increase their budget.

I have a unique position from which to make these statements. For 25 years, as many of my readers know, I was an FBI Special Agent, and for many of those years, I was a counter-terrorism specialist. I ran the Los Angeles Joint Terrorism Task Force (JTTF) Al Qaeda squad. I ran the JTTF’s Extra-territorial squad, which responded to terrorism against the United States or its interests throughout the world. I have investigated Al Qaeda cell operations in the United States, Pakistan, Indonesia, the Philippines, and Thailand, just to name a few.

...

I have dealt with TSA since its inception and FAA security prior to that. I have witnessed TSA operate since they became a separate organization in 2002 and seen their reaction to intelligence provided them. I have now watched them operate for a decade, and I have respect for their hard-working employees who are doing a thankless job. But I have come to the conclusion that TSA is one of the worst-run, ineffective and most unnecessarily intrusive agencies in the United States government.
Long, but worth it for the straight talk.  Brutal straight talk.

TSA Follies, Act The Second

The comments here are particularly interesting.  Click on the tab that sorts them in terms of "highest rated" and then start reading.  All of the comments supporting the intrusive TSA search are from commenters in Europe.  All of them.

I said recently that in the 19th Century, everyone in Europe who thought that Europe sucked came here.  It seems that Europe has been breeding for an appreciation of suckiness.

All Your Devices Are Belong To Us

All your devices can be hacked.  All of them:

Avi Rubin is a big gun in computer security.  This is nothing short of horrifying, although putting Pac Man on a voting machine is pretty stylin'.  Another reason for my next car to be a '69 GTO.  Hack that, bitches ...

You watch us, we watch you

Anonymous released a bunch of U.S. Government diplomatic cables.  The ACLU saved one, and then filed a FOIA request for the same cable.  The U.S. Government gave them one that was heavily redacted. So now we know what the U.S. Government thinks is secret.  Yikes.

I'd say that the ACLU just hacked the Fed.Gov ...