In last week’s post, we reported on some concerning code identified in the Pipdig Power Pack (P3) plugin. The plugin, which is installed alongside WordPress themes sold by Pipdig, was found to contain a number of suspicious or malicious features. Among these features were a remote “killswitch” Pipdig could use to destroy sites, an obfuscated function used to change users’ passwords, and code which generated hourly requests with the apparent intent of DDoSing a competitor’s site.
In the days since we published that report, Pipdig has taken a series of increasingly questionable steps in their attempts to mitigate the fallout of their actions. Their team has issued baseless accusations that facts have been fabricated, collusion between their competitors had taken place, and that no wrongdoing of any sort had occurred.
These assertions stand in direct conflict with their actions. They’ve pulled down incriminating files from their sites, pushed undocumented updates to their plugins to remove additional malicious code, and have attempted to rewrite history by modifying dates of changelog entries. Then, perhaps most egregiously, Pipdig took down the Bitbucket repository containing a great deal of evidence of these actions. All of this had been done while an entire community of WordPress developers watched.
Protecting yourself from legal stalkerware: "What’s wrong with “legal” commercial spyware":
Despite its legal status, stalkerware is dangerous indeed. These apps put at risk both the subject and the object of spying. How do such apps pass the collected data to the person who installed them? By uploading it to a server where the user can access it and sift through the catch. So if you decide to spy on an employee suspected of dirty play, all of their incoming and outgoing letters with every confidential document and project detail will end up on that server, including the ones written by you. If you’re keen to learn the secrets of your love interest, your wooing messages, too, will be on the record.
But what’s wrong with that, you being the only person who can view this data? The problem is, you are probably not the only one. The app developer is almost certain to have access to it, too. That’s for starters. Worse, this sensitive data may end up in the hands of malefactors or even become publicly available.
... if the vehicle knows that the fake lane is pointing to the reverse lane, it should ignore this fake lane and then it could avoid a traffic accident.
This one explains who hacked the Tesla. It's an impressive article and shows the skills of Chinese white-hat hackers.
If you’re a programmer, don’t run servers as root. Code that accepts data packets from anywhere on the network shouldn’t be processing those packets as root, just in case something goes wrong. If crooks find a vulnerability in your network code and figure out an exploit, why hand them root-level powers at the same time?
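The recommendation above is usually implemented as "open the privileged resource first, then give up root before reading anything from the network". Here is an added example of that pattern in Python; it is not code from the article or from the router firmware it discusses. The service account name `nobody`, the port `8080`, and the function names are assumptions for the illustration.

```python
# Added example (not from the quoted article): bind the listening socket while
# still root, then permanently drop to an unprivileged account before any client
# data is parsed. Account name "nobody" and port 8080 are assumptions.
import os
import pwd
import socket
from typing import NamedTuple


class Account(NamedTuple):
    name: str
    uid: int
    gid: int


def resolve_unprivileged_account(name: str) -> Account:
    """Look up a service account and refuse anything that maps to uid or gid 0."""
    entry = pwd.getpwnam(name)  # raises KeyError if the account does not exist
    if entry.pw_uid == 0 or entry.pw_gid == 0:
        raise ValueError(f"{name!r} resolves to uid/gid 0; refusing to use it as a service account")
    return Account(name, entry.pw_uid, entry.pw_gid)


def drop_privileges(account: Account) -> None:
    """Irreversibly switch the whole process to the service account.

    Order matters: supplementary groups first, then gid, then uid, because once
    the uid is no longer 0 the first two calls fail with EPERM.
    """
    if os.geteuid() != 0:
        raise RuntimeError("drop_privileges() must be called while still root")
    os.setgroups([])         # shed root's supplementary groups
    os.setgid(account.gid)   # setgid/setuid (not the seteuid variants) change the real,
    os.setuid(account.uid)   # effective and saved ids, so root cannot be regained later


def privileges_are_dropped() -> bool:
    """True when the process is unprivileged and cannot get uid 0 back."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: the saved uid was still root


def serve(port: int, account_name: str = "nobody") -> None:
    """Open the socket as root, then drop root before touching any packet."""
    account = resolve_unprivileged_account(account_name)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", port))  # root is only needed here if port < 1024
    listener.listen(16)
    drop_privileges(account)
    if not privileges_are_dropped():
        raise RuntimeError("refusing to serve: process can still regain root")
    while True:
        conn, _peer = listener.accept()
        with conn:
            # Untrusted input is now handled as `account`, not as root, so a
            # parsing bug here yields an unprivileged process, not the whole box.
            data = conn.recv(4096)
            conn.sendall(b"received %d bytes\n" % len(data))


if __name__ == "__main__":
    serve(8080)
```

The check in `privileges_are_dropped()` is the part people forget: calling `seteuid()` instead of `setuid()` leaves the saved uid at 0, and the process can quietly become root again, which is exactly the situation the article warns about.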
If you own an affected router, be aware that anyone you allow onto your Wi-Fi network can probably take it over rather easily using Garrett’s proof-of-concept code. In particular, if you run a coffee shop or other shared space, avoid using an SR20 for your free Wi-Fi access point.
Whichever brand of router you have, go into the administration interface and check your Remote access setting. At home, you almost never need or want to let outsiders see the inside of your network, so make sure that remote access is off unless you are certain that you need it.
Their new cryptographic library provides a number of security guarantees. The researchers proved that EverCrypt is free of coding errors, like buffer overruns, that can enable hacking attacks — in effect, provably ruling out susceptibility to all possible corner cases. They also proved that EverCrypt gets the cryptographic math right every time — it never performs the wrong computation.
But the most striking guarantee EverCrypt makes has to do with an entirely different class of security weaknesses. These occur when a bad actor infers the contents of an encrypted message just by observing how a program operates.
For example, an observer might know that an encryption algorithm runs just a little faster when it adds “0” to a value and just a little slower when it adds “1” to a value. By measuring the amount of time an algorithm takes to encrypt a message, an observer could start to figure out whether the binary representation of a message has more 0s or 1s in it — and eventually infer the complete message. “Somewhere deep in your algorithm or the way you implement your algorithm you are leaking information, which can completely defeat the purpose of the entire encryption,” said Bhargavan. Such “side-channel attacks” were behind several of the most notorious hacking attacks in recent years, including the Lucky Thirteen attack. The researchers proved that EverCrypt never leaks information in ways that can be exploited by these types of timing attacks.
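The timing leak described above comes from a data-dependent early exit. The following added example (my own illustration, not code from the Quanta article or from the EverCrypt project) makes the leak visible without a stopwatch: each comparison reports how many bytes it examined, which is a deterministic stand-in for running time. The function names, the instrumented counter and the four-byte sample secret are all constructed for this example.

```python
# Added example (not from the article or from EverCrypt): a comparison that
# returns at the first mismatch leaks the length of the correct prefix; the
# constant-time version does the same work for every input of a given length.
import hmac
from typing import Callable, List, Tuple


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (equal, bytes_examined). The second value tracks running time: it
    grows with the length of the matching prefix, which is what a timing
    attacker measures to recover the secret one byte at a time.
    (Both functions here still reveal the length; so does hmac.compare_digest.)
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined  # data-dependent early exit: the leak
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Examine every byte regardless of where the first mismatch is.

    Differences are OR-accumulated into one integer; there is no branch on the
    data and no early return, so the work depends only on the length.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_tag(expected: bytes, received: bytes) -> bool:
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected, received)


def work_profile(compare: Callable[[bytes, bytes], Tuple[bool, int]], secret: bytes) -> List[int]:
    """Bytes examined for guesses that are wrong at position 0, 1, ..., n-1."""
    profile = []
    for i in range(len(secret)):
        guess = bytearray(secret)
        guess[i] ^= 0xFF  # corrupt exactly one byte
        profile.append(compare(secret, bytes(guess))[1])
    return profile


if __name__ == "__main__":
    SECRET = b"\x13\x37\xc0\xde"  # constructed sample value
    print("leaky:        ", work_profile(leaky_compare, SECRET))
    print("constant-time:", work_profile(constant_time_compare, SECRET))
```

In the leaky profile the amount of work rises by one for every correct leading byte, so an attacker can confirm a guess one position at a time; the constant-time profile is flat. The same principle applies to the padding and MAC checks behind Lucky Thirteen, where the variable work was a MAC computation rather than a loop exit.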
“Poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities. The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly. Other impacts could include being able to access user traffic or reconfiguration of the network elements.”
NCSC does not believe that the defects identified are because of Chinese government interference.
If you don't want any site to prompt you to allow push notifications, enter about:config in the address bar and press Return. Enter dom.webnotifications.enabled in the search box. Double-click the line that appears; this toggles the setting from true to false. (Double-clicking again reverses it.) Close that tab with the setting at false, and you're done.
Using Amazon is easy, but that means lazy server admins can use it and leave huge security holes.
Computer security expert at Surrey University, Professor Alan Woodward explained to The BBC that the flaw resembled the type of backdoors the NSA creates to spy on targets' computers, saying:
"It was introduced at the manufacture stage but the path by which it came to be there is unknown and the fact that it looks like an exploit that is linked to the NSA doesn't mean anything. It could be organised crime gangs, which are increasingly interfering with the supply chain, or it could be someone playing geo-politics to discredit Huawei. There is no evidence that the company has done anything malicious or any evidence they were under pressure from the state."
... the security flaw was caused by communication issues between the various SDKs used by the Guard Provider app making it possible for potential attackers to "inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware."
What made this security issue all the more serious was the fact that the Check Point Research team found it in one of the pre-installed applications on Xiaomi smartphones, a company which ranked third in the mobile phone market during 2018 with an 8% market share.
More than a dozen US-based web servers were used to host 10 malware families, distributed through mass phishing campaigns.
Malware families include Dridex, GandCrab, Neutrino, IcedID and others.
Evidence suggests the existence of distinct threat actors: one responsible for email and malware hosting, and others that operate the malware.
Indications that the servers are part of Necurs botnet malware-hosting infrastructure.
03 Apr 2019 - Posted by Luca Carettoni
We’re back from BlackHat Asia 2019 where we introduced a relatively unexplored class of vulnerabilities affecting Electron-based applications.
Despite popular belief, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning common pitfalls. Isolation is now widely deployed across all top Electron applications and so turning XSS [cross-site scripting] into RCE [remote code execution] isn’t child’s play anymore.
Posted on April 4, 2019 by Troy Mursch
Ongoing DNS hijacking campaign targeting consumer routers:
As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).
Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.
An EXE infection for your Mac:
April 5, 2019
The idea that macOS is invulnerable is a myth, as we’ve said many times before. Recently, cybercriminals found yet another way to tiptoe past its built-in defense mechanism. They collected data about the infected system and fed it into adware using files with the EXE extension, which usually runs only in Windows. An EXE file infecting Mac users? Strange, but the method does work.
Since the GPS system went into use in 1980, the first reset of the week counters happened on Aug 21, 1999, so the next one is set to take place on April 6. Officials at the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency have warned critical infrastructure operators in communications, transportation, power grid, finance and other fields to ensure that their GPS receivers can handle the resetting of the counters this week.
Just as wireless signals can be spoofed and mobile devices tricked into connecting with fake transmitters that then collect private information, GPS devices can be tricked into connecting to fake devices that can then manipulate location and time signals.
Last week, C4ADS, a non-profit group that focuses on security, released a report showing that it found 9,883 cases of GPS spoofing across 10 locations in and around Europe, which affected 1,311 civilian navigation systems since February 2016.
A majority of those false GPS signals were generated by Russian-made equipment and were likely [I dislike speculation, which can be outright propaganda] used by Moscow's security services to protect Russian President Vladimir Putin from possible attacks, as well as for strategic reasons in Syria, Crimea and in the Black Sea region to defend Russian interests, C4ADS said.
Why did I add, "I dislike speculation, which can be outright propaganda"? Well, most cybersecurity people globally are aware of the attacks on Kaspersky Lab, which is of Russian origin. Most of them also know that Kaspersky has directly aided the global cybersecurity community immensely and that includes many important, even vital, US companies, by reporting hundreds and hundreds of cyber weaknesses in software developed everywhere, including in Russia itself.
I'm not saying straitstimes is engaging in deliberate propaganda because the post refers to Russia. I'm saying that it's wise to always take country-of-origin claims concerning cyber attacks with a block of salt. Origins and hardware and software, etc., can all be faked by others out to make another country or organization look bad. It's just a fact of cyber life.
These people are the source for the "Russia likely did it" comment: C4ADS. They may be right about Russia in this case, but they may not be, which the "likely" clearly states.
Has the World's First Unhackable Chip Arrived?:
They needed to strip out all logic and leave no structural traces. Hackers could identify the chip design, but they would have no sense of its logic or functionality without the special key of 0’s and 1’s. The functionality, says Sinanoglu, is buried in the secret key. They unveiled the subtractive version of their chip in December 2018, and once again invited hackers to have at it. Since then, Sinanoglu says, no one has found the key.
... But Dan Goldberg, founder of Castlerock Cyber Security and an information security consultant in Virginia, expresses skepticism that anything “as complex as a microprocessor or general purpose computing device” can be truly unhackable.
For starters, Goldberg worries about key discipline: Who has access to the key and what happens when that access is revoked? Could a spurned employee exact revenge? What if the key is lost? Goldberg’s approach is to design networks and systems that follow a “defense in-depth” model. “If a malicious actor gets access to one aspect of the system, they don’t immediately have access to everything,” he explains. Sinanoglu acknowledges that, for now, they can only secure their chip at the hardware layer, but when the hardware is compromised, the whole system is compromised — which is why he considers his team’s latest iteration the unhackable ideal he has been working toward for most of his life.
Has the World's First Unhackable Chip Arrived? I doubt it very seriously. Although, the stronger, the better until ....
Deepfake Malware Can Trick Radiologists Into Believing You Have Cancer:
A search online with Shodan.io (a search engine for IoT devices) found 1,849 medical image (DICOM) servers and 842 PACS servers exposed to the internet. Researchers have demonstrated that these services are vulnerable to external attack, as well as internal penetration. They write:
Since 3D medical scans provide strong evidence of medical conditions, an attacker with access to a scan would have the power to change the outcome of the patient’s diagnosis. For example, an attacker can add or remove evidence of aneurysms, heart disease, blood clots, infections, arthritis, cartilage problems, torn ligaments or tendons, tumors in the brain, heart, or spine, and other cancers.
The threat of deepfakes has mostly been framed as an attack on truthful public messaging or assaults on privacy. Using AI to record fake messages from politicians declaring support for causes they don’t stand for, or to insert someone else’s face into hardcore pornography is a threat to accurate reporting and privacy. Now, there’s evidence they can be used to alter data, even in the places we most need data to be accurate. The risk of attack is low, but the potential for disruption in the event of a successful intrusion is quite high.
An online black market offering cybercrime goods and services was found on Facebook, spreading over 74 groups and totaling around 385,000 members, according to a report by Cisco Talos security researchers.
And they still keep springing up on Facebook.
This is really bad. If I were a black-hat hacker, the last place I'd have thought would be "safe" to go for illegal stuff would be a place like Facebook, which can look up your ___ (fill in the blank). For Facebook not to have known this was going on defies the imagination.
Nasty and stupid:
As reported by Ars Technica, Office Depot and its subsidiary OfficeMax developed a fake “PC Health Check” that would tell customers that their computers had been infected with malware regardless of the computer’s actual status. The program then recommended that customers purchase a repair service that often cost up to $300.
Good for the employee who refused to run the scans!
Massive bank app security holes: You might want to go back to that money under the mattress tactic:
My favorite finding from the Aite Group report: "Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them," the report noted. "Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things."
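The finding quoted above is the kind of thing a build-time check catches before an app ships. The example below is an added illustration, not code from the Aite Group report or from any of the apps it examined: it walks an unpacked app bundle (given here as an in-memory mapping of paths to contents) and flags embedded private keys, bundled keystores and API-key-looking string literals. The file names, the fake key material and the regular expressions are all constructed assumptions about what hard-coded secrets usually look like.

```python
# Added example (not from the Aite report): a secrets scan over an unpacked app
# bundle. Sample bundle contents below are constructed; the key material is fake.
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int      # 0 means the finding is about the file itself, not a line in it
    kind: str
    excerpt: str


# File types that should never ship inside a client app at all.
KEYSTORE_SUFFIXES = (".p12", ".pfx", ".jks", ".key")

# Line-level patterns, most specific first.
PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("api-key-assignment", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|client[_-]?secret|token)\b\s*[=:]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']")),
]

# Literals that look like secrets but are documented placeholders, not real credentials.
PLACEHOLDER = re.compile(r"(?i)(your|example|placeholder|dummy|changeme|xxx+)")


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if kind == "api-key-assignment" and PLACEHOLDER.search(m.group(1)):
                continue  # obvious placeholder: keep scanning, do not report
            findings.append(Finding(path, lineno, kind, line.strip()[:80]))
            break  # one finding per line is enough
    return findings


def scan_bundle(files: Dict[str, str]) -> List[Finding]:
    """Scan an unpacked bundle given as {relative path: text contents}."""
    out = []
    for path in sorted(files):
        if path.lower().endswith(KEYSTORE_SUFFIXES):
            out.append(Finding(path, 0, "bundled-keystore", path))
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample bundle: one real-looking key, one PEM private key, one
# keystore file and one documented placeholder that must not be reported.
SAMPLE_BUNDLE = {
    "assets/config.properties": (
        "api_base=https://api.example.invalid\n"
        'api_key="A1b2C3d4E5f6G7h8I9j0K1l2M3n4"\n'
    ),
    "assets/client.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEfakeKeyMaterialForTheExampleOnly\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "res/raw/keystore.p12": "<binary contents omitted>",
    "src/Auth.java": 'String apiKey = "YOUR_API_KEY_GOES_HERE_00"; // placeholder\n',
}


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.path}:{f.line}: {f.kind}: {f.excerpt}")
```

Run against the sample bundle this reports the PEM private key, the keystore file and the real-looking `api_key` literal, and stays quiet on the `YOUR_API_KEY...` placeholder. Anything this finds belongs on the server side or must be issued to the device at runtime after authentication; a client-side certificate whose private key is in the package is, as the report puts it, available to anyone who copies the file and runs a password cracker against it.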
...Aite said, it chose to not tell any of the companies examined that it found major security holes on their sites. This is regrettable, but understandable. It's a fear — ranging from litigation to being blackballed in the industry — that pen testers have these days about examining sites or apps without the company's permission. Given that Aite has to work with these companies, it makes sense that it wouldn't want to flag these companies that they have issues.
In a Utopian world, companies would be ecstatic to be informed about issues on their site/app before cyberthieves found them, but that's not how the world works, especially in the U.S. Hint to FI companies: Hire a pen tester today to check out your site and apps. Some of you have massive issues.