Multiple consumers have reported being terrified after hackers infiltrated the Nest cameras in their homes, with one malicious actor making claims of a North Korean missile threat, according to CBS News.
California resident Laura Lyons reported that malicious actors gained control of her Nest security camera, which belted out a terrifying emergency alert warning them to find shelter because three missiles from North Korea were headed to the US.
Another family in South King County, Washington, reported a hacker gained access to their Nest security camera and verbally assaulted the mother and children, according to K5 News.
What consumers might not understand, though, is that it’s not vulnerabilities that are causing this. “It is the reuse of existing passwords that have already been exposed in previous attacks,” said Laurence Pitt, security strategy director, Juniper Networks.
“If people want to keep these important devices safe, they need to use strong and unique passwords at a minimum, and make the investment in a password management tool (1Password, my favorite, or LastPass, for example). This can help to create strong passwords and then stores them in a safe place so that there’s no need to try and remember them all,” Pitt said.
In a prepared statement shared with Infosecurity, Nest confirmed that there indeed was no vulnerability or breach. “These recent reports are based on customers using compromised passwords [exposed through breaches on other websites]. In nearly all cases, two-factor verification eliminates this type of security risk.
“We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
News of the hacks has raised questions about who is responsible for the security of in-home connected devices. “Consumers will need to rethink how much of a security risk they’re willing to take in exchange for the convenience of a connected device, appliance, or car,” said Pat Ciavolella, digital security and operations director for The Media Trust.
"The problem with consumers, as I see it, is understanding the security vs. convenience trade-off. It's a tough choice for companies to make: potentially frustrate a customer by forcing them to do a password reset or allowing the customer to have convenience at the expense of their privacy and/or security,” said Lisa Plaggemier, chief evangelist, InfoSec Institute.
“Consumers are very quick, it seems, to choose convenience. Even when consumers exhibit bad security habits that make them vulnerable (in this case, using the same password on multiple accounts), when something goes wrong, the consumer blames the device provider.
“Bottom line: If more companies would adopt the measures Google is putting in place (forcing password resets, and preventing breached credentials from being reused), I think consumers would start to accept it as 'normal' instead of an inconvenience.”
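The two controls named above, Pitt's "strong and unique passwords" and Nest's promise to "reject compromised passwords", can be implemented at account creation or password change without the service ever seeing the breach corpus in full. The example below is added here and is not Nest's code or anything Pitt described; it models the k-anonymity scheme used by the Pwned Passwords range API (SHA-1 of the password, the first five hex characters sent as the query, a list of "SUFFIX:COUNT" lines returned), but runs entirely offline against a constructed breach corpus so it can be executed as written. The corpus contents and counts are made up for illustration.

```python
import hashlib


def sha1_upper_hex(password: str) -> str:
    """SHA-1 hex digest, upper-cased: the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus. The strings are generic
# weak passwords; the counts are invented so each entry has a distinct value.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 3_500_000,
    "letmein": 150_000,
}


def build_range_table(corpus: dict) -> dict:
    """Index the corpus the way a k-anonymity service does: keyed by the first
    five hex characters of the SHA-1, each bucket a text block of SUFFIX:COUNT lines."""
    table = {}
    for pw, count in corpus.items():
        digest = sha1_upper_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in table.items()}


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACH_CORPUS)


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix is ever sent to the service; the full hash stays local."""
    return RANGE_TABLE.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appears in breach data (0 if never seen).
    The suffix comparison happens on the client, so the service learns only the prefix."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, min_length: int = 12) -> dict:
    """Policy check a signup or password-change handler would run: minimum length,
    plus rejection of anything already present in breach data."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        reasons.append(f"appears {seen} times in breach data")
    return {"accepted": not reasons, "breach_count": seen, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor", "Correct-Horse-Battery-Staple-2019"):
        print(candidate, evaluate_password(candidate))
```

Swapping `fetch_range_offline` for a real HTTP call is the only change needed to go live; the rejection logic, and the property that the service never receives the full hash, stay the same. This check complements rather than replaces two-factor verification, which is what actually stops a reused password from being enough on its own.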
Executives at financial services companies are increasingly concerned about risks, but as technology becomes more integrated in managing financials, more executives say that cybersecurity is increasingly becoming the most important type of risk, according to a new Deloitte survey, Global Risk Management Survey, 11th Edition.
When asked which risk types would grow in importance over the next two years, 67% of financial services executives named cybersecurity, according to the report, up from 41% in 2016.
Despite identifying the increased risk from cyber, approximately half of the respondents said their companies are extremely effective or very effective at managing this risk. When looked at in different categories, 58% of respondents rated their organizations as effective at managing disruptive attacks, 57% for financial losses or fraud, 54% for cybersecurity risks from customers and loss of sensitive data, and 53% for destructive attacks.
When asked about managing risks from nation-state attacks, though, only 37% of financial services executives felt their institutions were effective.
Still, the study reflected a continued growth in cybersecurity risk awareness, with only 31% of respondents saying it is a challenge to "get the businesses to understand their role in cybersecurity risk," down from 47%.
The concerns are not unwarranted, particularly given the news that more than 24 million banking and financial records were left exposed. Protecting the financial services sector from increasing cybersecurity risks is one reason banks, fintech companies, data aggregators and others have joined a nonprofit set up by FS-ISAC with the goal of creating and supporting a unified API standard that allows consumers and businesses to share data with greater confidence and control.
“Balancing financial innovation with the critical need for data security is one of the main reasons we created the Financial Data Exchange (FDX),” said Don Cardinal, managing director of FDX. “This is the first time the industry has come together to fund a single standard that secures financial data sharing.”
Google Cloud Platform (GCP) services have been targeted by a newly discovered malware campaign delivering malware via PDF file decoys, according to Netskope Threat Research Labs.
Attackers are reportedly using the Google Cloud App Engine platform to deliver malware with PDF decoys, identified as PDF_Phish.Gen, and GCP URLs that redirect victims to malicious payloads. The research conducted by the team verified evidence of these attacks targeting governments and financial firms worldwide, with multiple decoys possibly linked to the Cobalt Strike advanced persistent threat (APT) group.
The team reportedly detected several targeted attacks predominantly in the banking and finance sector, all of which were EML files that carried an .eml extension and contained the same detection name, which triggered alerts.
“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a GoogleApp Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely,” researchers wrote.
Though PDF readers typically warn users about potential security risks with documents that connect to a website, researchers said, “Once 'remember this action for this site' is checked for a domain, this feature allows any URL within the domain without any prompt.” Leveraging this default option allows the attacker to successfully execute multiple attacks without prompting the security alert.
Each of the files used in the attack reportedly downloaded Microsoft Word documents with obfuscated macro code or PDF documents as the second-stage payload.
“The PDF decoy detected in our customer instances downloaded a word document named 'Doc102018.doc' containing obfuscated macro code...On execution, the victim is presented with a message to enable editing and content mode to view the document,” the report said.
The research suggests that continued adoption of the platform will create an increased cyber-attack surface where hackers can target the infrastructure.
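The defensive lesson from the decoy described above is that the reader's prompt is not a control once "remember this action" has been ticked, so off-document links should be surfaced before a PDF is ever opened. The triage function below is an added example, not Netskope's tooling: it extracts `/URI` actions from a PDF's raw bytes and reports which hosts they point at, against an allowlist the caller supplies. The embedded PDF is a constructed minimal file with one link annotation, and the URL in it is a placeholder; the regex handles literal-string URIs only, which is how link annotations are usually written, not hex-encoded or object-stream-compressed forms.

```python
import re
from urllib.parse import urlparse

# Constructed one-page PDF skeleton whose single link annotation carries a /URI
# action pointing off-document. Not a real decoy sample; the URL is a placeholder.
CONSTRUCTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://redirector.example.net/view?id=102018) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A URI action is a dictionary with /S /URI and a /URI (literal string).
# The string body allows backslash-escaped parentheses, which the group handles.
URI_ACTION = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uri_actions(pdf_bytes: bytes) -> list:
    """Return every URI-action target found in the raw PDF, unescaped."""
    targets = []
    for match in URI_ACTION.finditer(pdf_bytes):
        raw = match.group(1).decode("latin-1")
        targets.append(raw.replace("\\(", "(").replace("\\)", ")").replace("\\\\", "\\"))
    return targets


def triage_pdf_links(pdf_bytes: bytes, trusted_hosts=()) -> list:
    """Classify each outbound link by host. A link is 'trusted' only if its host is,
    or is a subdomain of, an entry in trusted_hosts; everything else is flagged for review."""
    report = []
    for uri in extract_uri_actions(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower()
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        report.append({"uri": uri, "host": host, "trusted": trusted})
    return report


def has_untrusted_links(pdf_bytes: bytes, trusted_hosts=()) -> bool:
    """Convenience gate for a mail-gateway or sandbox pipeline."""
    return any(not entry["trusted"] for entry in triage_pdf_links(pdf_bytes, trusted_hosts))


if __name__ == "__main__":
    for entry in triage_pdf_links(CONSTRUCTED_PDF, trusted_hosts=("example.com",)):
        print(entry)
```

The point of the allowlist is that a link to a well-known cloud platform is not evidence of safety: the decoys above were convincing precisely because the hostname belonged to a trusted provider, so the decision has to be made per document and per destination rather than per domain reputation.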
Security researchers have warned of a new malvertising campaign using steganography techniques to target Apple users.
The VeryMal group has run multiple campaigns since August 2018, attempting to redirect users to the veryield-malyst domain, according to Confiant security engineer, Eliya Stein.
As many as five million users may have been subject to the most recent campaign, which used steganography to hide the payload from security tools.
“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Stein.
In this case the campaign is designed to drop a trojan known as Shlayer, an adware installer which uses “an atypical installation routine” in a bid to evade detection.
VeryMal campaigns are typically only active for a few days, in this case from January 11-13 on two top-tier exchanges representing around a quarter of the top 100 publisher sites, Stein added.
US-based Mac and iOS customers are the target for VeryMal.
This could be hurting the ad industry dearly. Confiant calculated the financial impact of just one day of this campaign at over $1.2m — factoring in publishers losing money from interrupted user sessions and increased use of ad blockers by disgruntled users in the future.
Ad exchanges also lose out from having inventory access cut off, and advertisers suffer ad fraud from infected devices, not to mention users with infected machines, explained Stein.
Confiant detected and blocked over 191,000 impressions across its publisher customers for this campaign, whilst a further two in December apparently yielded over 437,000 impressions.
A UK-based cybersecurity vendor has detailed how it turned the tables on an angler phishing operation posing as Virgin Media support on Twitter.
This particular type of phishing attack is a relatively new tactic. It involves the scammer registering fake Twitter accounts that masquerade as legitimate customer support and then monitoring the real support accounts for irate customer messages.
They then jump in quickly to exploit the customer’s frustration and the immediacy of Twitter to send messages back to those customers, typically loaded with malicious links.
This is what happened to a member of the team at pen-testing firm Fidus Information Security when they complained to Virgin Media via Twitter.
After receiving replies from the official account and a legitimate-looking fake they decided to have some fun.
First, they attempted to test how gullible the scammers were, providing a fake name (Wade Wilson, aka comic book character Deadpool) and address (Savile Row police station).
The scammers subsequently requested card details linked to the Virgin Media account, to which Fidus replied with a set of test credit card details.
After the card didn’t authorize for the scammers, they tried to persuade their ‘victim’ into handing over details for another card. At the same time, the security vendor was in turn trying to trick them into clicking on a link to a site hosted by its company, to expose their IP address.
In the end the firm faked a screenshot of an AmEx fraud alert SMS featuring its own phishing link requesting that the user click to verify their card details.
That appears to have been enough to phish the phishers.
“After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back,” the vendor explained.
“We reported this all back to Twitter, who’ve since suspended the account, and Police in the UK in the hope some action can be taken against those responsible.”
Cybercrime against UK households is more common today than robbery or theft offenses, according to the latest Office of National Statistics (ONS) figures.
The Crime in England and Wales survey (CSEW) is based on survey questions posed mainly to households by the ONS.
It calculated that computer misuse affected 1.8% of the UK population in the year ending September 2018, about the same as violent crime, but more than robbery (0.3%), “theft from the person” (0.8%), and “other theft of personal property” (1.3%).
The survey estimated around a million computer misuse offenses against UK households during this time period, although this figure has dropped by a third (33%), thanks to a major 45% fall in computer virus-related incidents.
Action Fraud data was also broken down in the report, as although it covers a smaller volume of offenses (24,000), it does include figures on cybercrime reported by businesses, which the CSEW does not.
It also reported a drop in reported computer viruses of 25%, but overall computer misuse crime jumped 12% over the period.
This figure is thought to have been driven by an increase in “hacking – social media and email” crimes over the 12 months.
“This is thought to reflect an increasing awareness of falling victim to hacking among the public, leading to a greater likelihood of incidents being reported,” the ONS claimed.
Fraud figures didn’t change significantly from the previous year, with online scams now accounting for 56% of the total, or 1.9m incidents, according to the report.
Fraser Kyne, EMEA CTO at Bromium, said the findings chimed with trends observed by his company over the past two years.
“Last year there was a 145% rise in malware, but this year that dropped by 25% as hackers switched tactics to hijack email and social media accounts,” he explained.
“The risk here for organizations is that hackers are still exploiting the weakest link in security, people. It is also worth noting that Action Fraud’s stats only reflect reported crime. These detected events prove that hackers are still bypassing defenses; but we must also assume that malware is breaking through and remaining undetected.”
A new cybersecurity curriculum targeting junior Girl Scouts aged 9-11 aims to shift the image of the young girls in green from cookie distributors to cyber defenders, according to news from Hewlett Packard Enterprise (HPE).
HPE has teamed up with the Girl Scouts to launch a cybersecurity education program specifically for young girls to learn and test out their cyber savvy using a newly debuted interactive online game. The game is dubbed Cyber Squad, and the program is initially being rolled out with Girl Scouts of Nation’s Capital, in counties throughout Washington D.C., Maryland and Northern Virginia.
The narrative game was custom-designed specifically for the Girl Scouts pro bono by HPE’s women in cybersecurity group. Cyber Squad takes players through mock scenarios and simulates the consequences of both risky and safe online behaviors.
At a time when 86% of girls engage in online chats unbeknownst to their parents, this new educational tool is critical to keeping young women safe online. Given that 69% of teens regularly receive electronic exchanges from strangers and don’t share that information with their parents, they are becoming increasingly vulnerable to negative online behaviors and privacy risks. In fact, according to HPE’s press release, 27% of young people willingly agree to in-person meetings with someone they have only met online.
“Kids are becoming more mobile, networked and connected, but this also comes with alarming risks and dangers. Making basic cybersecurity awareness at a young age is imperative, and as fundamental as safety skills in the physical world, like learning how to cross the street,” said HPE chief information security officer Liz Joyce in a press release.
“As someone who tackles cyber risks and crime by day and goes home to a young daughter at night, I know just how critical this education is. Through this collaboration, we hope to arm Girl Scouts with the cybersecurity literacy and knowledge they need to be savvy, secure and safe online, and to empower them to be good digital citizens.”
To address the growing concerns of online behavior and communication, the curriculum will cover four crucial areas, including personal information and digital footprint, online safety, privacy and security, and cyber-bullying.
Those Girl Scouts who complete the game and a corresponding curriculum (taught via troops) will earn an embroidered patch for their uniforms certifying their newfound knowledge. The curriculum and game are intended to foster cyber and STEM smarts in a fun and relatable way.
The British public is dead-set against the use of drones, with the vast majority believing that they represent a national security risk and that cyber experts must do more to mitigate the threat from above.
Think tank Parliament Street polled 2000 members of the public to compile its latest report, Drones 4 U.
It appears as if recent incidents at two London airports have had a major impact on the public perception of unmanned aerial vehicles (UAVs).
Three-quarters (75%) believe them to be a national security threat, with only 2% disagreeing, according to the report.
Over a third (38%) said they want to see drones banned altogether, but a larger number (83%) backed a mandatory licensing system for owners similar to firearm regulations.
The vast majority (83%) of those surveyed also believe the UK is failing to keep up with the threat of developments in drone technology, and a similar number (84%) want cyber experts to do more to help during serious incidents.
Drones flying over Gatwick Airport caused chaos last month as both runways were forced to close, leading to an estimated 800 cancelled flights affecting 120,000 passengers over several days. The incident was a much worse repeat of a 2017 closure of the same airport due to UAVs when a runway was shut for 14 minutes.
A similar problem hit Heathrow Airport earlier this month.
Such incidents are becoming increasingly frequent. According to Parliament Street, drones have flown dangerously close to passenger aircraft in the airspace around Gatwick at least five times over the past four years.
There are also concerns over drones potentially being hijacked by hackers and used to cause incidents like the ones above.
PwC warned last year that GPS receivers are a major weakness in civilian drones as they’re dependent largely on unencrypted signals.
“Without secure authentication mechanisms, location spoofing is possible. The internal measurement units rely on data from other sensors on the drone and measure direction of travel — if they are fed incorrect information, the drone’s course or altitude could be altered,” it added in a blog post.
“Another potential vulnerability is the functionality to configure a drone to ignore communications from the ground during flight. This is meant to be a safety control, but it could be attractive to threat actors looking to cause harm … it is important that end-to-end security is employed to secure any drone-enabled service.”
Security researchers are warning of a newly discovered and highly sophisticated strain of modular ransomware featuring special capabilities to resist analysis.
Dubbed “Anatova” by McAfee, the malware has been detected across the globe, in the US, UK, Russia, Italy, Sweden and beyond. It was discovered in a private P2P network, using a game or application icon to trick users into downloading it.
Compiled on January 1 this year, Anatova is believed to have been created by “skilled malware authors.”
Each sample analyzed by McAfee had its own unique key, a rarity in the ransomware world, and featured strong protection against static analysis.
Most strings are encrypted, using different keys to decrypt them, and 90% of calls are dynamic and use only standard Windows APIs and C programming, the vendor claimed. The malware also initiates a memory cleaning procedure if it comes across one of a list of usernames commonly used by virtual machines/sandboxes.
Files are encrypted via Salsa20 and the malware will also hunt down any files on network shares, with 10 DASH coins ($700) demanded in return for decryption.
“Finally, when all steps are completed, the ransomware will follow the flow of cleaning code…mainly to prevent dumping memory code that could assist in creating a decryption tool,” McAfee explained.
The ransomware is modular in architecture, leading to speculation that its authors could package these capabilities up with information-stealing or other functionality to improve the chances of monetizing attacks.
The findings highlight the fact that ransomware remains a major threat to organizations, despite more publicity being focused on crypto-mining in 2018.
Earlier this month the Texan city of Del Rio warned that it had been hit by a major ransomware-related outage.
Europol last year warned that ransomware would be a top threat to businesses for years to come.
Google is under investigation in Sweden over alleged breaches of the GDPR, just days after it was issued with a major €50m fine in France.
Swedish regulator Datainspektionen revealed earlier this week that it launched the investigation into collection of Android users’ location data, after receiving a complaint from the Sveriges Konsumenter (Swedish Consumer Association) linked to allegations in an earlier report by Forbrukerrådet (the Norwegian Consumer Council).
“In summary, the complainant holds that the way Google provides itself access to the location data of users of its mobile operative system Android by ways of its so called ‘Location History’ and ‘Web & App Activity’ is in breach of the GDPR,” the authority said.
“According to the complainant, the report by Forbrukerrådet states that Google use deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements. In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR.”
A supervisory letter sent to the web giant requests more information and answers to a series of questions by February 1.
Specifically, it wants to know the total number of Swedes who have had location data slurped through the services and how many data points are gathered on average per individual, broken down for every hour of the day.
It asks for privacy policies, data impact assessments and records of processing activities, and wants to know the legal basis for processing, why data is being collected, and when and how consumers are notified, among other details.
The investigation highlights the continued scrutiny of firms under the GDPR. Although we have yet to hear about a major investigation undertaken due to concerns over data security, one is surely not far away as the regulators begin to flex their muscles.
What was reported earlier this week as only two Elasticsearch database misconfigurations that left millions of bets and thousands of personal records exposed has evolved into a trove of disclosures involving more than 24 million banking and financial records at several organizations, including Bancolombia, according to security researcher Bob Diachenko.
As the week has progressed, Diachenko has revealed the names of different organizations that were part of his Elasticsearch discovery, including Citi and Ascension, a data and analytics company. Today, Diachenko has revealed his exchange with yet another company, Bancolombia, whose database misconfigurations left records exposed.
In an email to Infosecurity, Diachenko wrote:
To discover data breaches, leakages, and vulnerabilities on the Internet, we at SecurityDiscovery.com use public search engines only, such as Shodan, Censys etc. When we find a public database (data that’s fully accessible to anyone without any restrictions) we collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, we employ a Responsible Disclosure model to privately communicate the findings with data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.
On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via the Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit card details) was related to Bancolombia, so I decided it would be the quickest possible solution to prevent this data from being stolen and report the incident directly to bank authorities.
Shortly after I contacted Bancolombia, the instance was secured (Nov. 30) and on the next day I was contacted by a representative of a company that managed the data, Waumovil, who thanked me for the heads up and said that "unfortunately we had some open ports that I was not aware".
In an attempt to get ahead of what has been dispersed on social media, Bancolombia responded to Diachenko, asserting that none of its systems had been compromised but that the information was “stolen at trade,” according to a translation of the statement.
"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cyber-criminals to manage the entire system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains," Diachenko said.
"Although the company reacted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the files. Data privacy and data protection laws like GDPR are a good first step but companies and charities need to be proactive when it comes to data protection."
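The exposure Diachenko describes, an Elasticsearch node listening on the network with no authentication, is visible in the node's own configuration file before any search engine indexes it. The audit below is an added example, not Diachenko's or SecurityDiscovery.com's tooling: it parses flat `elasticsearch.yml` settings and flags the combination of a non-loopback `network.host` with `xpack.security.enabled` unset or false. Both configuration fragments are constructed for illustration and are not any named company's configuration; the cluster name and address are placeholders. Treating an absent `xpack.security.enabled` as "not enabled" is a deliberately conservative assumption, since older releases shipped with security off.

```python
# Bind addresses that keep the HTTP API on the local machine only.
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed weak configuration: reachable from anywhere, no credentials required.
WEAK_CONFIG = """
cluster.name: example-cluster      # placeholder name
network.host: 0.0.0.0              # binds every interface
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened configuration: bound to one private address, security on.
HARDENED_CONFIG = """
cluster.name: example-cluster
network.host: 10.20.30.40          # placeholder private address
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Minimal 'key: value' parser, enough for the flat dotted keys in elasticsearch.yml.
    Trailing '#' comments and surrounding quotes are stripped; nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch_config(text: str) -> dict:
    """Return the bind address, whether authentication is enabled, and a list of
    (severity, message) findings. The critical case is the pair: reachable AND unauthenticated."""
    settings = parse_flat_yaml(text)
    bind = settings.get("network.host", "_local_")  # Elasticsearch binds loopback when unset
    auth_enabled = settings.get("xpack.security.enabled", "").lower() == "true"
    exposed = bind not in LOOPBACK_BINDS

    findings = []
    if exposed:
        findings.append(("info", f"network.host={bind}: HTTP API reachable from other hosts"))
    if not auth_enabled:
        findings.append(("high", "xpack.security.enabled is not true: requests need no credentials"))
    if exposed and not auth_enabled:
        findings.append(("critical",
                         "cluster accepts unauthenticated requests from the network: "
                         "anyone who can reach the HTTP port can read, modify or delete every index"))
    return {
        "bind": bind,
        "auth_enabled": auth_enabled,
        "exposed_without_auth": exposed and not auth_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(cfg))
```

Run against a fleet's configuration repository, the `exposed_without_auth` flag is the one to page on; the `info` finding on the hardened file is deliberate, since a node that must serve other hosts is still worth listing so that the network path in front of it (firewall rules, a reverse proxy) gets reviewed as well.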
Enterprises around the globe have seen a surge in compromises resulting from phishing attacks, so much so that phishing has surpassed ransomware by an overwhelming margin, according to Proofpoint.
According to the new 2019 State of the Phish report, last year saw a 65% increase in enterprises compromised by phishing attacks, with credential compromises rising by more than 70% to become the most commonly experienced attack in 2018.
The comprehensive study analyzed tens of millions of simulated phishing emails in its survey of nearly 15,000 information security professionals and 7,000 end users across 16 different industries.
As cyber-criminals continue to focus their attention on people rather than technologies, the study found that many end users “are relying on IT teams to automatically discover and fix accidental downloads of malicious software. The lack of clarity with regard to the role of IT in attack prevention could be giving users a false sense of security and unnecessarily taxing infosec resources.”
While the report reflected a global average of 66% of end users who know what phishing is, more than half of the respondents (55%) reported that they do not know what smishing is and 63% were unfamiliar with vishing. Though ransomware awareness has improved, there has been little growth in phishing awareness for users in the US, UK and Germany.
In fact, from 2017 to 2018, the average number of users who said they know what phishing is actually declined in the UK and Germany. When broken down by age group, the 54+ population seem to have the greatest awareness, with 73% correctly defining phishing, while only 47% of those aged 18-21 were able to correctly do so.
“Baby boomers and Gen X respondents (ages 38-53) exhibit much stronger recognition of phishing and ransomware, which we feel is likely due to longer-term exposure to security awareness training about these topics,” the report said.
“Millennials and their younger counterparts are strongest in recognition of smishing and vishing, two more recent threat vectors – though less than a third of each group responded correctly, so not a great showing overall.”
As 2018 rounded to a close, Malwarebytes predicted that Emotet and Trickbot were the future of malware, and the third annual State of Malware Report released today confirms that the Trojan families spread wildly, most often targeting the education, government, manufacturing and healthcare sectors.
The old adage, "When one goes up, the other comes down," rang true with malware attacks in 2018. By the second quarter of the year, there was a notable decline in crypto-mining attacks, which saw only a 7% year-over-year increase; however, there was significant rise in information-stealing malware. The former banking Trojans Emotet and TrickBot plagued the education industry, while manufacturing suffered attacks from WannaCrypt and Emotet.
“The year 2018 was action-packed from start to finish,” said Adam Kujawa, director of Malwarebytes Labs, in a press release. “It began with threat actors diversifying their cryptomining tactics; broadening their reach to Android, Mac and cryptomining malware; and experimenting with new innovations in browser-based attacks.”
Seven categories of malware were detected within businesses, with Trojans, RiskWare tools, backdoors and spyware as the top four as a result of a more than 100% year-over-year increase. Vools was the top detection among backdoor compromises, according to the report.
“Year after year, we see cyber perpetrators finding new (and old) avenues for monetizing on their attacks. Regardless of whether it is ransomware, mineware or 'good old' Trojans and info stealers, the strategy is the same: find the weakest link and abuse it for initial infiltration, then deploy the 'profit module' of your choice," said Matan Or-El, co-founder and CEO of Panorays.
If the report offered any good malware news, it was that consumer attacks declined, despite business threats increasing by 79%. “Despite the focus on business targets, consumer malware detections only decreased by three percent year over year, thanks to increases in backdoors, Trojans, and spyware malware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection – a healthy decrease in number, percentages aside,” the report said.
Last year also witnessed a rise in rogue app attacks, with extensions that fooled both users and app stores into thinking they were legitimate. Also, as Infosecurity reported, Magecart covered a lot of ground in its widespread attacks on e-commerce sites.
Finally, sextortion made its way to the top 10 takeaways list. “Major scams for the year capitalized on stale PII from breaches of old. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that they’d expose their secrets if they didn’t pay up.”
Last year cybersecurity professionals struggled to defend against increasing crypto-mining attacks, along with fileless attacks, ransomware and commodity malware, marking 2018 as the year of next-generation attacks.
“Modern cyberattacks appear to increasingly...reveal how clever attackers have become in evolving to remain undetected – using techniques such as lateral movement, island hopping and counter incident response to stay invisible,” the report stated.
The data analyzed in the study found that, in aggregate, enterprises saw approximately one million attempted cyber-attacks per day, though half of today’s cyber-attacks use the victim primarily for island hopping.
Governments around the globe experienced increased attacks that appeared to stem from Russia, China and North Korea. “Of the identified fileless attacks, variants of the malware Graftor were uniquely identified as the fileless payload. The FBI has high confidence that Graftor variants are used by North Korean cyber operations, also referenced as HIDDEN COBRA, to maintain presence on victim networks and to further network exploitation,” the report stated.
In addition the threat data revealed that computers/electronics, healthcare, business services, internet/software and manufacturing were the five industries most targeted by cyber-attacks in 2018.
Kryptic was the most commonly used ransomware variant in 2018, and the five industries most targeted with ransomware were manufacturing, business services, retail, government and computers/electronics.
The data also showed that the average endpoint “was targeted by two cyberattacks per month throughout 2018. At this rate, an organization with 10,000 endpoints is estimated to see more than 660 attempted cyberattacks per day.”
Another key finding of the study found that approximately $1.8 billion of cryptocurrency-related thefts transpired last year, up from the $1.3 billion in total losses reported by the FBI in 2016, and cyber-criminals have largely shifted from Bitcoin to Monero as their currency of choice.
“Of the identified attacks, cryptocurrency exchanges are the most vulnerable target for cybercriminals. Attacks on these exchanges account for just over 27% of all reported incidents. These exchanges represent prime targets for cryptocurrency theft, fraud and harvesting of user information for follow-on targeting by these same criminals.”
A security researcher with the Qihoo 360 Vulcan Team, Qixun Zhao (@S0rryMybad), has revealed the second stage of an exploit chain in which he was able to remotely jailbreak the latest iOS system on iPhone X.
In a January 23 blog post, Zhao released the proof of concept (PoC) of a kernel vulnerability that can be reached in the sandbox, which he dubbed Chaos. For the benefit of beginners, he provides what he calls elaborate details on the tfp0 exploit, though he does not reveal the exploit code.
Instead, he stated, “if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community.”
Zhao does demonstrate the jailbreak in a video posted to Twitter.
Following his intuition, Zhao said he believed there would be a path that would cause a leak, which he found could be exploited before iOS 12 even started in the sandbox.
Noting that the bug has been fixed in the most recent version, Zhao wrote, “As soon as I saw the code I felt that this part of the code is definitely lacking review and the quality is not high enough. After all, the code that can be directly reached in the sandbox, that means the kernel developer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above.”
Despite the misguided belief that PAC mitigation was the end of UaF or jailbreak, Zhao said the UaF hole can still be used in the PAC environment. “We can see that in the whole process of getting tfp0, we didn't need to control the pc. This is because there was a port property value in the object ipc_voucher we released. The exploitation of the UaF vulnerability depends greatly on the data structures of the released object, as well as how to use them, since in the end we have to convert to type obfuscation.”
US officials have confirmed their intention to formally extradite Huawei CFO Meng Wanzhou from Canada to face criminal charges, according to reports.
Meng, who is also the daughter of founder Ren Zhengfei, was arrested in Vancouver on December 1 last year at the request of Washington.
A statement from the Department of Justice confirmed that the US plans to meet the 60-day deadline for filing a formal extradition demand, which runs to January 30.
“We will continue to pursue the extradition of defendant Ms. Meng Wanzhou, and will meet all deadlines set by the US/Canada Extradition Treaty,” said DoJ spokesman Marc Raimondi, in the reported statement. “We greatly appreciate Canada’s continuing support of our mutual efforts to enforce the rule of law.”
The news will likely inflame Sino-Canadian diplomatic relations as Beijing continues to lambast Ottawa for what it sees as a geopolitical decision, while Justin Trudeau’s government stands firm on the rule of law.
Beijing has apparently retaliated by arresting two Canadians on suspicion of spying.
It is alleged that Meng participated in a conspiracy at the telecoms equipment giant to trick US banks into breaking sanctions on Iran. This was apparently done by pretending that subsidiary Skycom was not connected to the Shenzhen firm.
Although Huawei has repeatedly claimed it does not represent a national security risk, governments around the world are getting cold feet, following America’s lead in sidelining or outright banning its technology in upcoming 5G networks.
The UK is one of the few Five Eyes countries which has taken a fairly liberal stance with the Chinese firm, although an official change in its policy could be on the cards.
Back in November the government reminded 5G network providers to ensure their suppliers are heavily vetted for security.
In a rare appearance, MI6 boss Alex Younger said in December: “We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a quite definite position.”
Hundreds of security researchers have come together in a global non-profit project, working to take down 100,000 malicious websites in just 10 months.
Revealed on Monday, the stats are testament to the power of information sharing among the information security community and hosting providers, when they work together to fight a common foe, according to Abuse.ch.
The non-profit’s URLhaus project saw 265 researchers work together to identify and submit 300 malware sites each day over the period. This makes it easier for hosters to spot and remediate any bad domains on their networks.
“This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount of hijacked websites in their network that are getting abused by cyber-criminals to distribute malware,” the non-profit explained.
However, despite its early success, there’s still a long way to go. URLhaus claimed to observe 4,000-5,000 active malware distribution sites every day, and that they stay active for over eight days on average, potentially infecting thousands of devices in the process.
In China, things are even worse: the three top malware hosting networks have an “average abuse desk reaction time” of over a month.
Of the 380,000 malware samples collected by the project over the past 10 months, Emotet/Heodo was the most common.
“Emotet gets propagated through spam that hits users’ inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables macros, it will automatically download and execute Emotet from a compromised website,” Abuse.ch explained.
“To bypass spam filters, these malspam campaigns sometimes point to a compromised website that hosts the malicious Office document instead of attaching it to the email directly. To dismantle these campaigns and prevent users from getting infected with Emotet, it is essential that the associated malware distribution sites are getting cleaned up in time by the responsible hosting provider.”
The group urged national CERTs, ASN operators and TLD owners to subscribe to the free URLhaus feed and implement its free block lists.
The US Department of Homeland Security (DHS) has taken the unusual step of issuing an emergency directive demanding government agencies take urgent action to protect DNS infrastructure, in response to a major attack campaign.
The Mitigating DNS Infrastructure Tampering directive was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and details the modus operandi of recently reported Iranian activity designed to intercept and redirect web and mail traffic.
The attackers are said to obtain or compromise user credentials to make changes to DNS records, directing users to their own infrastructure for “manipulation or inspection” before sending them on to the legitimate service.
“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names,” the directive continued. “This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”
This activity has been observed affecting multiple domains run by executive branch agencies, it claimed.
CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.
It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.
CISA also gave notice of a new Certificate Transparency initiative which agencies will have to participate in, by monitoring any log data for issued certificates that they didn’t request.
The urgent nature of the directive points to its criticality at a time when the government remains mired in the longest shutdown on record over President Trump’s border wall demands.
In early January, FireEye detailed the cause of the problem, a global DNS hijacking campaign traced back to Iran targeting “dozens” of domains run by government, telecommunications and internet infrastructure providers in the Middle East and North Africa, Europe and North America.
It’s thought that confidential information from Middle East governments may be the ultimate target of the operation.
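The two audits the directive asks for, checking that records still resolve to the intended location and spotting certificates the agency never requested, as an added example that is not part of the directive or the article. Every record, address (RFC 5737 ranges) and CT entry below is a constructed sample; in practice the observed records would come from a resolver and the entries from a CT monitor.

```python
"""Added example: audit resolved DNS records and CT log entries against an
agency's own baseline. All data is constructed for illustration."""

# Constructed baseline: the record sets the agency intends to publish.
BASELINE = {
    "agency.example.gov": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.agency.example.gov", "ns2.agency.example.gov"},
        "MX": {"mail.agency.example.gov"},
    },
    "mail.agency.example.gov": {"A": {"203.0.113.25"}},
}

# Constructed 'observed' answers: the mail host now resolves elsewhere and an
# unknown name server has been added, the pattern the directive describes.
OBSERVED = {
    "agency.example.gov": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.agency.example.gov", "ns2.agency.example.gov",
               "ns3.unrelated.example"},
        "MX": {"mail.agency.example.gov"},
    },
    "mail.agency.example.gov": {"A": {"198.51.100.77"}},
}

def audit_dns(baseline, observed):
    """One finding per record set that differs, split into values that vanished
    and values that were never intended to be there."""
    findings = []
    for name, expected in baseline.items():
        got = observed.get(name, {})
        for rtype, exp in expected.items():
            actual = got.get(rtype, set())
            if actual != exp:
                findings.append({"name": name, "type": rtype,
                                 "missing": sorted(exp - actual),
                                 "unexpected": sorted(actual - exp)})
    return findings

# Constructed CT entries: (certificate fingerprint, subject name, issuer).
CT_ENTRIES = [
    ("sha256:1111", "agency.example.gov", "Agency's usual CA"),
    ("sha256:2222", "mail.agency.example.gov", "Some other CA"),
]
REQUESTED = {"sha256:1111"}  # fingerprints of certs the agency itself ordered

def unrequested_certs(entries, requested, domains):
    """Certificates issued for the agency's names that nobody in it requested."""
    def ours(name):
        return any(name == d or name.endswith("." + d) for d in domains)
    return [e for e in entries if e[0] not in requested and ours(e[1])]
```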
Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert.
MySQL has issued a security notice resulting from issues with the LOAD DATA LOCAL statement, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”
The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Exploiting it would allow a malicious actor to steal sensitive information from a web server that is misconfigured to allow connections to untrusted servers, or from database management applications that make such connections.
According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)”
In a January 20 blog post, security researcher Willem de Groot responded to the security notice’s claim that this flaw could be leveraged “in theory,” noting that “an Evil Mysql Server which does exactly that can be found on GitHub, and was likely used to exfiltrate passwords from these hacked sites. And could be used to steal SSH keys and crypto wallets, as interfail points out.”
“Although this may not sound critical, since most users are not easily fooled into connecting to an attacker's MySQL server, there are in fact many web servers with exposed database management interfaces that allow attacker initiated connections to arbitrary servers,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT).
“Website administrators must be aware that such pages, even when not linked to other content, may be discovered and abused by attackers. Administration tools like Adminer should not be left unprotected in any circumstances.”
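The notice's point is that the server, not the client, decides which file gets uploaded. A client-side guard that only honours a file-transfer request when the client itself issued LOAD DATA LOCAL INFILE for that exact path, as an added example (not code from MySQL or from the article); the packet bytes are constructed samples, and the protocol detail assumed is that a server wanting a local file answers COM_QUERY with a packet whose first payload byte is 0xFB followed by the filename.

```python
"""Added example: refuse LOCAL INFILE requests the client never asked for.
Packet layout assumed: 3-byte little-endian length, 1-byte sequence id, payload;
a file request is payload 0xFB + filename. Samples are constructed."""
import re
import struct

# Only single-quoted paths are recognised here; extend for double quotes if needed.
LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)

def parse_packet(raw: bytes):
    """Split one MySQL packet into (sequence_id, payload)."""
    if len(raw) < 4:
        raise ValueError("truncated packet header")
    length = struct.unpack("<I", raw[:3] + b"\x00")[0]
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return raw[3], payload

def file_request(payload: bytes):
    """Filename the server wants uploaded, or None if this is not such a request."""
    if payload and payload[0] == 0xFB:
        return payload[1:].decode("utf-8", "replace")
    return None

def allow_upload(statement: str, response: bytes) -> bool:
    """True only when the server asks for exactly the file the client named."""
    _, payload = parse_packet(response)
    requested = file_request(payload)
    if requested is None:
        return False  # ordinary result packet, nothing to upload
    m = LOAD_LOCAL_RE.match(statement)
    if not m:
        return False  # server wants a file but we never ran LOAD DATA LOCAL
    return requested == m.group(1)

def packet(seq: int, payload: bytes) -> bytes:
    """Build a MySQL packet (helper for the constructed samples)."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

# Constructed samples: an honest reply, and a server naming a file of its own choosing.
HONEST = packet(1, b"\xfb/tmp/import.csv")
ROGUE = packet(1, b"\xfb/home/user/.ssh/id_rsa")
```

The simpler fix the notice points at is to disable the feature on the client side, for example `mysql --local-infile=0`, and to never point administration tools at untrusted servers.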
After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit.
A database breach exposed more than four million intern applications with personal and sensitive information on a server without a password. The database reportedly contained information included in applications that had been tagged as "opportunity applications" for AIESEC internships and "included sensitive information as email, full name, DOB, gender, plus a detailed description on their intentions for applying for AIESEC as well as interview details,” according to Diachenko’s blog post on SecurityDiscovery.
“Basically, AIESEC was using software that is great for giving their staff access to money-making data, but they focused far too little on protecting the data,” said LUCY Security CEO Colin Bastable.
“GDPR penalties apply to the global revenues of virtue-signaling nonprofits just as much as they do to their virtue-seeking corporate sponsors. I suspect they will get a slap on the wrist, and the IT budget will be invested appropriately in keeping Laurin Stahl out of the IT security press next year. There is probably a significant proportion of nonprofits that are vulnerable in this way, so they should take this as a warning to get serious about securing consumer data. The message for consumers is [that] you can’t trust any organization with your personal data, even if they are driven by the most noble ideals, so share with care.”
This is the second misconfiguration in an Elasticsearch database disclosed this week. News also broke that a password-less Elasticsearch server belonging to a variety of online casinos had compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.
The payment card details indexed in the server were partially redacted, however, suggesting that each user’s full financial details were not exposed. The leaky server was found last week and was taken offline on January 21; it is no longer accessible.
“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks, such as the VOIPo and Oklahoma Securities Commission’s latest incidents,” said Mark Weiner, CMO, Balbix.
He continued, “108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as part of a phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.”