Wednesday, April 26, 2017

What Role Should ISPs Play in Cybersecurity?

From DarkReading:

What Role Should ISPs Play in Cybersecurity?

"There are many actions ISPs could do to make browsing the Web safer, but one thing stands out.

For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?"

New computers could delete thoughts without your knowledge, experts warn

From The Independent:

New computers could delete thoughts without your knowledge, experts warn

“Thou canst not touch the freedom of my mind,” wrote the playwright John Milton in 1634.

But, nearly 400 years later, technological advances in machines that can read our thoughts mean the privacy of our brain is under threat.

Now two biomedical ethicists are calling for the creation of new human rights laws to ensure people are protected, including “the right to cognitive liberty” and “the right to mental integrity”.

New BrickerBot Variants Emerge

From SecurityWeek:

New BrickerBot Variants Emerge

"New variants of a recently discovered BrickerBot Internet of Things (IoT) malware capable of permanently disabling devices were observed last week, Radware security researchers warn.

BrickerBot first emerged about a month ago, with two variants observed in early April. The first threat had a short life span of less than a week and targeted BusyBox-based Linux devices. The other is still active and targeting devices both with and without BusyBox. Devices with an exposed Telnet service that is secured with default credentials are potential victims."

More LastPass flaws: researcher pokes holes in 2FA

From Sophos Naked Security:

More LastPass flaws: researcher pokes holes in 2FA

"Recently we’ve been writing about LastPass more than seems healthy.

March saw two rounds of serious flaws made public by Google’s Tavis Ormandy (quickly fixed), which seemed like a lot for a single week. Days ago, news emerged of a new issue (also fixed) in the company’s two-factor/two-step authentication (2FA) security."

Display Software Flaw Affects Millions of Devices

From SecurityWeek:

Display Software Flaw Affects Millions of Devices


"A potentially serious vulnerability has been found in third-party software shipped by several major vendors for their displays. The developer has rushed to release a patch for the flaw, which is believed to affect millions of devices worldwide.

The security hole was identified by researchers at SEC Consult in display software developed by Portrait Displays. The impacted product allows users to configure their displays (e.g. rotation, alignment, colors and brightness) via a software application instead of hardware buttons.

Portrait Displays’ products are used by several major vendors, including Sony, HP, Acer, Fujitsu, Philips, Dell, Benq, Lenovo, Sharp and Toshiba. However, SEC Consult could only confirm the vulnerability for Fujitsu’s DisplayView, HP’s Display Assistant and My Display, and Philips’ SmartControl applications. The apps, which are pre-installed on millions of devices, have been classified by the security firm as bloatware."

Flaws in Hyundai App Allowed Hackers to Steal Cars

From SecurityWeek:

Flaws in Hyundai App Allowed Hackers to Steal Cars

"South Korean carmaker Hyundai has released updates for its Blue Link mobile applications to address vulnerabilities that could have been exploited by hackers to locate, unlock and start vehicles.

The Blue Link application, available for both iOS and Android devices, allows users to remotely access and monitor their car. The list of features provided by the app includes remote engine start, cabin temperature control, stolen vehicle recovery, remote locking and unlocking, vehicle health reports, and automatic collision notifications."

Chipotle Investigating Payment Card Breach

From SecurityWeek:

Chipotle Investigating Payment Card Breach

"Fast-casual restaurant chain Chipotle Mexican Grill, which has more than 2,000 locations in the United States and other countries, informed customers on Tuesday that its payment processing systems have been breached.

Chipotle said it recently detected unauthorized activity on the network that supports payment processing for its restaurants. The company’s investigation into the incident is ongoing and only limited information has been made public for now."

Tuesday, April 25, 2017

What happens when a vendor doesn’t patch its software?

From Sophos Naked Security:

What happens when a vendor doesn’t patch its software?

"Microsoft engineers won’t be happy this month, thanks to the community-minded actions of a Github user named Zeffy. Not content with the way that Redmond was updating its software, he decided to patch Microsoft’s patch.

Zeffy is irritated with Microsoft’s decision to stop updating Windows 7 and 8.1 on newer CPUs. The company, which worked hard to push users to upgrade to Windows 10, announced in January last year that it would not update versions of these older operating systems running on seventh-generation processors (that’s Kaby Lake silicon from Intel, and Bristol Ridge silicon from AMD). A select set of products using sixth-generation Skylake processors would continue to get support until the middle of this year, it said."

UK Man Jailed for Running Global Cyberattack Business

From NewsMax:

UK Man Jailed for Running Global Cyberattack Business

"LONDON (AP) — A British man has been sentenced to two years in prison for creating and selling a program used in online attacks around the world.

Adam Mudd was 16 when he created Titanium Stresser, a program that carried out more than 1.7 million "denial of service" attacks on websites including gaming platforms Minecraft and Xbox Live."

Facebook's thought police

From The Week:

Facebook's thought police

"The social panic and media hysteria over fake news continues unabated. And once again, Facebook's reaction is all wrong."

LinkedIn app’s oversharing via Bluetooth sparks alarm

From Sophos Naked Security:

LinkedIn app’s oversharing via Bluetooth sparks alarm

"Geez, LinkedIn, you are one pushy app! If you’re not spamming users’ contacts (and getting sued for it), you’re pawing our Bluetooth – even after we thought you’d gone home for the night!

News of LinkedIn’s latest market-the-beejezus-out-of-us stunt came on Thursday, when security researcher Rik Ferguson spotted a proclamation from LinkedIn about wanting to make data available to nearby Bluetooth devices, “even when you’re not using the app”."

Top secret messages sent via Confide might not be so secret after all

From Sophos Naked Security:

Top secret messages sent via Confide might not be so secret after all

"Nervy constituents! Prying newspapers! Always wanting to find out what politicians are up to, who they’re talking to, and what they’re saying!

No wonder politicians (and their whistleblowing staff) have flocked to message-erasing app Confide."

Trump’s promise on cybersecurity: what’s been happening?

From Sophos Naked Security:

Trump’s promise on cybersecurity: what’s been happening?

"As US President Donald Trump closes in on his 100th day in office, he faces plenty of scrutiny over things that didn’t get done in that all-important period of any new administration. One big criticism in the media last week was that he’d blown his self-imposed 90-day deadline to unveil a tough new cybersecurity plan for the federal government."

Kelihos Botnet Author Indicted in U.S.

You. Will. Get. Caught.  From SecurityWeek:

Kelihos Botnet Author Indicted in U.S.

"The alleged author of the Kelihos botnet has been charged in an eight-count indictment returned by a federal grand jury in Bridgeport, Connecticut, after being arrested in Spain earlier this month.

Peter Yuryevich Levashov, 36, a Russian national also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, was charged last week with one count of causing intentional damage to a protected computer, one count of conspiracy, one count of accessing protected computers in furtherance of fraud, one count of wire fraud, one count of threatening to damage a protected computer, two counts of fraud in connection with email, and one count of aggravated identity theft."

Webroot Tags Windows Files, Facebook as Malicious

From SecurityWeek:

Webroot Tags Windows Files, Facebook as Malicious

"An update released by Webroot has caused the company’s home and business products to flag legitimate files and websites as malicious.

While the faulty update was only available for less than 15 minutes on Monday, many customers took to social media and Webroot’s forum to complain that it had caused serious problems for their organization. Users reported that hundreds and even thousands of their endpoints were affected."

Monday, April 24, 2017

Cyber Shield Act: A New Legislative Approach to Improving Cyber Security

From SecurityWeek:

Cyber Shield Act: A New Legislative Approach to Improving Cyber Security

"The Cyber Shield Act is a legislative proposal designed to cut "to the core of critical infrastructure cyber defense." It is proposed by Senator Edward J. Markey, Massachusetts -- but you won't find a draft bill anywhere yet."

Hackers Are Using NSA's DoublePulsar Backdoor in Attacks

From SecurityWeek:

Hackers Are Using NSA's DoublePulsar Backdoor in Attacks

"A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has been already observed in live attacks.

Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems."

Ransomware hidden inside a Word document that’s hidden inside a PDF

From Sophos Naked Security:

Ransomware hidden inside a Word document that’s hidden inside a PDF

"SophosLabs has discovered a new spam campaign where ransomware is downloaded and run by a macro hidden inside a Word document that is in turn nested within a PDF, like a Russian matryoshka doll. The ransomware in this case appears to be a variant of Locky.

Most antivirus filters know how to recognize suspicious macros in documents, but hiding those documents inside a PDF could be a successful way to sidestep it, according to SophosLabs researchers."

Multiple security holes discovered in Linksys routers

From Sophos Naked Security:

Multiple security holes discovered in Linksys routers

"Do home router makers devote enough resources to finding security vulnerabilities in their products before they ship?

One could be forgiven for having doubts after this week’s news that research outfit IOActive had found 10 significant flaws affecting almost every home router currently sold by Linksys."

How Uber Deceives the Authorities Worldwide

Didn't mean to start the morning trashing Uber but there seem to be some privacy issues going on with the company. Another from the NY Times:

How Uber Deceives the Authorities Worldwide

"SAN FRANCISCO — Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was resisted by law enforcement or, in some instances, had been banned."

Uber’s C.E.O. Plays With Fire

From the NY Times:

Uber’s C.E.O. Plays With Fire

"SAN FRANCISCO — Travis Kalanick, the chief executive of Uber, visited Apple’s headquarters in early 2015 to meet with Timothy D. Cook, who runs the iPhone maker. It was a session that Mr. Kalanick was dreading."

Friday, April 21, 2017

7 Ways Hackers Target Your Employees

From Dark Reading:

7 Ways Hackers Target Your Employees

"One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?"

UK government reports on business breaches and it’s not pretty

From Sophos:

UK government reports on business breaches and it’s not pretty

"The UK is about to go into general election mode unexpectedly, so it’s a funny time for its government to be issuing its Cyber Security Breaches Report 2017, which acknowledges that at least 2.5m cyberhacks have happened over the past 12 months."

Several Google engineers have left one of its most secretive AI projects to form a stealth start-up

From CNBC:


Several Google engineers have left one of its most secretive AI projects to form a stealth start-up

"Google has slowly been pulling back the curtain on homegrown silicon that could define the future of machine learning and artificial intelligence."

Elon Musk Lays Out Plans to Meld Brains and Computers

From the Wall Street Journal:

Elon Musk Lays Out Plans to Meld Brains and Computers

"Billionaire entrepreneur Elon Musk on Thursday confirmed plans for his newest company, called Neuralink Corp., revealing he will be the chief executive of a startup that aims to merge computers with brains so humans could one day engage in “consensual telepathy.”"

Thursday, April 20, 2017

DNS Query Length... Because Size Does Matter

Great tutorial on how cybercriminals can exfiltrate data through DNS queries from SANS ISC:

DNS Query Length... Because Size Does Matter

"In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is often based on "TXT" records used to deliver the encoded payload. "TXT" records are also used for good reasons, like delivering SPF records but, too many TXT DNS requests could mean that something weird is happening on your network."

The Rise Of The Social Media Killer

From Vocativ:

The Rise Of The Social Media Killer

"This week, the nation tuned in as hundreds of news outlets reported that an Ohio man was still on the loose after killing an elderly stranger named Robert Godwin Sr. and posting the footage on Facebook on Monday. Steven Stephens, the killer who quickly became the subject of a nationwide manhunt, was found dead in an apparent suicide on Tuesday, but only after becoming the ringleader of a media circus he had orchestrated."

Tuesday, April 18, 2017

That ‘iPhone Wi-Fi bug’ isn’t just for Apple users – here’s a rundown

From Sophos:

That ‘iPhone Wi-Fi bug’ isn’t just for Apple users – here’s a rundown

"Earlier this week, we advised iPhone users to waste no time applying the latest iOS update, even though it came out just five days after Apple’s previous, much bigger update."

Update your iPhone to avoid being hacked over Wi-Fi

From Sophos:

Update your iPhone to avoid being hacked over Wi-Fi

"It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched."

Apple Readies iPhone Overhaul for Smartphone's 10th Anniversary

From Bloomberg:

Apple Readies iPhone Overhaul for Smartphone's 10th Anniversary

"Apple is testing a revamped iPhone with an all-screen front, curved glass and a stainless steel frame alongside upgrades to the current models."

FTC Alert: There’s no Nintendo Switch emulator

From the Federal Trade Commission:

There’s no Nintendo Switch emulator

"If you can’t get your hands on a Nintendo Switch gaming system, you may think an emulator is the next best thing. Think again. Online ads for emulators, sometimes with Nintendo branding, say they can run Switch’s games on your desktop. But there is no legit Nintendo Switch emulator. It’s a scam."

US-CERT Alert: Microsoft Addresses Shadow Brokers Exploits

From US-CERT:

Microsoft Addresses Shadow Brokers Exploits

"The Microsoft Security Response Center (MSRC) has published information on several recently publicized exploit tools which affect various Microsoft products."

Thursday, April 13, 2017

Nation-State Hackers Go Open Source

From Dark Reading:

Nation-State Hackers Go Open Source

"Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns."

4 Bad Cyber-Security Habits

From Core Security:

4 Bad Cyber-Security Habits

"We hear about high-profile breaches almost every week in the news, but what actions are organizations taking to keep these breaches from happening? Implementing new solutions is great and new tools are always helpful, but it’s the bad habits formed by your team that can really hurt you."

US-CERT Alert: Easter Holiday Phishing Scams and Malware Campaigns

From US-CERT:

Easter Holiday Phishing Scams and Malware Campaigns

As the Easter holiday approaches, US-CERT reminds users to stay aware of holiday scams and cyber campaigns, which may include:
  • unsolicited shipping notifications that may actually be scams by attackers to solicit personal information (phishing scams),
  • electronic greeting cards that may contain malicious software (malware),
  • requests for charitable contributions that may be phishing scams or solicitations from sources that are not real charities, and
  • false advertisements for holiday accommodations or timeshares.

FTC Alert - The FTC won’t offer to fix your computer

From the FTC:

The FTC won’t offer to fix your computer

"Some cons send pop-up computer warnings to pitch unnecessary – and sometimes harmful – tech support services. Some make phone calls. Others – like one scammer the FTC just sued – send spam emails that falsely claim the FTC hired them to help remove problem software. In this case, announced today, the court has ordered the defendant to stop claiming he’s affiliated with the FTC, to shut down his websites and phone numbers, and inform current customers who contact him that he is not affiliated with the FTC. If you got one of those messages, please tell the FTC."

FTC Alert - Free movies, costly malware

From the FTC:

Free movies, costly malware

"“Something for nothing” sounds appealing, but often there’s a hidden cost. If the something is a site or app offering free downloads or streams of well-known movies, popular TV shows, big-league sports, and absorbing games, the hidden cost is probably malware. Sites offering free content often hide malware that can bombard you with ads, take over your computer, or steal your personal information."

FTC Alert - “I have an emergency and need money”

From the FTC:

“I have an emergency and need money”

"If you’ve ever gotten one of those calls, you know how alarming they can be. And that’s exactly what the scammers count on. They want you to act before you think – and acting always includes sending them money: by wiring it or by getting a prepaid card or gift card, and giving them the numbers on the card. Either way, your money’s gone."

ISC Releases Security Updates for BIND

From US-CERT:

ISC Releases Security Updates for BIND

The Internet Systems Consortium (ISC) has released updates that address multiple vulnerabilities in BIND. A remote attacker could exploit any of these vulnerabilities to cause a denial-of-service condition.

Available updates include:
  • BIND 9 version 9.9.9-P8
  • BIND 9 version 9.10.4-P8
  • BIND 9 version 9.11.0-P5
  • BIND 9 version 9.9.9-S10

Wednesday, April 12, 2017

Microsoft Releases April 2017 Security Updates

From US-CERT:

Microsoft Releases April 2017 Security Updates

"Microsoft has released 61 updates to address vulnerabilities in Microsoft software. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of a system. This Security Update addresses a Microsoft Office vulnerability that is actively being exploited to spread malicious code."

Microsoft patches Word zero-day booby-trap exploit

From Sophos:

Microsoft patches Word zero-day booby-trap exploit

"Microsoft Tuesday patched a previously undisclosed Word zero-day vulnerability attackers used to install a variety of malware on victims’ computers."

Attackers using a Word zero-day to spread malware

From Sophos:

Attackers using a Word zero-day to spread malware

"Attackers are using a previously undisclosed security hole in Microsoft Word to install a variety of malware on victims’ computers. Microsoft knows about the zero-day and is expected to patch it later today. As we await that security update, here’s a review of the bug and the available defenses."

United Talent Agency Hacked: Work Disrupted, Ripples Throughout Hollywood (Exclusive)

From The Wrap (never heard of them, fake news?):

United Talent Agency Hacked: Work Disrupted, Ripples Throughout Hollywood (Exclusive)

"United Talent Agency was the victim of a computer hack that severely disrupted business at the agency on Tuesday, shutting down email, causing meetings to cancel and forcing staff to work on their personal devices, numerous individuals told TheWrap."

Tuesday, April 11, 2017

Millions of Stolen US University Email Credentials for Sale on the Dark Web

From Dark Reading:

Millions of Stolen US University Email Credentials for Sale on the Dark Web

"Researchers find booming underground market for stolen and fake email credentials from the 300 largest universities in the US."

That Fingerprint Sensor on Your Phone Is Not as Safe as You Think

From the NY Times:

That Fingerprint Sensor on Your Phone Is Not as Safe as You Think

"SAN FRANCISCO — Fingerprint sensors have turned modern smartphones into miracles of convenience. A touch of a finger unlocks the phone — no password required. With services like Apple Pay or Android Pay, a fingerprint can buy a bag of groceries, a new laptop or even a $1 million vintage Aston Martin. And pressing a finger inside a banking app allows the user to pay bills or transfer thousands of dollars."

Monday, March 27, 2017

Elon Musk’s Billion-Dollar Crusade to Stop the A.I. Apocalypse

From Vanity Fair:

Elon Musk’s Billion-Dollar Crusade to Stop the A.I. Apocalypse

"Elon Musk is famous for his futuristic gambles, but Silicon Valley’s latest rush to embrace artificial intelligence scares him. And he thinks you should be frightened too. Inside his efforts to influence the rapidly advancing field and its proponents, and to save humanity from machine-learning overlords."

Wednesday, July 22, 2015

FTC Alert: Are you following the “leads”?

From the Federal Trade Commission:

Are you following the “leads”?

Ever complete an online application to get the best rate on a loan? Or enter your email address on a website to learn more about colleges you’d like to attend? Getting products and information this way can be convenient and very fast. But the information you share may go through the hands of middlemen you may not know exist.

It's official: The average DDoS attack size is increasing

From Help Net Security:

It's official: The average DDoS attack size is increasing

New global DDoS attack data from Arbor Networks shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective.

Healthcare Hacker Attacks: The Impact

From Data Breach Today:

Healthcare Hacker Attacks: The Impact

The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.

Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.

600TB of data exposed due to misconfigured MongoDB instances

From Help Net Security:

600TB of data exposed due to misconfigured MongoDB instances

Shodan, the search engine that lets users find devices connected to the Internet, can be used for a number of different things. As its creator, John Matherly, pointed out, it's a means to measure things that couldn't be measured before, and gain new and very much needed insights.

The latest of these is that there are nearly 30,000 instances of MongoDB on the Internet that don't have any authorization enabled, i.e. are easily accessible to unauthorized users.