CHB Cybersecurity Briefing 17/06/19
by Cameron Hunter Bell
- [UK] Daniel Kelley, 22, from Llanelli, Carmarthenshire, who was involved in a major hack of telecoms firm TalkTalk has been sentenced to four years' detention.
- U.S. escalates online attacks on Russia's power grid: The U.S. is ramping up its offensive cyber-operations against Russia's power grid. The report, citing interviews with officials, says it's part of an ongoing effort to one-up the opponent. Earlier this week, the WSJ cited John Bolton as saying U.S. cyber operations are on the increase. "Mr. Bolton acknowledged that U.S. cyber offensives wouldn’t end hacking sponsored by foreign powers, but he said they were designed to impose costs on the attackers," the paper wrote. Perhaps the most interesting nugget is that the NSA director has a lot more leeway to conduct operations without President Trump's approval. In some cases, officials said they were worried the president might "countermand" the operations or "discuss" details with foreign officials.
- Kremlin-linked entities are believed to have been behind a sophisticated cyber espionage attack that targeted the European Union’s embassy in Moscow and stole highly sensitive material from the mission’s internal network just weeks before the European Parliament elections in late May.
- 'Most dangerous' hackers are targeting U.S. utilities E&E News: 'Triton' hackers that previously targeted oil and petroleum plants are now probing the U.S. power grid, according to a report. The grid regulator NERC sounded the alarm earlier this year, saying the hackers were conducting "reconnaissance and potential initial access operations." The Triton hackers are the same group that targeted a Saudi petrochemical plant in an attempt to blow it up. ICS security firm Dragos said the hacker group's foray into energy systems was "emblematic of an increasingly hostile industrial threat landscape."
- New research by Sanguine Security shows that cyberattacks on websites relying on e-commerce content management system (CMS) Magento are surging due to increased activity by two hacking groups. The number of hacked websites using Magento 2.x has been doubling every month since March of this year.
- Google disclosed bug that could "take down a Windows fleet" ZDNet: Project Zero researcher Tavis Ormandy published details about a bug in a core cryptographic library in Windows 8 and later that could be used to "take down a Windows fleet pretty quickly." The bug is found in SymCrypt, and an exploit could trigger a denial-of-service condition on affected devices. Microsoft was said to have committed to fixing the bug within Google's 90-day disclosure window but couldn't ship in time due to issues in testing, which is why it was made public.
- Cybersecurity company Trend Micro claims to have detected a web address spreading a botnet featuring a Monero (XMR) mining component alongside a backdoor. The malware was described on Trend Micro’s official blog on June 13.
- US CBP says traveler photos and license plate data stolen in breach: Customs & Border Protection confirmed this week that one of its contractors had suffered a data breach. What remains unclear is exactly who was behind it. CBP said one of its subcontractors improperly "transferred copies of license plate images and traveler images" to its own network. About 100,000 records were stolen, CBP said. Only weeks earlier, Perceptics had suffered a data breach that appeared to cover the same data. The only clue to the connection was that the Word document containing the press statement had "Perceptics" in the title. Later, Motherboard obtained the images stolen from Perceptics.
- A hacking group described as the 'most dangerous threat' to industrial systems has taken a close interest in power grids in the US and elsewhere, according to a security company. The group believed to be behind the attack on the industrial control systems (ICS) of a petrochemical plant in Saudi Arabia is now apparently probing more potential victims around the world, including US power grids, according to security company Dragos.
- Hackers discussed targeting The Intercept after UAE coverage: This lede from The Intercept says it all. "Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack."
- A year later, U.S. government sites are still redirecting to hardcore porn: Dozens of federal government websites contain a security flaw allowing anyone to generate URLs on their domains that redirect to external sites. Many sites fixed the open redirect in the past year after it was discovered, but many haven't, allowing bots to generate tons of spam porn links. That's also going to make it easier to carry out phishing campaigns, writes @dellcam.
- Congress to take another stab at 'hack back' legislation: Congress wants to legally allow companies to "hack back," despite it being widely considered one of the "worst ideas in cybersecurity." But that hasn't stopped Rep. Tom Graves from reintroducing a bill to allow companies to do just that — enabling them to go outside their networks to disrupt hackers. @shanvav has a good explainer on this, and you should also check out @RobertMLee's take — he used to work in cyber offensive operations.
- Ransomware halts production for days at major airplane parts manufacturer: Airplane part manufacturer ASCO was hit by ransomware. The infection was so bad, the company had to stop production in its factories across four countries. The outage forced about 1,000 of its 1,400 workers to be sent home. It's the latest major company to be hit by ransomware, after Norsk Hydro and Arizona Beverages.
- Google’s login chief really hates passwords: In an interview, Google's sign-in and login chief Mark Risher said he'd much rather people use Apple's new sign-in service than his own company's, if it means nuking passwords from existence. "I honestly do think this technology will be better for the internet," he told The Verge. "Even if they’re clicking our competitors button when they’re logging into sites, that’s still way better than typing in a bespoke username and password, or more commonly, a recycled username and password." It's an interesting concept. It's possible that sign-in services will be better for security than biometrics, which can still be stolen.
- Troy Hunt talks about the future of Have I Been Pwned: Have I Been Pwned, one of the world's most useful sites in security, isn't going anywhere any time soon, but Troy Hunt is just one guy running the site, and he's looking to take it to the next level. He's looking to have HIBP acquired, and him with it, so it'll go to a new home with greater resources and backing. "I'll be working with KPMG to more clearly identify which organisations fit into the first category," he wrote.
- LaLiga’s app listened in on fans to catch bars illegally streaming soccer: A Shazam-like app was secretly recording audio using the geolocation of the phone to figure out which bars offering the match for public viewing didn't have licenses to stream soccer matches. The app was downloaded more than 10 million times. The Spanish data protection authority caught wind of the privacy infraction and fined the app maker roughly $280,000.
- Experts: Spy used AI-generated face to connect with targets: Experts said an AI-generated face was part of a "vast army of phantom profiles lurking on the professional networking site LinkedIn." The experts said it was an espionage effort to create fake social media profiles to home in on American targets. “Instead of dispatching spies to some parking garage in the U.S. to recruit a target, it’s more efficient to sit behind a computer in Shanghai and send out friend requests to 30,000 targets,” a senior U.S. spy told the AP. This entire story is well worth a read. No surprise that @razhael wrote the story.
- DOJ efforts to break encryption should be made public, EFF says: The EFF wants to know why a court forbade the Justice Dept. from forcing Facebook to crack open the encryption on its Messenger app. The decision, made last year, remains secret. EFF wants to know what the reasoning was so it can protect users from over-broad requests in the future. Riana Pfefferkorn told the court that the public has a right under common law to access judicial opinions. The appeal is ongoing.
- That push notification on your phone might be a phishing attempt: Phishers are now using push notifications that look like legitimate messages from known companies, reports Cyberscoop. The researchers from Lookout "detected one phishing campaign in which attackers created what appeared to be a Chrome notification alerting them to a missed call."
- Researchers use Rowhammer bit flips to steal 2048-bit crypto key: A new Rowhammer-based attack lets unprivileged attackers extract cryptographic keys and other secrets stored in vulnerable DRAM. Previous Rowhammer attacks used the induced bit flips to corrupt memory; the new attack, dubbed RAMBleed, turns them into a read side channel that lets attackers steal RSA keys and more. You can read the researchers' full paper here.
- Another 200,000 patients affected by AMCA collections breach: Looks like the AMCA breach didn't just affect Quest or LabCorp. This time, security firm Gemini Advisory found a batch of data on the dark web from some 200,000 patients who used AMCA's third-party payment page. According to ZDNet, that now pushes the data breach past the 20 million affected mark.
- UK rights advocate co-owns spyware firm: Yana Peel, a leading human rights campaigner and "a self-proclaimed champion of free speech," is said to co-own the NSO Group, a $1 billion Israeli spyware maker accused of spying on dissidents. It's the same spyware outfit that reportedly hit WhatsApp a few weeks ago. It's also the same company said to be linked to the murder of Saudi journalist Jamal Khashoggi.
- Yubico to replace YubiKey FIPS keys over reduced randomness bug: Yubico, the maker of security keys, said it found a bug in its FIPS keys and will issue replacements. According to an advisory, the first set of random values used by YubiKey FIPS applications after each device power-up has reduced randomness. The complexity of an attack means the likelihood of exploitation is low, but take the replacement anyway.
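The open redirect behind the government-site item above is worth seeing in code. This is an added example, not code from any of the affected sites (the story does not show their code): the permissive check that lets anyone mint a trusted-domain link pointing anywhere, beside a hardened version that only ever redirects to a site-relative path. The origin `https://example.gov` and the function names are hypothetical.

```python
"""Open-redirect check: the permissive form beside a hardened one.
Added illustration; example.gov is a hypothetical trusted origin."""
from urllib.parse import urljoin, urlsplit

SITE = "https://example.gov"  # hypothetical trusted origin


def redirect_target_vulnerable(next_param):
    """The typical bug: trust a `next`/`url` parameter as long as it is set.
    Anyone can now mint https://example.gov/login?next=https://evil.example links
    that carry the trusted domain but land on the attacker's page."""
    return next_param or SITE + "/"


def redirect_target_safe(next_param, site=SITE):
    """Return an absolute URL on `site`, or the site root if the value would leave it."""
    fallback = site + "/"
    if not next_param:
        return fallback
    # Whitespace and control characters are stripped by some URL parsers,
    # turning "java\tscript:" into a scheme; refuse them outright.
    if any(c.isspace() or ord(c) < 0x20 for c in next_param):
        return fallback
    # Browsers treat a backslash like a slash, so "/\evil.example" is "//evil.example".
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme or authority ("https://evil.example", "//evil.example",
    # "javascript:...") means an absolute or protocol-relative destination.
    if parts.scheme or parts.netloc:
        return fallback
    # Only site-relative paths remain. urlsplit leaves "///evil.example" with an
    # empty netloc, but browsers collapse the slashes and go to evil.example,
    # so require exactly one leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    final = urljoin(fallback, candidate)
    # Belt and braces: the resolved URL must still carry our host.
    if urlsplit(final).netloc != urlsplit(site).netloc:
        return fallback
    return final


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass shapes.
    for value in ["/account", "//evil.example/x", "https://evil.example",
                  "/\\evil.example", "///evil.example", "javascript:alert(1)", ""]:
        print(f"{value!r:24} vulnerable -> {redirect_target_vulnerable(value)!r:28} "
              f"safe -> {redirect_target_safe(value)!r}")
```

The design choice is an allowlist of one shape (a single-slash site-relative path) rather than a denylist of known-bad prefixes; every bypass in the sample list is some variant the browser normalises differently from the server, and an allowlist sidesteps that whole class.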
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. They contributed to the development of Tor, the most important privacy tool on the net, and helped build cyberweapons that advanced US security without injuring anyone. With its origins in the earliest days of the Internet, the cDc is full of oddball characters -- activists, artists, even future politicians. You can buy it here.
- Infosec legend Bruce Schneier will speak at Edinburgh's Napier University Cyber Academy on "Trust, Privacy & The Future" this Wednesday the 19th.
About the Author
Cameron is a UK InfoSec veteran and an experienced innovation strategist. He speaks regularly at conferences and industry events about commercial strategy, ecosystem creation and business design. In 2009, he helped found the cyber security startup Vacta Ltd, which was integrated into the ECS Group in 2012. Cameron has successfully implemented innovation programs for several multinational defence, logistics, automotive manufacturers and financial service providers. He previously established the highly successful Berlin Studio for Idean (now part of the CapGemini Invent Group), specialising in service and ecosystem design for autonomous automotive. More recently, Cameron led the team delivering LORCA, the new 13.5M London cyber innovation centre, for Plexal in association with Deloitte, CSIT Belfast and the UK Department for Culture Media and Sport. Cameron advises Casta Spes Technologies, an AI driven robotics startup tackling the challenge of physical perimeter security.
The article has been originally published at: https://www.linkedin.com/pulse/chb-cybersecurity-briefing-170619-cameron-hunter-bell/