STE WILLIAMS

Cyber-warnings, cyber-speculation over cyber-Iran’s cyber-retaliation cyber-plans post-Soleimani assassination

With tensions soaring between America and Iran following the drone strike that killed top Persian general Qassem Soleimani, experts are weighing in on what the US could face should the Mid-East nation fully mobilize its cyber resources.

The threat of an online attack from the wannabe-nuclear state was significant enough that over the weekend the US Department of Homeland Security’s National Terrorism Advisory System posted a seemingly dire alert [PDF] outlining the capabilities of Tehran’s hackers.

“Iran maintains a robust cyber program and can execute cyber attacks against the United States,” Uncle Sam warned.

“Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of US-based targets.”

While Iran has previously targeted things like energy and oil plants with months-long hacking campaigns, the nation’s ability to spark nationwide damage and panic in the US is in doubt, according to experts.

Rather, they believe, Iranian computer-security offensives would probably look more like attacks restricted to specific limited geographical regions. Of course, a region like New York City is home to millions of people, so it’s not a threat that can be ignored – though it’s nothing to lose your mind over.

“If an attack were to occur, the impacts would likely be limited and local,” said Sergio Caltagirone, veep of threat intelligence at infosec outfit Dragos. “Industrial infrastructure worldwide is resilient but also underprepared to defend itself. We need to do more, but fear less.”

That is not to say that Iran would not be capable of wrecking or disrupting equipment remotely. FireEye director of intelligence analysis John Hultquist noted to The Register that the Mid-East country’s tendency to use wiper malware infections has been particularly effective against industrial control systems.

“Iran has leveraged wiper malware in destructive attacks on several occasions in recent years,” Hultquist said. “Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations.”

In short, there is a real and significant threat of attacks from Iran on industrial infrastructure, though we’re not likely to see anything like a sustained, widespread crippling of critical systems.

Then, there is the information warfare threat. While the defacement attacks spotted thus far have been dismissed as the work of private groups of unsophisticated “script kiddies,” Iran also maintains a formidable information warfare operation of its own.


The use of that network could take the form of widespread disinformation efforts, say experts.

“We are already seeing Iranian disinformation efforts by these networks surrounding [the Soleimani] strike, and the US should expect that Iranian influence efforts surrounding the US will increase over the coming days or weeks as political developments evolve,” said FireEye senior manager of information operations analysis Lee Foster.

“There are many similarities and some differences between Iran’s tactics in this space and those of Russia, which has received the majority of public attention regarding state-directed information operations. Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe.”

Regardless of their form, cyber-attacks from Iran are largely seen as inevitable, though at the same time are nothing to panic over. Rather, admins should maintain a close eye on their networks, particularly incoming connections, and follow best security practices, particularly for embedded and industrial systems. That means putting systems behind firewalls and limiting access, using air gaps, using non-default secure passwords and multi-factor authentication if possible, keeping up with patches, and so on.

Given the Iranians’ fondness for software wiping attacks, making sure backups are up to date wouldn’t hurt either. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/06/iran_attack_speculation/

US Government Publishing Office Website Defaced

The Federal Depository Library Program (FDLP) website was attacked by a group of hackers claiming to represent the government of Iran.

An obscure US federal website was attacked and vandalized on January 4, resulting in the site being taken down for more than 24 hours.

A group claiming to represent the Islamic Republic of Iran launched the attack against the Federal Depository Library Program (FDLP) website, changing its landing page to include a statement in Farsi and a Photoshopped image of President Trump being struck by a fist representing the Revolutionary Guard.

The hack and defacement came on the heels of a US airstrike on Friday that killed Iran Revolutionary Guard General Qassem Soleimani.

The FDLP, whose site is now operating normally, has a mission to, “…provide free, ready, and permanent public access to Federal Government information, now and for future generations.” It operates under the Government Publishing Office.

Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, on Saturday via Twitter warned organizations to renew their vigilance against potential Iranian cyberattacks, especially attacks concerning industrial control systems.


For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/us-government-publishing-office-website-defaced/d/d-id/1336723?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malicious Google Play Apps Linked to SideWinder APT

The active attack involving three malicious Android applications is the first exploiting CVE-2019-2215, Trend Micro researchers report.

Researchers have discovered an attack exploiting CVE-2019-2215, which leverages three malicious apps in the Google Play store to compromise a target device and collect users’ data.

This threat is linked to the SideWinder advanced persistent threat (APT) group, report Trend Micro’s Ecular Xu and Joseph Chen in a blog post. SideWinder, a group detected by Kaspersky Labs in the first quarter of 2018, primarily targets Pakistani military infrastructure and has been active since at least 2012. Security researchers believe the threat group is associated with Indian espionage interests and has a history of targeting both Windows and Android devices.

CVE-2019-2215 was disclosed in October 2019 by Maddie Stone of Google’s Project Zero. The zero-day local privilege escalation vulnerability affected hundreds of millions of Android phones at the time it was published. A patch was released in December 2017 for earlier Android versions; however, new source code review indicated newer versions of the software were vulnerable.

The use-after-free vulnerability is considered “high severity” and requires a target to download a malicious application for potential exploitation. An attacker would have to chain CVE-2019-2215 with another exploit to remotely infect and control a device via the browser or another attack vector. The bug allows for a “full compromise” of a vulnerable device, Stone explained.

While it was “highly likely” the bug was being used in attacks last October, this marks the first known active campaign using it in the wild, Xu and Chen report. This particular vulnerability exists in Binder, the main interprocess communication system that exists in Android, and the three malicious apps used in the attack were disguised as photography and file manager tools.

Android apps Camero, FileCrypt Manager, and callCam are believed to be related to the SideWinder group and have been active on Google Play since March 2019, based on one of the apps’ certificate information. All have since been removed from the Play store.

CallCam is the payload app and is installed in two stages, the researchers explain. First a DEX file — an Android file format — is downloaded from the command-and-control server. The downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. Camero and FileCrypt Manager both act as droppers. After downloading the DEX file from the C2 server, they call extra code to download, install, and launch the callCam app.

Researchers note the C2 servers used are suspected to be part of SideWinder’s infrastructure. Further, a URL linking to one of the apps’ Google Play pages is on one of the C2 servers.

SideWinder relies on device rooting as one of its tactics to deploy callCam without alerting the victim. The malware retrieves a specific exploit from the C2 server depending on the DEX the dropper downloads. This approach only works on Google Pixel (Pixel 2 and Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F0 (CPH1881), and Redmi 6A devices.

Over the course of its investigation, Trend Micro was able to download five exploits from the C2 server and found they used CVE-2019-2215 and MediaTek-SU to gain root privileges. Once they achieve this, the malware installs callCam, enables accessibility permissions, and launches.

Another approach is using the accessibility permission, a technique used by the FileCrypt Manager on Android phones running Android 1.6 or higher. After launch, FileCrypt asks the user to enable accessibility. When granted, this displays a full-screen overlay that says it requires further setup. In the background, the app is calling code from the DEX file so it can download more apps and install callCam. It enables the accessibility permission and launches the payload.

“All of this happens behind the overlay screen, unbeknownst to the user,” Xu and Chen write.

After launch, the callCam icon is hidden on the target device and collects data in the background to send to the C2 server. This information includes location, battery status, files stored on the device, list of installed apps, account data, Wi-Fi data, and information related to the device, sensor, and camera. It also pulls data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. CallCam encrypts all of this stolen data using RSA and AES encryption, and uses SHA256 to verify the data’s integrity and customize the encoding routine.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/application-security/malicious-google-play-apps-linked-to-sidewinder-apt/d/d-id/1336728?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Don’t fall for the “Start your 2020 with a gift from us” scam…

Have you ever received items by courier from people overseas?

If so, you’ll know that sometimes – notably in the case of gifts, where the other person hasn’t told you what they’re sending – the courier company doesn’t deliver the item directly.

Sometimes you get an email saying that the item is delayed because the authorities want to inspect it; or there’s import duty; or there’s a supplementary delivery charge if you can’t collect it from the depot yourself.

And to help you get through the paperwork easily, there’s often a tracking code and a clickable link in the email.

You can see where this is going…

…because cybercrooks love to copy real life, on the grounds that it’s easier to lull you into a false sense of security when you’re following a process that feels familiar.

Like this email that a Naked Security reader received this weekend:

A free Macbook Pro for just $1!

(Ironically, you could argue that this phish might work better if the “free gift” were a bit less valuable than a Macbook Pro laptop, and if the delivery fee were a bit higher than $1, because the value and the charge don’t quite seem to go together very well – but that’s a detail we shan’t investigate any further here.)

As we mentioned above, scams like this aren’t miles away from real life, because emails from courier companies that document unexpected import and delivery charges are not unusual.

As for gifts, well, they’re not unusual during the Christmas holiday season, either – and, being gifts, they’re often a surprise that you don’t find out about until either you or customs officials open the package.

If you click through, you’ll see a landing page, in this case tailored to the same country as the recipient’s email address, which ended in .com.au:

Next, the crooks tell you that they have “found” your item from its “barcode”:

And then the crooks advise you that the item has arrived in your country, but is stuck at the depot, pending payment of a delivery fee:

If you fall for the scam and click through, you’ll see some realistic-looking pages that take you to a fake pay page.

We entered bogus data here for the screenshot:

(All the sites used by the crooks have been hacked or set up for the purpose of the scam, so they all have HTTPS certificates and show a padlock in the address bar – but the server name is unlike any courier company you’ve ever heard of.)

The crooks then present a plausible conclusion for the fake transaction by simply claiming that it didn’t go through:

As you can see, the crooks are still phishing for more, even at the end, brazenly suggesting that you try another credit card and thus giving them two-for-the-price-of-one.

Of course, if you get this far you’ve just handed over your card details to the crooks, including the CVV (security short code) from the back of your card that no legitimate merchant would store.

What to do?

  • Beware free gifts. Seriously, there is no free iPhone, no free iPad, and definitely no free Macbook. Even if the link just takes you to a survey rather than to a full-on phish like here, don’t give out personal data to people you’ve never heard of.
  • Beware courier emails. When sending or receiving items by courier, try to get in contact with the recipient or sender without using email – perhaps make a phone call in advance – to advise them of the courier company you’re using and to provide a tracking number you can both trust.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate.
  • Avoid links in emails. If you know you’ll be dealing with courier company X, find out the right website to use in advance, and go there yourself. Don’t rely on links emailed to you, because those links say whatever the sender wants.
  • Report compromised cards immediately. If you get as far as entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)

PS. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the [Submit] button.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6ku0_sae734/

GCHQ: A cyber-what-now? Rumours of our probe into London Stock Exchange ‘cyberattack’ have been greatly exaggerated

GCHQ and its cyber-defence offshoot NCSC have both denied that they are investigating a cyber-attack on the London Stock Exchange, contrary to reports.

The Wall Street Journal, normally a reliable source for news with a financial flavour, reported that British signals intelligence agency Government Communications Headquarters (GCHQ) has been looking into an August 2019 outage of the LSE, which was reported to the Financial Conduct Authority at the time.

“The incident,” the newspaper claimed, “which delayed the market open by more than an hour and a half and was the worst outage in eight years, immediately triggered government cyber alert systems, according to the people familiar with the matter.”

It added that GCHQ was “examining if the software code may have played a role in the outage. Officials are looking at timestamps affiliated with the code’s production, which could offer clues to its origin.”

Unusually, GCHQ has outright denied that it is carrying out an investigation.

The National Cyber Security Centre, GCHQ’s cyber defence offshoot which normally does this sort of work during or after a cyber attack, told The Register: “The NCSC has not treated the LSE outage as a cyber security related incident and has not investigated it as such.”

A spokeswoman for the eavesdropping agency added that GCHQ itself wasn’t looking into the outage either.

While it is certainly possible that GCHQ and its cuddly public-facing arm are publicly denying the existence of an investigation, perhaps to keep a potential attacker in the dark, an on-the-record denial could be interpreted to point the other way.

Oddly, the WSJ doesn’t include statements from GCHQ or NCSC, though it does quote an LSE spokeswoman who told the newspaper the outage was caused by a “technical software configuration issue following an upgrade of functionality.” She added that the LSE “has thoroughly investigated the root cause of the issue to mitigate against any future incidents.”

The London Stock Exchange itself – the largest in Europe, with thousands of companies from around the world listed – is one of the critical institutions that keeps London as one of the world’s pre-eminent places for the finance industry. Outages can cause predictable levels of trouble, as we reported when one such outage happened a decade ago.

With the current Middle East situation seeming precarious following the US assassination of an Iranian general at Baghdad airport, GCHQ may have other things on its corporate mind. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/06/gchq_not_investigating_london_stock_exchange_cyberattack_allegation/

What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?

Misconfigured cloud buckets leak sensitive data. Here’s how to keep your Amazon Web Services (AWS) Simple Server Storage (S3) buckets secured.

Question: Are there any tools that can help me find misconfigurations in my AWS S3 cloud buckets?

Kurtis Minder, CEO of GroupSense: Yes. There are a number of tools that are available to look for misconfigured or open S3 buckets. Most of these tools are available for free on GitHub. S3-inspector, S3Scanner, and Bucket Finder are a few that will uncover buckets and misconfigurations.

Keep in mind, threat actors can use these tools also. Better to use them on yourself before they do. In fact, cybercriminals don’t even bother hacking into systems deployed on AWS – there are so many misconfigured S3 buckets out there that they just use these tools to find the screw-ups and steal the data. I saw a stat from Skyhigh Networks that 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted.

This is like shooting fish in a barrel for data thieves, so it is really critical for companies to use these tools to shore up their configurations before they start putting sensitive data into AWS or any other public cloud.
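The two misconfigurations the answer calls out, unrestricted public access and missing encryption, can be checked against a bucket’s own configuration rather than by guessing at bucket names from outside. The following is an added example (not one of the GitHub tools named above and not GroupSense code) that evaluates the data structures boto3 would return for a bucket’s ACL, bucket policy, default-encryption rules and Public Access Block settings; all sample responses are constructed inline so it runs offline.

```python
import json

# Canned S3 group grantees meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """List (grantee URI, permission) for every ACL grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant["Permission"]))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" as well as {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """List Sids (or positional labels) of unconditional Allow statements for a wildcard principal."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without the enclosing list
        statements = [statements]
    hits = []
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) may narrow the grant; review those by hand instead.
            continue
        hits.append(st.get("Sid") or f"Statement[{idx}]")
    return hits


def has_default_encryption(encryption):
    """True when at least one rule sets ApplyServerSideEncryptionByDefault (SSE-S3 or SSE-KMS)."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def assess_bucket(acl, policy_json, encryption, public_access_block=None):
    """Return human-readable findings for one bucket; an empty list means nothing was flagged."""
    pab = public_access_block or {}
    findings = []
    # Public ACL grants are neutralised when IgnorePublicAcls is on for the bucket or its account.
    if not pab.get("IgnorePublicAcls"):
        for uri, perm in acl_public_grants(acl):
            findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    # RestrictPublicBuckets limits a public bucket policy to in-account principals and AWS services.
    if not pab.get("RestrictPublicBuckets"):
        for sid in policy_public_statements(policy_json):
            findings.append(f"policy statement {sid} allows a wildcard principal with no Condition")
    if not has_default_encryption(encryption):
        findings.append("no default server-side encryption rule")
    return findings


# Constructed sample responses: shapes follow boto3's get_bucket_acl / get_bucket_policy /
# get_bucket_encryption / get_public_access_block, but every value here is made up.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
ENCRYPTED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    samples = {
        "open-bucket": (OPEN_ACL, OPEN_POLICY, None, None),
        "open-but-blocked": (OPEN_ACL, OPEN_POLICY, ENCRYPTED, FULL_BLOCK),
        "locked-down": (PRIVATE_ACL, None, ENCRYPTED, FULL_BLOCK),
    }
    for name, args in samples.items():
        print(name, assess_bucket(*args) or ["OK"])
```

To run this against real buckets, feed it the responses of the corresponding boto3 calls for each bucket returned by `list_buckets`; remember that an account-level Public Access Block also applies even when the bucket-level one is absent.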


Kurtis Minder is a driven entrepreneur developing new technologies to make the world a better place. He is currently the CEO of GroupSense, an enterprise digital risk management company. Minder is also a frequent contributor to the startup community and serves as an …

Article source: https://www.darkreading.com/edge/theedge/what-tools-will-find-misconfigurations-in-my-aws-s3-cloud-buckets/b/d-id/1336720?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Client-Side JavaScript Risks & the CCPA

How California’s new privacy law increases the liability for securing Web-facing user data, and what enterprises can do to mitigate their risk.

On January 1, 2020, California’s new privacy law took effect, which will dramatically increase security risks for any company operating there as well as for third parties that might have access to your data. This is a problem because one of the fastest-growing types of cyberattacks — client-side JavaScript attacks — often targets third-party services. Magecart attacks, for example, frequently focus on compromising plug-ins to major e-commerce platforms such as Magento and Shopify or other popular publishing platforms like WordPress to surreptitiously skim customer data.

The California Consumer Privacy Act (CCPA), which dictates how companies and organizations need to secure the data of users, could drive heavy fines against sites that fail to protect against these attacks. The act can also be a positive force to drive major improvements in your web application security approach.

Why Website Issues Are a CCPA Risk
While the CCPA is the strongest state consumer privacy legislation in the United States, the law also has global reach. A French or a Chinese company that has customers, partners, service providers, or offices in California could be fined if its website is breached and California residents are affected.

However, the exposure is broader than data breaches. CCPA extends liability for compromises of user data to third-party services that web application publishers and operators use. This can include payment processors, chatbot operators, and any other provider of third-party services that integrate with web applications. This could mean large financial exposure if California, which has a track record of aggressive enforcement, pursues fines.

In the European Union, recent interpretations of the 2016 General Data Protection Regulation (GDPR) found that JavaScript attacks by malicious third parties to skim sensitive user data that are not promptly spotted and halted constitute GDPR violations. In these instances, the databases and internal systems were never breached; site code was modified, but not by the site’s owner. California adopting this view sets a high bar for website operators.

CCPA also sets up a provision under which people whose data is stolen can sue businesses “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” This is a broad mandate for litigation in the event of any type of security incident.

The upshot? CISOs, CMOs, site reliability engineers, and CROs at companies with even small exposure to California should care about liabilities conferred by CCPA on web applications and site code.

CCPA Risks from Third-Party JavaScript Code
Nearly all web applications (including web, mobile web, and hybrid mobile applications) use JavaScript. Increasingly, these applications also use third-party JavaScript libraries and services that are added to their web application. These third-party JavaScript inclusions enhance site functionality in many ways. They also accelerate the speed at which web applications can be constructed, and enable better web application performance by off-loading computationally intensive tasks to third parties.

Unfortunately, it’s become hard for companies to keep track of all the third-party JavaScript on their web applications. In a survey of 230 companies averaging 1,000 employees conducted by PerimeterX, 55% of respondents said that more than 50% of their site code is from third parties. Roughly one-fifth said that over 70% of their site code was from third parties, and a surprising 8.3% said they had no idea how much of their site code was third-party code.

Difficulty tracking which third-party services and code a company uses complicates auditing for CCPA liabilities. Worse, when third-party libraries and services are hacked or suffer security breaches, the owners of these third-party elements may not promptly notify all website owners that use them. The PerimeterX survey found that 42% of respondents have no way to know when and if their site code is changing without their authorization.

How to Reduce Risks from Third Parties
Some basic steps can significantly reduce your risk, or, at a minimum, show you performed solid due diligence into the risks third parties confer on your organization (and by extension, on your customers). First, identify all instances of third-party code running on your site. If this code is from third-party open source libraries, then you must treat it as if it’s your own code and analyze it for security risks. This includes static code analysis.

For JavaScript from service providers, ask the following questions to gauge their own CCPA risk to you:

  • Do you capture our user data in any way? If yes, please give a detailed explanation how you capture this data.
  • If you capture our data, who has access to that data (additional parties) and how is it secured?
  • How are you checking your code for unauthorized changes? (They should be able to give you a list of steps such as static code analysis and live application scanning.)
  • Do you have full (not partial) SOC 2 or ISO 27001 compliance?

The best offense against CCPA, however, is a good defense. To that end, verify that all your public-facing applications and APIs are properly locked down. All public apps must be guarded by firewalls and other security measures with updated configurations.

To spot any JavaScript attacks early and head off a CCPA risk, deploy a modern artificial intelligence-based anomaly detection platform that works on real-time data collected at runtime from site visitors and locates strange code behavior indicating user data is being harvested. [Editor’s note: PerimeterX is one of several providers that offer such detection solutions.] These solutions can also give you a real-time, updated view of which scripts on your site are actually accessing and collecting personal data, which could provide compliance air cover as well.

Even if the script is actually a legitimate and uncompromised library or service, compliance rules around data gathering and ability to provide any information on how data is used mandate that site operators must be able to identify every third-party that has access to data, in any way, shape, or form. 
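The first step recommended above, identifying every piece of third-party code a page loads, can be started from the page markup itself. The script below is an added example (not PerimeterX code or a product feature) that inventories the `<script>` tags in an HTML document, separates first-party from third-party hosts, and reports which third-party scripts are loaded without a Subresource Integrity hash; the sample page, hostnames and hash value are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Record every <script> tag: external ones with src and integrity, inline ones by count."""

    def __init__(self):
        super().__init__()
        self.external = []  # dicts with "src" and "integrity" (None when absent)
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if a.get("src"):
            self.external.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self.inline += 1


def script_host(src, page_host):
    """Host that serves a script URL; relative paths resolve to the page's own host."""
    netloc = urlsplit(src).netloc  # handles absolute and protocol-relative (//cdn...) URLs
    return (netloc or page_host).lower()


def is_third_party(host, first_party_hosts):
    """First party means the host equals, or is a subdomain of, a listed first-party domain."""
    return not any(host == fp or host.endswith("." + fp) for fp in first_party_hosts)


def inventory_scripts(html, page_host, first_party_hosts):
    """Classify external scripts by origin and note whether each carries an integrity hash."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {"inline_scripts": collector.inline, "first_party": [], "third_party": []}
    for s in collector.external:
        host = script_host(s["src"], page_host)
        entry = {"src": s["src"], "host": host, "has_sri": bool(s["integrity"])}
        bucket = "third_party" if is_third_party(host, first_party_hosts) else "first_party"
        report[bucket].append(entry)
    return report


def unpinned_third_party(report):
    """Third-party scripts with no SRI hash: their content can change without the site noticing.
    Loaders that fetch further code at runtime cannot be pinned this way at all, which is why
    the article above pairs this kind of inventory with runtime monitoring."""
    return [e["src"] for e in report["third_party"] if not e["has_sri"]]


# Constructed sample page: the hosts and the sha384 value are placeholders, not real resources.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-CONSTRUCTEDHASH"></script>
<script src="https://js.lib-cdn.example/vendor.min.js" integrity="sha384-CONSTRUCTEDHASH"
        crossorigin="anonymous"></script>
<script src="//analytics.example.net/tag.js"></script>
<script src="https://chat.widget-vendor.example/loader.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    rep = inventory_scripts(SAMPLE_HTML, "www.shop.example", {"shop.example"})
    print("inline scripts:", rep["inline_scripts"])
    for e in rep["third_party"]:
        print("third party:", e["host"], "SRI" if e["has_sri"] else "no SRI")
    print("unpinned third-party scripts:", unpinned_third_party(rep))
```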


Ido Safruti is a co-founder and CTO at PerimeterX, provider of application security solutions that keep businesses safe in the digital world, detecting risks to web and mobile applications and proactively managing them. Previously, Ido headed a product group in Akamai focused …

Article source: https://www.darkreading.com/risk/client-side-javascript-risks-and-the-ccpa/a/d-id/1336650?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mimecast Acquires Segasec to Boost Phishing Defense

Segasec’s technology will be integrated into Mimecast’s email and Web security services to identify malicious domains.

Mimecast has confirmed plans to acquire threat protection startup Segasec, starting a new year of cybersecurity M&A after an especially active 2019. Terms of the deal were not disclosed.

Tel Aviv-based Segasec, founded in 2017 by Elad Schulman and Gad Akuka, aims to protect businesses from phishing, business email compromise, ransomware, and other threats. Its platform monitors domain registrations, new certificates, mail server provisioning, social networks, and other Web resources where consumers and brands interact. The goal is to help companies better defend against attacks using fake websites and domains for credential theft.

Mimecast plans to integrate Segasec’s technology into email and Web security services as part of a broader effort to build an approach dubbed Email Security 3.0. The idea behind this is to improve security defense against three types of threats: those trying to breach the perimeter (Zone 1), those that exist inside the perimeter (Zone 2), and attacks taking place outside the perimeter (Zone 3). The Segasec acquisition is specifically intended to address Zone 3 by improving the ability to identify attacks that imitate brands using domains they don’t own.

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/mimecast-acquires-segasec-to-boost-phishing-defense/d/d-id/1336722?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Monday review – the hot stories of the holidays

If you downed tools for the holidays, get yourself up to date with everything we’ve written since Christmas.

Catch up on our latest podcasts

The Naked Security podcast is taking a break over the festive season, so why not check out the whole series, or catch up on some of our recent episodes you may have missed:

S2 Ep21: Plundervolt, domain name gunfight and Facebook snubs Congress

Check out our new YouTube channel

If you haven’t subscribed to our new YouTube channel, why not check it out now? (Don’t forget you can click on the “bell” icon to be notified when we post new videos.)

Here’s an example from our new What to do When… series:


News, straight to your inbox

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TCSlQtPBF6o/

Rowhammer rides again as FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc

Roundup Welcome to the New Year: here are some security headlines that may have slipped past you during the gorging season.

Tesla Wi-Fi taken for a ride by hackers

The team at Tencent Keen Security Lab has done it again: hacking Tesla’s Model S, in which the security shop’s parent company has a significant stake.

This time the Tesla hacking crew has demonstrated how it would be possible to compromise the Wi-Fi firmware and driver software in the car, then use that as a springboard to get into the host Linux system of the MuskMobile.

“We presented the details of the vulnerability in the firmware and the vulnerability in the Marvell kernel driver and explained how to utilize these two vulnerabilities to compromise the Parrot Linux system by just sending malicious packets from a normal Wi-Fi dongle,” the team reports.

Fortunately, Tesla owners have nothing to fear. Aside from being rather difficult to actually perform – the process requires close proximity and only has a 25 per cent success rate – both bugs have already been patched after Tencent privately reported the flaws.

One Dell of a start to 2020 for RSA

It seems security company RSA’s days as a part of the Dell family of brands may be numbered.

The Register’s storage sister site Blocks and Files reports that Dell has brought in Morgan Stanley to find a buyer for the security and conference specialist. It was reported in November that Dell was mulling offloading RSA.

“The business has more than 30,000 customers across the globe, generates $170m – $200m EBITDA and could fetch as much as $3bn, according to some estimates,” notes fellow vulture Chris Mellor.

The deal could be a big part of the chatter at next month’s RSA Conference in San Francisco, USA.

Roll your own Capital One pwnage

A rather cool educational project allows you to experience firsthand how the Capital One hack likely went down.

Avishay Bar and Maros Hluska have created a virtual environment that lets anyone with an AWS account more or less recreate the essential parts of the cyber-break-in, and see exactly what went wrong and where. The site is a neat way for IT admins and infosec pros alike to learn something new and avoid similar mistakes by shoring up their cloud-based defenses.

What a BusKill! USB key provides nuclear option against thieves

For those who really, really want to keep their data out of the hands of thieves, there’s a nifty gadget you might want to try. Invented by Michael Altfield, a sysadmin at the Open Source Ecology project, the BusKill cord acts as a sort of kill switch against thieves that works via USB.

The idea is that, when working at a cafe or other public place, the user would plug one end of the pull-away cord into their laptop, and the other to an anchor such as a belt loop or keyring.

If a miscreant tries to snatch your machine and run off with it, the cord would pull out and the USB key remaining in the socket would trigger a udev command that would, at its worst, completely wipe the machine. It’s also remarkably affordable: the whole DIY project costs only around $20 to build.

Just make sure it doesn’t accidentally fall out.
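As an added example (not BusKill’s or Altfield’s own code), here is how such a udev-driven kill switch can be wired up on a systemd-logind system, with locking every session as the response rather than a wipe; the rule path, handler path and the 1234/abcd USB ids are placeholders, the real ids coming from `udevadm info` on the key you use.

```shell
#!/bin/sh
# Added example, not BusKill's code: a udev "dead man's switch" that fires
# when one specific USB key is unplugged and locks every login session.
# Assumptions: systemd-logind (loginctl), root for the install step, and the
# key's vendor/product ids taken from `udevadm info` (placeholders below).

RULE_FILE=/etc/udev/rules.d/99-buskill.rules      # assumed path
HANDLER=/usr/local/bin/buskill-trigger            # assumed path

# Accept only a 4-hex-digit USB id so nothing odd lands in a root-run rule.
buskill_valid_id() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the udev rule: match the remove event for THIS key only, run HANDLER.
buskill_rule() {
    vendor=$1; product=$2; handler=${3:-$HANDLER}
    buskill_valid_id "$vendor" && buskill_valid_id "$product" || return 1
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", RUN+="%s"\n' \
        "$vendor" "$product" "$handler"
}

# Print the handler. udev runs RUN+= programs as root outside any user
# session, so lock through logind rather than a per-user screensaver tool.
buskill_handler() {
    cat <<'EOF'
#!/bin/sh
logger -t buskill "key removed, locking all sessions"
loginctl lock-sessions
EOF
}

# Write rule and handler, then make udev re-read its rules. Needs root.
buskill_install() {
    buskill_rule "$1" "$2" > "$RULE_FILE" || return 1
    buskill_handler > "$HANDLER" && chmod 755 "$HANDLER"
    udevadm control --reload-rules
}

# Usage: BUSKILL_INSTALL=1 sh buskill.sh 1234 abcd   (placeholder ids)
if [ "${BUSKILL_INSTALL:-0}" = 1 ]; then
    buskill_install "$1" "$2"
fi
```

Test the rule by unplugging the key once with a harmless handler before pointing it at anything destructive.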

Speaking of wires… The O.MG Cable, which looks remarkably like a normal USB or Lightning cable but can be used to compromise connected targets, is now on sale. It is designed for red teams working in the field who need to rapidly and stealthily physically pwn computers on site.

Rowhammer returns as FPGA hack

Memory-bit-forcing attacks are back. The familiar Rowhammer technique has now been extended to servers and other systems that link together FPGAs and CPU cores.

Dubbed JackHammer [PDF], the technique is said to make Rowhammer-style attacks more efficient on some FPGA-CPU hybrid systems. It is possible, for example, to use a maliciously configured gate array to flip bits in memory being used by a CPU core to perform sensitive stuff, like crypto-key generation. This could be a particular problem on multi-tenant cloud systems with FPGA attachments, where different customers are sharing various cores and programmable arrays in a server.

That said, this is an academic paper investigating the Intel Arria 10 GX, and the chance of an actual practical attack rearing its head any time soon remains, in our view, low… for now.

Colorado town rolled, smoked for $1m by BEC scam

The town of Erie, high in Colorado, USA, found itself deep in the weeds after an email-based scam resulted in it getting lit up to the tune of $1m.

The decidedly not-chill hackers posed as accountants from a construction company that had built a bridge for the town. Using lookalike email addresses, the hackers contacted city workers and requested that the method of payment for the building work be changed.

Thinking they were paying a legitimate bill, town administrators blazed over payments to the new account, controlled by miscreants. Erie Police are now working with the FBI in a joint effort.

Ransomware forces marketeer to close up shop

A marketing company in Arkansas, USA, is no longer a going concern, thanks to a particularly nasty ransomware infection.

Local news station KATV reported that, after sending home all of its employees in December, the Heritage Company will not be re-opening. It seems the cost of recouping the data and getting everything back up and running was too much for the small telemarketing firm. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/06/roundup_january_2/