STE WILLIAMS

Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130

Add the Australian Signals Directorate (ASD) to the already long list of organizations compromised by the security weaknesses of third-party contractors.

But in this case it wasn’t just credit card and other consumer data compromised. It was detailed information on some of the nation’s major military defence systems – aircraft, bombs and naval vessels.

The first mention of the breach came almost in passing and with few details, deep in the Australian Cyber Security Centre (ACSC) 2017 Threat Report. It said that almost a year ago, in November 2016, the ACSC:

…became aware that a malicious cyber adversary had successfully compromised the network of a small Australian company with contracting links to national security projects. ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data.

The report didn’t name the company, its size or what kind of national security work it did.

In hindsight, it should have been obvious that the company – a 50-person aerospace engineering firm with only one person handling all IT-related functions – was a weak link in the security chain.

That and quite a bit more detail – although the company still remained unnamed – came earlier this week, from Mitchell Clarke, incident response manager at the ASD, in a presentation at the national conference of the Australian Information Security Association (AISA) in Sydney.

According to ZDNet correspondent Stilgherrian, who obtained an audio of the presentation, Clarke said the attacker(s), who had been inside the company’s network at least since the previous July, had “full and unfettered access” for several months, and exfiltrated about 30GB of data including, “restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.”

He said the attackers, who used a tool called China Chopper, could have been state sponsored or a criminal gang.

And they likely had little trouble gaining access.

Clarke, who named the advanced persistent threat (APT) actor “APT ALF” after a character in the Australian television soap opera Home and Away, said that besides the single IT employee, who had only been on the job for nine months, the “mum and dad-type business” had major weaknesses:

There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.

Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.

Beyond that, Clarke said the firm’s Internet-facing services still had their default passwords of admin and guest. He called the months between the attackers gaining access and the intrusion being discovered “Alf’s Mystery Happy Fun Time.”

The Age reported that a spokesperson for ACSC said while the data was “commercially sensitive,” it was not classified.

But Clarke said among the stolen documents was one that, “was like a Y-diagram of one of the Navy’s new ships and you could zoom in down the captain’s chair and see that it’s one metre away from the nav (navigation) chair and that sort of thing.”

Whatever the sensitivity of the data, it seems certain that the breached firm wasn’t following what the ASD calls the “Essential Eight Strategies to Mitigate Targeted Cyber Intrusions.”

The agency said while no strategy is guaranteed to prevent cyber intrusions, simply implementing the “Top 4” would block 85% of adversary techniques. They amount to what most security experts, and regular readers of Naked Security, will recognise as basic security hygiene:

  1. Use application allow lists so that only approved programs can run
  2. Patch applications like Flash, web browsers, Microsoft Office, Java and PDF viewers
  3. Patch operating systems
  4. Restrict admin privileges based on user duties
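The breach account above reads like a checklist of what the Top 4 are meant to prevent: no patching regime, one local Administrator password shared across every server, and privileged credentials used where they were not needed. The following script is an added example (not ASD or ACSC tooling) showing how a defender can audit a host inventory against those four points. The inventory layout, the hash values, the 30-day patch threshold and the two-admin limit are all assumptions constructed for the example; comparing the local Administrator password hash across hosts, rather than the plaintext, is enough to detect a shared password.

```python
"""Audit a host inventory against the ASD "Top 4" mitigations and the specific
weaknesses named in the breach account.  Added example, not ASD or ACSC
tooling; the inventory layout and the thresholds are assumptions."""
from collections import defaultdict
from datetime import date

MAX_PATCH_AGE_DAYS = 30   # assumed policy threshold, not an ASD figure
MAX_LOCAL_ADMINS = 2      # assumed: built-in Administrator plus one named admin
AS_OF = date(2016, 11, 1)  # the month the ACSC says it became aware of the breach

# Constructed inventory records.  "local_admin_hash" stands in for the hash a
# LAPS/inventory export would give for the built-in local Administrator
# account.  All values are made up.
INVENTORY = [
    {"host": "fs01", "allowlisting": False, "os_patched": "2016-02-10",
     "apps": {"Flash": "2016-01-05", "Java": "2016-03-01"},
     "local_admin_hash": "aaaa1111",
     "local_admins": ["Administrator", "helpdesk-svc"]},
    {"host": "dc01", "allowlisting": True, "os_patched": "2016-10-20",
     "apps": {"Office": "2016-10-18"},
     "local_admin_hash": "aaaa1111",
     "local_admins": ["Administrator"]},
    {"host": "rds01", "allowlisting": False, "os_patched": "2016-10-25",
     "apps": {"Flash": "2016-10-26", "Office": "2016-10-18"},
     "local_admin_hash": "bbbb2222",
     "local_admins": ["Administrator", "alice", "bob", "carol"]},
]


def days_since(iso_day, today):
    """Days elapsed between an ISO date string and `today`."""
    return (today - date.fromisoformat(iso_day)).days


def audit_host(rec, today):
    """Findings for one host, each tagged with the Top 4 strategy it fails."""
    findings = []
    if not rec["allowlisting"]:
        findings.append("1: application allowlisting not enforced")
    stale = sorted(app for app, patched in rec["apps"].items()
                   if days_since(patched, today) > MAX_PATCH_AGE_DAYS)
    if stale:
        findings.append("2: applications unpatched > %d days: %s"
                        % (MAX_PATCH_AGE_DAYS, ", ".join(stale)))
    if days_since(rec["os_patched"], today) > MAX_PATCH_AGE_DAYS:
        findings.append("3: OS unpatched > %d days" % MAX_PATCH_AGE_DAYS)
    if len(rec["local_admins"]) > MAX_LOCAL_ADMINS:
        findings.append("4: %d local administrators" % len(rec["local_admins"]))
    return findings


def shared_admin_hashes(inventory):
    """Map each local Administrator hash used on more than one host to those hosts."""
    by_hash = defaultdict(list)
    for rec in inventory:
        by_hash[rec["local_admin_hash"]].append(rec["host"])
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def audit(inventory, today):
    """Per-host findings, including a shared-password finding on every host involved."""
    report = {rec["host"]: audit_host(rec, today) for rec in inventory}
    for hosts in shared_admin_hashes(inventory).values():
        for host in hosts:
            others = ", ".join(h for h in hosts if h != host)
            report[host].append("4: local Administrator password shared with " + others)
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, AS_OF).items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run against the constructed inventory, fs01 fails strategies 1 to 3 and shares its Administrator password with dc01; rds01 has too many local admins. A real run would feed the same functions from a configuration-management or LAPS export rather than the embedded list.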

According to ASD, those strategies have been mandatory for all Australian government organizations since 2013.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iuBneke9n_o/

Android ransomware DoubleLocker encrypts data and changes PINs

Crooks have come up with a strain of Android ransomware that both encrypts user data and locks victims out of compromised devices by changing PINs.

DoubleLocker combines a cunning infection mechanism with two powerful tools for extorting money from its victims.

“Its payload can change the device’s PIN, preventing the victim from accessing their device and encrypts the victim’s data,” said Lukáš Štefanko, the malware researcher at security firm ESET who discovered DoubleLocker. “Such a combination hasn’t been seen yet in the Android ecosystem.

“DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals.”

The nasty is based on a banking trojan, which means that account-compromising functionality might easily be added.

The Android malware spreads in the very same way as its PC parent, as a fake Adobe Flash Player update that’s pushed via compromised websites.

Once launched, the app requests activation of the malware’s accessibility service, named “Google Play Service”. After the malware obtains these accessibility permissions, it uses them to activate device administrator rights and set itself as the default Home application, in both cases without the user’s consent.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” Štefanko said. “Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”

DoubleLocker, once planted on a compromised device, creates two reasons for the victims to pay. First, it changes the device’s PIN, effectively blocking the victim from using it. Second, DoubleLocker encrypts all files from the device’s primary storage directory using the AES encryption algorithm.

DoubleLocker ransom message [source: ESET blog post]

The ransom has been set at a relatively modest 0.0130 BTC (approximately $54). The only viable option to clean a non-rooted device of the DoubleLocker ransomware is via a factory reset. A way around the PIN lock on rooted devices is possible, if not exactly straightforward. Encrypted files can’t be easily recovered. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/doublelocker_android_ransomware/

Pulitzer-winning website Politifact hacked to mine crypto-coins in browsers

Politifact, the Pulitzer Prize-winning website devoted to checking the factual accuracy of US politicians’ words, appears to have been hacked so that it secretly mines cryptocurrency in visitors’ browsers.

The dot-com is run by the Tampa Bay Times, and already has its work cut out for it given the state of American politics. Right now, it fires up code from Coin Hive in browsers to generate Monero coins, each worth about $95, for the miscreants who embedded the software in the site’s pages.

Coin Hive is a legit outfit that offers free JavaScript to web admins: the code, when placed on a page, invisibly and silently runs in the browser and takes spare CPU cycles to mine Monero. Whoever controls the code then collects the coins from the miners. This is supposed to be an alternative revenue stream to placing ads on pages.

However, the code hidden on Politifact.com at this moment appears to be malicious: it is completely non-throttled, and kicks off eight instances of the miner, which means it hammers the visiting machine’s processor, taking up 100 per cent of spare processor capacity.

Infosec analyst Troy Mursch noticed his computer went into overdrive when visiting the site, and tipped us off in the past hour. Redditors also clocked the secret mining operation.

Burning up those CPU cycles … Coin Hive code running on Politifact.com

An examination of the JavaScript on the website revealed a huge chunk of mining routines stashed in what appeared to be a script for controlling the site’s navigation bar.
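The tell-tale signs described above (a miner loader buried in an unrelated script, no throttle, eight worker threads) are easy to scan for once a site's scripts have been fetched. The following is an added example, not Coin Hive's code and not anything from the investigation reported here: it walks a set of constructed script bodies, flags those that reference the miner, and extracts the thread and throttle settings. The option names (`threads`, `throttle`, `setNumThreads`, `setThrottle`) follow Coin Hive's public JavaScript API as the author recalls it and should be treated as assumptions, as should the default of no throttling when none is set.

```python
"""Flag in-page scripts that load a Coin Hive miner and report how aggressively
it is configured.  Added example; the SCRIPTS are constructed and the Coin Hive
option names are assumptions based on its public API."""
import re

MINER_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous", "CoinHive.User")

# Constructed scripts standing in for what a site serves.  "nav.js" hides a
# miner inside a navigation-bar script, configured the way the article
# describes: no throttle and eight worker threads.  Site keys are placeholders.
SCRIPTS = {
    "nav.js": """
        (function () { /* navbar toggles */ })();
        var m = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {threads: 8, throttle: 0});
        m.start();
    """,
    "analytics.js": "window.track = function (e) { /* ... */ };",
    "sidebar.js": """
        var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.5});
        miner.setNumThreads(2); miner.start();
    """,
}

THREADS_RE = re.compile(r"(?:threads\s*:|setNumThreads\s*\()\s*(\d+)")
THROTTLE_RE = re.compile(r"(?:throttle\s*:|setThrottle\s*\()\s*([0-9]*\.?[0-9]+)")


def analyse_script(text):
    """None if the script has no miner marker; otherwise its thread/throttle settings."""
    if not any(marker in text for marker in MINER_MARKERS):
        return None
    threads = THREADS_RE.search(text)
    throttle = THROTTLE_RE.search(text)
    # Assumption: an omitted throttle means 0, i.e. no throttling, which is
    # what the article's "completely non-throttled" finding amounts to.
    throttle_value = float(throttle.group(1)) if throttle else 0.0
    return {
        "threads": int(threads.group(1)) if threads else None,
        "throttle": throttle_value,
        "unthrottled": throttle_value == 0.0,
    }


def scan(scripts):
    """Map script name -> miner settings for every script that embeds a miner."""
    findings = {}
    for name, text in scripts.items():
        info = analyse_script(text)
        if info is not None:
            findings[name] = info
    return findings


if __name__ == "__main__":
    for name, info in scan(SCRIPTS).items():
        severity = "HIGH (unthrottled)" if info["unthrottled"] else "review"
        print("%s: threads=%s throttle=%s -> %s"
              % (name, info["threads"], info["throttle"], severity))
```

The marker strings are deliberately simple; an operator who obfuscates the loader will defeat them, so in practice this check belongs alongside a CPU-usage alert in the browser or a block list at the proxy rather than replacing them.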

The coin-mining code isn’t mentioned on the website nor in its terms and conditions, so either Politifact doesn’t know it is hosting the mining software, presumably because it’s been hacked, or is weirdly keeping quiet about it.


It appears in this case, as with the mysterious CBS Showtime.com Monero mining, that the Politifact website has been compromised to include the math-crunching code.

Hackers are getting increasingly adept at dumping Coin Hive code on unsuspecting web properties and reaping the rewards. Politifact has 3.2 million monthly unique visitors according to its Quantcast analytics, and the CPU cycles from people dropping by may earn the code’s operators a pretty penny.

Coin Hive is getting a bad rap at the moment as increasing numbers of websites are using its tools to dig up cyber-dosh using the computer hardware and electricity of visitors. A survey earlier this month found 220 websites are using the code, primarily porn sites and torrent trackers.

Having spoken to Politifact this morning, we can say its editorial desk is not aware of the mining software, and is investigating its sudden appearance. Just be aware that when you visit, you’ll be directly lining someone else’s pockets, assuming your ad blocker isn’t shutting it down. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/politifact_mining_cryptocurrency/

Getting the Most Out of Cyber Threat Intelligence

How security practitioners can apply structured analysis and move from putting out fires to fighting the arsonists.

Today’s security environment is complex, ever changing, and sometimes even political. Many organizations struggle to keep current about the cyber threats they face. This is due to a number of issues, ranging from the failure to adapt security recommendations to the specific needs of an organization, to an over-focus on malware instead of the human adversary.

Adding to the struggle is the fact that every organization is different. For example, inside an industry vertical, you may find political or regional differences beyond just technical ones. There may be differences in how one division within an organization approaches security in comparison to other divisions within the company. These division-based differences can be the result of varying organizational missions or business units. Each disparity impacts the organization’s overarching threat model, and its understanding of its threat landscape.

Over the years defenders have taken a tool-centric approach. But technology alone won’t stop a well-focused and funded human adversary. While technology is great at synthesizing data, limiting the attack space, and making human analysts more efficient, at the end of the day, it is a human adversary vs. human defender contest – and it must be treated as such.

Even organizations that appreciate the value of threat intelligence can be misled in their application of it. For example, insight into threats can be limited by a vendor-centric approach to how threat intelligence is consumed. And while processing reports created by external parties and leveraging threat data are a valuable way to gather information on adversaries, capabilities and infrastructure, the information gathered should complement a larger internal effort by the security team, not replace it. Put another way, when security practitioners use information obtained through technology and threat intelligence feeds incorrectly, the result is reactive, Whack-a-Mole security, not a deeper understanding of adversary tradecraft.

The Power of Analysis
To truly be successful in threat intelligence, organizations must empower and train their human defenders in analytical approaches so they become good analysts. This means understanding complex scenarios and thinking about them more critically. Simply put, good analysts should look at the world a little differently.


While there is significant value in learning how to use a tool in certain environments (and some great vendor-neutral courses to show you how), the real value is in structured analysis training. Becoming a good analyst requires much more than knowing which tool to use and when. When faced with complex scenarios, it is vital that the security community think critically and evaluate various options. This requires practitioners to develop skills that expand into complicated topics such as adversary intrusion, campaign analysis, adversary tradecraft, and moving from relying on indicators to leveraging behavioral analytics.

Security practitioners must also tie together individual intrusions and look at them as long-term campaigns being run against organizations, as opposed to one-off attacks. There are a lot of security efforts where every intrusion is treated as a separate entity, when realistically we might be dealing with an entire campaign from an adversary.

This is not a new concept in and of itself. Richard Bejtlich was advocating for this approach in the early 2000s. Today, amazing strides in defense are being made in organizations that are attempting to tie intrusions together successfully in order to reduce risk. Sharing knowledge and analysis of an adversary campaign between tactical and strategic level players is essential to getting – and staying – ahead of adversaries.

While technical training and labs are important, truly understanding the human threat requires that practitioners hone their analysis skills and change their perspective. By that I mean that responders and security operations teams must develop intelligent analysis skills across data sets in a way that gives them a deeper understanding of security from tactical, operational, and strategic approaches. Analysis-based cyber threat intelligence will allow security practitioners to move from putting out fires to fighting the arsonists.

The ideal training should also help develop an operational view into how a threat program can mature. From a strategic level, it should arm practitioners with insight into adversaries at a level that C-suite and boards of directors can appreciate and leverage to protect the overall organization.

Bottom line: When organizations understand their own environments, can confidently and accurately identify what constitutes a threat to them, and can think critically about the information they receive, only then will threat intelligence become an extremely useful addition to security.

If you wish to learn more, please check out the SANS FOR578: Cyber Threat Intelligence course or research these concepts online.


Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cybersecurity of critical infrastructure. For his research …

Article source: https://www.darkreading.com/threat-intelligence/getting-the-most-out-of-cyber-threat-intelligence-/a/d-id/1330119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hyatt Hit With Another Credit Card Breach

Payment card information stolen when cards were either swiped or manually entered into registration systems at some Hyatt hotels.

Hyatt Hotels suffered a credit card breach at some of its locations, marking a second time that it has encountered such an issue in the past two years.

The most recent breach occurred between March 18 and July 2 and affected 41 Hyatt sites in 13 countries, according to a notice posted on Hyatt’s website. Hyatt hotels in China took the brunt of the attack, with 18 hotel properties in that country affected, while three resorts in Hawaii were affected, as well as one in Guam and one in Puerto Rico.

“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” Hyatt stated on its site. “Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue. I want to assure you that there is no indication that information beyond that gained from payment cards – cardholder name, card number, expiration date and internal verification code – was involved.”

The breach follows a similar breach in 2015, when 250 of Hyatt’s hotels in 50 countries were affected, reports Krebs on Security.

Read more about the Hyatt breach here.

 


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/hyatt-hit-with-another-credit-card-breach/d/d-id/1330129?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google embarrassed by fake adblocker that served ads

Google just can’t seem to shake the problem of malicious Chrome extensions that find their way past its security checks and onto its Web Store.

The latest example should have been easy to spot as it was masquerading as the popular Adblock Plus adblocker, the legitimate version of which has been downloaded over 100 million times.

Or perhaps not: borrowing an almost identical name to the genuine extension (the capitalised B in “block” being a small difference), only users who studied the application pane and string of negative user reviews might have twigged that something wasn’t right.

By the time it was reported by anonymous Twitter user @SwiftOnSecurity on October 9, the fake extension had been on the Chrome Store for weeks during which it had been downloaded 37,000 times.

Judging from comments, users who installed the fake AdBlock Plus extension ended up with unwanted advertising pushed to them in browser tabs.

The incident left @SwiftOnSecurity unimpressed:

I’m being mean to Google because there’s no way their Chrome team is happy with this extension vetting/moderation situation.

Google said its Chrome Extensions Security team removed the extension “within minutes” of being told, deleting it from machines that had installed it and suspending the account of the developer involved.

Which still leaves the uncomfortable fact that a rogue extension impersonating a well-known piece of software was there at all.

How did it evade detection?

The extension has been taken down so it’s difficult to know for sure but @SwiftOnSecurity suggested the answer might lie in some form of homograph Punycode spoofing in which one or more Cyrillic characters were used in place of Roman letters.

You can read Naked Security’s detailed account of how this technique works, but what matters is that Google’s automated security might not have detected it.
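The homograph trick @SwiftOnSecurity suspects is mechanical enough to check for automatically: a name whose letters come from more than one script, and which folds to a well-known name once lookalike characters are replaced, deserves a closer look. The following is an added example, not Google's vetting code. The table of Cyrillic-to-Latin lookalikes is a small constructed subset (Unicode's full confusables list is much longer), and the sample names are made up, except for the genuine "Adblock Plus" and the capital-B variant the article itself mentions.

```python
"""Classify a candidate extension name against a genuine one: identical,
case-variant, homograph (mixed scripts that fold to the same name), or
different.  Added example; the confusable table is a constructed subset."""
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0412": "B", "\u041d": "H", "\u041a": "K", "\u041c": "M", "\u0420": "P",
    "\u0421": "C", "\u0422": "T",
}

GENUINE = "Adblock Plus"

# Constructed candidates: the real name, the capital-B variant the article
# describes, a version with a Cyrillic "o" (U+043E), and an unrelated name.
CANDIDATES = [
    "Adblock Plus",
    "AdBlock Plus",
    "AdBl\u043eck Plus",
    "Ad Blocker Pro",
]


def scripts_used(name):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in name."""
    return {unicodedata.name(ch).split()[0] for ch in name if ch.isalpha()}


def skeleton(name):
    """Fold lookalike letters to their Latin counterparts, then casefold."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).casefold()


def assess(candidate, genuine=GENUINE):
    """Return one of: identical, homograph, case-variant, different."""
    if candidate == genuine:
        return "identical"
    same_skeleton = skeleton(candidate) == skeleton(genuine)
    mixed_scripts = len(scripts_used(candidate)) > 1
    if same_skeleton and mixed_scripts:
        return "homograph"
    if same_skeleton:
        return "case-variant"
    return "different"


if __name__ == "__main__":
    for name in CANDIDATES:
        print("%-20r scripts=%-20s %s"
              % (name, sorted(scripts_used(name)), assess(name)))
```

A store-side check would run `assess` for every new listing against a list of popular extension names and hold "homograph" and "case-variant" results for a human reviewer; "different" names still need the usual review, since not every impostor borrows the name.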

It’s not as if the problem of extensions masquerading as the real McCoy is even that new or innovative, with ad blocking extensions having been a target for this type of attack in the past.

Google claims it is aware of the problem, mentioning plans to improve its checking:

This app was able to slip through the cracks, but we’ve identified the reason and are addressing it.

More broadly, we wanted to acknowledge that we know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering, but we wanted to let the community know that we are working on it…

Critics will counter that Google has been tightening its checking regime for years and yet rogues keep popping up.

Three years ago, Google enforced a rule that all extensions be hosted on its Web Store, after which rogues dropped in number. And yet problems are still reported, including recent incidents in which genuine extensions were hijacked.

Extensions can also change ownership, after which they suddenly turn bad, as happened to Particle for YouTube.

We wish we could say that bogus extensions are easy to spot but they’re not.

The best advice is to install as few extensions as you need and study each one very carefully before installing it, no matter how familiar it seems. Search for extensions by name rather than browsing but be aware that fakes can be returned near the top of results, so read negative comments carefully. Unhappy users will often complain if they experience something alarming (although reviewers have been known to get it spectacularly wrong).

Remember that a browser extension is just another piece of software – don’t let your guard down just because it’s listed on the Google Web Store.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BNx0nZvbTno/

Judge slaps down government’s dragnet trawl of 1.3m website users

For months, the US government has played legal tug-of-war with DreamHost, the hosting company used by disruptj20.org: a site that helped co-ordinate the protest against the inauguration of Donald Trump as the 45th President of the United States.

Now, the fight is over, and DreamHost is claiming victory: it got what it was after. Namely, limits on a search warrant that it said had a serious problem with overreach.

On Tuesday, Washington, DC Chief Judge Robert E. Morin issued a revised order (PDF) that said government prosecutors have no right to “rummage through the information contained on DreamHost’s website”:

…while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost’s website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities.

They do, of course, have the right to demand details about lawbreakers. Specifically, about disruptj20 members who plotted premeditated rioting, which in this case means those who violated D.C. Code § 22-1322: DC’s rioting statute. On Inauguration day, some rioters were armed with hammers, crow bars, wooden sticks and other weapons. The government says that both civilians and police officers were hurt in the riot.

As we reported in August, DreamHost had initially refused to comply with the warrant, which it received in July, given that compliance would involve handing over the IP addresses of 1.3m visitors to the site, their contact information, their email content, and photos of thousands of people, all “in an effort to determine who simply visited the website”.

In an opposition motion (PDF), DreamHost said at the time that the warrant’s breadth violated Fourth Amendment protection against unreasonable search because it failed to describe with “particularity” the items to be seized. Instead, it demanded “all records or other information” pertaining to the site, including “all files, databases and database records.”

Complying with the warrant would also have First Amendment implications, DreamHost had argued, given that it would give the government information on protesters and thus might lead to a chilling of free speech and association.

In August, Chief Judge Morin had agreed with DreamHost’s arguments – at least, to the point that he scaled back the government’s data demands.

Morin, who will oversee review of the data, said at the time that the government has to specify what protocols will be put in place to keep prosecutors from seizing the data of “innocent users”.

Because that’s what the original warrant was in fact after: details about any user who visited the protest site, regardless of whether the government had reason to suspect that they were involved in illegal protest.

DreamHost has been awaiting Chief Judge Morin’s final order, which would spell out the exact nature of the data that DreamHost will be required to hand over while mulling over a decision to appeal the court’s general order. On Tuesday, that’s what Morin provided.

The results have DreamHost “elated,” it said in a blog post:

We’re elated to see significant changes that will protect the constitutional rights of innocent internet users worldwide.

The revised order gives DreamHost the ability to redact all identifying information and to protect the identities of users who interacted with disruptj20.org before the company hands over any data to the court.

DreamHost says that every scrap of this “drastically reduced amount of data” will be scrubbed to remove identifying information that relates to non-subscribers of the Disruptj20 site.

The order requires that before the Department of Justice (DOJ) gets its hands on the redacted data, it has to submit its proposed search protocols and procedures. Then, the court will review and approve them before giving the go-ahead.

Next, the DOJ will need to file an itemized list of information that it believes constitutes evidence of premeditated rioting. Prosecutors will also need to provide the court with specific reasons why the data is relevant to their investigation.

Think you can get the data then, DOJ? Sorry, there’s one more hurdle: the court then has to find probable cause that the requested data is “evidence of criminal activity” without identifying innocent users of disruptj20.org.

Only then will the DOJ be able to get non-redacted data from DreamHost.

With all of those stipulations, the requested data now more closely aligns with the other government requests for data that DreamHost has received and complied with.

…all of which leads to the end of the battle, DreamHost said:

We do not intend to appeal the court’s ruling.

It’s a win for the innocent people who DreamHost has been fighting to protect from the start, the company said, while still ensuring that the law can do its job by bringing violent protesters to justice:

We applaud this course of action as it goes a long way toward negating any fears of a “digital dragnet” and targets individual, specific users to whom probable cause has been found by the court. The contact information of simple website visitors, journalists, historians, and any other users who may have interacted with the DisruptJ20 website with innocent intentions is now explicitly protected.

DreamHost stressed that no government employee will lay eyes on user information until the company has “personally gone over it with a fine-toothed comb.”

It’s an “absolute victory,” says DreamHost – not just for the company itself, but for all of the country’s online service providers and for “internet users around the world.”

As a result of this ruling, internet users retain the ability to simply browse the internet without fear of being swept up in a criminal probe.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mjJeNnrlPAw/

10 Major Cloud Storage Security Slip-Ups (So Far) this Year

Accenture is the latest in a string of major companies to expose sensitive cloud data this year, following Verizon, Deloitte, and Dow Jones.

(Image: Posteriori via Shutterstock)


One of many concerning security trends from 2017 is the accidental exposure of cloud data via misconfigured Simple Storage Service (S3) buckets from Amazon Web Services. This year has been marked with several data leaks from major organizations, most recently Accenture.

“While this incident is very unfortunate, it’s not very surprising,” says RedLock cofounder and CEO Varun Badhwar of the Accenture leak.

Research from RedLock CSI (Cloud Security Intelligence) shows 53% of businesses using cloud storage services like AWS S3 have inadvertently exposed one or more of these services to the public Internet, up from 40% in May. Researchers also found 38% of businesses have experienced the potential compromise of an administrative account in their public cloud.

The trend underscores a dangerous problem common among businesses of all sizes, as well as the third parties with which they entrust sensitive information. Many don’t take steps to properly configure their cloud storage accounts or don’t take the time to verify the security practices of third-party firms. As a result, they compromise customers’ data.
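The exposures above come down to a bucket access control list (or policy) that grants a public group what should have been limited to the account. The check for the ACL half of that is short enough to run on a schedule. The following is an added example, not RedLock's or AWS's tooling: `public_grants` inspects the response shape boto3 returns from `get_bucket_acl`, and `audit_buckets` drives it over every bucket a client can list. The two grantee URIs are the ones AWS uses for its AllUsers and AuthenticatedUsers groups; `FakeS3`, the bucket names and the ACLs are constructed so the example runs offline.

```python
"""Find S3 buckets whose ACL grants access to AWS's public groups.  Added
example, not RedLock's or AWS's code; FakeS3 and its data are constructed."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}


def public_grants(acl):
    """List (who, permission) for every grant to a public group in a GetBucketAcl result."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def audit_buckets(s3):
    """Map bucket name -> public grants for every bucket the client can list.

    `s3` is anything offering boto3's list_buckets() and get_bucket_acl(Bucket=...),
    so boto3.client("s3") works here with real credentials."""
    exposed = {}
    for bucket in s3.list_buckets()["Buckets"]:
        grants = public_grants(s3.get_bucket_acl(Bucket=bucket["Name"]))
        if grants:
            exposed[bucket["Name"]] = grants
    return exposed


class FakeS3:
    """Constructed stand-in that returns boto3-shaped responses (offline demo only)."""
    OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
    ACLS = {
        "corp-backups": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]},
        "customer-exports": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        ]},
        "private-logs": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        ]},
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self.ACLS]}

    def get_bucket_acl(self, Bucket):
        return self.ACLS[Bucket]


if __name__ == "__main__":
    for name, grants in audit_buckets(FakeS3()).items():
        for who, permission in grants:
            print("%s: %s has %s" % (name, who, permission))
```

Note that a bucket policy can open a bucket just as effectively as an ACL, so a production audit pairs this with a review of `get_bucket_policy` output; the AuthenticatedUsers group is flagged on purpose, since "any AWS account holder" is public for practical purposes.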

“While you can offshore or outsource tasks and functions, you can never outsource the risks,” said Chris Pierson, chief security officer at Viewpost, after the exposure of voter data from the Republican National Committee (RNC) via third-party misconfiguration back in June.

“As such, every company that deals in sensitive or valuable data should have an information assurance program that risk rates their vendors, monitors them for security and other factors, and provides governance to the company regarding their third party and the risk appetite set by the company.”

Here, in no particular order, we round up ten major AWS leaks from this year, affecting everyone from Chicago voters to US government employees with Top Secret security clearance.

 

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/10-major-cloud-storage-security-slip-ups-(so-far)-this-year/d/d-id/1330122?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Equifax website hit by malvertising – will the pain never end?

We suspect that you’ve heard the proverb, “It never rains but that it pours”.

It means that when bad stuff starts, you often get a whole lot of it hammering down on you – a literary way of suggesting that things are going to get worse before they get better.

People have been saying that proverb for 300 years or more, but it could have been written especially for Equifax, the way things are going.

First there was the breach, then the silly domain name, then the tweet that advertised a mis-spelling of the silly domain name, then the news that the breach was bigger than first thought, and then the news that the breach was bigger than first thought by more than was first thought.

How do you top that?

According to security blogger Randy Abrams, you top it by getting hit by malvertising.

That’s when a third-party company that you trusted to deliver content into your website (ads, perhaps, or some sort of tracking service)…

…screws up and delivers dodgy content that turns your site into a temporary but visible purveyor of tat.

Abrams published a short video showing him browsing to Equifax’s signup page to request a personal information check – as you might do after a breach.

(Abrams says he was signing up so he could check his data because he suspected there might be a mistake in it that he wanted to correct.)

He started here:

But then you see his browser quickly bouncing him through a sequence of third-party domains, ending up on a content delivery network called centerbluray, which promptly offered up a fake Flash Player Install that claimed it would update you to the latest version of Flash:

As Abrams drily quipped on his blog:

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.

What happened?

According to Reuters, Equifax explained the blunder as follows:

The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.

In a word, malvertising, which we defined above.

The page that Abrams was on when the SNAFU happened now redirects to an Equifax holding page that tells the story rather differently (and uses an unencrypted, unauthenticated HTTP page to present its upbeat message about better service, too):

So, there you have it – Equifax is “working diligently to better serve you.”

As we said at the start, it never rains but that it pours.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iJvtfTDFXBE/

Equifax’s malvertising scare, Chromebook TPM RSA key panic, Cuban embassy sonic weapon heard at last – and more

Roundup: We almost wanted to feel sorry for Equifax, were it not for the fact that the credit biz takes to IT security like a duck to an acid bath. After a brutal few weeks under the spotlight, on Wednesday night it suffered another hacking scare.

When’s it going to end?

Visitors to one of Equifax’s customer support webpages couldn’t help but notice they were being redirected to a dodgy site telling them to download and install Adobe Flash to proceed. The program on offer was actually Windows malware dubbed Eorezo that forces adverts to appear in Internet Explorer, thus Equifax’s site was effectively telling people to infect themselves with adware.

Had Equifax been hacked again to inject these downloads? No, not quite. A third-party analytics provider, which measures and reports the performance of sites, was being used by Equifax – and it was this vendor that had been pwned, it seems. Miscreants changed its JavaScript served via Equifax’s site to redirect visitors to the malware download screen.

And Equifax wasn’t alone. Another US credit rating agency, TransUnion, was also using the same third-party vendor and also threw up fake Flash installation prompts on its online home. After the last few weeks, you’d think these agencies would be on high alert, but it seems not. Equifax said it has disabled the offending support page.

Meanwhile, the US taxmen are having a rethink about awarding Equifax a $7m identity verification contract.

T-Mobile US’s inadvertent telephone lookup

While we’re on the subject of website cockups, T-Mobile US, America’s scrappy cellphone network upstart, had some problems of its own.

A security researcher at Secure7 was noodling around on T-Mob’s website and, after logging in, spotted what looked like an exploitable backend API call. By switching up some of the parameters in the GET request, and supplying a stranger’s valid T-Mobile US number, he could pull up their account details, such as their email address and handset’s unique IMEI number.

Obviously, that’s quite a big deal for things like identity theft, social engineering customer support desks, stalking, and so on, so he got in touch with the cell network. Thankfully, T-Mobile US was quick on its toes and the issue was fixed within 24 hours of being reported – however, it is claimed black hats knew about this flaw for a while and were exploiting it. T-Mob denies anyone used the API to slurp strangers’ information.
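The T-Mobile US flaw as described is a lookup that authenticates the caller but never checks that the number being looked up is theirs. As an added example, not T-Mobile US’s code (endpoint shape, parameter names, accounts and log lines are all constructed), here is that handler beside its hardened form, plus the log check a defender would run for the period before the fix.

```javascript
// Added example (not T-Mobile US's code; endpoint shape, parameter names,
// accounts and log lines are constructed): a logged-in user edits a lookup
// parameter and reads a stranger's account, beside the check that closes it.
const ACCOUNTS = new Map([
  ["15550001111", { email: "alice@example.invalid", imei: "490154203237518" }],
  ["15550002222", { email: "bob@example.invalid", imei: "356938035643809" }],
]);

// The session records which numbers the logged-in user owns; it is filled in
// at login from the account database, never from anything in the request.
function makeSession(ownedNumbers) { return { ownedNumbers: new Set(ownedNumbers) }; }

// Vulnerable handler: checks that someone is logged in (authentication) but
// never checks that the requested number is theirs (authorization).
function lookupVulnerable(session, query) {
  if (!session) return { status: 401 };
  const acct = ACCOUNTS.get(query.msisdn);
  return acct ? { status: 200, body: acct } : { status: 404 };
}

// Hardened handler: the object being looked up must belong to the caller.
// Unowned and nonexistent numbers both get 404, so the endpoint also cannot
// be used to confirm which numbers exist.
function lookupHardened(session, query) {
  if (!session) return { status: 401 };
  if (!session.ownedNumbers.has(query.msisdn)) return { status: 404 };
  const acct = ACCOUNTS.get(query.msisdn);
  return acct ? { status: 200, body: acct } : { status: 404 };
}

// Detection for the period before the fix: a session that queries many
// distinct numbers is scraping, not checking its own account.
function flagEnumeratingSessions(logLines, threshold = 3) {
  const seen = new Map(); // session id -> set of msisdns it queried
  for (const line of logLines) {
    const m = /session=(\w+)\b.*\bmsisdn=(\d+)/.exec(line);
    if (!m) continue;
    if (!seen.has(m[1])) seen.set(m[1], new Set());
    seen.get(m[1]).add(m[2]);
  }
  return [...seen].filter(([, nums]) => nums.size >= threshold).map(([id]) => id);
}

// Constructed access-log lines: s1 checks its own number, s2 walks a range.
const SAMPLE_LOG = [
  "session=s1 GET /api/account?msisdn=15550001111",
  "session=s1 GET /api/account?msisdn=15550001111",
  "session=s2 GET /api/account?msisdn=15550002222",
  "session=s2 GET /api/account?msisdn=15550002223",
  "session=s2 GET /api/account?msisdn=15550002224",
];
```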

Beware geeks bearing gifts

Last week Google had a big press event in San Francisco to introduce the latest hardware it wants to get into your homes. As the assembled hacks left the venue, Google handed over one of the devices, a Home Mini, as a gift to each hack.

Ours was passed along to our reviewer of such things, and Kieran is working on the review now. But this week it emerged that some of the devices had a troubling flaw. Instead of waking up and listening for a voice command when the user either touched the device’s buttons or said “OK Google,” the device was switching itself on automatically all the time and recording everything that it could hear.

Thankfully this wasn’t a dastardly plan by the Chocolate Factory to spy on journalists, or so we’re told, just a flaw in the early Home Mini models. A firmware upgrade has now been pushed out to permanently disable the activation button to stop the gizmos from snooping 24/7.

ChromeOS TPM security scare

Usually ChromeOS is one of the toughest systems out there to crack, but there was a kerfuffle this week when it emerged that Chromebooks could have been generating weak and potentially crackable RSA crypto keys.

The problem wasn’t Google’s but stemmed from a cockup by Infineon, which makes the Trusted Platform Module (TPM) hardware used by ChromeOS, Windows, and other operating systems to generate RSA encryption keys. When Microsoft released its monthly patching bundle, it addressed the TPM vulnerability by switching to software algorithms to craft and regenerate stronger RSA key pairs.

Any attack against the keys is likely theoretical at best – you’d need to put a lot of computing grunt into the job to break cryptography relying on the dodgy keys. A simple update from Google addresses the issue on ChromeOS and Chromebooks, but that still leaves the rather unsettling thought that there are a lot of poor keys out there, generated on countless machines fitted with Infineon’s TPM chips. If you use the affected silicon, grab a firmware update from Infineon.

Bronze Butler targets Japan

No, this one’s not a Marvel reboot of the Silver Samurai but an advanced hacking attack against Japanese industry by what is thought to be Chinese hackers.

Dell’s Secureworks security team spotted the attacks against Japanese critical infrastructure, heavy industry, manufacturing, and international relations organizations with the aim of stealing intellectual property. They started with a highly targeted phishing campaign that used both custom-built malware and some off-the-shelf products.

According to the report, this bears all the hallmarks of a state-sponsored espionage job. The malware wasn’t going after money and deleted itself where possible, but it also had a persistence element so that it could check whether there was something new worth stealing. Government servers around the world possibly harbor similar code.

This sound may break your brain

Last month, after weeks of rumors, the US pulled all but emergency staff from its newly-opened embassy in Cuba, claiming a sonic weapon was being used against them.

The details of the weapons weren’t released but the effects were. The US and Canadians said that staff had suffered ear complaints, hearing loss, dizziness, headache, fatigue, cognitive issues, and difficulty sleeping. Now you can hear the sound for yourself…

[YouTube video embed]

Sonic weapons are certainly a thing – they are used in the US for riot control, but this case is unusually creepy. We’ll keep an eye on this as it develops.

Pokémon Goski

Finally, we have an almost unbelievable tale of claims about Russian involvement in last year’s US presidential election involving the game of choice for the self-involved, Pokémon Go.

The network claims that players of the game were encouraged with the promise of Amazon gift cards to make Pokémon political and to try and link it to the Black Lives Matter movement via a group called Don’t Shoot Us.

It now appears that the group was set up as part of a misinformation campaign to get people riled up before the election, but there’s no evidence it worked – apart from the current occupant of the White House, as half the country seems to think. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/security_roundup/