STE WILLIAMS

Systemd wins top gong for ‘lamest vendor’ in Pwnie security awards

Black Hat The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas.

That’s not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.

The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically. This year it was nation states that got a significant proportion of the prizes. The gongs are divided into categories, and nominations in each section are voted on by the hacker community. The ponies are then dished out every year at the Black Hat USA security conference in Sin City.

The award for best server-side bug went to the NSA’s Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers. The tools attack three stunning vulnerabilities (CVE-2017-0143, CVE-2017-0144 and CVE-2017-0145), and were later used by malware including WannaCry to wreck systems across the globe, forcing Microsoft to issue patches for out-of-support operating systems to fight the outbreak.

While Uncle Sam’s snoops didn’t pick up their award, neither did other governments. The epic 0wnage award was split between North Korea and Russia for launching the WannaCry ransomware contagion and masterminding the Shadow Brokers, respectively.

Meanwhile, Australian prime minister Malcolm Turnbull earned an award for the most epic fail for insisting the laws of Australia trump the laws of mathematics. The Aussie leader was told it’s not possible to backdoor encryption for counterterrorism snoops without ruining the crypto for everyone else, and was having none of it.

“The laws of Australia prevail in Australia, I can assure you of that,” he said. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

That landed him the pony, although Turnbull faced strong competition. Kaspersky’s flawed iOS browser was a close runner up, as was online publication The Intercept after its alleged source Reality Winner was collared by the Feds.

Speaking of winners, here’s a summary of the other awards handed out:

  • Best client-side bug: Ryan Hanson, Haifei Li, Bing Sun and unnamed bods for uncovering CVE-2017-0199 aka a Microsoft OLE flaw.
  • Best privilege escalation bug: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida for their Drammer rowhammer RAM attacks.
  • Best cryptographic attack: The SHAttered team – Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov.
  • Best backdoor: MeDoc was shamed with this pony after its software update systems were hacked to spread NotPetya.
  • Best branding: Ghostbutt aka CVE-2017-8291.
  • Most innovative research: Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos and Cristiano Giuffrida scoped this one for their ASLR bypass work.
  • Lifetime achievement award: FX of Phenoelit.

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone’s favorite init replacement: 5998, 6225, 6214, 5144, and 6237 that we covered here.

“Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there’s no chance that the CVE number will be referenced in either the change log or the commit message,” reads the Pwnie nomination for Systemd, referring to the open-source project’s allergy to assigning CVE numbers. “But CVEs aren’t really our currency any more, and only the lamest of vendors gets a Pwnie!”

All of this year’s nominations are here, and the results will be published on the awards website a little later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/black_hat_pwnie_awards/

What’s the price for flinging your workers’ private info at crooks? For Seagate, it’s $6m

Seagate will cough up $5.75m to settle a lawsuit brought after its bungling staff accidentally handed over employees’ sensitive information to fraudsters.

The storage giant told [PDF] the California Northern US District Court this week that it is willing to cover the cost of identity protection services as a result of that privacy cockup: specifically, it’ll pay up to $3,500 for each of the 12,000 employees whose data was leaked in a 2016 phishing attack.

The settlement, submitted to Judge Richard Seeborg, also includes Seagate paying for insurance coverage totaling around $42m for the costs the workers might incur from identity theft resulting from the attack – which has already been linked to a string of fake tax return scams.

The deal would put to rest the claims that the company was criminally negligent and in violation of California competition laws when, in 2016, one of its workers was duped by a phishing email and handed over the W-2 forms of everyone who had worked for the biz in the previous calendar year.

“Almost immediately, the cybercriminals exploited Seagate’s wrongful actions and filed fraudulent federal and state tax returns in the names of the employees,” the complaint [PDF] alleges.

“Some employees have learned that the cybercriminals filed fraudulent joint tax returns, using not only the employee’s social security number, but also the employee’s spouse’s social security number.”

Six named employees – Everett Castillo, Linda Castillo, Nicholas Dattoma, Freda Lang, Wendy Tran and Steven Wilk – filed suit on behalf of all the workers whose personal info, including social security numbers, was leaked.

In filing for the settlement, attorneys for the plaintiffs say that the $5.75m is likely more than they would have been awarded had they taken the case to trial. The payout would not only cover two years of identity theft services from credit reporting and financial services conglomerate Experian, but also any other expenses the workers incurred when they had to clear their names for the fake tax returns. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/seagate_to_pay_5m_phishing/

Lethal Dosage of Cybercrime: Hacking the IV Pump

At DEF CON, a researcher demonstrated how to attack a popular model of infusion pump used in major hospitals around the world.

DEF CON – Las Vegas – The dangers of medical device hacking can be severe, and potentially lethal, when conducted by cybercriminals with the means and motivation to cause physical harm.

Dan Regalado, principal security researcher for IoT firm Zingbox, demonstrated how an attacker could break into a medical infusion pump during a presentation at DEF CON’s IoT Village. IV pumps are sensitive and pricey medical devices used to deliver medications, fluids, blood, and blood products to adult, pediatric, and neonatal patients.

Infusion pumps present a growing attack surface for hackers to break into at hospitals. The market is expected to hit $10.84 billion by 2021, he said, citing a “Market and Markets” forecast.

Why would someone hack an IV pump? There are several reasons, Regalado pointed out. If successful, an attacker could steal personally identifiable information (PII), hijack hospital devices and demand ransom, corrupt the device in a denial-of-service attack, or use the pump as an entryway into the broader corporate network. 

For his educational research, Regalado chose to break into the Alaris PC Unit and IV pump module manufactured by Becton Dickinson (BD). The pump is a market-leading brand used at several hospitals around the world, he said.

His presentation dug into details of the device’s internal components and their vulnerabilities. 

FlashFX, the generic block-device driver, links the operating system and the hardware: it lets the OS access the internal flash memory as if it were a hard drive or RAM disk, and it stores sensitive data such as credentials for the network systems the pump talks to. The CompactFlash card inside the pump, used to boot the ENEA OSE operating system, holds patient profiles and is easy to remove and alter.

Regalado demonstrated onstage how an attacker could bypass the image integrity check and gain access to the restricted configuration by changing the machine’s PIN.

“You can modify the integrity of the system,” he explained. “The infusion pump will do whatever you want.”

From there, an attacker could mount a man-in-the-middle attack, impersonating the access point and the server to manipulate pumps. A hospital may run anywhere from 400 to 1,000 pumps, Regalado said, and each could have its settings changed to deliver a dangerously low or high dose to its patient.

An attacker could also use this level of access to reconfigure the pump’s network properties and overwrite the internal flash with new wifi configurations, or execute commands from the internal shell to destroy critical files or collect sensitive data.

“We need to assume a physical attack will happen and work towards asset protection,” said Regalado, adding that internal attacks are more common than external ones.

While this demonstration required physical access to the pump, he warned that remote attacks would be next. Regalado also said the vendor had been notified of the pump’s vulnerabilities and had committed to addressing them under its 30-to-60-day policy.

His presentation ties in with the broader growth of cybercrime against healthcare organizations. Major cyberattacks on the industry grew 63%, and researchers saw a rise in medical device hijacking, in which backdoors in medical devices are used to load malware tools and exfiltrate intellectual property.

In the same period, a record 328 healthcare businesses reported data breaches. Experts say attackers are growing more confident as breaches are increasingly publicized. It is becoming clear that healthcare targets are not as security-savvy as once believed, and the industry has seen more breaches year after year.

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/lethal-dosage-of-cybercrime-hacking-the-iv-pump/d/d-id/1329490?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WannaCry Inspires Worm-like Module in Trickbot

The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company, says Flashpoint.

The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.

Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.

Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.

So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares. This suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez wrote in a blog this week.

According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.

News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016, until now it had only targeted victims outside the U.S.

But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.

The Necurs botnet is one of the world’s largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.

Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/wannacry-inpires-worm-like-module-in-trickbot/d/d-id/1329491?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DEF CON Rocks the Vote with Live Machine Hacking

Jeff Moss, founder of the hacker conference, is planning to host a full-blown election and voting system for hacking in 2018 at DEF CON, complete with a simulated presidential race.

DEF CON 25 – Las Vegas – It took just 90 minutes before hackers here today had rooted out two zero-day vulnerabilities in a pair of decommissioned voting systems stationed in the hacker conference’s first-ever Voting Machine Hacker Village.

DEF CON founder Jeff Moss, aka Dark Tangent, says he and his team recently purchased the used voting machines on eBay for hackers here to hammer away at and find flaws that ultimately get reported to the vendors of the machines. There were 30 pieces of voting equipment in the room, including Sequoia AVC Edge, ESS iVotronic, Diebold TSX, Winvote, and Diebold Expresspoll 4000 voting machines.

The first two hacks this morning are expected to be the tip of the iceberg: these systems are well-known to be rife with outdated software such as Windows CE, and plenty of ports for hardware exposure, including PCMCIA, serial ports, and even a WEP-based WiFi feature – all of which are ripe for abuse. As of this posting, another hacker had cracked the hardware and firmware of the Diebold TSX voting machine. 

In the first two discoveries of the day, a hacker found a remote access flaw in the WinVote voting machine’s operating system, and exposed real election data that was still stored there. Another hacker cracked the Express-Pollbook system, exposing the internal data structure via a known OpenSSL flaw, CVE-2011-4109, allowing remote attacks.

“What this tells me is hackers in less than two hours can figure something out and a nation-state could have this on their hands for months or years,” Moss said in an interview here today. “It doesn’t have to be nation-states. It could be criminal organizations; it doesn’t have to be limited to Russia.”

Moss said for DEF CON next year, he’s planning an actual election voting simulation at the hacker conference: DEF CON will hold a mock election, possibly with Moss running for president against another as-yet unnamed opponent. Hackers will have their crack at the systems.

“There’s never been a security test of a complete voting system … We’re trying to build a whole system, but it’s hard to get the back-end pieces,” he said. “I have confidence by next year we will have a complete end to end voting system set up. We’ll have fake elections and people can attack it and at the end of the con,” we’ll share the results, he said.

While the Voting Village concept evolved out of concerns raised by Russia’s tampering with the 2016 US election, it also came amid a backdrop of a cybersecurity industry that’s experiencing some soul-searching, and growing pains. Alex Stamos, CISO of Facebook, during the keynote address earlier this week at Black Hat USA urged attendees to channel energy into innovative defensive solutions, rather than just breaking things.

Facebook also upped the ante for its Internet Defense Prize program, to $1 million to encourage more hackers to come up with unique defense solutions for Internet users.

Meanwhile, DEF CON is now 25 years old, a milestone that had Moss reflecting on what comes next for the world’s largest hacker conference and the hacking community. “The days of the lone hacker being able to do it all is pretty much [over]. It’s much more social, is one of my messages this year,” Moss said. “Since you can’t know it all, and it’s more important about who you know, and they know the stuff you don’t know and can help you.”

It’s a bit of a throwback to the pre-Google search days, when hackers sought out mentors and other hackers to assist their research and inform their work, he noted. Mentorship is key to this next phase of security innovation, he said.

That doesn’t mean offense is dead. “There’s a big place for breaking because offense always informs the defense. If you love breaking just keep breaking. You have to recognize that you’re operating in a bigger context now.”

“Hacking is not going to slow down. If anything, it’s going to become more relevant,” Moss said. “We try to stay true to our identity as best we can. It can never be the way it was 20 years ago, but I think we’re making the change … the world has moved on and we’re moving along with it.”

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/def-con-rocks-the-vote-with-live-machine-hacking/d/d-id/1329492?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lipizzan spyware linked to cyberarms firm plunders SMS, logs and photos

Thanks to Jagadeesh Chandraiah and Ferenc László Nagy of SophosLabs for their behind-the-scenes work on this article.

Android users take note: spyware called Lipizzan has infected up to 100 devices and can monitor phone activity while extracting data from popular apps.

That doesn’t sound like a huge number of devices, but as researchers elsewhere have noted, this looks like targeted, precision malware rather than a broad data-stealing tool. Google’s Android Developers’ blog said that “Lipizzan’s code contains references to a cyberarms company, Equus Technologies”, whose LinkedIn page says it’s a company “specializing in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations”.

Lipizzan appeared on Google Play as an innocent-looking app with names like “Backup”, “Cleaner” and “Notes”.

Researchers described Lipizzan as a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. Twenty Lipizzan apps were distributed in a targeted fashion to 100 or so devices. Google has blocked the developers and apps from the Android ecosystem, and Google Play Protect has removed it from the infected phones.

Though Google’s response was swift, the spyware itself exemplifies the ever-increasing zeal malware creators are showing when it comes to targeting Android.

SophosLabs researchers have analyzed the spyware and painted the following picture:

In one of the samples, the stage-1 application appears as “Notes Plus” – an innocent-looking notes-taking application:

Under the APK’s assets directory, Lipizzan carries an AES-encrypted zip file that is decrypted and loaded at runtime.

Payload

A stage-2 APK file carries the spyware payload and does all the malicious work. The payload examined by SophosLabs accepted commands that give it the ability to:

  • record calls,
  • take snapshots,
  • hijack the microphone, and
  • capture the location.

In addition to monitoring the phone, it also pulls data from popular apps, SMS and call logs. It targets data from the following applications:

  • Skype
  • Hangouts
  • LinkedIn
  • Telegram
  • Whatsapp
  • Viber
  • Call logs
  • Email
  • Gmail

(The original post included a screenshot of the data-extraction code for Hangouts and WhatsApp.)

Anti-debug and anti-VM

The stage-2 file is designed to make life difficult for security researchers by employing anti-debug and anti-emulator features to slow down analysis in test environments.

For anti-debug verification, it checks if adb is enabled. Researchers use adb to interact with Android devices from another computer.

The anti-emulator checks for the following:

  • Build.PRODUCT – sdk, google_sdk, sdk_x86, vbox86p (AndroVM)
  • Build.MANUFACTURER – unknown, Genymotion (a popular Android emulator)
  • Build.BRAND – generic, generic_x86
  • Build.DEVICE – generic, generic_x86, vbox86p
  • Build.MODEL – sdk, google_sdk, Android SDK built for x86
  • Build.HARDWARE – goldfish, vbox86
  • Build.FINGERPRINT – generic/sdk/generic, generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p
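The checks above, reconstructed as a small Python model. This is an added example, not SophosLabs’ or the malware’s code (which lives in the stage-2 APK’s Dalvik bytecode): it takes a dict of android.os.Build fields, reports which indicators a given profile trips, and shows what a sandbox would have to overlay to pass. The adb check is modelled as a plain boolean flag, and the sample Build profiles (including their fingerprint tails) are constructed, not real device fingerprints:

```python
"""Model of Lipizzan's Build.* emulator checks (added example, not the malware's code)."""

# Indicator values taken from the list above.
EMULATOR_INDICATORS = {
    "PRODUCT": {"sdk", "google_sdk", "sdk_x86", "vbox86p"},
    "MANUFACTURER": {"unknown", "Genymotion"},
    "BRAND": {"generic", "generic_x86"},
    "DEVICE": {"generic", "generic_x86", "vbox86p"},
    "MODEL": {"sdk", "google_sdk", "Android SDK built for x86"},
    "HARDWARE": {"goldfish", "vbox86"},
}

# Build.FINGERPRINT begins with brand/product/device; the listed values are
# that leading triple, so they are matched as prefixes.
FINGERPRINT_PREFIXES = (
    "generic/sdk/generic",
    "generic_x86/sdk_x86/generic_x86",
    "generic/google_sdk/generic",
    "generic/vbox86p/vbox86p",
)

# Constructed Build profiles; the fingerprint tails are made up.
SAMPLE_PROFILES = {
    "stock_avd": {
        "PRODUCT": "sdk_x86", "MANUFACTURER": "unknown", "BRAND": "generic_x86",
        "DEVICE": "generic_x86", "MODEL": "Android SDK built for x86",
        "HARDWARE": "goldfish",
        "FINGERPRINT": "generic_x86/sdk_x86/generic_x86:7.0/NYC/0000:userdebug/test-keys",
    },
    "genymotion": {
        "PRODUCT": "vbox86p", "MANUFACTURER": "Genymotion", "BRAND": "Android",
        "DEVICE": "vbox86p", "MODEL": "Custom Phone", "HARDWARE": "vbox86",
        "FINGERPRINT": "generic/vbox86p/vbox86p:7.0/NYC/0000:userdebug/test-keys",
    },
    "real_phone": {
        "PRODUCT": "examplephone", "MANUFACTURER": "ExampleCorp", "BRAND": "example",
        "DEVICE": "examplephone", "MODEL": "Example One", "HARDWARE": "qcom",
        "FINGERPRINT": "example/examplephone/examplephone:7.1.2/N2G47H/0000:user/release-keys",
    },
}


def tripped_checks(build):
    """Return the names of every Build indicator that fires for this profile."""
    hits = [f for f, bad in EMULATOR_INDICATORS.items() if build.get(f, "") in bad]
    if any(build.get("FINGERPRINT", "").startswith(p) for p in FINGERPRINT_PREFIXES):
        hits.append("FINGERPRINT")
    return hits


def analysis_environment_suspected(build, adb_enabled=False):
    """The stage-2 decision: USB debugging on, or any single Build hit, is enough."""
    return adb_enabled or bool(tripped_checks(build))


def spoof_to_pass(build, cover):
    """Overlay the tripped fields with those of a real-device profile: this is
    what a sandbox has to change to get past the stage-2 checks."""
    patched = dict(build)
    for field in tripped_checks(build):
        patched[field] = cover[field]
    return patched


if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        print(f"{name:>11}: {tripped_checks(profile) or 'clean'}")
```

A stock AVD trips every one of the seven indicators, a Genymotion image trips five, and a sandbox only needs to overlay the fields that fired (plus turn adb off) to receive the payload.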

Now what?

As noted above, Google has blocked the spyware from Google Play. Sophos detects it as Andr/Lipizan-A and has blocked it from customers.

The continued onslaught of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CSoe2QiVyYM/

News in brief: beware the hacked carwash; man sentenced over Mirai attack; farewell to the iPod

Your daily round-up of some of the other stories in the news

When a carwash goes rogue

We’ve written about hacking cars on Naked Security, and we’re all too well aware of the vulnerabilities of devices connected to the Internet of Things. But the news that a connected carwash could potentially be vulnerable to attacks has pretty much floored us.

First, we have to ask: why on earth does a carwash need to be connected? It turns out that some carwashes made by PDQ not only come with huge whirly brushes and water jets, but also with a web server that, according to Bleeping Computer, allows staff to manage the contraption remotely.

And, according to researchers led by Billy Rios, that web server comes with a default password that’s common to all the models identified in their alert, which means that if it’s not changed anyone could take control of the carwash.

The researchers said in their presentation at Black Hat in Las Vegas that they’d actually alerted the manufacturer to the vulnerability two years ago, but that it hadn’t yet been patched.

The research makes for scary reading: they said they could potentially lock cars with customers and operatives inside the carwash and direct water at them.

Next time you’re thinking of getting the car washed, you might want to check out what model your local garage has installed – and maybe pick somewhere else.

Man sentenced for Mirai attack on Deutsche Telekom

A British man was given a suspended sentence at a court in Germany on Friday after he admitted to having been behind the Mirai attack last year that knocked out nearly one in 20 German customers of the ISP Deutsche Telekom.

The 29-year-old man, identified as Daniel K, told the court in Cologne last week that the attack was “the worst mistake of my life”, and, according to Sky News, claimed that he’d been paid £7,700 by a Liberian company to develop a botnet.

The man, who uses the online handle “Spiderman”, is also facing charges in the UK, where authorities have asked for his extradition.

Deutsche Telekom said the attack had caused damages totalling €2m, and added that it’s considering a civil lawsuit against the man, who was arrested at Luton airport in the UK in February.

End of the line for the iPod

It’s the end of an era for those of us whose first experience of digital music on the move was Apple’s iconic iPod: the Cupertino company has said that it’s to finally retire its venerable iPod Nano and iPod Shuffle.

Those two devices are the last in the line of a product that was born back in 2001, launched by Steve Jobs with the tagline: “1,000 songs in your pocket”. The very first iteration was Mac-only and had a mechanical clickwheel and a mono screen, with a similar Windows-friendly version following soon after.

From there the iPod acquired a touchwheel and a colour screen, and then the ability to store and display photographs before shrinking down into the much smaller Shuffle and Nano devices, and also evolving into the iPod Touch, the immediate precursor to the iPhone.

While we mourn an iconic piece of hardware, let’s not forget that it wasn’t the first digital music player to sport a hard drive, and many of us would very much like to see iTunes, which was developed to manage the iPod, follow the device into oblivion.

But the writing was on the wall for the iPod as smartphones acquired not only the ability to play music, but also decent-sized hard drives. Meanwhile, I’m going to dust off my first-gen iPod Touch (running iOS 5) and see if a museum would like to give it a home.

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/igg7JqAeMQ0/

Wallet-snatch hack: ApplePay ‘vulnerable to attack’, claim researchers

Black Hat USA Security researchers say they have come up with two separate “attacks” against ApplePay, highlighting what they claim are weaknesses in the mobile payment method.

One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not.

In the first attack, say the researchers from Positive Technologies, hackers will initially need to infect a jailbroken device with malware. Having achieved this, they might then be able to intercept traffic en route to an Apple server, in this case payment data being added to the device’s account. Once hackers have succeeded in pushing malware with root privileges, then it’s game over (in most scenarios), claim the white hats.

The second attack can be performed against any device as hackers intercept and/or manipulate SSL transaction traffic without employing any sophisticated equipment or skills, they say. The attack involves replaying or tampering with transaction data: changing the amount or currency being paid, or changing the delivery details for the goods being ordered.

Timur Yunusov, head of banking security for Positive Technologies explained: “With wireless payments – PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments.”

Although Apple’s approach might seem sound, Positive Technologies claimed it had nevertheless uncovered two potential avenues of attack. While one relies on the device being jailbroken – a practice frowned upon by security experts that is carried out by an estimated one in five users – another attack can target an unmodified iPhone or iPad, as Positive Technologies explained to El Reg.

The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].

Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.

As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.
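The two gateway behaviours described above, side by side, as an added example that is not Positive Technologies’ or Apple’s code. It assumes a simplified cryptogram (an HMAC under a constructed issuer key over the token, a per-token counter and a digest of the order, rather than an EMV cryptogram produced in the Secure Enclave), a constructed token and constructed order data. The point it shows is that a gateway which enforces single use and binds the cleartext amount, currency and delivery details to the cryptogram rejects both the replay and the tampered order, while one that only checks that the cryptogram is valid accepts both:

```python
"""Single-use and order-binding checks for a payment cryptogram (added example)."""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"  # assumption: shared by issuer and gateway


def order_digest(amount, currency, delivery):
    """Commitment to the cleartext order details that the page says go unchecked."""
    blob = json.dumps([amount, currency, delivery], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def device_pay(token, counter, amount, currency, delivery):
    """Device side: the (simplified) cryptogram commits to token, counter and order."""
    digest = order_digest(amount, currency, delivery)
    msg = f"{token}|{counter}|{digest}".encode()
    mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return {"token": token, "counter": counter, "order_digest": digest, "mac": mac}


def mac_valid(c):
    """Is this cryptogram genuine for the token, counter and digest it carries?"""
    msg = f"{c['token']}|{c['counter']}|{c['order_digest']}".encode()
    expected = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, c["mac"])


class WeakGateway:
    """Verifies the MAC only: never remembers counters, never compares the
    committed order digest with the order the merchant actually submits."""

    def __init__(self):
        self.ledger = []

    def charge(self, c, amount, currency, delivery):
        if not mac_valid(c):
            return False
        self.ledger.append((c["token"], amount, currency, delivery))
        return True


class HardenedGateway:
    """Same MAC check, plus: each (token, counter) is accepted once, and the
    submitted order must match what the device committed to."""

    def __init__(self):
        self.ledger = []
        self.seen = set()

    def charge(self, c, amount, currency, delivery):
        if not mac_valid(c):
            return False
        if (c["token"], c["counter"]) in self.seen:
            return False  # replay of a cryptogram that was already spent
        if not hmac.compare_digest(c["order_digest"], order_digest(amount, currency, delivery)):
            return False  # amount, currency or delivery address changed in transit
        self.seen.add((c["token"], c["counter"]))
        self.ledger.append((c["token"], amount, currency, delivery))
        return True


def run_scenario(gateway_cls):
    """One legitimate charge, then a replay, then a fresh cryptogram whose
    cleartext delivery address was rewritten by an attacker on the path.
    Returns (legit_accepted, replay_accepted, tampered_accepted)."""
    gw = gateway_cls()
    c1 = device_pay("DAN-4111-constructed", 17, "49.99", "GBP", "1 Victim Street")
    legit = gw.charge(c1, "49.99", "GBP", "1 Victim Street")
    replay = gw.charge(c1, "49.99", "GBP", "1 Victim Street")
    c2 = device_pay("DAN-4111-constructed", 18, "49.99", "GBP", "1 Victim Street")
    tampered = gw.charge(c2, "49.99", "GBP", "99 Attacker Road")
    return legit, replay, tampered


if __name__ == "__main__":
    print("weak    :", run_scenario(WeakGateway))
    print("hardened:", run_scenario(HardenedGateway))
```

The replay store has to be shared across every endpoint that can accept the token (and persist across restarts), otherwise an attacker simply replays against whichever gateway node has not seen the counter yet.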

“Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone,” according to Yunusov.

There are some limitations to the attack from the point of view of would-be cybercrooks. For one thing, the victim will get an advisory detailing the transaction as soon as it is made so they may block their card – although they could just dismiss the warning as an error. There is also the risk that the bank/merchant/payment gateway could identify and block suspicious transactions.

Positive Technologies advises users to be vigilant when using ApplePay to purchase items online, in particular checking for “https” and watching out for fraudulent websites, and to avoid making transactions on public Wi‑Fi where traffic can easily be snooped.

Positive Technologies’ Yunusov presented his research at Black Hat USA yesterday. The security firm confirmed it had informed Apple of its research beforehand.

Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/applepay_vuln/

Virgin America workers reset passwords after hacker’s crash landing

Virgin America’s staff and contractors have been told to change their passwords after a hacker raided the airline’s systems.

The T-Mobile-USA-of-the-skies revealed in a letter to its workforce that its network was compromised by one or more miscreants. A copy of the missive was, as required by law, shared with California’s employment officials, who made it public this week. The intrusion was detected in mid-March.

According to the memo, the hacker swiped login information and passwords used to access Virgin America’s corporate network. Some 3,120 employees and contractors had their credentials lifted, and 110 folks may have had their personal information taken, too. Alaska Airlines, which owns Virgin America, is not affected.

A spokesperson for VA told us:

As part of our security monitoring, we identified potential unauthorized access to certain Virgin America Computer systems. The unauthorized third party gained access to a limited amount of information, including logins and passwords for Virgin America employees and contractors.

After conducting an investigation, we did not identify evidence that this affected any Alaska Airlines employees or systems. Customer data for Virgin America and Alaska Airlines was not impacted.

3,120 employees/contractors potentially had their login credentials compromised

110 additional employees/contractors/vendors had additional information including addresses, Social Security numbers, driver’s license or government issued IDs, or health-related information that may have been affected.

We take the protection of personal information seriously. We are in the process of notifying potentially impacted employees, contractors, and vendors about this issue and are providing them with guidance and resources to protect themselves.

We have implemented additional security policies, procedures and tools to enhance our security program, and will continue to evaluate additional security enhancements going forward. We have also changed our password policies, and will now require employees and contractors to rotate/change their passwords every 90 days.

Virgin America is yet another hacking statistic. However, some pundits praised the airline’s incident response.

“While details aren’t clear as to who breached Virgin America’s systems, or how, the fact that Virgin was able to detect the breach itself demonstrates the value and requirement in having good security monitoring and threat detection capabilities in place to discover breaches rapidly in order to minimize impact,” said Javvad Malik of AlienVault.

Mark James of ESET told us: “The good things to take from this are that they spotted they had been hacked and have notified the affected parties. The bad, of course, is that hackers were able to get away with data that is unchangeable.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/virgin_america_hacked/

SystemD wins top gong for ‘lamest vendor’ in Pwnie security awards

Black Hat USA The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas.

That’s not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.

The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically. This year it was nation states that got a significant proportion of the prizes. The gongs are divided into categories, and nominations in each section are voted on by the hacker community. The ponies are then dished out every year at the Black Hat USA security conference in Sin City.

The award for best server-side bug went to the NSA’s Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers. The tools attack three stunning vulnerabilities (CVE-2017-0143, 0144, 0145), and were later used by malware including WannaCry to wreck systems across the globe, forcing Microsoft to issue patches for out-of-date operating systems to fight the outbreak.

While Uncle Sam’s snoops didn’t pick up their award, neither did other governments. The epic 0wnage award was split between North Korea and Russia for launching the WannaCry ransomware contagion and masterminding the Shadow Brokers, respectively.

Meanwhile, Australian prime minister Malcolm Turnbull earned an award for the most epic fail for insisting the laws of Australia trump the laws of mathematics. The Aussie leader was told it’s not possible to backdoor encryption for counterterrorism snoops without ruining the crypto for everyone else, and was having none of it.

“The laws of Australia prevail in Australia, I can assure you of that,” he said. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

That landed him the pony, although Turnbull faced strong competition. Kaspersky’s flawed iOS browser was a close runner-up, as was online publication The Intercept after its alleged source Reality Winner was collared by the Feds.

Speaking of winners, here’s a summary of the other awards handed out:

  • Best client-side bug: Ryan Hanson, Haifei Li, Bing Sun and unnamed bods for uncovering CVE-2017-0199 aka a Microsoft OLE flaw.
  • Best privilege escalation bug: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida for their Drammer rowhammer RAM attacks.
  • Best cryptographic attack: The SHAttered team – Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov.
  • Best backdoor: MeDoc was shamed with this pony after its software update systems were hacked to spread NotPetya.
  • Best branding: Ghostbutt aka CVE-2017-8291.
  • Most innovative research: Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos and Cristiano Giuffrida scoped this one for their ASLR bypass work.
  • Lifetime achievement award: FX of Phenoelit.

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone’s favorite init replacement: 5998, 6225, 6214, 5144, and 6237 that we covered here.

“Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there’s no chance that the CVE number will be referenced in either the change log or the commit message,” reads the Pwnie nomination for Systemd, referring to the open-source project’s allergy to assigning CVE numbers. “But CVEs aren’t really our currency any more, and only the lamest of vendors gets a Pwnie!”

All of this year’s nominations are here, and the results will be published on the awards website a little later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/black_hat_pwnie_awards/