STE WILLIAMS

This headline is proudly brought to you by wired keyboards: Wireless Fujitsu model hacked

A German security researcher has revealed that one model of Fujitsu wireless keyboard will accept unauthenticated input, despite the presence of AES-128 encryption.

Matthias Deeg discovered that the LX901 would respond to unencrypted but correctly formatted keystroke commands broadcast nearby. The set is normally shipped as a keyboard, mouse and receiver combination.

“The Fujitsu wireless keyboard itself only transmits keystrokes via AES-encrypted data packets with a payload size of 16 bytes using the 2.4GHz transceiver CYRF6936 from Cypress Semiconductor,” Deeg wrote in an advisory about the flaw, later confirming to The Register that he really did mean that the keyboard’s paired receiver was accepting unencrypted inputs from an unauthenticated source.

Provided the unencrypted messages conformed to the spec published by Cypress with a related reference design, the bridge would happily accept them and pass them to the host as if they were legitimate input from the user, Deeg found. He used an off-the-shelf RF transceiver module to generate the plaintext commands.

Deeg said he first notified Fujitsu in late 2018, giving them 45 days to respond. Cypress end-of-lifed the reference design Deeg had used in January this year, though all the download links for the documentation and firmware were still live at the time of writing.

The practical impact of this vuln will be relatively small. As Deeg himself pointed out, the keyboard runs at 2.4GHz, meaning practical applications of the attack are limited to Wi-Fi range – assuming, that is, your attacker is not the sort of agency that can get away with very high power outputs without attracting attention from the authorities. To make it a practical threat rather than an embuggerance, the attacker also needs to be able to see your screen.

Deeg’s company, SySS GmbH, revealed a similar flaw in wireless keyboards two years ago.

Mitigation is easy: sit with your back against the wall. And use a wired keyboard.

Fujitsu had not yet commented by the time of publication. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/18/fujitsu_lx901_keyboards_accept_unencrypted_input/

Are You Prepared for a Zombie (Domain) Apocalypse?

When a domain registration expires, the name can be claimed by a new owner. And sometimes, those new owners have malicious intent.

Internet domain name ownership is not perpetual.

Domains are assigned to their owners for a limited amount of time. Once a registration expires, domains are released back to the public to be claimed by potential new owners, on a first-come first-served basis.

Internet citizens won’t be strangers to questionable (and sometimes outright abusive) practices around this phenomenon. I’m sure many readers have revisited an interesting website bookmarked for a rainy day, only to return and be greeted by an unrelated page laden with advertisement banners. This is one typical method for exploiting residual traffic to a domain, where a new party registers an expired domain in the hopes that the old website’s unsuspecting clientele will bring in ad revenue. Another common situation, this time with clear malicious intent, is mimicking an obsolete website in an attempt to mount phishing attacks on visitors.

These are fairly obvious adversarial scenarios for the security community today. Unfortunately, the problems don’t end there. Domain names are not merely pointers to websites, but they are generic identifiers used for addressing a wide variety of resources over the Internet.

For example, reclaim a lapsed domain and you automatically gain access to all future emails destined to previously active mailboxes on that name. Register an abandoned DNS server domain, and you can redirect querying clients to any destination of your choosing. In one notorious case, a security professional was able to acquire the expired name server domains for the “.io zone,” giving him the ability to hijack traffic to all .io websites in existence.

And there is yet more trouble. Domain names are used as a trust anchor in many security-critical settings, and ownership of a domain often extends to other seemingly unrelated resources. Consider online services that send password reset links to email addresses on record, treating successful access to that email account as a mechanism for authentication. Hijacking that email domain as discussed above will then have a cascade effect compromising all connected online accounts that belong to the previous owner.

The situation is similar for security mechanisms that assume a permanent domain assignment model. When users grant a website permission to access their camera, microphone, or location, these access control decisions are bound to the website’s domain name. Even if the domain’s owner eventually changes, previously granted permissions will persist, allowing the new owner to abuse the residual trust put on that domain. Note that Transport Layer Security (TLS) offers very little in the way of protecting users against these problems. TLS only authenticates domains but is oblivious to who owns them. Short of manually inspecting WHOIS records, users are left with no easy way to detect domain ownership changes before the damage is done.

While a quick online search will reveal select high-profile incidents of this nature, inquisitive readers may ask how practical these exploits generally are, how often they are seen in the wild, and whether Internet users are facing a real risk.

As it happens, there is a vibrant and professionally organized scene for domain recycling. Users can visit one of many online domain drop-catch services and place an order for a domain they wish to purchase when its registration lapses. Drop-catch services then mobilize large clusters of computing resources and flood registration systems with requests to claim an expiring domain the moment it becomes available, competing against all other potential registrants on the planet. This resembles the high-frequency trading scene in financial markets, but for domain names instead of stocks.

In a recent experiment I conducted together with fellow scientists from Northeastern University in Boston, we confirmed our concerns regarding the high demand for expiring domain reuse. We observed that just three major drop-catch services operated 75% of all accredited domain registrars, and were responsible for nearly 80% of all domain registration attempts. Up to 10% of .com, and 5% of .org domains were reregistered on the day they expired.

A second venue for domain recycling is auctions held by registrars for domains nearing expiration. Domains obtained through auctions pose a particular threat; they do not go through the typical expiration and reregistration phases, but instead they are transferred from the previous owner to a new party. As a result, domain registration information including the domain’s creation date does not change, making it difficult to spot the ownership change even with careful analysis of WHOIS records. This is problematic because many commercial security products, domain reputation services, and blacklist maintainers base their decisions on the age of a domain, where older domains are considered more trustworthy.
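The two paragraphs above make a point worth turning into a check: a drop-catch produces a fresh registration (new creation date), whereas an auctioned domain keeps its creation date and changes only the registrar, registrant and name servers, which is exactly what age-based reputation ignores. The script below is an added example and not part of the article or the Northeastern study; it compares two WHOIS/RDAP-style snapshots of a domain you depend on (say, the one your password-reset mail goes to) and labels the change, and it also warns when your own name is close to lapsing. The snapshot dicts, hostnames, registrar names and dates are constructed for the demo.

```python
"""Flag domain ownership changes and looming expiry from WHOIS/RDAP snapshots.

Added example, not from the article or the Northeastern study. The snapshot
dicts use RDAP-style field names and are constructed here; the hostnames,
registrar names and dates are illustrative.
"""
from datetime import datetime, timezone

# Fields that together say who controls a domain. The creation date is
# deliberately excluded: a domain sold at a registrar auction keeps its
# original creation date, so "domain age" alone never reveals the handover.
CONTROL_FIELDS = ("registrar", "registrant", "nameservers")


def control_fingerprint(snapshot):
    """Normalised tuple of the control fields, in CONTROL_FIELDS order."""
    nameservers = tuple(sorted(ns.lower().rstrip(".")
                               for ns in snapshot.get("nameservers", ())))
    return (snapshot.get("registrar", "").strip().lower(),
            snapshot.get("registrant", "").strip().lower(),
            nameservers)


def changed_fields(old, new):
    """Names of the control fields that differ between two snapshots."""
    return [name for name, before, after
            in zip(CONTROL_FIELDS, control_fingerprint(old), control_fingerprint(new))
            if before != after]


def classify_change(old, new):
    """REREGISTERED (dropped and caught), TRANSFERRED (auction/transfer) or UNCHANGED."""
    if old["created"] != new["created"]:
        return "REREGISTERED"      # the registry issued a brand-new registration
    if changed_fields(old, new):
        return "TRANSFERRED"       # same registration, new controller
    return "UNCHANGED"


def days_until_expiry(snapshot, now):
    expires = datetime.fromisoformat(snapshot["expires"])
    return (expires - now).days


def audit(old, new, now, warn_days=30):
    """Return (label, findings) for a domain you rely on as a trust anchor."""
    label = classify_change(old, new)
    findings = []
    if label != "UNCHANGED":
        what = ", ".join(changed_fields(old, new)) or "creation date"
        findings.append(f"{label}: {what} changed; rotate any trust bound to this name")
    remaining = days_until_expiry(new, now)
    if remaining <= warn_days:
        findings.append(f"EXPIRING in {remaining} days; renew before the drop-catch queue gets it")
    return label, findings


# Constructed snapshots of one domain taken on two dates.
SNAPSHOT_JAN = {
    "domain": "example-shop.test", "created": "2009-04-12",
    "expires": "2019-04-10T00:00:00+00:00",
    "registrar": "Registrar A", "registrant": "Example Shop Ltd",
    "nameservers": ["ns1.example-shop.test", "ns2.example-shop.test"],
}
SNAPSHOT_MAR = {   # bought at auction: creation date survives, everything else moved
    "domain": "example-shop.test", "created": "2009-04-12",
    "expires": "2020-04-10T00:00:00+00:00",
    "registrar": "Registrar B", "registrant": "REDACTED FOR PRIVACY",
    "nameservers": ["ns2.parking.test.", "ns1.parking.test."],
}
SNAPSHOT_DROP = dict(SNAPSHOT_MAR, created="2019-04-11")   # dropped and re-registered
NOW = datetime(2019, 3, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for new in (SNAPSHOT_JAN, SNAPSHOT_MAR, SNAPSHOT_DROP):
        print(audit(SNAPSHOT_JAN, new, NOW))
```

In practice the snapshots would come from periodic RDAP lookups of the handful of domains your organisation treats as trust anchors (mail, name servers, OAuth redirect hosts), and a TRANSFERRED result should trigger the same response as a lost credential: re-point password resets, re-issue tokens, and drop the name from allow-lists.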

Domains change hands, and evidence shows they do so frequently, facilitated by a thriving ecosystem of drop-catch and auction services. Sadly, domain ownership is heavily relied upon as a trust anchor by many Internet applications and even security mechanisms. The implicit assumption that domains live forever is pervasive. Going forward, we security professionals should incorporate into our threat models the fundamental pitfalls of this assumption and the risks involved therein. When designing future systems, we should strive to have the necessary safeguards to ensure domain ownership cannot be accidentally lost, and if that eventually happens, have sufficient revocation mechanisms to respond and shift trust to a new anchor. Certificate Transparency has worked wonders for monitoring TLS certificates. Maybe we should start thinking about a Domain Transparency initiative.

Acknowledgments: The ideas presented in this article are based on a series of research projects jointly carried out by the author and his colleagues Tobias Lauinger, Ahmet Buyukkayhan, Abdelberi Chaabane, William Robertson, and Engin Kirda.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally …

Article source: https://www.darkreading.com/vulnerabilities---threats/are-you-prepared-for-a-zombie-(domain)-apocalypse/a/d-id/1334171?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dragos Buys ICS Firm with US Dept. of Energy Roots

NexDefense ICS security tool will be offered for free by Dragos.

ICS security firm Dragos has acquired NexDefense, a pioneer security vendor in the industrial sector.

Dragos now is offering for free NexDefense’s continuous monitoring and asset discovery tool for ICS/SCADA networks, which was developed as “Sophia” by the US Department of Energy at the Idaho National Laboratory in 2010 and 2011. Sophia was later updated and commercialized by NexDefense, which renamed the product “Integrity.”

“This technology will not be integrated into the Dragos platform; rather, it is a more of a precursor for organizations that are looking to take the first step toward ICS security,” says Robert M. Lee, founder and CEO of Dragos.

Dragos also is offering for free its CyberLens assessment tool to ICS operators. Financial terms of the acquisition were not released.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/analytics/dragos-buys-ics-firm-with-us-dept-of-energy-roots/d/d-id/1334185?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WordPress 5.1.1 patches dangerous XSS vulnerability

Researchers have offered more detail on a recently patched vulnerability that would allow an attacker to take over a WordPress site using something as simple as a maliciously crafted comment.

Discovered by RIPS Technologies, the flaw is a cross-site request forgery (CSRF) flaw that exists on any site running version 5.1 or earlier with default settings and comments enabled.

The problem at the heart of this flaw is how WordPress protects itself (or rather, doesn’t) from CSRF when a comment is posted.

CSRF attacks work by tricking an authenticated user’s browser into sending a request the user never intended. Because the browser automatically attaches the site’s session cookies to that request, the malicious instructions appear to come from the user.

In the case of the latest flaw, all the attacker has to do is lure a logged-in WordPress admin to a malicious website. That page silently submits a comment to the victim’s blog in the admin’s name, and the comment carries a cross-site scripting (XSS) payload.

Websites defend themselves against CSRF in different ways, but the complexity of the task means there are always cracks attackers can slip through.

From the report:

WordPress performs no CSRF validation when a user posts a new comment. This is because some WordPress features such as trackbacks and pingbacks would break if there was any validation. This means an attacker can create comments in the name of administrative users of a WordPress blog via CSRF attacks.

The full sequence is somewhat involved but, if executed, would be bad news.

Writes RIPS Tech’s Simon Scannell:

As soon as the victim administrator visits the malicious website, a CSRF exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that when combined lead to Remote Code Execution and a full site takeover.
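The mechanism that was missing is a per-user, per-action token that a page on another origin cannot know, so that a cross-site form post arrives with the session cookie but without the token. The code below is an added example, not WordPress code: it mirrors the shape of WordPress’s nonce scheme (an HMAC over a time tick, an action name and the user id, accepted for the current and the previous tick) and shows a comment handler in its original, unchecked form next to the checked form. The secret key, the request and session dicts and the handler itself are constructed for this demo.

```python
"""Synchroniser-token (nonce) check for a comment-posting endpoint.

Added example, not WordPress code. The nonce scheme mirrors the shape of
wp_create_nonce (an HMAC over a time tick, an action name and the user id,
valid for the current and previous tick), but the secret key, the request
and session dicts and the handler below are constructed for this demo.
"""
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-secret-change-me"   # assumption: per-site secret
NONCE_LIFE = 12 * 3600                               # nonce valid for 12-24 hours
TICK = NONCE_LIFE // 2


def _nonce_for(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    return _nonce_for(int(now // TICK), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current tick and the one before it, compared in constant time."""
    now = time.time() if now is None else now
    tick = int(now // TICK)
    return any(hmac.compare_digest(nonce, _nonce_for(t, action, user_id))
               for t in (tick, tick - 1))


def handle_comment(request, sessions, comments, require_nonce):
    """Store a comment. request = {"cookies": {...}, "form": {...}, "now": ts}.

    The browser attaches the 'logged_in' cookie to cross-site form posts too,
    so without a nonce a page on attacker.example can post a comment that is
    attributed to (and trusted like) the logged-in administrator. The token is
    only demanded when a session is present, so anonymous posts still work.
    """
    user = sessions.get(request["cookies"].get("logged_in"))
    if user and require_nonce:
        nonce = request["form"].get("_wpnonce", "")
        if not verify_nonce(nonce, "post-comment", user["id"], request["now"]):
            return 403, "nonce check failed"
    author = user["name"] if user else request["form"].get("author", "anonymous")
    comments.append({"author": author,
                     "body": request["form"]["comment"],
                     # admin-authored comments get the lighter HTML filtering
                     "privileged": bool(user and user["role"] == "administrator")})
    return 200, "stored"


# Constructed fixtures.
NOW = 1552867200                       # 2019-03-18 00:00:00 UTC
SESSIONS = {"c0ffee": {"id": 1, "name": "admin", "role": "administrator"}}
FORGED = {"cookies": {"logged_in": "c0ffee"}, "now": NOW,      # cookie yes, nonce no
          "form": {"comment": "<a href=x onmouseover=alert(1)>hi</a>"}}

if __name__ == "__main__":
    stored = []
    print(handle_comment(FORGED, SESSIONS, stored, require_nonce=False), stored)
    print(handle_comment(FORGED, SESSIONS, [], require_nonce=True))
```

Requiring the token only when a session cookie is present keeps anonymous comments, trackbacks and pingbacks working, which is the compatibility constraint the report quotes. A SameSite attribute on the login cookie is a useful second layer, but it is a browser-side control and does not replace the server-side check.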

What to do

The solution is to update WordPress to version 5.1.1, which appeared on 12 March with a fix for this flaw. If auto-updating is not turned on, it’s the usual drill: visit Dashboard > Updates and click Update.

A more extreme solution would be to disable comments entirely while remembering to log out of WordPress admin before visiting other websites.

You can see a related example of this class of attack in a recently patched CSRF flaw affecting Facebook.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z6Nkwbm6EhQ/

G Suite admins can now disallow SMS and voice authentication

Users of Google’s cloud-based suite of productivity apps may find when logging in that their usual two-factor authentication options (2FA, or 2-step verification, as Google calls it) have disappeared.

If G Suite users have previously been logging in with SMS or voice call verifications, they could now be asked to authenticate using another method such as Google’s Prompt system or a security token based on the FIDO/2.0 standards.

Hopefully, this won’t come as a surprise to users because their G Suite admins will have mentioned this change in their 2FA options to users in advance.

Tough love

What lies behind the change is a new setting Google has made available in the G Suite console that for the first time gives admins the power to migrate users from one method of authentication to another.

Previously, admins could simply enable 2FA, choosing from a range of possible ways this could happen. Now, although admins can allow any type of authentication if they wish, two specific types of authentication – SMS and voice calls – can also be disallowed by policy.

From an admin point of view, the obvious worry is that users will ignore enforcement warnings that ask them to enrol in a new authentication method and find themselves locked out as a result. Google’s solution to this is enrolment reports that identify any laggards.

Google’s advice:

You can give these users extra time to enrol by putting these users into an exception group where 2SV isn’t enforced until they can add a 2SV method.

It’s a small but important tweak that’s been on the cards for a while, hastened by the dawning realisation that older forms of 2FA are not only theoretically less secure but are now under active attack.

For most users, this means SMS authentication, which can be undermined in a rising number of ways, ranging from automated phishing attacks that simply ask the victim for the code (which the attackers then enter themselves) to SIM swap fraud.

Both rapid release and scheduled release G Suite domains can expect to see this new console option in the next two weeks.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pTAK48hsQ_0/

Intel releases patches for code execution vulnerabilities

Intel released a slew of patches last week, fixing a range of vulnerabilities that could allow attackers to execute their own code on affected devices.

The chip maker released several security advisories to address the risks. One group of patched vulnerabilities affects its Converged Security and Management Engine (CSME), Server Platform Services, Trusted Execution Engine and Active Management Technology (AMT).

These are technologies that run at a very low level in the hardware stack, often underneath anti-malware software that might otherwise pick up suspicious activity. The bugs allow users to potentially escalate privileges, disclose information or cause a denial of service, Intel said.

There are 12 vulnerabilities in this group, including five marked with high severity.

Of these, only CVE-2018-12187 can be exploited remotely via a network. This is a high-severity denial of service bug relying on insufficient input validation in Intel’s Active Management Technology.

Two of the other high-severity bugs require local access, meaning the attacker must already be able to read, write or execute on the target. In practice, this means the attacker has to be logged into the machine, or the user must be persuaded to open a malicious file.

These bugs are CVE-2018-12190, which lets an attacker potentially execute arbitrary code via insufficient input validation in CSME. CVE-2018-12200 could allow privilege escalation via insufficient access control in the Intel Capability Licensing Service.

The other two high-severity bugs require physical access to the device. CVE-2018-12208 could allow an unauthenticated user to potentially execute arbitrary code via CSME, while CVE-2018-12185 carries a similar danger, via AMT.

The attack vector ratings used here (network, local, physical) are defined by the CVSS scoring standard that accompanies CVE vulnerability listings.

Another set of patches addressed vulnerabilities in its Windows 10 graphics drivers. These range from denial of service and information disclosure to memory-safety errors such as out-of-bounds reads and integer overflows, and several allow code execution on affected machines.

This group of patches addressed 19 security flaws, two of which were marked as high severity. The severest security bugs stem from memory corruption and insufficient input validation in Intel’s kernel mode driver. Each of them potentially enables a privileged user to execute arbitrary code.

One flaw was particularly interesting: CVE-2018-12223 enables an unprivileged user to escape from a virtual machine guest to the host machine via local access. This was marked with medium severity.

Intel recommends that users of Intel Graphics Driver for Windows update to versions 10.18.x.5059 (aka 15.33.x.5059), 10.18.x.5057 (aka 15.36.x.5057), 20.19.x.5063 (aka 15.40.x.5063) 21.20.x.5064 (aka 15.45.x.5064) and 24.20.100.6373 or later.

Other advisories issued by Intel last week covered security flaws in its firmware, including the high-severity flaw CVE-2018-12204, which allows arbitrary code execution via local access in the Platform Sample/Silicon Reference firmware for the Intel Server Board, Intel Server System and Intel Compute Module.

Lenovo issued updates to implement many of these Intel fixes in its own products two days after Intel released its own patches.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pnADFWllh2M/

DARPA is working on an open source, secure e-voting system

The US Government is working on an electronic voting system that it hopes will prevent people from tinkering with voting machines at the polls.

Motherboard reports that the Defence Advanced Research Projects Agency (DARPA) is working with Oregon-based verifiable systems company Galois to create a voting system based on open source hardware and software.

There will be two systems, according to the report, neither of which will be offered for sale. Instead, they will serve as reference platforms for other vendors to produce more secure electronic voting machines.

The first system, which DARPA plans to bring to DefCon Voting Village this summer, will use a touch screen for voters to choose their candidates. It will then print out a paper ballot for a voter to check before depositing it into an optical scanning machine that counts the vote. That machine prints a paper receipt with a cryptographic code unique to that voter and their choices.

After all the votes have been counted, the codes will be listed on a website so that each voter can check that their votes were logged correctly.

Independent observers will also be able to count all the votes on the website and check the election results, Motherboard said.

The second system, due at DefCon next year, will scan hand-marked ballots.

Paper ballots have been trumpeted as the best answer to voting machine hacking, and at the Voting Village last year, a group of children were invited to hack the voting machines, proving it’s child’s play to tamper with election results.

Hardware security

Voting is just one application for the research effort, which focuses on producing secure hardware. Verifying hardware security is a major problem in most computing applications because any insecure hardware could potentially be compromised and used to run rogue software.

Research has highlighted hardware insecurities in voting machines before.

A report from researchers at DefCon last summer highlighted problems in one machine, the Dominion AVC Edge, which enabled an attacker to open its outer casing with a screwdriver and replace its removable storage.

Because the machine’s entire execution environment was on the storage device, the attacker could simply replace it with a new operating system and modified application, the researchers said. There were no security measures, such as secure boot or cryptographic signatures.

Galois will build secure voting software to run on over 20 separate secure CPU designs produced by a range of university teams and another from Lockheed Martin. The CPUs should be able to distinguish between malicious and legitimate behaviour, according to the report.

Transparency is the main difference between this electronic voting machine project and existing commercial ones.

Most voting machines to date have been proprietary systems with jealously guarded code. The hardware and software designs for these systems will be published online for all to see and review.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/emZJL_k-qkc/

Lone staffer killed our shields, claims etailer Gearbest after infosec bods peep at user deets

Researchers working for VPNMentor have accused Chinese e-commerce site Gearbest of storing user information in “completely unsecured” Elasticsearch databases after discovering “1.5 million records” which they were able to access through a browser.

The wholesaler – which mostly shifts electronics – disputed this, claiming that 280,000 customers’ data had been exposed. Whatever the true figure, this is an embarrassing cockup that will do nothing to enhance consumer confidence in the e-shop.

VPNMentor’s white hats said they had found a treasure trove of personal data spread across three internal databases, including:

  • Products purchased
  • Shipping address and postcode
  • Customer name
  • Email address
  • Phone number
  • Order number
  • Payment type
  • Payment information
  • IP address
  • Date of birth
  • National ID and passport information
  • Account passwords

“Gearbest’s database isn’t just unsecured. It’s also providing potentially malicious agents with a constantly updated supply of fresh data,” VPNMentor commented, highlighting the obvious potential for identity theft and placing fraudulent orders with saved payment data.

In a response shared on Twitter by lead researcher Noam Rotem, Gearbest insisted the vuln affected an “external tool” rather than its core databases, claiming that customer data was “protected with all necessary encryption measures and are absolutely safe”, something that does not appear to have been true when Rotem’s team found the breach.

In an attempt to explain the breach, Gearbest admitted that on 1 March firewalls protecting its databases from public access “were mistakenly taken down by one of our security team members for reasons still being under investigation” [sic].

VPNMentor also went into a little detail about those who had bought sex toys from the site, including a Pakistani man who’d treated himself to three dildos. Highlighting Pakistan’s backwards attitude to LGBT rights, VPNMentor said “this information could mean a literal death sentence for this user”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/18/gearbest_data_breach_1_5m_customers_affected/

UK code breakers drop Bombe, Enigma and Typex simulators onto the web for all to try

UK signals intelligence agency GCHQ, celebrating its centenary, has released emulators for famed World War II-era cipher machines that can be run within its web-based educational encryption app CyberChef.

“We’ve brought technology from our past into the present by creating emulators for Enigma, Typex and the Bombe in #CyberChef,” GCHQ said Thursday via Twitter. “We even tested them against the real thing! Try them out for yourself!”

Enigma machines turn text into ciphertext and back again; they were used by the German military, among others, to encrypt and decrypt messages during the Second World War.

The machines were produced shortly after the end of World War I and initially sold as tools for keeping commercial secrets. They were later adopted by the German military, and from 1932 sale of the devices required military approval.

With the approach of World War II, the Enigma machine attracted the attention of code breakers in Poland, where concerns about German belligerence were magnified by the proximity of German forces. In 1939, just before Germany invaded Poland, the British received an Enigma machine from Polish code breakers and soon after resumed a longstanding effort to crack the Enigma at the newly established Bletchley Park.

Building upon previous Polish work, Alan Turing, one of the pioneers of modern computing, and “forgotten genius” Gordon Welchman developed the Bombe, a code breaking device to determine Enigma key settings.


Typex was a British-made cipher machine used by the Royal Air Force.

The success the Allies had breaking codes in Europe and the Pacific theaters played a crucial role in the outcome of World War II. And now you can play along at home.

In keeping with its interest in codes, both past and present, GCHQ has emulated Enigma, Bombe, and Typex in software, through CyberChef, a web app that debuted in 2016. The surveillance outfit describes CyberChef as “a simple, intuitive web app for analyzing and decoding data without having to deal with complex tools or programming languages.”

CyberChef provides a variety of options for exploring the encoding and decoding of data, such as decoding a Base64-encoded string and disassembling shellcode. Its source code is available on GitHub.
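For readers who want to see what such an emulator actually does before clicking around in a web app, the following is an added example and not GCHQ’s CyberChef code: an Enigma I with three rotors, reflector B and a plugboard, including the stepping mechanism and the Ringstellung (ring setting) that trip up most first attempts. The rotor wirings, turnover letters and reflector are the published Enigma I values; the ring settings, start positions and plugboard pairs used in the demo are arbitrary keys chosen here.

```python
"""Enigma I emulator: three rotors, reflector B and a plugboard.

Added example, not GCHQ's CyberChef implementation. The rotor wirings,
notch letters and reflector are the published Enigma I values; the ring
settings, start positions and plugboard pairs below are arbitrary demo keys.
"""
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTORS = {            # wiring, turnover letter as seen in the window
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, ring="A", position="A"):
        wiring, notch = ROTORS[name]
        self.fwd = [ALPHA.index(c) for c in wiring]          # right-to-left pass
        self.bwd = [self.fwd.index(i) for i in range(26)]    # left-to-right pass
        self.notch = ALPHA.index(notch)
        self.ring = ALPHA.index(ring)      # Ringstellung: wiring offset vs. alphabet ring
        self.pos = ALPHA.index(position)   # letter currently visible in the window

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _offset(self):
        return (self.pos - self.ring) % 26

    def forward(self, c):
        o = self._offset()
        return (self.fwd[(c + o) % 26] - o) % 26

    def backward(self, c):
        o = self._offset()
        return (self.bwd[(c + o) % 26] - o) % 26


class Enigma:
    def __init__(self, rotors, rings="AAA", positions="AAA", plugboard=""):
        # rotors are named left to right, e.g. ("I", "II", "III")
        self.left, self.middle, self.right = (
            Rotor(n, r, p) for n, r, p in zip(rotors, rings, positions))
        self.plug = list(range(26))
        for pair in plugboard.split():         # e.g. "AB CD" swaps A<->B and C<->D
            a, b = (ALPHA.index(ch) for ch in pair)
            self.plug[a], self.plug[b] = b, a

    def window(self):
        return "".join(ALPHA[r.pos] for r in (self.left, self.middle, self.right))

    def _step(self):
        # Rotors move before the circuit closes. A middle rotor sitting on its
        # notch steps itself as well as the left rotor (the famous double step).
        step_left = self.middle.at_notch()
        step_middle = self.right.at_notch() or step_left
        if step_left:
            self.left.step()
        if step_middle:
            self.middle.step()
        self.right.step()

    def press(self, letter):
        self._step()
        c = self.plug[ALPHA.index(letter)]
        for rotor in (self.right, self.middle, self.left):
            c = rotor.forward(c)
        c = ALPHA.index(REFLECTOR_B[c])
        for rotor in (self.left, self.middle, self.right):
            c = rotor.backward(c)
        return ALPHA[self.plug[c]]

    def encipher(self, text):
        """The same call deciphers: every Enigma setting is an involution."""
        return "".join(self.press(ch) for ch in text.upper() if ch.isalpha())


if __name__ == "__main__":
    print(Enigma(("I", "II", "III")).encipher("AAAAA"))   # BDZGO, the classic check
```

Two properties of the machine fall straight out of the code and are what the Bombe exploited: the reflector guarantees that no letter ever enciphers to itself, and the whole transformation is its own inverse, so a guessed plaintext (“crib”) lines up against ciphertext by position and can be tested for contradictions.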

Recreating the Enigma machine in software is rather less costly than buying an actual Enigma – original machines have sold for prices ranging from $75,000 to more than $500,000 at auction.

GCHQ isn’t the first to develop an emulator – you can find them on the web or as desktop or mobile apps. But the agency does have a certain brand credibility for this sort of thing. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/18/gchq_enigma_emulator/

Karpeles walks, Google and Microsoft board up Windows hole, and Android AV still sucks

Roundup: Last week we saw a conservative app exposed, the revelation of Beto’s hacker past, and the rise of Slub.

Let’s kick start this week with some extra bits and bytes from the infosec world.

Certs still foiling AV detectors

We may be a bit jaded after this year’s RSA Conference hype-fest, but it’s less than shocking to learn that antivirus suites, for all their marketing budgets, still struggle with some basic elements of malware detection.

Researchers with MalwareHunterTeam came across a piece of ransomware called LockerGoga that, on its face, should have been easy to spot and remove. But it apparently evaded detection across the spectrum in VirusTotal tests, thanks to carrying a valid code-signing certificate.

To be fair, it was noted that the malware would still have been spotted by apps running decent heuristics tools that can spot the malicious behavior while in progress. But still, it’s not a good look that such infections don’t get spotted right away.

BlackBerry courts the US government

If you haven’t heard the name BlackBerry since 2011, let us get you up to speed. The one-time smartphone king was driven out of the handset market by iOS and Android and has since reshuffled itself as a mobile security specialist.

That effort has been re-upped this week with the launch of a new subsidiary known as BlackBerry Government Solutions. The brand will, as its name suggests, focus on pitching BlackBerry’s mobile and IoT security products to the US government in hopes of landing lucrative agency contracts.

The plan is not a bad one. Entire sectors of the IT industry thrive on nothing but government contracts, and BlackBerry’s remaining product lines are uniquely suited for government agencies that can’t exactly pop down to the mall if they want equipment that meets federal security regulations.

Mt. Gox boss walks despite conviction

It looks like infamous Mt Gox head Mark Karpeles will be able to avoid any time behind bars for his role in the cryptocoin exchange’s $480m collapse in 2014. A Japanese court found Karpeles guilty of falsifying data about the exchange’s financial state, but acquitted him on the more serious charges of embezzlement.

In sentencing, Karpeles was given a 2.5 year prison term that will be suspended for four years. If Karpeles can keep his nose clean during that four year period, he won’t have to spend a day behind bars. Prosecutors had sought a 10-year sentence.

Microsoft and Google patch the bug that never was

We use the term “zero day” for a vulnerability that becomes public, or is exploited, before the vendor has issued a patch, but what is the term for a patch that gets released before any practical bug can even be found?

This was the feat pulled off by Microsoft and Google this week when the two tech giants issued a report on a new class of vulnerability they had discovered in Windows before the bug had even been able to get into an actual product.

The two firms said that the flaw is a type of elevation of privilege bug that would allow a logged-in attacker or malware to get kernel mode access by exploiting the way Windows IO Manager handles requests.

Interestingly, Microsoft says that the flaw, discovered by Google’s James Forshaw, was never actually exposed in any public versions of Windows: the code pairings needed to pull off a proof-of-concept could not be found. In other words, the type of bug is there, it would likely work, but as luck would have it the software components never quite aligned.

Still, Microsoft said it will ensure future releases of Windows, starting with Windows 10 19H1 due out any moment now, will not feature this class of elevation of privilege.

Another week, another misconfigured database spaffing sensitive documents

Stop us if you’ve heard this one before: researcher Bob Diachenko has uncovered a public-facing database containing tens of thousands of confidential documents holding sensitive data.

This time the insecure AWS instance belongs to a company called LexSphere, and the exposed data is a cache of 250,000 court documents from cases handled by a law firm known as LexVisio.

As with others, this database had been improperly configured to allow access to the general internet, rather than walled off to only allow in those with proper clearance. With the advent of search tools like Shodan, finding these sort of exposed servers has become trivial to those who know what they’re doing, and few are better at it than Diachenko.

“Danger of having exposed Elasticsearch or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers,” the researcher writes.

“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.”
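This LexSphere find and the Gearbest story above share a root cause: an Elasticsearch node answering on the open internet with no authentication in front of it. The script below is an added example and not code from either report. It runs offline on (status, body) pairs that would normally come from GET / and GET /_cat/indices?format=json against port 9200, decides whether the node is unauthenticated, and summarises which indices look like they hold personal data; the sample responses and index names are constructed for the demo.

```python
"""Triage an Elasticsearch endpoint for unauthenticated exposure.

Added example, not code from either report. It works offline on
(status, body) pairs that would normally come from GET / and
GET /_cat/indices?format=json on port 9200; the sample responses
below are constructed, and the index names are illustrative.
"""
import json

# Index-name fragments that suggest personal or confidential data.
SENSITIVE_HINTS = ("customer", "order", "user", "payment", "passport",
                   "document", "case", "invoice")


def parse_root(status, body):
    """Return cluster info if the node answered GET / without authentication."""
    if status != 200:
        return None  # 401/403: X-Pack, Search Guard or a proxy is in front of it
    try:
        info = json.loads(body)
    except ValueError:
        return None
    if "cluster_name" not in info or "version" not in info:
        return None  # something other than Elasticsearch is on the port
    return {"cluster": info["cluster_name"],
            "version": info["version"].get("number", "unknown")}


def triage_indices(body):
    """Summarise GET /_cat/indices?format=json, skipping system indices."""
    findings = []
    for row in json.loads(body):
        name = row.get("index", "")
        if name.startswith("."):
            continue  # .kibana, .security and friends
        docs = int(row.get("docs.count") or 0)
        hints = [h for h in SENSITIVE_HINTS if h in name.lower()]
        findings.append({"index": name, "docs": docs, "sensitive": bool(hints)})
    return findings


def assess_exposure(root, indices):
    """root and indices are (status, body) tuples for the two requests."""
    info = parse_root(*root)
    if info is None:
        return {"exposed": False, "reason": f"GET / returned HTTP {root[0]}"}
    idx = triage_indices(indices[1]) if indices[0] == 200 else []
    return {
        "exposed": True,
        "cluster": info["cluster"],
        "version": info["version"],
        "indices": idx,
        "sensitive_docs": sum(i["docs"] for i in idx if i["sensitive"]),
    }


# Constructed sample responses (not real Gearbest or LexSphere data).
OPEN_ROOT = (200, json.dumps({
    "name": "node-1", "cluster_name": "shop-prod",
    "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"}))
OPEN_INDICES = (200, json.dumps([
    {"index": "customer_orders", "docs.count": "1500000", "store.size": "2.1gb"},
    {"index": ".kibana", "docs.count": "3", "store.size": "12kb"},
    {"index": "logs-2019.03", "docs.count": "420000", "store.size": "800mb"}]))
SECURED_ROOT = (401, json.dumps({"error": {"type": "security_exception",
                                           "reason": "missing authentication credentials"}}))

if __name__ == "__main__":
    for label, root in (("open", OPEN_ROOT), ("secured", SECURED_ROOT)):
        print(label, assess_exposure(root, OPEN_INDICES))
```

An unauthenticated 200 on GET / is the whole finding: if the REST API answers reads without credentials it will also accept writes and cluster-settings changes, which is the “full administrative privileges” Diachenko describes. The fix is not a firewall rule alone but binding the node to a private interface and putting authentication on the HTTP layer, so that one mistaken rule change (as Gearbest blamed) does not expose everything.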

Navy swamped by Chinese hackers

It is no secret that China was looking to hack US military agencies and contractors in hopes of getting blueprints and tech to boost its navy, but if a recent report from the Wall Street Journal is to be believed, the problem is even more severe than first feared.

Citing a leaked report from the US Navy, the WSJ says that Chinese hackers have put naval networks “under cyber siege” as infiltrators have been trying to lift critical documents and data from its systems and, more importantly, those of the private contractors it partners with.

“We are under siege,” the article quotes one official as saying. “People think it’s much like a deathly virus — if we don’t do anything, we could die.”

Counter-Strike struck by Belonard trojan

Gamers beware: a nasty piece of malware has been targeting players of the iconic FPS Counter-Strike 1.6.

Researchers with Dr Web say that a trojan called Belonard (named for the in-game handle of its creator) has been infecting the game clients of players and then using the resulting botnet to advertise gaming servers that Belonard operated for money.

“Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan,” the researchers wrote. “As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.”

Pretty devious. Imagine if he had done it on a game released this decade.

Android AV: mostly useless

If you’re relying on an antivirus app to protect your Android device, there’s a very good chance you’re only fooling yourself.

That’s because a recent test from AV Comparatives showed that of 250 top Android security apps, 138 accurately detected less than 30 per cent of the malware samples presented, and another 32 were so bad that Google actually pulled them from the Play Store.

“We consider those apps to be risky, that is to say, ineffective or unreliable. In some cases the apps are simply buggy, e.g. because they have poorly implemented a third-party engine,” AV Comparatives explained.

“Others detect only a handful of very old Android malware samples, and allow any apps that contain certain strings, making them likely to pass some quick checks and thus be accepted by the app stores.”

That means only 80 of the 250 anti-malware apps were even anything close to effective. The good news is, those good apps were the ones developed by known and reputable security firms. Vendors like F-Secure, AVG, Kaspersky, Symantec, McAfee, and Sophos all scored 100 per cent. Stick with a familiar name and you should be all right. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/18/security_roundup_150319/