29th October AVIEN updates

Updates to Anti-Social Media 

Tomáš Foltýn for ESET: Nothing exceeds like excess; or, a lack of privacy in the digital age 
What has the internet brought us? And how does privacy stay anchored in the data deluge of the digital age? Here’s a brief reflection to celebrate today’s Internet Day

Updates to Cryptocurrency/Crypto-mining News and Resources

Lawrence Abrams for Bleeping Computer: Exposed Docker APIs Continue to Be Used for Cryptojacking – “Trend Micro has recently spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner. “


Sophos: Call of Duty players caught up in cryptocurrency theft racket – “According to the Chicago Sun-Times, which has seen the first-hand report from a court filing in Chicago, the FBI alleges that the criminals involved stole more than $3.3 million USD in a variety of cryptocurrencies, including Reputation and Ethereum tokens and that the thieves coerced other Call of Duty players into joining their criminal activities.”

Updates to: Ransomware Resources

Stephen Cobb for ESET: Ransomware and the enterprise: A new white paper
“Ransomware remains a serious threat and this new white paper explains what enterprises need to know, and do, to reduce risk”

David Harley

Advertisements

26th October resource updates

Cryptocurrency updates

ZDNet: North Korea blamed for two cryptocurrency scams, five trading platform hacks
” A Group-IB report published last week pinned five of 14 cryptocurrency exchange hacks on Lazarus Group, a codename assigned by the cyber-security industry to North Korea’s military hacking units….In a report published today by threat intel firm Recorded Future, individuals associated with the North Korean regime have also been blamed for running cryptocurrency-related scam.” [sic]


Pierluigi Paganini: Experts presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol – “The presentation titled “BOTCHAIN aka The Dark side of Blockchain” includes details about the first fully functional Botnet built upon the Bitcoin Protocol named “BOTCHAIN”.”

Updates to Anti-Social Media 

The Register: Apple boss decries ‘data industrial complex’ while pocketing, er, billions to hook Google into iOS – ” …”Advancing AI by collecting huge personal profiles is laziness, not efficiency,” he said. “For artificial intelligence to be truly smart, it must respect human values including privacy.”….Apple … sells Google access to iOS customers for $9bn. That’s how much Google is expected to pay Apple this year to be the default search provider on iDevices, according to a Goldman Sachs estimate.”


The Register: Jeez, not now, Iran… Facebook catches Mid East nation running trolly US political ads – “Whack-a-Troll: Ad biz smashes latest manipulation plot to show it’s doing…something … Facebook, the antisocial advertising platform on which anyone can promote just about anything, on Friday said it found people promoting political discord in the US and UK, yet again.”

IoT update


Tomáš Foltýn for ESET: IoT: A roomful of conundrums
“How can you stay safe in a world where “smart” is the new default?”


The Register: We asked 100 people to name a backdoored router. You said ‘EE’s 4GEE HH70’. Our survey says… Top answer! – SSH hardcoded ‘admin’ login found, patch, er, patch coming?


Europol press release: If your toothbrush calls you, it might not be for dental hygiene: the importance of securing the internet of things

“Building on this work, ENISA continues to engage with stakeholders and will publish a new study in 2018 on Good Practices for Security of IoT with a focus on Industry 4.0 and smart manufacturing, while in 2019 relevant efforts concerning smart cars are expected.”

Updates to Specific Ransomware Families and Types

ESET: ESET releases new decryptor for Syrian victims of GandCrab ransomware – “ESET experts have created a new decryption tool that can be used by Syrian victims of the GandCrab ransomware. It is based on a set of keys recently released by the malware operators”

Updates to Anti-Malware Testing

SE Labs introduces penalty shootout

Updates to Chain Mail Check

Je te plumerai le BEC

Updates to Mac Virus

ZDnet: Apple blocks GrayKey police tech in iOS update – “Reports suggest the data-slurping tool has been rendered useless — but no-one knows how.”

The Register: Apple boss decries ‘data industrial complex’ while pocketing, er, billions to hook Google into iOS – ” …”Advancing AI by collecting huge personal profiles is laziness, not efficiency,” he said. “For artificial intelligence to be truly smart, it must respect human values including privacy.”….Apple … sells Google access to iOS customers for $9bn. That’s how much Google is expected to pay Apple this year to be the default search provider on iDevices, according to a Goldman Sachs estimate.”

David Harley

October 24th AVIEN updates

Updates to Anti-Social Media 

The Register: Facebook, Google sued for ‘secretly’ slurping people’s whereabouts – while Feds lap it up – “Facebook and Google are being sued in two proposed class-action lawsuits for allegedly deceptively gathering location data on netizens who thought they had opted out of such cyber-stalking.”


Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”

Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”

Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.

Updates to Specific Ransomware Families and Types

BitDefender: Gamma ransomware compromises data on 16,000 patients at California hernia institute – “The attack was tied to the email address Glynnaddey@aol.com which, according to databreaches.net, is associated with Gamma ransomware (part of the Crysis ransomware family). “

Updates to Mac Virus

 for ESET: Banking Trojans continue to surface on Google Play
The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users


Buzzfeed: Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme – “A BuzzFeed News investigation uncovered a sophisticated ad fraud scheme involving more than 125 Android apps and websites, some of which were targeted at kids.”

David Harley

23rd October 2018 resources update

Updates to Anti-Social Media 

New York Times: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections – “WASHINGTON — The United States Cyber Command is targeting individual Russian operatives to try to deter them from spreading disinformation to interfere in elections, telling them that American operatives have identified them and are tracking their work, according to officials briefed on the operation.”


The Facebook Newsroom: The Hunt for False News – fairly undramatic examples of fake news stories discovered, but somewhat interesting for the insight it gives into what approaches FB is taking towards finding such stories.


Graham Cluley: If Facebook buys a security company, how will it retain the staff who absolutely hate Facebook? – “…if Facebook did actually acquire a company brimming with security boffins, there’s a good chance that a fair proportion of them would be very privacy-minded. And it’s quite possible that a good number of them would rather pull their toenails out with pliers than find that their new boss is Mark Zuckerberg.”


The Next Web: Firefox 63 will prevent cookies tracking you across sites TNW seems quite enthusiastic, saying “This is a welcome feature from Mozilla, which is increasingly concerned about the state of privacy and surveillance on the Internet.” I have to wonder, though, if it has considered modifying its own cookie policy.

TNW’s cookie statement says: “You give your consent for cookies to be placed and read out on our Platform by clicking “agree” on the cookie notice or by continuing to use the Platform. For more information about the use of the information collected through cookies see our Privacy Statement.

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Graham Cluley: Watch how a Tesla Model S was stolen with just a tablet – “Watching Kennedy’s video of the theft, it appears that the two criminals used a “relay attack”, where a signal from a nearby key fob (in this case, out of range of the car inside Kennedy’s darkened house) is boosted to a location close to the car.”


The Register: Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking. Further to this article from Zimperium, which I flagged on 22nd October: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

David Harley

22nd October AVIEN updates

Updates to Anti-Social Media 

Wired: How a suspicious Facebook page is pushing pro-Brexit ads to millions – “The UK’s fake news inquiry says the website Mainstream has spent around £257,000 on pushing a pro-Brexit advertising campaign on Facebook in the last 10 months. The problem? Nobody knows who runs the page or where the money comes from”

And I somehow didn’t get round to posting this nearly a year ago, but it’s still worth reading. The Verge: Former Facebook exec says social media is ripping apart society – ‘No civil discourse, no cooperation; misinformation, mistruth….He went on to describe an incident in India where hoax messages about kidnappings shared on WhatsApp led to the lynching of seven innocent people.’

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Pierluigi Paganini: Researchers found that one of the most popular Internet of Things real-time operating system, FreeRTOS, is affected by serious vulnerabilities.

Refers to this blog by Zimperium: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

Updates to Tech support scams resource page

Lawrence Abrams for Bleeping Computer: McAfee Tech Support Scam Harvesting Credit Card Information. A scam that has its cake and attempts to eat it. Several times.

“Essentially, these scammers are not only earning commissions on affiliate sales, but also stealing your credit card and personal information. This information can then be used to charge other purchases or perform identity theft using your credentials.”

David Harley

Anti-social media part umpteen

BBC: Children ‘blackmailed’ for sexual images in online video chats. “A surge in the use of video chats and live-streaming among children is leaving them vulnerable to abuse, the NSPCC has warned, calling for a social network regulator to be introduced.”


Graham Cluley: Facebook Portal isn’t designed to be as private as you might hope – Graham says “I doubt I’m alone in the world in thinking that allowing Facebook, of all companies, into your home with a microphone and a video camera is a pretty terrible idea.” Indeed he isn’t… And this story is not reassuring, with FB’s weaselly partial backtracking on the assertion that it would not collect data for targeted advertising.


I’m not the biggest fan of SANS and its newsletters. (That would be SANS…) But the Top Of The News section in its October 19th 2018 Newsbites newsletter includes a number of links relevant to election interference and social media that you might find worth reading.

David Harley

AVIEN, Chainmailcheck, & MacVirus updates

Updates to Anti-Social Media 

ESET: Tumblr patches bug that could have exposed user data
The microblogging platform is assuring its users that has found no evidence that any data was actually stolen

The Register: Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers’ private info to world+dog – “Tumblr today reveal it has fixed a security bug in its website that quietly revealed private details of some of its bloggers”


The Next Web: Twitter releases 10M Iranian and Russian propaganda tweets ahead of US Midterms – “Twitter yesterday released a bevy of data related to Iranian and Russian-sponsored misinformation campaigns started as long ago as 2009. The hope, in releasing the trove, is that academics and researchers will use it to come up with solutions to the propaganda problem plaguing US politics.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Bleeping Computer: Researcher Livestreams 51% Attack on Altcoin Blockchain – “A little over a week ago, researcher promised to run a 51% attack on the blockchain of a small cryptocurrency called Einsteinium (EMC2), to show the world how easy the entire process was.”

Updates to GDPR page

ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected….he move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”

Updates to Meltdown/Spectre and other chip-related resources

The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”

Updates to Specific Ransomware Families and Types

Bleeping Computer: GandCrab Devs Release Decryption Keys for Syrian Victims – “After seeing this tweet, the GandCrab developers posted on a forum that they have released the keys for all Syrian victims. They also stated that it was a mistake that Syria was not added to the original list of countries that GandCrab would not encrypt, but did not say if they would be added going forward.”

Updates to Chain Mail Check

Recognizing scams

Updates to Mac Virus

Apple and personal data, plus Android issues

David Harley

IoT updates

Updates to Internet of (not necessarily necessary) Things

Added a few days ago, in fact, but I’ve been a bit busy…

  • Threat Post: Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers – “The flaw impacted patients with pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.”
  • The Register: Last year, D-Link flubbed a router bug-fix, so it’s back with total pwnage – “Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check….Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.”
  • The Register: Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound – “Gadgets taught to identify actions via always-on mics” What could go wrong?
  • Pierluigi Paganini: A Russian cyber vigilante is patching outdated MikroTik routers exposed online – “Alexey described his activity on a Russian blogging platform, he explained he hacked into the routers to change settings and prevent further compromise.” As Paganini points out, this is still ‘cybercrime’. Well, in most jurisdictions. Indeed, I remember dissuading a friend from taking somewhat similar action to remediate the impact of the Code Red worm in 2001 . Even if the motivation is pure, it’s still unauthorized access and modification. I talked about related issues in the context of the BBC’s purchase of a botnet in 2009 here and elsewhere linked in the article. Unfortunately, the ESET link there no longer works, and it’s on ESET’s blog that I did most of my writing on the topic, but you could try this.
  • The UK’s National Cyber Security Centre (NCSC), in collaboration with the Department for Digital, Culture, Media and Sport (DCMS) , has published a Code of Practice for Consumer IoT Security (a differently-formatted – i.e. picture-free – version is available here). It is based on the following guidelines:
    • No default passwords
    • Implement a vulnerability disclosure policy
    • Keep software updated
    • Securely store credentials and security-sensitive data
    • Communicate securely
    • Minimise exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Monitor system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

Commentary from The Register: GCHQ asks tech firms to pretty please make IoT devices secure – “Hive, HP Inc sign up to refreshed code of practice”

 

Updates to Anti-Social Media October 17th 2018

Sophos: Donald Daters app for pro-Trump singles exposes users’ data at launch – “Donald Daters, a new dating app that promises to “make dating great again” has instead leaked its users’ data.”

The Mercury News: Facebook lured advertisers by inflating ad-watch times up to 900 percent: lawsuit – “A group of small advertisers … alleged in the filing that Facebook “induced” advertisers to buy video ads on its platform because advertisers believed Facebook users were watching video ads for longer than they actually were.”

David Harley

AVIEN resource updates: 13th October 2018

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit – “The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants.”

Updates to Specific Ransomware Families and Types

David Bisson for Tripwire: New Sextortionist Scam Uses Email Spoofing Attack to Trick Users – “As reported by Bleeping Computer, an attack email belonging to this ploy attempts to lure in a user with the subject line “[email address] + 48 hours to pay,” where [email address] is their actual email address.”

In the Bleeping Computer article, Lawrence Abrams says: “In the past, the sextortion emails would just include a target’s password that the attackers found from a data breach dump in order to scare the victim into thinking that the threats were real. Now the scammers are also pretending to have access to the target’s email account by spoofing the sender of the scam email to be the same email as the victim.”

Updates to Mac Virus

Krebs/Sager interview on supply chain security (also published on this site).

David Harley