Earther The Earth Sciences Are White AF | The A.V. Club Infinity War’s ending packs a wallop, if you don’t think about it too hard | The Takeout Vegan woman buys ice cream for a little kid, becomes subject of online firestorm |
Earther Good Job Rhinos, Keep Boning | The A.V. Club Westworld broadens its horizons to good effect | The Takeout Ask The Salty Waitress: What should I have done when accidentally served alcohol while pregnant? |
Dr Aleksandr Kogan, the academic behind the personality quiz app that harvested Facebook information of 80+ million people, has also had access to a random sample of public tweets posted during a five-month period.
Twitter has confirmed that Kogan, through his company Global Science Research (GSR), has bought access to those tweets and the usernames, photos, profile pictures and location data of the users who posted them from Twitter.
“In 2015, GSR did have one-time API access to a random sample of public tweets from a five-month period from December 2014 to April 2015,” Twitter told Bloomberg. “Based on the recent reports, we conducted our own internal review and did not find any access to private data about people who use Twitter.”
Twitter does not require users to use their real name, and tweets don’t contain location data by default. The company sells direct access to public tweets to a variety of organizations, who then use it for a variety of purposes, but most often to gauge users’ attitude towards events, topics, brands, etc.
Dr Kogan sold the information collected from Facebook to Strategic Communication Laboratories (SCL)/Cambridge Analytica, to be used for compiling psychological profiles on American voters.
According to The Sydney Morning Herald, he says that the data he accessed on Twitter had only been used to create “brand reports” and “survey extender tools.” Also, that he had not violated Twitter’s policies.
Following this revelation, Twitter has announced that they have decided to off-board advertising from all accounts owned and operated by Cambridge Analytica.
“This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices,” a company spokesamn said, but noted that Cambridge Analytica may remain an organic user on their platform.
A Cambridge Analytica spokesman has commented the revelation by claiming that the company had never received Twitter data from GSR, even though Dr Kogan recently testified before a committee of the UK Department for Digital, Culture, Media & Sport that GSR was created in 2014 for the express purpose of creating datasets for SCL.
This sort of data sharing will no longer be possible as GDPR comes into force on 25 May.
“Some experts are concerned about potential over-regulation with the upcoming enforcement of GDPR. However, exactly such incidents may well justify severe regulation of the personal data market. Twitter, for example, has already adjusted its Terms of Service and Privacy to comply with the new European regulations,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented for Help Net Security.
“On the other side, users of all free services should clearly understand that social networks are not charities, and have to pay millions per day for their operations. Thus, they will predictably use all available avenues to generate revenue. Therefore, keep in mind that all you share or write online can be used against you one day or become public.”
The UK High Court has ruled that part of the Investigatory Powers Act 2016 (nicknamed Snoopers’ Charter) is incompatible with European Union law and the European Convention on Human Rights and, therefore, unlawful.
The section in question is Part 4 – Retention of Communications Data – in particular the power given to the Secretary of State to issue “retention notices” to telecommunications operators requiring the retention of relevant communications data (but not its contents), as well as location data and internet use history.
The challenge was brought to the court by the National Council for Civil Liberties (NCCL), aka Liberty, a UK-based advocacy group that aims to protect civil liberties and promote human rights.
They argued that the court should order the UK government to amend that particular part of the Investigatory Powers Act (IPA) because it allows the storage of and access to the aforementioned data with no independent authorization, for crime-fighting purposes extending far beyond “serious crime,” and for a wide range of other non-crime purposes – all of which violates the UK citizen’s right to privacy.
The High Court sided with Liberty by declaring that Part 4 of the IPA is incompatible with fundamental rights in EU law because access to retained data is not limited to the purpose of combating “serious crime” and access to retained data is not subject to prior review by a court or an independent administrative body.
On the other hand, the Court found that the same part of the legislation does not permit “a general and indiscriminate retention of traffic and location data.”
The Home Office sees this ruling as a victory, as the Court did not judge the data collection unlawful, and they’ve previously already acknowledged that the Act doesn’t comply with European laws and were planning to make appropriate changes.
They asked the Court to be allowed to make those changes by April 2019, but the latter said that there is no reason why the legal framework cannot be amended before that date, even if the practical arrangements (e.g., the creation of an Office for Communications Data Authorisations) take longer.
Therefore, the Court has decided on 1 November 2018 as the deadline for the government to amend the legislation so that it is in line with the EU law.
Liberty also considers the judgement a victory.
“The Government must now change the law to require prior review by a court or independent administrative body and – in the context of crime-fighting – to only allow access to data for purposes of combatting ‘serious crime.’ The Court did not rule on the legitimacy of the wide range of other non-crime purposes in the Act because the Government has already proposed legislation to remove them,” the group commented.
Martha Spurrier, Director of Liberty, said that the group has already issued legal challenges to three other parts of the IPA.
“Today’s ruling focuses on just one part of a law that is rotten to the core. It still lets the state hack our computers, tablets and phones, hoover up information about who we speak to, where we go, and what we look at online, and collect profiles of individual people even without any suspicion of criminality,” she noted, and has asked the public to contribute funds to ensure they can continue with the next stage of the legal challenge.
Online disinformation, also refered to as “fake news”, has recently received a lot of attention as a potential disruptor of democratic processes globally. There is a need to initiate a dialogue in the EU around the possible responses to this phenomenon.
In this regard, ENISA publishes an opinion paper meant to present some views and recommendations on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective.
The use of AI algorithms should be deployed to assist in the detection of online disinformation campaigns and misuse of online platforms such as scraping, spam, etc. The outputs of these algorithms should be verified by humans before any action is taken.
Online platforms should consider deploying the results from their disinformation analysis and reporting in a transparent manner to build a confidence score on the content, which is presented to the end-user. This approach should build confidence for end-users in analysing the content presented.
Online media operators should develop signatures that could be included in their news articles, where users can verify the source of the content.
Online platforms should clearly identify reporting locations for the ordinary user to report suspected online disinformation. The reports should be examined in a timely manner by the operators to decide on the appropriate action. The operator should have the necessary resources in place to address the challenge arising from this activity.
A strategy should be developed to create economic disincentives, which could include the cutting off of advertising for sites that are found to be involved in the dissemination of online disinformation.
Venafi announced the results of a survey querying 512 security professionals attending RSA Conference 2018. The survey evaluated opinions on the intersection of cyber security, privacy threats and government regulation.
According to the survey, 70 percent of respondents say governments should regulate the collection of personal data by social media companies to protect user privacy. However, 72 percent believe their government officials do not have a good understanding of the threats impacting digital privacy.
“These results are disturbing,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “While security professionals agree that government officials do not understand the nuances of social media and digital privacy, they’re still looking to them to regulate the technology that permeates our daily lives.”
In addition, 74 percent of the respondents said government officials do not have a good understanding of the current cyber threat landscape. Despite their lack of confidence, nearly half (45 percent) believe governments should be able to impose encryption backdoors on private companies.
Bocek added: “It’s disheartening that so many security professionals think encryption backdoors will somehow make us safer. There is no question that they will undermine our global economy and make digital communication much more vulnerable. Any backdoor will be extremely lucrative, so cyber criminals will spend an enormous amount of effort to steal one. And once a backdoor is leaked it’s certain to be available to the highest bidders on the dark web.”
Earther Oh God, Ryan Zinke | The A.V. Club “Here’s your 2 dollars”: 9 great gags from otherwise tepid comedies | The Takeout Vegetarians will smugly outlive the rest of us |
Everyone wants to talk about The Handmaid’s Tale, and you want to be in on the conversation. There’s just one problem: You’ve never watched it. Fortunately, you have Lifehacker to provide you with the essential facts you need to hold your own in any Handmaid-related chitchat. Let’s skim some dystopia!
Earther It Looks Like the US Just Set a New Daily Rainfall Record | The A.V. Club Here’s the extremely subtle clue about season two hidden in Westworld’s pilot | The Takeout Wake and bake French toast casserole |
Opening up your house to a bunch of hungry friends can be quite fun, but you can quickly rack up some pricey party expenses if you’re not careful. But there are a lot of ways to serve fancy food without draining your bank account, and we’re going to show you how. This week, we’re focusing on fromage fort, a cheesy little French number that is essentially made out of scraps.
Instagram, the visual story-centric social media platform owned by Facebook, has now added a long-requested feature: the ability for users to download their data – including images, posts and comments.
Not to be cynical, but Instagram is not making this move out of the kindness of its heart: the compliance deadline for GDPR is in a month and data portability is one of its many requirements.
What’s data portability? From the GDPR articles:
Data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format
To decode this a bit, the “data subject” means the user of the service – in this case anyone who uses Instagram.
While GDPR is meant to apply to any service that holds or uses the personal data of any European citizen, many online services are making GDPR-mandated services available to all their users regardless of where they live. This seems like a pretty good thing for everyone and a victory for user rights and privacy around the world.
So if you happen to be an Instagram user who’d like to quit the platform and delete your account, but would like to save the photos, videos and stories you’ve posted, the new Instagram “data download” option will allow you to take all your data with you when you leave.
To access this service, log in to your account, go to your profile, click “edit profile,” and then go to the “privacy and security” area. You’ll see a “Data download” header with a link to request a download of your data.
Once you make the request for your data, keep in mind that you won’t receive it right away. When I made my request, it took a few hours to get an email that my data was ready to download. Instagram says that it could take up to two days in some cases.
My data was split up into multiple parts. I’ve been a frequent Instagram user since 2012 or so, so I do have a lot of data I suppose.
The GDPR regulations say, in somewhat vague terms, mostly what needs to happen with user data and a little less on how it should happen.
The data portability requirement, for example, says users should be able to get their data in a “commonly used and machine-readable format.” If you try to download your data from Facebook, it’s presented to you in an HTML format, a machine-readable format that can be opened in a web browser so you can see it and click around to see the data they have on you.
Note that the GDPR regulation says “machine-readable” and not “human-readable,” though. Given that Instagram is part of Facebook, I had high hopes for what I’d see when downloading my Instagram data – that it would be readable and navigable, as my Facebook data was. Unfortunately, this was not the case.
While my images and videos were easy to view in JPG and MP4 formats respectively, all my other data was in JSON (JavaScript Object Notation) format, and while I know how to read it in a text editor, it’s not the friendliest option for the average Instagram user.
The good news is that JSON is a very well understood and commonly used format for storing and exchanging data, particularly on apps and websites. With Instagram data now available in this format a host of programs to read it, or import it into other apps and services, probably isn’t far away.
Opening up a JSON file, it’s clear that it’d take a little bit of formatting and parsing work to make this data dump really readable.
While it’s not terribly “human-readable”, this data checks the GDPR box of being “machine-readable,” and realistically, it’s probably not as interesting to most users as their pictures and videos. And let’s not lose sight of the big picture here – the good news is that your data is no longer walled up in the Instagram platform, and if you decide you want to leave, you can finally take your data with you.
Earther Atoll Islands Home to Thousands Could Be Uninhabitable by Mid-Century | The A.V. Club On Late Night, Patton Oswalt talks about the capture of his late wife’s nemesis, The Golden State Killer | The Takeout Survey: “Plant-based” sounds more appealing than “vegan” |
Last week, Google rolled out two-factor authentication prompts to its updated Gmail app, all in the hopes that more people using Google products will use two-factor authentication to protect their accounts, and that users will choose prompt-based authentication over less secure methods, like SMS codes.
Why turn on two-step verification (also known as two-factor authentication, or 2FA)? Because a password, even a strong one (which you aren’t using anywhere else, are you?), isn’t enough to keep your account secure.
If the service you’re using offers 2FA, you should enable it — it’s another layer of protection on your account that stops someone who can steal or guess your password from getting access.
The beauty of what the Gmail app offers is that it makes two-step authentication easier to use.
Instead of waiting for an email or SMS to appear on your phone, or setting up an authentication code on a 3rd party code generator, and then typing in the code you receive or generate, it’s just one touch to authenticate.
In this case, you simply open Gmail app, which will ask if it’s you trying to sign in on a new device. You just hit a button to confirm, yes, it’s actually me trying to sign in to my account on that computer.
Ease of use is important because, for all the security benefits that 2FA brings, Gmail users just haven’t been using it.
The prompt-based approach to 2FA is something many organizations, including Google, have been pushing for a few years, as the SMS-based 2FA method can be vulnerable to fraud. It is better than nothing, but push-based methods—like the Google prompt—are more secure, and easier to use.
If this is something you’ve held off on doing, here’s how to get the prompt-based 2FA set up on your Google account. (Note that the setup is slightly different for Android and iOS users.)
Android users: Google Play Services deliver the prompt on your phone, so make sure your version is updated for this feature to work.
iOS users: The Google prompt works on iPhone version 5s and higher via the Google app and now the Gmail app as well.
First, you’ll need to navigate to the two-step authentication setting on your Google account on a computer (for Android or iOS users), or via the settings within your Google app (for iOS users). To find the 2FA setting from either a computer or the app, go to the settings of your Google profile, and select “signing in to Google” from under the Sign-in and Security area.
The screenshots below are from iOS on an iPhone 7, but it’s very similar when going through this process on a computer.
In the “signing in to Google section,” click the “two-step verification” option and hit the “try it now” prompt.
You’ll now see what the prompt looks like:
If it was you trying to sign in, hit “Yes,”.
You’re not done yet though! The app will ask you to confirm that you want to turn this feature on, so tap “turn it on.”
Now you should be ready to go with the prompts on your Google account, and the 2-step verification screen will show you that Google prompts are enabled, along with any other prior 2FA methods you may have enabled (like the Authenticator app, SMS or physical keys).
If you have notifications enabled for the Google app, next time you (or anyone else!) tries to sign in to your Google account on a new device, you’ll be pinged to open the app and verify that it’s you. If you don’t have notifications enabled, you’ll need to open the Google app yourself to verify the login.
Onapsis researchers revealed a critical security configuration vulnerability that results from default installations in SAP systems which if left insecure, could lead to a full system compromise in unprotected environments.
If exploited the impact could be full control of the system by hackers, putting business-critical ERP, HR, PII, Finance, and Supply Chain data and processes at risk.
The vulnerability, mainly driven by a security configuration originally documented by SAP in 2005, is still present in the majority of SAP implementations either from neglecting to apply security configurations or due to unintentional configuration drifts of previously secured systems.
Onapsis has spent the past six months reaching out to SAP customers to alert them and help ensure they are addressing the risk in their landscapes. After analyzing hundreds of real SAP customer implementations, Onapsis found that 9 out of 10 of SAP systems were vulnerable before the Onapsis Risk Assessment or Onapsis Security Platform implementation.
The vulnerability is found in SAP Netweaver and can be compromised by a remote unauthenticated attacker having only network access to the system. Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down.
SAP Netweaver is the foundation of all SAP deployments and as such the vulnerability affects all versions of SAP Netweaver, representing 378,000 customers worldwide and 87% of the Global 2000. This risk still exists within the default security settings on every Netweaver-based SAP product, including the latest versions such as cloud and the next generation digital business suite S/4HANA.
“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.
“Additionally, once the configuration is secured it is almost impossible to ensure that separate teams do not reset the configuration to an insecure setting due to adding, migrating or upgrading a system,” continued Perez-Etchegoyen.
It's Lt. Gen. Paul Nakasone.
I know nothing about him.
Yet another Drupal remote code execution vulnerability has been patched by the Drupal security team, who urge users to implement the offered updates immediately as the flaw is being actively exploited in the wild.
The vulnerability (CVE-2018-7602) affects Drupal versions 7.x and 8.x. Users should upgrade to v7.59 and 8.5.3.
Those who, for whatever reason, can’t implement the update can implement standalone patches, but before doing so they have to apply the fix from SA-CORE-2018-002 (dating back to March 28, 2018).
This is the second time in less than a month that a critical remote code execution flaw has been plugged.
The first one – CVE-2018-7600 – affected Drupal 8, 7, and 6 sites, estimated to number approximately one million.
Although the flaw was discovered and responsibly disclosed by a researcher, it didn’t take long for attackers to develop an exploit once the security updates and patches had been released.
“Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that,” the Drupal security team recently shared.
“With the March update, Drupal added a global sanitation function. This approach is often difficult to implement correctly,” SANS ISC CTO Johannes Ullrich commented.
“It is very difficult to sanitize and validate data before it is clear how it is being used, in particular if this is done for an existing and complex application like Drupal. We will see how this will work for Drupal in the long run.”
The second flaw – CVE-2018-7602 – is related to the previous one, was unearthed by the same researcher and members of the Drupal security team, and is also being actively exploited in the wild.
China-based Netlab 360 recently observed a large number of scans on the internet against CVE-2018-7600.
The attackers search for vulnerable Drupal installations, exploit the flaw, and install cryptocurrency miners and DDoS-capable software on the compromised servers, as well as backdoors that make it possible for them to access the system whenever they want.
It is to be expected that CVE-2018-7602 will be exploited with the same goals in mind.
The Drupal team warns that, once the critical updates/patches are installed, administrators should check whether their installation has been compromised and a backdoor installed on the host.
“Simply updating Drupal will not remove backdoors or fix compromised sites. You should assume that the host is also compromised and that any other sites on a compromised host are compromised as well,” they noted.
“If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.”
Instructions on what users should do if they find their Drupal site has been hacked are available here.
When you read to kids, you do so much more than “reading”—you put on a performance and hold a conversation. You do voices, you show them the pictures, and you follow the special cadence of kids’ books. Using his book Hey A.J., It’s Bedtime!, children’s author and NFL player Martellus Bennett joins us on video to demonstrate his techniques for reading aloud to kids.
Earther Tabasco Sauce Is in a Battle For Its Very Survival | The A.V. Club The shitty Avengers: 15 movie superheroes not ready for franchising | The Takeout Why it’s time for skeptics to reconsider the IPA |
Unknown attackers have managed to steal approximately $150,000 in Ethereum from a number of MyEtherWallet (MEW) users, after having successfully redirected them to a phishing site posing as MyEtherWallet.com.
The redirection was seamless, and the only thing that gave some indication that the phishing site is not what it pretended to be was the warning showed to visitors saying that the TLS certificate used by the site was signed by an unknown authority (i.e., was self-signed).
Those who chose to ignore the warning, accept the certificate and proceed doing their business through the phishing site had their private keys stolen and their funds taken by the attackers.
MyEtherWallet.com uses Amazon’s Route 53 DNS service.
“The attackers used BGP [Border Gateway Protocol] — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service,” researcher Kevin Beaumont explained.
“They re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago. From there, they served traffic for over two hours. This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.”
It also allowed them to redirect traffic meant for MyEtherWallet.com to the lookalike phishing site, hosted on a server in Russia.
Cloudflare’s Louis Poinsignon has provided a more detailed explanation of the steps involved in the attack.
As far as we know, MyEtherWallet and its customers were the only targets in this attack.
“This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks,” MEW explained in the official statement published after the attack.
“This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”
Amazon made sure to point out that neither AWS nor Amazon Route 53 were hacked or compromised.
“An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain,” they explained.
The ISP in question is Ohio-based eNet.
Equinix also piped up to say that the server used for the attack was not one of theirs, but customer equipment deployed at one of their Chicago IBX data centers. “We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment. Our role is to provide the best environment possible for our customers to transform their business,” they noted.
The attack against MEW netted the attackers just over $150,000 in Ethereum, but the amount of currency contained in the wallet to which the stolen funds were sent was around £20 million/$17 milion before the attack. As Beaumont noted, whoever they are they are not poor.
He also posited that there might have been other targets.
“Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access.”
Securing BGP might be a difficult proposition but, as Cloudflare systems engineer Patryk Szczygłowski noted, implementing DNSSEC and HSTS would have helped minimize the effectiveness of this type of attack:
Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.— Patryk SzczygÅ‚owski (@epatryk) April 24, 2018
Unfortunately, MyEtherWallet users who fell for this phishing scheme have no way of getting their funds back. MEW also warned them be on the lookout for possible subsequent scams
“We urge users to ignore any tweets, reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW,” they said, and advised them to run a local (offline) copy of the MEW and to use hardware wallets to store their cryptocurrencies.
Researchers at Check Point and CyberInt, have discovered a new generation of phishing kit that is readily available on the Dark Web.
A posting on the Dark Net that advertises the [A]pache phishing kit
Created by a cyber-criminal known as ‘[A]pache’, the kit makes it simple for those with very little technical ability to carry out their own cyber-attack. By simply downloading this multi-functioning phishing kit and following the straightforward installation instructions, a threat actor is able to launch a phishing campaign, that collects the personal and financial information of unsuspecting consumers, very quickly.
Unlike previous kits which are primarily composed of just one or two pages to collect personal or financial data, this new and advanced phishing kit enables hackers to create a convincing fake site. This includes options to create spoof websites of many well-known brands including Walmart, Americanas, Ponto Frio, Casas Bahia, Submarino, Shoptime and Extra.
In order to convincingly persuade their victims that they are shopping at the genuine site they think they are at, online scammers then need a domain that is similar to the targeted brand, for example, https://ift.tt/2HYvQJ9. To simplify this process, [A]pache has developed a simple user interface within the admin panel where the threat actor can paste the product URL of the legitimate retailer and the kit will automatically import the product information into the phishing page. They can then view their ‘products’ and change their original prices. Once registered, they are ready to deploy the kit to a PHP and MySQL supported web host. They can then log in to the kit’s admin panel and begin configuring their campaign.
Like any shop, the fake phishing site encourages it users to also be competitive, so the kit suggests that the product prices are attractive. This helps to motivate potential ‘customers’ to click on the items and proceed to checkout. Reducing prices too low though would raise suspicions with captivated ‘customers’. In addition, one trick is to list highly valued and desired items first, like smartphones, to entice potential victims.
The phishing kit’s admin panel
When customers click through from the threat actor’s email, social media link or any other way in which they could be sending traffic, the site will look exactly like the target site and customers can proceed to checkout with no suspicions raised. At this point ‘customers’ enter their payment and delivery details, including the CVV, which are then sent straight to the threat actor’s database, enabling the cyber criminal to see the victim’s personal and financial information. After the victim has entered their payment details, they are presented with a notification that the payment process has failed. This helps convince them to not be concerned when the purchased ‘product’ does not arrive.
At $100-$300, the cost is higher than more standard phishing kits. Standard kits usually retail at $20-$50, with some even free, as they only provide login pages and prompts for personal and financial information. With the [A]pache phishing kit however, threat actors are provided with a full suite of tools to pull carry out their attack. These include a whole backend interface with which they can create convincing fake retail product pages and manage their entire campaign.
With some reports claiming that 91% of cyberattacks and data breaches begin with a phishing email, phishing remains a constant threat for stealing financial information, intellectual property, and even interfering with elections. For this reason, consumers and businesses alike must ensure they have the latest protections for safe guarding against such threats.
It’s time to update your Mac and iOS-powered devices again: Apple has plugged four vulnerabilities, two of which could be exploited to execute arbitrary code if a user visits a malicious website.
The two critical vulnerabilities (CVE-2018-4200, CVE-2018-4204) affect WebKit, the web browser engine used in Apple’s Safari browser (both the Mac and the iOS version). They have been discovered and flagged by Ivan Fratric of Google Project Zero and Richard Zhu working with Trend Micro’s Zero Day Initiative.
The other two vulnerabilities are less severe, but still can be exploited to do some damage.
CVE-2018-4206, reported by Ian Beer of Google Project Zero, affects Crash Reporter, the app that sends Unix crash logs to Apple for engineers to review and that shows crash alerts to users. Its buggy error handling could allow an application to trigger a memory corruption that could allow the app to gain elevated privileges.
Finally, CVE-2018-4187, flagged both by Zhiyang Zeng of Tencent Security Platform Department and IT security consultant Roman Mueller, is a QR code URL parser bug that could be exploited by attackers to direct users to malicious sites:
Mueller found that it’s easy to construct a QR code which will show an innocent-looking hostname in the notification shown by the device while the link is pointing to a malicious site.
More information on how this bug can be exploited can be found here.
Apple hasn’t released updates for tvOS, watchOS or iTunes, but judging by previous experience we can expect them to be released soon as WebKit is included in those offerings and WebKit patches are usually implemented in those updates.
The A.V. Club Here’s what you need to know going into Avengers: Infinity War | Earther The National Park System Just Got Its First Dark Sky Sanctuary | The Takeout The best method for cooking asparagus is 2,000 years old |
Air-gapped cold wallets might be one of the safest options for keeping your cryptocurrency stash, but even they can be compromised. And, as demonstrated by security researchers from the Ben-Gurion University of the Negev, Israel, extracting private keys from such a wallet can be done relatively easily.
The attacks they demonstrated rely on the offline wallet being already compromised by malware, but once that’s achieved the keys can be sent to and received by a nearby smartphone equipped with software that receives the electromagnetic or ultrasonic signals carrying the information.
“The malware can be preinstalled or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction,” the researchers explained.
They’ve tested a number of covert ways to exfiltrate those private keys, using techniques they and others devised. Some are more effective than others, and some would not work at all.
For example, by using radio signals generated by the wallet an attacker can exfiltrate the key to the smartphone device in less than 15 seconds. And, as seen in the second demonstration video, doing it via ultrasonic signals can shorten that time to 3 seconds.
There are ways for wallet owners to keep their devices safe from these types of attacks.
“A basic hardware-based countermeasure scheme involves shielding computers with metallic materials to prevent electromagnetic radiation from leaking from the shielded equipment. However, it is less suitable for private users due to the maintenance required and cost,” the researchers noted.
“When a highly valuable wallet is involved, a signal jamming approach might be taken. In this approach, a specialized hardware transmitter continuously generates random noises that interfere with potential transmissions from the wallet. Jamming is primarily used to block of electromagentic and acoustic signals.”
The Domain Name System (DNS) turns a user-friendly domain name into an IP address that computers use to identify each other. DNS is unencrypted by default.
Most security vendors still heavily rely on signature-based detection, such as DNS firewalls and DNS blacklisting. It essentially performs DNS query checks of known bad domains.
Soon all DNS traffic will be encrypted. Analyzing DNS traffic will not help to spot and stop malicious activity on the network. It brings numerous challenges to network operators. They can solve them by implementing security measures powered by artificial intelligence.
This whitepaper discusses why DNS blacklisting is not an effective security control anymore.
Earther Scientists Are Fed Up With This | The A.V. Club 5 things to know about Archer’s new Danger Island reboot | The Takeout Chefs are fed up with Gordon Ramsay’s “bullshit”—but America’s not |
The A.V. Club Westworld is back, heavy on the violent ends | Earther The Machines That Could Darken the Sun to Stop Climate Change | The Takeout Teetotaling pro wrestler Jerry “The King” Lawler now has his own beer; won’t try it |
This acoustic technology identifies individuals by their ear shapes. No information about either false positives or false negatives.
US commercial bank SunTrust has announced on Friday that they’ve fallen victim to insider threat, and that customer records of some 1.5 million of its customers had been extracted from its systems.
What is known so far and has been shared with investors by the bank’s Chairman and CEO William Rogers, the insider was a former employee had tried to download customer data and hand it over to a “criminal third party.”
Rogers said that the attempt to steal the data happened six to eight week ago.
The data in question includes the name, address, phone number and account balances of approximately 1.5 million clients. “The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement,” the company said.
But, as far as they’ve been able to discover, the stolen information never left the bank.
Nevertheless, the bank has offered free identity protection services (on an ongoing basis) for all current and new consumer clients – not just those potentially affected by this incident.
“The IDnotify product by Experian is being offered in addition to existing SunTrust security protocols: ongoing monitoring of accounts, FICO score program, alerts, tools and zero liability fraud protection,” the company shared.
The IDnotify protection offered includes Experian 1B credit monitoring, an annual credit report, identify theft insurance with up to $1 million reimbursement for covered expenses, identity restoration assistance, dedicated call center support and dark web monitoring.
The bank heightened their monitoring of accounts and increased other security measures, as the former employee was not authorized to get that level of information.
But the good news is that they’ve not identified significant fraudulent activity and they promise that clients will not be held responsible for any loss on their accounts as a result of this situation.
The US Food and Drug Administration (FDA) plans to tackle security issues related to medical devices and has released a plan of action it means to implement in the near future.
Broadly, plan is as follows:
Among the more specific actions when if comes to pushing for greater medical device cybersecurity, the FDA says it is thinking about requiring firms to:
Fixing vulnerabilities in a timely manner and propagating the fixes to the customers and users is also important, and to that end the FDA aims to push firms to adopt policies and procedures for coordinated disclosure of vulnerabilities.
It is also looking into creating a new public-private partnership that would complement its current device vulnerability coordination and response mechanisms.
“The CyberMed Safety (Expert) Analysis Board (CYMSAB) would encompass a broad range of expertise (including hardware, software, networking, biomedical engineering, and clinical) in order to integrate critical patient safety and clinical environment dimensions into the assessment and validation of high-risk/high-impact device vulnerabilities and incidents,” the FDA noted.
“Its functions would include assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations, serving in a consultative role to organizations navigating the coordinated disclosure process, and serving as a ‘go-team’ that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request. The operationalization of a CYMSAB would be an invaluable asset to FDA, industry, and healthcare facilities in averting and responding to cybersecurity vulnerabilities and exploits.”
Here’s an overview of some of last week’s most interesting news and articles:
RSA Conference 2018 coverage
Check out what you missed at the infosec event of the year.
Real-time detection of consumer IoT devices participating in DDoS attacks
Could we detect compromised consumer IoT devices participating in a DDoS attack in real-time and do someting about it? A group of researchers Princeton University have presented some encouraging results showing that the first part of that equation can be relatively easily solved.
New targeted surveillance spyware found on Google Play
A new targeted surveillance app has been found and booted from Google Play. The app, named Dardesh, posed as a chat application and acted as a downloader for a second app that could spy on users.
Your Android phone says it’s fully patched, but is it really?
How do fully-maintained (i.e., patched) Android phones end up getting exploited? Searching for an answer to that question spurred security researchers to analyze thousands of Android firmwares for the presence of hundreds of patches.
NIST releases Cybersecurity Framework 1.1
The US Commerce Department’s National Institute of Standards and Technology (NIST) has announced the release of version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.
How attackers can exploit iTunes Wi-Fi sync to gain lasting control of target devices
An iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer, could be exploited by attackers to gain lasting control over the device and extract sensitive information from it.
Cisco plugs critical hole in WebEx, users urged to upgrade ASAP
Cisco has fixed a critical vulnerability in its WebEx videoconferencing software that could be exploited to compromise meeting attendees’ systems by simply opening a booby-trapped Flash file shared in a meeting.
Cryptominers displace ransomware as the number one threat
During the first three months of 2018, cryptominers surged to the top of detected malware incidents, displacing ransomware as the number one threat, Comodo’s Global Malware Report Q1 2018 has shown.
Researchers develop algorithm to detect fake users on social networks
Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.
Security researchers sinkholed EITest infection chain
Security researchers have managed to neutralize “EITest,” one of the oldest infection chains and thus preventing as many as two million potential malicious redirects a day.
Energy security pros worry about catastrophic failure due to cyberattacks
70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure, such as an explosion, a recent survey has shown.
When BEC scammers specialize
A group of BEC scammers has been focusing its efforts on the global maritime shipping industry.
Researchers propose scheme to secure brain implants
A group of researchers from KU Leuven, Belgium, have proposed a practical security scheme that would allow secure communications between a widely used implantable neurostimulator – an electrical brain implant used to treat a number of medical issues – and its external device programmer.
US, UK warn Russians hackers are compromising networking devices worldwide
The attackers are compromising routers, switches, firewalls, Network-based Intrusion Detection System (NIDS) devices in general, and Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP) enabled network devices in particular.
Moxa plugs serious vulnerabilities in industrial secure router
A slew of serious vulnerabilities in the Moxa EDR-810 series of industrial secure routers could be exploited to inject OS commands, intercept weakly encrypted or extract clear text passwords, expose sensitive information, trigger a crash, and more.
Earther Apple’s E-Waste Problem Will Take More Than Robots to Solve | The A.V. Club Please enjoy this excruciating video of a Westworld Q&A being shut down after a single question | The Takeout Asshole YouTuber may go to prison for feeding homeless man toothpaste-filled Oreos |
Earther Colorado’s Climate Lawsuit Could Be a Template For Flyover Country | The A.V. Club Tragically and fashionably, The Crow turned superhero cinema into a death dance | The Takeout What’s the tastiest use for leftover bacon fat? |
Bots run by shady websites are abusing the redirection functionality found in some US government websites to create thousands of phantom “pages” linking to unsavoury content.
Gizmodo reported on Tuesday that it had discovered the flaw on the Justice Department’s AmberAlert.gov website, an emergency broadcast system for sending alerts about suspected child abductions.
A website run by the US Justice Department and used to gather information about missing and abducted children is redirecting visitors to porn sites with names such as “schoolgirl porn” …
Naked Security can confirm that the flaw also exists on a plethora of other government websites too, including: a website operated by the US Congress, websites used to access important federal services and local government sites at the state and county level.
Gizmodo reports that “the Amber Alert site was repaired … efforts [are] underway to address any similar issues affecting other government domains”.
The government websites being abused in this way haven’t been hacked. No pages have been created – it’s just that the way the government sites handle page redirects makes it possible for an attacker to fool Google into thinking they have.
They likely do this in the hope it will improve their chances of being found in a Google search – either because there are multiple URLs for one page, or because it improves the attacker’s PageRank.
Simplistically, Google’s fabled PageRank algorithm treats links from one website to another as a “vote” for the site being linked to. The votes are weighted so that links from sites with a high PageRank are more valuable than links from sites with a low PageRank.
All other things being equal, the better your site’s PageRank, the better it will do in search results.
The attack works like this:
An attacker operating the website attacker.example creates a computer program to crawl the web looking for websites with an open redirect flaw (also known as unvalidated redirects or unvalidated forwards).
During its crawl it finds a government website, we’ll call it victim.example, with a vulnerable redirection page at victim.example/redirect.
The vulnerable redirection page takes a parameter, let’s call it url, that indicates which page a user should be redirected to. This allows the attacker to concoct a victim.example URL that will send a users to its website, like this:
http://victim.example/redirect?url=attacker.example/page-1.html
And the attacker isn’t limited to one URL. Each redirect is a unique URL that Google will treat as a separate page.
http://victim.example/redirect?url=attacker.example/page-1.html http://victim.example/redirect?url=attacker.example/page-2.html http://victim.example/redirect?url=attacker.example/page-3.html ... http://victim.example/redirect?url=attacker.example/page-9999.html
Note that the victim’s site isn’t breached and no pages have been created on the victim’s site – all the attacker has done is discovered that they can make a URL with a victim.example domain.
Now they have to use that capability, somehow.
They could use the open redirect to create trustworthy-looking links that redirect to phishing pages, malware downloads or other dangerous content, and put those links in emails, tweets or other messages.
In this case though they want to get listed in Google search results so all they have to do is put the links somewhere Google’s web crawler will find them, such as their own website.
When the Google crawler visit’s the attacker’s site it finds a link to the victim.example redirection page. It follows the link and the page that it finds there gives the attacker two bites of the cherry:
attacker.exampleattacker.exampleGoogle catalogues the content it finds on the attacker.example page under the victim.example URL it used to get there, leading to search results that look like this:
The lesson, as ever, is that any and all user input should be treated as hostile until it has been checked and sanitised.
If your website’s redirection code relies on a parameter that users can manipulate, have a good long think about whether that’s the right approach. If you’re sure it is, be careful to reject anything that doesn’t match the strict criteria for sites you’re happy to link to, using something like a closed list of friendly sites or pages.
You can add a belt to your braces and make it difficult for other sites to hijack your redirection code by forcing them to supply a nonce (a “number used once”) known only to your site, along with the URL they want to redirect to.
70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure, such as an explosion, a recent survey has shown.
Of the 151 IT and operational technology (OT) security pros at energy and oil and gas companies that were polled, 97 percent are concerned that attacks could cause operational shutdowns, and 96 percent believe they could impact the safety of their employees.
Respondents were also asked about their organizations’ security investments, with the following results:
“Energy companies have accepted the reality that digital threats can have tangible consequences,” said Tim Erlin, vice president of product management and strategy at Tripwire. “This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so.”
It is widely recommended that organizations properly secure their critical infrastructure ICS with a layered approach, commonly referred to as Defense in Depth.
In the survey, only 35 percent of respondents said they implement a multilayered approach to ICS security. 34 percent said they focus primarily on network level security, and 14 percent said ICS device security.
“It’s encouraging to see that companies have increased their security investment somewhat. However, it’s concerning that more than half would wait for an attack to happen before investing properly, given what’s at stake with critical infrastructure,” Erlin added. “The energy industry should invest in establishing more robust cybersecurity strategies, with a proper foundation of critical security controls and layers of defense.”
A group of BEC scammers has been focusing its efforts on the global maritime shipping industry, compromising emails accounts and attempting to trick targets into delivering considerable sums to bank accounts set up by the group.
Secureworks researchers have been tracking the group’s activities for quite a while and have been warning the targets. They estimate that between June 2017 and January 2018, the scammers attempted to steal a minimum of $3.9 million U.S. dollars from maritime shipping businesses and their customers in South Korea, Japan, Singapore, Philippines, Norway, US, Egypt, Saudi Arabia, and Colombia.
“Companies involved in shipping industries are typically globally dispersed and operate in different time zones, meaning that they are often entirely reliant on email for conducting business transactions. Some maritime shipping businesses are therefore susceptible to BEC fraud methods,” the researchers noted.
Among the targets were companies companies that provide ship management services, port services, and cash to master services.
The group, dubbed Gold Galleon by the researchers:
Once a target’s system is compromised, the scammers use stolen credentials to access the business email account, harvest contacts from the address book, and use the access to get an idea of the company’s business dealings. And, when the right opportunity presents itself, they change the payment details in emailed invoices and hope that the buyer will not notice and will submit the payment.
After tracking the group’s activities for a while, the researchers believe that the group is based in Nigeria: they use Nigerian Pidgin phrases while communicating via instant messages, regularly connect to the Internet via Nigeria-based infrastructure, and use phrases, usernames, and passwords linked to a criminal subset of a well-known Nigerian human rights and social justice movement.
“The group appears to have a loose organizational structure, with activities coordinated by several senior individuals. Tasks are allocated to individuals in the group; for example, one group member may have responsibility for obfuscating the group’s RATs with crypters, while others are tasked with monitoring victims’ email for business transactions that are about to be invoiced,” they explained.
“Some senior members often handle the purchasing of malware, crypters, and infrastructure, and they frequently experiment with alternative tools. CTU researchers also observed senior members coaching and mentoring less-experienced group members and liaising with external providers of related criminal services (e.g., suppliers of mule accounts for transferring stolen funds and crypter sellers).”
What’s good to hear that many of the fraud attempts the researchers warned targets about were already marked as suspicious by the targets themselves.
The researchers offer the usual advice to businesses looking to mitigate the BEC threat: use two-factor authentication for corporate and personal email, check for suspicious email redirect rules, carefully review wire transfer information in suppliers’ email requests, confirm wire transfer instructions independently (but not via email or any contact info contained in the emails), and be suspicious of changes to typical business practices and designated wire transfer activity.
They also believe it’s a good idea to create detection rules that flag emails with extensions that are similar to company email addresses and have provided a free tool that can detect suspicious edits to PDF invoice files.