Security researchers have discovered a new piece of malware said to be targeting Android users in India by impersonating the COVID-19 free vaccine registration application. Dubbed SMS Worm, it encourages users to download a fake vaccine registration app, spreads through text messages and steals sensitive information. Lukas Stefanko, a malware researcher, first identified the SMS Worm on Twitter, claiming that the latest Android malware is targeted specifically at Indian users. He also included screenshots of the malware spreading via text messages. The fake free vaccine registration app appears on the phone as the Vaccine Register app and demands access to personal information once users download it using the link provided in the message. Cyble, a risk intelligence company based in Australia, has also disclosed how the SMS Worm malware works. When downloaded, the malware performs a variety o...
In the past week, Chinese smart TV users were surprised to find out that their TVs are gathering and sending out all sorts of information through Gozen Data, a leading Chinese TV analytics company located in Beijing. This event was first revealed on a forum for tech enthusiasts called V2EX. A post made by a user stated that his Skyworth Smart TV had become slow and that he started to look into the source code of applications to find out why this was happening. He discovered a piece of software that checks the user's Wi-Fi home network every ten minutes and uploads its findings to Gozen Data's database. Those data strings included information like what smart devices were used in that specific home, whether the owner's phone was there, and who used the wireless network. After these practices were exposed on the aforementioned discussion forum, news about what had been going on reached Weibo, causing widespread outra...
Iranian state-sponsored attackers have been linked to a variety of cyberespionage activities aimed at organizations all over the world. Flashpoint security experts recently discovered another ransomware strain from Iran that has been operating since July 2020. According to Flashpoint, Iran’s Islamic Revolutionary Guard Corps (IRGC) was running a ransomware campaign through Emen Net Pasargard (ENP), an Iranian contracting firm. The ransomware campaign, known as “Project Signal”, is thought to have started between late July and early September 2020, with ENP’s internal analysis team putting together a list of unspecified target websites. “Iran has a history of attempting to use cybercriminal TTPs to blend in with non-state-sponsored malicious cyber activity to avoid attribution and maintain plausible deniability. It’s largely assumed that Iran has been behi...
You may remember that the Galactic Empire’s cybersecurity situation was far from healthy. The theft of the Death Star plans from a highly classified storage facility and a failure of oversight causing the loss of a critical infrastructure facility are just some of the recorded incidents. We watched season 2 of The Mandalorian, eager to find out whether the Empire had learned from its mistakes — for that seemed to be the subject of the new season — and because, after all, we think of Moff Gideon, the story’s main antagonist and a former officer of the Imperial Security Bureau (ISB), as a colleague of sorts.

Chapter 11. The Heiress
Incident: Raid on Imperial cargo ship at takeoff
This incident is more relevant to physical security than to information security, but being a computer-controlled vehicle, any spaceship qualifies as a cyberphysical system. The one in question used to haul arms but still lacked the most obvious safety feature: locking doors and elevators from the cockpit. As a result, the Mandalorians penetrated the security like a hot knife through butter, quickly taking the ship’s controls. The professional competence of the defending party deserves a mention, too: they managed to lock the assailants in the cargo compartment’s control room — the very one with the controls to unlock the doors or even depressurize the compartment. Furthermore, those critical systems are accessible without any authentication. These guys could really use a modern cybersecurity awareness class.

Chapter 12. The Siege
Incident: Raid on the Imperial research base on Nevarro
Nevarro’s Imperial facility looks like any other half-derelict forward operating base, but it is a research lab. Whether the defenders relied too heavily on the deserted look or no decent security pros remained with the Empire is anyone’s guess. The Mandalorian and his comrades neutralize security and penetrate the base without raising any alarm. Moreover, they surge into the control room and take possession of the code cylinder, which appears to be the master key for all the doors. Using it, they open the doors to the base’s power reactor room, conveniently located in the same place as the reactor’s cooling system shutoff. In theory, equipping the base with a specialized security solution made to monitor industrial sensors and alert engineers or operators of overheating might have averted the resulting explosion. In the labs, the Empire’s subjects demonstrate sparks of reason, hastening to delete data to keep it from being captured in the attack. Yet they lack the time to delete everything before being put to a sudden death; the Mandalorian steals a look at Dr. Pershing’s secret video report, which is addressed to Moff Gideon. That’s a simple enough demonstration of how lacking a quality data encryption solution affects security. If the lab’s data were encrypted, the defenders would be able to focus on evacuation instead of having to delete files in a panic, and the Mandalorian would not learn that Moff Gideon was still alive.

Chapter 15. The Believer
Incident: Raid on the Empire’s secret refinery on the planet Morak
The Mandalorian is after the coordinates of Moff Gideon’s ship, so he sets free Migs Mayfeld, a former Imperial soldier turned prisoner who may still remember the Imperial protocols. To acquire the coordinates, he needs to find his way to a terminal on a secret base used by the Empire for mining and processing rhydonium, a highly unstable and explosive mineral. Former officers of the Imperial Security Bureau manage the facility, and they take security seriously. Thus, according to Mayfeld, the base is equipped with a biometric system that checks genetic signatures against databases. As a result, former rebel fighter Cara Dune cannot raid the base, and neither can wanted criminal Fennec Shand or Boba Fett, who is wearing the face of an Imperial clone. Some issues remain unclear. Does the system control access to the information terminal alone, or does it check the identity of everyone arriving at the base? In the former case, it is unclear why none of the persons mentioned above can accompany Mayfeld (they do not have to meddle with the terminal). If it’s the latter, then why would the system let runaway soldier Mayfeld pass? For that matter, what about the Mandalorian, who does not appear in any database? A system like that should operate in default deny mode. And the key question is, why is this third-rate mining facility the only one equipped with such an advanced system? The Mandalorian and Mayfeld end up hijacking a cargo vehicle (by jumping aboard in flight). That done, they change into Stormtroopers’ outfits, fend off a ship from some local enemies of the Empire, and arrive at the base as heroes. Well, there is no question about the arrival part — who would deny their own cargo ship entry when it is under enemy fire? But why didn’t the much-praised biometric system figure out that the signatures of the pilots back from the mission didn’t match those of the original crew? Letting arriving staff move about the base freely without any further authentication is a big mistake. The information terminal’s protection system also seems a bit weird. Accessing the data requires a face scan, but the face not being in the database seems not to matter. What is the point? Is the scan not followed by a database check? Or is the scanner, too, set up to operate in default allow mode?

Chapter 16. The Rescue
Incident: Attack on Moff Gideon’s cruiser
The Mandalorian and his friends attack Dr. Pershing’s shuttle, take his code cylinder, and obtain the secret info about Gideon’s ship compartments. Next, they pull off an attack using a method based essentially on social engineering: posing as the shuttle being chased by Boba Fett’s ship, they request an emergency landing on the cruiser. The cruiser’s garrison does not give them clearance to land, but, having fallen for the emergency trick, also doesn’t open fire on the shuttle. With the help of Pershing’s code cylinder, the Mandalorian opens the airlock of a compartment containing Imperial combat droids (Dark Troopers) and kicks them out into open space. What does that tell us? Nothing except that the Empire set up staff rights management badly. Why would a doctor and a clone specialist be authorized to operate the combat droids’ compartment airlock? In a critical infrastructure facility (and Moff Gideon’s cruiser certainly falls into that category), staff access rights must follow a least-privilege policy, granting only the permissions needed for the tasks at hand. But there is still hope! The ship’s doors are finally lockable from the captain’s bridge! Not that that helped the struggling remnants of the Empire; it was the Mandalorian’s friends who captured the bridge, not the Imperials protecting it, who used the function.

Conclusion
The remnants of the Empire have inherited a lot of cybersecurity problems, and all of their innovations — such as the biometric system — are very poorly set up. We recommend shortening the interval between security system audits and not being squeamish about penetration tests.
When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom. Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses. The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts. And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.

SWATTING THE FLY
Of all the stories I’ve written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our house and then spoof a call to the police from one of our neighbors saying we were dealing drugs. Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America. Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received. But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities. Mistake number two was that the password for his email account was the same as for his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed. Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

POOR PASSWORDS AS GOOD OPSEC?
While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user. Countless times over the years I’ve encountered huge tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were full of bad passwords, like password1 or 123qweasd (an incredibly common keyboard pattern password). I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources. Regardless of their reasons or lack thereof for choosing poor passwords, it is fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations. For example, it is often the denizens of the cybercrime underground who pick crappy passwords for their forum accounts who end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online.

SOME ADVICE FOR EVERYONE
It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the simplest way to achieve that goal. Password managers are ideal for people who can’t break the habit of re-using passwords, because you only have to remember one (strong) master password to access all of your stored credentials. If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker. In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities. Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe. Further reading: Who’s Behind the GandCrab Ransomware?
In this episode of the podcast (#213): Molly Jahn of DARPA and University of Wisconsin joins us to talk about the growing cyber risk to the Food and Agriculture sector, as industry consolidation and precision agriculture combine to increase the chances of cyber disruption of food production. The post Seeds of Destruction: Cyber Risk Is Growing in...
Technical documentation and PoC exploit code is available for a high-severity vulnerability in Microsoft Exchange Server that could let remote attackers execute code on unpatched machines.
The new Terminal Software Module is the third module to be incorporated into the PCI Secure Software Standard’s modular requirements architecture to address specific use cases.
The Python standard library module ipaddress also suffers from a critical IP address validation vulnerability identical to the flaw that was reported in the "netmask" library earlier this year.
Israeli media Haaretz reported that at least four Israeli companies, including H&M Israel and Veritas Logistic, and one nonprofit organization had been successfully breached in this wave of attacks.
Dubbed Pareto CTV botnet, the botnet was made of almost a million infected Android devices and imitated the activity of millions of people watching ads on their smart devices.
Tick has constantly used spear-phishing and watering hole attacks to breach target systems. However, in one instance, the group has been found to leverage a zero-day vulnerability.
The longer attackers spend in an organization's network, the more chance they have to jump to systems, crack passwords, find and exfiltrate valuable data and leave crypto-locking malware on systems.
FireEye researchers have linked UNC2630 threat actor with attacks targeting companies operating in the aerospace and defense sector located in the U.S., Europe, and Asia.
Dubbed Android/Etinu, these malicious apps posed as wallpapers, puzzles, photo editors, and other camera-related apps and were downloaded over 700,000 times before being removed.
On January 1st, 2021, Adobe Flash officially reached the end of life (EoL) after being considered a significant security risk while browsing the web due to its exploitation by threat actors.
Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies.
Cybersecurity control failures were listed as the top emerging risk in the first quarter of 2021 in a global poll of 165 senior executives across functions and geographies, according to Gartner.
The funding, which brings the total raised by the company to more than $400 million, was led by CVC Capital Partners VII. Acronis announced achieving unicorn status in 2019 after raising $147 million.
Dubbed "RustyBuer," the malware is propagated via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations since early April.
All defenses against Spectre side-channel attacks can now be considered broken, leaving billions of computers and other devices just as vulnerable today as they were three years ago.
Imperva today announced it plans to acquire application programming interface (API) security company CloudVector for an undisclosed sum to differentiate itself in the API protection market.
HPE is urging customers to patch its edge application management tools that could allow an attacker to carry out a remote authentication bypass attack and infiltrate a customer’s cloud infrastructure.
A week after Apple issued the release of iOS 14.5, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on up-to-date devices.
The Alaska Court System (ACS) was forced to temporarily disconnect its online servers this week due to a cyberattack that installed malware on their systems, disrupting virtual court hearings.
Over 40 apps - with more than a total 100 million downloads - had hardcoded private AWS keys embedded within them, putting their internal networks and their users' data at risk of cyberattacks.
The victim, Melbourne-based Schepisi Communications, is a partner of Telstra that supplies phone numbers and cloud storage services on behalf of the telecommunications giant.
JupiterOne, a cybersecurity management automation startup, today closed a $30 million Series B round led by Sapphire Ventures, with participation from previous investors Bain Capital Ventures.
Scripps Health, a hospital network based in San Diego, was hit by a cyberattack over the weekend, forcing some critical-care patients to be diverted, according to the San Diego Union-Tribune.
FortiGuard Labs has discovered yet another COVID-themed lure designed to compel unsuspecting victims to click on what appears to be an innocuous link that leads to a malicious zip file attachment.
The company said today that it has closed on a deal to buy German secure access service edge (SASE) firm Secucloud GmbH. That company is now a fully owned subsidiary of Aryaka.
The alleged data breach which has been seen and analyzed by Hackread.com includes full names, IP addresses, email addresses, Bcrypt passwords, Telegram messenger IDs, etc.
The U.S. NSA last week released a cybersecurity advisory focusing on the security of operational technology (OT) systems, particularly in terms of connectivity to IT systems.
This Metasploit module exploits an arbitrary config write/update vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the web server user. Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Executing particular methods will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successful exploitation of that vulnerability results in configuration changes, such as general site information changes, custom scheduler job definitions, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, hijack an administrator account, or execute operating system commands under the context of the web-server user.
OpenDNSSEC is software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.
Ubuntu Security Notice 4935-1 - It was discovered that the NVIDIA GPU display driver for the Linux kernel incorrectly performed access control. A local attacker could use this issue to cause a denial of service, expose sensitive information, or escalate privileges. It was discovered that the NVIDIA GPU display driver for the Linux kernel incorrectly performed reference counting. A local attacker could use this issue to cause a denial of service. Various other issues were also addressed.
Ubuntu Security Notice 4934-1 - It was discovered that Exim contained multiple security issues. An attacker could use these issues to cause a denial of service, execute arbitrary code remotely, obtain sensitive information, or escalate local privileges.
Ubuntu Security Notice 4932-1 - It was discovered that Django incorrectly handled certain filenames. A remote attacker could possibly use this issue to create or overwrite files in unexpected directories.
Ubuntu Security Notice 4933-1 - It was discovered that OpenVPN incorrectly handled certain data channel v2 packets. A remote attacker could possibly use this issue to inject packets using a victim's peer-id. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that OpenVPN incorrectly handled deferred authentication. When a server is configured to use deferred authentication, a remote attacker could possibly use this issue to bypass authentication and access control channel data. Various other issues were also addressed.
Ubuntu Security Notice 4918-3 - USN-4918-1 fixed vulnerabilities in ClamAV. The updated package could fail to properly scan in some situations. This update fixes the problem. It was discovered that ClamAV incorrectly handled parsing Excel documents. A remote attacker could possibly use this issue to cause ClamAV to hang, resulting in a denial of service. Various other issues were also addressed.
Ubuntu Security Notice 4931-1 - Steven French discovered that Samba incorrectly handled ChangeNotify permissions. A remote attacker could possibly use this issue to obtain file name information. Bas Alberts discovered that Samba incorrectly handled certain winbind requests. A remote attacker could possibly use this issue to cause winbind to crash, resulting in a denial of service. Francis Brosnan Blázquez discovered that Samba incorrectly handled certain invalid DNS records. A remote attacker could possibly use this issue to cause the DNS server to crash, resulting in a denial of service. Various other issues were also addressed.
Apple on Monday released security updates for iOS, macOS, and watchOS to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild. The weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target
Ivanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors. Tracked as CVE-2021-22893 (CVSS score 10), the flaw concerns "multiple use after free" issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to
Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection, while stealthily capable of executing arbitrary commands on infected systems. Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to utilize ICMP packets to piggyback
Ask the average helpdesk technician what they do all day, and they will probably answer by saying that they reset passwords. Sure, helpdesk technicians do plenty of other things too, but in many organizations, a disproportionate number of helpdesk calls are tied to password resets. On the surface, having a helpdesk technician reset a user’s password probably doesn’t seem like a big deal. After
Police have shut down Boystown, one of the world's largest child abuse image websites, following an investigation that saw authorities across the globe work together to identify and apprehend those responsible for its creation and maintenance.
Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually corresponding shifts in crypto-based crime, such as ransomware, though it’s not necessarily the kind of change you might predict. According to Tyler Moffitt, senior threat researcher and resident crypto expert, “whatever Bitcoin does, the altcoins are going to follow. When [Bitcoin] crashes, the rest crash.” But that doesn’t necessarily mean you’ll see big spikes in ransomware or cryptojacking. In fact, Moffitt states, because Bitcoin is known for being fairly volatile, it can undermine any direct effect on, say, the amount demanded in a ransomware scheme. It’s very possible for a Bitcoin ransom to lose value over time due to market flux, making it less profitable than it might otherwise appear. So, what’s the real story? As we see cryptocurrency values rise and fall, how should we interpret shifts in the threats we can expect to see? Is it safe for ordinary folks to try to get into the crypto market, or does that just give malicious actors another method to scam and steal from you? Get answers to these questions and more in this informative Hacker Files podcast with Joe Panettieri, in which he and Tyler Moffitt discuss the ins and outs of crypto, what the market looks like, how it actually affects cybercrime, and what everyone from crypto novices to big-time enthusiasts needs to know. The post How Cryptocurrency and Cybercrime Trends Influence One Another appeared first on Webroot Blog.
The introduction of containers and micro-service architectures has changed the way we develop, deploy, and run our applications. Not only has this changed application development, but it’s also created some visibility challenges for application security. Move those applications to the cloud and we only amplify those challenges. How do we architect our cloud services and […] The post How Cloud Defenders Thwart Attacks Against Resilient Services appeared first on Security Weekly.