Category Archives: News Bites

Short news items

Security News for the Week Ending January 14, 2022

Hackers Sending Malware Filled USB Sticks in the Mail

Old, tried and true techniques continue to work as hackers have been sending malware-filled USB sticks in the mail and UPS to defense, transportation and insurance companies, hoping someone did not do their security awareness training and plugs the drive into their computer. It just shows that hackers do not need to keep inventing new tricks; the old ones continue to work. Credit: Gizmodo

Norton Installs Cryptomining Software on Users’ Computers

Norton and its sister company Avira, both owned by the same parent, are installing cryptomining software as part of the default install. Norton turns it on automatically since they get 15% of anything you earn, Avira has it off by default. If Norton was still on your approved list (it went off our list years ago), you should probably remove it. Credit: Brian Krebs

White House Hosts Open Source Security Summit

In the wake of the Log4j and other open source software attacks, the White House hosted a summit this week with the likes of Akamai, Amazon, Apache, Apple, Cloudflare, Facebook, Google, IBM and others to discuss how to improve open source security. While no “results” have been announced yet, the fact that the summit was called and led by Anne Neuberger is an acknowledgement that “Houston, we have a problem”. With open source used throughout the IT world including critical infrastructure and many times that software is either not maintained at all or maintained by volunteers – there is no easy solution as there are millions of open source packages. Stay tuned; we might be able to do something for a few of the larger, more important packages. Ultimately, it is both the responsibility and liability for the companies that use open source and that should not be much comfort to anyone. Credit: Data Breach Today

Canon’s Printer DRM Comes Back to Haunt Them

Consumer printer makers make most of their money selling you toner and ink, so years ago they came up with the idea of putting chips in the cartridges to try and stop you from using low cost supplies. But now they can’t get chips so they are making cartridges without the chips, causing their customers’ printers to alarm. As a result, Canon is telling their customers how to break their own DRM. Not to worry though, Canon says they will go back to trying to hurt their competitors when the chip market eases up. Credit: Gizmodo

Car Makers Say Giving Owners Data From Their Cars Will Embolden Sexual Predators

Car owners have been trying for years to force car makers to give them the tools they need to repair their own cars. One of those tools is the data that their cars generate. If car owners could repair their own cars, car makers would lose billions of dollars in revenue. Massachusetts voters overwhelmingly voted in a right to repair law in 2020, even though car makers spent $26 million explaining why letting people repair their own cars was bad, even claiming it would embolden sexual predators. Now they are saying the law is unconstitutional. Anything to try and stop the revenue drain. Credit: Vice

Security News for the Week Ending January 7, 2022

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware that they have detected works. The problem is, however, much bigger than this. Now that the technique is public, this could be used to modify any already signed software leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote maintenance product (like Kasaya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the hacker played a short click of adult content and then told the victim that they needed to install this Java update, which was really malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Window’s Defender’s preferences to not check certain folders and filetypes and the other installs the malware.

Next the attacker runs MSHTA with a particular DLL as the parameter. The catch is that the DLL had malicious scripts added to it. Due to an oversight by Microsoft, adding the script does not invalidate the signature.

Microsoft FIXED this bug in 2013 – that’s right, 9 years ago, but they changed it in 2014 after discovering that it broke some customer software. Microsoft, in its always effort to be customer friendly, decided to totally compromise their customers’ security rather than telling their customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way their disabled it was to change the install of the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) from mandatory to optional. As a result most users do not have it installed.

The fix is to install the update, understanding that it is possible that it might break some stuff: Microsoft Security Advisory 2915720 | Microsoft Docs .

Credit: MSN and Dark reading

Security News for the Week Ending December 31, 2021

W. Va. Hospital Breach Timeline – Way Too Long

The Monongalia Health System was attacked recently and hackers had access to several email accounts, apparently belonging to contractors from May 10 to August 15 or about three months. It took them another 60 days to investigate. They are just not telling us about the breach – more than 7 months after it started. They only figured out that they were hacked because a vendor said that they were not paid (a standard business email compromise attack). They will, no doubt, get whacked by the feds, but this is a lesson to everyone that your vendors are your risk too. Credit: ZDNet

Java Code Repo Riddled with Hidden Log4j Bugs

Remember that you should assume that any code that you download from the net is full of bugs and security holes. If you assume that, and you are lucky, then that is good, if you assume the reverse and you are not lucky, well, not so good. Threatpost is reporting that there are 17,000 unpatched Log4j packages in the Maven Central ecosystem. Many of those will never be patched. CAVEAT EMPTOR

Fallout from Kronos Ransomware Attack – Some Employees Not Receiving Full Pay

Kronos, the international HR firm suffered a ransomware attack several weeks ago. Some employees at appliance maker Electrolux are saying that they are still not receiving their full wages or in some cases, not getting paid at all. In most states the law is pretty specific about paying employees, so if you don’t want to be on the wrong end of an investigation, create a disaster recovery plan. Credit Cyber News

North Korean Hackers Stole $1.7 Billion as an Investment

North Korea considers cryptocurrency a long term investment. As a result, when they steal billions in crypto, instead of selling it, they save it. Maybe that is not a bad strategy. Bitcoin, for example, was worth $313 in 2015, $997 in 2017, $3869 in 2019 and $46,847 right now. So if you stole 1 coin in 2015, your “investment returned 150x today; that is, your $313 crime is worth $46,847. Maybe the North Koreans are onto something. Credit: Dailycoin

Oops, The Dog Ate 77 TB of Our Backups

Well, not exactly, but something ate the backups. Kyoto University in Japan lost 77 terabytes of data when a backup process went wild on their HP supercomputer. The event happened in mid-December when 34 million files were wiped from the system and the backups. The University determined that some of the data cannot be restored. The University has not said how this happened or what the impact of this failed backup process is. Credit: Bleeping Computer

Security News for the Week Ending December 24, 2021

Russian Hackers Make Millions by Stealing SEC Earning Reports

A Russian hacker working for a cybersecurity company has been extradited to the U.S. for hacking into the computer networks of two SEC filing agents used by multiple companies to file their quarterly and annual SEC reports. Using that insider information, the hacker traded stock in advance of the earnings being made public and earned millions. The hacker made the mistake of visiting Switzerland. I guess he figured that the U.S. did not know who he was. He was wrong. Credit: Bleeping Computer

Security Flaw Found in Popular Hotel Guest WiFi System

I always tell people not to use hotel guest WiFi systems because they are not secure. A researcher says that an Internet gateway used by hundreds of hotels for the guest WiFi are not secure and could put guest personal information at risk. The gateway, from Airangel, uses extremely easy to guess and hardcoded passwords. You can pretty much guess the rest. Credit: Tech Crunch

Feds Recover $154 Million in Bitcoin Stolen by Sony Employee

The U.S. has taken legal action to seize and recover $154 million stolen from Sony Life Insurance by an employee in a very basic business email compromise attack. The funds were supposed to be transferred between company accounts but were diverted. The hacker was not very smart, was in a country friendly to the U.S. (Japan), used a U.S. bank account and a Coinbase Bitcoin account, making it pretty easy to recover once found. The FBI managed, somehow, to obtain the private key for the hacker’s Bitcoin wallet, which made recovering the funds even easier. What the FBI has not disclosed is how they were able to recover the private key, probably because they do not want to disclose methods. Score one for the good guys. Credit: Bleeping Computer

Former Uber CSO Faces New Charges for Breach Cover-Up

Here is a tip about covering up a breach. Joe Sullivan, Uber’s Chief Security Officer between 2015 and 2017, faces more charges of covering up Uber’s breach. This time it is deliberately covering up a felony, which could bring him 8 years in prison and a $500,000 fine. Knowing Uber, they are probably not paying his legal costs. Moral: don’t lie. Credit: Data Breach Today

Russia Surging Both Tanks and Cyberattacks on Ukraine

In addition to moving 175,000 soldiers to the Ukraine border as Ukraine plans to join NATO, Russia is also stepping up cyberattacks on Ukraine’s financial system and critical infrastructure. In response, the US, UK and other friendly (NATO) countries have sent cyber experts to Ukraine to help defend their digital frontier. What war looks like now. Credit: Data Breach Today

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In VulcanForge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple Airtags Make a Wonderful Stalking Tool

Stalkers are using Apple Airtags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an airtag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue Airtag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app. Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today

Security News for the Week Ending December 10, 2021

NEW LOG4J JAVA LIBRARY ZERO-DAY IS BEING EXPLOITED IN THE WILD

A proof of concept for a zero-day vulnerability in the very popular Apache Log4j Java library is being shared online. Log4j is used both in enterprises and in cloud services. Products from Apple, Amazon, Twitter and Steam, among others may be vulnerable to remote code execution exploits. All versions through 2.14.1 are vulnerable CISA and other government agencies have issued alerts. Many Managed Service Providers are finding themselves under attack. Find details at Bleeping Computer and US CERT and Huntress Labs.

Researcher Found Method to Brute Force Verizon PINs

A researcher discovered a bug that allowed him to brute force any customer’s Verizon security PIN. After reporting it to Verizon, Verizon told Vice that they solved the problem by taking down the vulnerable website pages. Hopefully, when those pages return, the bug will be fixed. Credit: Vice

US Military Admits to Offensive Hacking

Cyber Command, AKA the NSA, has confirmed that they have taken unspecified hacking to disrupt hackers ability to hack. This comes from none other than General Paul Nakasone, head of the NSA and CyberCom. While they know that they can’t shut down hackers, they also know that they can make it more costly. Nakasone said that a number of elements of the government (i.e. more than just the NSA) have taken actions and we have imposed costs. Just speculating, but hackers are often not good programmers and even worse at operational security, so it is not at all surprising that they can be hacked. Historically we haven’t done that, but it looks like now we are. Credit: CNN

A Camera the Size of a Grain of Salt

It can take better full color images than a camera 500,000 times its size. It even works in ordinary light. The surface is made from silicon nitride, meaning that it can be made in microchip manufacturing plants. It could be used in medicine (like in an endoscope), but think about the uses by spies. What an incredible spy cam. No one is going to see a grain of salt. Credit: Vice

In the Face of a $150 BILLION Lawsuit, Facebook Bans Myanmar Military

Facebook announced this week that it will remove pages, groups and accounts representing military controlled businesses. Many criticized it as a cynical ploy to deflect criticism coming from the billion dollar lawsuit. The US lawsuit illustrates how Facebook’s algorithms often recommend extremist groups and violent content in exchange for more customers. Credit: ZDNet