AT&T Backs Away From Deal to Supply China Made Huawei Phones
11.1.2018 securityweek IT
AT&T has reportedly walked away from a deal to provide new mobile phones to U.S. customers made by Chinese technology giant Huawei

Based in Shenzhen, China, Huawei announced in December 2017 that it would be supplying smartphones via U.S. carriers this year; and it was widely expected that a deal would be announced during the CES Huawei Keynote speech in Las Vegas on Tuesday.

But just one day earlier, The Wall Street Journal reported that AT&T had backed out the deal under political pressure. Members of the U.S. Senate and house intelligence committees had apparently written to the FCC on 20 December, 2017, noting concerns over "Chinese espionage in general, and Huawei's role in that espionage in particular."

It is assumed that this led to political pressure on AT&T to abandon the deal; and it is believed that Verizon is under pressure not to conclude a similar deal with Huawei later in the year. Huawei has been a persona non grata in U.S. official channels since a 2012 Congressional Report raised concerns over possible state-sponsored espionage delivered via Huawei communications equipment.

Huawei has always denied any involvement with the Chinese government; and the U.S. is almost alone in 'banning' (effectively, if not legally) Huawei equipment. Similar concerns in the UK government have to a large extent been mitigated by the ability to examine hardware and reverse engineer software under GCHQ overview at a location called The Cell in Banbury, near Oxford.

There is little official comment about what happened this week. It seems from Huawei's consumer business unit CEO Richard Yu's comments on Tuesday that Huawei blames AT&T for the break down of the deal. "It's a big loss for consumers," he told his audience, "because they don't have the best choice for devices."

Although entering the market late, Huawei is already the world's third largest supplier of smartphones, behind only Samsung and Apple. Access to the huge American market, where by far the majority of phones are provided by the carriers, will now be seriously limited. It is worth noting that there is no legal ban on Huawei phones, and the Chinese company will still sell them to American consumers through online outlets such as Amazon.

There are some similarities with the US government ban on Russia's Kaspersky Lab products. In both cases, concern has been raised over historical ties with the founders' respective governments. Eugene Kaspersky, founder and CEO of Kaspersky Lab, was educated at a KGB-sponsored school and served in the Russian military as a software engineer; while Ren Zhengfei, founder and president of Huawei Technologies Co, is an ex-People's Liberation Army officer. There is concern that both companies could retain covert relations with their respective governments.

There is, however, one very big difference. With Kaspersky Lab, the ban is on its use by federal agencies. With Huawei, the ban is effectively on anyone seeking to acquire Huawei hardware via a phone-and-data-plan from a carrier; that is, the Huawei ban excludes general consumers -- who could pose no national security risk -- from acquiring these phones in the most popular manner.

This in turn has raised some concerns that the pressure on AT&T is more economic and perhaps geopolitical than it is national security. Could it be additional political pressure on China to be more proactive against North Korea? Or could it be a visible manifestation of 'America First' and President Trump's demand that China balance bilateral trade between the two countries?

Either way, it is unlikely to be good for U.S./China relations.

The South China Morning Post today quoted He Weiwen, a former business counselor at the Chinese consulate in New York. "Investment cooperation between China and the U.S. will be squeezed," he said. "China should contemplate countermeasures."

However, at this stage it is only conjecture (however well-informed) that this is a U.S. political move -- without further details it could be an AT&T business decision.

"This might be because there is something preinstalled on the phones that AT&T doesn't agree with; for example, preinstalled software, certificate authority certificates and other things that might yield some kind of data gathering capabilities and/or control either directly or indirectly," noted F-Secure's principle security consultant Tom Van de Wiele. "It might be that Huawei is putting its foot down on the application eco-system and its rules."

He also pointed out further non-political issues that could have scuppered the deal. "The phone might be too 'open' in that it easily allows you to unlock it and switch telcos, away from AT&T -- and that's still a huge thing in the U.S."

Similarly, there are potential security issues with any phone, possibly heightened by Huawei phones using Huawei proprietary chips. "As Android devices come in a multitude of deployments -- it's easier for overly 'curious' features to get included without being noticed," F-Secure's security adviser Sean Sullivan told SecurityWeek. "There have been several cases in which vendors screwed up and included things such as Baidu components in European deployments."

But he added, "These were budget phones; you get the quality that you pay for. In the case of Huawei -- too many eyes are/would be auditing its devices -- it's doubtful that anything deliberate would be done via an AT&T phone." Sullivan is not convinced that the AT&T deal has been shelved for purely security concerns.

This is the second China deal to have been prevented in the last few days. Last week the U.S. Committee on Foreign Investment rejected Chinese firm Ant Financial's takeover bid for U.S.-based money transfer firm MoneyGram -- again citing national security concerns.

NVIDIA Updates GPU Drivers to Mitigate CPU Flaws
11.1.2018 securityweek
NVIDIA has released updates for its GPU display drivers and other products in an effort to mitigate the recently disclosed attack methods dubbed Meltdown and Spectre.

Shortly after researchers revealed the existence of the flaws that allow Meltdown and Spectre exploits, which can be leveraged to gain access to sensitive data stored in a device’s memory, NVIDIA announced that its GPU hardware is “immune,” but the company has promised to update its GPU drivers to help mitigate the CPU issues.

The Meltdown and Spectre vulnerabilities affect processors from Intel, AMD and ARM. Similar to Qualcomm, some of NVIDIA’s system-on-chip (SoC) products rely on ARM CPUs and the company has promised to develop mitigations.

On Tuesday, NVIDIA informed customers about the availability of GPU display driver updates that include mitigations for one of the Spectre vulnerabilities, specifically CVE-2017-5753. The company is still working on determining if the second Spectre flaw, CVE-2017-5715, affects its GPU drivers. On the other hand, there is no indication that the drivers are impacted by the Meltdown vulnerability (CVE-2017-5754).

NVIDIA has provided display driver updates for the Windows and Linux versions of GeForce, Quadro, and NVS graphics cards. In the case of Tesla GPUs, updates have been provided only for the R384 branch, while an update for R390 is expected to become available during the week of January 22. In the case of the GRID virtual GPU solution, updates should become available by the end of the month.

NVIDIA has also released updates for the Android-based Shield TV media player and Shield Tablet, and the Jetson embedded system, which is built around the Tegra mobile processor. The company says only the Jetson TX2 update includes mitigations for all three CPU vulnerabilities – the other updates include mitigations only for CVE-2017-5753 and in some cases CVE-2017-5715 (i.e. the Spectre flaws).

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but NVIDIA has not provided any information on this issue.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

Tests conducted by Red Hat also showed significant slowdowns for certain types of operations. However, Amazon, Google and Apple said they had not seen any noticeable performance problems – although some AWS customers did report degraded performance.

Let's Encrypt Disables TLS-SNI-01 Validation
11.1.2018 securityweek
Free and open Certificate Authority (CA) Let’s Encrypt on Tuesday disabled TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own.

The issue was found to have been created by the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure. Discovered by Frans Rosén of Detectify, the bug could be abused for malicious purposes, which sparked Let’s Encrypt to disable TLS-SNI-01 validation entirely.

The issue doesn’t appear to be related to the certificate authority itself, but to a combination of factors. However, it is centered on the manner in which the ACME server (the CA) validates a domain name’s IP address as part of ACME protocol’s TLS-SNI-01 challenge.

As part of the process, a random token is generated. The ACME client uses it to create a self-signed certificate with an invalid hostname (.acme.invalid) and configures the web server on the domain name to serve the certificate, after which it looks up the domain name’s IP address, initiates a TLS connection, and sends the specific invalid hostname, awaiting to receive a self-signed certificate containing that hostname as response.

When that happens, “the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it,” Josh Aas, Internet Security Research Group (ISRG) Executive Director, explains.

However, when more users are hosted on the same IP address, which happens with large hosting providers, and these users also have the ability to upload certificates for arbitrary names without proving domain control, the assumptions behind TLS-SNI are broken and an attack is possible.

Thus, if an attacker controls a website hosted at the same shared hosting IP address as a legitimate site, the attacker can run an ACME client to get a TLS-SNI-01 challenge, and obtain an illegal certificate for the legitimate website.

The attacker would simply install their .acme.invalid certificate on the hosting provider, which will serve it to the ACME server when it looks up the legitimate website. Next, the ACME server will consider the attacker’s ACME client as being authorized to issue certificates for the legitimate website, and the attack is successful.

“This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02,” Aas explains.

Let’s Encrypt disabled TLS-SNI-01 immediately after becoming aware of the issue, but plans on restoring the service as soon as possible, given that a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. However, they won’t enable it until they consider it sufficiently secure.

“At this time, we believe that the issue can be addressed by having certain services providers implement stronger controls for domains hosted on their infrastructure. We have been in touch with the providers we know to be affected, and mitigations will start being deployed for their systems shortly,” Aas notes.

Let’s Encrypt is also working on creating a list of vulnerable providers and associated IP addresses and to re-enable the TLS-SNI-01 challenge type with vulnerable providers blocked from using it.

IBM Starts Patching Spectre, Meltdown Vulnerabilities
10.1.2018 securityweek
IBM has started releasing firmware patches for its POWER processors to address the recently disclosed Meltdown and Spectre vulnerabilities. The company is also working on updates for its operating systems, but those are expected to become available only next month.

On January 4, one day after researchers disclosed the Meltdown and Spectre attack methods against Intel, AMD and ARM processors, IBM informed customers that it had started analyzing impact on its own products. On Tuesday, the company revealed that its POWER processors are affected.

IBM told customers that attacks against its Power Systems server line can be fully mitigated only by installing both firmware and operating system patches.

The company has already released firmware patches for its POWER7+ and POWER8 processors, and fixes are expected to become available for POWER9 systems on January 15. Users of earlier products that are still supported will be notified at a later time about the availability of firmware updates.

Users whose devices run Linux can obtain operating system patches from their respective vendors. Red Hat, SUSE and Canonical have already released fixes. As for IBM’s own operating systems, namely AIX and IBM i, patches are expected to become available on February 12.

“If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place,” IBM explained.

The company has told customers that IBM storage appliances are not impacted by the vulnerabilities.

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but IBM has not mentioned anything about performance impact.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

In addition to performance penalties, some mitigations also cause problems due to compatibility issues. Microsoft has required security product vendors to set a specific registry key in order for their customers to receive security updates. Furthermore, one of the company’s updates has been found to break computers with some older AMD processors.

Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million
10.1.2018 securityweek ICS
Industrial cybersecurity firm Nozomi Networks has raised $15 million in a Series B funding round, the company announced Wednesday. The new funding brings the total amount raised by the company to date to $23.8 million.

Nozomi’s flagship offering, SCADAguardian, employs machine learning and behavioral analysis to detect zero-day attacks in real-time; while integration with firewalls and SIEMs, ICS incident alerting and notification systems allow rapid response to alerts.

The company said the additional funding will be used to support worldwide expansion of marketing, sales and support and further bolster product innovation.


Nozomi Networks Exhibits at SecurityWeek's 2017 ICS Cyber Security Conference in Atlanta (Image Credit: SecurityWeek)
The company claims to be rapidly gaining new customers across 5 continents, with more than 200 deployments that span energy, manufacturing, pharmaceuticals, chemicals, mining, utilities and other sectors.

“Now is a prudent time for funding to meet this exploding market opportunity,” said Nozomi Networks CEO Edgard Capdevielle. “We resisted the temptation of raising too much funding before our product leadership was established.”

“FireEye’s recent discovery of Triton malware in the wild highlights how critical infrastructure facilities are increasingly at risk. After extensive testing, we've partnered with Nozomi Networks because they provide the right solution customers need to detect these attacks at the earliest stages and minimize the impact before the safety and reliability of their critical operations is threatened,” Grady Summers, CTO at FireEye, said in a statement.

The Invenergy Future Fund led the Series B round with participation from THI Investments and all existing investors, GGV Capital, Lux Capital and Planven Investments SA. Nozomi previously raised $7.5 million in a Series A funding round in late 2016.

Nozomi is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and SCADAFence. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, recently raised $75 million at a valuation of $825 million.

Rockwell Automation Patches Serious Flaw in MicroLogix 1400 PLC
10.1.2018 securityweek
A firmware update released a few weeks ago by Rockwell Automation for its MicroLogix 1400 programmable logic controllers (PLCs) patches a potentially serious vulnerability.

The MicroLogix PLC family is used worldwide by organizations in the critical infrastructure, food and agriculture, and water and wastewater sectors for controlling processes.

Thiago Alves from the University of Alabama in Huntsville (UAH) discovered that these controllers are affected by a buffer overflow vulnerability. In 2016, Alves and two other UAH researchers published a paper on using virtual testbeds for industrial control systems (ICS).Rockwell Automation MicroLogix 1400 PLC


According to Rockwell Automation, the expert discovered that several MicroLogix 1400 PLCs running version 21.002 and earlier of the firmware are affected by a buffer overflow vulnerability that can be triggered by sending specially crafted Modbus TCP packets to affected devices. The flaw can be exploited remotely by an unauthenticated attacker.

“The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault,” the vendor explained.

The security hole is tracked as CVE-2017-16740 and it has been classified by both Rockwell and ICS-CERT as high severity with a CVSS score of 8.6. While Rockwell’s advisory only mentions DoS attacks, ICS-CERT’s advisory says it may also be possible to exploit the flaw for remote code execution.

Rockwell Automation patched the vulnerability last month with the release of firmware version 21.003 for series B and series C hardware. As a workaround, users can disable Modbus TCP support if it’s not needed, which prevents remote access to the device.

Last month, after discovering a serious DoS vulnerability in several product lines from Siemens, experts at industrial cybersecurity firm CyberX pointed out that these types of flaws should not be taken lightly.

“The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover,” the company told SecurityWeek at the time.

Android Malware Developed in Kotlin Programming Language Found in Google Play
10.1.2018 securityweek Android
Security researchers at Trend Micro have discovered a malicious application in Google Play that was developed using the Kotlin programming language.

Detected as ANDROIDOS_BKOTKLIND.HRX, the malicious program was masquerading as Swift Cleaner, a utility designed to clean and optimize Android devices. The application had between 1,000 and 5,000 installs when discovered.

Kotlin, a first-class language for writing Android apps, was announced in May 2017. Coming from Google, it is open source and is already used by 17% of Android Studio projects. Some of the top applications to use the programming language include Twitter, Pinterest, and Netflix.

Developers using Kotlin can deliver safer applications, due to avoiding entire classes of errors, and can also ensure their software is interoperable by taking advantage of existing libraries for JVM, Android, and the browser. What’s yet uncertain is how malware developers can leverage the programming language when building nefarious code.

The discovered malicious application, Trend Micro says, can engage into a broad range of nefarious activities, including remote command execution. It is also capable of stealing users’ information, sending SMS messages, forwarding URLs, and performing click ad fraud. Furthermore, it has been designed to sign up users for premium SMS subscription services without their permission.

When first launched, the malware sends device information to a remote server and starts a background service to receive tasks from the command and control (C&C) server. Upon the initial infection, the malware also sends a message to a specified number provided by the C&C.

Upon receiving SMS commands, the remote server starts executing URL forwarding and click ad fraud operations on the infected device.

During the click ad fraud routine, the malware uses Wireless Application Protocol (WAP), a technical standard for accessing information over a mobile wireless network. Next, malicious JavaScript code is injected and regular expressions are replaced, so that the malicious actors can parse the ads’ HTML code in a specific search string.

“Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server,” Trend Micro explains.

The malicious program can send information on the service provider, login data, and CAPTCHA images to the C&C server. Once such information is uploaded, the C&C server automatically processes a premium SMS service subscription, which can cost the victim money.

To stay protected from such threats, both end users and enterprise customers are advised to install and maintain a security solution on their devices.

According to Trend Micro, Google was informed on the security risk the Swift Cleaner application poses and the company verified that Google Play Protect can keep users safe from this malware family.

SAP Publishes Light Patch Day for January 2018
10.1.2018 securityweek
SAP this week released its monthly set of security patches to address just three vulnerabilities in its products, all three rated Medium severity.

In addition to the three security notes, the January 2018 SAP Security Patch Day includes four updates to previously released security notes. These too had a Medium severity rating, the company said.

The most severe of the patches were updates to a security note released in October 2014, which addressed a code injection bug in Knowledge Provider. The issue is tracked as CVE-2018-2363 and features a CVSS score of 6.5.

“Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or escalate privileges by executing malicious code or even perform a DOS attack,” ERPScan, a company that specializes in securing SAP and Oracle products, explains.

SAP also released an update to a security note released in December 2017, addressing CVE-2017-16690, a DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity (CVSS score 5.0).

Newly resolved issues include CVE-2018-2361, an Improper Role Authorizations in SAP Solution Manager 7.2 (CVSS score 6.3), CVE-2018-2360, Missing Authentication check in Startup Service (CVSS score 5.8), and CVE-2018-2362, Information Disclosure in Startup Service in SAP HANA (CVSS score 5.3).

By exploiting CVE-2018-2360, an attacker could access a service “without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks,” ERPScan reveals.

CVE-2018-2361’s exploitation could provide an attacker with the possibility to edit all tables on the server, which could result in data compromise, the company continues.

ERPScan, which considers the code injection security note updates as a single patch, says that 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes) were closed with the January 2018 SAP Security Patch Day. 3 were updates to previous security notes and 5 were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Electrum patches a critical flaw that exposed Bitcoin Wallets to hack since 2016
10.1.2018 securityaffairs

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.
Electrum is a free application that’s used by many cryptocurrency sites to store bitcoin. Administrators can run their own Electrum server and the software supports hardware wallets such as Trezor, Ledger and Keepkey.

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.

The vulnerability allowed any website hosting the Electrum wallet to potentially steal the user’s cryptocurrency.

The flaw seems to be present in the software for almost two years, it is related to the exposure of passwords in the JSONRPC interface.

The company first issued a security patch failed to address the issue, but it failed, then Electrum opted out to issue a second update on Sunday evening.

The story has begun in November when many researchers observed numerous massive scans going on for Bitcoin and Ethereum wallets in order to steal their funds.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000.

The researcher observed a huge number of requests to his honeypot to retrieve Bitcoin wallet files.
Of course, the crooks were exploring the possibility to target also other cryptocurrencies, such as the Ethereum. Very interesting the analysis proposed by that reported the discovery made by the researcher Dimitrios Slamaris.

The security expert reported Internet wide Ethereum JSON-RPC scans.

The expert caught a JSON RPC call in his honeypot, someone was making requests to the JSON-RPC interface of Ethereum nodes that should be only exposed locally.

The access to the interface does implement any authentication mechanism and wallet apps installed on the PC can send command to the Ethereum client to manage funds. If the interface is exposed inline, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.

Early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at current exchange).

Slamaris teamed with SANS Internet Storm Center expert Johannes Ullrich also uncovered a second campaign, they discovered two IP addresses were scanning specifically hard using these requests: – Interserver Inc. (a New Jersey hosting company) – NFOrce Entertainment BV (Durch hosting company)
A user going by the name of “jsmad” noticed that the Electrum wallet app was also exposing a similar JSON RPC online.

“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection.” wrote the user.

“Scans for the JSONRPC interface of Ethereum wallets have already started:“

The knowledge of the Electrum password allowed attackers to interact through the JSON RPC interface with the wallers.

The Electrum developers were criticized by the claim of the popular Google white hat hacker Tavis Ormandy who contacted the company.

“Hello, I’m not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.” wrote Ormandy.

“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It’s very basic, but you get the idea. If you did set a password, some misdirection is required, but it’s still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank – the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with:
seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: i dont use bitcoin, you can steal my empty wallet if you like)”

In a real attack scenario, hackers could trick Electrum users into accessing a malicious website that could scan for the Electrum’s random JSON RPC port and empty the wallet by issuing commands.

Below a video of such kind of attack shared by a Twitter user.

Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin

8:02 PM - Jan 7, 2018
10 10 Replies 251 251 Retweets 361 361 likes
Twitter Ads info and privacy
The Electrum development team released the version 3.0.5 that addresses the vulnerability, users urge to update their wallet app.

According to the developers, the flaw affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

“In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the “payto” and “amount” fields of the user interface while Electrum is running.” reads the analysis published by the Electrum development team.

“Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.”