Dr. T's security brief


Daniel Tauritz

Aug 17, 2020, 7:43:26 AM
to sec-...@googlegroups.com

Hackers Say 'Jackpotting' Flaws Tricked Popular ATMs Into Spitting Out Cash
TechCrunch
Zack Whittaker
August 6, 2020


Security researchers Brenda So and Trey Keown of the Red Balloon security firm unveiled two new "jackpotting" flaws that force Nautilus ATMs to dispense cash on command. The bugs have lain dormant within the ATMs' underlying software—a 10-year-old version of Windows no longer supported by Microsoft—which the researchers reverse-engineered. The Extensions for Financial Services software layer contained the first vulnerability, based on its implementation by the manufacturer; Keown said transmitting a malicious request over the network could trigger the cash dispenser and dump the cash inside. The second flaw resided in the ATM's remote management software, and So said switching its payment processor with a hacker-controlled server to extract data like credit card numbers was possible. The researchers privately disclosed their findings to Nautilus last year, and Bloomberg reported roughly 80,000 Nautilus ATMs in the U.S. were vulnerable at the time.
 

Full Article

Qualcomm Chip Vulnerability Puts Millions of Phones at Risk
Computer Weekly
Alex Scroxton
August 6, 2020


The Check Point security firm found 400 code vulnerabilities on Qualcomm's Snapdragon digital signal processor (DSP) chip, used in more than 40% of Android smartphones worldwide. A hacker would only have to persuade a target to download a simple, innocuous application without any permissions in order to exploit the flaws. Check Point's Yaniv Balmas said affected devices could be hijacked to spy on and track users, install malware, and even prevent the device from being fixed. He added that hundreds of millions of phones are at risk even though Qualcomm has fixed the issues, and mitigating all the flaws will take months, possibly years. Balmas said DSP vulnerabilities are especially serious because the chips are managed as "Black Boxes," and a review of their design, functionality, or code by anyone but Qualcomm is extremely difficult.

Full Article

Smart Locks Opened With a MAC Address
ZDNet
Charlie Osborne
August 6, 2020


Researchers at cybersecurity solutions vendor Tripwire found that attackers could open a smart lock sold by major U.S. retailers with just a MAC address. A misconfiguration error and other security issues with U-Tec's UltraLoq, which have since been resolved, enabled attackers to determine the device's MAC address and steal unlock tokens. The MAC address was leaked via MQTT, a publish-subscribe protocol found in Internet of Things (IoT) devices to exchange data between nodes, and made available via radio broadcast to anyone within range. This vulnerability allowed attackers to steal unlock tokens in bulk or from specific devices. In response, U-Tec has closed an open port, added rules to prevent non-authenticated users from subscribing to services, turned off non-authenticated user access, and implemented user isolation protocols.

Full Article

Insecure Satellite Internet Threatens Ship, Plane Safety
Ars Technica
Dan Goodin
August 5, 2020


At last week’s Black Hat online security conference, Oxford University's James Pavur presented findings that satellite-based Internet services are putting millions of people at risk. Pavur intercepted the signals of 18 satellites beaming Internet data to people, ships, and airplanes in a 100-million-square-kilometer region over several years. Pavur showed session hijacking could be used to cause planes or ships to transmit sensitive, falsified data, or to create denials of service that prevent vessels from receiving data critical to safe operations. Said Pavur, “The goal of my research is to bring out these unique dynamics that the physical properties of space create for cybersecurity, and it’s an area that’s been underexplored.”
 

Full Article

Tech Firms Broaden Group to Secure U.S. Election
The New York Times
Mike Isaac; Kate Conger
August 12, 2020


Facebook, Google, and other major technology firms on Wednesday announced an expansion of their coalition to secure the November U.S. presidential election, and held a meeting with government agencies. The group aims to prevent the type of online meddling and foreign interference that tainted the 2016 presidential election. The latest additions to the group include the nonprofit Wikimedia Foundation, professional networking website LinkedIn, and Verizon Media, while the meeting included representatives of the U.S. Federal Bureau of Investigation, Office of the Director of National Intelligence, and Department of Homeland Security. While the coalition will discuss active threats, it remains each member company's responsibility to ameliorate election interference on its platform.
 

Full Article

*May Require Paid Registration

Macy's Sued for Use of Clearview Facial Recognition Software
Bloomberg
Clare Roth
August 6, 2020


Illinois resident Isela Carmine filed a proposed class action suit in federal court against Macy's department store for allegedly using facial recognition software from Clearview to identify shoppers from security camera video. The software can be used to match faces on security videos to those in a database of images scoured from the Internet, and Macy's reportedly performed over 6,000 such searches. Carmine said those reports form the basis of her lawsuit, which claims the software permitted Macy's to exploit stolen data and "stalk or track" customers in violation of Illinois' Biometric Information Privacy Act, one of the nation’s most stringent biometric privacy laws. New York-based Macy’s declined to comment on the suit.
 

Full Article

EtherOops Attack Takes Advantage of Faulty Cables
ZDNet
Catalin Cimpanu
August 5, 2020


At the Black Hat USA security conference, researchers at Armis detailed a technique that takes advantage of faulty Ethernet cables to attack devices inside internal corporate networks. The scenario was discovered in a laboratory setting. While it is not a widespread issue, the researchers said the EtherOops technique could be weaponized by "sophisticated attackers" like nation-state actors. EtherOops essentially is a packet-in-packet attack, in which the outer packet enables the attack payload to get through initial network defenses and the inner packet attacks devices inside the network. The attack would be difficult to pull off because the faulty cables must exist inside a network at key positions, users most likely would have to visit a malicious website to give the attacker a direct connection to the corporate network, and bit-flip errors have a low success rate. The researchers recommend using shielded Ethernet cables or network security products that can detect packet-in-packet payloads.

Full Article

Dutch Hackers Found a Simple Way to Mess With Traffic Lights
Wired
Andy Greenberg
August 5, 2020


At the Defcon hacker conference last week, researchers from Dutch security research firm Zolder were scheduled to present their findings about vulnerabilities in an "intelligent transport" system that would enable them to hack traffic lights in at least 10 cities in the Netherlands. The hack involves faking bicycles approaching an intersection, with the traffic system automatically giving them a green light; other vehicles seeking to cross in a perpendicular direction would be given a red light. Said Zolder's Wesley Neelen, "We could do the same trick at a lot of traffic lights at the same time, from my home, and it would allow you to interrupt the traffic flow across a city." The researchers tested apps that share a bike rider's location with traffic systems and give them green lights whenever possible as they approach an intersection; they found the same spoofing vulnerability in two of the apps they tested.

Full Article

Baking, Boiling Botnets Could Drive Energy Market Swings, Damage
Georgia Tech Research Horizons
John Toon
August 4, 2020


Georgia Institute of Technology researchers warn that botnets could hijack high-wattage Internet-connected appliances in order to manipulate energy demand, potentially fueling price swings and wreaking financial havoc on deregulated energy markets. A study by the researchers, to be presented at this week's Black Hat USA 2020 conference, found that such an Internet of Things (IoT) Skimmer attack could turn compromised equipment on or off to artificially raise or lower power demand, which could help an unprincipled electric utility rig prices, or allow nation-states to remotely damage another country's economy. The investigators believe such botnets already exist, and that hackers could rent them on the dark web. Proposed countermeasures include integrated monitoring of devices' normal power use, and limiting access to energy demand data to those who truly need it.

Full Article

Researchers Disclose Widespread Bootloader Vulnerability
Federal Computer Week
Derek B. Johnson
July 29, 2020


Researchers at enterprise device security company Eclypsium reported a buffer overflow flaw during booting that could potentially compromise billions of Linux and Windows-based computing devices. The vulnerability affects devices and operating systems employing signed versions of the open source GRUB2 bootloader software used in most Linux systems, and systems or devices utilizing the Secure Boot root firmware interface with Microsoft's standard third-party certificate authority. The researchers said, "If this process is compromised, attackers can control how the operating system is loaded and subvert all higher-layer security controls." Bypassing the boot process could give attackers persistent, cloaked root-level access free of temporary credentials or access privileges.

Full Article

Daniel Tauritz

Aug 24, 2020, 8:13:32 AM
to sec-...@googlegroups.com

Researchers Discovered Significant Vulnerability in Amazon's Alexa
The Hill
Chris Mills Rodrigo
August 13, 2020


Researchers at cybersecurity provider Check Point have issued a report detailing a vulnerability in Amazon's Alexa virtual assistant that would have allowed potential hackers to hijack the devices using malicious Amazon links. The flaw, which was patched in June, would have enabled hackers to install or remove "Skills" – essentially apps – from the devices once those links were clicked. Hackers also would have gained access to the user's voice history and personal information, including banking data and home address. Such vulnerabilities could pose major privacy risks, given that more than 200 million Alexa-enabled devices were sold by the end of last year. An Amazon spokesperson said the company fixed the issue as soon as it became known and is not aware of any instances in which customer information was exposed.
 

Full Article

NSA, FBI Expose Russian Intelligence Hacking Tool
Reuters
Christopher Bing
August 13, 2020


The U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI) have publicly exposed a Russian hacking tool. Russia's Main Intelligence Directorate apparently used the "Drovorub" malware to penetrate Linux-based computers, which Keppel Wood at NSA's Cybersecurity Directorate said are pervasively employed by National Security Systems, the U.S. Department of Defense, the defense industrial base, and the at-large cybersecurity community. Steve Grobman at cybersecurity company McAfee said, "Drovorub is a 'Swiss Army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote-controlling the victim's computer." The report on Drovorub is the latest in a series of public disclosures by the U.S government targeting Russian hacking operations ahead of the 2020 presidential election.
 

Full Article

Security Gap Allows Eavesdropping on Mobile Phone Calls
Ruhr-University Bochum (Germany)
Julia Weiler
August 12, 2020


Researchers from Germany's Ruhr-Universität Bochum (RUB) and New York University Abu Dhabi in the U.A.E. have eavesdropped on cellphone calls by exploiting a security flaw in base station implementation. The bug impacts the Voice over LTE (4G) standard used for nearly all cellphone calls not made through special messenger services. With this exploit, a hacker who called one of two people shortly after their conversation, and recorded the encrypted traffic from the same cell, would receive the same key that shielded the previous conversation. Tests of randomly chosen radio cells in Germany revealed that the vulnerability affected 80% of the cells, and by now manufacturers and phone providers have updated base stations' software to patch the bug. The RUB team has developed an application for Android devices to track down still-vulnerable radio cells, to be reported to the Global System for Mobile Communications Association.
 

Full Article

Black Hat: Hackers Are Using Skeleton Keys to Target Chip Vendors
ZDNet
Charlie Osborne
August 6, 2020


At the Black Hat conference, researchers at CyCraft Technology described attacks against semiconductor companies in Taiwan that may have been conducted by a Chinese advanced persistent threat (APT) group seeking semiconductor designs, source code, software development kits (SDKs), and other proprietary information. The researchers said at least seven vendors and their subsidiaries appear to have fallen victim to "precise and well-coordinated attacks" by the same APT group, which used the legitimate penetration testing tool Cobalt Strike and a custom skeleton key to launch a series of attacks in 2018 and 2019. The goal may have been to gain a competitive advantage over rivals. The so-called "SkeletonKeyInjector" can be implanted into Active Directory (AD) and domain-controlled servers, bypassing existing security software and moving laterally across a network to make direct syscalls. The researchers said skeleton keys could go undetected for a time given that AD machines rarely are rebooted.
 

Full Article

Mirai Botnet Is Targeting RCE Vulnerability in F5 BIG-IP Software
Computing
Dev Kundaliya
August 4, 2020


Researchers at cybersecurity company Trend Micro warn that the Mirai botnet is attempting to exploit a remote code execution vulnerability in F5 BIG-IP software discovered in July, with an Internet of Things (IoT) botnet downloader that can be added to new malware variants. The downloader looks for exposed BIG-IP devices and sends a malicious payload to target systems with the bug. The flaw exists in devices' Traffic Management User Interface (TMUI), and attackers must deliver a specially crafted HTTP request to the TMUI-hosting server. The researchers said a successful exploit would enable attackers "to create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network." F5 Networks has patched the flaw, and the researchers recommended that system administrators constantly monitor manufacturers' releases to guarantee their IoT devices' firmware runs on the latest versions.
 

Full Article

The Hack That Could Make Face Recognition Think Someone Else Is You
Technology Review
Karen Hao; Patrick Howell O'Neill
August 5, 2020


McAfee researchers used machine learning to show that modern facial recognition systems can be tricked into seeing someone else. They fed 1,500 photos of the two project leads into an image translation algorithm known as CycleGAN to morph them into one another. The CycleGAN eventually created a faked image that looked like person A to the naked eye but was identified as person B by the facial recognition system. Said McAfee's Steve Povolny, "[Artificial intelligence] and facial recognition are incredibly powerful tools to assist in the pipeline of identifying and authorizing people. But when you just take them and blindly replace an existing system that relies entirely on a human without having some kind of a secondary check, then you all of a sudden have introduced maybe a greater weakness than you had before."
 

Full Article

New Approach Takes Quantum Key Distribution Further
The Optical Society
August 19, 2020

Researchers from China's Nanjing University of Posts and Telecommunications have demonstrated secure measurement-device-independent quantum key distribution (MDI-QKD) transmission across 170 kilometers (106 miles). The protocol uses photons with three characterized quantum states to encode data, which delivers immunity to attacks targeting detection devices that measure the quantum properties of individual photons. The researchers utilized a state-of-the-art experimental installation for encoding and detection and showed that this approach can transmit keys over longer distances and at higher rates than similar MDI-QKD protocols. Theoretical calculations indicated secure transmission could be possible over distances of up to 200 kilometers (124 miles).
 

Full Article

Hackers Can Remotely Hijack Enterprise, Healthcare Temi Robots
ZDNet
Charlie Osborne
August 6, 2020


At the Black Hat USA event, McAfee's Advanced Threat Research team unveiled an exploit that could remotely hijack "personal robots" used in hospitals, care homes, and enterprises. The team focused on Robotemi Global's Temi robots, which can be controlled using a mobile device to scan their quick response code. The researchers discovered four vulnerabilities, including use of hard-coded credentials, an origin validation error, missing authentication for critical functions, and an authentication bypass. "Together, these vulnerabilities could be used by a malicious actor to spy on Temi's video calls, intercept calls intended for another user, and even remotely operate Temi—all with zero authentication," the team said. Robotemi Global quickly patched the bugs after McAfee reported them in early March.
 

Full Article

Daniel Tauritz

Aug 31, 2020, 8:45:44 AM
to sec-...@googlegroups.com

Google, Apple Downplay Possible Election Threat in Their Covid-19 Tracing Software
Forbes
Michael del Castillo
August 27, 2020


A new study suggests Google-Apple Exposure Notification software, designed to alert users when they have been in contact with a Covid-19-infected individual without identifying that individual, could be used to scare people away from voting. The Google-Apple Privacy Preserving Contact Tracing service allows authorities to allocate authentication codes so one cellphone can notify another when its owner is infected. The investigators warned those codes could be illegally acquired, duplicated, and broadcast, through either a compromised mobile application with access to the handset's Bluetooth, or via physical attack using Bluetooth transmitters near high-population areas. The lack of a central repository collecting those codes means they could be used to "expose" millions of users in hundreds of locations concurrently, and detecting or preventing such an attack while in progress would be impossible. The authors said this bug could be exploited to undermine an election via voter suppression, but Google and Apple say app stores have built-in detection to identify and remove malware.

Full Article

New Technique to Prevent Medical Imaging Cyberthreats
Ben-Gurion University of the Negev (Israel)
August 25, 2020


Researchers at Israel's Ben-Gurion University of the Negev (BGU) have developed a new artificial intelligence method to shield medical imaging devices from cyberattacks, and from human error involving anomalous instructions sent from a host computer. BGU's Tom Mahler and colleagues designed a dual-layer architecture to protect devices from both context-free (CF) and context-sensitive (CS) anomalous instructions, and tested the framework on computed tomography instructions. The team assessed the CF layer using 14 unsupervised anomaly detection algorithms, then evaluated the CS layer for four types of clinical objective contexts, using five supervised classification algorithms for each context. The researchers found adding the CS layer increased anomaly detection performance from an F1 score of 71.6% to between 82% and 99%.

Full Article

NASA Looking To Machine Learning To Detect Cyber Threats
ExecutiveGov (8/24, Rivers) reports NASA Associate Chief Information Officer (ACIO) for Cybersecurity & Privacy and Senior Agency Information Security Officer (SAISO) Mike Witt “has said the agency is working to apply zero-trust principles through emerging technologies and partnerships with the Department of Defense (DoD), FedScoop reported Friday.” Witt “told attendees at an ACT-IAC webinar that NASA is investing in an enterprise-wide system that will leverage machine learning to collate system logs and detect cyber threats.” According “to Witt, NASA is also partnering with the DoD and intelligence community in red teaming activities to improve agency capacities for network threat detection.”

Security Researchers Found Way to Pick Locks Using Only the Sound of the Key
ScienceAlert
David Nield
August 21, 2020


Security researchers at the National University of Singapore suggest the sound of a key sliding into a lock should be sufficient to create a copy that opens the lock. Their proof-of-concept simulation demonstrated that a key's shape can be inferred by mapping the clicks produced by its ridges as they shift the lock mechanism's pins up and down. The SpiKey system produces candidate keys—most often three, one of which will fit the lock. The team's calculations and models indicate that of 586,584 possible key combinations for a six-pin lock, about 56% are vulnerable to a SpiKey breach, and 94% of combinations in that subset can be reduced to less than 10 candidate keys. Said the researchers, "SpiKey inherently provides many advantages over lock-picking attacks, including lowering attacker effort to enable a layperson to launch an attack without raising suspicion."

Full Article

U.S. Agency Takes Part in Simulated Cyberattack on Critical Systems
The Hill
Maggie Miller
August 14, 2020


The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) successfully completed a biannual simulated cyberattack on critical systems designed to prepare the country and its partners against an actual attack. The three-day Cyber Storm exercise involved 2,000 participants from private industry, the federal government, and international groups. CISA's Brian Harrell said Cyber Storm simulated an "all-out attack on different sectors" modeled after the capabilities of real-world foes; such an exercise is crucial for boosting coordination between all potential groups, which collaborated remotely. Harrell was confident this year's exercise demonstrated clear progress. He said, "Each Cyber Storm our coordination and capabilities get better, and this year was no different."

Full Article

Daniel Tauritz

Sep 5, 2020, 6:32:31 PM
to sec-...@googlegroups.com

Online Voting Company Pushes to Make It Harder for Researchers to Find Security Flaws
CNet
Alfred Ng
September 3, 2020


The Voatz electronic-voting company argued in a brief filed with the U.S. Supreme Court that security researchers should only seek flaws in e-voting systems with companies' permission. Voatz said, "Allowing for unauthorized research taking the form of hacks/attacks on live systems would lead to uncertain and often faulty results and conclusions, [and] makes distinguishing between true researchers and malicious hackers difficult." Voatz in February disputed Massachusetts Institute of Technology researchers' conclusions that its e-voting platform was rife with vulnerabilities, claiming their findings were "relatively useless" because the investigation was unauthorized. Researchers are pushing for the high court to consider such work shielded from the Computer Fraud and Abuse Act, which deems any intentional, unauthorized access to a computer a federal crime. They warned that malefactors will exploit the knowledge gap created if flaw detection and disclosure are allowed only with companies' explicit consent, rendering security research ineffective.
 

Full Article

Outsmarting the PIN Code
ETH Zurich (Switzerland)
Felix Würsten
September 1, 2020


Researchers at ETH Zurich in Switzerland have found a serious loophole in the EMV (Europay, Mastercard, Visa) standard on which contactless payments are based. The researchers discovered a critical gap in a protocol used by Visa that renders ineffective the PIN code to be entered at checkout for large purchases, allowing fraudsters to steal money from cards that have been lost or stolen. The researchers exploited the vulnerability by developing an Android app and installing it on two Near-Field-Communication-enabled mobile phones. The first phone scans the necessary credit card data and transfers it to the second phone, which simultaneously debits the amount at checkout without a PIN request. The researchers have informed Visa about the vulnerability and proposed a solution requiring three changes to the protocol that could be installed in the payment terminals with the next software update.
 

Full Article

Attackers Trying to Exploit High-Severity Zero-Day in Cisco Gear
Ars Technica
Dan Goodin
August 31, 2020


Networking hardware company Cisco warned telecoms and datacenter operators that hackers are attempting to exploit a high-severity zero-day vulnerability in the firm's networking devices. The flaw is rooted in the Distance Vector Multicast Routing Protocol within Cisco's IOS XR Software, an operating system for carrier-grade routers and other networking devices. Cisco said the vulnerability can enable malefactors to "cause memory exhaustion, resulting in instability of other processes," including but not restricted to internal and external routing protocols. Cisco added that hackers could send malign Internet Group Management Protocol traffic to vulnerable devices. The company warned that exploits could be severe because they jeopardize high-availability servers where reliability and security are crucial, adding that a patch for the vulnerability is not yet available.
 

Full Article

Windows Computers Targets of 83% of Malware Attacks in Q1
PC Magazine
Jason Cohen
August 28, 2020


Microsoft Windows and Android security evaluator AV Test's 2019/2020 Security Report found malware targeting Windows computers constituted 83.45% of all malware attacks in the first quarter of this year. The report said 114 million new pieces of malware were developed last year, and anticipates 160 million new malicious programs by the end of this year, with many hackers exploiting Covid-19's disruption to spread malware and boost phishing attacks. The CVE database of known system vulnerabilities found that Microsoft has more than 660 dangerous flaws, with 357 of them attributed to Windows 10. Besides backdoor vulnerabilities, 64.31% of Windows-targeting malware were trojans, 15.52% were viruses, and 7.79% were worms. As a result of these various threats, Windows 10, which is loaded into about 51% of the world's computers, was rated the least secure operating system.

Full Article

Foiling Illicit Cryptocurrency Mining with AI
Los Alamos National Laboratory News
August 20, 2020


Computer scientists at the U.S. Department of Energy's Los Alamos National Laboratory have developed an artificial intelligence (AI) system that could potentially detect malware that hijacks supercomputers for cryptocurrency mining. The system compares the contours in an algorithm's flow-control graph to a catalog of graphs for programs permitted to run on a given computer, but also checks for the presence of a graph that identifies programs that should be running. The researchers compared a known benign code to a malicious bitcoin-mining code with their system, which identified the illicit mining operation faster and more reliably than conventional, non-AI analyses. The system's reliance on graph comparisons renders it immune to common code-masking deceptions that illicit cryptocurrency miners employ.

Full Article

Daniel Tauritz

Sep 13, 2020, 7:55:52 AM
to sec-...@googlegroups.com

WhatsApp Reveals 6 Previously Undisclosed Vulnerabilities
Tech Crunch
Zack Whittaker; Sarah Perez
September 3, 2020


WhatsApp has reported six previously undisclosed vulnerabilities on a new dedicated security advisory website. The Facebook-owned messaging app said it had fixed all of the vulnerabilities and found no evidence hackers had actively exploited any of them. About a third of the new vulnerabilities were reported through WhatsApp's Bug Bounty Program, while the others were detected in routine code reviews and through automated systems. The website, rolled out as part of the company's efforts to be more transparent and to respond to user feedback, will provide a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE). The new site will be updated monthly (or more frequently if users must be warned of an active attack), and will feature an archive of past CVEs dating back to 2018.

Full Article

Secure Quantum Communications Network the Largest of Its Kind
New Scientist
Chris Stokel-Walker
September 2, 2020


Scientists at the U.K.'s University of Bristol have developed a secure quantum communications network based on multiplexing entanglement, a process that can be used to produce a secure encryption key. Multiplexing entanglement splits photons from a single laser based on their wavelength, rather than linking users one-to-one. Bristol's Siddarth Joshi said each wavelength can support a data stream, allowing the system to accommodate 50 to 100 users with existing hardware. Joshi says this method can be used to link millions of devices together, and his goal "is to build the quantum Internet."

Full Article

Kids' Smartwatches a Security Nightmare, Despite Years of Warnings
Wired
Andy Greenberg
September 10, 2020


Researchers at Germany's Münster University of Applied Sciences found smartwatch brands marketed for children are exploitable, based on years of similar findings. Of the six brands investigated, four use variants of a model from the same white label manufacturer, with hardware and backend server architecture from Chinese company 3G. Smartwatches using that system lack encryption or authentication in their communications with the server that sends data to and from parents' location-tracking smartphone application. Hackers could exploit such a smartwatch's International Mobile Equipment Identity (IMEI) identifier to spoof communications from the watch for nefarious means, or they could abuse Structured Query Language injection vulnerabilities in 3G's backend server to send malicious commands to the watches. Münster's Sebastian Schinzel said, “It's 2020. How can you sell something that speaks over mobile networks, is unencrypted and has no authentication or anything?”

Full Article

*May Require Paid Registration

China Launches Initiative to Set Global Data Security Rules
The Wall Street Journal
Chun Han Wong
September 8, 2020


China on Tuesday launched the Global Initiative on Data Security to establish international data-security standards, in an attempt to counter U.S. efforts to persuade other nations to exclude Chinese vendors and technology from their networks. The initiative urges countries to manage data security in a "comprehensive, objective, and evidence-based manner," while maintaining an open, secure, and stable supply chain for data and communications technology and services. Chinese Foreign Minister Wang Yi said global rules would "reflect the will and respect the interests of all countries," and offset risks to data security and politicization by rival nations. The initiative was announced about a month after U.S. Secretary of State Mike Pompeo's declaration of the Clean Network program, which would bar Chinese suppliers and technology from the Internet infrastructure of the U.S. and other nations.

Full Article

*May Require Paid Registration

Swiss Official Airs Concerns About Data Privacy in U.S.
Associated Press
Jamey Keaten
September 8, 2020


Switzerland's Federal Data Protection and Information Commissioner Adrian Lobsiger on Tuesday said a U.S.-Swiss program for shielding personal information shared between the two nations is inadequate, and has downgraded the U.S.'s data-protection ranking as a result. Lobsiger advised Swiss companies or government organizations to report personal data to the U.S. only if protections are implemented to guard their members from inquisitive U.S. authorities. These recommendations follow similar issues raised by European Union (EU) authorities, which in July ruled the U.S.-EU Privacy Shield program was invalid because the American government can spy on people's data. Lobsiger's recommendations do not have the force of law, but could affect decisions by corporate chiefs or government officials on sharing private information about Swiss residents and citizens.

Full Article

MIT Researchers Unveil New Cybersecurity Aggregation Platform
TechRepublic (9/3, Greig) reports on the ubiquitous nature of cyberattacks, saying they’ve become so common that companies often “limit the amount of reporting they do on attacks, leaving the next enterprise vulnerable to the same tactics. But scientists from MIT’s Computer Science and Artificial Intelligence Lab have stepped up trying to change that with a newly built platform called SCRAM.” The Secure Cyber Risk Aggregation and Measurement platform “seeks to address this longstanding cybersecurity reporting issue by taking advantage of new cryptographic tools that can calculate aggregate statistics without needing organizations to disclose information about their own attacks and losses to anyone else – even to the scientists themselves.”

Australian Government Releases Voluntary IoT Cybersecurity Code of Practice
ZDNet
Aimee Chanthadavong
September 3, 2020


A voluntary code of practice issued by the Australian government offers a best-practice guide for designing Internet of Things (IoT) devices that incorporate cybersecurity features. The voluntary code, which applies to all IoT devices that connect to the Internet to send and receive data in Australia, is based on 13 principles that include using multi-factor authentication, implementing a vulnerability disclosure process that allows security researchers and others to report cybersecurity issues, and keeping software securely updated. In addition, the code encourages manufacturers to protect personal data in accordance with data protection laws, and to make it easy for consumers to delete their own personal data when they get rid of the device. The Australian Signals Directorate's Australian Cyber Security Center has released guides to help manufacturers implement the code of practice.

Full Article