Dr. T's security brief

Daniel Tauritz

Jul 10, 2020, 6:52:26 PM
to sec-...@googlegroups.com

Lucifer: Devilish Malware That Abuses Critical Vulnerabilities on Windows Machines
ZDNet
Charlie Osborne
June 25, 2020


Researchers at Palo Alto Networks' Unit 42 discovered a new variant of a powerful cryptojacking and DDoS-based malware, called Lucifer, which infects Windows machines by exploiting their vulnerabilities. The malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and uses credential-stuffing attacks to gain access. After infecting the machine, the malware drops the XMRig program to covertly mine for the Monero cryptocurrency. In addition, Lucifer connects to a command-and-control server to receive commands, transfer stolen system data, and inform operators of the status of the Monero cryptocurrency miner. Lucifer also tampers with the Windows registry to schedule itself as a task at startup and checks for the presence of sandboxes or virtual machines to evade detection or reverse engineering. The researchers recommend applying updates and patches to the affected software.

Netgear Moves to Plug Vulnerability in Routers After Researchers Find Zero-Day
CyberScoop
Sean Lyngaas
June 17, 2020


Netgear said it is close to releasing a patch for a newly discovered software vulnerability that could enable hackers to remotely exploit home Internet routers and potentially access devices running on those networks. The cybersecurity company GRIMM and Trend Micro's Zero Day Initiative (ZDI) reported the vulnerability. GRIMM's Adam Nichols said his team detected a vulnerable copy of a Web server on the router in 79 different Netgear devices. He noted that a hacker does not necessarily need to be on a Wi-Fi network to launch an attack. Researchers said the vulnerability affects a version of Netgear firmware dating to 2007. ZDI first reported the bug to Netgear in January, delaying its analysis so Netgear could address the issue. It published its findings on June 15 to raise awareness after Netgear requested multiple extensions for releasing a fix. Netgear said the patch has been delayed by the pandemic.

Ransomware Masquerades as Covid-19 Contact-Tracing App on Your Android Device
ZDNet
Charlie Osborne
June 24, 2020


Researchers from Slovak security company ESET say cyberattackers have deployed malware in an Android app marketed as Health Canada's official Covid-19 contact tracing app, which will not be made available to mobile users until next month at the earliest. The cybersecurity firm said two websites, tracershield[.]ca and covid19tracer[.]ca, which are now defunct, offered what looked like Health Canada's tracing app, but were actually hosting APKs that installed the CryCryptor ransomware on Android devices. When installed, the malware requests access to files and begins encrypting content on the device with specific extensions. A decryption tool for the current version of the malware has been released by ESET. The firm said the release of the open source malware, called CryDroid, was disguised by its developer as a research project.

Australia Spending Nearly $1 Billion on Cyberdefense as China Tensions Rise
The New York Times
Damien Cave
July 1, 2020


On June 30, Australia announced an investment of AU$1.35 billion (US$930 million) over the next decade—its largest ever—to combat a surge of cyberattacks attributed to the Chinese government. The Australian government said it plans to recruit at least 500 “cyberspies.” Further, the Australian Signals Directorate and the Australian Cyber Security Center will increase their capacity to defend against attacks and build connections with the companies that run the country's digital networks. Defense Minister Linda Reynolds said the investment will be used to develop a rapid-response process that would "prevent malicious cyberactivity from reaching millions of Australians by blocking known malicious websites and computer viruses at speed." The Australian Strategic Policy Institute's Peter Jennings said this likely is a down payment as "the need for more investment in cybersecurity, both defense and offense, will keep growing."

Reverse Engineering of 3D-Printed Parts by Machine Learning Reveals Security Vulnerabilities
NYU Tandon School of Engineering
July 1, 2020


Researchers at the New York University (NYU) Tandon School of Engineering have reverse-engineered three-dimensional (3D)-printing toolpaths with machine learning (ML) tools applied to the microstructures of a printed component obtained via computed tomography (CT). The toolpaths are a series of coordinated locations that a tool will follow in computer-aided design file instructions. The researchers captured the printing direction used during 3D-printing from the printed part's fiber orientation through micro-CT scans; as fiber orientation is difficult to spot with the naked eye, the team used ML algorithms trained over thousands of micro CT scan images to anticipate the orientation on any fiber-reinforced 3D-printed model. NYU's Nikhil Gupta said, "Machine learning methods ... used in the design of complex parts ... can be a double-edged sword, making reverse engineering also easier."

Home Security Camera Wi-Fi Signals Can be Hacked to Tell When People Are Home
The Daily Mail (U.K.)
Jonathan Chadwick
July 6, 2020


Scientists at the U.K.'s Queen Mary University of London and the Chinese Academy of Sciences in Beijing have demonstrated exploits of Internet-connected security camera uploads that track potential burglars, allowing hackers to learn whether homes are occupied or not. Many smart home cameras use Wi-Fi connections to facilitate remote monitoring by homeowners, which hackers can hijack when activated—even if the video content is encrypted. An undisclosed home Internet Protocol security camera provider allowed the researchers access to a dataset covering 15.4 million streams from 211,000 active users. By studying the rate at which cameras uploaded data via the Internet, the team could detect when a camera was uploading motion, and even differentiate between certain types of motion. The researchers also learned that online traffic generated by the cameras, often motion-triggered, could be monitored to predict whether people were at home.

Uncovered: 1,000 Phrases That Incorrectly Trigger Alexa, Siri, and Google Assistant
Ars Technica
Dan Goodin
July 1, 2020


Researchers at Ruhr University Bochum and the Max Planck Institute for Security and Privacy in Germany have identified more than 1,000 word sequences that incorrectly trigger voice assistants like Alexa, Google Home, and Siri. The researchers found that dialogue from TV shows and other sources produces false triggers that activate the devices, raising concerns about privacy. Depending on pronunciation, the researchers found that Alexa will wake to the words "unacceptable" and "election," while Siri will respond to "a city," and Google Home to "OK, cool." They note that when the devices wake, a portion of the conversation is recorded and transmitted to the manufacturer, where employees may transcribe and check the audio to help improve word recognition. This means each company’s logs may contain fragments of potentially private conversations.

Quantum Entanglement Demonstrated on Tiny CubeSat in Orbit
New Atlas
Michael Irving
June 25, 2020


Researchers at the National University of Singapore (NUS) have demonstrated quantum entanglement on a new mini-satellite orbiting earth. The SpooQy-1 mini-satellite carries a device that can produce pairs of quantum-entangled photons by shining a blue laser diode onto non-linear crystals. SpooQy-1 is the smallest quantum satellite so far, weighing less than 5.7 pounds. The development could help roll out a fast, secure quantum Internet, which would require a network of quantum satellites. Said NUS's Aitor Villar, "In the future, our system could be part of a global quantum network transmitting quantum signals to receivers on Earth or on other spacecraft."

Michigan Law Would Make It Illegal for Companies to Force Employees to Be Implanted With Microchips
Daily Mail (U.K.)
Michael Thomsen
June 29, 2020


The Michigan House has passed the Microchip Protection Act, which would prohibit employers from requiring workers to be implanted with microchips. Although the practice is rare, some companies in other states use small radio-frequency identification (RFID) microchip implants to replace key cards, unlock workstations, and make purchases in company cafes. The bill's sponsor, Rep. Bronna Kahle, said while no companies in Michigan currently use microchip implants for employees, the state must "take every step possible to get ahead of these devices" to protect employees' privacy. Ten other states already have banned mandatory worker implants. In 2017, Wisconsin's 32M firm allowed workers to be implanted voluntarily with RFID chips the size of a rice grain to access restricted areas and pay for snacks; about 50 employees, or half the workforce, opted for the chips.

Daniel Tauritz

Jul 20, 2020, 11:08:35 AM
to sec-...@googlegroups.com

A Hacker Used Twitter's Own 'Admin' Tool to Spread Cryptocurrency Scam
TechCrunch
Zack Whittaker
July 15, 2020


A hacker this week accessed an "admin" tool on Twitter to commandeer prominent Twitter accounts to spread a cryptocurrency scam, according to a person with direct knowledge of the incident. This person said the hacker ("Kirk") generated more than $100,000 in just hours by using the tool to reset the email addresses of targeted accounts so account-holders had more difficulty regaining control; the scam claimed whatever funds a victim sent "will be sent back double." The person theorized that Kirk accessed the tool by hijacking a Twitter employee's corporate account. Twitter verified that it suffered "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." Twitter briefly suspended certain account actions, and prevented verified users from tweeting, to stem the exploits.

Virus-Tracing Apps Are Rife with Problems. Governments Are Rushing to Fix Them
The New York Times
Natasha Singer; Aaron Krolik
July 8, 2020


Governments are scrambling to fix coronavirus contact-tracking applications riddled with privacy and security flaws, which human rights groups and technologists warned could place hundreds of millions of people at risk for stalking, scams, identity theft, or government surveillance. For example, in June Britain ditched a virus-tracing app it was developing in favor of software from Apple and Google promoted as more "privacy preserving." Analysis by the Guardsquare mobile app security company determined that "the vast majority" of government-used virus-tracing apps are inadequately secure, and can be exploited by hackers easily. Location-tracking apps, which some countries are using to alert people of possible virus exposure or to enforce quarantines, are drawing heightened scrutiny because some continuously collect data on users' health, exact whereabouts, and social interactions. Some digital rights groups said these app launches are designed mainly to assure the public that the government is taking action.

Home Router Warning: They're Riddled With Known Flaws and Run Ancient, Unpatched Linux
ZDNet
Liam Tung
July 6, 2020


Researchers at the Fraunhofer Institute for Communication (FKIE) in Germany studied 127 home routers from seven brands and found that 46 had not had a security update within the past year. The study also revealed that many routers have hundreds of known vulnerabilities, and that vendors are shipping firmware updates without fixing known vulnerabilities. The researchers further found that German router manufacturer AVM was the only one that didn't publish private cryptographic keys in its router firmware. A Linux operating system was used by about 90% of the routers studied, but researchers found that manufacturers were not updating it. Said FKIE's Johannes vom Dorp, "Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should."

Google Fixes Smartwatch Security Problem
Purdue University News
Kayla Wiles
July 8, 2020


Google has corrected a security vulnerability in its Wear OS smartwatches that could have allowed attackers to crash specific applications, render the app or the watch unresponsive, or cause continuous reboots. Purdue University’s Saurabh Bagchi and colleagues uncovered the flaw using the Vulcan tool, which feeds a program or app different permutations of data until one exposes a weakness. Through this fuzzing technique, the researchers learned that a hacker could hijack an app or the smartwatch by manipulating the language, or Intents, that apps use to communicate. Sending such Intents at high volumes when the operating system is less stable could overload the app or watch, even without root-level privileges. The Purdue team demonstrated a proof-of-concept mitigation method, and released its codebase on GitHub after Google issued a patch for the Wear OS vulnerability on June 24.
 

This Device Keeps Voice Assistants From Snooping on You
Ars Technica
Dan Goodin
July 14, 2020


A team of researchers from Germany's Darmstadt University, France's University of Paris Saclay, and North Carolina State University has developed a Raspberry Pi-based device that eventually may be able to warn users when Amazon's Alexa and other voice assistants are snooping on people. The researchers said the $40 prototype LeakyPick tool detects the presence of devices that stream nearby audio to the Internet with 94% accuracy. LeakyPick periodically emits sounds and monitors subsequent network traffic to identify audio transmissions, triggering an alert whenever the identified devices are confirmed as streaming ambient sounds. LeakyPick also tests devices for words that incorrectly trigger the assistants, having to date found 89 words that prompt Alexa to send audio to Amazon.

E.U.-U.S. Privacy Shield for Data Struck Down by Court
BBC News
July 16, 2020


The European Court of Justice (ECJ) has struck down an agreement overseeing the transfer of European Union (E.U.) citizens' data to the U.S. The E.U.-U.S. Privacy Shield allows companies to commit to higher privacy standards before transferring data from Europe to the U.S., but Austrian privacy proponent Max Schrems claimed American national security laws did not guard E.U. citizens against government surveillance of their data. European statutes stipulate that data can only be transferred out of the bloc if appropriate safeguards are deployed, but the ECJ determined personal data is insufficiently protected from U.S. surveillance programs. The court also said, "The requirements of U.S. national security, public interest, and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred."

Filter Protects Against Deepfake Photos, Videos
NextGov.com
Jeremy Schwab
July 8, 2020


Computer scientists at Boston University (BU) have created an algorithm that prevents deepfakes by adding an imperceptible filter to videos and photos before they are uploaded to the Internet. If a deep neural network attempts to alter a protected image or video, the filter leaves the media unchanged, or completely distorted and rendered unusable as a deepfake. The open source code has been made publicly available on GitHub. Said BU's Sarah Adel Bargal, "We covered what we call 'white-box' attacks in our work, where the network and its parameters are known to the disruptor. A very important next step is to develop methods for 'black-box' attacks that can disrupt deepfake networks [in ways] inaccessible to the disruptor."

Smartwatch Hack Could Send Fake Pill Reminders to Patients
BBC News
July 9, 2020


Researchers at U.K.-based security firm Pen Test Partners found security vulnerabilities in smartwatches that aim to help elderly patients remember to take their pills or alert caregivers if the patient wanders off. The software in question, SETracker, is used in a wide range of low-cost smartwatches and has been downloaded more than 10 million times. The researchers expressed concern that hackers could send medication alerts to the watches numerous times, raising the risk of overdoses. The China-based company behind the software fixed the security flaw after being notified, but Pen Test researchers said there was no way to know whether the flaw had been exploited before being fixed.

dtau...@gmail.com

Jul 26, 2020, 4:02:44 PM
to sec-...@googlegroups.com

U.S. Hatches Plan to Build Quantum Internet That Might Be Unhackable
The Washington Post
Jeanne Whalen
July 23, 2020


U.S. officials and scientists yesterday unveiled a plan to construct a potentially hackproof quantum Internet to operate parallel to the world's existing networks. The Department of Energy (DoE) and its national laboratories will form the project's main support pillar, and DoE official Paul Dabbar suggested it could be funded using some of the $500 million to $700 million in annual federal quantum information technology investments. A quantum Internet relies on entangled photons to share information over long distances without physical links; the race to create one is a global competition. Researchers said attempts to observe or disrupt photons or quantum bits in a quantum Internet would automatically change their state and destroy the transmitted information. A quantum Internet also could interconnect various quantum systems and boost their computing power.
 

Popular Chinese-Made Drone Found to Have Security Weakness
The New York Times
Paul Mozur; Julian E. Barnes; Aaron Krolik; et al.
July 23, 2020


Cybersecurity researchers found a vulnerability in an application that pilots the world's most popular consumer aerial drones, made by China-based Da Jiang Innovations (DJI). Investigators from the France-based Synacktiv and U.S.-based GRIMM security firms said the app records personal information from phones that could be exploited by China's government; DJI also can update the app and pass changes to customers before Google can review them. DJI claimed its app forces updates on users to stop hobbyists from attempting to hack the app to bypass government restrictions on geofencing and altitude. Much of the information the app collects dovetails with Chinese government surveillance practices, which require phones and drones to be connected to a user's identity. U.S. Cybersecurity and Infrastructure Security Agency director Christopher Krebs said, "This ... is a good reminder that organizations need to pay attention to the risks associated with the various technologies they're using for operations."
 

Microsoft Urges Patching Severe-Impact, Wormable Server Vulnerability

Ars Technica
Dan Goodin
July 14, 2020


Researchers at the security firm Check Point discovered a vulnerability that resides in Windows DNS and allows attackers to assume control of entire networks with no user interaction. The SigRed vulnerability is "wormable," meaning it can spread quickly from computer to computer. SigRed does not apply to client versions of Windows but is present in 2003-2019 server versions. Check Point researchers said it does not appear the vulnerability is actively under exploit, but that likely will change. Said Check Point's Sagi Tzadik, "Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some Internet service providers may even have set up their public DNS servers as WinDNS." Microsoft has issued a fix as part of this month's Update Tuesday and is urging Windows server customers to install the patch as soon as possible.

Major Security Flaws Found in South Korea Quarantine App
The New York Times
Choe Sang-Hun; Aaron Krolik; Raymond Zhong; et al.
July 21, 2020


Software engineer Frederic Rechtenstein found a South Korean mobile application designed to enforce pandemic quarantines contained major security flaws that could compromise users' private information. The country in April started requiring all visitors and residents from abroad to isolate themselves for two weeks, with compliance monitored by the location-tracking Self-Quarantine Safety Protection app. Rechtenstein discovered developers were assigning users easily guessable identity numbers, which hackers could exploit to access information provided upon registration; the app also insecurely encrypted communications with the server where data was stored, enabling hackers to easily find the key and decode the data. The New York Times confirmed the defects, which South Korea's Ministry of the Interior and Safety has corrected. Ministry officials acknowledged the rush to develop and deploy the app and a lack of security expertise likely gave rise to the flaws.

Deepfake Used to Attack Activist Couple Shows New Disinformation Frontier
Reuters
Raphael Satter
July 15, 2020


A student at the U.K.'s University of Birmingham has been unmasked as fictional by state-of-the-art forensic analysis programs from Israel-based startup Cyabra, which determined his online profile photo is a deepfake—a hyper-realistic digital forgery. Reuters investigated one "Oliver Taylor" after he accused London academic Mazen Masri and his wife, Palestinian rights activist Ryvka Barnard, of being "known terrorist sympathizers." Six experts identified background distortions and inconsistencies, glitches around the neck and collar, and other features in Taylor's online image as deepfake telltales. Cyabra founder Dan Brahmy said personas like Taylor, a rare example of deepfakes integrated with disinformation, are dangerous because they can construct "a totally untraceable identity." Publications including the Times of Israel published articles Taylor authored, and Times of Israel opinion editor Miriam Herschlag said such deepfake personas could distort public discourse, and make editors less willing to publish unknown writers.

Recognizing Fake Images Using Frequency Analysis
Ruhr-Universitat Bochum (Germany)
Julia Weiler; Christina Schotten
July 16, 2020


Researchers at Germany’s Ruhr-Universitat Bochum (RUB) and the Cluster of Excellence Cyber Security in the Age of Large-Scale Adversaries have developed a novel frequency analysis technique for efficiently identifying deepfake images. The team converted deepfake images into the frequency domain via the discrete cosine transform, expressing the generated image as the sum of multiple cosine functions. This demonstrated that generative adversarial networks used to produce deepfakes possess artifacts in the high-frequency range, and these artifacts extend to all deep learning algorithms. RUB's Joel Frank said, "We assume that the artifacts described in our study will always tell us whether the image is a deepfake image created by machine learning."

Daniel Tauritz

Aug 2, 2020, 8:35:26 AM
to sec-...@googlegroups.com

Volunteer Hacker Army Boosts U.S. Election Cybersecurity
NBC News
Kevin Collier
July 30, 2020


A University of Chicago program aims to strengthen U.S. election security by enlisting qualified experts to aid local election officials who may otherwise lack access to cybersecurity services and qualified specialists. The Election Cyber Surge initiative will allow election officials to select areas of concern, then choose from a list of professionals willing to help via phone or video chat. The initiative will start with about 50 vetted volunteers, most of whom were identified through a university database of trusted cybersecurity professionals, and who have at least 10 years of field experience. The U.S. Department of Homeland Security has been warning since last fall that voter registration systems and county governments are especially vulnerable to ransomware, and criminal gangs regularly target local government networks with unpatched bugs.
 

A Cyberattack on Garmin Disrupted More Than Workouts
Wired
Lily Hay Newman
July 27, 2020


The navigation and fitness firm Garmin last week was hit by a ransomware attack that took down numerous services. In addition to affecting Garmin Connect, the cloud platform that syncs user activity data, and portions of Garmin.com, the hack resulted in days-long outages for the flyGarmin and Garmin Pilot apps, impacting flight-planning mechanisms and the ability to update mandatory Federal Aviation Administration aeronautical databases. The hack highlights the threat that ransomware poses across industries. The Front Range Flight School in Colorado said the hack temporarily grounded one plane due to the inability to update the databases for the Garmin 430, which is used for navigation. Although tablet apps are used by pilots as backups to flight plan and navigation systems, those using Garmin Pilot did not have access to that failsafe.

Google Promises Privacy with Virus App but Can Still Collect Location Data
The New York Times
Natasha Singer; Aaron Krolik
July 20, 2020


Despite Google's promise that its free smartphone software preserves privacy and does not track user locations, governments adopting it for coronavirus-tracing applications were surprised to learn that location-setting must be active for the software to work with Android phones. Human rights groups and technologists have warned that aggressive data collection and security flaws in apps imperil the privacy of hundreds of millions of people. Google's Pete Voss said virus-alert apps using Google's software employ Bluetooth scanning signals to detect smartphones that come into close proximity with one another without pinpointing their locations. There are concerns that although Google and Apple prohibit government virus apps from tracking users, Google may determine and use device locations of Android app users, depending on their settings. Alexandra Dmitrienko at Germany's University of Wurzburg suggested governments should pressure Google to stop requiring Android users of virus-alert apps to activate location.

Police Requests for Google Users' Location Histories Face New Scrutiny
The Wall Street Journal
David Uberti
July 27, 2020


Police use of "geofence" warrants is being disputed by criminal defendants in Virginia and San Francisco, and could be banned by lawmakers in New York in what are considered the tactic's first legal and political challenges. These warrants involve scanning geographic areas and time periods for suspects through user location histories stored by tech companies. In both legal cases, police used data from Google. To maintain as much user privacy as possible, Google searches its entire database of accounts with location history enabled to determine which users passed through the general area during the specified time period and compiles the information into an anonymized data set for police. However, authorities may try to compel Google to de-anonymize account data to identify specific users. If Google complies, privacy advocates are worried police will seek similar data from fitness trackers, ride-share apps, and other companies.

Apple Starts Giving 'Hacker-Friendly' iPhones to Top Bug Hunters
TechCrunch
Zack Whittaker
July 22, 2020


Apple has begun loaning special "hacker-friendly" iPhones to vetted researchers in order to help them find and report security flaws that the company can fix as part of the iOS Security Research Device program. These iPhones have custom-built iOS software with features ordinary models lack, including Secure Shell access; a root shell to run custom commands with the highest access to the software; and debugging tools that allow researchers to run their code more easily and better understand what is happening under the surface. Participating hackers also will be able to access extensive documentation, as well as a forum where Apple engineers will answer questions and provide feedback. Apple hopes the program will help trusted security researchers find undiscovered vulnerabilities deep inside its software.

BadPower Attack Corrupts Fast Chargers to Melt or Set Your Device on Fire
ZDNet
Catalin Cimpanu
July 20, 2020


Chinese security researchers from Tencent's Xuanwu Lab said they can corrupt the firmware of fast chargers to cause damage to the items they charge. The BadPower exploit alters the default charging setting to deliver more voltage than the receiving device can manage; the technique needs no prompts or interactions, and the attacker only has to connect an attack rig to the fast charger, wait a few seconds, then leave, having corrupted the firmware. When the user connects their infected device to the fast charger, the malware modifies the charger's firmware, and the charger will overload any subsequently linked devices, melting or even setting them on fire. The Tencent team found that although updating device firmware can eliminate the BadPower vulnerability, this option is lacking in many fast-charging chips. The researchers alerted all affected vendors and the Chinese National Vulnerabilities Database, suggesting tougher firmware safeguards and deployment of overload protection to charged devices.

Tech Execs Urge Washington to Accelerate AI Adoption for National Security
VentureBeat
Khari Johnson
July 22, 2020


Technology company CEOs have issued 35 recommendations to Congress through the National Security Commission on Artificial Intelligence (NSCAI) for maintaining global AI supremacy. Recommendations include establishing a National Reserve Digital Corps modeled on military reserve corps, enabling machine learning practitioners to contribute to government projects on a part-time basis. NSCAI also urged the founding of an accredited U.S. Digital Services Academy, whose graduates would commit to five years of civil service. Other recommendations include training State Department workers in emerging technologies like AI that "define global engagement strategies," and encouraging the Defense Department to adopt AI systems for robotic process automation and similar applications.

Why E-Mobility Is the 'Wild West' of Cybersecurity
Financial Times
Sooraj Shah
July 19, 2020


E-mobility raises serious cybersecurity issues, and the Coalfire consultancy's Andy Barratt described the technology as being like the Wild West in terms of cybersecurity. The full range of e-mobility technology can have vulnerabilities, and Barratt said the more forward-thinking companies have dedicated security units. F-Secure Consulting's Vic Harkness envisions malefactors exploiting e-mobility weaknesses to wreak havoc, like causing high-speed vehicle collisions or localized traffic jams, suggesting cybersecurity researchers' unfamiliarity with e-mobility vehicles compounds the risk. Several experts have urged baking security into e-mobility design from the outset, and Andrew Tsonchev at the Darktrace cybersecurity group said manufacturers should prioritize security and cooperate with each other. Said Harkness, "If a vendor discovers a vulnerability within one of their systems, a framework should be in place whereby this information can be shared with other vendors."
