Dr. T's security brief


Daniel Tauritz

Apr 20, 2020, 8:08:27 AM
to sec-...@googlegroups.com

Intel SGX is Vulnerable to an Unfixable Flaw That Can Steal Crypto Keys and More
Ars Technica
Dan Goodin
March 10, 2020


A team of international researchers from Worcester Polytechnic Institute, the University of Michigan, Katholieke Universiteit Leuven in Belgium, Graz University of Technology in Austria, Australian digital research network Data61, and Australia’s University of Adelaide disclosed a previously undiscovered vulnerability that steals information from Intel's Software Guard eXtensions (SGX), a kind of digital vault for securing users' most sensitive data. The proof-of-concept attack—called Load Value Injection (LVI)—stems from speculative execution. The exploit allows for the raiding of information stored in the SGX enclave. Said the researchers, “Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations up to 19 times."

Full Article

 

 

AMD Processors From 2011 to 2019 Vulnerable to Two New Attacks
ZDNet
Catalin Cimpanu
March 7, 2020


A study by researchers at the Graz University of Technology in Austria and the University of Rennes in France indicated that AMD processors fabricated between 2011 and 2019 are vulnerable to two new exploits, affecting data processed inside the central processing units (CPUs) and allowing the theft of sensitive information or the downgrading of safeguards. The exploits target the CPUs' L1D cache way predictor, used to lower power consumption via more efficient in-memory data caching. The researchers could recreate a map of the predictor's internal mechanism and learn whether it was leaking data or clues about the nature of that data. The Collide+Probe and Load+Reload attacks enable monitoring of how processes interact with the AMD cache, then leak small data segments from other apps. Although the researchers alerted AMD to the flaws last August, the company has not issued firmware updates, because these "are not new speculation-based attacks."

Full Article

 

Modern RAM Still Vulnerable to Rowhammer Attacks
ZDNet
Catalin Cimpanu
March 11, 2020


Extensive mitigations deployed during the last six years have failed to eliminate modern random-access memory (RAM) cards' vulnerability to Rowhammer exploits, according to researchers at ETH Zurich in Switzerland and Vrije University in the Netherlands. The investigators said a generic tool named TRRespass can upgrade Rowhammer attacks to hack RAM cards with Target Row Refresh (TRR) safeguards. The researchers said, "This triggered an industry-wide effort in addressing the issues raised in this paper. Unfortunately ... it will take a long time before effective mitigations will be in place." The hardware community has been trying to fix the Rowhammer situation since 2014.

Full Article

 

Microsoft Orchestrates Coordinated Takedown of Necurs Botnet
ZDNet
Catalin Cimpanu
March 10, 2020


Microsoft said it has taken down the Necurs spam and malware botnet in coordination with industry partners in 35 countries. The initiative broke the Necurs domain generation algorithm (DGA), which enabled the botnet to allegedly infect more than 9 million computers globally. Authors on Necurs could register DGA-produced domains months ahead of time and host the botnet's command-and-control (C&C) servers, where compromised computers connect to receive new commands. The DGA takedown enabled Microsoft and its collaborators to compile a list of future Necurs C&C server domains that they can now inhibit, and prevent the Necurs team from registering. Once Microsoft commandeered the existing Necurs infrastructure, the collaborators were able to sinkhole the botnet and obtain data about where all its bots were located.

Full Article

 

Hackers Can Clone Millions of Toyota, Hyundai, Kia Keys
Wired
Andy Greenberg
March 5, 2020


Researchers at Katholieke Universiteit Leuven in Belgium and the University of Birmingham in the U.K. found new vulnerabilities in encryption systems used by in-vehicle devices that communicate at close range with key fobs to unlock the car's ignition. Millions of Toyota, Hyundai, and Kia vehicles use Texas Instruments' DST80 encryption, which bases cryptographic keys on cars' serial numbers. A hacker who swipes a Proxmark radio-frequency identification reader/transmitter near the fob of an auto equipped with DST80 can obtain sufficient data to acquire its secret cryptographic value, impersonate the key within the car, and start the engine. The researchers said this cloning exploit is more difficult than "relay" attacks that car thieves typically use, but hackers can use the compromised information to repeatedly drive the targeted auto.

Full Article

 

 

Flaw in Billions of Wi-Fi Devices Left Communications Open to Eavesdropping
Ars Technica
Dan Goodin
February 26, 2020


Researchers at Slovakian Internet security company ESET discovered that billions of devices are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data. The team named the vulnerability Kr00k; it is tracked as CVE-2019-15126. The vulnerability exists in Wi-Fi chips manufactured by Cypress Semiconductor and Broadcom, affecting devices such as iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3's, and certain Wi-Fi routers. Kr00k exploits the fact that wireless devices disassociate from a wireless access point, exposing any unsent data frames. Rather than encrypt this unsent data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros. While manufacturers have made patches available for most of the affected devices, it is not clear how many devices actually installed the patches.

Full Article

 

 

FDA Airs Potential Cybersecurity Vulnerabilities in Medical Devices with Bluetooth Low Energy
U.S. Food and Drug Administration
March 3, 2020

The U.S. Food and Drug Administration (FDA) has alerted patients, medical providers, and manufacturers about potential cybersecurity vulnerabilities in medical devices that use Bluetooth Low Energy (BLE). BLE lets two devices "pair" and share data while saving battery life. "SweynTooth" exploits may allow hackers to wirelessly hijack devices like pacemakers, glucose monitors, and ultrasound probes and crash them, stop them from working, or access functions on them normally reserved for authorized users, with publicly available software. The FDA's Suzanne Schwartz said the agency recommends device manufacturers proactively correct such vulnerabilities via coordinated disclosure and mitigation. The agency also requested that device manufacturers communicate to healthcare providers and patients which devices could be impacted by SweynTooth, and how they could ameliorate associated risks.
 

Full Article

 

 

U.S. Internet Bill Seen as Opening Shot Against End-to-End Encryption
The Guardian
Alex Hern
March 6, 2020


Four U.S. senators are sponsoring a bill to make legal safeguards that Internet platforms rely on contingent on those platforms following stated practices related to privacy and prevention of child sexual exploitation. The measure is viewed as the first round in a push against end-to-end encryption, with the U.S. Department of Justice (DOJ) taking technology companies to task for developing products that law enforcement cannot intercept. The bipartisan measure calls for amending section 230 of the Communications Decency Act, which protects online platforms from being viewed as publishers of hosted content. The practices that companies would be required to follow are unspecified in the legislation, but an outline suggested by the DOJ and the multinational Five Eyes surveillance coalition included 11 voluntary principles.

Full Article

 

 

How Secure Are Four, Six-Digit Mobile Phone PINs?
Ruhr-University Bochum (Germany)
Julia Weiler
March 11, 2020


Information technology security experts at Germany’s Ruhr-Universität Bochum (RUB) and Max Planck Institute for Security and Privacy, and George Washington University assessing personal identification number (PIN) codes for securing Apple and Android cellphones found that six-digit PINs offer little more security than four-digit PINs. RUB's Philipp Markert said although a four-digit PIN can be used to create 10,000 different combinations and a six-digit PIN can be used to create 1 million, users prefer simple combinations that often fail to exploit six-digit PINs' full potential. The study also concluded that four and six-digit PINs are less secure than passwords, but more secure than pattern locks.

Full Article

 

 

Researchers Identify Cybersecurity Approach to Protect Army Systems
U.S. Army Research Laboratory
March 4, 2020

Researchers at the University of California, Riverside and the U.S. Army Combat Capabilities Development Command's Army Research Laboratory (ARL) have developed an approach to protecting Army systems from attack in ways that don't require much manual intervention. The approach, called SymTCP, can be used to identify previously unknown ways to bypass deep packet inspection (DPI) checks in networked devices. Internet service providers often use DPI checks to prevent malicious attacks from being launched or to censor certain content. The research provides an automated method to identify potential vulnerabilities in the Transmission Control Protocol (TCP) state machines of DPI implementation. Said ARL's Kevin Chan, "This research will improve the security of Army networks in terms of being able to protect against future intrusion and evasion strategies. It has developed an efficient way to find and patch vulnerabilities in future Army network infrastructure."
 

Full Article

 

 

How the Cloud Has Opened Doors for Hackers
The Washington Post
Craig S. Smith
March 2, 2020


Corporate transfers of operations to the cloud have elevated the threat of hacking, as the cloud can be accessed remotely with ease. Manav Mital, co-founder of cloud security startup Cyral, said cloud companies manage the upkeep and security of physical servers, but client requirements for ease of access have spawned new apps and databases, and increasingly complex services that are difficult to manage and monitor. Although companies still shield private data behind firewalls and other security measures, more people and programs require access to data in the cloud, making it easier for bad actors to find potential vulnerabilities. The Ponemon Institute estimated that cloud breaches cost each individual company $3.92 million on average.

Full Article

*May Require Paid Registration

Daniel Tauritz

Apr 21, 2020, 8:57:47 AM
to sec-...@googlegroups.com

Location Data to Gauge Lockdowns Tests Europe's Love of Privacy
Bloomberg
Jonathan Tirone; Thomas Seal; Natalia Drozdiak
March 18, 2020


Officials in Austria and Italy are using location data transmitted by mobile phones to determine the effectiveness of their coronavirus lockdown policies. Telekom Austria AG is using tracking technology originally developed to analyze travel patterns to provide "anonymized data" to relevant authorities. Meanwhile, Vodafone Group Plc is providing Italian officials with anonymized customer data to track and analyze population movements in the Lombardy region of the country. European countries have some of the world's strictest rules regarding the use and sharing of mobile phone location data, and European companies must seek explicit consent from users in most cases before processing any personal data; the EU also mandates high standards for data anonymization.

Full Article

 

 

Israel Takes Step Toward Monitoring Phones of Virus Patients
Associated Press
Josef Federman
March 15, 2020


Israel's government has authorized its Shin Bet security agency to use its phone-surveillance system on coronavirus patients in an effort to control the epidemic, with Prime Minister Benjamin Netanyahu acknowledging that such measures would "entail a certain degree of violation of privacy." Shin Bet would employ mobile-phone tracking technology to more precisely model a patient's movements prior to diagnosis, and identify people who might have been exposed to the virus. In response to privacy concerns, Netanyahu reduced the scope of information to be collected and restricted how many people can view the data, to shield against misuse. Yuval Elovici at Ben-Gurion University's cybersecurity research center suggested privacy issues can be minimized by culling data anonymously.

Full Article

 

 

Researchers Expose Vulnerabilities of Password Managers
University of York
Shelley Hughes
March 16, 2020


Researchers at the University of York in the U.K. have demonstrated that some commercial password managers may not completely protect users. The team created a malicious app to impersonate a legitimate Google app and was able to fool two out of the five password managers it tested into revealing a password. Some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill; others did not have a limit on the number of times a master PIN or password could be entered. York's Siamak Shahandashti said the researchers suggest password managers “need to apply stricter matching criteria that is not merely based on an app's purported package name."

Full Article

 

 

Study Ranks Privacy of Major Browsers
Ars Technica
Dan Goodin
March 17, 2020


A study of the privacy protection provided by major browsers ranked upstart browser Brave at the top of the list. In the study, computer scientist Doug Leith at Ireland's Trinity College Dublin analyzed browsers' transmission of data that could be used to monitor users over time. Microsoft Edge and Russia's Yandex tied for the lowest ranking, while Google Chrome, Mozilla Firefox, and Apple Safari were ranked in the middle. Edge and Yandex transmit persistent identifiers that can be used to tie requests and associated Internet Protocol (IP) address/location to backend servers. Brave's default settings offer the most privacy, with no collection of identifiers permitting the tracking of IP addresses over time, and no sharing of details of webpages visited with backend servers.

Full Article

 

 

Bugs in Open Source Software Hit a Record High
ZDNet
Liam Tung
March 13, 2020


The number of open source software vulnerabilities identified has risen from 4,100 last year to 6,100 this year, according to security firm WhiteSource. This trend can be attributed to increased adoption of open source software and more focused efforts on finding dangerous bugs. WhiteSource found that 85% of open source vulnerabilities have been disclosed and already have a fix available (although some users are not aware of the fixes because only 84% of known open-source bugs have been entered into the National Vulnerability Database). WhiteSource also looked at how many vulnerabilities were found across the most-used programming languages. The greatest share (30%) of vulnerable code was written in C, while code written in PHP was responsible for 27% of security bugs, and Python code was responsible for 5% of bugs.

Full Article

 

 

WordPress, Apache Struts Account for 55% of Weaponized Vulnerabilities
ZDNet
Catalin Cimpanu
March 17, 2020


A study of all vulnerability disclosures between 2010 and 2019 by risk analysis firm RiskSense estimated that the WordPress and Apache Struts application frameworks were responsible for more than half (55%) of all weaponized and exploited security bugs. Vulnerabilities in PHP and Java apps were the most weaponized bugs in coding languages during that period. Although JavaScript and Python contained the fewest bugs, New Mexico-based RiskSense, which provides vulnerability and cybersecurity risk management services, expects this will change in the future as both languages' popularity and adoption ramp up. The three leading bugs by weaponization rate were command injection (60% weaponized), OS command injection (50% weaponized), and code injection (39% weaponized).

Full Article

 

 

Record Set for Cryptographic Challenge
UC San Diego Jacobs School of Engineering
March 12, 2020


A team of computer scientists in France and the U.S. has set a new record for integer factorization, a major challenge in the security of most public-key cryptography currently in use. The researchers used free software created by collaborators at INRIA Nancy in France to factor the largest integer of its form to date as part of the RSA Factoring Challenges. The integer is the product of two prime numbers that each possess 125 decimal digits, which took 2,700 years of running powerful computer cores to execute, using tens of thousands of machines worldwide over several months. The key the researchers cracked has 829 binary bits, while modern cryptographic practice stipulates that RSA keys should be 2,048 binary bits long at minimum. The University of California, San Diego's Nadia Heninger said, "Achieving computational records regularly is necessary to update cryptographic security parameters and key size recommendations."

Full Article

 

 

Chip-Based Devices Improve Practicality of Quantum-Secured Communication
Optical Society of America
March 19, 2020


Researchers at the University of Bristol in the U.K. demonstrated chip-based devices containing all required optical components for quantum key distribution and boosting real-world security. The devices feature semiconductor technology found in all smartphones and computers, replacing the wires for conveying electricity with circuits that control photonic signals; nanoscale elements shrink the power requirements of quantum communication systems while maintaining high-speed performance for networks. The researchers developed the platform to support citywide networks and reduce the number of connections between users. Bristol's Harry Semenenko said the new chip-based platform “offers a level of precise control and complexity not achievable with alternatives. It will allow users to access a secure network with a cost-effective device the same size as the routers we use today to access the Internet.”

Full Article

 

 

Detailed Audit of Voatz' Voting App Confirms Security Flaws
Government Technology
Andrew Westrope
March 18, 2020


Security consulting firm Trail of Bits confirmed issues raised by Massachusetts Institute of Technology researchers and others that the Voatz mobile voting app is riddled with flaws, with an audit identifying 79 bugs, with 33% of them designated high-severity. Trail of Bits cited technical flaws in Voatz ranging from a lack of test coverage and documentation to manually provisioned infrastructure without infrastructure-as-code tools, outdated features that have yet to be deleted, and nonstandard cryptographic protocols. Michael Fernandez with the Association for the Advancement of Science's Center for Scientific Evidence in Public Issues said the challenge of mobile voting is permitting audits of each ballot, without exposing how any specific person voted.

Full Article

 

 

Panel Outlines Massive Federal Cybersecurity Overhaul
Politico
Tim Starks
March 11, 2020


After approximately a year of work, the Congressional Cyberspace Solarium Commission issued its report on the state of cybersecurity in the U.S., which included sweeping recommendations for shoring up cyberdefense and tightening cybersecurity policy responsibility in the government. The report offered 75 recommendations in total, based on information gleaned in 30 meetings and 300 interviews. Among other actions, the commission recommended the creation of a Senate-confirmed National Cyber Director, a Bureau of Cyber Statistics, House and Senate cybersecurity committees, and a special fund to respond to and recover from cyberattacks. The Commission also addressed election security, saying, "The American people still do not have the assurance that our election systems are secure from foreign manipulation. If we don't get election security right, deterrence will fail and future generations will ... wonder how we screwed the whole thing up."

Full Article

 

Boeing, SpaceX Parts Manufacturer Visser Hit With Ransomware Attack, Documents Leaked Online

TechCrunch (3/1) reported that Visser Precision, a parts manufacturer for companies such as The Boeing Company, SpaceX and Tesla, has been hit with a ransomware attack. Researchers “say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data,” then “threatens to publish the stolen files if the ransom is not paid.” A Visser spokesperson said that the company “continues its comprehensive investigation of the attack, and business is operating normally.” Hackers have also published a website with a “list of files stolen from Visser, including folders with customer names – including Tesla, SpaceX, and aircraft maker Boeing, and defense contractor Lockheed Martin.” Some of the files are available for download. Documents include non-disclosure agreements between Visser, and SpaceX and Tesla.

 

Daniel Tauritz

Apr 22, 2020, 10:15:16 AM
to sec-...@googlegroups.com

Attack on Home Routers Sends Users to Spoofed Sites That Push Malware
Ars Technica
Dan Goodin
March 25, 2020


Researchers citing data from Bitdefender security products are warning that a hack of Linksys and D-Link routers for homes and small offices is redirecting users to malicious sites that pose as COVID-19 informational resources. The researchers believe the hackers are guessing passwords used to secure the routers' remote management console when the feature is turned on, or are guessing credentials for users' Linksys cloud accounts. The hacks redirect users to malicious sites that install malware or attempt to phish passwords. Bitdefender’s Liviu Arsene said the spoofed sites close port 443, the Internet gate that transmits traffic protected by HTTPS authentication protections, preventing the display of warnings from browsers or email clients that a TLS certificate is invalid or untrusted. The researchers said these routers should have remote administration turned off whenever possible.

Full Article

 

 

Cybercriminals Take Advantage of Coronavirus
The Wall Street Journal
Jenny Strasburg; Drew Hinshaw; Catherine Stupp
March 24, 2020


Hackers are targeting critical healthcare systems already strained by the coronavirus pandemic, compromising computer networks and disrupting patient care. Flavio Aggio of the World Health Organization (WHO) said criminals have stepped up exploits, including ransomware attacks, against the agency. WHO and other global health organizations have been combating scams spreading misinformation about the coronavirus, or exploiting anxieties to breach corporate networks and work-from-home workforces. Experts said criminals are taking advantage of the pandemic to launch more targeted attacks against healthcare facilities, whose resources are focused on the coronavirus. A ransomware attack disabled the Champaign-Urbana Public Health District's website in Illinois earlier this month, and hackers also crippled a Czech Republic hospital's computer network.

Full Article

*May Require Paid Registration

 

 

Windows Code-Execution Zeroday Is Under Active Exploit, Microsoft Warns
Ars Technica
Dan Goodin
March 23, 2020


Microsoft has issued a warning that a Windows zero-day vulnerability is being exploited in "limited targeted attacks" to execute malicious code on fully updated systems. The font-parsing remote code-execution vulnerability exists in the Adobe Type Manager Library, which numerous apps use to manage and render fonts available from Adobe Systems. The two code-execution flaws can be exploited by convincing a target to open or view a booby-trapped document in the Windows preview pane. Said Microsoft in an advisory, "For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities." Until a patch is made available, Microsoft recommends disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, or renaming ATMFD.DLL or disabling the file from the registry.

Full Article

 

 

DDoS Attacks Could Affect Next-Generation 911 Call Systems
Help Net Security
Andrew Lavin
March 13, 2020


Researchers at Ben-Gurion University of the Negev (BGU) in Israel have found that next-generation 911 systems that accommodate text, images, and video continue to be vulnerable to many of the same cyberattacks that previous systems were. The team evaluated the impact of distributed denial of service (DDoS) attacks on the current (E911) and next-generation 911 (NG911) infrastructures in North Carolina, and found that just 6,000 bots were sufficient to significantly compromise the availability of a state's 911 services (and just 200,000 bots could jeopardize the entire U.S.). Said BGU's Mordechai Guri, “We believe that this research will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue and aid in the prevention of possible future attacks on the 911 emergency services."
 

Full Article

 

 

Approach Could Protect Control Systems From Hackers
IEEE Spectrum
Michelle Hampson
March 26, 2020


Researchers at Siemens and Croatia’s University of Zagreb have developed a technique to more easily identify attacks against industrial control systems (ICS), like those used in the electric power grid, or to control traffic. The researchers applied the concept of "watermarking" data during transmission to ICS, in a manner that is broadly applicable without requiring details about the specific ICS. In such a scenario, when data is transmitted in real time over an unencrypted channel, it is accompanied by a specialized algorithm in the form of a recursive watermark (RWM) signal; any disruption to the RWM signal indicates an attack is underway. Said Siemens' Zhen Song, “If attackers change or delay the real-time channel signal a little bit, the algorithm can detect the suspicious event and raise alarms immediately."

Full Article

 

National Space Council Considering Cybersecurity Policy Directive

Space News (3/9, Erwin, Subscription Publication) reports that the National Space Council “is weighing a new policy directive that would call for the space industry to voluntarily adopt cybersecurity standards to help protect data and companies’ intellectual property.” Within the Trump Administration, there is a growing effort “to raise awareness about hackers trying to target satellite networks and industrial spies stealing U.S. space technology, [former NSC employee Mir] Sadat said March 9 during a panel at the Satellite 2020 symposium.” Sadat said, “If we’re going to start relying on smallsats, we have to make sure that these things don’t get hacked.” Sadat added, “You’ll probably see something in the next couple of weeks or months roll out of the White House on cybersecurity for space.” Sadat indicated that the White House doesn’t plan to establish formal standards but instead “raise attention to the issue and let ‘the industry figure it out.’” The “directive would recommend that companies work with the Commerce Department’s National Institute of Standards and Technology.”

 

Towards an Unhackable Quantum Internet
Harvard University John A. Paulson School of Engineering and Applied Sciences
Leah Burrows
March 23, 2020


Harvard University and Massachusetts Institute of Technology researchers have invented a technique for correcting signal loss in quantum-signal transmission, using a prototype quantum node that captures, stores, and entangles bits of quantum information. This is a key development toward a practical and unhackable quantum Internet, and a step toward realizing long-distance quantum networks. The researchers used silicon-vacancy color centers in diamonds, in effect integrating an individual color-center into a nanofabricated diamond cavity, which corrals information-bearing photons and forces their interaction with the single color-center. The device stores the quantum data for milliseconds—sufficient for information to be conveyed over thousands of kilometers—with electrodes embedded around the cavity delivering control signals to process and preserve the data in the memory. Harvard's Mikhail Lukin said, "This is the first system-level demonstration ... that shows clear quantum advantage to communicating information using quantum repeater nodes."

Full Article

 

China to Launch National Blockchain Network in 100 Cities
IEEE Spectrum
Nick Stockton
March 20, 2020


An alliance of Chinese government groups, banks, and technology firms plans to launch the Blockchain-based Service Network (BSN), one of the first blockchain networks constructed and maintained by a central government, in April. Advocates say the BSN will slash the costs of blockchain-based business by 80%, with nodes hopefully installed in 100 Chinese cities by launch time. The network will allow programmers to develop blockchain applications more easily, but apps running on the BSN will have closed or "permissioned" membership by default. North Carolina State University's Hong Wan suggests China's government aims to make the BSN the core component of a digital currency and payment system that competes with other services. The BSN Alliance hopes the platform will become the global standard for blockchain operations, but the Chinese government's retention of the BSN's root key means it can monitor all transactions made via the platform.
 

Full Article

 
