Dr. T's security brief


Daniel Tauritz

Jan 18, 2021, 8:30:38 AM
to sec-...@googlegroups.com

Microsoft Says Russian Hackers Viewed Some of Its Source Code
The New York Times
Nicole Perlroth
December 31, 2020


Microsoft on Thursday said the Russian exploit of U.S. government agencies and private corporations extended further into its network than the company previously thought, as the hackers viewed Microsoft source code. The software giant said its investigation turned up unusual activity from a small number of employee accounts, then ascertained one account had been used to view "a number of source code repositories." The company said the account lacked permissions to modify code or engineering systems, and no changes were made. The exploit appears to have started as far back as October 2019, when hackers infiltrated SolarWinds, which supplies technology monitoring services to government agencies and 425 Fortune 500 companies. Some government officials expressed frustration at Microsoft's failure to detect the breach and alert the government earlier, while Microsoft president Brad Smith blamed the hack on the government's failure to share threat intelligence findings among agencies and the private sector.

Full Article

*May Require Paid Registration

 

 

Cryptocurrency Stealer for Windows, macOS, Linux Went Undetected for a Year
Ars Technica
Dan Goodin
January 5, 2021


A report by Israeli security firm Intezer documented an operation to steal cryptocurrency holders' wallet addresses using custom-made malware written from scratch, which had gone undetected for at least a year. The hackers used trojanized applications that run on Windows, macOS, and Linux, while also relying on a network of bogus companies, websites, and social media profiles to lure victims. The apps masquerade as benign software useful to cryptocurrency holders, concealing a remote access trojan (RAT) called ElectroRAT that lets attackers log keystrokes; capture screenshots; upload, download, and install files; and execute commands on compromised machines. None of the major antivirus products caught the apps.

Full Article

 

 

Hackers Exploit Backdoor Built Into Zyxel Devices
Ars Technica
Dan Goodin
January 4, 2021


Niels Teusink, a researcher at Netherlands-based security firm Eye Control, found that hackers are attempting to exploit a backdoor built into several Zyxel device models used as VPNs, firewalls, and wireless access points by thousands of individuals and businesses. This backdoor is an undocumented user account with full administrative rights that is hardcoded into the device's firmware, which can be accessed over SSH or through a Web interface. Said Teusink, "An attacker could completely compromise the confidentiality, integrity and availability of the device." A fix is already available for firewall models and will be available Jan. 8 for AP controllers.

Full Article

 

 

Apple Loses Copyright Battle Against Security Startup Corellium
The Washington Post
Reed Albergotti
December 29, 2020


Apple's lawsuit against security research firm Corellium has failed, with a federal judge rejecting claims that Corellium's software breached copyright law in finding bugs and security holes on Apple products. Corellium lets customers run "virtual" iPhones on desktop computers, making physical iPhones with specialized software unnecessary to test iOS security. Judge Rodney Smith determined the virtual iPhones were not a copyright violation, partly because they were designed to help enhance security for all iPhone users, and did not constitute a competing product for consumers. Corellium's co-counsel David L. Hecht said, "The court affirmed the strong balance that fair use provides against the reach of copyright protection into other markets, which is a huge win for the security research industry in particular." Blackstone Law Group's Alexander Urbelis added that the decision "makes it possible for cybersecurity researchers to virtualize and test distinct components of third-party software for security vulnerabilities."

Full Article

*May Require Paid Registration

 

 

Insecure Wheels: Police Turn to Car Data to Destroy Suspects' Alibis
NBC News
Olivia Solon
December 28, 2020


Law enforcement agencies increasingly are using data stored in an automobile's onboard computers to solve crimes. Digital vehicle forensics can utilize data generated and stored by onboard computers to reconstruct where a vehicle has been and the behavior of its passengers. Law enforcement agencies generally focus on the vehicle's telematics and infotainment systems, which can reveal such things as the vehicle’s location and speed, the opening and closing of doors, voice commands, Web histories, call logs, text messages, which devices were connected to the vehicle, and more. Privacy activists are concerned about the lack of security built into onboard computers, as well as the dearth of federal laws to regulate what data can be collected by automakers and what can be done with it.

Full Article

 

 

Open Source Developer, Manager David Recordon Named White House Director of Technology
ZDNet
Steven J. Vaughan-Nichols
January 5, 2021


President-elect Joe Biden's transition team announced that open source software developer David Recordon has been named the White House Director of Technology. The team said his nearly 20-year career has focused on the intersection of technology, security, open source software, public service, and philanthropy. Recordon also was the first Director of White House Information Technology (IT) during the Obama administration, with IT modernization and cybersecurity his priorities. His agenda during the Biden presidency will include getting a grip on next-generation technology like facial recognition, artificial intelligence, and predictive analytics. Recordon wrote on LinkedIn: "The pandemic and ongoing cybersecurity attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together."

Full Article

 

 

A Better Kind of Cybersecurity Strategy
MIT News
Peter Dizikes
December 10, 2020


Researchers at the Massachusetts Institute of Technology (MIT), Northwestern University, and the University of Chicago contend Russia's use of North Korean IP addresses for a cyberattack during the opening ceremonies of the 2018 Winter Olympics underscored the need for a new cybersecurity strategy involving selective retaliation. Said MIT's Alexander Wolitzky, "If after every cyberattack my first instinct is to retaliate against Russia and China, this gives North Korea and Iran impunity to engage in cyberattacks." After extensive modeling of scenarios in which countries are aware of cyberattacks against them but have imperfect information about the attacks and attackers, the researchers found a successful strategy involves simultaneously improving attack detection and gathering more information about the attackers' identity before retaliating. Wolitzky added, "If you blindly commit yourself more to retaliate after every attack, you increase the risk you're going to be retaliating after false alarms."

Full Article

 

 

How We Can Be Manipulated Into Sharing Private Information Online
Ben-Gurion University of the Negev (Israel)
December 23, 2020


Researchers at Israel's Ben-Gurion University of the Negev (BGU) found online users are more likely to expose private information based on the structuring of website forms. BGU's Lior Fink said, "We are able to cause smartphone and PC users of online services to disclose more information by measuring the likelihood that they sign up for a service simply by manipulating the way information items [name, address, email] were presented." The BGU team worked with online bank Rewire to demonstrate that digital "foot-in-the-door" methods, like requesting personal information from less important to more private, can coax users into revealing more private data. Placing each request on consecutive, separate webpages also encourages data exposure, and sites can further manipulate users by diffusing information requests over several pages. BGU's Naama Ilany-Tzur said, "The general public and regulators should be made aware of these vulnerabilities, since it is so easy to capture more private information, despite their privacy concerns."

Full Article

 

Daniel Tauritz

Jan 19, 2021, 1:21:06 PM
to sec-...@googlegroups.com

macOS Malware Used Run-Only AppleScripts to Avoid Detection for Five Years
ZDNet
Catalin Cimpanu
January 12, 2021


Researchers at California-based cybersecurity firm SentinelOne have identified the OSAMiner malware, which hijacks the hardware resources of infected macOS computers to mine cryptocurrency. The malware, which has avoided detection since at least 2015, infects vulnerable systems via pirated games and software, and appears to target mainly Chinese and Asia-Pacific communities. Two Chinese security firms identified and analyzed older versions of the malware in 2018, but security researchers were unable to retrieve the malware's entire code at the time. SentinelOne's Phil Stokes noted the length of time it has been active, and the lack of attention given to the macOS.OSAMiner campaign, "shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis."

Full Article

 

 

Phishing Attack Uses Odd Lure to Deliver Windows Trojan Malware
ZDNet
Danny Palmer
January 6, 2021


Researchers at cybersecurity company Trustwave have reported a new phishing campaign that lures victims into downloading trojan malware that grants hackers full control over infected Microsoft Windows machines. The researchers described it as a "significantly enhanced" version of the Quaverse Remote Access Trojan (QRat), using an email that purports to offer targets a loan with a "good return on investment." Accompanying the email is an unrelated attachment claiming to contain a video of President Trump; attempting to open this Java Archive file (JAR) activates a QRat malware installer equipped with detection-avoidance mechanisms. Also triggered is a pop-up warning users that the installed software can be used for remote access and penetration testing. Trustwave's Diana Lopera said, "Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways."

Full Article

 

SolarWinds Hack Serves As A Warning For Higher Ed

Inside Higher Ed (1/6) reports that while the full impact of the SolarWinds hack on higher education institutions is not yet known, "college IT leaders can take steps to guard against future intrusions." Institutions that use the Orion platform are advised to "follow guidance issued by the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, said Brett Callow, threat analyst at cybersecurity solutions company Emsisoft." IT leaders in higher ed should also "think about their procurement processes and ask potential vendors tough questions about their security practices, said Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center at Indiana University in Bloomington, known as REN-ISAC."

 

State Department Sets Up Bureau for Cybersecurity, Emerging Technologies
The Hill
Maggie Miller
January 7, 2021


The establishment of a new bureau at the U.S. State Department for cybersecurity and emerging technologies has been approved by Secretary of State Mike Pompeo. The Bureau of Cyberspace Security and Emerging Technologies (CSET) will help spearhead diplomatic programs around these topics, including prevention of cyber conflicts with potentially adversarial nations. The announcement came as the federal government continues to deal with Russia's breach of information technology company SolarWinds, which affected the State Department and about a dozen other federal agencies. A State Department spokesperson said, "The need to reorganize and resource America's cyberspace and emerging technology security diplomacy through the creation of CSET is critical, as the challenges to U.S. national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET."

Full Article

 

 

U.K. Government Use of 'General Warrants' to Authorize Computer, Phone Hacking Is Unlawful: Court
Computer Weekly
January 8, 2021


The U.K.'s High Court has ruled that government security and intelligence services cannot use "general warrants" to indiscriminately hack domestic mobile phones and computers. The court declared neither GCHQ nor MI5 can use warrants issued under Section 5 of the Intelligence Services Act to interfere with electronic gear and other property. The implication is that targets for hacking must be scrutinized by a secretary of state, rather than permitting surveillance to be authorized solely by intelligence agencies. The High Court judges cited common law principles established more than 250 years ago in determining that general hacking warrants breached individuals' rights not to have their property searched without lawful authority. Said Caroline Wilson Palow at charity Privacy International, "General warrants are no more permissible today than they were in the 18th century. The government has been getting away with using them for too long."

Full Article

 
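The Trustwave item in this message ends with advice to block inbound JARs at the e-mail gateway. As an added example (not code from Trustwave, the article, or this list), the Python below shows one way to implement that check on a raw message: it flags attachments by the .jar extension and also by content, since a JAR is a ZIP archive carrying META-INF/MANIFEST.MF (or .class entries) and renaming the file does not change its bytes. The sample message and the tiny archive it carries are constructed here for the demonstration, and the function names `is_jar`, `flag_jar_attachments` and `build_sample_message` are choices made for this example.

```python
"""Flag inbound Java archive (JAR) attachments in a raw e-mail message.

Added example, not code from Trustwave or the article above. The QRat lure
arrives as a JAR, and the recommendation is to block inbound JARs at the
gateway. An extension-only rule is defeated by renaming the file, so this
check also inspects the attachment bytes: a JAR is a ZIP archive (local
file header magic PK\\x03\\x04) that contains META-INF/MANIFEST.MF and/or
compiled .class entries. Only the archive directory is read, never the
entry contents, so a decompression bomb cannot be triggered by the check.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def is_jar(data: bytes) -> bool:
    """Return True if data looks like a Java archive by content.

    Empty archives (which start with the end-of-central-directory record,
    not a local file header) are not flagged: there is nothing to execute.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.upper() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False  # ZIP magic but a corrupt or truncated archive
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".CLASS") for n in names)


def flag_jar_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments that are JARs by extension or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".jar") or is_jar(payload):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Construct a test e-mail (constructed data, not a real sample).

    It carries the same tiny archive twice: once renamed to look like a video
    and once with its honest .jar extension, plus a benign text attachment.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        zf.writestr("Dropper.class", b"\xca\xfe\xba\xbe")  # class-file magic only, not a real class
    jar_bytes = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Investment opportunity"
    msg.set_content("Please see the attached video.")
    # Renamed JAR: the declared type and extension lie, the bytes do not.
    msg.add_attachment(jar_bytes, maintype="video", subtype="mp4", filename="video.mp4")
    # JAR caught by the extension rule alone.
    msg.add_attachment(jar_bytes, maintype="application", subtype="java-archive", filename="loan.jar")
    # Benign attachment that must not be flagged.
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_jar_attachments(build_sample_message()))
```

In a real gateway the same two checks would run on every attachment before delivery, and a match would quarantine the message rather than just list it; the content check is the one that matters, because the extension and declared MIME type are attacker-controlled.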
