A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence

A water utility in the US state of North Carolina suffered a severe ransomware attack in the week after Hurricane Florence hit the East Coast of the U.S.

According to the Onslow Water and Sewer Authority (ONWASA), some internal systems were infected with the Emotet malware, but regular water service was not impacted.

According to ONWASA, the infection means several of its main databases will have to be completely recreated; fortunately, no customer information was compromised.

“We are in the middle of another disaster following Hurricane Florence and Tropical Storm Michael,” CEO Jeff Hudson told employees in a video posted on Facebook.

“With a very sophisticated attack they penetrated our defenses, just as they penetrated the city of Atlanta and Mecklenburg county.”


ONWASA CEO Jeffrey Hudson confirmed that the attack began on October 4. IT staff initially thought they had locked out the threat; however, on October 13 the malware started dropping the Ryuk ransomware onto the infected systems.

“An ONWASA IT staff member was working at 3am and saw the attack,” ONWASA said.

“IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

Operators at the utility did not pay the ransom and opted instead to rebuild the infected systems.

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries,” ONWASA reasoned. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.”

The incident had a significant impact on the utility's operations at a critical moment, the aftermath of Hurricane Florence.

ONWASA estimates it will take several weeks to rebuild all of the damaged systems; in the meantime customers will not be able to pay their bills online, and major delays will affect the services the utility provides.

The effects of Hurricane Florence on Onslow County were severe: schools are still closed and local authorities are still working to clean up debris from the massive storm. It has been estimated that restoring normal conditions will cost $125m.

Pierluigi Paganini

(Security Affairs – Hurricane Florence, ransomware)

The post A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence appeared first on Security Affairs.

Party like it’s 1987… SVGA code bug haunts VMware’s house, lets guests flee to host OS

Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security

Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine.…

Avast scores high in malware protection

Independent lab AV-Comparatives focuses on one thing and one thing only — constant, regular tests of the leading antivirus software on the market. After putting each brand’s software suite through its paces, the lab then publishes the results in easy-to-read reports aimed at helping consumers make informed decisions in choosing the cybersecurity that’s right for them. This week, AV-Comparatives published result reports from three studies, and Avast software was tested in each of them.


‘Do Not Track,’ the Privacy Tool Used By Millions of People, Doesn’t Do Anything

An anonymous reader quotes a report from Gizmodo: When you go into the privacy settings on your browser, there's a little option there to turn on the "Do Not Track" function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she's never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use "Do Not Track" to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We've got bad news for those millions of privacy-minded people, though: "Do Not Track" is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you. Yahoo and Twitter initially said they would respect it, only to later abandon it. The most popular sites on the internet, from Google and Facebook to Pornhub and xHamster, never honored it in the first place. Facebook says that while it doesn't respect DNT, it does "provide multiple ways for people to control how we use their data for advertising." (That is of course only true so far as it goes, as there's some data about themselves users can't access.) From the department of irony, Google's Chrome browser offers users the ability to turn off tracking, but Google itself doesn't honor the request, a fact Google added to its support page some time in the last year. [...] "It is, in many respects, a failed experiment," said Jonathan Mayer, an assistant computer science professor at Princeton University. "There's a question of whether it's time to declare failure, move on, and withdraw the feature from web browsers." 
That's a big deal coming from Mayer: He spent four years of his life helping to bring Do Not Track into existence in the first place. Only a handful of sites actually respect the request -- the most prominent of which are Pinterest and Medium (Pinterest won't use offsite data to target ads to a visitor who's elected not to be tracked, while Medium won't send their data to third parties.)

Read more of this story at Slashdot.

There are Bolsonaro supporters who want a Kristallnacht

On the streets of Rio, fewer and fewer people are seen with stickers carrying political and election messages stuck to their clothes, bags and backpacks. The stickers disappeared because of the fear felt by those who displayed them up until the first-round vote. Fear of violence against those who think differently. Beyond political fear and existential fear, physical fear is spreading.

It is not paranoia on the part of those who have retreated into discretion. The wave of violence did not wait for the sun of the morning after the Bolsonaro electoral tsunami to break. In the early hours of October 8, the capoeira master, composer, founder of Afoxé Badauê and Black activist Moa do Katendê was killed in cold blood in Salvador. The barber Paulo Sérgio Ferreira de Santana stabbed him 12 times. Moa was 63. Paulo Sérgio is 36.

In a bar, the author of "Badauê", a song recorded by Caetano Veloso on the album "Cinema Transcendental", had declared his vote for Fernando Haddad. A Jair Bolsonaro voter, the barber argued with him, left, fetched a knife and treacherously attacked Moa from behind. They buried the capoeira master to the sound of berimbaus. In Pelourinho, hundreds of voices sang the "Canto das três raças" in his memory.

In Recife, public servant Paula Guerra was beaten on the night of election Sunday after criticizing Bolsonaro's ideas. Her face was left disfigured, her body covered in abrasions, and a fractured bone in one arm was diagnosed. Paula was wearing a Ciro Gomes sticker.

Earlier, also in the Pernambuco capital, a journalist was cut on the arm and chin with a metal instrument. She was at the place where she had voted. The two men who wounded her threatened her with rape. One of them wore a T-shirt printed with Bolsonaro's image. The congressman is co-author of a bill that revokes mandatory care for victims of sexual violence in the public health system.

That same weekend, in Nova Iguaçu, transgender singer Jullyana Barbosa was assaulted. Men hurled homophobic slurs at her. One of them, she has not forgotten, shouted: "I hope Bolsonaro wins so he can kill this trash." They struck her on the head with an iron bar, and Jullyana bled. The wound took ten stitches.

In Curitiba, a student at the Federal University of Paraná wearing an MST cap was kicked and hit with bottles by a group that, according to witnesses, was shouting "This is Bolsonaro territory!" Cook and doula Luísa Alencar recounted that in São Paulo she was stenciling the message "Ele Não" ("Not Him") on a wall. She said a police officer tripped her, knocking her to the ground, and told her: "I'll only let you up if you say 'ele sim' ('him, yes')." Dragged to a police station, she was only allowed to leave after pronouncing the two required words. Before that, one of the officers insulted her: "Slut!"

Professor Sabine B. Righetti was walking her dog and refused to take a pro-Bolsonaro flyer. The man handing out the propaganda called her a "slut, communist, prostitute." Journalist Cynara Menezes mocked the thuggishness of Bolsonaro supporters: "They're not sexist; they just call women sluts in any argument."

On election Sunday, public servant Paula Guerra was beaten for criticizing Bolsonaro's ideas.

Photo: Reproduction/Facebook

The return of the swastikas

"Slut!", Jair Bolsonaro bellowed at congresswoman Maria do Rosário in 2010. Many of his voters have decided to combine verbal violence with physical violence. From September 30 to October 10, supporters of the PSL candidate were the perpetrators of at least 50 assaults, according to an inventory by Agência Pública. They are "isolated cases," Bolsonaro said, minimizing them, and called the criminal acts an "excess." He regretted them. And washed his hands of them: "What do I have to do with it?"

He cited the attack he suffered in Juiz de Fora to argue that he is a victim, not a herald, of violence. But none of Bolsonaro's opponents keeps up a discourse that inspires the use of force. Apparently unintentionally, the candidate on Thursday endorsed the inescapable impression: "I am a victim of what I preach."

Gays have been a particular target of this rabid fury. It echoes the captain's admission: "Yes, I am homophobic, and very proud of it." His pedagogy: "If the son starts getting a bit gay, give him a beating and he'll change his behavior." Bolsonaro describes a homosexual as "the guy who has sex with his excretory organ."

In Porto Alegre, a young woman was walking with a sticker printed with a rainbow, the LGBTI symbol, and the message "Ele Não." She reported that one night last week, as she got off the bus, three young men attacked her with punches. With a penknife, they cut her belly and carved a swastika into it. Police chief Paulo Jardim denied the obvious in an interview with BBC News Brasil: "It is a Buddhist symbol, of harmony, love, peace and fraternity."

The swastikas are back, and not as a harbinger of peace and love. In Pelotas, one was spray-painted on the statue of writer João Simões Lopes Neto. In a district of Nova Friburgo, there were at least six on a century-old church. A building of the Language Institute of the Federal University of Mato Grosso was vandalized with a swastika accompanied by the number 17. In a bathroom at the São Bernardo do Campo Law School, one could read: "Bolsonaro is going to clean this school of blacks and faggots."

In Rio, at the Colégio Franco-Brasileiro, the threat read: "Dykes will die." Students at a state school in São Paulo targeted a Black sociology teacher, Odara Dèlé, and wrote: "Fucking black slut." They rounded off the attack with a swastika, whose meaning Odara had taught them in class. A week earlier, four white students had shouted "Long live Bolsonaro!"

The kinship between Bolsonaro's ideas and Nazi-fascism has been noticed not only by those in Brazil who reject him and spread the hashtags #Bolsonazi and #BOLSONARO (with the "S" replaced by a swastika). The website of the American magazine Foreign Policy published an article titled "Jair Bolsonaro's Model Isn't Berlusconi. It's Goebbels."

Journalist and writer Juremir Machado da Silva tweeted a sharp observation: Bolsonaro supporters themselves line up to the right of Nazism: "Quite a feat. To the right of Hitler. Radical Bolsonarism is so far-right that, out of ignorance, extremism and ideology, it considers Nazism to be left-wing."

The voice of a thinker of undeniable legitimacy was heard rejecting similarities between Bolsonarism and Nazism: Guilherme de Pádua. The murderer of actress Daniella Perez said he was (unfavorably) "impressed" by those who believe "that Bolsonaro is going to persecute Blacks and gays the way Hitler persecuted the Jews."

The captain's ideology seduces. The American historian David Duke, a veteran of the racist Ku Klux Klan and a Holocaust denier, vouched: Bolsonaro "sounds like us. And he is also a very strong candidate. He is a nationalist."

At the march of at least 150,000 demonstrators against the far right in Berlin on Saturday, signs were raised in favor of democracy in Brazil and against Bolsonaro. Cartoonist Benett ridiculed the police chief's unhinged interpretation: he drew the swastika as a "Buddhist symbol" and Hitler as the filmmaker Charles Chaplin. Instagram censored him, taking his work down.

In the first second-round poll, Datafolha found a commanding lead for Bolsonaro, 58% to 42%. Among respondents who described themselves as "Black," however, Haddad led (45% to 37% of total voting intentions). And that was before it was known that General Aléssio Ribeiro Souto, the captain's adviser on education policy, opposes racial and social quotas in education.

"Killer authoritarianism"

The congressman has already argued that minorities that do not "adapt" to majorities should "disappear." Right after the first round, he promised to "put an end to all activisms." "Disappearance" and "putting an end" are concepts associated with annihilation and extermination. With Bolsonaro's success in the knockout round of October 7, some of his followers lost all restraint about brutalizing others. They settle scores, on other people's backs, with their own hang-ups, resentments and frustrations.

The writer Olavo de Carvalho, a Bolsonaro enthusiast, predicted that a defeat "of the representatives of the current power scheme [sic]" will be "their total destruction as groups, as organizations and even as individuals." Carvalho left no doubt about the phrase "even as individuals": "They are not fighting for power or to win an election, they are fighting for their political, social, economic and even physical survival."

Caetano Veloso answered him in the "Folha" with the article "Olavo is inciting violence; I call on my fellow citizens to repudiate him." In the composer's reading, the argument of the U.S.-based author "is an announcement of killer authoritarianism." The other day Bolsonaro scoffed at the at least 400 people killed and "disappeared" for political reasons during the dictatorship: "Today that many die during Carnival, and nobody says anything."

His ruthlessness is recurrent. Last year, Fernando Henrique Cardoso admitted his fear of being killed by Bolsonaro, who had threatened him with death in the 1990s: "Today I am afraid, because now he has power, not yet, he has the possibility of power."

Rare episodes of assaults on Bolsonaro supporters are recorded. So evident is the far-right banner of those driving the outbreak of violence that more lies are being forged to confuse matters. A forger planted on WhatsApp and Facebook a photograph of an elderly woman with her face deformed by bruises. The caption denounced: "This lady was assaulted by PT supporters in the street when she shouted Bolsonaro."

The lady in question is Beatriz Segall, who died on September 5 of respiratory complications. The image is from 2013, when the actress tripped on a sidewalk and fell. The satirical site "Sensacionalista" mocked: "Vatican investigates resurrection of Beatriz Segall in fake news."

In harmony with Bolsonarism's harassment of journalists, the flood of lies prevails, in the most dishonest election campaign in Brazil's history. Olavo de Carvalho posted: "I am reading a little book by Haddad, in which he defends the charming thesis that to establish socialism one must first overthrow the 'incest taboo.' The gay kit is small change. The man wants boys to have sex with their mothers." It was fantasy, but it circulated as fact in WhatsApp chains. City councilman Carlos Bolsonaro shared it. The TSE refused to ban the false claim.

Not even on the eve of the 1964 coup was there such a disturbing atmosphere of political (and now also behavioral) persecution in the streets. The multiplication of assaults coincides with Bolsonaro's growing prospect of being elected.

Intimidating approaches of the "wait until Bolsonaro is president…" kind suggest that the rage shown so far may turn out to be moderate compared with the savagery that the most radical and furious adherents of Bolsonarism might practice all at once. Does anyone doubt that such a day of horror could come?

In Germany, it came 80 years ago. The pretext was the assassination of a German diplomat by a young Jew. On the night of November 9 to 10, 1938, thousands of Nazis set fire to the homes of Jewish families, destroyed their shops, desecrated the synagogues and beat many people. They killed nearly a hundred. The pogrom was named Kristallnacht, the Night of Broken Glass, after the shards of glass from the windows and shop fronts smashed by the Hitlerite mob. Complicit, the police looked on without intervening.

The Brazil of 2018, fortunately, is not the Germany of 1938. But it inherits from the past the extremist hatred and intolerance that here permeate the fanatical fringes of Bolsonarism. They want more violence. Should they jointly set out on a hunt for those who disagree with them, the night now unfolding will be even more painful and cruel.

Cover photo: Nazi graffiti and xenophobic threats at Lagoa do Taquaral, in Campinas.

The post Tem bolsonarista querendo uma Noite dos Cristais appeared first on The Intercept.

Women in Information Security: Theresa Payton

Last time, I had fun speaking with my friend, red team-minded student/teacher Alana Staszczyszyn. This time, I had the privilege of speaking with cybersecurity and intelligence industry veteran Theresa Payton. She’s always had tons of responsibility. She went from the White House to start her own private sector firm, Fortalice Solutions. Kim Crawley: Hi, Theresa! […]

The post Women in Information Security: Theresa Payton appeared first on The State of Security.

NCSAM: It’s Everyone’s Job to Ensure Online Safety at Work

October is National Cyber Security Awareness Month (NCSAM). NCSAM is a great initiative to help educate and inform our friends and family on the importance of taking your digital security seriously. Week Three in particular aims to help users fuse cybersecurity across their work and personal lives and emphasizes the shared responsibility of employees to […]

The post NCSAM: It’s Everyone’s Job to Ensure Online Safety at Work appeared first on The State of Security.

YouTube is Down

YouTube is facing outage worldwide, users and web tracker DownDetector reported Tuesday evening. Users attempting to visit the site have reported seeing a blank website frame instead of the usual homepage. The YouTube app also showed the same problems. In a tweet, YouTube said it was working on resolving the issues.

Read more of this story at Slashdot.

Chrome 70 Arrives With Option To Disable Linked Sign-Ins, PWAs On Windows, and AV1 Decoder

Krystalo quotes a report from VentureBeat: Google today launched Chrome 70 for Windows, Mac, and Linux. The release includes an option to disable linking Google site and Chrome sign-ins, Progressive Web Apps on Windows, the ability for users to restrict extensions' access to a custom list of sites, an AV1 decoder, and plenty more. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. An anonymous Slashdot reader adds: "The most anticipated addition to today's release is a new Chrome setting panel option that allows users to control how the browser behaves when they log into a Google account," reports ZDNet. "Google added this new setting after the company was accused last month of secretly logging users into their Chrome browser accounts whenever they logged into a Google website." Chrome 70 also comes with support for the AV1 video format, TLS 1.3 final, per-site Chrome extension permissions, TouchID and fingerprint sensor authentication, the Shape Detection API (gives Chrome the ability to detect and identify faces, barcodes, and text inside images or webcam feeds), and, last but not least, 23 security fixes.

Read more of this story at Slashdot.

Breaking Down the Rapidly Evolving GandCrab Ransomware

Most ransomware strains share the same hallmarks – bitter ransom notes, payment demanded in cryptocurrency, and inventive names. A select few, however, can go undetected by a handful of antimalware products. Meet GandCrab ransomware, a strain that manages to accomplish all of the above. Our McAfee Labs team has found that the ransomware, which first appeared in January, has been updating rapidly during its short lifespan, and now includes a handful of new features, including the ability to remain undetected by some antimalware products.

First and foremost, let’s break down how GandCrab gets its start. The stealthy strain spreads in a variety of ways. GandCrab can make its way onto users’ devices via remote desktop connections that are either weakly secured or whose credentials were bought in underground forums, phishing emails, legitimate programs that have been infected with the malware, specific exploit kits, botnets, and more.

GandCrab’s goal, just like that of other ransomware, is to encrypt victims’ files and promise to release them for a fee paid in cryptocurrency (often Dash or Bitcoin). It is also sold on the dark web as ransomware-as-a-service, or RaaS, which lets wannabe cybercriminals buy the strain to conduct attacks of their own.

So, the next question is what can users do to defend against this tricky attack? Thankfully, McAfee gateway and endpoint customers are protected against the latest GandCrab versions but beyond using security software, there are a handful of other things you can do to ensure you’re protected from GandCrab ransomware. Start by following these tips:

  • Don’t pay the ransom. Many ransom notes seem convincing, and many only request small, seemingly doable amounts of money. It doesn’t matter – you still don’t pay. Paying does not guarantee you’ll get your information back, and many victims never do. So, no matter how desperate you are for your files, hold off on paying up.
  • Do a complete backup. With ransomware attacks locking away crucial data, you need to back up the data on all your machines. If a machine becomes infected with ransomware, there’s no guarantee you’ll get that data back – it could even be wiped entirely in some cases. Make sure you cover all your bases and keep your data stored on an external hard drive or in the cloud.
  • Use decryption tools. No More Ransom – an initiative that teams up security firms, including McAfee, and law enforcement – provides tools to free your data, each tailored to a specific type of ransomware. If your device is held for ransom, start by researching which type of ransomware it is. Then check No More Ransom’s decryption tools and see if one is available for your specific strain.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Breaking Down the Rapidly Evolving GandCrab Ransomware appeared first on McAfee Blogs.


McAfee Honors 25 Partners with Awards for Excellence & Innovation in Security

Today McAfee, the device-to-cloud cybersecurity company, announced the winners of its distinguished Partner Awards. The awards ceremony, hosted at McAfee’s Americas Partner Summit in Las Vegas, recognized partners who demonstrated the embodiment of three foundational pillars of the McAfee Partner Program: strategic relationships, profitable partnerships and driving better customer outcomes.

Partners received awards based on their commitment to McAfee’s business strategy, building strong ecosystems, dedication to customers, delivery of exemplary marketing strategies, going above and beyond in the name of community service, demonstration of technical efficiency and successful buildout of managed services.

“In cybersecurity no one company can prevent every possible threat, and that’s what makes the partner community so vital to the success of our customers,” said Ken McCray, head of channel sales and operations for the Americas at McAfee. “No matter what, we put the customer at the core of everything we do by working together with our partners to provide the solutions and expertise that businesses depend on.”

Winners included:

The post McAfee Honors 25 Partners with Awards for Excellence & Innovation in Security appeared first on McAfee Blogs.

McAfee Security Innovation Alliance 2018 DevCon Awards

Today McAfee, the device-to-cloud cybersecurity company, announced the winners of its distinguished SIA Partner Awards. The awards ceremony, hosted at McAfee’s Americas Partner Summit in Las Vegas, recognized partners who demonstrated the embodiment of innovation, strategic value, and market leadership in their respective market segments that complement the McAfee solution portfolio.

“Today’s businesses are challenged more than ever before to stay ahead of the latest risks and cyberthreats,” said D.J. Long, vice president of strategic business development, McAfee. “McAfee understands that no single cybersecurity company can prevent every possible threat. The McAfee SIA program enables businesses to tap into certified integrated solutions from industry-leading providers to help protect data and minimize risk with fewer resources.”

We are pleased to announce the winners of the 2018 McAfee Security Innovation Alliance DEVCON Awards in the following three categories: Rookie of the Year, Most Innovative Partner of the Year, and SIA Partner of the Year.

Rookie of the Year 2018: Menlo Security

Rookie of the Year criteria include business impact, solution innovation, and program membership under 18 months.

Menlo Security joined SIA in May 2018. Their integration with McAfee Web Gateway was fully completed and certified in just one month! Immediately after certification, Menlo jumped in to support McAfee on a unique project to drive innovation with a mutual customer.

Menlo Security has partnered with McAfee to provide web security that wins against today’s advanced threats. McAfee Web Gateway customers can set up policies to dynamically route web sessions to the Menlo Security Isolation Platform. The enterprise is protected from any potential web threats while the user has a seamless experience with their native browser. The joint solution improves employee productivity by providing safe access to the internet and reduces burden on IT staff who no longer need to maintain restrictive web policies and manage exceptions. The Isolation Platform can also be used to address “air-gap” requirements of certain financial services and government organizations.

Most Innovative Partner of the Year: IBM Security

Criteria for Most Innovative Partner of the Year are based on the design and use of the McAfee ePO software development kit (SDK), McAfee Threat Intelligence Exchange, McAfee Data Exchange Layer, and other key McAfee technologies.

IBM Security is partnering with McAfee across multiple IBM and McAfee product sets and teams, including Resilient, BigFix, and QRadar on the IBM side. Completed and certified integrations with IBM’s incident response platform, Resilient, include TIE, DXL, ePO, and ATD, the last completed just last week. ESM is slated for the end of September and NSP is in progress. Furthermore, all McAfee Resilient integrations are published on IBM’s AppExchange. Roadmap projects include building a QRadar-ePO app and working to leverage bilateral agent deployments with BigFix. Read our solution brief for more details.

SIA Partner of the Year 2018: Avecto/BeyondTrust (both acquired this year by Bomgar)

Most Valuable Partner of the Year criteria cover the breadth and depth of the partner’s multiple integrations and close business engagement with McAfee.

Avecto are the undisputed leader in sales teaming success, with an average closed-won deal size of $350K and currently more than 30 registered and accepted opportunities in the pipeline. The other half of this team are BeyondTrust with $6M in pipeline and over 100% growth Year over Year. Avecto and BeyondTrust integrate with McAfee ESM, ePO and DXL.

For more information about our integrations, read the solution briefs on the integrations with Avecto and BeyondTrust.

The post McAfee Security Innovation Alliance 2018 DevCon Awards appeared first on McAfee Blogs.

Palm Is Back With a Mini Companion Android Phone That’s Exclusive To Verizon

A couple months ago, it was reported that the dearly departed mobile brand known as Palm would be making a comeback. That day has finally come. Yesterday, Palm announced The Palm, a credit card-sized Android smartphone that's supposed to act as a second phone. Droid Life reports: The Palm, which is its name, is a mini-phone with a 3.3-inch HD display that's about the size of a credit card, so it should fit nicely in your palm. It could be put on a chain or tossed in a small pocket or tucked just about anywhere, thanks to that small size. It's still a mostly fully-featured smartphone, though, with cameras and access to Android apps and your Verizon phone number and texts. The idea here is that you have a normal phone with powerful processor and big screen that you use most of the time. But when you want to disconnect some, while not being fully disconnected, you could grab Palm instead of your other phone. It uses Verizon's NumberSync to bring your existing phone number with you, just like you would if you had an LTE smartwatch or other LTE equipped device. Some of the specs of this Verizon-exclusive phone include a Snapdragon 435 processor with 3GB RAM, 32GB storage, 12MP rear and 8MP front cameras, 800mAh battery, IP68 water and dust resistance, and Android 8.1. As Kellen notes, "It does cost $350, which is a lot for a faux phone..." We've already seen a number of gadget fans perplexed by this device. Digital Trends goes as far as calling it "the stupidest product of the year."

Read more of this story at Slashdot.

Stocks Surge on Earnings as Saudi Tensions Ease

US stocks started the session in positive territory following the positive earnings surprises by Goldman Sachs (GS) and Morgan Stanley (MS), and from then on, the floodgates opened and we saw the strongest rally on Wall Street since March. President Trump’s more diplomatic stance towards Saudi Arabia helped the bounce in stocks, together with the […]

The post Stocks Surge on Earnings as Saudi Tensions Ease appeared first on Hacked: Hacking Finance.

FBI Releases Article on Defending Against Payroll Phishing Scams

Original release date: October 16, 2018

The Federal Bureau of Investigation (FBI) has released an article on building a digital defense against phishing scams targeting electronically deposited paychecks. In these schemes, scammers use phishing emails to direct employees to fraudulent websites and collect their work credentials. Scammers then use victims’ credentials to replace legitimate direct deposit information with their own account details.

NCCIC encourages users to review the FBI Article and NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for more information. If you believe you have been a victim of these scams, report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov.


This product is provided subject to this Notification and this Privacy & Use policy.



Google Maps Adds EV Charging Station Info

Google Maps is adding a new feature that will let you search for charging stations and provide you with useful information about that station. The feature is rolling out today and will be available on both Android and iOS. Engadget reports: Just search for "EV charging stations" or "EV charging," and Google Maps will locate those nearby. It will also tell you what types of ports are available, how many there are as well as the station's charging speeds, and businesses with charging stations will now have a link that will lead you to more information about their setup. Additionally, you'll be able to see what other users thought of the station, as Google Maps will bring up user-posted photos, ratings and reviews. Google Maps will include information about charging stations from Tesla and Chargepoint worldwide. In the US, it will also source info about SemaConnect, EVgo and Blink stations. UK users will have access to Chargemaster and Pod Point stations, while Australia and New Zealand EV drivers will see info on Chargefox stations. Unfortunately, you won't be able to tell if individual charging stations are occupied. Also, Google doesn't have Electrify America, a Volkswagen subsidiary that's building a nationwide network of fast-charging stations with universal technology.

Read more of this story at Slashdot.

Amazon Worker Pushes Bezos To Stop Selling Facial Recognition Tech To Police

An anonymous reader quotes a report from The Hill: An Amazon employee is seeking to put new pressure on the company to stop selling its facial recognition technology to law enforcement. An anonymous worker, whose employment at Amazon was verified by Medium, published an op-ed on that platform on Tuesday criticizing the company's facial recognition work and urging the company to respond to an open letter delivered by a group of employees. The employee wrote that the government has used surveillance tools in a way that disproportionately hurts "communities of color, immigrants, and people exercising their First Amendment rights." "Ignoring these urgent concerns while deploying powerful technologies to government and law enforcement agencies is dangerous and irresponsible," the person wrote. "That's why we were disappointed when Teresa Carlson, vice president of the worldwide public sector of Amazon Web Services, recently said that Amazon 'unwaveringly supports' law enforcement, defense, and intelligence customers, even if we don't 'know everything they're actually utilizing the tool for.'" The op-ed comes one day after Amazon CEO Jeff Bezos defended technology companies working with the federal government on matters of defense during Wired's ongoing summit in San Francisco. "If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble," Bezos said on Monday.

Read more of this story at Slashdot.

CVE-2018-11021

kernel/omap/drivers/video/omap2/dsscomp/device.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/dsscomp with the command 1118064517 and cause a kernel crash.

CVE-2018-11024

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 1077435789 and cause a kernel crash.

CVE-2018-14772

Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

CVE-2018-11025

kernel/omap/drivers/mfd/twl6030-gpadc.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/twl6030-gpadc with the command 24832 and cause a kernel crash.

CVE-2018-11022

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3224132973 and cause a kernel crash.

CVE-2018-11023

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3222560159 and cause a kernel crash.

CVE-2018-11020

kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash.

CVE-2018-11019

kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3221773726 and cause a kernel crash.

Why Investors Should Be Paying Attention to Digitex Futures Token

Right now, to say cryptocurrencies are in a bit of a valley is an understatement. Since January 2018, there has been a consistent downtrend or plateau for much of the year. We’ve heard many crypto-naysayers declare that this is the death of crypto, or that these assets are only now trading at their fair market […]

The post Why Investors Should Be Paying Attention to Digitex Futures Token appeared first on Hacked: Hacking Finance.

MoD secrets exposed in major cyberattack

itproportal.com - Secrets of the Ministry of Defence (MoD) have been exposed in numerous cyber security incidents last year, the media are reporting this Monday. According to Sky News, who has seen MoD’s reports, a to…


Tweeted by @cybersimplified https://twitter.com/cybersimplified/status/1052318427057012737

Qualcomm’s New Wi-Fi Chips Are Meant To Rival 5G Speeds

"Qualcomm is launching a family of chips that can add incredibly high-speed Wi-Fi -- at speeds up to 10 gigabits per second -- to phones, laptops, routers, and so on," reports The Verge. The Wi-Fi standard used for something like replacing a virtual reality headset's data cable with a high-speed wireless link is being updated. Qualcomm's latest chips improve a wireless technology called WiGig, which relies on a connection standard known as 802.11ad, which can hit speeds up to 5 gigabits per second over close to 10 meters. The new generation of that wireless standard, called 802.11ay, can reach speeds twice as fast, and can do so up to 100 meters away, according to Dino Bekis, the head of Qualcomm's mobile and compute connectivity group. The Wi-Fi Alliance says the new standard "increases the peak data rates of WiGig and improves spectrum efficiency and reduces latency." From the report: So why not just use this as normal Wi-Fi, given how fast it gets? Because that range is only line-of-sight -- when there's literally nothing in the way between the transmitter and the receiver. This high-speed Wi-Fi is based on millimeter wave radio waves in the 60GHz range. That means it's really fast, but also that it has a very difficult time penetrating obstacles, like a wall. That's a problem if you want a general purpose wireless technology. That's why 802.11ay, like 802.11ad before it, is being used as an optional add-on to existing Wi-Fi technology. If you're one of the people who has a need for these extreme wireless speeds, then maybe you'll find a use for it. Just keep in mind, you'll probably need to keep your router and the device receiving these high speeds in the same room in order for it to work, due to the whole "walls" issue. WiGig will also be competing with 5G, as it offers "similarly fast speeds over similarly limited distances," reports The Verge. "[T]he two standards may be competing as an option for delivering internet from a tower to a home -- that's what Facebook's Terragraph is doing with WiGig, and it's what Verizon is doing with 5G."

Read more of this story at Slashdot.

NCSC Report Says Phishing On The Decline As Nation State Attacks Take Over, Major UK Cyber Attack Inevitable

This morning, the National Cyber Security Centre (NCSC) published its two-year review, detailing findings from its second year of operations. The report found that there is “little doubt” that a major cyber attack will happen in the near future, and whilst the NCSC has halved the UK’s share of phishing attacks, from 5.3% to 2.4%, most worryingly it has also had to prevent multiple attacks from hostile nation states. IT security experts commented below.

Fraser Kyne, EMEA CTO at Bromium:

“This report should raise the alarm for any organisation unprepared for attacks from hostile nation states. Whether it’s a sophisticated zero day attack, or a simplistic phishing attempt, organisations must ensure they are ready to proactively prevent nation states from disrupting operations. However, current systems are woefully ill-equipped to deal with common attack vectors like email or downloads, so a determined hacker with the resources of a nation state behind them can easily bypass cyber-defences.

“Currently, enterprises are relying on threat detection tools to estimate where lightning is going to strike, so they can attempt to intercept hackers before they cause disruption. However, all too often these tools throw up a deluge of alerts that only allow operations teams to react and mitigate once a breach has taken place. It’s time for a change in mindset that focuses on protection first, containing threats before they can do any damage. Detection alone cannot protect organisations from advanced threats. Instead, organisations need to adopt layered cybersecurity defences that allow them to proactively defend against common attack vectors in real-time, instead of reacting after the fact.”

Bill Evans, senior director at One Identity:

“The figures within the NCSC’s report, to my mind, are surprisingly low. This might be due to the limited types of breaches or attempted breaches investigated by the NCSC. In terms of the eventuality of a Category 1 cyberattack, it’s nearly impossible to measure readiness for cyber threats. However, there have been more than 1,000 investigated breaches in the past several years – very few of which have been successful. This suggests that the UK is doing a fine job at averting disaster. As threat actors are continually evolving their strategies for cyberwarfare, the UK needs to continue updating its defences on a daily basis and avoid complacency.

Provided those charged with cybersecurity remain focused on their mission during the upheaval that has and will ensue as a result of Brexit, the UK should remain at least as safe as it is today. The biggest potential threat to our cyber defences is if a parliamentarian, who may not be well-versed in cyber security, decides to enact a law that prevents our security professionals from effectively defending our cyber borders.

In order for organisations to play their part in effort to reduce the threat of cyberattack, all enterprises should focus on the “big four” of cyber defences: using multi-factor authentication, implementing a strong privileged access management programme, governance and end user education.”

Javvad Malik, Security Advocate at AlienVault:

“The comments by NCSC are very interesting and deserve close attention. With the spread of IoT into so many aspects of daily life and critical infrastructure, a cyber attack can have far greater impact and consequences. Companies of all sizes should be wary of cyber attacks and have in place appropriate and adequate security controls to help detect threats so that this information can be shared to better protect everyone.”

The ISBuzz Post: This Post NCSC Report Says Phishing On The Decline As Nation State Attacks Take Over, Major UK Cyber Attack Inevitable appeared first on Information Security Buzz.

MongoDB Switches Up Its Open-Source License

MongoDB is taking action against cloud giants who are taking its open-source code and offering a hosted commercial version of its database to their users without playing by the open-source rules. The company announced today that it has issued a new software license, the Server Side Public License (SSPL), "that will apply to all new releases of its MongoDB Community Server, as well as all patch fixes for prior versions," reports TechCrunch. From the report: For virtually all regular users who are currently using the community server, nothing changes because the changes to the license don't apply to them. Instead, this is about what MongoDB sees as the misuse of the AGPLv3 license. "MongoDB was previously licensed under the GNU AGPLv3, which meant companies who wanted to run MongoDB as a publicly available service had to open source their software or obtain a commercial license from MongoDB," the company explains. "However, MongoDB's popularity has led some organizations to test the boundaries of the GNU AGPLv3." So while the SSPL isn't all that different from the GNU GPLv3, with all the usual freedoms to use, modify and redistribute the code (and virtually the same language), the SSPL explicitly states that anybody who wants to offer MongoDB as a service -- or really any other software that uses this license -- needs to either get a commercial license or open source the service to give back the community. "The market is increasingly consuming software as a service, creating an incredible opportunity to foster a new wave of great open source server-side software. Unfortunately, once an open source project becomes interesting, it is too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community," said Eliot Horowitz, the CTO and co-founder of MongoDB, in a statement. "We have greatly contributed to -- and benefited from -- open source and we are in a unique position to lead on an issue impacting many organizations. We hope this will help inspire more projects and protect open source innovation."

Read more of this story at Slashdot.

Notes on the UK IoT cybersec "Code of Practice"

The British government has released a voluntary "Code of Practice" for securing IoT devices. I thought I'd write some notes on it.

First, the good parts

Before I criticize the individual points, I want to praise it for having a clue. So many of these sorts of things are written by the clueless, those who want to be involved in telling people what to do but who don't really understand the problem.

The first part of the clue is restricting the scope. Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems, or mobile phones that they should never really be talked about in the same guide.

The next part of the clue is understanding the players. It's not just the device that's a problem, but also the cloud and mobile app part that relates to the device. Though they do go too far and include the "retailer", which is a bit nonsensical.

Lastly, while I'm critical of almost all the points on the list and how they are described, it's probably a complete list. There's not much missing, and at the same time it includes little that isn't necessary. In contrast, a lot of other IoT security guides lack important things, or take the "kitchen sink" approach and try to include everything conceivable.

1) No default passwords

Since the Mirai botnet of 2016 famously exploited default passwords, this has been at the top of everyone's list. It's the most prominent feature of the recent California IoT law. It's the major feature of federal proposals.

But this is only a superficial understanding of what really happened. The issue wasn't default passwords so much as Internet-exposed Telnet.

IoT devices are generally based on Linux, which maintains operating-system passwords in the /etc/passwd file. However, devices almost never use that. Instead, the web-based management interface maintains its own password database. The underlying Linux system is vestigial, like an appendix, and not really used.

But these devices exposed Telnet, providing a path to this otherwise unused functionality. I bought several of the Mirai-vulnerable devices, and none of them used /etc/passwd for anything other than Telnet.

Another way default passwords get exposed in IoT devices is through debugging interfaces. Manufacturers configure the system one way for easy development, and then ship a separate "release" version. Sometimes they make a mistake and ship the development backdoors as well. Programmers often insert secret backdoor accounts into products for development purposes without realizing how easy it is for hackers to discover those passwords.

The point is that this focus on backdoor passwords is misunderstanding the problem. Device makers can easily believe they are compliant with this directive while still having backdoor passwords.

As for the web management interface, saying "no default passwords" is useless. Users have to be able to set up the device the first time, so there has to be some means of connecting to the device without a password initially. Device makers don't know how to do this without default passwords. Instead of mindless guidance on what not to do, a document needs to be written that explains how devices can do this both securely and easily enough for users to use.

Humorously, the footnotes in this section do reference external documents that might explain this, but they are the wrong documents, appropriate for things like website password policies, but inappropriate for IoT web interfaces. This again demonstrates how they have only a superficial understanding of the problem.

2) Implement a vulnerability disclosure policy

This is a clueful item, and it should be the #1 item on every list.

They do add garbage on top of this, such as demanding that companies respond in a "timely manner", but overall this isn't a bad section.

3) Keep software updated

This is another superficial understanding of the problem.

Software patching works for desktop and mobile phones because they have interfaces the user interacts with, ones that can both notify the user of a patch as well as the functionality to apply it. IoT devices are usually stuck in a closet somewhere without such interfaces.

Software patching works for normal computers because they sell for hundreds of dollars and thus have sufficient memory and storage to reliably do updates. IoT devices sell for cut-throat margins and have barely enough storage to run. This either precludes updates altogether, or at least means the update isn't reliable, that upon every update, a small percentage of customer devices will be "bricked", rendered unusable. Adding $1 for flash memory to a $30 device is not a reasonable solution to the problem.

Software patching works for software because of its enormous margins and longevity. A software product is basically all profit. The same doesn't apply to hardware, where devices are sold with slim margins. Device makers have a hard time selling them for more because there are always no-name makers of almost identical devices in Shenzhen willing to undercut them. (Indeed, looking at Mirai, it appears that the majority of infected devices were not major brands but no-name knock-offs.)

The document says that device makers need to publish how long the device will be supported. This ignores the economics. Device makers cannot know how long they will support a device. As long as they are selling new ones, they have the incentive and profits to keep supplying updates. After that, they don't. There's really no way for them to predict the long-term market success of their devices.

Guarantees cost money. If they guarantee security fixes for 10 years, then that's a liability they have to account for on their balance sheet. It's a huge risk: if the product fails to sell lots of units, then they are on the hook for a large cost without the necessary income to match it.

Lastly, the entire thing is a canard. Users rarely update firmware for devices. Blaming vendors for not providing security patches/updates means nothing without blaming users for not applying them.

4) Securely store credentials and security-sensitive data

Like many guides, this section makes the superficial statement "Hard-coded credentials in device software are not acceptable". The reason this is silly is that public keys are a "credential", and you indeed want "hard-coded" public keys. Hard-coded public-key credentials are how you do other security functions, like encryption and signature verification.

This section tells device makers to use the trusted-enclave features like those found on phones, but this is rather silly. For one thing, that's a feature of only high-end CPUs, not the low-end CPUs found in such devices. For another thing, IoT devices don't really contain anything that needs that level of protection.

Storing passwords in clear text on the device is almost certainly adequate security, and this section can be ignored.

5) Communicate securely

In other words, use SSL everywhere, such as on the web-based management interface.

But this is only a superficial understanding of how SSL works. You (generally) can't use SSL for devices because there's no secure certificate on the device. It forces users to bypass nasty warnings in the browser, which hurts the entire web ecosystem. Some IoT devices do indeed try to use SSL this way, and it's bad, very bad.

On the other hand, IoT devices can and should use SSL when connecting outbound to the cloud.

6) Minimise exposed attack surfaces

This is certainly a good suggestion, but it's a platitude rather than an action item. IoT devices already minimize as much as they can in order to reduce memory/storage requirements. Where this is actionable requires subtler understanding. A lot of exposed attack surfaces come from accidents.

A lot of other exposed attack surfaces come about because device makers know no better way. Actually helpful, meaningful advice would consist of telling them what to do in order to solve problems, rather than telling them what not to do.

The reason Mirai-devices exposed Telnet was for things like "remote factory reset". Mirai infected mostly security cameras which don't have factory reset buttons. That's because they are located high up out of reach, or if they are in reach, they don't want to allow the public to press the factory reset button. Thus, doing a factory reset meant doing it remotely. That appears to be the major reason for Telnet and "hardcoded passwords", to allow remote factory reset. Instead of telling them not to expose Telnet, you need a guide explaining how to securely do remote factory resets.

This guide discusses "ports", but the reality is that the attack surface in the web-based management interface on port 80 is usually bigger than all other ports put together. Focusing on "ports" reflects a superficial understanding of the problem.

7) Ensure software integrity

The guide says "Software on IoT devices should be verified using secure boot mechanisms". No, it shouldn't be. In the name of security, they should do the opposite.

First of all, getting "secure boot" done right is extraordinarily difficult. Apple does it the best with their iPhone and still they get it wrong. For another thing, it's expensive. Like trusted enclaves in processors, most of the cheap low-end processors used in IoT don't support it.

But the biggest issue is that you don't want it. "Secure boot" means the only operating system the device can boot comes from the vendor, which will eventually stop supporting the product, making it impossible to fix any security problem. Not having secure boot means that customers are still able to patch bugs without the manufacturer's help.

Instead of secure boot, device makers should do the opposite and make it easy for customers to build their own software. They are required to do so under the GNU Public License anyway. That doesn't mean open-sourcing everything, they can still provide their private code as binaries. But they should allow users to fix any bug in open-source and repackage a new firmware update.
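To make the "hard-coded public key" point from section 4 and the "let owners build their own firmware" point above concrete, here is an added Go example (written for this page, not the post's code and not any vendor's): an update verifier in which the vendor's Ed25519 public key is baked into the firmware, and an owner with physical access can enrol a second key so the device stays patchable after the vendor stops shipping updates. The update container format, the function names and the physical-presence gate are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware container: the image plus a detached
// Ed25519 signature over SHA-256(image). The layout is an assumption.
type Update struct {
	Image     []byte
	Signature []byte
}

// Verifier holds the vendor public key, which the build embeds in the
// firmware (the kind of "hard-coded credential" that is fine to hard-code),
// and an optional owner key the user enrols so the device outlives vendor support.
type Verifier struct {
	VendorKey ed25519.PublicKey
	OwnerKey  ed25519.PublicKey // nil until an owner enrols one
}

var ErrBadSignature = errors.New("firmware: signature does not verify against any trusted key")

// GenerateKey wraps key generation for the demo; on a real device the vendor
// private key never leaves the build system.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// Sign builds an update signed by priv (the vendor's key, or an owner's own key).
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	img := append([]byte(nil), image...)
	return Update{Image: img, Signature: ed25519.Sign(priv, digest(img))}
}

// Verify accepts the update if its signature checks out under the vendor
// key or the enrolled owner key, and reports which one accepted it.
func (v *Verifier) Verify(u Update) (string, error) {
	d := digest(u.Image)
	if ed25519.Verify(v.VendorKey, d, u.Signature) {
		return "vendor", nil
	}
	if v.OwnerKey != nil && ed25519.Verify(v.OwnerKey, d, u.Signature) {
		return "owner", nil
	}
	return "", ErrBadSignature
}

// EnrollOwnerKey installs the owner's key. The physical-presence gate (a button
// held at boot, a serial console) is what separates this from a remote backdoor;
// here it is modelled as a plain bool.
func (v *Verifier) EnrollOwnerKey(physicalPresence bool, key ed25519.PublicKey) error {
	if !physicalPresence {
		return errors.New("firmware: owner key enrolment requires physical presence")
	}
	if len(key) != ed25519.PublicKeySize {
		return errors.New("firmware: bad public key length")
	}
	v.OwnerKey = append(ed25519.PublicKey(nil), key...)
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateKey()
	ownerPub, ownerPriv := GenerateKey()
	v := &Verifier{VendorKey: vendorPub}
	image := []byte("constructed firmware image v1.2")

	who, err := v.Verify(Sign(vendorPriv, image))
	fmt.Println("vendor build:", who, err)
	_, err = v.Verify(Sign(ownerPriv, image))
	fmt.Println("owner build before enrolment:", err)
	_ = v.EnrollOwnerKey(true, ownerPub)
	who, err = v.Verify(Sign(ownerPriv, image))
	fmt.Println("owner build after enrolment:", who, err)
}
```

The design choice worth noting is that the owner key is a second root of trust, not a switch that turns verification off: a device that has been handed to its owner still refuses unsigned or tampered images, it just accepts the owner's signature in addition to the vendor's.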

8) Ensure that personal data is protected

I suppose given the GDPR, this section is required, but GDPR is a pox on the Internet.

9) Make systems resilient to outages

Given the recent story of Yale locks locking people out of their houses due to a system outage, this seems like an obviously good idea.

But it should be noted that this is hard. Obviously such a lock should be resilient if the network connection is down or their servers have crashed. But what happens when such a lock can contact their servers, but some other component within their organization has crashed, such that the servers give unexpected responses, neither completely down nor completely up and running?

We saw that in the Mirai attacks against Dyn. It left a lot of servers up and running but took down some other component that those servers relied upon, leaving things in an intermediate state that was neither completely non-functional nor completely functional.

It's easy to stand on a soapbox and proclaim devices need to be resilient, but this is unhelpful. What would instead be helpful is a catalog of failures that IoT will typically experience.
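As an added illustration of the "neither up nor down" failure described above (example code written for this page, not the post's and not any lock vendor's), here is a lock client that treats timeouts, non-200 responses and malformed bodies alike as "no answer" and falls back to a locally cached decision. The JSON schema, the URL shape and the handler names are assumptions; the three httptest servers are constructed failure modes, the degraded one standing in for the Dyn-style case where the front end answers but something behind it is gone.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Decision is the response schema the lock expects from its cloud service
// (an assumed format for this example, not any real vendor's API).
type Decision struct {
	Allow   bool `json:"allow"`
	Version int  `json:"version"`
}

// Lock keeps a local copy of the last known-good answers so it keeps working
// when the cloud is unreachable, slow, or up but answering nonsense.
type Lock struct {
	Client   *http.Client
	AuthURL  string
	LocalACL map[string]bool // credential -> last decision the cloud gave
}

func NewLock(authURL string, timeout time.Duration) *Lock {
	return &Lock{Client: &http.Client{Timeout: timeout}, AuthURL: authURL, LocalACL: map[string]bool{}}
}

// askCloud returns a decision only for a prompt, well-formed HTTP 200. Every
// other outcome is an error, so a half-broken backend is never mistaken for an answer.
func (l *Lock) askCloud(ctx context.Context, cred string) (*Decision, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, l.AuthURL+"?cred="+url.QueryEscape(cred), nil)
	if err != nil {
		return nil, err
	}
	resp, err := l.Client.Do(req)
	if err != nil {
		return nil, err // refused, timed out, DNS failure: the "completely down" case
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("cloud returned HTTP %d", resp.StatusCode)
	}
	dec := json.NewDecoder(io.LimitReader(resp.Body, 4096))
	dec.DisallowUnknownFields()
	var d Decision
	if err := dec.Decode(&d); err != nil {
		return nil, fmt.Errorf("malformed cloud response: %w", err) // the "up but broken" case
	}
	if d.Version != 1 {
		return nil, errors.New("unexpected response version")
	}
	return &d, nil
}

// Unlock asks the cloud and, on any failure, falls back to the cached decision.
// It reports which source answered so the device can log degraded operation.
func (l *Lock) Unlock(cred string) (allowed bool, source string) {
	ctx, cancel := context.WithTimeout(context.Background(), l.Client.Timeout)
	defer cancel()
	if d, err := l.askCloud(ctx, cred); err == nil {
		l.LocalACL[cred] = d.Allow
		return d.Allow, "cloud"
	}
	return l.LocalACL[cred], "local-cache"
}

// Constructed cloud behaviours for the demo: healthy, degraded (reachable, HTTP 200,
// but a backend behind it has failed and it serves an error page), and slow.
func HealthyServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(Decision{Allow: r.URL.Query().Get("cred") == "owner-key-1", Version: 1})
	}))
}

func DegradedServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>upstream database error</html>")
	}))
}

func SlowServer(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(delay)
		json.NewEncoder(w).Encode(Decision{Allow: true, Version: 1})
	}))
}

func main() {
	healthy := HealthyServer()
	lock := NewLock(healthy.URL, 200*time.Millisecond)
	fmt.Println(lock.Unlock("owner-key-1")) // answered by the cloud
	healthy.Close()
	fmt.Println(lock.Unlock("owner-key-1")) // cloud down: cached decision
	degraded := DegradedServer()
	defer degraded.Close()
	lock.AuthURL = degraded.URL
	fmt.Println(lock.Unlock("owner-key-1")) // cloud degraded: cached decision
}
```

The cache is the trade-off to think about: it keeps the owner from being locked out during an outage, but it also means a credential revoked in the cloud keeps working on the device until the cloud is reachable again, so a real product needs a bound on how stale a cached decision may be.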

10) Monitor system telemetry data

Security telemetry is a desirable feature in general. When a hack happens, you want to review logfiles to see how it happened. This item reflects various efforts to come up with such useful information.

But again we see something so devoid of technical details as to be useless. Worse, it's going to be exploited by others, such as McAfee wanting you to have anti-virus on TV sets, which is an extraordinarily bad idea.

11) Make it easy for consumers to delete personal data

This is kinda silly in that it's simply a matter of doing a "factory reset". Having methods to delete personal details other than factory resets is bad.

The useful bit of advice is that factory resets don't always "wipe" information; they just "forget" it in a way that can be recovered. Thus, we get printers containing old documents and voting machines with old votes.

On the other hand, this is a guide for "consumer IoT", so just the normal factory reset is probably sufficient, even if private details can be gleaned.
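A factory reset that forgets rather than wipes is exactly the gap the post points at. The added Go example below (written for this page, not taken from the post) shows one way to make reset actually destroy the data even on flash where you cannot rely on overwriting a file's blocks: keep user data encrypted under a per-device key and destroy the key on reset, so any ciphertext a later owner carves out of storage is useless. The file names and layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Device models the persistent storage of an IoT device: a key slot and an
// encrypted user-data file. Paths are assumptions for the example.
type Device struct{ dir string }

func (d *Device) keyPath() string  { return filepath.Join(d.dir, "keyslot") }
func (d *Device) dataPath() string { return filepath.Join(d.dir, "userdata.enc") }

// NewDevice provisions a fresh random data-encryption key, as a device would at first boot.
func NewDevice(dir string) (*Device, error) {
	d := &Device{dir: dir}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if err := os.WriteFile(d.keyPath(), key, 0o600); err != nil {
		return nil, err
	}
	return d, nil
}

func (d *Device) aead() (cipher.AEAD, error) {
	key, err := os.ReadFile(d.keyPath())
	if err != nil {
		return nil, errors.New("no data-encryption key: device has been reset")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the user's data (Wi-Fi PSK, account tokens, ...) with AES-GCM.
func (d *Device) Store(plaintext []byte) error {
	g, err := d.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return os.WriteFile(d.dataPath(), g.Seal(nonce, nonce, plaintext, nil), 0o600)
}

// Load decrypts the user's data; it fails once the key is gone.
func (d *Device) Load() ([]byte, error) {
	g, err := d.aead()
	if err != nil {
		return nil, err
	}
	blob, err := os.ReadFile(d.dataPath())
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("corrupt data file")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// FactoryReset destroys the key (overwrite in place, sync, unlink) and only then
// unlinks the data file. Unlinking alone would merely "forget" the data.
func (d *Device) FactoryReset() error {
	f, err := os.OpenFile(d.keyPath(), os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	_, err = f.Write(make([]byte, 32))
	if err == nil {
		err = f.Sync()
	}
	f.Close()
	if err != nil {
		return err
	}
	if err := os.Remove(d.keyPath()); err != nil {
		return err
	}
	if err := os.Remove(d.dataPath()); err != nil && !os.IsNotExist(err) {
		return err
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "iot-reset")
	defer os.RemoveAll(dir)
	d, _ := NewDevice(dir)
	_ = d.Store([]byte("wifi-psk: constructed-secret"))
	data, err := d.Load()
	fmt.Printf("before reset: %q %v\n", data, err)
	_ = d.FactoryReset()
	data, err = d.Load()
	fmt.Printf("after reset: %q %v\n", data, err)
}
```

The overwrite of the key slot is still best effort on a wear-levelled flash filesystem, which is why the key, and only the key, is the thing worth putting in storage with a reliable erase (an eMMC secure-erase region or a small secure element); the bulk user data can then live anywhere, since without the key it is noise.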

12) Make installation and maintenance of devices easy

Of course things should be easy, everyone agrees on this. The problem is they don't know how. Companies like Microsoft and Apple spend billions on this problem and still haven't cracked it.

My home network WiFi password uses quotes as punctuation to improve security. The Amazon Echo app uses Bluetooth to pair with the device and set which password to use for WiFi. This is well done from a security point of view.

However, their app uses an input field that changes quotes to curly quotes, making it impossible to type in the password. I instead had to go to a browser, type the password in the URL field, copy it, then go back to the Alexa app and paste it into the field. Then I could get things to work.

Amazon is better at making devices easy and secure with Echo and they still get things spectacularly wrong.

13) Validate input data

Most security vulnerabilities are due to improper validation of input data. However, "validate input data" is stupid advice. It's like how most phishing attacks come from strangers, but how telling people to not open emails from strangers is stupid advice. In both cases, it's a superficial answer that doesn't really understand how the problem came about.

Let's take PHP and session cookies, for example. A lot of programmers think the session identifier in PHP is some internal feature of PHP. They therefore trust it, because it isn't input. They don't perceive how it's not internal to PHP, but external, part of HTTP, and something totally hackable by hackers.

Or take the famous Jeep hack, where hackers were able to remotely take control of the car and do mischievous things like turn it off on the highway. The designers didn't understand how the private connection to the phone network was in fact "input" coming from the Internet. And then there was data from the car's internal network, which wasn't seen as "input" from an external source.

Then there is the question of what "validation" means. A lot of programmers try to solve SQL injection by "blacklisting" known bad characters. Hackers are adept at bypassing this, using other bad characters, especially using Unicode. Whitelisting known good characters is a better solution. But even that is still problematic. The proper solution to SQL injection isn't "input validation" at all, but using "parameterized queries" that don't care about input.
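To make the last paragraph concrete, here is an added example (my own code, not from the original post) that puts the three approaches side by side against a constructed in-memory SQLite table: string concatenation, a character blacklist in front of that same concatenation, and a parameterized query. The user names and passwords are made up; the point is that the blacklist rejects a perfectly legitimate value like O'Brien while adding no structural protection, whereas the parameterized query handles both the apostrophe and the classic quote-breaking input as plain data.

```python
import sqlite3

# Constructed sample data (not from the original post): two ordinary accounts
# plus one whose name and password legitimately contain an apostrophe.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("o'brien", "pa'ss"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote character
    changes the query's structure instead of being compared as data."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_blacklist(conn, name, password):
    """Blacklist 'validation' in front of the same concatenation: it rejects the
    characters it knows about, which also rejects legitimate values such as
    O'Brien, and protects against nothing it has not enumerated."""
    for value in (name, password):
        if any(ch in value for ch in "';"):
            raise ValueError("input rejected by blacklist")
    return login_concat(conn, name, password)


def login_param(conn, name, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so the database never parses them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def outcome(fn, conn, name, password):
    """Run one login function and report ('ok', rows) or ('error', exception
    name), so the three behaviours can be compared on the same inputs."""
    try:
        return ("ok", fn(conn, name, password))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    cases = [("alice", "s3cret"), ("o'brien", "pa'ss"), ("alice", "' OR '1'='1")]
    for fn in (login_concat, login_blacklist, login_param):
        for name, password in cases:
            print(fn.__name__, repr(name), repr(password),
                  outcome(fn, db, name, password))
```

Running it shows the asymmetry Graham describes: the concatenated query returns every user for the quote-breaking password and crashes with a syntax error for O'Brien; the blacklist version turns both into a rejection, which is "secure" only by refusing real input; the parameterized version returns exactly the matching row for O'Brien and nothing for the malformed password, without ever having to decide which characters are "bad".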

Conclusion

Like virtually every other guide, this one is based upon platitudes and only a superficial understanding of the problem. It's got more clue than most, but is still far from something that could actually be useful. The concept here is virtue signaling, declaring what would be virtuous and moral for an IoT device, rather than something that could be useful to device makers in practice.

Upcoming Intel Conference: U.S. & Israeli Counter-terrorism/Counter-intelligence Pros “Compare Notes” – Commentary By Adina Kutnicki

adinakutnicki.com - I pursued my enemies and overtook them; I did not turn back until they were destroyed. Stipulated, there is nothing new under the sun, at least when it comes to professional development, conferences, and a by-product thereof,…



Facebook Could Use Data Collected From Its Portal In-Home Video Device To Target You With Ads

An anonymous reader quotes a report from Recode: Facebook announced Portal last week, its take on the in-home, voice-activated speaker to rival competitors from Amazon, Google and Apple. Last Monday, we wrote: "No data collected through Portal -- even call log data or app usage data, like the fact that you listened to Spotify -- will be used to target users with ads on Facebook." We wrote that because that's what we were told by Facebook executives. But Facebook has since reached out to change its answer: Portal doesn't have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties. "Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices. We may use this information to inform the ads we show you across our platforms. Other general usage data, such as aggregate usage of apps, etc., may also feed into the information that we use to serve ads," a spokesperson said in an email to Recode. That isn't very surprising, considering Facebook's business model. The biggest benefit of Facebook owning a device in your home is that it provides the company with another data stream for its ad-targeting business.

Read more of this story at Slashdot.

Oracle Releases October 2018 Security Bulletin

Original release date: October 16, 2018

Oracle has released its Critical Patch Update for October 2018 to address 301 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the Oracle October 2018 Critical Patch Update and apply the necessary updates.




The Rich, the Poor and the Precariat: Bolsonaro's Three Types of Voters

One way to deal with the current political scenario is to start from the premise that half the population is made up of fascists, ignorant people, or both. If so, we can throw in the towel and repeat that every people gets the ruler it deserves. Another possibility, which seems more interesting to me, is to differentiate this spectrum of voters, trying to understand how and why different profiles are captured by Jair Bolsonaro's authoritarian drive.

I have been distinguishing three voter profiles, which operate as ideal types that help us reflect and act. The first are the rich, who had the educational capital to know what is at stake and consciously opt for the authoritarian project against "corruption", but in truth see in Bolsonaro and in anti-PT sentiment an opportunity to legitimize old prejudices against the "rabble".

At the other end are the poor, with very low educational capital and a mild anti-PT sentiment. They vote for Bolsonaro out of adherence, because of their church, family influence, despair or hope, but stress that Lula "stole, but gave us what was ours", "stole, but our lives were better".

At the base of the pyramid, unlike among the rich, there is disillusionment and widespread disinterest, but also flexibility to talk about different candidates. These are people who do not project their anger, or blame their deteriorated lives, onto those immediately below them, because there is no one below. Because of clientelism, these voters tend to lose faith in politics as a whole. The great challenge for this segment, therefore, is not changing their candidate but convincing them to go and vote on election day.

Between the rich and the poor is all the rest of the Brazilian population: the precariat. This is precisely where the great tangle of the Bolsonaro voter lies, ranging from (A) the friendly Uber driver, the gentle saleswoman, the helpful doorman, the hard-working small-business owner and the party-loving manicurist, all outraged at the lax political system or at shaken traditional morals and also frustrated with their own situation, to (B) the fanatic, the aggressor seized by fury and ready to "take revenge" and kill a leftist, a black person, an LGBT person, a feminist: the "culprits" for the world's deterioration.

The difference between A and B exists. But the tendency is for it to shrink as the scenario radicalizes. Frustration "against everything out there", against this "shamelessness" (sic) that contaminates politics and moral values, tends to merge both profiles into an increasingly homogeneous universe. In the blink of an eye, group A, which internalizes the values of the wealthy elites and blames the "rabble" for its frustrations, turns into B.

This is how authoritarian reason grows, since there is no a priori fascist: what exists is subjectivity mobilized by the authoritarian project.

We live in times in which people are being authorized to think, say and do what was once unthinkable.

In this new context, in which voters are fed by a capillary, horizontal communication system with no responsibility to the truth, pro-Bolsonaro messages are read in whatever way is convenient for each personal and family trajectory, co-opting and organizing the different frustrations and identifying immediate causes and solutions. All this in the midst of a society that, since 2013 and especially since the impeachment of Dilma Rousseff in 2016, finds itself stripped of authority, rules and cohesion. This is where the far right has found fertile ground to make the difference between voter A and voter B ever smaller. Bolsonarism is, above all, an empty discourse that spreads in a vacuum to answer deep and diverse resentments.

About voter B: he is the one who terrifies us. He is a character from a dystopian reality. We live in times in which people are being authorized to think, say and do what was once unthinkable. Since order, in the sociological sense, is absent, individuals hunt for the enemy on their own. And worst of all: they know nothing will happen to them. Some people know they are authorized to commit violence.

We need to understand that we are facing a collective outbreak that brings forth many saviors dispensing "justice by their own hands", and that Bolsonaro is indeed responsible for those he mobilizes.

I have written several times that our lessons come not only from Germany in 1933 or Brazil in 1964, but also from distant China in the first half of the 20th century, marked by intense polarization and the emergence of sects and saviors, and ending in yet another authoritarian project marked by denunciatory paranoia that destroys bonds of friendship and family and finally ends in a personality cult capable of justifying all criticism as an "enemy threat". What we see in Brazil today is the emergence of sects organized in their own parallel worlds: in them, Bolsonaro is the hero of good. Absolutely everything said against him would have been fabricated in leftist dens. Repeating an old script from Christian history, the "good citizens" are also vigilantes who kill, or let kill, in the name of a very particular justice.

The patriotic, authoritarian and conservative self can coexist with the democratic self.

Let us return to voter A. He must be fought for. And that can hardly be done via social networks: we lost the meme war badly, and the Bolsonaro voters who are engaged online have counterarguments for everything. It is futile. There are still many voters who are considering voting for the candidate but have not fully adhered to the sect logic spreading on the networks. It is with these people that we need to attempt the good old face-to-face conversation, which has proven less dramatic than in digital environments.

The anthropology of the self, that is, of the construction of the "I", teaches us that there is no single self. Works such as those of the psychiatrist Arthur Kleinman help us understand that the patriotic, authoritarian and conservative self can coexist with the democratic self: we are complex subjects, and each of these subjectivities occupies more or less space depending on the political and economic context. (Of course, in a country with as poor a democratic and secular tradition as Brazil, the conservative self tends to occupy more space.) We cannot give up on so many people who have lived alongside us and whom we know to have generous, supportive and community-minded sides.

We need to confront contradictory subjects who are seduced by the easy narrative of authoritarianism.

We need to confront contradictory, multifaceted subjects who are seduced by the easy narrative of authoritarianism. The unemployed, precarious workers, Uber drivers, street vendors. They are often poor or impoverished people who do not see themselves covered by the social policies of recent years. They are people who want to rise socially, feel wronged for grinding 15 hours a day, live amid the insecurity of the big cities and perceive the government as a great farce that works for its own enrichment or only for the benefit of "minorities". Today, this profile finds in the PT no self-criticism regarding corruption, no employment proposals and almost nothing on public security. It is a lie that the government gave everything to the very poorest or to minorities, but it is true that the poor who are not the very poorest found little support and little possibility of social mobility.

Bolsonaro has many contradictions. He sells himself as an "outsider", but he is a professional politician. His simplistic proposals are not the solution to complex problems, and those who believe that, being "good citizens", nothing will happen to them under an authoritarian government are mistaken. It will. The left and the PT have a task for the second round and for the coming years, regardless of the election result: to rebuild their radicalism, organize the indignation, fight corruption and return to speaking about the basic themes of community life: security, health, education and employment.

Cover photo: Pro-Bolsonaro voters hold a motorcade in Porto Velho, Rondônia.

The post The Rich, the Poor and the Precariat: Bolsonaro's Three Types of Voters appeared first on The Intercept.

Market Update: U.S. Stocks Rebound Sharply as Earnings Season Underway; Cryptos Stabilize After Wild Monday

U.S. stocks rebounded sharply on Tuesday, with the Dow adding more than 500 points as traders set their sights on corporate earnings. Meanwhile, cryptocurrency prices hovered in a narrow range as trade volumes returned to normal. Stocks in Recovery Mode All of Wall Street’s major bourses posted large gains on Tuesday, with the large-cap S&P […]

The post Market Update: U.S. Stocks Rebound Sharply as Earnings Season Underway; Cryptos Stabilize After Wild Monday appeared first on Hacked: Hacking Finance.

Outraged Lawmakers Want to End the U.S.’s Cozy Relationship With Saudi Arabia

Massachusetts Rep. Jim McGovern, the leading Democrat on the powerful House Rules Committee, on Tuesday introduced a bill that threatens to sever the decades-old security relationship between the United States and Saudi Arabia. The bill, which is co-sponsored by six Democrats and two Republicans, is the latest outraged response from lawmakers on Capitol Hill to the disappearance and suspected murder of prominent Saudi journalist Jamal Khashoggi.

Specifically, McGovern’s bill would ban all arms sales and military cooperation with Saudi Arabia, unless the secretary of state certifies that the Saudi government and its agents “did not order or direct” Khashoggi’s disappearance or killing. It would also suspend the security relationship between the two countries, except to protect or evacuate U.S. citizens and diplomatic personnel in the kingdom. The bill would also require a detailed report from the secretary of state about Khashoggi’s status.

“If the United States stands for anything, we need to stand out loud and foursquare for human rights,” McGovern said in a Friday statement announcing his intent to introduce the legislation. “Our values are our strength, and we cannot be indifferent or complicit when those values are undermined or attacked.”

Khashoggi, a prominent critic of Saudi Crown Prince Mohammed bin Salman, was last seen October 2, entering the Saudi Consulate in Istanbul for documents he needed in order to get married. Since then, a steady stream of sometimes conflicting leaks from Turkish officials has led to the widespread belief that Khashoggi, who lived in self-imposed exile in Virginia, was assassinated and dismembered by the Saudis. The Saudi government has vehemently denied these accusations, but it has not presented a credible explanation for Khashoggi’s disappearance.

This image taken from CCTV video obtained by the Turkish newspaper Hurriyet and made available on Tuesday, Oct. 9, 2018 claims to show Saudi journalist Jamal Khashoggi entering the Saudi consulate in Istanbul, Tuesday, Oct. 2, 2018. Turkey said Tuesday it will search the Saudi Consulate in Istanbul as part of an investigation into the disappearance of a missing Saudi contributor to The Washington Post, a week after he vanished during a visit there. (CCTV/Hurriyet via AP)

This image, taken from closed-circuit TV footage obtained by the Turkish newspaper Hürriyet and made available on Oct. 9, 2018, appears to show Saudi journalist Jamal Khashoggi entering the Saudi Consulate in Istanbul on Oct. 2, 2018.

Photo: CCTV/Hurriyet via AP

President Donald Trump, meanwhile, defended the U.S.-Saudi relationship this weekend, saying he didn’t want to endanger future arms sales over allegations that Saudi agents killed a Washington Post columnist. On Tuesday, Secretary of State Mike Pompeo met with Saudi King Salman in Riyadh regarding Khashoggi’s disappearance, but the response from the Trump administration has been relatively muted. On Capitol Hill, however, the kingdom’s relationship with Congress is in free fall.

“I’m hearing, on both sides of the aisle, a questioning of the Saudi relationship, more so after the Khashoggi incident than after 9/11,” said Rep. Ro Khanna, a Democrat from California who has been highly critical of the Saudi war in Yemen. “It’s the final straw that has broken the U.S.-Saudi relationship.”

Last week, 11 Democratic and 11 Republican senators sent Trump a letter invoking the Global Magnitsky Act, a 2016 law that requires the president to make a determination about whether to sanction human rights violators. All but one member of the Senate Foreign Relations Committee signed the letter, which directs Trump not to spare “the highest ranking officials in the Government of Saudi Arabia.” (Sen. Rand Paul, R-Ky., was the sole committee member who did not sign the letter; he has, however, indicated that he’ll be pushing to stop U.S. arms sales to Saudi Arabia.)

In an interview with “Fox and Friends” on Tuesday morning, Republican Sen. Lindsey Graham — one of the signatories of the letter, and historically one of the kingdom’s strongest defenders in Washington — called for the crown prince’s removal and said he would “sanction the hell out of Saudi Arabia.”

“I can never do business with Saudi Arabia again, until we get this behind us,” Graham said.

Saudi Arabia is the United States’s oldest ally in the Middle East, and sanctions against its king or crown prince would be unprecedented.

In addition to demands to penalize Saudi Arabia, members of Congress are also demanding answers about what the U.S. knew about the plot beforehand.

The Washington Post reported last week that U.S. intelligence agencies had intercepted communications indicating that the crown prince ordered Khashoggi’s arrest, but it was unclear if Khashoggi was warned ahead of time. Sen. Bob Corker, the Republican chair of the Senate Foreign Relations Committee, later told CNN that “intel points directly” at the Saudis, and that he believes Khashoggi was murdered.

On Friday, Khanna and Rep. Mark Pocan, D-Wis., released the text of a letter calling on the director of national intelligence to explain what the intelligence community knew before Khashoggi’s disappearance, including “the precise date on which any arm of the U.S. intelligence community first became aware of the Saudi plan to detain Khashoggi.”

“Considering the profound ramifications of this potential crime, U.S. foreknowledge of Saudi plans to detain Mr. Khashoggi, and whether the U.S. intelligence community carried out its duty to warn, we intend to use the full force of Congressional oversight and investigatory powers to obtain these answers should they not be forthcoming,” the letter reads.

Khanna and Pocan, both members of the Congressional Progressive Caucus, are still collecting signatures, and they plan to send the letter later this week, according to a Democratic aide.

Traditionally, the intelligence community has a “duty to warn” people when they detect impending plots to their security, and it is unclear whether Khashoggi was told of any plot to detain him.

Despite reports about the intelligence community’s foreknowledge, Trump has expressed uncertainty about whether the Saudis were responsible. Following a 20-minute phone call with the Saudi king on Monday, Trump told reporters that the king’s denials were made “very strongly.” He added, “It sounded to me like maybe these could have been rogue killers. Who knows.”

A cameraman gets into position as U.S. Secretary of State Mike Pompeo meets with Saudi Crown Prince Mohammed bin Salman, in Riyadh, Saudi Arabia, Tuesday Oct. 16, 2018. Pompeo also met on Tuesday with Saudi King Salman over the disappearance and alleged slaying of Saudi writer Jamal Khashoggi, who vanished two weeks ago during a visit to the Saudi Consulate in Istanbul. (Leah Millis/Pool via AP)

A cameraperson gets into position as U.S. Secretary of State Mike Pompeo, obscured at left, meets with Saudi Crown Prince Mohammed bin Salman in Riyadh, Saudi Arabia, on Oct. 16, 2018.

Photo: Leah Millis, Pool/AP

The alleged murder of Khashoggi would be the latest in a series of aggressive and interventionist moves by Crown Prince Mohammed, the 33-year-old de facto ruler of Saudi Arabia. In June 2017, he leapfrogged his elder cousin to become next in the line for the throne.

Commonly billed as a “reformer” who has allowed women to drive and opened movie theaters, the crown prince’s tenure has also been marked by an intensive crackdown on critics and an overtly interventionist foreign policy.

Crown Prince Mohammed is the architect of Saudi Arabia’s three-year intervention in Yemen, which has killed tens of thousands of people and led to mass starvation throughout the country. Under the crown prince, Saudi Arabia has maintained a trade embargo on Qatar, and last November, he scooped up billions of dollars in assets by arresting his family members as part of an “anti-corruption” crackdown. That same month, the Saudi government detained Lebanese Prime Minister Saad Hariri and forced him to read a prewritten resignation speech on Saudi state television. (Hariri eventually returned to Lebanon and rescinded his resignation.)

On Capitol Hill, Khashoggi’s disappearance could catalyze frustration with the crown prince’s U.S.-backed intervention in Yemen, which the Trump and Obama administrations have supported with arms sales and logistical aid.

Last year, citing human rights concerns over the war in Yemen, the Senate nearly blocked an arms sale to Saudi Arabia in a 47-53 vote. Currently, Sen. Bob Menendez, the most powerful Democrat on the Foreign Relations committee, is holding up a $2 billion weapons sale to Saudi Arabia and the United Arab Emirates for the same reason.

In the House, leading Democrats have joined a resolution that would direct the Trump administration to withdraw all U.S. forces who are participating in the war. Khanna said that in the wake of Khashoggi’s disappearance, he thought it was likely to pass.

“I think that the relationship has been permanently damaged,” he told The Intercept by phone. “I don’t think it will ever recover.”

Top photo: Saudi journalist Jamal Khashoggi speaks on his cellphone at the World Economic Forum in Davos, Switzerland, on Jan. 29, 2011.

The post Outraged Lawmakers Want to End the U.S.’s Cozy Relationship With Saudi Arabia appeared first on The Intercept.

Nano (NANO) Named ‘Fastest’ Crypto; Added to PayFair Exchange; Climbs 10%;

Nano (NANO) saw a 10.6% boost to its market valuation on Tuesday following its addition to the decentralized peer-to-peer exchange, PayFair. The escrow platform grants Nano exposure to over thirty-five fiat pairings, and over twenty-five other cryptocurrencies. Meanwhile, in an impartial study conducted by Bitcoin Kit, Nano was revealed to be the fastest cryptocurrency when it […]

The post Nano (NANO) Named ‘Fastest’ Crypto; Added to PayFair Exchange; Climbs 10%; appeared first on Hacked: Hacking Finance.

Russia-linked APT group DustSquad targets diplomatic entities in Central Asia

Kaspersky experts published a detailed analysis of the attacks conducted by the Russian-linked cyber espionage group DustSquad.

Earlier in October, security experts from ESET shared details about the operations of a cyber espionage group tracked as Nomadic Octopus, a threat actor focused on diplomatic entities in Central Asia.

The group has been active since at least 2015.

“ESET researchers recently discovered an interesting cyber espionage campaign active in several countries of Central Asia. We attribute these attacks to a previously undocumented APT group that we have named Nomadic Octopus.” states the blog post published by Virus Bulletin.

“Our findings suggest that this APT group has been active since at least 2015. The main goal of Nomadic Octopus appears to be cyber espionage against high-value targets, including diplomatic missions in the region”

The experts presented their findings at the Virus Bulletin conference.

Now Kaspersky experts published a detailed analysis of the attacks conducted by the group, tracked by the Russian firm as DustSquad, and the tools they used.

Kaspersky has been monitoring the activity of the group for the last two years. DustSquad is a Russian-language cyberespionage group particularly active in Central Asia.

“For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware.” states the analysis published by Kaspersky Lab.

“The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018.”

The group targets its victims with spear-phishing emails, and the threat actors use Russian-language malware filenames.

Kaspersky tracked a campaign conducted by the group back to 2014 when hackers targeted entities in the former Soviet republics of Central Asia, plus Afghanistan.

In April 2018, the researchers discovered a new Octopus sample developed to target Windows systems, the malicious code had been disguised as a Russian version of the Telegram app used by the Democratic Choice (DVK) opposition party in Kazakhstan.

The attackers attempted to exploit the Kazakhstan government's threat to block Telegram over its use by the DVK.

DustSquad fake Telegram

The Octopus Trojan is written in Delphi, the same programming language used by Russian-linked APT group Sofacy for the development of the Zebrocy backdoor.

The malicious code implements backdoor features, including the ability to execute commands, upload and download files, take screenshots, and find *.rar archives on the host.

Experts noticed that, even though they found malware used by both DustSquad and Sofacy APT on the compromised machines, the two cyber espionage groups are not linked.

Kaspersky pointed out that many components of the Octopus malware are still unfinished; the attackers likely created the malicious code in a hurry and did not implement certain features, such as some communication functionality.

“Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently by DustSquad (with Octopus malware),” continues the Kaspersky report.

“Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.”

Additional technical details are reported in the analysis, including IoCs.

Pierluigi Paganini

(Security Affairs – DustSquad, Russia)

The post Russia-linked APT group DustSquad targets diplomatic entities in Central Asia appeared first on Security Affairs.

New York Attorney General Expands Inquiry Into Net Neutrality Comments

The New York attorney general subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups sought to sway a critical federal decision on internet regulation last year by submitting millions of fraudulent public comments, according to a person with knowledge of the investigation. From a report: Some of the groups played a highly public role in last year's battle, when the Republican-appointed majority on the Federal Communications Commission voted to revoke a regulation issued under President Barack Obama that classified internet service providers as public utilities. The telecommunications industry bitterly opposed the rules -- which imposed what supporters call "net neutrality" on internet providers -- and enthusiastically backed their repeal under President Trump. The attorney general, Barbara D. Underwood, last year began investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle. Millions of comments were provided using temporary or duplicate email addresses, others recycled identical phrases, and seven popular comments, repeated verbatim, accounted for millions more.

Read more of this story at Slashdot.

CVE-2018-6974

VMware ESXi (6.7 before ESXi670-201810101-SG, 6.5 before ESXi650-201808401-BG, and 6.0 before ESXi600-201808401-BG), Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3) contain an out-of-bounds read vulnerability in SVGA device. This issue may allow a guest to execute code on the host.

CVE-2018-1777

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 148800.

Does Saudi Arabia Own Donald Trump?

On Tuesday morning, President Donald Trump tweeted: “For the record, I have no financial interests in Saudi Arabia (or Russia, for that matter). Any suggestion that I have is just more FAKE NEWS (of which there is plenty)!”

Is this yet another barefaced lie from the commander-in-chief?

In this video essay, I examine Trump’s long history of doing deals with Saudi royals and look back at how the former reality TV star even bragged about his financial ties to the kingdom during the election campaign. I also highlight the controversial payments made by the Saudi government to Trump-owned properties since the Republican businessman entered the White House.

With the president refusing to take a strong stance against the Saudi government’s alleged murder of journalist Jamal Khashoggi, I ask: “Does Saudi Arabia own Donald Trump?”

The post Does Saudi Arabia Own Donald Trump? appeared first on The Intercept.

Best new Windows 10 security features: More patching, updating flexibility

With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.

Below is a summary of all the new security features and options in Windows 10 version 1809, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to update and patch Windows, and other security improvements. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
