Daily Archives: October 9, 2018

SN 684: The Supply Chain

  • An October Surprise of a different sort - Windows 10 update deletes users' files
  • A security researcher has massively weaponized the existing MikroTik vulnerability and released it as a proof-of-concept
  • A clever voicemail WhatsApp OTP bypass
  • What happened with that recent Google+ breach?
  • Google tightens up its Chrome extensions security policies
  • WiFi radio protocol designations finally switch to simple version numbering
  • Intel unwraps its 9th-generation processors
  • Head-spinning PDF updates from Adobe and Foxit (this isn't a competition, guys!)
  • Bloomberg's earth-shaking controversial report on Chinese hardware hacking

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Risky Business #517 — Bloomberg’s dumpster fire lights up infosec

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Bloomberg’s shaky, disputed report on hardware back doors
  • A look back on other false reports about imaginary incidents published by Bloomberg
  • GRU operations doxed by GCHQ
  • DOJ charges Russian intelligence officers
  • APT crews targeting MSPs
  • Google+ API exposure the final straw
  • Enterprise TLS interception gear is woefully insecure

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Turkish Pipeline Explosion Probably No Cyber Attack - Digital - Süddeutsche.de
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Codebook - October 10, 2018 - Axios
Patrick Gray on Twitter: "Just got this from Bloomberg PR.… "
Apple Bloomberg Congressional Letter
Patrick Gray on Twitter: "Holy shit… "
Report: Apple designing its own servers to avoid snooping | Ars Technica
Apple deleted server supplier after finding infected firmware in servers [Updated] | Ars Technica
New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - Bloomberg
HHM22137A2 TDK | Mouser Australia
Reckless campaign of cyber attacks by Russian military intelligence service exposed - NCSC Site
Justice Department charges 7 Russian intelligence officers
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations | OPA | Department of Justice
Gordon Corera on Twitter: "Breaking - Dutch intelligence (with help of British) disrupted a Russian GRU cyber operation targeting OPCW on April 13th. Four Russian intelligence officers escorted out of country."
Advanced Persistent Threat Activity Exploiting Managed Service Providers | US-CERT
Google shuts down Google+ after API bug exposed details for over 500,000 users | ZDNet
Google Plus Will Be Shut Down After User Information Was Exposed - The New York Times
Google forcibly enables G Suite alerts for government-backed attacks | ZDNet
SandboxEscaper on Twitter: "Why did gmail just throw a notification that government attackers are trying to get into my account. Not even kidding -.-"
Google sets new rules for third-party apps to access Gmail data | ZDNet
It's 2018, and network middleware still can't handle TLS without breaking encryption | ZDNet
CEO Pleads Guilty to Selling Encrypted Phones to Organized Crime - Motherboard
Project Zero: 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT | ZDNet
U.S. GAO - Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Senetas, a leading provider of encryption technology

Does PCI Matter?

There’s an interesting article at the CBC, about how in Canada, “More than a dozen federal departments flunked a credit card security test:”

Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.

There are some interesting details about the who and why, but what I want to focus on is the lack of (detected) breaches to date, and the impact of the audit failure.

The fact that no breaches have been detected is usually a no-op: you can’t learn anything from it. With credit cards, however, there’s a “Common Point of Purchase” analysis program that eventually turns a spotlight on larger “merchants” who’ve been breached. So the lack of detection does tell us something, which is that a large set of PCI failures don’t lead to breaches. From that we can, again, question whether PCI prevents breaches, or whether it does so better than other security investments.

The second thing is that this is now a “drop everything and fix it” issue, because it’s in the press. Should passing PCI be the top priority for government agencies? I generally don’t think so, but likely it will absorb the security budget for the year for a dozen departments.

The VORACLE OpenVPN Attack: What You Need to Know

Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi networks. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamed Nafeez, is making some people reconsider this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.

Under the Hood of a VPN

A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.

About the VORACLE VPN Vulnerability

At a high level, VORACLE leverages a vulnerability in OpenVPN, the open-source protocol used by the majority of VPN providers, which means many VPN products are affected.

The VORACLE attack can recover HTTP traffic sent over an encrypted VPN connection under certain conditions. The first is that the VPN app in use enables compression via the OpenVPN protocol. An attacker must also be on the same network and able to lure you to an HTTP (not HTTPS) site carrying malicious code, through phishing or a similar tactic. The attack works in all web browsers except Google Chrome, due to the way Chrome makes HTTP requests.
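One way to check a deployment for that first condition, as an added example (not McAfee's code, and not OpenVPN's own tooling): a small Python audit of OpenVPN configuration files for the directives that turn compression on, including options a server pushes to its clients. The directive names follow the OpenVPN 2.4/2.5 manual; the sample configs and hostnames are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# (keyword, first argument) pairs that switch packet compression on.
COMPRESSING = {
    ("comp-lzo", ""), ("comp-lzo", "yes"), ("comp-lzo", "adaptive"),
    ("compress", "lzo"), ("compress", "lz4"), ("compress", "lz4-v2"),
}
# Pairs that keep the compression framing but never compress payload bytes.
FRAMING_ONLY = {
    ("comp-lzo", "no"), ("compress", ""), ("compress", "stub"), ("compress", "stub-v2"),
}


def _directive(line: str) -> Optional[Tuple[List[str], bool]]:
    """Tokenise one config line; unwrap push "..." so pushed options are inspected too.

    Returns (tokens, pushed) or None for blank and comment lines.
    """
    line = line.strip()
    if not line or line[0] in "#;":
        return None
    pushed = False
    m = re.match(r'^push\s+"([^"]*)"', line)
    if m:
        line, pushed = m.group(1).strip(), True
    return [t.strip('"') for t in line.split()], pushed


def audit_openvpn_config(text: str) -> Dict[str, List[str]]:
    """Classify every compression-related directive in an OpenVPN config.

    Keys: "compressing" (the VORACLE precondition is present), "framing_only"
    (stub framing, no compression), "hardened" (pushed compression is refused;
    allow-compression needs OpenVPN 2.5+, pull-filter needs 2.4+).
    """
    findings: Dict[str, List[str]] = {"compressing": [], "framing_only": [], "hardened": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = _directive(raw)
        if parsed is None:
            continue
        tokens, pushed = parsed
        keyword = tokens[0].lower()
        arg = tokens[1].lower() if len(tokens) > 1 else ""
        where = f"line {lineno}" + (" (pushed to clients)" if pushed else "")
        if (keyword, arg) in COMPRESSING:
            findings["compressing"].append(f"{where}: {keyword} {arg}".rstrip())
        elif (keyword, arg) in FRAMING_ONLY:
            findings["framing_only"].append(f"{where}: {keyword} {arg}".rstrip())
        elif keyword == "allow-compression" and arg == "no":
            findings["hardened"].append(f"{where}: allow-compression no")
        elif (keyword == "pull-filter" and arg == "ignore" and len(tokens) > 2
              and tokens[2].lower() in ("compress", "comp-lzo")):
            findings["hardened"].append(f"{where}: pull-filter ignore {tokens[2]}")
    return findings


def enables_compression(text: str) -> bool:
    """True when the config, or what it pushes, turns compression on."""
    return bool(audit_openvpn_config(text)["compressing"])


def accepts_pushed_compression(text: str) -> bool:
    """True for a client config that would accept a server-pushed compress/comp-lzo."""
    return not audit_openvpn_config(text)["hardened"]


# Constructed sample configs (the hostname is a placeholder).
WEAK_CLIENT = "client\ndev tun\nremote vpn.example.invalid 1194 udp\n# LZO on: VORACLE precondition\ncomp-lzo\n"
PUSHING_SERVER = "port 1194\ndev tun\nserver 10.8.0.0 255.255.255.0\npush \"compress lz4\"\n"
HARDENED_CLIENT = ("client\ndev tun\nremote vpn.example.invalid 1194 udp\ncompress\n"
                   "allow-compression no\npull-filter ignore \"comp-lzo\"\n")

if __name__ == "__main__":
    for name, cfg in [("weak client", WEAK_CLIENT), ("pushing server", PUSHING_SERVER),
                      ("hardened client", HARDENED_CLIENT)]:
        print(name, audit_openvpn_config(cfg))
```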

Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.

  • Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time password sent to your phone, biometrics (say, a thumbprint), or a security token that you’ll need to confirm before getting access to your account.
  • Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
  • Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
  • Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hot spot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
  • Do continue to use a personal VPN when you’re on the go and using Wi-Fi, just be sure to do so with an additional layer of security in place, so that if a similar vulnerability is discovered you’ll already have a backup.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The VORACLE OpenVPN Attack: What You Need to Know appeared first on McAfee Blogs.

Top 10 Trending Keywords in .Com and .Net Registrations in September

With more than 300 million domain names registered globally, there are numerous examples of trending keywords reflected by domain name registrations. We have shown in the past that there is a correlation between domain name registrations and newsworthy and popular events, as well as anticipated trends.

Keeping in the spirit of the zeitgeist that .com and .net domain name registration trends can represent, Verisign publishes this monthly blog post series identifying the top 10 trending .com and .net keywords registered in English during the preceding month.


Here are the top 10 trending keywords registered in September 2018. Any surprises?

Rank  .com       .net
1     asset      marijuana
2     organic    removal
3     kiosk      cane
4     sets       titan
5     plex       sustain
6     cane       fiber
7     florence   double
8     kratom     florence
9     homecare   damage
10    niagara    divine


Click here to see other domain trends blog posts, and make sure you check back the second Tuesday of each month for the latest keyword registration trends in .com and .net. Better yet, subscribe to the Verisign blog to have the posts delivered directly to your inbox.

Note: Each list was developed by examining keyword registration growth relative to the preceding month, such that those keywords with the highest percentage of registration growth are being reported on. This method is used to eliminate commonly registered keywords, such as “online” and “shop,” to provide a true look at monthly trends. In order to be included, a keyword must experience a minimum threshold in registration growth month over month. Qualifying keywords with the highest volume of registrations are then ranked and included in the list.

The post Top 10 Trending Keywords in .Com and .Net Registrations in September appeared first on Verisign Blog.

When the Digital Impacts the Physical

Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.

When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, and the same holds true for numerous medical devices such as pacemakers. But that makes the latter part of the “Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices. Just last year, the FBI recalled half a million pacemakers, as a crucial flaw was discovered that could expose users to an attack. Additionally, security researchers recently revealed a chain of vulnerabilities in a particular pacemaker brand that an attacker could exploit to control implanted pacemakers remotely and cause physical harm to patients.

Cybercriminals have also set their sights on larger targets when it comes to hacking health care devices and institutions. We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems. Some of these attacks locked patient data and made proper care unachievable for hours on end.

Hospitals are also not the only type of critical infrastructure that’s been on the victim’s end of a cyberattack. In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in the Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.

There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data, even when certain settings are off or when the user is unaware of the action. Specifically, it was discovered that even if a user disables Location History, Google still tracks users in particular instances — whenever they open up the Maps app, scan the internet for certain things, or receive automatic weather notifications. Even smartwatches have been used recently to record and track kids’ physical location.

Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it. But as the threat landscape is evolving, so is the industry determined to protect innocent users everywhere.

We at McAfee are working together with our entire industry to stop these types of attacks. We’re sharing threat intelligence, resources, and research findings to ensure we put up a united front against these threats. By learning from these attacks, we’re better preparing for those to come.

We believe that together is power. And though these attacks are advanced, we know that acting together to stop them will be even more powerful.

To learn more about McAfee’s approach to protecting against advanced cyberattacks and more, be sure to check us out at @McAfee and @McAfee_Labs.

The post When the Digital Impacts the Physical appeared first on McAfee Blogs.

Preview: SecurityWeek’s 2018 ICS Cyber Security Conference (Oct. 22-25)

Hundreds of professionals from around the world will meet in Atlanta, Ga., on October 22-25, for SecurityWeek's 2018 ICS Cyber Security Conference, the largest and longest-running conference dedicated to industrial and critical infrastructure cybersecurity.

The ICS Cyber Security Conference brings together industrial control systems users and vendors, security solutions providers, and government representatives to discuss critical issues facing operators of industrial networks.

Throughout the four day conference, presentations, training sessions and workshops will help participants improve their knowledge on how to efficiently protect SCADA systems, programmable logic controllers (PLCs), distributed control systems (DCS), engineering workstations, and field devices.

The exchange of technical information, details about actual incidents, insights, and best practices will help representatives of energy, manufacturing, transportation, water, utilities, and other industrial and critical infrastructure organizations address the issues they currently face.

The ICS Cyber Security Conference, set to take place at the InterContinental Buckhead Atlanta, will kick off on Monday, October 22, with a day dedicated to extended workshops and breakout sessions focusing on technology and strategy. The workshops include Red Team/Blue Team training, and a hands-on workshop by Palo Alto Networks and CyberX on defending ICS and SCADA networks.

The other sessions of day one will focus on risk assessments, vulnerability research, enhancing security using the ATT&CK Framework, patching of critical systems, zero trust networking applied in ICS, the risk posed by physical access controls, defense strategies for robotic systems, and securing applications using a local certificate authority.

The second day begins with representatives from Rockwell Automation, Schneider Electric and Siemens discussing the current state of cybersecurity in the ICS Manufacturer's Panel.

Next, Robert M. Lee and Marc Seitz of Dragos will present their research on Xenotime, the group that created the Triton/Trisis ICS malware. Participants will also learn from ARC Advisory Group's Larry O'Brien about the best approach for selecting cybersecurity vendors for operational technology (OT) environments.

On Wednesday, Andrea Carcano of Nozomi Networks will share details of research into the Triton attack, and Dr. Alex Tarter of Thales will discuss how the British Ministry of Defence protects critical infrastructure through a methodology called ‘Cyber Vulnerability Investigations’. On the same day, representatives from Sony's security team will discuss security in manufacturing environments, and Edna Conway, CSO for Cisco's Global Value Chain, will have a fireside chat with Microsoft Cybersecurity Field CTO Diana Kelley on supply chain security.

On the last day of the conference, Colonel Mark Gelhardt, Former CIO for President Clinton, will talk about his time at the White House and the lessons learned. Attendees will also learn about the actual meaning of “anomaly detection” and “machine learning” in the context of ICS threat monitoring, and they will find out how security researchers and automation vendors can work together on reporting and patching vulnerabilities. Another interesting presentation comes from the Department of Homeland Security, whose representatives will talk about Russian cyber activity on US critical infrastructure.

Each day of the conference also features various case studies, technical sessions, and strategy sessions, including on insider threats, side-channel attacks on ICS, preventing attacks on the power grid, cybersecurity programs at nuclear plants, best practices, threat detection, and the threat posed by IT malware.

In addition to amazing content, there will be several receptions and parties to give delegates the chance to network and discuss in a relaxed environment.

Check out the complete agenda for the 2018 ICS Cyber Security Conference

Copyright 2010 Respective Author at Infosec Island

Russian Hackers Spy on Military Targets, Governments: Report

In 2017 and 2018, a Russian cyber-espionage group believed to be government-backed has engaged in covert attacks targeting military and government organizations in Europe and South America, Symantec warns. 

Tracked as APT28 but also referred to as Fancy Bear, Swallowtail, Strontium, Sofacy and Sednit, the group was accused of targeting the Democratic National Committee (DNC) during the 2016 Presidential elections in the United States.

Unlike the 2016 attacks, however, the campaigns the group has conducted this year and the last were low-key intelligence-gathering operations, a new Symantec report reveals. 

The assaults, the security firm says, hit a well-known international organization, as well as military targets and governments in Europe, a government of a South American country, and an embassy belonging to an Eastern European country.

According to Symantec, between 2007 and 2016 Fancy Bear conducted intelligence-gathering operations, and the targeting of the DNC marked a major change in the group’s activity. Also in 2016, the group targeted the World Anti-Doping Agency (WADA) and leaked confidential drug testing information.

“After receiving an unprecedented amount of attention in 2016, APT28 has continued to mount operations during 2017 and 2018. However, the group’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering,” Symantec notes. 

Despite the recent change in tactics, the actor remains focused on expanding its tools portfolio. Last week, ESET revealed that Fancy Bear is the first threat actor to have used a Unified Extensible Firmware Interface (UEFI) rootkit in a malicious campaign.

The hackers updated other tools as well over the past couple of years, including XTunnel (Trojan.Shunnael), which was specifically built to compromise the DNC network. The malicious tool was completely re-written in .NET.

Some security researchers attribute the Zebrocy malware to Fancy Bear, but Symantec claims that another group is responsible for this threat, namely Earworm (aka Zebrocy).

Active since at least May 2016 and focused on military targets in Europe, Central Asia, and Eastern Asia, the group is apparently involved in operations that differ from those of Fancy Bear. Despite that, Symantec did notice command and control (C&C) overlaps between the two groups, which suggests a potential connection between them. 

“It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools. This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets,” Symantec concludes. 

Related: Russian Cyberspies Use UEFI Rootkit in Attacks

Related: Sofacy Attacks Overlap With Other State-Sponsored Operations

Application Security Mistake No. 6: Going It Alone

We’ve been in the application security business for more than 10 years, and we’ve learned a lot in that time about what works, and what doesn’t. This is the sixth and final post in a blog series that takes a look at some of the most common mistakes we see that lead to failed AppSec initiatives. Use our experience to make sure you avoid these mistakes and set yourself up for application security success.

Why AppSec Expertise and Experience Matters

Defining and growing an application security program for your organization can be a daunting task, and it requires people with a deep understanding of software security. In addition, when your program is up and running, finding vulnerabilities in your code is only the first step. The second is remediation, which requires knowledge, experience, and specialized developers. What happens if you get stuck and don’t know the right way to remediate?

Whether you are figuring out where to start or trying to scale an established application security program, getting help from people with experience can improve the effectiveness and maturity of your program.

What happens to your application security program without enough or the right staff? The negative impacts include:

  • Delayed software releases because security issues are not getting fixed in time
  • Ever increasing technical debt because found flaws are not fixed
  • Developers are frustrated, creating friction with the security team
  • AppSec issues become marginalized due to perceived inability to do anything about it
  • Increasing information security risk exposure

Yet organizations struggle to find the right people who fit the bill. Veracode recently sponsored the DevSecOps Global Skills Survey from DevOps.com and found that nearly one in three technology professionals said the IT workforce is unprepared to securely deliver software at DevOps speeds, and just over half said they believe it is only somewhat prepared.

The survey also revealed that fewer than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

Finally, the 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Evidence of the Expertise Edge

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise.

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get coaching from security experts fix 88 percent more flaws.

Learn From Others’ Mistakes

Don’t repeat the mistakes of the past; learn from other organizations and avoid the most common AppSec pitfalls. Today’s tip: Extend your security team with outside AppSec expertise. Get details on all six of the most popular mistakes in our eBook, AppSec: What Not to Do.

What is IAM? Identity and access management explained

IAM definition

Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management). The core objective of IAM systems is one digital identity per individual. Once that digital identity has been established, it must be maintained, modified and monitored throughout each user’s “access lifecycle.”

IDG Contributor Network: Communicate or die: Tech leaders who bring information security to life

Effective CISOs often have to move out of their own comfort zones to become great communicators. The ability to align terms and expectations and to separate the “signal” from the “noise” is crucial in dealing with multiple tasks within an enterprise, driving budgets, motivating employees, educating boards of directors, and more.

I have learned the hard way what works and what doesn’t work as a TEDx and Google Talk speaker. Watching people’s faces light up or glaze over during my talks has provided invaluable data on what generates engagement. I also study how others, especially tech speakers, make complex terms and ideas easier for the non-tech person to understand and engage in.