Security

Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com) 10

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.
Security

Fortinet VPN Client Exposes VPN Creds; Palo Alto Firewalls Allow Remote Attacks (bleepingcomputer.com) 22

An anonymous reader shares a report: It's been a bad week for two of the world's biggest vendors of enterprise hardware and software -- Fortinet and Palo Alto Networks. The worst of the bunch is a credentials leak affecting Fortinet's FortiClient, an antivirus product provided by Fortinet for both home and enterprise-level clients. Researchers from SEC Consult said in an advisory released this week that they've discovered a security issue that allows attackers to extract credentials for this VPN client. The second major security issue disclosed this week affects firewall products manufactured by Palo Alto Networks and running PAN-OS, the company's in-house operating system. Security researcher Philip Pettersson discovered that by combining three vulnerabilities together, he could run code on a Palo Alto firewall from a remote location with root privileges.
Security

Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com) 131

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Open Source

Avast Launches Open-Source Decompiler For Machine Code (techspot.com) 102

Greg Synek reports via TechSpot: To help with the reverse engineering of malware, Avast has released an open-source version of its machine-code decompiler, RetDec, that has been under development for over seven years. RetDec supports a variety of architectures aside from those used on traditional desktops including ARM, PIC32, PowerPC and MIPS. As Internet of Things devices proliferate throughout our homes and inside private businesses, being able to effectively analyze the code running on all of these new devices becomes a necessity to ensure security. In addition to the open-source version found on GitHub, RetDec is also being provided as a web service.

Simply upload a supported executable or machine code and get a reasonably rebuilt version of the source code. It is not possible to retrieve the exact original code of any executable compiled to machine code but obtaining a working or almost working copy of equivalent code can greatly expedite the reverse engineering of software. For any curious developers out there, a REST API is also provided to allow third-party applications to use the decompilation service. A plugin for IDA disassembler is also available for those experienced with decompiling software.

Robotics

Robots Are Being Used To Shoo Away Homeless People In San Francisco (qz.com) 389

An anonymous reader quotes a report from Quartz: San Francisco's Society for the Prevention of Cruelty to Animals (SPCA) has been ordered by the city to stop using a robot to patrol the sidewalks outside its office, the San Francisco Business Times reported Dec. 8. The robot, produced by Silicon Valley startup Knightscope, was used to ensure that homeless people didn't set up camps outside of the nonprofit's office. It autonomously patrols a set area using a combination of Lidar and other sensors, and can alert security services of potentially criminal activity.

In a particularly dystopian move, it seems that the San Francisco SPCA adorned the robot it was renting with stickers of cute kittens and puppies, according to Business Insider, as it was used to shoo away the homeless from near its office. San Francisco recently voted to cut down on the number of robots that roam the streets of the city, which has seen an influx of small delivery robots in recent years. The city said it would issue the SPCA a fine of $1,000 per day for illegally operating on a public right-of-way if it continued to use the security robot outside its premises, the San Francisco Business Times said.

Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 84

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Botnet

Mirai IoT Botnet Co-Authors Plead Guilty (krebsonsecurity.com) 31

Three hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. Brian Krebs reports: The U.S. Justice Department on Tuesday unsealed the guilty pleas of two men (Editor's note: three men) first identified in January 2017 by KrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called "Internet of Things" devices such as security cameras, routers, and digital video recorders for use in large scale attacks designed to knock Web sites and entire networks offline (including multiple major attacks against this site). Entering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J. and Josiah White, 20, from Washington, Pennsylvania. Jha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale DDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks. Editor's note: The story was updated to note that three men have pleaded guilty. -- not two as described in some reports.
Businesses

Uber's Massive Scraping Program Collected Data About Competitors Around The World (gizmodo.com) 29

Kate Conger, reporting for Gizmodo: For years, Uber systemically scraped data from competing ride-hailing companies all over the world, harvesting information about their technology, drivers, and executives. Uber gathered information from these firms using automated collection systems that ran constantly, amassing millions of records, and sometimes conducted physical surveillance to complement its data collection. Uber's scraping efforts were spearheaded by the company's Marketplace Analytics team, while the Strategic Services Group gathered information for security purposes, Gizmodo learned from three people familiar with the operations of these teams, from court testimony, and from internal Uber documents. Until Uber's data scraping was discontinued this September in the face of mounting litigation and multiple federal investigations, Marketplace Analytics gathered information on Uber's overseas competitors in an attempt to advance Uber's position in those markets. SSG's mission was to protect employees, executives, and drivers from violence, which sometimes involved tracking protesters and other groups that were considered threatening to Uber. An Uber spokesperson declined to comment for this story.
Security

Old Crypto Vulnerability Hits Major Tech Firms (securityweek.com) 31

wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.
Businesses

Trump Signs Into Law US Government Ban on Kaspersky Lab Software (reuters.com) 138

President Donald Trump signed into law on Tuesday legislation that bans the use of Kaspersky Lab within the U.S. government, capping a months-long effort to purge the Moscow-based antivirus firm from federal agencies amid concerns it was vulnerable to Kremlin influence. From a report: The ban, included as part of a broader defense policy spending bill that Trump signed, reinforces a directive issued by the Trump administration in September that civilian agencies remove Kaspersky Lab software within 90 days. The law applies to both civilian and military networks. "The case against Kaspersky is well-documented and deeply concerning. This law is long overdue," said Democratic Senator Jeanne Shaheen, who led calls in Congress to scrub the software from government computers. She added that the company's software represented a "grave risk" to U.S. national security.
Databases

Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com) 70

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
Bitcoin

SEC Shuts Down Munchee ICO (techcrunch.com) 43

The Securities and Exchange Commission has shut down Munchee, a company that built a $15 million token sale. According to TechCrunch, "The Munchee ICO aimed to fund the MUN coin, a payment system for restaurant reviews." However, the company "received a cease and desist from the SEC on December 11" because it constituted the offer and sale of unregistered securities. From the report: Within the SECs findings they noted that Munchee touted itself as a "utility" token which means that the company believed the MUN token would be primarily used within the Munchee ecosystem and not be used to fund operations. However, thanks to an application of the Howey Test (a Supreme Court finding that essentially states that any instrument with the expectation of return is an investment vehicle), the SEC found the Munchee was actually releasing a security masquerading as a utility. "Munchee offered MUN tokens in order to raise capital to build a profitable enterprise," read the SEC notice. "Munchee said that it would use the offering proceeds to run its business, including hiring people to develop its product, promoting the Munchee App, and ensuring 'the smooth operation of the MUN token ecosystem.'" The stickiest part? Munchee claimed that its coins would increase in value thanks to a convoluted process of growth.

In short, Munchee was undone by two things: depending on the token sale as a vehicle to raise cash for operations and using the typically spammy and scammy marketing efforts most ICO floggers use now, tactics taken directly from affiliate marketing handbooks. Fortunately, Munchee was able to return all $15 million to the 40 investors that dumped their coins into scheme.

IT

Tech Support Scammers Invade Spotify Forums To Rank in Search Engines (bleepingcomputer.com) 33

Tech support scammers have been aggressively posting on Spotify forums to inject their phone numbers in a bid to vastly improve their odds of showing up on Google and Bing search results, a new report claims. And that bet seems to be working. From the report: They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google. While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software. BleepingComputer was alerted to this problem by security researcher Cody Johnston who started to see an alarming amount of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
Privacy

How Email Open Tracking Quietly Took Over the Web (wired.com) 116

Brian Merchant, writing for Wired: There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email -- usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising -- and growing -- number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
Google

Google Releases Tool To Help iPhone Hackers (vice.com) 52

Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google has released a powerful tool that can help security researchers hack and find bugs in iOS 11.1.2, a very recent version of the iPhone operating system. The exploit is the work of Ian Beer, one of the most prolific iOS bug hunters, and a member of Google Project Zero, which works to find bugs in all types of software, including that not made by Google. Beer released the tool Monday, which he says should work for "all devices." The proof of concept works only for those devices he tested -- iPhone 7, 6s and iPod touch 6G -- "but adding more support should be easy," he wrote. Last week, Beer caused a stir among the community of hackers who hack on the iPhone -- also traditionally known as jailbreakers -- by announcing that he was about to publish an exploit for iOS 11.1.2. Researchers reacted with excitement as they realized the tool would make jailbreaking and security research much easier.
HP

HP Laptops Found To Have Hidden Keylogger (bbc.com) 114

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
Debian

Does Systemd Makes Linux Complex, Error-Prone, and Unstable? (ungleich.ch) 740

"Systemd developers split the community over a tiny detail that decreases stability significantly and increases complexity for not much real value." So argues Nico Schottelius, talking about his experiences as the CEO of a Swiss company providing VM hosting, datacenters, and high-speed fiber internet. Long-time Slashdot reader walterbyrd quotes Nico's essay: While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope...

[W]hat the Devuan developers are doing is creating stability. Think about it not in a few repeating systemd bugs or about the insecurity caused by a huge, monolithic piece of software running with root privileges. Why do people favor Linux on servers over Windows? It is very easy: people don't use Windows, because it is too complex, too error prone and not suitable as a stable basis. Read it again. This is exactly what systemd introduces into Linux: error prone complexity and instability. With systemd the main advantage to using Linux is obsolete.

The essay argues that while Devuan foisted another choice into the community, "it is not their fault. Creating Devuan is simply a counteraction to ensure Linux stays stable. which is of high importance for a lot of people."
Python

Did Programming Language Flaws Create Insecure Apps? (bleepingcomputer.com) 99

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Bug

Microsoft's 'Malware Protection Engine' Had A Remote Code Execution Flaw (theregister.co.uk) 54

Slashdot reader Trax3001BBS shares an article from The Register: Microsoft posted an out-of-band security update Thursday to address a remote code execution flaw in its Malware Protection Engine. Redmond says the flaw, dubbed CVE-2017-11937, has not yet been exploited in the wild. Because it is an out-of-band critical fix, however, it should be installed as soon as possible. For most users, this will happen automatically.

The security hole is present in Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016... According to Microsoft, the vulnerability can be triggered when the Malware Protection Engine scans a downloaded file to check for threats. In many systems this is set to happen automatically for all new files. By exploiting a memory corruption error in the malware scanning tool, the attack file would be able to execute code on the target machine with LocalSystem privileges.

Security

Touting Government/Industry 'Partnership' on Security Practices, NIST Drafts Cybersecurity Framework Update (scmagazine.com) 15

Remember NIST, the non-regulatory agency of the U.S. Department of Commerce? Their mission expanded over the years to protecting businesses from cyberthreats, including a "Cybersecurty Framework" first published in 2014. "The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure, such as bridges and the electric power grid," NIST wrote in January, "but the framework has been widely adopted by many types of organizations across the country and around the world." Now SC Media reports: The second draft of the update to the National Institute of Standards and Technology's cybersecurity framework, NIST 1.1, is meant "to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use," according to NIST. Specifically, it brings clarity to cybersecurity measurement language and tackles improving security of the supply chain. Calling the initial NIST CSF "a landmark effort" that delivered "important benefits, such as providing common language for different models" of standards and best practices already in use, Larry Clinton, president and CEO of the Internet Security Alliance, said "it fell short of some of the most critical demands of Presidential Executive Order 13636, which generated its development...

"To begin with, the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization"... Clinton praised the process used by NIST as "a model 'use case' for how government needs to engage with its industry partners to address the cybersecurity issue." The internet's inherent interconnectedness makes it impossible for sustainable security to be achieved through anything other than true partnership, he contended.

Slashdot reader Presto Vivace reminds you that public comments on the draft Framework and Roadmap are due to NIST by 11:59 p.m. EST on January 19, 2018. "If you have an opinion about this, NOW is the time to express it."

Slashdot Top Deals