Tag bitcoin

InfoSec Week 48, 2018

Sennheiser's HeadSetup software is installing a root certificate into the OS Trusted CA Certificate store.
They have also put a private key on a device, the same one for all users, which allows any user to perform a man-in-the-middle SSL attacks against SSL communication.
https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/

German chat platform Knuddels.de (Cuddles) has been fined 20k€ for storing user passwords in plain text.
What is interesting is that the regional GDPR data watchdog wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances".
https://www.theregister.co.uk/2018/11/23/knuddels_fined_for_plain_text_passwords/

Crooks are using new attack vector to spread malware, they are requesting maintainer access to a widely-used open source projects on github, then pushing compromised version to millions of people.
https://github.com/dominictarr/event-stream/issues/116

Two international cybercriminal Rings dismantled and eight defendants indicted for causing tens of millions of dollars in losses in the digital advertising fraud.
They have produced Boaxxe/Miuref & Kovter malware.
https://www.us-cert.gov/ncas/alerts/TA18-331A

Cisco Talos has discovered DNSpionage malware targeting governments and companies in the Middle East using phishing attack.
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

The U.S. Treasury Department has sanctioned two Iranians allegedly involved in Bitcoin ransomware scheme SamSam.
They have basically put Bitcoin addresses on the Office of Foreign Assets Control’s (OFAC) sanctions list.
https://home.treasury.gov/news/press-releases/sm556

Scammers are changing the contact details for banks on Google Maps.
http://blog.abhijittomar.com/2018/10/19/google-business-claim-scam/

Almost all VPN browser extensions are in fact just a proxy and are vulnerable to a different level of IP leaks and DNS leaks.
https://blog.innerht.ml/vpn-extensions-are-not-for-privacy/

Google, Mozilla are working on letting web apps edit local user files despite warning it could be really dangerous.
https://www.techrepublic.com/article/google-mozilla-working-on-letting-web-apps-edit-files-despite-warning-it-could-be-abused-in-terrible/

The German Federal Office for Information Security, BSI, publishes Microsoft Windows 10 telemetry analysis.
https://www.ghacks.net/2018/11/23/german-federal-office-bsi-publishes-telemetry-analysis/

BlackBerry purchased Cylance, the machine-learning based anti-malware company for $1.4 billion dollars.
They plans to integrate Cylance's anti-malware solution into the BlackBerry Spark platform.
https://www.csoonline.com/article/3321746/security/blackberrys-acquisition-of-cylance-raises-eyebrows-in-the-security-community.html

The Sequoia team introduced the first release of a new Rust implementation of the OpenPGP licensed under GPL 3.0.
https://sequoia-pgp.org/blog/2018/11/26/initial-release/

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners get together to create Message Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
https://datatracker.ietf.org/doc/draft-omara-mls-architecture/

Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.
https://www.elie.net/blog/security/taking-down-gooligan-part-1-overview

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they have notified the AMD.
https://www.schneier.com/blog/archives/2018/03/israeli_securit.html

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
https://www.theverge.com/2018/3/20/17142482/russia-orders-telegram-hand-over-user-encryption-keys

Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.
https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Fascinating in depth blog about the breaking security of the Ledger cryptocurrency hardware wallet.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.
https://opnsec.com/2018/03/stored-xss-on-facebook/

Two part series about the password cracking Chinese hardware "encrypted" hard drives. PIN recovered.
https://syscall.eu/blog/2018/03/12/aigo_part1/
https://syscall.eu/blog/2018/03/12/aigo_part2/

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/

Dark Web Map - a visualization of the structure of 6.6k Tor's onion services, a.k.a. hidden services, a.k.a. the dark web.
https://www.hyperiongray.com/dark-web-map/

InfoSec Week 22, 2017

Notoriously known Gh0st RAT spyware is spreading through the same SMB vulnerability as a WannaCry ransomware.
https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

Jaff, ransomware distributed by the today's biggest spam botnet Necurs, is sharing server infrastructure with a PaySell cybercrime marketplace based in Saint Petersburgh, Russia.
https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/

Security researchers have spotted a new PowerPoint infection vector. Malware is downloaded to a computer whenever a victim hovers a link. Without the macros.
https://www.bleepingcomputer.com/news/security/powerpoint-file-downloads-malware-when-you-hover-a-link-no-macros-required/

Wikileaks has published yet another CIA toolkit - Windows implant capable of the on-the-fly infection of a file executed over the network.
https://wikileaks.org/vault7/releases/#Pandemic

This guy lost lots of bitcoin in 15 minutes as attacker exploited Verison alternative authentification method. Interesting read.
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

Company behind OneLogin, a single sign-on and identity management for cloud-based applications, has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

InfoSec Week 17, 2017

A team of researchers from New York University said they identified a severe flaw in General Electric Multilin protection relays, which are widely deployed in the US energy sector.
https://www.blackhat.com/us-17/briefings.html#and-then-the-script-kiddie-said-let-there-be-no-light.-are-cyber-attacks-on-the-power-grid-limited-to-nation-state-actors

Kaspersky labs analyzed Backdoor.Win32.Denis, malware using DNS tunneling as a communication infrastructure. Base64 is not an encryption, tough.
https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/

Check Point researchers have discovered a new Mac malware family that uses nag screens to obtain admin privileges, Tor to hide traffic diverted to a remote proxy, and a rogue certificate to intercept encrypted browser traffic. It's spreading via email spam.
http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

A critical vulnerability (CVE 2017-5135) in the implementation of the SNMP protocol allows an attacker to take over at least 78 cable modem models.
https://www.bleepingcomputer.com/news/security/several-cable-modem-models-affected-by-snmp-god-mode-flaw/

Wired wrote about the research of Android applications that turns the smartphone into a file server, exposing open ports to the internet, and why is it dangerous. https://www.wired.com/2017/04/obscure-app-flaw-creates-backdoors-millions-smartphones/

CIAs document tracking program Scribbles allegedly embeds a web beacon-style tag into watermarks located on Microsoft Word documents that can report document analytics back to the CIA.
https://wikileaks.org/vault7/#Scribbles

The Antminer, bitcoin mining hardware, has a backdoor that can disable miner remotely. http://www.antbleed.com/ https://www.reddit.com/r/Bitcoin/comments/67qwqv/antbleed_exposing_the_malicious_backdoor_on/dgsk6cf/

Troy Hunt published blog about some of the most insane password reset schemes, security questions, and corporate responses he saw through the career.
https://www.troyhunt.com/reckon-youve-seen-some-stupid-security-things-here-hold-my-beer/

InfoSec Week 1, 2017

Koolova ransomware or better "awarenessware" decrypts files if victims read 2 articles about ransomware. No money involved.
https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/

An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a Bitcoin ransom to return the data.
https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/

Company PagerDuty open sourced their Incident Response Documentation. "The PagerDuty Incident Response Documentation is a collection of best practices detailing how to efficiently deal with any major incidents that might arise, along with information on how to go on-call effectively." Very useful material. I have included link to the hacker news, because interesting discussion appeared there.
https://www.pagerduty.com/blog/incident-response-documentation/ https://github.com/PagerDuty/incident-response-docs https://news.ycombinator.com/item?id=13309761

ThreatConnect researcher Robert Simmons published paper "Open Source Malware Lab". It examines usage of the open source tools like Cuckoo Sandbox, Thug, Bro Network Security Monitor and Volatility Framework when analyzing malware samples.
https://www.virusbulletin.com/blog/2017/01/vb2016-paper-open-source-malware-lab

New malware visual analysis platform KAMAS is published as a research paper on the Arxiv.org. "KAMAS, a knowledge-assisted visualization system for behavior-based malware analysis. KAMAS supports malware analysts with visual analytics and knowledge externalization methods for the analysis process."
https://arxiv.org/pdf/1612.06232.pdf

InfoSec Week 52, 2016

A hacker transferred early bitcoiners phone number from T-Mobile to a carrier called linked to a Google Voice account in the hacker’s possession using fake identity. Within minutes, dozens of his accounts were stolen.
http://www.forbes.com/sites/laurashin/2016/12/20/hackers-have-stolen-millions-of-dollars-in-bitcoin-using-only-phone-numbers/

Three Chinese nationals hacked two New York law firms and used stolen data for insider trading on the stock market.
http://www.securitynewspaper.com/2016/12/30/three-chinese-charged-hacking-law-firms-stealing-insider-trading-data/

Hacker Kapustkiy hacked the Slovak Chamber of Commerce, more than 4000 users record were accessed.
http://securityaffairs.co/wordpress/54550/data-breach/slovak-chamber-commerce-hacked.html

A comprehensive report on ransomware-related events covering a time frame of May – December 2016. This is only going to get worse over time.
http://privacy-pc.com/articles/ransomware-chronicle.html

The Electronic Frontier Foundation published a review of the technical developments in cryptography for the past year.
https://www.eff.org/deeplinks/2016/12/what-happened-crypto-2016

Interesting paper - "Estimating individual employment status using mobile phone network data" - which predicts individual employment status from the mobile phone network logs externally validated with household survey data. Scary stuff!
https://arxiv.org/pdf/1612.03870v1.pdf

A nice new publication available called "A Salad of Block Ciphers" - Survey on the state of the art in block cipher design and analysis.
https://eprint.iacr.org/2016/1171