Tag tracking

InfoSec Week 2, 2019

Personal information of many German politicans were published online. Since then, Police arrested 20 years old suspect.
https://www.thelocal.de/20190108/suspect-20-arrested-over-massive-german-politician-data-hack

Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. They have two working exploits already.
https://lwn.net/Articles/776404/

Samsung Phone Users Perturbed to Find They Can't Delete Facebook.
According to a Hacker News comment (2nd link), it should be possible to delete application via cable using ADB. I didn't try it.
https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-a-shock-they-can-t-delete-facebook
https://news.ycombinator.com/item?id=18864354

Australian government issued a warning regarding WhatsApp hoax that is promoting installation of a ‘gold’ version of the application. Installation leads to a malware infection.
https://cyber.gov.au/individual/news/whatsapp-gold-hoax/

After Motherboard's article about US carriers selling customers location data, senators call on FCC to investigate T-Mobile, AT&T, and Sprint.
https://motherboard.vice.com/en_us/article/j5z74d/senators-harris-warner-wyden-fcc-investigate-att-sprint-tmobile-bounty-hunters

Trial of a Mexican drug lord Joaquín "El Chapo" Guzmán started and it looks like his IT security guy gave encryption keys for a SIP communication service to investigators long time ago.
El Chapo also spyied on his wife and fiancées using Flexi-spy spyware which provider was subpoenaed by FBI.
https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html
https://twitter.com/alanfeuer/status/1083033189956964353

Singapore's ministry of communications and information published "Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database".
If you are into incident response, this report is really great source.
https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?la=en

Back in 2015, Facebook filed patent request describing how to track user relations using the dust on camera lens.
https://gizmodo.com/facebook-knows-how-to-track-you-using-the-dust-on-your-1821030620

If your computer rely on BitLocker in TPM mode (boot without PIN), it is possible to extract cryptographic material data out of your computer and decrypt the hard drive.
https://twitter.com/marcan42/status/1080869868889501696

Zerodium platform wants to pay you $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp / iMessage / SMS / MMS remote code execution exploit, and $500,000 for Chrome remote exploit.
https://twitter.com/Zerodium/status/1082259805224333312

Security engineer Chris Palmer published blog about the state of software security in 2019.
https://noncombatant.org/2019/01/06/state-of-security-2019/

The NSA has so far open-sourced 32 projects on Github, as part of its Technology Transfer Program.
https://github.com/nationalsecurityagency

Research paper on a new hardware-agnostic side-channel attack which is targeting the operating system page cache was published.
https://arxiv.org/abs/1901.01161

Interesting paper from the last October a long-term secure storage proposal:
"ELSA: Efficient Long-Term Secure Storage of Large Datasets".
https://arxiv.org/abs/1810.11888

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 20, 2018

Major (probably not only) US cell carriers are selling access to the real-time phone location data.
Because, you know the Electronic Communications Privacy Act only restricts telecommunication companies from disclosing data to the government, it doesn't restrict disclosure to other companies. Which can resell back to the gov. Hacker News discussion on a topic is quite informative.
https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/
https://news.ycombinator.com/item?id=17081684

Guardian wrote that according to the Oracle findings, Android devices send detailed information on searches, what is being viewed and also precise locations to the Google. Even if location services are turned off and the smartphone does not have a Sim card or application installed.
https://www.theguardian.com/technology/2018/may/14/australian-regulator-investigates-google-data-harvesting-from-android-phones

A new report details a widespread campaign targeting several Turkish activists and protesters by their government, using the government malware made by FinFisher.
https://motherboard.vice.com/en_us/article/wjb8g5/finfisher-turkey-twitter-spyware

A new set of vulnerabilities affecting users of PGP and S/MIME were published. The main problem lies in how email clients handle the output of the encryption tool, the protocol itself is not vulnerable, GnuPG should be fine.
https://efail.de/
https://www.benthamsgaze.org/2018/05/15/tampering-with-openpgp-digitally-signed-messages-by-exploiting-multi-part-messages/
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

Cryptocurrency mining malware was found in the Ubuntu Snap Store.
https://blog.ubuntu.com/2018/05/15/trust-and-security-in-the-snap-store

Essential reading on how spies are able to shape narrative of a journalistic pieces by document leaking.
https://www.nytimes.com/2018/05/12/sunday-review/when-spies-hack-journalism.html

The US media has learned the identity of the prime suspect in the Vault7 WikiLeaks CIA breach. Should be a 29-year-old former C.I.A. software engineer, government malware writer.
https://www.nytimes.com/2018/05/15/us/cia-hacking-tools-leak.html

Great blog post about math behind and existing implementations of the homomorphic encryption.
https://blog.n1analytics.com/homomorphic-encryption-illustrated-primer/

There is an article about the common encryption workarounds in the criminal investigations written by Orin S. Kerr and Bruce Schneier.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033

Sunder is a new desktop application for dividing access to secret information between multiple participants using Shamir's secret sharing method.
https://freedom.press/news/meet-sunder-new-way-share-secrets/

DARKSURGEON is a Windows packer project to empower incident response, malware analysis, and network defense.
https://medium.com/@cryps1s/darksurgeon-a-windows-10-packer-project-for-defenders-1a57759856b6

InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system deployed in the data center has destroyed the hard drives of a Swedish data center, downing NASDAQ operations across Northern Europe.
https://www.bleepingcomputer.com/news/technology/loud-sound-from-fire-alarm-system-shuts-down-nasdaqs-scandinavian-data-center/

Signal for iOS, version 2.23.1.1 and prior, is vulnerable to the screen lock bypass (CVE-2018-9840).
The blog explains how the vulnerability can be exploited in practice.
http://nint.en.do/Signal-Bypass-Screen-locker.php

Good summary about the integrated circuits Counterfeiting, detection and avoidance methods by hardware engineer Yahya Tawil.
https://atadiat.com/en/e-introduction-counterfeit-ics-counterfeiting-detection-avoidance-methods/

A new python-based cryptocurrency mining malware PyRoMine (FortiGuard Labs) is using the ETERNALROMANCE exploit attributed to the NSA, to propagate Monero cryptocurrency miner.
https://securityboulevard.com/2018/04/python-based-malware-uses-nsa-exploit-to-propagate-monero-xmr-miner/

The Australian Bureau of Statistics tracked people by their mobile device data to enrich their collection of data.
https://medium.com/@Asher_Wolf/the-australian-bureau-of-statistics-tracked-people-by-their-mobile-device-data-and-didnt-tell-them-16df094de31

BGP hijack affected Amazon DNS and rerouted web traffic for more than two hours. Attackers used the hijack to serve fake MyEtherWallet.com cryptocurrency website.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

Embedi researchers analyzed the security of a Huawei Secospace USG6330 firewall firmware. Good insight on how to analyze devices in general.
https://embedi.com/blog/first-glance-on-os-vrp-by-huawei/

The ISO has rejected SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small and low-cost processors like IoT devices.
https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html

The Center for Information Technology Policy at Princeton Announced IoT Inspector - an ongoing initiative to study consumer IoT security and privacy.
https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/

There is a Proof of Concept for Fusée Gelée - a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. This vulnerability compromises the entire root-of-trust for each processor, leading to full compromise of on-device secrets where USB access is possible.
https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md