Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack
Only a few hours after the Drupal team releases latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. Announced yesterday, the newly discovered vulnerability (CVE-2018-7602) affects ...
Hackers build a 'Master Key' that unlocks millions of Hotel rooms
If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider. A critical design vulnerability in a popular and widely used electronic ...
Third Critical Drupal Flaw Discovered—Patch Your Sites Immediately
Damn! You have to update your Drupal websites. Yes, of course once again—literally it’s the third time in last 30 days. As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its ...
Police Shut Down World's Biggest 'DDoS-for-Hire' Service–Admins Arrested
In a major hit against international cybercriminals, the Dutch police have taken down the world's biggest DDoS-for-hire service that helped cyber criminals launch over 4 million attacks and arrested its administrators. An operation led by the UK's National Crime Agency (NCA) and the Dutch Police, ...
Google Redesigns Gmail – Here's a List of Amazing New Features
Google has finally been rolling out its new massively redesigned Gmail for desktop and mobile to 1.4 billion of users worldwide, which might be the most significant single upgrade in Gmail's history. This huge revamped version of the email service now offers plenty of new features such as ...
-
LATEST NEWS Apr 27, 2018
Amazon Alexa Has Got Some Serious Skills—Spying On Users!
"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!! Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device. Amazon Echo is an always-listening voice-activated smart ...
Last edited: Apr 27, 2018 -
@Dr. AMK , if you like news, check out bleepingcomputer.com, they put out a nice daily feed of hack infosec news.
Last edited: Apr 27, 2018 -
Why don't you just help me update our forum with all security events around the world? I can't do that alone. I want to build a reference for our members and outsiders who will find this thread using Google or any search engine. And nice feed, BTW.
-
The name of this thread is a little bit tricky, and maybe some members get confused about it. I hope that no one will misunderstand: it doesn't mean that it's for teaching how to hack. It's all about information security awareness and news, to help us protect ourselves, our privacy and our business.
Last edited: Apr 27, 2018 -
Will do!
I also recommend reading krebsonsecurity.com. It's not as daily, but a lot more in-depth.
And for those who want a big infosec feed, check out @swiftonsecurity's infosec feed you can import.
Maybe change it to The Infosec News Thread. -
Good suggestion. Let us have more suggestions and then choose the best one; it's not good to ask moderators for changes many times. I created a vote.
I'd appreciate it if I could get members' opinions by voting at the top of this thread; if there are any other suggestions, please post them in a comment.
Last edited: Apr 28, 2018 -
The Case for a Secondary DNS Service (PDF) - Security Solutions Improved Security Strategies to Protect Your Online Assets
Last edited: Apr 30, 2018 -
UK Health Agency Switches to Windows 10 Citing WannaCry Ransomware Outbreak
The UK Department of Health and Social Care has announced that it will transition all National Health Service (NHS) computer systems to Windows 10.
Officials cited the operating system's more advanced security features as the primary reason for upgrading current systems, such as the SmartScreen technology included with Microsoft Edge (a Google Safe Browsing-like system) and Windows Defender, Microsoft's sneakily good antivirus product.
WannaCry outbreak played a role
Department officials didn't ignore the elephant in the room, and also referenced the damages caused by the WannaCry ransomware outbreak last year as one of the reasons for upgrading their infrastructure.
The NHS was one of the first WannaCry victims last year, and one of the most harshly hit.
In a report published last year, NHS officials said WannaCry hit more than a third of all NHS trusts and led to the cancelation of over 6,900 medical appointments across the UK, including critical operations, albeit there was no loss of human life because of the cyber-attack.
According to Kaspersky and Microsoft telemetry, over 98 percent of all WannaCry victims were Windows 7 users.
By moving its infrastructure to Windows 10, NHS officials hope to leverage the plethora of new security features added in Windows 10 to safeguard NHS networks from similar future incidents.
UK govt plans to spend £150 million in the next three years
The UK government said it spent £60 million ($82 million) since last year's outbreak to bolster NHS' security systems and plans to spend £150 million ($205 million) more over the next three years. Department officials didn't reveal the value of the Microsoft "Windows 10 upgrade" deal, but they said it's a "multi-million pound" package.
Government officials also plan to create a new digital security operations center to prevent, detect and respond to similar cyber-security incidents. Other spending plans include:
• £21 million to upgrade firewalls and network infrastructure at major trauma center hospitals and ambulance trusts
• £39 million spent by NHS trusts to address infrastructure weaknesses
• New powers given to the Care Quality Commission to inspect NHS trusts on their cyber and data security capabilities
• A data security and protection toolkit which requires health and care organizations to meet ten security standards
• A text messaging alert system to ensure trusts have access to accurate information – even when internet and email services are down
For the past few years, UK antivirus maker Sophos has been the NHS' official antivirus provider. It is unclear if NHS plans to use Sophos products alongside Windows Defender on the upgraded Windows 10 systems.
At the time of the WannaCry attack, Sophos was heavily criticized for its tardy response to the whole incident. -
PoC Code Published for Triggering an Instant BSOD on All Recent Windows Versions
A Romanian hardware expert has published proof-of-concept code on GitHub that will crash most Windows computers within seconds, even if the computer is in a locked state.
The code exploits a vulnerability in Microsoft's handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender.
NTFS bug & Windows autoplay feature don't go well together
The expert's PoC contains a malformed NTFS image that users can take and place it on a USB thumb drive. Inserting this USB thumb drive in a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD).
"Auto-play is activated by default," Tivadar wrote in a PDF document detailing the bug and its impact.
"Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it."
Microsoft declined to fix
Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug.
Microsoft downgraded the bug's severity because exploiting it requires either physical access or social engineering (tricking the user).
The researcher doesn't agree with Microsoft's decision. He first argues that physical access isn't necessarily required, as an attacker could deploy the PoC from afar using malware.
NTFS bug also crashes locked PCs
Tivadar also explained that the NTFS bug was more dangerous than Microsoft thinks because it also works while the PC is locked, a state when the researcher argues the OS shouldn't be reading data from random USB drives that were inserted into its ports.
"I strongly believe that this behavior should be changed, [and] no USB stick/volume should be mounted when the system is locked," the researcher said. "Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine."
Tivadar published two videos on his personal Google Photos account showing the NTFS bug crashing a PC in normal and locked down states. Another PoC is also available on his Google Drive account.
For now, Tivadar's PoC will become one of the hottest pieces of code on GitHub, as any prankster will be looking to add it to his arsenal. -
Last edited: Apr 30, 2018
-
Hmm, there already seems to be a Sticky thread on this topic:
Security and Anti-Virus Software Forum General Index Sticky ***PLEASE READ BEFORE POSTING***
http://forum.notebookreview.com/thr...dex-sticky-please-read-before-posting.202330/
Maybe the title of this thread can be used for that sticky to attract more interest and participation? That's the purpose of that sticky... its name isn't encompassing enough to work though. -
A war in cyberspace is already raging and could lead to 'armageddon' if banks get hit
http://www.businessinsider.com/inside-the-cyberspace-war-in-the-financial-system-2018-5 -
Update Google Chrome Immediately to Patch a High Severity Vulnerability
https://thehackernews.com/2018/06/google-chrome-csp.html -
Using Cortana Smart Assistant to Hack Windows Password
Source: https://securingtomorrow.mcafee.com...-windows-10-device-ask-cortana-cve-2018-8140/ -
Epic Games Fortnite for Android–APK Downloads Leads to Malware
https://thehackernews.com/2018/06/fortnite-for-android-apk.html -
OpenBSD Disables Intel Hyper-Threading to Prevent Spectre-Class Attacks
https://thehackernews.com/2018/06/openbsd-hyper-threading.html -
Most Linux distros will follow suit.
Darn, compile speed will be slower on a fully loaded CPU. -
Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases
https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html -
Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure
https://thehackernews.com/2018/06/android-biometric-authentication.html
-
Apple iOS “Erase data” bypass attack
On IOS 12 you can only use this attack within the first hour, prior to IOS12 works great on IOS11 devices - use with rebirth to deploy an implant.
-
Two New Spectre-Class CPU Flaws Discovered—Intel Pays $100K Bounty
https://thehackernews.com/2018/07/intel-spectre-vulnerability.html
-
Military Reaper #Drone Documents Leaked on the #DarkWeb
https://www.recordedfuture.com/reaper-drone-documents-leaked/
-
Microsoft Patch Tuesday Updates Fix Over 50 Vulnerabilities | SecurityWeek.Com
https://www.securityweek.com/microsoft-patch-tuesday-updates-fix-over-50-vulnerabilities via @SecurityWeek -
Hackers Used Malicious MDM Solution to Spy On 'Highly Targeted' iPhone Users
https://thehackernews.com/2018/07/mobile-device-management-hacking.html via @TheHackersNews
-
Singapore's Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen
https://thehackernews.com/2018/07/singapore-healthcare-breach.html
Last edited: Jul 24, 2018 -
A Botnet Compromises 18,000 Huawei Routers
http://www.ehackingnews.com/2018/07/a-botnet-compromises-18000-huawei.html
Last edited: Jul 24, 2018 -
New Bluetooth Hack Affects Millions of Devices from Major Vendors
https://thehackernews.com/2018/07/bluetooth-hack-vulnerability.html
-
TSA's 'Quiet Skies' Program Tracks, Observes Travelers In The Air
https://www.npr.org/2018/07/30/6339...-program-tracks-observes-travelers-in-the-air
-
Let's Encrypt Is Now Officially Trusted by All Major Root Programs.
Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems.
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
What is Let's Encrypt?
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
TL;DR: If you run a website, you can get a free Let's Encrypt certificate to make your site HTTPS:// secure. -
Microsoft Adds Direct Trust for Let’s Encrypt
Author: Tara Seals, August 7, 2018 1:55 pm
https://threatpost.com/microsoft-adds-direct-trust-for-lets-encrypt/134761/
"...
This is the latest in a series of significant strides the CA has made towards a more secure web since its inception.
When Let’s Encrypt first entered public beta in December 2015, less than 40 percent of page loads used HTTPS.
Since then, two and a half years later, Let’s Encrypt is providing certificates for more than 115 million websites, and HTTPS percentages are above 70 percent across major browsers.
The most popular browser, Google Chrome, boasts 85 percent of traffic loaded with HTTPS.
It recently started labeling all HTTP sites as “not secure,” which should give some momentum to Let’s Encrypt going forward."
"The stakes remain high, as Aas recently told Threatpost: “When someone visits a website that does not use HTTPS, the entire interaction is broadcast in the clear for anyone on the network path to see. Furthermore, the interaction can be tampered with to include anything from ads to malware.”
Subscribers of Let’s Encrypt don’t need to take action regarding the new milestone, other than ensuring that their ACME clients (such as Certbot or an alternative) are regularly receiving software updates."
Last edited: Aug 8, 2018 -
Medical hack poses pacemaker risk - BBC News
BBC News
Published on Aug 9, 2018
Hackers from all over the world have descended on Las Vegas for two major security conferences.
BBC North America technology reporter Dave Lee met researcher Billy Rios who claims his company has uncovered a major vulnerability in a medical device that could have serious consequences.
-
Election cybersecurity takes center stage at hacker convention in Las Vegas
CBS News
Published on Aug 7, 2018
Top intelligence officials are warning of pervasive efforts to interfere with the 2018 midterm elections. CNET senior producer Dan Patterson spoke with CBSN from the hacking convention Black Hat in Las Vegas about the potential new threats.
Annual Black Hat Convention in Las Vegas expected to draw the largest crowd ever this year
KSNV News 3 Las Vegas
Published on Aug 7, 2018
It's the largest conference of its kind in the United States, bringing together like-minded computer types with a singular purpose: Hackers!
The Black Hat Convention in Las Vegas aims to teach people how to stop them.
"As more information and resources are available electronically, the more attacks will be developed," said one attendee.
Story: http://bit.ly/2OhdNQj
Last edited: Aug 10, 2018 -
The keynote opening starts at 9:47, Parisa Tabriz's, Project Zero Manager & Director of Engineering at Google, Security Princess - talk starts at 23:35.
Parisa Tabriz's lead in and discussion of Google's recent final push and fruition for the transition from http => https, starts at 39:00
https tipping points
progression of increases in https traffic in chrome os and android
Black Hat USA 2018 Keynote: Parisa Tabriz
Black Hat
Streamed live on Aug 8, 2018
Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes
By Parisa Tabriz, Project Zero Manager & Director of Engineering at Google, Security Princess
Working in security is a principled decision. Many of us do this because we want to help make technology more reliable and safer for our friends, our family - for humanity. Your skills got you a job, but your principles and drive got you the skills.
Turning your ideals into real, concrete outcomes at scale is… daunting. Interconnected networks, billions of lines of ever-evolving code, third party dependencies and legacy requirements, competing priorities, conflicting incentives, snake oil solutions; these are just a few of the challenges that are familiar to security professionals, and that doesn’t even include the social and communication barriers or endless philosophical debates.
So, how do you actually make technology in complex landscapes safer, at scale?
This talk offers guiding advice that we as security practitioners and leaders must embrace in order to succeed. Drawing on her experiences leading some of the biggest, ongoing security efforts that aim to make technology safer for all users, Parisa will first share how throwing out the rule book on vulnerability disclosure has been moving giants of the software industry toward measurably faster patching and end-user security. Next, she will share how a grassroots side project grew to shift the majority of the web ecosystem to secure transport, nearly 25 years after the technology was first made available. Finally, she will review the major effort to implement an intern’s publication in one of today’s largest open source projects, and how they persevered for 5+ years of refactoring, avoiding efforts to defund the work along the way. (Coincidentally, this project helped the world’s most popular browser mitigate a new class of hardware vulnerabilities earlier this year!)
https://www.blackhat.com/us-18/briefi...
Last edited: Aug 10, 2018 -
FBI warns banks of worldwide ATM hack threat
https://abc7news.com/fbi-warns-banks-of-worldwide-atm-hack-threat/3955881/
Last edited: Aug 15, 2018 -
Foreshadow Attacks — 3 New Intel CPU Side-Channel Flaws Discovered
https://thehackernews.com/2018/08/foreshadow-intel-processor-vulnerability.html
-
16-Year-Old Teen Hacked Apple Servers, Stole 90GB of Secure Files
https://thehackernews.com/2018/08/apple-hack-servers.html
Well, there's something quite embarrassing for Apple fans. -
T-Mobile Hacked — 2 Million Customers' Personal Data Stolen
https://thehackernews.com/2018/08/t-mobile-hack-breach.html
T-Mobile today confirmed that the telecom giant suffered a security breach on its US servers on August 20 that may have resulted in the leak of "some" personal information of up to 2 million T-Mobile customers. -
Flaw in Fiserv’s web platform exposed bank account details of millions
https://www.teiss.co.uk/news/fiserv-web-app-flaw/
-
Sonic Attacks on U.S. Embassy Staff Could Have Been Weaponized Microwave Radiation
https://gizmodo.com/sonic-attacks-on-u-s-embassy-staff-could-have-been-wea-1828766430
-
Cuban scientist rejects microwaves as source of mysterious acoustic attacks on diplomats
By Patrick Oppmann, CNN, Updated 6:43 PM ET, Mon September 3, 2018
https://www.cnn.com/2018/09/03/health/cuba-microwaves-attacks-theory/index.html
"Havana (CNN) A Cuban government investigator looking into reports of mysterious acoustic attacks on US and Canadian diplomats on the communist-run island on Monday dismissed a US government theory that microwave weapons emitting concentrated beams of radiation may have been used in the incidents.
"If you look at the alleged events, there have been reports that there are several people in a room with thick walls and thick windows and only one person was targeted. This is a kind of weapon that doesn't exist," said Dr. Mitchell Valdes-Sosa, a well-known neurologist who is part of the Cuban special task force investigating the alleged attacks. "It's science fiction, not science," he said.
"First, it was sonic weapons, now microwave. What's next, kryptonite?" the investigator said in an interview with CNN at his research center in Havana, referring to an earlier theory that sonic weapons emitting high-powered ultrasound waves could have caused the injuries.
Valdes-Sosa said researchers and investigators are working on a paper to rebut the microwave weapons theory.
..."
All about Security, News, Events and Incidents
Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.