A rather disturbing internal memo has been leaked from Google which reveals the details of Project Dragonfly, a search engine built at the behest of the government of the People’s Republic of China. Dragonfly has not been released yet, but it is in development and the memo paints an Orwellian picture. Dragonfly tracks and records the real-time location of anyone using it; on its own this is not too different from how search engines geolocate users now. The difference is that Dragonfly has a list of terms that return “No Results Found”, such as “Democracy”, “Freedom of Speech”, or “Right to Protest.” If a user searches for these terms, their location is sent to the appropriate authorities for observation and possible enforcement for the health of Chinese society. The Dragonfly memo was leaked after Google employees who weren’t supposed to know about the project became aware of it and voiced their dissent. This failed to yield results, so the memo was leaked to the public, and it appears that Google is still unwilling to change its stance on the project. While Dragonfly is a legitimate request by a legitimate government, it seems to fly in the face of Google’s own corporate guideline of “Don’t Be Evil.”
Cyber Security News
One of the creators of Scan4You has been sentenced to 14 years in prison for helping hackers cause over $20 Billion in damages with their innovative tool. Antivirus software relies on a communal database, a form of herd immunity similar to how vaccines work: whenever it detects something malicious, it uploads a copy of the software. In this way, if a computer detects a new threat, even if it can’t prevent the infection, the research and development teams are made aware and can start working on a solution. This allows cyber research groups to see new attack vectors and malware strains as they are released into the wild, and hopefully to create countermeasures before the virus spreads. Scan4You is counter-antivirus software: it allowed users to upload their attack programs and run them against antivirus products without the samples being uploaded to the communal database. With this tool, potential attackers were able to create attacks that they were reasonably sure would go undetected. This allowed for billions of dollars in damage and for personal information to be stolen on a scale that isn’t normally seen. While the Scan4You team didn’t sell malware, they did facilitate attacks and have been charged with hacking and selling malicious products.
Source: Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years
Microsoft is working to patch an exploit, brought to their attention by the Zero Day Initiative, that allows attackers to execute malicious code on any server running the JET Database Engine (JET). This vulnerability affects all known versions of Windows and Windows Server, and there is currently no patch available. Microsoft did not release a patch for this vulnerability in September, so the earliest it could arrive is the October patch. The JET exploit works by creating an oversized database file that lets an attacker place and execute malicious code in the memory buffer used to process the file.
Source: Researcher Discloses New Zero-Day Affecting All Versions of Windows
There’s a new malicious group trying to sell its Malware-as-a-Service (MaaS) known as Black Rose Lucy, which targets Android devices. Black Rose Lucy is the product of the Russian-speaking Lucy Gang, and currently there is no known connection to APT 28 or other Russian hacking groups, though such a connection is not out of the realm of possibility. According to researchers, the Lucy Gang, while apparently new, shows signs of past hacking experience and business acumen that belies their otherwise unknown reputation. Black Rose Lucy allows additional software to be installed onto infected devices, which opens them up to further attacks. Black Rose Lucy has been developed to be easy to use, according to researchers, which will increase the market it can be sold to. Additionally, Black Rose Lucy appears to be the original product of the Lucy Gang, given its clean code structure, which is unusual in code that has been copied from somewhere else.
Source: Lucy Gang Debuts with Unusual Android MaaS Package
Equifax has been fined the maximum amount allowed by the Data Protection Act of 1988 because the data breach that caused hundreds-of-thousands of customers to have their data exposed occurred before GDPR went into full effect. With an operating revenue of $16,000,000,000 ($16 Billion), Equifax would have had to pay a fine of $640,000,000 ($640 Million) instead of the 0.003% fine they’re currently paying. The Equifax breach was incredibly damaging, as names, credit card numbers, dates of birth, Social Security numbers, driver’s license numbers, addresses, credit cards, and other Personally Identifying Information were all taken. This sort of information is a literal goldmine for identity theft, and with that much detail it would be possible for malicious actors to impersonate their victims. Technically, Equifax could appeal the fine, but the evidence of multiple failures is solid and an appeal may be seen as a waste of time by the company.
UnityPoint Health is reporting that a data breach may have exposed nearly 1.4 million patients’ personal health data, and all of this is because of a phishing attack. Phishing, and especially spear phishing, attacks are one of the easiest ways for potential attackers to gain access to secure systems. Phishing attacks rely on both human and digital vulnerabilities: while email software has gotten better at detecting and stopping phishing attacks automatically, it’s impossible to catch everything. It eventually falls on the human operator to make a judgement call about which emails they open, and unfortunately many people fall victim to malicious emails that have the potential to compromise secure networks. An initial phishing attempt is often aimed at gaining access to a trusted email account within an organization, and that compromised, still-trusted account is then used to phish other users. Knowing how to spot suspicious emails is critical, and there are a few simple rules that can be applied to determine which emails to trust.
– Do you know the sender?
– Are there any obvious misspellings or other simple errors that the sender should not have made?
– Are they asking for an immediate reply or one within a day?
– Is the sender contacting you on an email address that isn’t associated with who they’re claiming to be?
– Are there any hyperlinks in the email that show different addresses when you hover over them?
If the email seems suspicious, or you want to follow best practices, just call or contact the sender and confirm that they really did send you the email. This simple verification process can save you and your company time, money, and prestige by stopping phishing attempts in their tracks.
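The checklist above can be partly automated as a first-pass triage before the phone call the text recommends. The following Python script is an added example, not code from the article or any of its sources: it parses a constructed sample message with the standard library and reports which rules fire. The allowlist of known sender domains, the confusable-character table and the sample messages are assumptions for illustration; the “obvious misspellings” rule is reduced to lookalike sender domains (a full spell check is out of scope), and the other rules map to sender-domain, display-name and Reply-To mismatches, urgency phrases, and anchor text that disagrees with the real href.

```python
"""Screen a raw email against a simple phishing checklist (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: sender domains the reader already knows and trusts.
KNOWN_SENDER_DOMAINS = {"example-health.org"}

# Phrases that push for an immediate reply (checklist rule 3).
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|within (24|twenty-four) hours|right away)\b", re.I)

# Character sequences commonly swapped into lookalike domains (checklist rule 2).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample message, not a real campaign: the display name claims the helpdesk,
# the address is a lookalike domain, Reply-To goes elsewhere, the body demands action
# within 24 hours, and the visible link text disagrees with the real href.
SAMPLE_EMAIL = """\
From: "Example Health IT Helpdesk" <helpdesk@exarnple-health.com>
Reply-To: recovery@mailbox-reset.net
To: staff@example-health.org
Subject: Action required: mailbox suspension
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You must verify your account within 24 hours or access will be removed.</p>
<p><a href="http://login.mailbox-reset.net/verify">https://portal.example-health.org/login</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/x' style text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def squash(text):
    """Lower-case, fold confusable sequences, drop punctuation: 'Exarnple-Health' -> 'examplehealth'."""
    text = text.lower()
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return re.sub(r"[^a-z0-9]", "", text)


def phishing_findings(raw_message):
    """Return a list of (rule, detail) tuples; an empty list means no checklist rule fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # Rule 1: do you know the sender?
    if from_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(("unknown-sender", from_domain))
    for known in KNOWN_SENDER_DOMAINS:
        brand = squash(known.split(".")[0])
        # Rule 2: a "misspelled" lookalike of a trusted domain (exarnple vs example).
        if from_domain != known and brand in squash(from_domain):
            findings.append(("lookalike-domain", f"{from_domain} resembles {known}"))
        # Rule 4: the display name claims an organisation the address does not belong to.
        if from_domain != known and brand in squash(display_name):
            findings.append(("display-name-mismatch", f"'{display_name}' sent from {from_addr}"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    # Rule 3: demand for an immediate reply, in the subject or the body text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    hit = URGENCY.search(msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body))
    if hit:
        findings.append(("urgency", hit.group(0)))

    # Rule 5: visible link text that names a different host than the real href.
    parser = AnchorCollector()
    parser.feed(body)
    for href, visible in parser.links:
        if "." in visible and " " not in visible and host_of(visible) != host_of(href):
            findings.append(("link-mismatch", f"shows {host_of(visible)}, goes to {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in phishing_findings(SAMPLE_EMAIL):
        print(f"{rule:22} {detail}")
```

On the sample message every rule fires; on a plain-text note from an allowlisted address with no links the list comes back empty. The script only ranks what a human should look at more closely: a sender on the allowlist can still be compromised, which is exactly the scenario the text describes, so the out-of-band confirmation with the sender remains the deciding step.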
Source: Phishing attack compromised the data of 1.4 million UnityPoint Health patients
Joel Ortiz is being accused of stealing $2 Million in cryptocurrencies by hacking into cell phones. In at least one case he did so by pretending to be the victim and purchasing a new SIM card for the victim’s phone, which was then used to steal personal identifying information (PII). The PII was then put to work breaking into the victims’ crypto wallets so that Mr. Ortiz could drain their cryptocurrency. Mr. Ortiz’s victim count is a minimum of 20 in the state of California with more in other states; he is currently on bail and is charged with computer hacking, identity theft, and grand theft.
Source: Valedictorian allegedly stole $2M in cryptocurrency by hacking cell phones
A spearphishing attack originating from Russia targeted some 400 companies and at least 800 devices at these companies, which were various industrial businesses. Targeting these businesses has been a running theme for attacks coming from Russia lately, and in Ukraine they’ve become so devastating that whole cities have been left without power or utilities. It was recently reported that the US electrical grid had been thoroughly hacked, and while there was no loss of service, it wasn’t outside the realm of possibility either. The focus of this set of attacks was stealing money rather than control or espionage, which was accomplished by gaining access to high-level accounts.
Source: Russian spearphishing campaign targeted nearly 800 PCs at more than 400 companies
The Russian Federation signed the “Yarovaya Laws” into effect on July 6th, and this package contains several severe implications for the cyber landscape. The Yarovaya Law(s) or Yarovaya Package is comprised of two laws, 374-FZ and 375-FZ, that modify Russia’s criminal code and cyber landscape under the guise of dealing with terrorism. In a rather dystopian twist, the Yarovaya Law makes it a crime to fail to report a crime you know is going to happen, even if that crime doesn’t actually get committed. It changes the age at which children may be charged for terroristic acts to 14 and makes other sweeping changes to the punishments for acts of terror.
The Yarovaya Law affects the cyber landscape in Russia in a huge way, and it acts as a sort of “Nega-GDPR” that strips the rights and freedoms of Russian data subjects instead of increasing them. Namely, it requires all communications providers and Internet Service Providers (ISPs) to keep a complete log of their users’ metadata for three years. Additionally, these same providers must record all communications, images, videos, reports, audio, and other data sent through their services for six months. Both of these databases must be made available to the FSB and other Russian agencies and may be used in investigative work. On top of this, these providers must also provide the decryption key for any encrypted data that they send. This won’t necessarily mean that your data is decrypted automatically if you use your own encryption scheme, but if you rely on your ISP to encrypt, then your data is not secure.
These regulations apply to any company that does business in Russia or any data subjects who reside in Russia. Companies that process data in Russia must establish and maintain a database in Russia, and this database must be inspected to ensure that the data is being handled correctly. The Yarovaya laws allow for widespread monitoring that isn’t normally so blatant, and it’s surprising to see laws like these passed.
Inmates in an Idaho prison discovered a vulnerability in the system that managed their prison’s commissary, and by taking advantage of the tablets they used to interface with it, they credited themselves with hundreds-of-thousands of dollars. This credit was used to purchase movies, music, and snacks. Prison officials discovered the hack in July, by which time the inmates had taken approximately $225,000. The prison managed to recoup over $60,000 of what was taken, but the rest wasn’t recoverable. The vulnerability has since been removed, and there is no word on what punishment, if any, was levied against the inmates.
Source: Idaho inmates hack prison tablets, steal $225,000 in commissary credits
In a terrifying turn of events, researchers have found a variant of the Spectre attack they’ve dubbed NetSpectre because it (unlike all other known Spectre variants) can attack through a network connection instead of requiring physical access. NetSpectre takes advantage of inherent design quirks present in modern machines that allow them to function with the speed we’ve grown used to. By monitoring the way a targeted machine responds to a tailored request, it’s possible for NetSpectre to calculate the passkeys and other security information necessary to infiltrate the device without needing to learn the password. NetSpectre is capable of launching from cloud computing services, such as those hosted by Google or Amazon, and can work through Local Area Networks as well. NetSpectre sounds dangerous, and it is, but it was patched out by Intel earlier in the year. As long as your devices are kept up-to-date with security patches, they should be safe from Spectre, Meltdown, NewSpectre, NetSpectre, and other derivatives.
Source: NetSpectre — New Remote Spectre Attack Steals Data Over the Network
Another miner malware is making the rounds, named Hidden Bee, which takes advantage of an Adobe Flash vulnerability to install itself. Hidden Bee’s primary attack vector is advertisements on adult websites that redirect users to targeted pages designed to install the program. These ads appear to be targeted at users in Asian countries, and the attack itself shows an unusually high level of sophistication. The attack is encrypted and requires a handshake between the front and back ends of the website for it to actually initiate, which makes it difficult for researchers to analyze and for anti-virus software to catch. This type of attack, which is hidden by obfuscation, is not unknown to the cyber research community, but it appears rarely and is an obstacle that makes it difficult to find a fix or even collect the program to study.
Source: Hidden Bee miner spread via download drive-by download toolkit
Apple has rolled out a new safety feature, USB Restricted Mode, in an attempt to counter the rise of password stealing and cracking services that have been used by criminal elements as well as the police. These services, like GrayKey, work by using the Lightning USB port on an iPhone to somehow obtain the passcode of the device and give the user access to it. USB Restricted Mode disables the data, and sometimes charging, capabilities of the Lightning USB port after an hour of inactivity. Unfortunately, there is a major flaw with this protective feature: the one-hour inactivity timer resets if the iPhone is connected to a new device, even if that device is untrusted. This means that an iPhone could hypothetically be kept out of the restricted mode indefinitely until it can be transported to a place with the code-breaking software. If the device has been inactive for at least an hour, then it is secure against codebreaking attempts that use the Lightning USB port as their method of entry, maybe. It’s not known how GrayKey actually gets the code for iPhones; it is only believed that it uses the data connection provided by the Lightning USB port.
Source: New iOS Security Feature Ripe for Defeat
Another old security issue has risen to the surface with the fitness app, Polar Flow, which tracks the position and movements of its users. If this sounds familiar, it should, because earlier this year the Strava fitness tracking app had the exact same problem. Smart devices allow a massive amount of data to be collected and used, but these devices aren’t always up to the safety specifications that the military or government requires. In high-security areas personal electronic devices have been banned entirely and even in less secure areas their use and features may be restricted. While blame mostly falls at the feet of the device manufacturers some of it does have to go towards the users, who should be more aware of the data they’re sharing. The best safety practice is to assume that anything transmitted has been compromised.
Source: Polar Flow Fitness App Exposes Soldiers, Spies
Ukrainian officials are reporting that they’ve stopped a malware attack against a water purification plant that would have seen an overflow of chlorine had it gone undetected. Ukraine has accused Russian actors of being behind the attack, which used a well-known Russian malware vector known as VPNFilter; there have been multiple cyberattacks against Ukraine that have been linked to Russian groups such as APT 28. These attacks usually go after infrastructure, especially vital infrastructure such as hospitals and heating during the winter. In some ways, these attacks have been testing grounds for malware and have served as a way to test new attack vectors. Cyber warfare is a force multiplier that hasn’t seen widespread military use, and every nation has worked to get into the field.
Source: Ukrainian officials blame Russia for VPNFilter attack on chlorine plant
California Governor Jerry Brown (D) signed the California Consumer Privacy Act (CCPA) into law yesterday. The CCPA borrows its overall tone and structure from the General Data Protection Regulation (GDPR) that was signed into law by the European Union, and both of these pieces of legislation seek to tightly control how companies interact with the personal data of their users. Like GDPR, the CCPA has a grace period of two years, and it can still be modified or repealed before it takes effect. This gives corporations, like Google and AT&T, time to try and modify the bill, but whether or not they’ll be successful remains to be seen. The CCPA being signed into law has started a conversation about a national-level bill that would be enforced at the Federal level, which may have been the point of passing the CCPA. California’s standards tend to influence the rest of the nation; think of anything with the warning “X contains Y, a chemical known to the State of California to cause [cancer, and] birth defects or other reproductive harm.” Tech laws are especially powerful because California is home to Silicon Valley. It’d be like Kentucky passing a bourbon law: whatever happens is going to carry a lot of weight behind it.
Source: The Cybersecurity 202: Why California could be the bellwether for the privacy movement
The CCPA Text: Assembly Bill No. 375
A hardware vulnerability that affects every Android and some Apple devices produced since 2012 has been discovered by a group of researchers at three universities. This vulnerability is exploited by RAMpage, which is a subset of the Rowhammer malware family. RAMpage functions in a similar manner to Spectre in that it works on a known hardware vulnerability to gain access to otherwise secure files; once accessed, those files can be used to locate and take all of a device’s personal information as well as control of the device itself. RAMpage manipulates ION, Android’s memory management system, to provide itself access that would normally be impossible. The researchers communicated with Google about the solution they had created, but Google told them that their fix would require more system overhead than they predicted, and Google seems to have turned the researchers down.
Source: RAMpage vulnerability impacts every Android device since 2012
Source: Facebook quizzes may have exposed 120 million users personal information
As cyber attacks increase in volume and intensity, the demand for trained cyber professionals has grown as well. This demand has helped to create a booming cyber security sector, especially in the areas of training and management. Organizations and companies have realized that they’ll need someone who knows what they’re doing managing their cyber security programs, and this has become especially true as international laws such as GDPR have come into effect. Cyber security research and defense groups have proven their worth as they go through cyber forensic data to uncover how an attack occurred and who was responsible for it. These firms have allowed companies to strengthen their defenses, and their proactive attacks and services have prevented major breaches from occurring. The potential for malicious actors and products rife with backdoors has been in the news a lot lately, which has raised awareness of the risk of lax cyber security. Companies such as ZTE and Kaspersky have both seen themselves lambasted for connections and actions which would make them the ideal mole for foreign cyber attacks and intelligence gathering. While these scares are troubling, and at times it seems like enough can’t be done to make things secure, each one has driven the development of cyber firms ever further as they rush to meet the rising demand. The problem now is the lack of supply, as educational programs and certification courses rush to fill the huge gap in the supply of qualified cyber professionals.
Source: The cybersecurity sector is booming — but so are our enemies
There’s a new cyber security lab on the block: Cybercat, which is located in the autonomous region of Spain known as Catalonia. Cybercat pulls its talent from a variety of universities, which had been running their own cyber programs without any coordination. Cybercat aims to unify these disparate groups and directives into a unified front that can tackle larger cyber issues. Cybercat will tackle the security issues that come with the rise of Internet of Things (IoT) technology in Spain as well as regulations such as GDPR. For now, the people involved with Cybercat will continue to work from their home universities, but in a unified direction and with the capability to be called together in case of a crisis.
Source: Cybersecurity: Why this Spanish region has just created a new research center
Tens-of-thousands of Android devices have been infected with an ad-clicking malware program, according to RiskIQ, a cyber security research firm. This malware not only takes private information from the infected device but also installs malware that forces the user to pay a fee or see their device drain itself of power. Users who think their phone has been infected can restart their phone, and that should clear the malware from the device. If the user agrees to the “Battery Saving App” request, then information such as their phone number (and the numbers of those in their contacts) along with other data will be transmitted to a server.
Source: 60,000 Android devices hit with ad-clicking bot malware
Beam Suntory, the company behind the well-known Jim Beam whiskey, has been busy working to upgrade their cyber security systems. This push towards more modern and adaptable security systems comes with the realization that their systems are vulnerable, and that it’s possible to create an explosion on the production line. Previously the entire system was set up so that it could only be accessed physically, but this meant that if something went wrong it might take too long for IT professionals to respond and reach the affected site before something damaging occurred. Jim Beam still keeps its most important systems air-gapped and off the web, but it has set up Virtual Private Network (VPN) access that it provides to select IT professionals so they can monitor the health of the Beam Suntory systems and respond as necessary. Beam Suntory has also invested in upgrading their production line with recent technologies such as drones and robotic forklifts. These changes allow for a safer workplace environment and easier tracking of the entire production process. Automation has allowed Beam Suntory to more effectively pursue its business practices and they are continuing to work with Cisco to increase the amount of automated work done at their sites.
Source: Cisco Live 2018: Avoiding distillery explosions with cybersecurity
In a survey by OpenVPN that asked 500 US employees about their online habits, it was found that many employees did not practice good cyber discipline despite increased awareness of the risks. The study showed that a quarter of those surveyed (125) reused the same password for all of their logins, and 23% (115) didn’t check whether links they had been sent were malicious or not. Cyber security is only as strong as the weakest link in the chain, and employees represent the largest number of links in the corporate chain. Employees, especially those with access to critical data, have to practice their best online behavior. Companies can try to create better behavior by changing their security policies and compelling employees to follow them, but safe cyber practices are a cultural issue as well as a regulatory one. Companies must foster an environment where employees understand the best way to keep important data safe through everyday practices and behaviors. Multiple layers of security can help, as well as biometric passwords and multi-factor authentication. Employees should be cautioned to always investigate who sent an email and where any links inside go. Phishing and Spear Phishing attacks are still popular with today’s hackers, and they can be easy to fall prey to if you aren’t prepared to deal with them. Several of the largest hacks and attacks in 2017 started with a malicious email that seemed harmless but contained malware, malicious files, or dangerous links. These emails can appear to come from legitimate senders, and they may send the recipient to mock-ups of normal websites so that the target enters security or personal information that allows the attackers to create a foothold in the corporation’s system. The email may send itself from the infected computer using the victim’s email address, which makes it harder to spot the attack since it’s now coming from what’s supposed to be a safe email address.
Source: Despite advancements training and fears of breaches, employees still practice bad cyber hygiene, study