The Exxon Valdez of cyberspace
> In 1989 the thin-hulled Exxon Valdez supertanker ran aground in Prince William Sound, Alaska, pouring a quarter of a million barrels of oil into the surrounding waters. At the time, it was America’s worst offshore spill, and a huge blow to the reputation of the ship’s owner, Exxon. The firm paid $3bn to clean up the area and settle legal claims, and to improve safety the American government ordered the phasing out of single-hull ships such as Exxon Valdez. All vessels used worldwide by Exxon’s corporate descendant, ExxonMobil, are now double-hulled. But that is not all. The disaster gave rise to a cultlike culture of discipline within ExxonMobil that helped turn it into the profitmaking beast it is today.
If we haven’t yet seen a sufficiently nasty data breach to motivate cleanups, I don’t think we want to.
Tricking the tricksters with a next level fork bomb
> Some people make a cruel sport out of tricking newbies into running destructive shell commands.
> Years ago, I came across someone doing this, and decided to trick them back.
I was 7 words away from being spear-phished
> I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.
John Deere's Promotional USB Drive Hijacks Your Keyboard
> Tractor-maker John Deere distributed USB drives that hijacked users’ keyboards and loaded its official website onto the browser. While the John Deere USB drive didn’t do anything to compromise the security of devices it was connected to, it used a method that’s similar to a malicious attack.
I think the real story here is that people still plug in strange devices.
Samsung TVs should be regularly virus-checked, the company says
> A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”.
Baltimore is not EternalBlue
> Recently a misleading and terribly researched article (via Nicole Perlroth and Scott Shane) came out in the NYT which essentially blamed the NSA and ETERNALBLUE for various ransomware attacks on American city governments, including Baltimore. This then ballooned to PBS and the BBC and a bunch of other places, all of which parroted its nonsense.
The Persistence of Chaos
> Airgapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008), Windows XP SP3, 6 pieces of malware, power cord, restart script, malware
> (minimum bid: $1,200,750 - reserve met)
0day "In the Wild"
> Project Zero’s team mission is to “make zero-day hard“, i.e. to make it more costly to discover and exploit security vulnerabilities. We primarily achieve this by performing our own security research, but at times we also study external instances of zero-day exploits that were discovered “in the wild”. These cases provide an interesting glimpse into real-world attacker behavior and capabilities, in a way that nicely augments the insights we gain from our own research.
> Today, we’re sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource:
Hope is not a NOBUS strategy
> So typically the first thing I do when I get a new implant to look at is see if the authors implemented public key encryption into it, or if they just have some sort of password authentication, and then maybe a symmetric algorithm for protecting their traffic. This was, for a while, a good way to track nation states because people who wanted their implants “easier” to deploy did not put public keys in them, whereas those of us who wanted a NOBUS backdoor generated a new public key per target (like this amazing one, Hydrogen, from 2004).
Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support Portal
> A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.
> But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.
Security alert: pipdig insecure, DDoSing competitors
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers
> The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.
How Hackers Are Stealing High-Profile Instagram Accounts
> But the link Brooks sent wasn’t to iconosquare.com—it was to lconosquare.biz, a cloned version of the site set up for phishing. Once the influencer logged in with the Instagram username and password, Brooks seized control of the account. Within minutes, he was spamming the influencer’s millions of followers with offers for a free iPhone.
> When reached for comment, Brooks replied by email: “becauze im a savage bitch Guciiiiii 4 lyyyffeee skrt skrt.”
See also: https://motherboard.vice.com/en_us/article/59vnvk/hacked-instagram-influencers-get-accounts-back-white-hat-hackers
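The two checks described above, the hover-and-compare from the Cambridge story and the lookalike domain from the Instagram story, are mechanical enough to script. The following is an added example (not code from either quoted article) that takes a link's displayed text and its real href, confirms the hosts agree, confirms the host sits under an expected domain, and flags a host that only looks like a trusted brand after collapsing visually confusable characters. The confusable table and the naive second-level-label split are hand-picked assumptions, and the sample inputs are reconstructed from the two stories.

```python
"""Link hygiene checks: displayed host vs. real host, expected-domain
containment, and a lookalike test against trusted brand domains."""
from urllib.parse import urlsplit

# Visually similar sequences collapsed to one canonical form (assumption:
# a small hand-picked list, not the Unicode confusables table).
# Multi-character keys come first so "rn" is handled before "n".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]


def host_of(link: str) -> str:
    """Lowercase hostname of a URL; bare 'host/path' text gets a scheme added."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (whole-label match,
    so 'evilcam.ac.uk' is not under 'cam.ac.uk')."""
    return host == domain or host.endswith("." + domain)


def skeleton(label: str) -> str:
    """Collapse confusable sequences so lookalike labels compare equal."""
    out = label.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def registrable_name(host: str) -> str:
    """Second-level label, e.g. 'iconosquare' from 'www.iconosquare.com'.
    Naive split (assumption): no public-suffix list, so 'example.co.uk'
    would wrongly yield 'co'."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def check_link(displayed, href, expected_domain=None, trusted_brands=()):
    """Return a list of findings; an empty list means the link passed."""
    findings = []
    shown, actual = host_of(displayed), host_of(href)
    if shown and shown != actual:
        findings.append(f"text shows {shown} but link goes to {actual}")
    if expected_domain and not is_under(actual, expected_domain):
        findings.append(f"{actual} is not under {expected_domain}")
    for brand in trusted_brands:
        same_site = actual == brand or is_under(actual, brand)
        if not same_site and skeleton(registrable_name(actual)) == skeleton(
            registrable_name(brand)
        ):
            findings.append(f"{actual} looks like {brand}")
    return findings


if __name__ == "__main__":
    # Constructed from the Cambridge prize e-mail: text and href agree, on cam.ac.uk.
    print(check_link(
        "people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize",
        "https://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize",
        expected_domain="cam.ac.uk",
    ))
    # Constructed from the Instagram story: iconosquare.com shown, lconosquare.biz linked.
    print(check_link(
        "iconosquare.com",
        "https://lconosquare.biz/login",
        trusted_brands=("iconosquare.com",),
    ))
```

The whole-label subdomain test matters: a plain `endswith("cam.ac.uk")` would accept `notcam.ac.uk`. The lookalike test deliberately ignores the TLD, because the cloned site in the story changed both the first letter and the suffix.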
The curious case of the Raspberry Pi in the network closet
> None of them knew anything about this so I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn’t and for this reason I was very interested in finding out what it actually does.
Phishing template uses fake fonts to decode content and evade detection
> While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding.
How Hackers Bypass Gmail 2FA at Scale
> They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can log in and steal the account.
> The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.
Windows Defender Antivirus can now run in a sandbox
> Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community.
One might say finally, but here it is.
YOU HAVE BEEN RANDOMLY SELECTED BY MOZILLA TO WIN A FREE VPN SERVICE
Remote Mac Exploitation Via Custom URL Schemes
> Which also means custom URL scheme handlers:
> ■ are registered automatically by macOS as soon as an application (that “advertises” support for such handlers) hits the file-system
> ■ will trigger the execution of the (automatically registered) handler application, when the custom URL scheme is invoked
Kind of obvious in hindsight; making things too easy leads to runaway.
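Because registration happens as soon as the bundle lands on disk, the defensive question is which applications advertise custom schemes at all. An app declares them in its `Info.plist` under `CFBundleURLTypes` / `CFBundleURLSchemes`. The following is an added example (not code from the quoted post) that reads those keys from a plist and can walk an `/Applications`-style tree to build an inventory; the embedded plist is constructed, and the bundle identifier and scheme names in it are made up.

```python
"""Inventory the custom URL schemes that application bundles advertise."""
import plistlib
from pathlib import Path

# Constructed sample Info.plist; bundle id and scheme names are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Demo handler</string>
      <key>CFBundleURLSchemes</key>
      <array><string>demo</string><string>demo-open</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def url_schemes(plist_bytes: bytes):
    """Return (bundle identifier, sorted unique schemes) declared in a plist.
    An app with no CFBundleURLTypes yields an empty list."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for entry in info.get("CFBundleURLTypes", []):
        schemes.extend(entry.get("CFBundleURLSchemes", []))
    return info.get("CFBundleIdentifier", "<no bundle id>"), sorted(set(schemes))


def scan_applications(root: str = "/Applications"):
    """Walk *.app bundles under root and report every advertised scheme.
    Returns a list of (app path, bundle id, schemes), skipping apps that
    declare none and plists that fail to parse."""
    results = []
    for plist in Path(root).glob("*.app/Contents/Info.plist"):
        try:
            bundle_id, schemes = url_schemes(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError, OSError):
            continue
        if schemes:
            results.append((str(plist.parents[1]), bundle_id, schemes))
    return results


if __name__ == "__main__":
    print(url_schemes(SAMPLE_PLIST))
    for app, bundle_id, schemes in scan_applications():
        print(f"{app}  {bundle_id}  {', '.join(schemes)}")
```

Run on a real machine, the scan gives a baseline to diff against over time: a newly downloaded bundle that shows up with a scheme nobody recognised is exactly the case the quoted post is about.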
Spyware Company Leaves ‘Terabytes’ of Selfies, Text Messages, and Location Data Exposed Online
> A company that markets cell phone spyware to parents and employers left the data of thousands of its customers—and the information of the people they were monitoring—unprotected online.
> Motherboard was able to verify that the researcher had access to Spyfone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures. Hours later, the researcher sent back one of those pictures.