InfoSec News Nuggets – October 11, 2018


Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over the devices with little effort, security researchers revealed today. All of the vulnerable devices are manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. End users, however, will not be able to tell that they are using a hackable device, because Xiongmai sells no products under its own name: it ships all of its equipment as white-label products onto which other companies put their own logos. Security researchers from EU-based SEC Consult say they have identified over 100 companies that buy and re-brand Xiongmai devices as their own.

Security researcher source in Supermicro chip hack report casts doubt on story

A security researcher cited in a recent Bloomberg report on the alleged compromise of Supermicro hardware for the purposes of cyberespionage has cast doubt on the validity of the story. Joe FitzPatrick, the founder of Hardware Security Resources LLC, is one of the few named sources in the story and was asked to contribute because of his expertise in hardware. However, in a podcast with Risky Business, the hardware security expert said the hardware backdoor described in the article “didn’t make sense.” When asked how such hardware implants work, FitzPatrick is quoted as saying, “the hardware opens whatever door it wants.” As for his own attributed quote, the researcher said it was “factually accurate in some contexts.”

Google drops out of bidding for $10 billion Pentagon ‘JEDI’ data deal

Alphabet Inc’s Google said on Monday it was no longer vying for a $10 billion cloud computing contract with the U.S. Defense Department, in part because the company’s new ethical guidelines do not align with the project, without elaborating. Google said in a statement “we couldn’t be assured that [the JEDI deal] would align with our AI Principles and second, we determined that there were portions of the contract that were out of scope with our current government certifications.”

Fake Legoland Pages Duping Facebook Users

Several Facebook pages that have appeared in recent weeks are claiming that users can win holidays to Legoland, theme park tickets, and other prizes. Posts on the Facebook Pages claim that you can like, share, and comment and then follow a link to get a chance to win the promised prize. They feature Legoland logos, images, and videos to make them appear authentic. However, these Pages are fraudulent and are not associated with Legoland. Those who participate have no chance of winning any Legoland holidays or tickets.

DHS Releases Strategy to Confront Potentially Devastating Electromagnetic Pulse Threat

“Essentially, any electronics system that is not protected against extreme EMP or GMD events may be subject to either the direct ‘shock’ of the blast itself or to the damage that is inflicted on the systems and controls upon which they are dependent,” says the strategy. “For these reasons, the potential severity of both the direct and indirect impacts of an EMP or GMD incident compels our national attention.” The strategy lays out a clear vision and an approach for DHS to take to protect critical infrastructure and prepare to respond and recover from potentially catastrophic electromagnetic incidents. The strategy also reflects a consensus Intelligence Community assessment of the EMP threat posed by our nation’s adversaries.

With Chrome 70, hundreds of popular websites are about to break

A lot of HTTPS sites are set to grind to a halt with security error messages in the next version of Google Chrome, when the browser drops trust in a major HTTPS certificate provider following a series of security incidents. Chrome 70 is expected to be released on or around October 16, at which point the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy-branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates. Yet despite having had more than a year to prepare, many popular sites are not ready.

U.S. officials say supply-chain threat is ‘very real’ regardless of Bloomberg story accuracy

FBI and Department of Homeland Security officials continued to push back Wednesday against a recent news story that described a devastating supply-chain attack on major U.S. technology companies, but their testimony in a Senate hearing also emphasized that such threats do remain “very real” in general. “This is a particularly pernicious threat … because it’s very difficult for the average citizen, company or government entity to understand every component that was put into a piece of equipment or network that they’ve purchased,” Homeland Security Secretary Kirstjen Nielsen said in a Homeland Security and Governmental Affairs Committee hearing that also featured FBI Director Christopher Wray.

Attorneys General From 35 States Call on FCC To Stop Illegal Robocalls

Attorneys General from 35 states have called on the FCC to put an end to the rising tide of very annoying robocalls that people are receiving not only on their landlines but also on their mobile numbers. The letter asks the FCC to push telephone providers to implement new protocols that can identify legitimate calls and filter out spoofed calls. “Virtually anyone can send millions of illegal robocalls and frustrate law enforcement with just a computer, inexpensive software (i.e., auto-dialer and spoofing programs), and an internet connection,” stated the letter to the FCC. “Because “technology enables a cheap and scalable model,” illegal robocalls remain the “number one consumer complaint” for many of our Consumer Protection Offices, the FCC, and the Federal Trade Commission (“FTC”). Despite the 2017 Call Blocking Order, which increased providers’ ability to block illegally spoofed calls, the robocall problem appears to be getting worse.”