InfoSec News Nuggets – September 26, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – September 26, 2018

Beware of Hurricane Florence Relief Scams

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent. For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

UNITED NATIONS ACCIDENTALLY EXPOSED PASSWORDS AND SENSITIVE INFORMATION TO THE WHOLE INTERNET

THE UNITED NATIONS accidentally published passwords, internal documents, and technical details about websites when it misconfigured popular project management service Trello, issue tracking app Jira, and office suite Google Docs. The mistakes made sensitive material available online to anyone with the proper link, rather than only to specific users who should have access. Affected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs. Security researcher Kushagra Pathak discovered the accidental leak and notified the U.N. about what he found a little over a month ago. As of today, much of the material appears to have been taken down.

USB threats from malware to miners

In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds. USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.

SHEIN fashion retailer announces breach affecting 6.42 million users

Online fashion store SHEIN announced a security breach last week that affected around 6.42 million of its customerbase. The North Brunswick-based company is currently in the process of contacting all affected users and asking them to change passwords for their online store accounts. The company says the breach occurred over the summer, sometime in June, when hackers carried out “a sophisticated criminal cyberattack on its computer network.” No technical details were provided about how the actual breach went down, but SHEIN said the intruders managed to gain access to customers’ email addresses and encrypted passwords for its online store accounts.

WHY HACKING ELECTRONIC VOTING MACHINES ISN’T THE ONLY WAY TO IMPACT AN ELECTION

Twitter accounts spreading fake news. Turning off a city’s closed-circuit cameras. Hacking self-driving cars and navigation apps. Targeting a city’s 911 call center with a DDoS attack. These are some of the tactics hackers used to impede voting in a tabletop exercise Cybereason held Thursday to show how cyberattacks could be used to interfere with elections. The exercise didn’t include hacking electronic voting machines, the method that’s usually mentioned in discussions on how threat actors could impact an election. Instead, this simulation focused on methods that are less obvious but equally effective: fake news, traffic jams, confusion around where and when to vote. With the midterm elections approaching and the prospect of foreign countries influencing how people vote, election integrity has become a key concern for local, state and federal governments.

NewsNow suffers security breach – passwords should be considered compromised

Online news aggregation service NewsNow has admitted that it has suffered a security breach. I could find no mention of the data breach on NewsNow’s website or Twitter account (the last news it shares on its Twitter account announces the 2017 engagement of Prince Harry to Meghan Markle, so perhaps they don’t consider Twitter a good way to communicate with users). But in an email entitled “Update on your account security” NewsNow acknowledges that an incident has occurred, and that “an encrypted version of your password may have been accessed”.

Man gets two years in prison for sabotaging US Army servers with ‘logic bomb’

A US judge has sentenced an Atlanta man to two years in prison followed by three years of supervised release for sabotaging one of the US Army’s payroll databases with a “logic bomb.” The man’s sentence is related to an incident that occurred in November 2014 and affected the US Army’s Regional Level Application Software (RLAS). According to court documents, Mittesh Das, 49, of Atlanta, Georgia, was hired by a company that was contracted by the US Army to manage one of the databases part of the country-wide RLAS system. The US Army Criminal Investigation Command, which investigated the case, says the code wiped data from five servers associated with the RLAS systems stored at Fort Bragg, North Carolina.

Cybercriminals Target Kodi Media Player for Malware Distribution

The Kodi media player has emerged as a malware distribution platform for cybercriminals, recently becoming the target for a cryptomining campaign that compromised about 5,000 machines before being thwarted. Those victims are still at risk, researchers warned. Kodi is free and open-source, and can be used to play videos, music, podcasts and other digital media files from local and network storage media and the internet/streaming sources. Users also can extend the software’s functionality by installing add-ons, found both in the official Kodi repository and in various third-party repositories. By targeting the various add-ons and relying on Kodi’s auto-update feature, it’s possible to stealthily spread bad code throughout the ecosystem.

Apple MacOS Mojave zero-day privacy bypass vulnerability revealed

A zero-day vulnerability in Apple Mojave has been disclosed on the day the latest version of the MacOS operating system leaves beta and becomes available to members of the public. The co-founder of Digita Security and creator of Objective-See Mac security tools Patrick Wardle revealed the security holes on Monday. Speaking to Bleeping Computer, Wardle said it was possible to use an app without any privileges to exploit the zero-day flaw due to how Apple has “implemented the protections for various privacy-related data.” The researcher, furthermore, described the vulnerability as a “trivial, albeit 100 percent reliable flaw in their implementation.” However, the zero-day flaw does not affect all of the new operating system’s privacy features.

HERMES suitcases revive phone networks after natural disasters

A project designed to bring telecoms networks back from the dead in emergency situations has been awarded $400,000 in an innovation competition. Launched by Mozilla and the National Science Foundation (NSF), the Wireless Innovation for a Networked Society (WINS) Challenges is a two-year competition designed to promote the creation of technological solutions for isolated and remote areas, as well as places which often face natural disasters. On Tuesday, the organizations said they have awarded over $1.6 million in prizes to entrants.

How to Protect Your Paycheck: FBI Issues Credential Phishing Alert as Attackers Target Direct Deposits

Last week the FBI issued an alert warning organizations that cybercriminals are actively using phishing emails to steal consumer log-in credentials for their online payroll accounts. At Proofpoint, we’ve seen this type of attack for a few years now, and unfortunately, all it takes is one credential phishing email to compromise an employee login. Once inside, that attacker can do significant damage, like requesting paychecks be rerouted to a new bank account or prepaid debit card the cybercriminal controls. As organizations migrate from legacy HR systems to new cloud-based alternatives, cybercriminals can leverage a stolen credential to impersonate an employee without ever compromising the corporate network. Below are best practice recommendations for employees and organizations to help thwart payroll attacks.

White House launches strategy to lead world in quantum

The White House yesterday launched a national strategic overview for Quantum Information Science (QIS) in a bid to secure global leadership in “the next technological revolution”. QIS – which covers quantum processors, sensors, materials, computing, algorithms and cyber-security systems – represents an opportunity for the US to “improve its industrial base, create jobs, and provide economic and national security benefits”, the National Science and Technology Council, which sits within the White House’s Office of Science and Technology Policy, said. “The Trump administration is committed to maintaining and expanding American leadership in QIS to enable future long-term benefits from, and protection of, the science and technology created through this research,” the council added.

Linux developers adopt proper Code of Conduct

Linux leader Linus Torvalds’ admission of anti-social behavior, and promise not to do it any more, has a sequel in the form of a new Code of Conduct for the Linux kernel development community. The new document is intended to replace the “Code of Conflict” that Torvalds created in 2015. The 220-word Code did not describe unacceptable behavior and offered no guidance other than “Try to keep in mind the immortal words of Bill and Ted, ‘Be excellent to each other’.” The post announcing the new rules says “The Code of Conflict is not achieving its implicit goal of fostering civility” and adds that “Explicit guidelines have demonstrated success in other projects and other areas of the [Linux] kernel.”

Full compliance with the PCI DSS drops for the first time in six years

After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance. The PCI DSS helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. PCI DSS compliance has been shown (via the Verizon Data Breach Investigations Report series) to help protect payment systems from both data breaches and theft of cardholder data, so this trend is alarming.

Chrome 70 Lets you Control Automatic Login and Deletes Google Cookies It has been a really bad week for Google and Chrome 69. First there was a large outcry about being forced to login to Chrome when you login to Google.com or one of their services. Then news came out that when you deleted all of the cookies in Chrome, the browser did not properly remove Google’s own authentication cookies. Let’s just say Chrome users are not happy. Google, though, appears to be listening and has decided to backtrack on some of these changes in the upcoming Chrome 70, which is slated to be released in the middle of October.