Security related News for week ending 2020 06 02

We start our weekly update with news of a couple of significant breaches and a Carnegie Mellon study whose results you may find a bit shocking.

We follow with Linus Torvalds throwing a bit of a wobbler at a proposed update to Linux from AWS, why you may not want to nick an iPhone, and then we finish with a story about a venerable news institution (25 years) that is dumping a load of editors in favor of AI.


US: Amtrak discloses data breach, potential leak of customer account data.

The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that may have resulted in the compromise of customer personally identifiable information (PII). The data breach was discovered on April 16, 2020. In a letter to the Attorney General’s Office of Vermont, made public on April 29, the rail service said that an unknown third party managed to fraudulently access Amtrak Guest Rewards accounts.

The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.


UK: Hackers Leak Data Stolen From Electricity Market Administrator Elexon

By Eduard Kovacs: “Highly sensitive and confidential files and data” were exposed, including passport copies, enterprise analysis data, and enterprise renewal application forms.

The REvil ransomware is designed to encrypt files on the compromised system and instruct the victim to pay a ransom to recover them. However, the hackers also steal data from victims to increase their chances of getting paid — victims are told that if they don’t pay up, their files will be made public.

When it disclosed the breach, Elexon said it had been working on restoring impacted IT systems, which suggests that they had no intention of paying the ransom — this is recommended by law enforcement and many cybersecurity professionals. It’s not uncommon for organizations in the electricity sector to be targeted in cyberattacks. Earlier this year, the European Network of Transmission System Operators for Electricity (ENTSO-E) admitted that hackers breached its corporate network, and an electric utility in Massachusetts reported being hit by ransomware.


UK: Contact-tracer spoofing is already happening

Gareth Corfield: British people will soon begin receiving random phone calls from so-called “contact tracers” warning them about having been in close proximity with potential coronavirus carriers. One of many problems with this scheme is it’s dangerously easy to pose as a government contact tracer. What safeguards are in place? They’ll call from a published phone number – 0300 013 5000 – and, UK.gov promises its hired call center won’t “disclose any of your personal or medical information to your contacts”.

SMS and caller line identification (CLI) information is straightforward to spoof if you know how, and with UK.gov publishing the number its callers will be using, there’s now an increased level of risk; for the non-technically-adept, a call coming from a published government number is more likely to be taken at face value. It’s embarrassing that any random person who searches for ‘SMS spoofing’ can essentially become the UK government with no immediate way for the victim to tell the difference.

In the US, a group of US attorneys general complained of 40 billion spoofed robocalls (automated phishing calls) being targeted at US citizens over the previous 12 months.

So remember these 3 rules:

  1. don’t respond to texts from unknown or unusual numbers;

  2. don’t click on any links in text messages;

  3. don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with.


Researcher Gets $100,000 for Sign in with Apple Zero-Day

Let’s start by saying this has already been patched (if you have been applying your updates; if you haven’t, you should). Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.

The system works in a similar way to OAuth 2.0: users can be authenticated with either a JSON Web Token (JWT) or a code generated by an Apple server which is then used to generate a JWT.

Once the authorization request has been submitted, Apple gives the user the option to share their Apple Email ID with the third-party app they’re trying to sign in to, or not.

“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to log in a user,” explained Jain.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

The repercussions are pretty serious: an attacker could have used this technique to effect a full takeover of user accounts.
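The relying-party side of the flow described above, as an added example that is neither Jain’s code nor Apple’s: a JWT verifier that checks the signature, the issuer, the audience and the expiry, and then keys the local account on the token’s stable subject identifier rather than on the email claim. The issuer URL, client identifier, key and claims are constructed placeholders, and HMAC (HS256) stands in for Apple’s RS256 so the example runs on the standard library alone. None of these checks would have caught the bug in the story, since Apple’s own server issued a correctly signed token; they show the minimum a third-party app should do, and why keying accounts on `sub` rather than on an email address is the safer general practice.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder values for this example (not Apple's real issuer or any real app):
ISSUER = "https://issuer.example"
AUDIENCE = "com.example.relying-party"
# HMAC (HS256) is used so the example runs on the standard library alone. Apple
# signs its tokens with RS256; production code verifies them against Apple's
# published public keys with a JWT library instead of the hmac call below.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider's token endpoint: sign the claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, *, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all hold.

    The algorithm is pinned: the header's 'alg' is compared against what we
    expect, never used to choose the verifier (that is how 'alg: none' bugs arise).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def try_verify(token: str, key: bytes, **checks):
    """Same as verify_jwt but returns None instead of raising."""
    try:
        return verify_jwt(token, key, **checks)
    except ValueError:
        return None


def account_key(claims: dict) -> tuple:
    """Look up the local account by the provider's stable 'sub', not by email:
    relay addresses change, and an issuer-side bug like the one in the story
    can put any address into the email claim of an otherwise valid token."""
    return ("sign-in-with-apple", claims["sub"])


def demo(now: float = 1_800_000_000) -> dict:
    """Exercise the checks on a constructed token and its tampered variants."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "000123.constructed",
              "email": "hidden@relay.example", "exp": 1_900_000_000}
    token = mint_jwt(claims, DEMO_KEY)
    checks = {"issuer": ISSUER, "audience": AUDIENCE, "now": now}
    head, _body, sig = token.split(".")
    # Re-encode the payload with a different email but keep the original signature.
    forged_body = b64url_encode(json.dumps({**claims, "email": "victim@example.com"}).encode())
    return {
        "valid": try_verify(token, DEMO_KEY, **checks),
        "forged_email": try_verify(f"{head}.{forged_body}.{sig}", DEMO_KEY, **checks),
        "wrong_audience": try_verify(token, DEMO_KEY, **{**checks, "audience": "com.example.other"}),
        "expired": try_verify(token, DEMO_KEY, **{**checks, "now": 1_950_000_000}),
        "wrong_key": try_verify(token, b"not-the-key", **checks),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {'accepted' if outcome else 'rejected'}")
```

Running the block prints one line per case: only the untouched token is accepted; the payload with a swapped email fails the signature check because the signature covers the encoded payload, and the wrong-audience, expired and wrong-key variants each fail their own check.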


IP-in-IP Vulnerability Affects Devices From Cisco and Others

By Ionut Arghire: Cisco has released security updates to address the vulnerability in its NX-OS software. Tracked as CVE-2020-10136 and featuring a CVSS score of 8.6, the security flaw was identified in the network stack of the software and it can be exploited by a remote attacker, without authentication. “The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device,” Cisco explains in an advisory.

An attacker could cause the impacted device to decapsulate the IP-in-IP packet and then forward the inner IP packet, thus causing IP packets to bypass input access control lists (ACLs) on the device or other security boundaries on the network.

“Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition,” Cisco also explains.
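To make the advisory’s condition concrete, here is an added example of my own (not Cisco’s code or configuration): it parses an IPv4 header, recognises IP protocol 4 (IP-in-IP), and applies an input ACL to both the outer and the inner header, flagging the case the advisory describes, an IP-in-IP packet addressed to one of the device’s own IP addresses whose inner packet a vulnerable stack would decapsulate and forward without ACL checks. The ACL, the device address and the packets are all constructed sample data; `build_ipv4` exists only to assemble that sample input.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement header checksum; 0 when verifying a good header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 packet (20-byte header, no options).
    Used only to construct the sample input for the parser below."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    head = head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]
    return head + payload


def parse_ipv4(buf: bytes) -> dict:
    """Decode one IPv4 header; returns addresses, protocol and the payload slice."""
    if len(buf) < 20:
        raise ValueError("short packet")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("bad header")
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError("bad checksum")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "payload": buf[ihl:total_len]}


def evaluate_acl(rules, hdr: dict) -> str:
    """First matching rule wins; rules are (action, src_net, dst_net, proto or None)."""
    for action, src_net, dst_net, proto in rules:
        if hdr["src"] in src_net and hdr["dst"] in dst_net and proto in (None, hdr["proto"]):
            return action
    return "deny"  # implicit deny at the end of the list


def inspect(buf: bytes, rules, local_addrs) -> dict:
    """Apply the ACL to the outer header and, for IP-in-IP, to the inner header too.

    'decap_risk' marks the advisory's condition: an IP-in-IP packet addressed to
    one of the device's own addresses, whose inner packet a vulnerable stack
    would decapsulate and forward without running it through the input ACL.
    """
    outer = parse_ipv4(buf)
    result = {"outer": evaluate_acl(rules, outer), "inner": None, "decap_risk": False}
    if outer["proto"] == IPPROTO_IPIP:
        inner = parse_ipv4(outer["payload"])
        result["decap_risk"] = outer["dst"] in local_addrs
        result["inner"] = evaluate_acl(rules, inner)
    result["verdict"] = "deny" if "deny" in (result["outer"], result["inner"]) else "permit"
    return result


# Constructed sample policy: traffic arriving on the outside interface that
# claims an internal 10.0.0.0/8 source is denied; everything else is permitted.
RULES = [
    ("deny", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0"), None),
    ("permit", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), None),
]
DEVICE_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # constructed device address


def sample_packets() -> dict:
    """Constructed input: a plain packet and an IP-in-IP packet sent to the device
    whose inner packet would be denied by the ACL if it were seen directly."""
    inner = build_ipv4("10.0.0.9", "10.0.0.20", 17, b"constructed UDP payload")
    return {
        "plain": build_ipv4("203.0.113.5", "198.51.100.7", 6, b"constructed TCP payload"),
        "ipip_to_device": build_ipv4("203.0.113.5", "192.0.2.1", IPPROTO_IPIP, inner),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, inspect(pkt, RULES, DEVICE_ADDRS))
```

The outer header of the encapsulated packet passes the ACL on its own, which is exactly why the bug matters: a device that decapsulates and forwards the inner packet has let a denied source through. Evaluating the inner header as well, or simply denying protocol 4 to the device’s own addresses where tunnelling is not expected, closes that gap.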


‘Beyond stupid’: Linus Torvalds trashes 5.8 Linux kernel patch over opt-in Intel CPU bug mitigation

Tim Anderson: The patch from AWS engineer Balbir Singh was to provide “an opt-in (prctl driven) mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out.”

Snoop-assisted L1 Data Sampling is one of a family of vulnerabilities where malware may be able to infer data via inspecting the cache. “Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single-core clock cycle window as the faulting/assisting/aborting load,” explains Intel.

Clearing the cache whenever the active thread or process switches out attempts to mitigate this and other potential threats but harms performance.

The patch was added to the code for the 5.8 kernel, which will be the next release, but was removed after review by Torvalds. “It looks to me like this basically exports cache flushing instructions to user space, and gives processes a way to just say ‘slow down anybody else I schedule with too’,” he said. “In other words, from what I can tell, this takes the crazy ‘Intel ships buggy CPU’s and it causes problems for virtualization’ code (which I didn’t much care about), and turns it into ‘anybody can opt in to this disease, and now it affects even people and CPUs that don’t need it and configurations where it’s completely pointless’.”

AWS has a vast range of services, all of which need to be secure. Torvalds said that he is “more than happy to be educated on why I’m wrong” but that “for now I’m unpulling it for lack of data.” If AWS can convince him of the value of the patch, it may return.


Hackers Disrupt Minneapolis Systems, But No Evidence of Breach

By Ionut Arghire: A distributed denial-of-service (DDoS) attack crippled the websites and systems of Minneapolis late last week, but no data appears to have been breached.

On Thursday, both employees and residents had issues accessing the city’s website due to the cyberattack, which appears to have been fueled by the death of George Floyd, who died while being taken into custody after being identified as the suspect who used a counterfeit $20 bill in a convenience store.

Most of the systems were restored quickly, and Minneapolis CIO Fadi Fadhil said that the city had proactive measures in place to respond to and mitigate such attacks when they occur. He did not provide information on who was behind the attack.


Apple Warns Looters With Stolen iPhones: You Are Being Tracked

As protests continue across the U.S., a week on from the death of George Floyd while under arrest in Minneapolis on May 25, those campaigning against police brutality have condemned as “opportunistic” the violence that has escalated across the country. Sunday saw “the fifth straight of rioting and looting, resulting in another wave of arrests.” Apple, among other high-end retailers, has seen its fair share of attacks and has now taken action to protect staff and prevent further damage.

Apple stores were attacked or damaged in Washington D.C., Los Angeles, San Francisco, New York, and Philadelphia, with looters stealing whatever products were accessible at the time. But this being Apple, there is a sting in the tail for anyone stealing a boxed iPhone from one of those retail stores.

It has long been known that Apple operates some form of proximity software that disables a device when it is taken illegally from a store. Until now, though, little had been seen of that technology in action. Well, thanks to social media, we can now see the message that greets a looter powering up their new device: “This device has been disabled and is being tracked,” it says. “Local authorities will be alerted.” For users that lose their iPhones, Apple provides useful tips as to what to do next, but for those considering stealing one, the advice is simple… “don’t”.


Nest users now covered by Google’s ultra-secure Advanced Protection Program

Dan Goodin: Accounts for Google’s Nest line of smart home devices are now covered by the company’s Advanced Protection Program (APP), which traditionally has provided enhanced security for journalists, politicians, election workers, and other people who are frequently targeted by hackers. Now you can have that level of security for the products protecting your home.

Google rolled out APP in 2017. It requires users to have at least two physical security keys, such as those available from Yubico, Google’s Titan brand, or other providers. Typically, keys connect through USB slots or Near-field Communication or Bluetooth interfaces. Once registered, the keys provide cryptographic secrets that are unphishable and, at least theoretically, impossible to intercept through malware attacks or other types of hacking.

Once an account is enrolled and each device (including a phone) is authenticated through the physical-key process Google calls bootstrapping, people can use their iOS or Android devices as a security key. That’s usually easier, faster, and more convenient than using physical security keys. After the initial bootstrapping, users rarely need to repeat it, typically only when Google detects suspicious behavior. APP also pushes alerts to users’ devices and registered email accounts each time a new device connects.

Authenticator apps, which use temporary one-time passwords to provide a second factor of authentication, don’t work with APP accounts. Google imposes this restriction because the temporary passcodes are susceptible to phishing and attacks that compromise the app.


US/UK: 48% of employees are less likely to follow safe data practices when working from home

By Jonathan Greig: In a survey of 1,000 people from the US and 1,000 from the UK by cybersecurity firm Tessian, researchers found that 48% are less likely to follow safe data practices when working from home, and 84% of IT leaders surveyed said data loss prevention is more challenging when employees are working from home. US employees are more than twice as likely as UK workers to send emails to the wrong person and twice as likely to send company data to their personal email accounts. One-third of all employees surveyed take company documents with them when they leave a job, with US workers twice as likely as UK workers to do so.

When asked why they put their company and its data at risk, employees gave a variety of answers, with half saying “not being watched by IT” was their main reason for not following safe data practices. Another 47% said distractions at home caused them to take more chances and 51% say security policies impeded their productivity while 40% cited the pressure to get work done quickly as a reason. Of those surveyed, 54% said they would find workarounds if security policies stop them from doing their jobs.

A recent report on data breaches from Verizon found that 30% of breaches involve internal actors exposing company information as a result of negligent or malicious acts and the Tessian study confirms those Verizon findings.


After a breach, users rarely change their passwords, study finds

Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from Carnegie Mellon University’s Security and Privacy Institute (CyLab).

The study, presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, was not based on survey data, but on actual browser traffic.

The research team’s dataset included information collected from the home computers of 249 participants. The data was collected between January 2017 and December 2018 and included not only web traffic but also the passwords used to log into websites and stored inside the browser.

CyLab researchers said that of the users, only 33% visited the breached sites to change their passwords, and that of these, slightly more than half changed passwords within three months after the data breach announcement.

The research team said that of the users who changed passwords, only a third changed it to a stronger password, based on the password’s log10-transformed strength.

The rest created passwords of weaker or similar strength, usually by reusing character sequences from their previous password, or by using passwords that were similar to other accounts that were stored inside their browser.

The study, while small in scale, was considered more accurate in representing real-world user practices when it comes to user behavior following a data breach, as it was based on actual browsing data and traffic rather than survey responses that may sometimes be inaccurate or subjective.


The Octopus Scanner Malware: Attacking the open-source supply chain

GitHub Security Lab: On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself.

In the course of our investigation, we uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code. The malware is capable of identifying the NetBeans project files and embedding a malicious payload both in project files and in build JAR files. Below is a high-level description of the Octopus Scanner operation:

  • Identify the user’s NetBeans directory.
  • Enumerate all projects in the NetBeans directory.
  • Copy the malicious payload cache.dat to nbproject/cache.dat.
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built.
  • If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected.

Even though the malware C2 servers didn’t seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects. Unlike other GitHub platform abuse cases, the repository owners were most likely completely unaware of the malicious activity, and therefore swiftly blocking or banning the maintainers was not an option for GitHub’s Security Incident Response Team (SIRT).

The malware would proceed to backdoor NetBeans project builds through the following mechanisms:

  • It makes sure that every time a project was built, any resulting JAR files got infected with a so-called dropper. A dropper is a mechanism that “drops” something to the filesystem to execute. When executed, the dropper payload ensured local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.
  • It tries to prevent any NEW project builds from replacing the infected one, to ensure that its malicious build artifacts remained in place.
  • While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.
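The operation steps and the two mechanisms above give a defender two file-system indicators to look for in a checked-out NetBeans project: a `cache.dat` file under `nbproject/`, and a `nbproject/build-impl.xml` that references it. The scanner below is an added example of my own, not GitHub’s or Security Lab’s tooling; `scan_netbeans_projects`, `make_sample_tree` and the fixture contents are constructed for the demo, and the placeholder `cache.dat` it writes is inert text, not the malware.

```python
import os
import tempfile
from pathlib import Path

PAYLOAD_NAME = "cache.dat"       # the write-up: payload is dropped as nbproject/cache.dat
BUILD_SCRIPT = "build-impl.xml"  # NetBeans-generated Ant script under nbproject/


def scan_netbeans_projects(root) -> list:
    """Walk `root`, treat every directory holding an nbproject/ folder as a
    NetBeans project, and report the two indicators described in the write-up."""
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        if "nbproject" not in dirnames:
            continue
        nb = Path(dirpath) / "nbproject"
        indicators = []
        if (nb / PAYLOAD_NAME).is_file():
            indicators.append(f"nbproject/{PAYLOAD_NAME} present")
        script = nb / BUILD_SCRIPT
        # A generated build-impl.xml has no business mentioning cache.dat;
        # any reference is flagged for a human to review.
        if script.is_file() and PAYLOAD_NAME in script.read_text(errors="replace"):
            indicators.append(f"nbproject/{BUILD_SCRIPT} references {PAYLOAD_NAME}")
        if indicators:
            findings.append({"project": os.path.relpath(dirpath, root), "indicators": indicators})
    return sorted(findings, key=lambda f: f["project"])


def make_sample_tree() -> str:
    """Constructed fixture: one clean project and one showing both indicators.
    The file contents are placeholders invented for the demo, not a real payload."""
    root = tempfile.mkdtemp(prefix="nbscan-")
    clean_script = "<project><target name=\"-post-jar\"/></project>\n"
    for name in ("clean-app", "suspect-app"):
        nb = Path(root, name, "nbproject")
        nb.mkdir(parents=True)
        (nb / BUILD_SCRIPT).write_text(clean_script)
    nb = Path(root, "suspect-app", "nbproject")
    (nb / PAYLOAD_NAME).write_bytes(b"constructed placeholder, inert text")
    (nb / BUILD_SCRIPT).write_text(
        "<project><target name=\"-post-jar\">"
        "<!-- constructed sample: a hook that would run nbproject/cache.dat -->"
        "</target></project>\n")
    return root


if __name__ == "__main__":
    for finding in scan_netbeans_projects(make_sample_tree()):
        print(finding["project"], "->", "; ".join(finding["indicators"]))
```

Run it against a directory of cloned repositories before building anything from them. Because the fifth step above says the built JAR is infected too, any JAR produced from a flagged project should be treated as suspect and rebuilt only from sources that have been cleaned and reviewed.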

GitHub is continuously thinking about ways we can improve the integrity and security of the OSS supply chain. This includes features to help detect issues in your dependencies, such as the Dependency Graph, security alerts for vulnerable dependencies, and automated security updates; and features to help detect potential issues in your code, including code scanning and secret scanning. And of course, we maintain an active response channel and research capability through GitHub SIRT and GitHub Security Lab, as well as initiatives such as the Open Source Security Coalition.


OpenSSH Will Deprecate SHA-1

By Dennis Fisher for Duo.com: In January, a pair of researchers published details of the first practical chosen prefix collision on SHA-1, showing that the aged hash algorithm, which had already far outlived its usefulness, was now all but useless. All of the major browsers had already abandoned SHA-1, as had most of the large certificate authorities, but it is still in use in many other places, including embedded systems and some cryptography systems.

One of the more widely deployed applications that still supports SHA-1 is OpenSSH, the open-source implementation of the SSH protocol that is included in a huge number of products, including Windows, macOS, many Unix systems, and several popular brands of network switches. On Wednesday, the OpenSSH developers said that a future version will drop support for the ssh-rsa public key signature algorithm, which uses SHA-1.

“It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the “ssh-rsa” public key signature algorithm by default in a near-future release,” the OpenSSH developers said in the release notes for version 8.3 on Wednesday.

“This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public-key signature algorithm specified by the original SSH RFCs.”


UK: Boris Johnson to reduce Huawei’s role in national 5G network

Early this year, the UK Government agreed to the involvement of Huawei in the national 5G network, while the United States expressed its disappointment with the Johnson decision and threatened to limit intelligence sharing with the ally.

“The Prime Minister plans to reduce Huawei’s involvement in Britain’s 5G network in the wake of the coronavirus outbreak, the Telegraph has learned.” reported The Telegraph.

“Boris Johnson has instructed officials to draw up plans that would see China’s involvement in the UK’s infrastructure scaled down to zero by 2023.”


New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

Mohit Kumar: Norwegian cybersecurity researchers last week unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of the Strandhogg attack.

Dubbed ‘Strandhogg 2.0,’ the new vulnerability affects all Android devices except those running the latest version of the mobile operating system, Android Q / 10, which unfortunately runs on only 15-20% of Android-powered devices, leaving billions of the remaining smartphones vulnerable to attackers.

StrandHogg 1.0 resided in the multitasking feature of Android, whereas the new Strandhogg 2.0 flaw is basically an elevation of privilege vulnerability that allows hackers to gain access to almost all apps. According to the researchers:

  • it is almost impossible for targeted users to spot the attack,
  • it can be used to hijack the interface for any app installed on a targeted device without requiring configuration,
  • it can be used to request any device permission fraudulently,
  • it can be exploited without root access,
  • it works on all versions of Android, except Q,
  • it doesn’t need any special permission to work on the device.

Besides stealing login credentials through a convincing fake screen, the malware app can also escalate its capabilities significantly by tricking users into granting sensitive device permissions while posing as a legitimate app.

“Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone,” the researchers said.

You can recognize an attack through the following actions on your phone:

  • an app you’re already logged into is asking for a login,
  • permission popups that do not contain an app name,
  • permissions asked from an app that shouldn’t require or need the permissions it asks for,
  • buttons and links in the user interface do nothing when clicked on,
  • the back button does not work as expected.

Joomla team discloses data breach

The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company.

The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website – a portal where professionals advertise their Joomla site-making skills.

Data includes:

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences


NTT warns its Singapore cloud was hacked, Japanese customer data compromised

NTT was infiltrated on May 7 via Active Directory services running in its Singapore operations. The intrusion was confirmed on May 11. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to other systems.

While a production server that ultimately came under attack was quickly triaged and the service provider quickly cut off its communications links, the hacker had managed to gain a toehold in an information management server, and reach into the company’s Japanese hosting and cloud services.


GE switches off light bulb business after almost 130 years

The lighting business is GE’s oldest segment, dating all the way back to the company’s founding through a series of mergers with Thomas Edison’s companies in the late 1880s and early 1890s. The company became a conglomerate early, investing in a wide array of technology and communications businesses. It moved toward aviation and energy and away from consumer products through the 1980s and 1990s under CEO Jack Welch. That industrial mindset lasted into the 21st century, under CEO Jeff Immelt, from 2001 through 2017 and then Larry Culp.

“Today’s transaction is another important step in the transformation of GE into a more focused industrial company,” Culp said in a written statement. “Together with Savant, GE Lighting will continue its legacy of innovation, while we at GE will continue to advance the infrastructure technologies that are core to our company and draw on the roots of our founder, Thomas Edison,” even though GE has now spun off the last of Edison’s original business.


US/UK: Microsoft lays off journalists to replace them with AI

Business Insider first reported the layoffs on Friday and says that around 50 jobs are affected in the US. The Microsoft News job losses are also affecting international teams, and The Guardian reports that around 27 are being let go in the UK after Microsoft decided to stop employing humans to curate articles on its homepages.

Microsoft has been in the news business for more than 25 years, after launching MSN all the way back in 1995. At the launch of Microsoft News nearly two years ago, Microsoft revealed it had “more than 800 editors working from 50 locations around the world.”

Microsoft has gradually been moving towards AI for its Microsoft News work in recent months and has been encouraging publishers and journalists to make use of AI, too. Microsoft has been using AI to scan for content and then process and filter it and even suggest photos for human editors to pair it with. Microsoft had been using human editors to curate top stories from a variety of sources to display on Microsoft News, MSN, and Microsoft Edge.


Is it possible to include links on these? I love reading a good Torvalds rant


I have held off on links as they move and sometimes link to controversial content. Additionally, many of these articles are distilled to the essence of the new news. Often you can take a few of the subject words, place them in a search engine and return a number of articles on the topic. Hope that helps.
