Security related News

As an introduction to this periodic contribution, the team here believe the world around us can be shaped and reshaped by elements of security and risk.
In an effort to keep up to date with those dynamics, we will be contributing a smattering of stories centered around the realm of cyber security. The intent is to entertain and inform.

Nearly 2,000 malicious COVID-19-themed domains created every day
A new report from researchers with Palo Alto Networks’ Unit 42 found that more than 86,600 of the 1.2 million newly registered domain names (NRDs) containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 are classified as “risky” or “malicious.”
Nearly 80% were hosted on Amazon Web Services, about 15% on Google Cloud Platform, 6% on Azure and less than 1% on Alibaba. The report is based on data collected by RiskIQ, which is tracking new domains that have the keywords “coronav,” “covid,” “ncov,” “pandemic,” “vaccine,” and “virus.”
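A defender can apply the same keyword list to their own feed of newly registered domains. The sketch below is an added example, not code from Unit 42 or RiskIQ; the look-alike folding, the function names and the sample feed are assumptions made for illustration.

```python
from collections import Counter

# Keyword list quoted in the report above.
KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")
# Assumed look-alike substitutions (digits and a few Cyrillic letters); extend as needed.
LOOKALIKES = str.maketrans("01345\u043e\u0430\u0435\u0441\u0456", "oieasoaeci")

def fold(label):
    """Decode an IDN label and fold look-alikes so hidden keywords become visible."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    return label.translate(LOOKALIKES).replace("-", "")

def keyword_hits(domain):
    """Return the sorted keywords found in any label of the domain."""
    labels = domain.strip().rstrip(".").lower().split(".")
    folded = [fold(label) for label in labels]
    return sorted({k for k in KEYWORDS for f in folded if k in f})

def triage(feed):
    """feed: iterable of (registration_date, domain). Returns (candidates, per_day)."""
    candidates, per_day = [], Counter()
    for day, domain in feed:
        hits = keyword_hits(domain)
        if hits:
            candidates.append((day, domain, hits))
            per_day[day] += 1
    return candidates, per_day

# Constructed sample feed (not real registrations); .example is a reserved TLD.
IDN = "xn--" + "c\u043evid-help".encode("punycode").decode("ascii")
SAMPLE_FEED = [
    ("2020-03-09", "covid-relief-fund.example"),
    ("2020-03-09", "c0r0nav1rus-test-kit.example"),
    ("2020-03-09", "garden-tools.example"),
    ("2020-03-10", IDN + ".example"),
    ("2020-03-10", "suncoverings.example"),  # benign word that contains "ncov"
    ("2020-03-10", "vac-cine-booking.example"),
]

if __name__ == "__main__":
    found, counts = triage(SAMPLE_FEED)
    for day, domain, hits in found:
        print(day, domain, hits)
    print(dict(counts))
```

A keyword hit only selects a candidate for review: the constructed "suncoverings" entry matches “ncov” without being pandemic-themed, and on the report's own figures only a minority of matching domains were classified as risky or malicious.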

Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems
Tom Spring: Researchers were able to assemble an effective method for spoofing the TCAS using a $10 USB-based Digital Video Broadcasting dongle and a rogue transponder, for communicating with aircraft.
“We have shown that careful placing of fake aircraft through rogue transponder broadcasts can cause an aircraft under autopilot control to climb or descend towards legitimate traffic,” wrote Pen Test Partners’ Ken Munro in a blog post outlining his research.
Those “fake aircraft” can trigger an airplane’s collision avoidance system to kick in. That will then alert a pilot to either climb in altitude or descend to avoid a mid-air collision. In some cases, mostly on Airbus, researchers said the aircraft automatically follows what is known as the TCAS “Resolution Advisory” (autopilot) and climbs or descends with no input from the pilot. For the record, Munro’s proof-of-concept attack was conducted on a flight simulator.
“TCAS uses responses from secondary surveillance radar transponders – there are two types used to compute the position of other aircraft. Mode S transmits a unique 24bit aircraft address along with altitude and GPS-derived position data, Mode C transmits a 4 digit transponder code and altitude information only so the TCAS unit itself calculates range and bearing based on these transmissions,” Munro wrote. “Data packets are sent over 1090MHz using Manchester encoded PPM at 1Mbps. The data structure is actually easy to decode and a cheap, $10, DVB USB dongle can pick them up for you to plot aircraft data yourself.” By creating a fake “wall” of airplanes, the researcher was able to coax a targeted airplane to climb and descend.
Next-generation TCAS, known as ACAS-X, will make TCAS spoofing much harder, once it is fitted into planes…

UK: The lowdown on the NHS COVID-19 contact-tracking app.
On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution than the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.
Here’s what’s happening: there are broadly two types of coronavirus contact-tracing apps; those that are centralized and those that are decentralized. The first takes data from people’s phones and saves it on a central system where experts are trusted to make the best possible use of the data, including providing advice to people as and when necessary, and never to have a data breach.
The second, decentralized approach, as set out by Apple and Google, puts users in more control of their information, and alerts them automatically with no intervention from a third party. Apple and Google have also banned apps that use their decentralized and anonymized API from accessing location services to track and identify people, despite pressure to do so. And they have said they will only allow one app per country, or state in the US.
Both types use Bluetooth to detect other nearby phones also running the software. Thus, when someone catches the coronavirus, people can be warned if their phone was within 6ft of that patient’s phone for more than a few minutes.
The argument is that while the Apple-Google decentralized model protects people’s privacy, it leaves the authorities blind. It puts a public health disaster outside the reach of those who can help most through analysis of the population. Meanwhile, the undertone of the centralized NHS method, where people’s data is collected and analyzed together, is almost explicit: we all know how important privacy is but let’s leave this to the experts.
Despite what the NCSC has continued to imply, the app will not, as it stands, work all the time on iOS nor Android since version 8. The operating systems won’t allow the tracing application to broadcast its ID via Bluetooth to surrounding devices when it’s running in the background and not in active use. Apple’s iOS forbids it, and newer Google Android versions limit it to a few minutes after the app falls into the background. That means that unless people have the NHS app running in the foreground and their phones awake most of the time, the fundamental principle underpinning the entire system – that phones detect each other – won’t work. Australia learned that with their own COVIDSafe app.
The other big problem with the UK approach is that while it insists it will keep data private, and location data will not be stored nor attached to individuals, the truth is that it will only work as promised if that data is not kept private and location data is stored and attached to individuals.
The technical director of the National Cyber Security Centre (NCSC), Dr Ian Levy, repeatedly tried to square this circle, leading to some questionable assertions. He stated boldly in bullet points that the app “doesn’t have any personal information about you, it doesn’t collect your location and the design works hard to ensure that you can’t work out who has become symptomatic,” and that “it holds only anonymous data and communicates out to other NHS systems through privacy preserving gateways.” But what is literally the first thing the app does when you install and open it? It asks for your postcode, and logs the exact make of your phone.

US: Reveal the identities of alleged Music Pirates, court tells ISP
Last week, a court-appointed arbiter ordered the internet provider to give a group of major record labels the personal details of alleged pirates. Charter Communications, an ISP in the US, has been ordered to hand over personally identifying information (PII) for over 11,000 alleged pirates.
From an order issued by special master Regina M. Rodriguez on 28 April: “Defendant is ordered to produce information sufficient for Plaintiffs to match the IP addresses contained in infringement notices served on Charter with particular subscribers.”
Charter has until 1 June 2020 to satisfy all the discovery requests.

Tesla Car Parts Found on eBay Containing User Data
Security experts have discovered old Tesla car parts for sale on eBay still containing user data belonging to the previous owner, in a sign that the firm’s retrofitting service is failing customers on privacy. Media control units (MCUs) and autopilot hardware (HW) swapped out of old models by Tesla during upgrades are turning up for sale online.
Four samples purchased contained: the previous owner’s home and work address, all saved Wi-Fi passwords, calendar entries, call lists and address books from paired phones and Netflix and other stored session cookies.
When Tesla agrees to retrofit a customer’s car by upgrading such components, it takes the old units for disposal — customers aren’t usually allowed to keep them. However, it looks like technicians are either selling them online, or savvy parts hunters are dumpster-diving near Tesla service centers.
Users who have had retrofitting are therefore advised to change all relevant passwords on their devices and online accounts.

DE: German authorities charge Russian hacker for 2015 Bundestag hack
German prosecutors have issued an arrest warrant today for a hacker working for the Russian military on charges of hacking the German Parliament in the spring of 2015.
German newspaper the Sueddeutsche Zeitung, who broke the story today, says German authorities are looking for Dmitriy Sergeyevich Badin, 29, from Kursk, Russia.
German authorities believe that Badin is a member of Russian military Unit 26165, part of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of Russia’s armed forces.
Badin is also wanted in the US, where authorities charged him and six other APT28 members in 2018 with attacks against the Democratic National Committee (DNC) and the World Anti-Doping Agency (WADA) between 2016 and 2018.
Badin is one of the FBI’s most wanted cyber-criminals. He is still at large, believed to be living in Moscow.

AU: Government investigates data breach revealing details of 774,000 migrants
The home affairs and employment departments are investigating a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, despite playing down the seriousness of the breach.
On Sunday, Guardian Australia revealed the government’s SkillSelect app allowed users to see unique identifiers of applicants for skilled visas, including partial names, which could then be used through searches with multiple filters to reveal other information about applicants.
The employment department, which hosts the online platform, immediately took it down for maintenance but denied that the final reports generated by searches display personal information.
Information stored on the platform includes the applicants’ birth country, age, qualifications, marital status and the outcome of the applications.
On Monday a spokesman for the Office of the Australian Information Commissioner told Guardian Australia the notifiable data breach scheme requires that an agency that “suspects an eligible data breach may have occurred must conduct an assessment … generally within 30 days”.
“In this instance, the department of home affairs has advised that [it] and the department of education, skills and employment are investigating the matter.”

Got a TP-Link cloud camera? It might be time to patch.
TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. CVE-2020-12109, CVE-2020-12110 and CVE-2020-12111 all had fixes released on April 29 that protect you against having the cameras taken over with commands run in the root context. You also get protection against sensitive data access on your network from the compromised device. Users are advised to install the updates as soon as possible to ensure that they remain protected.

US: Trump signs New Executive Order to protect the US power grid.
The U.S. government appears to be concerned that foreign adversaries could be trying to plant malicious or vulnerable equipment in the country’s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is “controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
After the executive order was signed, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) posted a tweet saying that “malicious actors have sought to leverage unauthorized access to the bulk power system against the U.S. for over a decade.”

Maximator: European signals intelligence cooperation, from a Dutch perspective
Bart Jacobs: 07 Apr 2020. The post-Second World War signals intelligence (SIGINT) cooperation between five Anglo-Saxon countries – Australia, Canada, the United Kingdom, New Zealand, and the United States – is well-documented. This alliance is often called Five Eyes and is based on the 1946 UKUSA Agreement. What is not publicly known so far is that there is a second, parallel, western signals intelligence alliance, namely in north-western Europe, also with five members. It has existed since 1976 and is called Maximator. It comprises Denmark, France, Germany, Sweden, and the Netherlands and is still active today.
Yes, the name comes from a Bavarian beer, and it dates from an earlier time that used hardwire for encryption. Also of interest were the countries that were not allowed to join the alliance, namely Belgium and Italy, and the fact that the Maximator alliance told GCHQ how the Argentinian cypher worked, but made them figure it out themselves, which gave the Brits the upper hand in the Falklands war.

Have a great week!