Friday, August 31, 2018

Fact is stranger than fiction - Can you remotely spy on the content on a Screen with a Mic?

Remote surveillance dubbed "Synesthesia": a side-channel attack that can reveal the contents of a remote screen, providing access to potentially sensitive information based solely on "content-dependent acoustic leakage from LCD screens."

https://arstechnica.com/information-technology/2018/08/researchers-find-way-to-spy-on-remote-screens-through-the-webcam-mic/

OWA Admins should take note of this - Enterprises running Exchange Server with two-factor authentication on Outlook Web Access (OWA) could be hacked due to a design flaw.


The principal problem is that Outlook Web Access and Exchange Web Services run on the same web server and are both enabled by default, and enterprises often overlook this.

It appears that Outlook portals protected by two-factor authentication might not be covering all of the authentication protocols to Microsoft Exchange.

securityaffairs.co/wordpress/53147/hacking/outlook-web-access.html

Thursday, August 30, 2018

CyberEdge 2018 Cyberthreat Defense Threat Report - Scary Stats: (Check the infographic for the top 3 major issues)



  • Five million data records lost or stolen every day.
  • Cybercrime pulling in a million bucks a minute.
  • A full 77.2% of respondents report that their company had been successfully breached at least once in 2017, with 27.4% reportedly breached more than six times.
  • More than 62% say they expect to be breached this year.

Despite increasing security budgets and investing in the best cybersecurity tools, organizations today are subject to more successful breaches than ever before.





https://blog.knowbe4.com/infographic-the-problem-more-data-breaches-despite-increasing-security-budgets

Good News - Securing Wireless Infusion Pumps - NIST has a Special Publication for IoMT (Internet of Medical Things) - 1800-8:


NCCoE developed this by using standards-based, commercially available technologies and industry best practices to help healthcare delivery organizations strengthen the security of the wireless infusion pump ecosystem within health care facilities.

https://csrc.nist.gov/publications/detail/sp/1800-8/final

Free - Gartner Guide to Deploying a SIEM

Tuesday, August 28, 2018

Free Educational platform for Security Researchers - Bugcrowd University (BCU)

Watch Out - New Windows Zero Day Vulnerability (ALPC Bug) - If exploited, could allow local users to obtain elevated (SYSTEM) privileges. No workaround or patch yet.



The zero-day flaw has been confirmed working on a "fully-patched 64-bit Windows 10 system."

The vulnerability is a privilege escalation issue that resides in the Windows Task Scheduler and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft is likely to patch the vulnerability in next month's Patch Tuesday security update, which is scheduled for September 11.

https://thehackernews.com/2018/08/windows-zero-day-exploit.html

Friday, August 24, 2018

Server without a password? Particularly one that contains voter records!


Voter records containing personal information on millions of Texas residents have been found online: a single file containing an estimated 14.8 million records was left on an "unsecured server without a password".


https://techcrunch.com/2018/08/23/millions-of-texas-voter-records-exposed-online/

Why is security awareness training important?

The 2018 Verizon Data Breach Investigations Report found that:

  • Phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon.
  • Email was the main entry point (96%).
  • Ransomware accounts for 85 percent of the malware in healthcare.
  • Phishing is often the way attackers deploy ransomware.

Thursday, August 23, 2018

Government-backed phishing attacks? This warning comes from Google.



Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries.

If you receive a warning in Gmail, be sure to take prompt action. Get two-factor authentication on your account. And consider enrolling in the Advanced Protection Program.

https://security.googleblog.com/2018/08/a-reminder-about-government-backed.html

"Token Binding" - New upcoming RFC Standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued.



It turns out that cookies and tokens can be used outside of the original TLS context in all sorts of malicious ways: hijacked session cookies, leaked access tokens, or a sophisticated MitM. This is why the IETF OAuth 2 Security Best Current Practice draft recommends token binding.


Normally tokens are “bearer” tokens, meaning that whoever possesses the token can exchange the token for resources. Token binding improves on this pattern by layering in a confirmation mechanism that tests cryptographic material collected at the time of token issuance against cryptographic material collected at the time of token use. Only the right client, using the right TLS channel, will pass the test. This process of forcing the entity presenting the token to prove itself is called “proof of possession”.
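The bearer-versus-bound contrast above, as an added example that is not part of the original post or of any Token Binding implementation. It models the pattern rather than the wire protocol: the client's binding key pair is an Ed25519 key, the token carries the key's SHA-256 thumbprint and an issuer HMAC (the `issuerSecret` and token layout are assumptions for the example), and the TLS channel's exported keying material is stood in for by a byte string called `ekm`. A stolen token still passes the bearer check, but fails as soon as it is presented over another channel or with a key it was not bound to.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// issuerSecret authenticates tokens the way an authorization server would
// (constructed value for this example; a real deployment uses a managed key).
var issuerSecret = []byte("constructed-issuer-secret")

// Token is a simplified access token. The issuer records the SHA-256
// thumbprint of the client's binding public key in it (the "cnf"-style
// confirmation claim) and protects the whole token with an HMAC.
type Token struct {
	Subject    string
	Thumbprint []byte // sha256 of the client's ed25519 binding public key
	Tag        []byte // HMAC-SHA256 over Subject and Thumbprint
}

func tokenTag(subject string, thumbprint []byte) []byte {
	mac := hmac.New(sha256.New, issuerSecret)
	mac.Write([]byte(subject))
	mac.Write(thumbprint)
	return mac.Sum(nil)
}

// issueBoundToken is the issuance step: the client's binding key is collected
// and its thumbprint is baked into the token.
func issueBoundToken(subject string, clientPub ed25519.PublicKey) Token {
	tp := sha256.Sum256(clientPub)
	return Token{Subject: subject, Thumbprint: tp[:], Tag: tokenTag(subject, tp[:])}
}

// verifyBearer is the classic check: whoever holds an authentic token is in.
func verifyBearer(tok Token) error {
	if !hmac.Equal(tokenTag(tok.Subject, tok.Thumbprint), tok.Tag) {
		return errors.New("token tag invalid")
	}
	return nil
}

// Presentation is what a client sends with the token on each request: its
// binding public key and a signature over the channel's exported keying
// material (EKM). Only the holder of the private key can produce it.
type Presentation struct {
	Token     Token
	ClientPub ed25519.PublicKey
	Proof     []byte // ed25519 signature over the EKM of the current TLS channel
}

func present(tok Token, priv ed25519.PrivateKey, ekm []byte) Presentation {
	return Presentation{
		Token:     tok,
		ClientPub: priv.Public().(ed25519.PublicKey),
		Proof:     ed25519.Sign(priv, ekm),
	}
}

// verifyPresentation is the resource server's check. ekm must be the value
// the server derived from its own end of the TLS connection, never a value
// the client supplies.
func verifyPresentation(p Presentation, ekm []byte) error {
	if err := verifyBearer(p.Token); err != nil { // 1. token is authentic
		return err
	}
	tp := sha256.Sum256(p.ClientPub) // 2. key matches the binding in the token
	if !bytes.Equal(tp[:], p.Token.Thumbprint) {
		return errors.New("presented key does not match token binding")
	}
	if !ed25519.Verify(p.ClientPub, ekm, p.Proof) { // 3. proof of possession
		return errors.New("proof of possession failed for this channel")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := issueBoundToken("alice", pub)

	ekm := make([]byte, 32) // stands in for the TLS channel's exported keying material
	rand.Read(ekm)
	fmt.Println("legitimate client:", verifyPresentation(present(tok, priv, ekm), ekm))

	// A stolen token is still a perfectly valid bearer token...
	fmt.Println("stolen token as bearer:", verifyBearer(tok))
	// ...but replaying the captured presentation over another channel fails,
	// and so does presenting it with a key the token was not bound to.
	otherEKM := make([]byte, 32)
	rand.Read(otherEKM)
	fmt.Println("replay on another channel:", verifyPresentation(present(tok, priv, ekm), otherEKM))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker's own key:", verifyPresentation(present(tok, attackerPriv, ekm), ekm))
}
```

The design point is in `verifyPresentation`: the server never trusts a channel value sent by the client, it signs nothing itself, and the token alone proves nothing without the private key that matches the thumbprint recorded at issuance.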


https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/

Are you sure that the app on your Android device is not a Trojan? - "Triout" spyware, when repackaged with a valid version of an Android app, keeps the appearance and feel of the original app and functions exactly like it.


According to the researcher, Triout can perform many spying operations once it compromises a system, including:

  • Recording every phone call, saving it in the form of a media file, and then sending it together with the caller id to a remote C&C server.
  • Logging every incoming SMS message to the remote C&C server.
  • Sending all call logs (with name, number, date, type, and duration) to the C&C server.
  • Sending every picture and video to the attackers whenever the user snaps a photo or records a video, either with the front or rear camera.
  • Capability to hide itself on the infected device.


https://thehackernews.com/2018/08/android-malware-spyware.html

Tuesday, August 21, 2018

"Dark Tequila" - Advanced keylogger that has been targeting customers of several Mexican banking institutions since at least 2013 and was only discovered recently.



Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services."

Once executed, a multi-stage payload infects the victim's computer only after certain conditions are met, which include checking whether the infected computer has any antivirus or security suite installed or is running in an analysis environment.

Besides this, "the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine," the researchers say.


https://thehackernews.com/2018/08/mexico-banking-malware.html

Free Book from Microsoft - Designing Distributed Systems

Catchy names - "USBHarpoon" and "USB Condom". You should read this if you are used to borrowing USB charging cables.

USBHarpoon - A malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands.

The USBHarpoon / BadUSB cable attack is successful on unlocked machines, where it can launch commands that download and execute a payload. On Windows, the commands can run directly from the Run prompt; on Mac and Linux it could launch a terminal and work from there.

The solution is a "USB Condom" (I am not joking) - an electronic accessory that blocks the data pins on a USB cable and allows only power to go through (but these can be infected too).


https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/

Friday, August 17, 2018

It feels good to show off our new Internet-enabled home gadgets. Just be aware that a misconfigured DIY smart-home hub for home automation could allow attackers to track owners’ movements, see if smart doors and windows are opened or closed, and even open garage doors.


The servers in question are 49,000 Message Queuing Telemetry Transport (MQTT) servers, which are publicly visible due to misconfiguration of the MQTT protocol, according to research released Thursday by Avast. This includes more than 32,000 servers with no password protection.

“The MQTT protocol is used to interconnect and control smart-home devices, via smart-home hubs,”

While the MQTT protocol itself is secure, a lack of security awareness combined with poor built-in protections can create a number of threat vectors, even when a server is partially protected.

“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” Hron said. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”

https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/

What is Value At Risk (VaR)?

A model that helps a decision maker understand more clearly what matters: what threats the product or solution is attempting to mitigate; how often those threats appear on the organization’s landscape; and the current capability of the organization to recognize, respond to, and mitigate those threats.


https://www.infosecurity-magazine.com/opinions/real-security-question

Thursday, August 16, 2018

FYI, if you are an Instagram user, be aware that Instagram has been hit by a widespread hacking campaign that appears to stem from Russia.


According to victims, their account names, profile pictures, passwords, email addresses associated with their Instagram accounts, and even connected Facebook accounts are being changed in the attack.

Instagram currently relies on text messages for two-factor authentication, which is believed to be less secure than other app-based 2FA methods, but the Facebook-owned company says it is working on improving its 2FA settings.


For more information, users are recommended to visit the Instagram Help Centre dedicated to hacked accounts, which includes security tips as well as steps they can take to restore their account.

https://thehackernews.com/2018/08/hack-instagram-accounts.html

Wednesday, August 15, 2018

Attn, Windows 10 Cortana users - Here is one good reason why you should be applying the latest MS patches (Microsoft has fixed this). A locked PC with Cortana enabled on the lock screen allows an attacker with physical access to the device to launch two kinds of unauthorized exploits simply by querying her, researchers at McAfee said Tuesday.

“In the first case, the attacker can force Microsoft Edge to navigate to an attacker-controlled URL; in the second, the attacker can use a limited version of Internet Explorer 11 using the saved credentials of the victim,” the researchers said in a post.

In the first scenario, a Cortana privilege escalation leads to forced navigation for Microsoft Edge on a lock screen. Essentially, the flaw does not allow an attacker to unlock the device, but it does allow someone with physical access to ask Cortana to use Edge to navigate to a page of the attacker’s choosing, while the device is still locked.

“It is surprising that links are offered and clickable when the device is locked,” researchers said. “If you start your favorite network sniffer or man-in-the-middle proxy, you will see that the links are visited as soon as the user clicks on them, irrespective of the device’s locked status.”


https://threatpost.com/microsoft-cortana-flaw-allows-web-browsing-on-locked-pcs/136558/

Tuesday, August 14, 2018

Are you sure that the video captured by police body cameras has not been manipulated? - They are vulnerable to hacking, making several different nightmare scenarios possible: officers themselves could be tracked, footage could be doctored or deleted, and the cameras could be hijacked to spread ransomware/malware.



“The videos can be as powerful as something like DNA evidence, but if they’re not properly protected there’s the potential that the footage could be modified or replaced,” Mitchell told Wired. “I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues.”

“These are full-feature computers walking around on your chest, and they have all of the issues that go along with that,” Mitchell said. One issue that kept recurring in his research: a too-easy-to-guess default wifi password, a problem reaching near-ubiquity with IoT devices.

Mitchell demonstrated vulnerabilities in cameras made by Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. Cameras from Axon, the largest manufacturer in the US, weren’t examined for vulnerabilities, but Vievu was recently acquired by Axon.

They don’t use cryptographic mechanisms to confirm that firmware updates or uploaded videos are legitimate. Mitchell found that the cameras don’t protect uploaded footage with digital signatures to ensure it hasn’t been manipulated. Without this verification, attackers could download, edit, then re-upload footage to cloud storage without a trace. Mitchell also says that the cameras run firmware without verification, meaning a hacker could expose the cameras to malicious code by disguising it as a normal software update.

https://gizmodo.com/hackers-can-turn-body-cameras-into-malware-spewing-mach-1828306760

Welcome to FAXPLOIT - Remember good old fax machines (300 million fax numbers and 45 million fax machines in use globally)? A remote attacker can simply send a specially-crafted image file via fax to exploit the reported vulnerabilities and seize control of an enterprise or home network.

(Good news: HP has patches.)

The Faxploit attack involves two buffer overflow vulnerabilities: one is triggered while parsing COM markers (CVE-2018-5925) and a stack-based one is triggered while parsing DHT markers (CVE-2018-5924), leading to remote code execution.

All the attacker needs to exploit these vulnerabilities is a fax number, which can easily be found simply by browsing a corporate website or requesting it directly.


https://thehackernews.com/2018/08/hack-printer-fax-machine.html

Monday, August 13, 2018

"Even Google’s own developers don’t necessarily follow Android security guidelines." So we have a new "Man in the Disk" attack, which allows a bad actor to hijack the communications between privileged apps and the device disk, bypassing sandbox protections to gain access to app functions and potentially wreak havoc.


“Some of the apps in question are made by Google themselves,” said Gan. “So even Google’s own developers don’t necessarily follow Android guidelines.”

Android’s OS makes use of two types of storage: internal storage, which provides every app with its own sandbox; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to enable apps to transfer data from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.


Google provides developer guidelines meant to provide a road map for security best practices. These include advice such as never writing critical data files to the external storage, and not using it to store executables or files that impact the way apps operate. Also, external storage files should be signed and cryptographically verified prior to dynamic loading.

In fact, roughly half of the Android apps in Google Play that Check Point examined did not comply with the guidelines. The firm examined Google Translate, Yandex Translate, Google Voice Typing, Google Text-to-Speech and Xiaomi Browser, among others.
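The "sign and cryptographically verify prior to dynamic loading" guideline above, and the same missing control on the body cameras described earlier (unsigned footage and firmware), come down to one check on the consumer side. The following is an added example, not code from the original post, from Google, or from any camera vendor: a producer signs each file with an Ed25519 key over a digest of the file name and content, and the consumer copies the file out of shared storage into private memory, verifies that copy against a key pinned in its own code, and uses only the verified bytes. The seed, file names and contents are constructed values for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The publisher's signing key. The seed is a constructed value so the example
// is reproducible; a real app or camera embeds only the public key.
var publisherPriv = ed25519.NewKeyFromSeed([]byte("constructed-publisher-seed-32byt"))

// publisherPub is the key the consumer pins in its own code, never on shared storage.
func publisherPub() ed25519.PublicKey {
	return publisherPriv.Public().(ed25519.PublicKey)
}

// SignedBlob is a file as it sits on shared storage: the content plus a
// signature over digest(name, content), so a valid signature cannot simply be
// moved from one file name to another.
type SignedBlob struct {
	Name    string
	Payload []byte
	Sig     []byte
}

func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write(payload)
	return h.Sum(nil)
}

// publish is what the legitimate producer (update server, camera) does.
func publish(name string, payload []byte) SignedBlob {
	return SignedBlob{Name: name, Payload: payload, Sig: ed25519.Sign(publisherPriv, digest(name, payload))}
}

// loadVerified is the consumer side: copy the file into private memory first,
// verify that copy against the pinned key, and return only the verified bytes.
// Verifying the shared file and then reading it again from the path would
// leave a window in which another app could swap the content between check and use.
func loadVerified(b SignedBlob, pub ed25519.PublicKey) ([]byte, error) {
	private := append([]byte(nil), b.Payload...)
	if !ed25519.Verify(pub, digest(b.Name, private), b.Sig) {
		return nil, errors.New("signature check failed, refusing to load " + b.Name)
	}
	return private, nil
}

func main() {
	// Constructed sample: an "update" module dropped on external storage.
	update := publish("module.bin", []byte("legitimate module v2"))
	if data, err := loadVerified(update, publisherPub()); err == nil {
		fmt.Printf("loaded %d verified bytes\n", len(data))
	}
	// Another app with write access to the shared storage modifies the file.
	tampered := update
	tampered.Payload = []byte("legitimate module v2 plus injected code")
	if _, err := loadVerified(tampered, publisherPub()); err != nil {
		fmt.Println("rejected:", err)
	}
	// A valid signature copied onto a different file name is rejected as well.
	moved := SignedBlob{Name: "other.bin", Payload: update.Payload, Sig: update.Sig}
	_, err := loadVerified(moved, publisherPub())
	fmt.Println("renamed file rejected:", err != nil)
}
```

Two details carry the weight here: the public key lives in the app's own code rather than next to the data it protects, and the name is part of what is signed, so an attacker with write access to the shared area can neither edit a file nor re-label a genuine one.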



https://threatpost.com/def-con-2018-man-in-the-disk-attack-surface-affects-all-android-phones/134993/

(Zero Day Hack for macOS) What is a "synthetic click"? - A programmatic and invisible mouse click generated by a software program rather than a human. With just 2 lines of code on macOS High Sierra, this attack can be created.




To understand how dangerous this can get, Wardle explains: "Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click...allowed. Authorize keychain access? Click...allowed. Load 3rd-party kernel extension? Click...allowed. Authorize outgoing network connection? click ...allowed."

High Sierra incorrectly interprets two consecutive synthetic mouse "down" events as a legitimate click, allowing attackers to programmatically interact with the security warnings that ask users to choose between "allow" and "deny", and so access sensitive data or features.

The vulnerability can potentially be exploited to dump all passwords from the keychain or load malicious kernel extensions by virtually clicking "allow" on the security prompt and gaining full control of a target machine.

One piece of good news: Apple's next version of macOS, Mojave, has already mitigated the threat by blocking all synthetic events.

https://thehackernews.com/2018/08/macos-mouse-click-hack.html

Thursday, August 9, 2018

Cybersecurity book bundle (almost free) - Book bundles starting from $1 up to $15. Think of it as charity, as the proceeds go to the EFF.

Be careful - There are multiple security issues with online stock trading tools


Hernández (a security consultant) analyzed 16 desktop applications, 34 mobile apps, and 30 websites, comprising 40 trading platforms in all. That includes major legacy players like Fidelity and Charles Schwab, mobile-first upstarts like Robinhood, and less common names like Kraken and Poloniex. And while some companies, like Schwab and Merrill Edge, earned mostly high marks for their security hygiene, the overall picture seems bleak.


1. Apps transmitted some data in unencrypted form.

2. Mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text.

3. Multi-factor authentication not enabled by default.

4. Logging out didn’t immediately end the server-side session.

5. Several trading platforms let users create their own bots, making it relatively simple for a malicious coder to hide a backdoor or other malware.


Details:


Well over half of the desktop applications he examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted.

(Here is the best part) Several mobile apps and a handful of desktop applications stored passwords unencrypted locally, or sent them to logs in plain text.

Two-factor authentication would prevent that scenario, but while most of the web platforms Hernández looked at offer it, they don’t enable it by default.

He found that on the web platforms of companies like Charles Schwab and E-Trade, logging out didn’t immediately end the session on the server side.

Several trading platforms let users create their own bots through proprietary programming languages, making it relatively simple for a malicious coder to hide a backdoor or other malware.

https://www.wired.com/story/online-stock-trading-serious-security-holes/

Tuesday, August 7, 2018

It is illegal for you to scan a bank's computers, but they can scan yours, at least according to Halifax. When you visit the Halifax login page, even before you've logged in, JavaScript on the site, running in the browser, attempts to scan for open ports on your local computer.


Halifax explicitly says they'll run software to detect malware... but that's if you're a customer. Halifax currently scans everyone, as soon as you land on their site.


Moore said he wouldn't have an issue if Halifax carried out the security checks on people's computers after they had logged on. It's the lack of consent and the scanning of any visitor that bothers him. "If they ran the script after you've logged in... they'd end up with the same end result, but they wouldn't be scanning visitors, only customers," Moore said.

https://www.theregister.co.uk/2018/08/07/halifax_bank_ports_scans/

Monday, August 6, 2018

SIEM is a Monster - How can you successfully deploy it? - Check this Gartner Article


You will need to provide some basic details before you can download it.



https://logrhythm.com/gartner-how-to-deploy-a-siem-successfully-analyst-report/

Virus attack - We have heard that before; how about this: the company expects the virus to inflict a 250 million loss in revenue (does this get your attention?)




TSMC, the world's largest maker of semiconductors and processors, lost an entire day of production after several of its factory systems were halted by a computer virus in the middle of the ramp-up for chips to be used in Apple's future lines of iPhones.

TSMC expects the shutdown will result in shipment delays and additional costs, and estimated that two days of outages will impact revenue by about 3 percent (approx. 250 million).


https://thehackernews.com/2018/08/tsmc-iphone-computer-virus.html

FREE - For would-be Pentesters and Hackers - How to Set up your own malware analysis lab with VirtualBox, INetSim and Burp


A Good starting point for would-be Pentesters and Hackers

https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/

You can have the best security controls in the world, but it will not help if you do not understand the following statement: when an enterprise engages with a third party, it becomes responsible for that third party’s security controls.




ICBA Bancard Inc. subsidiary TCM Bank, a company that aids community banks in issuing credit cards to their customers, announced that the personal data of thousands of people who applied for credit cards with their local banks was exposed.

The information that was leaked between early March and mid-July 2018 included the names, addresses, dates of birth and Social Security numbers of thousands of people across the more than 750 community banks that work with TCM Bank.

In this instance, misconfiguration, a critical application-security risk, resulted in a leak of customer information.

“When partnering with third parties, organizations cannot relieve themselves from the responsibility of security. In the eyes of the affected consumers, they provided the data to the organization and they hold that organization responsible.”




https://www.infosecurity-magazine.com/news/third-party-web-manager-exposes

Thursday, August 2, 2018

Last year was "Targeted Attack" and "Phishing". 2018 is the year of "Targeted Phishing Attack" (used in a "Sextortion" scam)

A key component of a targeted phishing attack is personalization. 

This uses an inverted threat model: most phishing campaigns try to steal your password, whereas this one leads with it.

On July 12 a new "sextortion" based phishing scheme began and tricked dozens of people into paying anywhere from a few hundred to thousands of dollars in Bitcoin. What spooked people was that its salutation included a password that each recipient legitimately used at some point online.

https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstream/

Wake-up call to those who still rely on SMS-based authentication and believe it is secure (don't give up on 2FA, just replace SMS with OTP apps).


According to Reddit, the unknown hacker(s) managed to gain read-only access to some of its systems that contained its users' backup data, source code, internal logs, and other files.

According to Slowe, the most significant data contained in the backup was account credentials (usernames and their corresponding salted and hashed passwords), email addresses and all content including private messages.

The hack was accomplished by intercepting SMS messages that were meant to reach Reddit employees with one-time passcodes, eventually circumventing the two-factor authentication (2FA) Reddit had in place.

https://thehackernews.com/2018/08/hack-reddit-account.html

Wednesday, August 1, 2018

SmartHome (meaning a home loaded with IoT) is the new craze. So far IoT manufacturers have not been concerned about security, so what can we do to protect our homes?

What is the relationship between google and Dragonfly? - Dragonfly is Censored Google Search Engine for China


Since spring last year Google engineers have been secretly working on a project, dubbed "Dragonfly," which currently includes two Android mobile apps named Maotai and Longfei, one of which will be launched by the end of this year after Chinese officials approve it.

The mobile app reportedly aims to "blacklist sensitive queries" and filter out all websites (news, human rights, democracy, religion) blocked by the Chinese government, including Wikipedia, BBC News, Instagram, Facebook, and Twitter.

Google will also blacklist words like human rights, democracy, religion and peaceful protests in Chinese in its search engine app.

The censorship will also be embedded in Google's image search, spell check, and suggested search features, which eventually means the search engine will not display to Chinese users potentially "sensitive" terms or images banned by their government.

https://thehackernews.com/2018/08/censored-google-search-china.html