“Suspicious” event routes traffic for big-name sites through Russia

According to a blog post published Wednesday by Internet monitoring service BGPMon, the hijack lasted a total of six minutes and affected 80 separate address blocks. It started at 4:43 UTC and continued for three minutes. A second hijacking occurred at 7:07 UTC and also lasted three minutes. Meanwhile, a second monitoring service, Qrator Labs, said the event lasted for two hours, although the number of hijacked address blocks varied from 40 to 80 during that time.

While BGP rerouting events are often the result of human error rather than malicious intent, BGPMon researchers said several things made Wednesday’s incident “suspicious.” First, the rerouted traffic belonged to some of the most sensitive companies, which—besides Google, Facebook, Apple, and Microsoft—also included Twitch, NTT Communications, and Riot Games. Besides the cherrypicked targets, hijacked IP addresses were broken up into smaller, more specific blocks than those announced by affected companies, an indication the rerouting was “intentional.”

Source: “Suspicious” event routes traffic for big-name sites through Russia | Ars Technica
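
The more-specific announcement BGPMon points to is the tell-tale: routers forward on the longest matching prefix, so an injected /25 captures traffic for half of a legitimate /24 no matter which route was announced first. Below is an added example (not code from the article or from BGPMon) that checks observed announcements against a table of expected origins; the ASNs, prefixes and updates are constructed for the demo.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed table: the prefixes each origin AS is expected to announce.
# Private ASNs and documentation prefixes are used; nothing here is a real route.
EXPECTED_PREFIXES: Dict[int, Set[str]] = {
    64500: {"203.0.113.0/24", "198.51.100.0/24"},
}

# Constructed sample of observed updates: (prefix, origin ASN, AS path).
SAMPLE_UPDATES: List[Tuple[str, int, Tuple[int, ...]]] = [
    ("203.0.113.0/24", 64500, (64510, 64500)),    # the legitimate announcement
    ("203.0.113.0/25", 64666, (64510, 64666)),    # more-specific, foreign origin
    ("203.0.113.128/25", 64666, (64510, 64666)),  # more-specific, foreign origin
    ("198.51.100.0/24", 64666, (64510, 64666)),   # same prefix, foreign origin
    ("198.51.100.0/26", 64500, (64510, 64500)),   # more-specific, but own origin
    ("192.0.2.0/24", 64666, (64510, 64666)),      # not a prefix we monitor
]

# Verdicts in increasing order of concern.
SEVERITY = ["unmonitored", "ok", "more-specific from own origin",
            "exact-prefix hijack", "more-specific hijack"]


def longest_match(address: str, prefixes: List[str]) -> str:
    """Return the prefix a router would actually use for this address.

    Routers forward on the longest (most specific) matching prefix, so a /25
    injected by a hijacker beats the victim's own /24 for half of its space,
    regardless of which announcement came first.
    """
    ip = ipaddress.ip_address(address)
    matches = [ipaddress.ip_network(p) for p in prefixes
               if ip in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route for {address}")
    return str(max(matches, key=lambda n: n.prefixlen))


def classify(prefix: str, origin_asn: int,
             expected: Dict[int, Set[str]]) -> str:
    """Compare one announcement against the expected table and return a verdict."""
    net = ipaddress.ip_network(prefix)
    verdict = "unmonitored"
    for legit_asn, prefixes in expected.items():
        for p in prefixes:
            cover = ipaddress.ip_network(p)
            if cover.version != net.version:
                continue
            if net == cover:
                candidate = "ok" if origin_asn == legit_asn else "exact-prefix hijack"
            elif net.subnet_of(cover):
                # A more-specific block is what BGPMon singled out as the sign
                # of intent: it wins longest-prefix match against the real route.
                candidate = ("more-specific from own origin"
                             if origin_asn == legit_asn else "more-specific hijack")
            else:
                continue
            if SEVERITY.index(candidate) > SEVERITY.index(verdict):
                verdict = candidate
    return verdict


def check_updates(updates, expected) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin, verdict) for every update that needs a human look."""
    findings = []
    for prefix, origin_asn, _path in updates:
        verdict = classify(prefix, origin_asn, expected)
        if verdict not in ("ok", "unmonitored"):
            findings.append((prefix, origin_asn, verdict))
    return findings


if __name__ == "__main__":
    for finding in check_updates(SAMPLE_UPDATES, EXPECTED_PREFIXES):
        print(finding)
    print(longest_match("203.0.113.10", ["203.0.113.0/24", "203.0.113.0/25"]))
```

A more-specific from the legitimate origin is reported too, because traffic engineering and a hijack with a forged origin look identical on the wire until someone checks with the prefix holder.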

Apparent Google update glitch disconnects student Chromebooks in schools across the U.S. – GeekWire

Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.

Source: Apparent Google update glitch disconnects student Chromebooks in schools across the U.S. – GeekWire

Ouch – the dangers of cloud!

System76 will disable Intel Management engine on its Linux laptops via firmware update

System76 is one a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware.

Intel recently confirmed a major security vulnerability affecting those chips and it’s working with PC makers to patch that vulnerability.

But System76 is taking another approach: it’s going to roll out a firmware update for its recent laptops that disables the Intel Management Engine altogether.

Technically, that’s not something Intel wants you to do. Not only does the chip maker not tell you what’s in the code, but it doesn’t provide an off switch.

But independent researchers have recently discovered a way to disable the Intel Management Engine and companies including Google and Purism have already announced plans to do so.

What’s noteworthy in the System76 announcement is that the PC maker isn’t just planning to disable Intel ME in computers that ship from now on. The company will send out an update that disables it on existing computers with 6th, 7th, or 8th-gen Intel Core processors. System76 also notes that Intel ME “provides no functionality for System76 laptop customers and is safe to disable.”

Source: System76 will disable Intel Management engine on its Linux laptops – Liliputing

Come on Lenovo – do this for me too!

66 Percent of Popular Android Cryptocurrency Apps Don’t Use Encryption

High-Tech Bridge used its free mobile app analysis software, called Mobile X-Ray, to peek under the hood of the top 30 cryptocurrency apps in the Google Play store at three different popularity levels: apps with up to 100,000 downloads, up to 500,000 downloads, and apps with more than 500,000 downloads. So, a total of 90 apps altogether. Of the most popular apps, 94 percent used outdated encryption, 66 percent didn’t use HTTPS to encrypt user information in transit, 44 percent used hard-coded default passwords (stored in plain text in the code), and overall 94 percent of the most popular apps were found to have “at least three medium-risk vulnerabilities.”

Source: 66 Percent of Popular Android Cryptocurrency Apps Don’t Use Encryption – Motherboard

Former DHS employee had 246000 DHS employee records at home to sell. DHS waits 3 months(!) to notify employees.

The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY.

Also discovered on the server was a copy of 159,000 case files from the inspector general’s investigative case management system, which suspects in an ongoing criminal investigation intended to market and sell, according to a report sent by DHS Inspector General John Roth on Nov. 24 to key members of Congress.

The information included names, Social Security numbers and dates of birth, the report said.

The inspector general’s acting chief information security officer reported the breach to DHS officials on May 11, while IG agents reviewed the details.

Acting DHS Secretary Elaine Duke decided on Aug. 21 to notify affected employees who were employed at the department through the end of 2014 about the breach.

Source: Former DHS employee had sensitive info stashed on home computer s

As Apple fixes macOS root password hole, here’s what went wrong (note: get patching!)

The patch addresses a flaw in its operating system that allows anyone sitting at a Mac to gain administrator access by entering “root” as the username and leaving the password box blank in authentication prompts. This works when altering system settings, logging into the machine, and accessing it remotely via VNC, RDP, screen sharing, and so on. It can also be used to log into system accounts, such as _uucp, and via the command line, which is useful for malware seeking to gain superuser privileges.

If you’re running High Sierra, you’re urged to install the update as soon as possible.

Source: As Apple fixes macOS root password hole, here’s what went wrong • The Register

Using heart dimensions, scanned with Doppler radar, as a biometric

Forget fingerprint computer identification or retinal scanning. A University at Buffalo-led team has developed a computer security system using the dimensions of your heart as your identifier.

The system uses low-level Doppler radar to measure your heart, and then continually monitors your heart to make sure no one else has stepped in to run your computer.

Source: Goodbye, login. Hello, heart scan. – University at Buffalo

Intel: We’ve found severe bugs in secretive unpatchable Management Engine, affecting millions

Thanks to an investigation by third-party researchers into Intel’s hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers.

The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS).

Intel discovered the bugs after Maxim Goryachy and Mark Ermolov from security firm Positive Technologies found a critical vulnerability in the ME firmware that Intel now says would allow an attacker with local access to execute arbitrary code.

The researchers in August published details about a secret avenue that the US government can use to disable ME, which is not available to the public.

Intel ME has been a source of concern for security-minded users, in part because only Intel can inspect the firmware, yet many researchers suspected the powerful subsystem had bugs that were ripe for abuse by attackers.

Goryachy and Ermolov will present their research on an ME flaw at Blackhat in December, detailing how an attacker can run unsigned code in the microprocessor and remain invisible to the main CPU and any anti-malware software.

ME runs on its own microprocessor and, as a Google engineer recently revealed, a modified version of the MINIX operating system.

Google was so afraid of UEFI and Intel ME that it created NERF, or the Non-Extensible Reduced Firmware, which it uses to manage Chromebooks. NERF runs on a Linux kernel rather than MINIX and removes ME’s web server and IP stack, key UEFI drivers, and neuters the ability for ME and UEFI to self-reflash the firmware.

The ME engine supports Intel’s Active Management Technology (AMT), which allows admins to remotely manage and fix devices.

A flaw discovered this May in AMT, which affected chips from 2008, highlighted another problem: patching it required an ME firmware update on machines that hardware vendors had stopped supporting. Only enterprise machines with vPro were affected, but the bug prompted EFF’s demands for Intel to provide a way to disable ME.

Source: Intel: We’ve found severe bugs in secretive unpatchable Management Engine, affecting millions – ZDNet

There’s a company out there selling laptops with the ME disabled.

Loakes shoes hacked, fluffs the explanation

This is more than a little embarrassing for a business that supplies handmade leather goods to the British royal family. Founded in 1880 by brothers Thomas, John and William Loake, the firm has since sold more than 50 million pairs of Goodyear welted shoes in more than 50 countries.
[…]
Loake strangely described the attack as “similar in nature to that which was suffered by the NHS a few months ago” – presumably the WannaCrypt ransomware worm that held systems across the world hostage through encryption.
[…]
“The fact that they have likened their data breach to the recent NHS ransomware attack – two completely different events – reduces my confidence in their ability to deal with the situation and it also makes me question their reassurance that my credit card details are safe,” the customer added.

Etienne Greef, managing director of integrator Secure Data, told The Register it was “unlikely” that the breach was similar to the NHS attack as WannaCry does not access email servers, but rather encrypts information.

He said drawing comparisons with the NHS attack implied that Loake was running old, vulnerable versions of an operating system.

Source: Loake Shoes admits: We’ve fallen victim to cybercrims – the Register

Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.

As estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne.

BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within the range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.

Source: Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

Intel’s super-secret Management Engine firmware breached via USB

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine.

With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date. Alternatively, an attacker can slip into the USB port and meddle with the engine as required right there and then.

Source: Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB • The Register

LavaRand in Production: The Nitty-Gritty Technical Details or How Cloudflare uses a wall of lava lamps to protect the internet

There’s a wall of lava lamps in the lobby of our San Francisco office. We use it for cryptography. Here are the nitty-gritty technical details.
[…]
In cryptography, the term random means unpredictable. That is, a process for generating random bits is secure if an attacker is unable to predict the next bit with greater than 50% accuracy (in other words, no better than random chance).

We can obtain randomness that is unpredictable using one of two approaches. The first produces true randomness, while the second produces pseudorandomness.
[…]
In short, LavaRand is a system that provides an additional entropy source to our production machines. In the lobby of our San Francisco office, we have a wall of lava lamps (pictured above). A video feed of this wall is used to generate entropy that is made available to our production fleet.

We’re not the first ones to do this. Our LavaRand system was inspired by a similar system first proposed and built by Silicon Graphics and patented in 1996 (the patent has since expired).

The flow of the “lava” in a lava lamp is very unpredictable, and so the entropy in those lamps is incredibly high. Even if we conservatively assume that the camera has a resolution of 100×100 pixels (of course it’s actually much higher) and that an attacker can guess the value of any pixel of that image to within one bit of precision (e.g., they know that a particular pixel has a red value of either 123 or 124, but they aren’t sure which it is), then the total amount of entropy produced by the image is 100×100×3 = 30,000 bits (the ×3 is because each pixel comprises three values – a red, a green, and a blue channel). This is orders of magnitude more entropy than we need.

Source: LavaRand in Production: The Nitty-Gritty Technical Details
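
As an added worked example (not Cloudflare’s code), this carries the post’s entropy estimate into the conditioning step: a frame is reduced to a fixed-size seed by hashing, a frame too small to back a 256-bit seed is refused, and the seed is mixed into an existing pool so the camera never becomes the only source. The frame bytes are constructed with os.urandom as a stand-in for the video feed.

```python
import hashlib
import os

# Conservative per-channel uncertainty from the post: the attacker can narrow
# every channel value down to one of two candidates, so each channel still
# yields one bit the attacker cannot predict.
ATTACKER_UNCERTAINTY_BITS = 1
CHANNELS = 3  # red, green, blue


def conservative_entropy_bits(width: int, height: int,
                              channels: int = CHANNELS,
                              bits_per_channel: int = ATTACKER_UNCERTAINTY_BITS) -> int:
    """Lower bound on the entropy of one frame under the post's assumptions.

    For a 100x100 frame this is 100 * 100 * 3 * 1 = 30,000 bits.
    """
    return width * height * channels * bits_per_channel


def condition_frame(frame: bytes, width: int, height: int,
                    min_bits: int = 256) -> bytes:
    """Compress a raw RGB frame into a fixed-size seed.

    Hashing is the conditioning step: it turns many low-quality bits spread
    across the image into a short string with (close to) full entropy. The
    seed is only as good as the frame, so frames whose conservative estimate
    cannot back a 256-bit seed are refused rather than silently used.
    """
    expected_len = width * height * CHANNELS
    if len(frame) != expected_len:
        raise ValueError(f"frame is {len(frame)} bytes, expected {expected_len}")
    if conservative_entropy_bits(width, height) < min_bits:
        raise ValueError(f"frame too small to yield a {min_bits}-bit seed")
    return hashlib.sha256(b"lavarand-frame" + frame).digest()


def mix_into_pool(pool: bytes, seed: bytes) -> bytes:
    """Fold a new seed into an existing pool without discarding what was there.

    Hashing pool||seed means an attacker who can predict one source (say, a
    frame) still cannot predict the pool unless they also know the other.
    """
    return hashlib.sha256(b"lavarand-pool" + pool + seed).digest()


def demo(width: int = 100, height: int = 100):
    """Run the whole path on a constructed frame; returns (bits, seed, pool)."""
    # Constructed stand-in for a camera frame; a real deployment would read
    # the video feed of the lamp wall instead.
    frame = os.urandom(width * height * CHANNELS)
    seed = condition_frame(frame, width, height)
    pool = mix_into_pool(b"\x00" * 32, seed)
    return conservative_entropy_bits(width, height), seed, pool


if __name__ == "__main__":
    bits, seed, pool = demo()
    print(bits, seed.hex(), pool.hex())
```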

Linux Has a USB Driver Security Problem. 79 of them. Fortunately, they require physical access.

“All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” Konovalov said.
Konovalov has found a total of 79 Linux USB-related bugs

The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched.

Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.

All bugs Konovalov discovered were found using syzkaller, a tool developed by Google that finds security bugs via a technique known as fuzzing.

Source: Linux Has a USB Driver Security Problem
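
Since these bugs need a device plugged into the host, the kernel’s USB authorization knobs in sysfs are the practical mitigation: set authorized_default to 0 on each host controller so a new device is enumerated but not bound to a driver, then authorize only known vendor/product IDs. Added example, not from the article or from syzkaller; the allowlist and the sysfs tree it runs against are constructed, with the real path kept as a constant.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Where the kernel exposes USB devices on a real host (run as root to enforce).
REAL_SYSFS = Path("/sys/bus/usb/devices")

# Constructed allowlist of (idVendor, idProduct) as sysfs prints them: four
# lowercase hex digits each. Replace with the IDs of your own keyboard, mouse, etc.
ALLOWLIST: Set[Tuple[str, str]] = {("1234", "5678")}


def lock_new_devices(sysfs_root: Path) -> List[Path]:
    """Make every host controller start new devices in the unauthorized state.

    authorized_default lives on the root hubs (usb1, usb2, ...). With it set
    to 0 the kernel enumerates a newly plugged device but binds no driver to
    it, so a crafted device never reaches the driver code these bugs live in.
    """
    changed = []
    for attr in sorted(sysfs_root.glob("usb*/authorized_default")):
        attr.write_text("0\n")
        changed.append(attr)
    return changed


def _identity(dev: Path) -> Tuple[str, str]:
    return ((dev / "idVendor").read_text().strip().lower(),
            (dev / "idProduct").read_text().strip().lower())


def apply_allowlist(sysfs_root: Path,
                    allowlist: Set[Tuple[str, str]]) -> Dict[str, bool]:
    """Authorize only allowlisted devices; deauthorize everything else.

    Root hubs (usb*) are skipped because deauthorizing them takes the whole
    bus down. Interface directories (e.g. 1-1:1.0) carry no idVendor and are
    skipped as well.
    """
    decisions: Dict[str, bool] = {}
    for dev in sorted(sysfs_root.iterdir()):
        if dev.name.startswith("usb") or not (dev / "idVendor").exists():
            continue
        allowed = _identity(dev) in allowlist
        (dev / "authorized").write_text("1\n" if allowed else "0\n")
        decisions[dev.name] = allowed
    return decisions


def build_fake_sysfs(root: Path) -> None:
    """Constructed sysfs tree: one root hub and two devices, all authorized."""
    hub = root / "usb1"
    hub.mkdir()
    (hub / "authorized_default").write_text("1\n")
    (hub / "idVendor").write_text("1d6b\n")   # root hub, as the kernel reports it
    (hub / "idProduct").write_text("0002\n")
    for name, vid, pid in (("1-1", "1234", "5678"), ("1-2", "dead", "beef")):
        dev = root / name
        dev.mkdir()
        (dev / "idVendor").write_text(vid + "\n")
        (dev / "idProduct").write_text(pid + "\n")
        (dev / "authorized").write_text("1\n")
    (root / "1-1:1.0").mkdir()  # interface directory, no idVendor


def demo() -> Dict[str, object]:
    """Run the policy against the constructed tree and return the end state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fake_sysfs(root)
        lock_new_devices(root)
        decisions = apply_allowlist(root, ALLOWLIST)
        return {
            "usb1/authorized_default": (root / "usb1/authorized_default").read_text().strip(),
            "1-1/authorized": (root / "1-1/authorized").read_text().strip(),
            "1-2/authorized": (root / "1-2/authorized").read_text().strip(),
            "decisions": decisions,
        }


if __name__ == "__main__":
    print(demo())  # pass REAL_SYSFS to the two policy functions to enforce on a live host
```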

Signed Malware: using digital certificates to circumvent malware checks

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI.

Source: Signed Malware

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg.

“Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service.”

Source: Hackers abusing digital certs smuggle malware past security scanners – the Register

Millions of South Africans’ personal information may have been leaked online

The personal information of more than 30 million South Africans has apparently been leaked online. This is according to Australian security researcher and creator of ‘Have I Been Pwned’, Troy Hunt. His website allows people to check if their personal information has been compromised in a data breach.

He took to Twitter on Tuesday to say he had “a very large breach titled ‘masterdeeds’”.

The title of the data led him and other commentators to speculate that the leak was likely from the deeds office.

Identity numbers

If the information Hunt has is legitimate, it may be the biggest breach of Popi (Protection of Personal Information Act) to have ever taken place. Hunt said the database contained names of people, their gender, ethnicity, home ownership and contact information. The data also contained people’s identity numbers and other information like their estimated income and details of their employer. He said the information appeared to be from a government agency.

MyBroadband reported that the database was a 27.2GB backup file that Hunt found on Torrent and he gained 31.6 million records before it crashed. He said there could be over 47 million records in the database.

Source: Millions of South Africans’ personal information may have been leaked online | Fin24

Virtually everyone in Malaysia pwned in telco, govt data hack spree

Information on 46.2 million cellphone accounts was slurped from Malaysian telecoms providers. To put that in context, the population of Malaysia is 31.2 million; obviously, some people have more than one number.

The stolen telco records include people’s mobile phone numbers, SIM card details, device serial numbers, and home addresses, all of which are useful to identity thieves and scammers. Some 80,000 medical records were also accessed during the hacking spree, and government websites as well as Jobstreet.com were attacked and infiltrated, too, we’re told.
[…]
Malaysian officials confirmed this week that nearly 50 million mobile phone account records were accessed by hackers unknown. The authorities also warned that people’s private data was stolen from the Malaysian Medical Council, the Malaysian Medical Association, the Academy of Medicine, the Malaysian Housing Loan Applications body, the Malaysian Dental Association, and the National Specialist Register of Malaysia.

It’s believed the systems were actually hacked as far back as 2014, The Star reported.

Source: Virtually everyone in Malaysia pwned in telco, govt data hack spree • The Register

Mozilla Wants to Distrust Dutch HTTPS Provider Because of Local Dystopian Law (Sleepnetwet)

If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate Authority (CA).

This CA is operated by PKIOverheid/Logius, a division of the Ministry of Interior and Kingdom Relations, which is the same ministry that oversees the AIVD intelligence service.

New law gives Dutch govt power to intercept Internet traffic

What’s got Mozilla engineers scared is the new “Wet op de inlichtingen- en veiligheidsdiensten (Wiv)” — translated to Information and Security Services Act — a new law voted this year that will come into effect at the start of 2018.

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic.

Such covert technical capabilities include the use of “false keys,” as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

IBM broke its cloud by letting three domain names expire

Back in September, IBM was left red-faced when its global load balancer and reverse DNS services fell over for 21 hours.

At the time, IBM blamed the outage on a third-party domain name registrar that was transferring some domains to another registrar. The sending registrar, IBM said, accidentally put the domains in a “hold state” that prevented them being transferred. As the load balancer and reverse DNS service relied on the domains in question, the services became inaccessible to customers.

IBM’s now released an incident summary [PDF] in which it says “multiple domain names were mistakenly allowed to expire and were in hold status.”

The explanation also reveals that the network-layer.net domain was caught up in the mess, in addition to the global-datacenter.com and global-datacenter.net domains that IBM reported as messed up in September.

It’s unclear if IBM or its outsourced registrar was responsible for the failure to renew registration for the domains.

Source: IBM broke its cloud by letting three domain names expire • The Register

The dangers of the Cloud ™

Purism Librem Laptops Completely Disable Intel’s Management Engine

The Management Engine (ME), part of Intel AMT, is a separate CPU that can run and control a computer even when it is powered off. The ME, which has been the bane of the security market since 2008 on all Intel-based CPUs and has publicly released exploits against it, is now disabled by default on all Purism Librem laptops.

Source: Purism Librem Laptops Completely Disable Intel’s Management Engine – Purism

Uber’s iOS App was given Secret Permissions by Apple That Allowed It to Record Your Phone Screen

To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.

The screen recording capability comes from what’s called an “entitlement”—a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.

“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”

Source: Researchers: Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen

Equifax operates site to access salary and employer history using an SSN + DoB (which you can find in the Equifax dump)

Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the first letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.

The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew—or guessed—your phone number to obtain data that could’ve been used for social engineering attacks, or perhaps even to hijack victim’s numbers.

“T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini, who is the founder of startup Secure7, told Motherboard in an online chat. (T-Mobile said that, in fact, the company has 70 million customers, not 76).

“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” he added.
[…]
Karsten Nohl, a cybersecurity researcher who has done work studying cellphone security, told Motherboard that, theoretically, by knowing someone’s IMSI number, hackers or criminals could track a victim’s locations, intercept calls and SMS, or conduct fraud by taking advantage of flaws in the SS7 network, a backbone communications network that is notoriously insecure. Still, Nohl added that “there is no obvious way to make money easily with just an IMSI,” so it’s hard to tell whether such an attack would be attractive to cybercriminals.
[…]
a blackhat hacker who asked to remain anonymous warned Motherboard that the recently patched bug had been found and exploited by other malicious hackers in the last few weeks.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

To prove their claim, the hacker sent me my own account’s data.

Source: T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

On the positive side, T-Mobile gave the discoverer a bug bounty and tried to close the hole with an update. On the negative side, their patch didn’t close the hole.

Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | why it’s a great idea to entrust personal data to governments (not)

In November 2016, the Australian Signals Directorate (ASD) was alerted by a “partner organisation” that an attacker had gained access to the network of a 50-person aerospace engineering firm that subcontracts to the Department of Defence.

Restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels” was among the sensitive data stolen from a small Australian defence contractor in 2016.

The secret information was restricted under the International Traffic in Arms Regulations (ITAR), the US system designed to control the export of defence- and military-related technologies, according to Mitchell Clarke, an incident response manager at the ASD who worked on the case.
[…]
The victim’s network was small. One person managed all IT-related functions, and they’d only been in the role for nine months. High staff turnover was typical.

There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.

Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.

“This isn’t uncommon,” Clarke said. “Only about 12 months old, if you look at government, that’s not that out of date, unfortunately.”

The attacker needn’t have bothered with that, however. The ASD’s investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.

An important aspect of this incident is that a small company, with resources that were clearly inadequate given the sensitivity of the data they held, still managed to obtain and hold ITAR certification.

According to Clarke, an application for ITAR certification is usually only “two or three pages”, and asks only basic questions about organisations’ security posture.

Source: Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet