Categories
privacy security

That was fast: Thousands of computers now compromised with leaked NSA tools, researchers say – Cyberscoop

NSA develops cyberweapons. Cyberweapons get leaked. Everyone who’s unprotected gets compromised.

Thousands of Microsoft Windows machines worldwide are infected with an NSA-developed backdoor that hackers installed by reusing leaked executable code from an outdated hacking toolkit belonging to the spy agency, multiple security researchers tell CyberScoop. The mysterious Shadow Brokers group published a package of internal NSA documents last week, containing among other things the computer code for a series of exploits, implants and other hacking tools. In the days since the leak first became public, hackers have mulled over the trove and begun reverse-engineering and recycling some of the capabilities, CyberScoop previously reported. One of these hacking tools, a backdoor implant codenamed DOUBLEPULSAR — which is used to run malicious code on an already compromised box — has already been installed on 30,000 to 50,000 hosts, according to Phobos Group founder Dan Tentler. Other researchers have also engineered different detection scripts to quickly scan the internet for infected computers. John Matherly, […]

Source: That was fast: Thousands of computers now compromised with leaked NSA tools, researchers say – Cyberscoop

Categories
privacy security

Dishwasher has directory traversal bug

More IoT fun. Time to hack someone’s dishwasher. Yup, suddenly spying microwaves aren’t that crazy an idea.

Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report that it’s accused of ignoring.

Source: Dishwasher has directory traversal bug

Categories
privacy security

LastPass hit by password stealing and code execution vulnerabilities | ZDNet

Oh dear. A password manager with vulnerabilities. The team’s response is troubling to say the least. Let’s hope they are really more competent than that.

In an eyebrow-raising declaration, according to Ormandy, LastPass had said they couldn’t get his code execution exploit to work; however, the security researcher was calling the Windows Calculator executable in his code, while LastPass was examining the code on a Mac.

Google cyber-sleuth Tavis Ormandy has returned to examining LastPass, and a new lot of vulnerabilities have been discovered.

Source: LastPass hit by password stealing and code execution vulnerabilities | ZDNet

Categories
privacy security

Incident report on memory leak caused by Cloudflare parser bug

This is quite serious. A lot of small (and not so small) websites use Cloudflare for CDN and DDoS protection. The issue reported by Google’s Project Zero team indicates that a bug in Cloudflare’s processing causes potentially sensitive information to be leaked. This is already bad, but it is made worse by caching servers keeping a copy of that information. Someone is compiling a list of notable websites affected. You are advised to change your passwords on those affected websites.

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge

Source: Incident report on memory leak caused by Cloudflare parser bug

Categories
privacy security

Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers

Often your phone is the weakest link to all of your online and sometimes offline identity. Someone wrote a detailed and lengthy advisory on how to protect yourself against such attacks.

The security loophole these hackers are milking can be used against anyone who uses their phone number for security for services as common as Google, iCloud, a plethora of banks, PayPal, Dropbox, Evernote, Facebook, Twitter, and many others. The hackers have infiltrated bank accounts and tried to initiate wire transfers; used credit cards to rack up charges; gotten into Dropbox accounts containing copies of passports, credit cards and tax returns; and extorted victims using incriminating information found in their email accounts.

But the hackings should scare anyone with a mobile phone, an email account or an online bank account.

Source: Hackers Have Stolen Millions Of Dollars In Bitcoin — Using Only Phone Numbers

Categories
privacy

Vizio tracked and sold your TV viewing habits without consent (updated)

The tl;dr version: Smart TV spies on your viewing habits. Well, the incentive for doing this is too great. Such detailed viewing habits can be a minefield for advertisers and marketing companies. Vizio was caught by the FTC because it was too brazen. Others may follow.

According to the original complaint filed by the FTC and New Jersey AG, the company worked with a third party to build smart TVs that could capture “second-by-second” viewing information about what’s on the screen. That includes details on content from cable, internet, set-top boxes, DVD players, over-the-air broadcasts and other streaming devices.

Source: Vizio tracked and sold your TV viewing habits without consent (updated)

Categories
privacy security

Hotel ransomed by hackers as guests locked in rooms

The tide of ransomware is gaining momentum. We will definitely see a lot more high-profile cases of ransomware in 2017. As the cyber-physical barrier becomes more fluid, so too will cyberattacks.

One of Europe’s top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests in or out of their rooms until the money was paid.

Source: Hotel ransomed by hackers as guests locked in rooms

Categories
privacy security

Eyes Above The Waves: Disable Your Antivirus Software (Except Microsoft’s)

Hear, hear. I’ve always regarded AV software by the usual suspects as bloatware and it’s always the first thing I uninstall on new machines that came with it. It’s ironic how the public – and shockingly some IT professionals – gives AV vendors a free pass just because they market themselves as a panacea to the malware out there.

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google’s Project Zero. These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

Source: Eyes Above The Waves: Disable Your Antivirus Software (Except Microsoft’s)

Categories
privacy security

Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

Phishing attacks are getting more creative, relying on moments of weakness in human perception. The tried-and-tested phishing method normally includes the domain name of the target site as part of the URL (e.g. paypal.com-privacyprotection.com) and hopes that the user doesn’t notice the actual domain (com-privacyprotection.com). This method takes it to another level because you will see the actual URL of the target site.

A new phishing technique that affects GMail and other services and how to protect yourself.

Source: Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited
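An added defender-side check for the lookalike-domain trick described above (example code written for this note, not from the original post or the linked article): it extracts the host a browser would actually connect to and accepts it only when that host is the expected domain or a subdomain of it on a label boundary. The sample links are constructed.

```python
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would connect to for this URL.

    urlsplit() strips any userinfo and port, so a link such as
    https://paypal.com@com-privacyprotection.com/ resolves to
    'com-privacyprotection.com', not 'paypal.com'.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # None when the URL has no network location
    return host.rstrip(".") if host else ""


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host equals expected_domain or is a subdomain of it.

    The comparison is made on a dot boundary, so
    'paypal.com-privacyprotection.com' is rejected even though it
    contains the substring 'paypal.com'.
    """
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify(url: str, expected_domain: str) -> str:
    """Label a link as 'ok', 'suspicious' or 'no-host' (not a network URL)."""
    host = hostname_of(url)
    if not host:
        return "no-host"
    return "ok" if host_belongs_to(host, expected_domain) else "suspicious"


# Constructed sample links, including the lookalike domain from the post.
SAMPLES = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.com-privacyprotection.com/login", "paypal.com"),
    ("https://paypal.com@com-privacyprotection.com/login", "paypal.com"),
    ("https://accounts.google.com/ServiceLogin", "google.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{classify(url, expected):>10}  {url}")
```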

Categories
privacy security

Ransomware Spreading Onto Smart TVs, Is A Pain To Fix

Oh yes. Smart TVs. We should really be looking at them as computers with a large screen – which happen to be running Android OS most of the time. Needless to say, malware/ransomware that “works” on existing Android devices will seamlessly work on the Smart TV.

Streaming TV has been a boon for consumers. Programming is everywhere, right at our fingertips, as soon as we get our screens online. But that connectivity comes with a big…

Source: Ransomware Spreading Onto Smart TVs, Is A Pain To Fix