Paramount group acquires 4 French dual-seat Mirage F-1 fighters for aggressor training

Paramount Aerospace Systems has been in negotiation with the French Government to acquire four Dual-Seater Mirage F1s. These aircraft are compatible with the existing fleet of Mirage F1 aircraft that was acquired by Paramount group from the South African Government.

The Company has extensive capability on this aircraft type with full airframe and engine overhaul capability, as well as the ability to upgrade, modernise avionics and mission systems.

Brian Greyling, CEO of Paramount Aerospace Systems said: “One of the most important trends in today’s military aviation market is the increasing utilisation of legacy aircraft for adversary training by air forces. The new acquisition of the Mirage F1 aircraft will inject additional ‘top gun’ capability into Paramount Group’s advanced pilot training programmes. Paramount Aerospace Systems is now recognised as the only privately-owned aerospace company in the world that is capable of offering military type aircraft training from ab initio to supersonic fighter capability.”

Paramount group

Disqus discovers its comments tool was hacked in 2012. 17.5m accounts involved, 2/3rds without passwords.

Disqus has confirmed its web commenting system was hacked.

The company, which builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012.

About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers. The data also contained sign-up dates and the date of the last login.

Some of the exposed user information dates back to 2007.

Many of the accounts don’t have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google.

The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach.

The company said in a blog post, posted less than a day after Hunt’s private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach.

Users whose passwords were exposed will have their passwords force-reset.

The company warned users who have used their Disqus password on other sites to change the password on those accounts.

Source: Disqus reveals its comments tool was hacked

These guys obviously have a well thought out CERT in place. Unlike many others.

Dutch defence minister and top general step down for munition problem out of their control. How is this taking responsibility?

Due to an accident caused by a mortar exploding within the launch tube, both the Dutch minister of Defence, Jeanine Hennis-Plasschaert, and the commander of the armed forces, Tom Middendorp, have fallen on their swords.

The incident involved the sloppy purchasing of a mortar grenade in 2006 (expedited for the Afghan war), which led to it being used in an unsafe manner. Report here

Both people stepping down were obviously nowhere near this purchase in 2006. It was also not their fault that the Ministry of Defence has been woefully underfunded for years. However, political responsibility requires that they step down? I don’t really understand this.

The fact is that in a cabinet with jokers, the minister was doing a good job and the only minister in the NL who understands fully the necessity of broad co-operation – not only with NATO – but within the EU. Tom Middendorp is respected by his coalition partners. The Netherlands is losing two good people for political expediency. It’s a waste.

BLE is weak and can be used to map and hack sex toys, hearing aids. The rise of screwdriving

Using your favourite BLE sniffing hardware (we used a Bluefruit but an Ubertooth is just as great) you can visualise the BLE packets in Wireshark.

In this case we can see the app has caused the Hush to start vibrating when the handle 0x000e has “Vibrate:5” written to it.
We can also start to replay commands from within Kali, so no smartphone app is required.
BLE devices also advertise themselves for discovery, which anyone can find, in this case the Hush calls itself LVS-Z001 – this is the same across all Hush devices we’ve looked at, so it’s like a unique fingerprint.
Note that there is no PIN or password protection, or the PIN is static and generic (0000 / 1234 etc) on these devices. This isn’t a problem just with the Hush, we’ve found the same problem in the following:

Kiiroo Fleshlight
Lelo
Lovense Nora and Max

In fact, we’ve found this issue in every Bluetooth adult toy we’ve looked at!

The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN. Where do you put a UI on a butt plug, after all?

The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication.

[…]
It’s important at this point to say that we’ve not set out to kink-shame anyone for their use of these devices: adult toys appeal to a huge spectrum of people and their ubiquity allows people to enjoy a sex-positive life, however we think that these same people should be able to use them without fear of compromise or injury. Talking about these issues will hopefully lead the industry to improve the security of its toys.

Having an adult toy unexpectedly start vibrating could cause a great deal of embarrassment.
[…]
I managed to find them [hearing aids] broadcasting whilst we were having lunch one day. They have BLE in them to allow you to play back music, but also control and adjust their settings (like if you’re in a noisy restaurant or a concert hall). These things cost £3500 and need to be programmed by an audiologist so not only could an attacker damage or deprive someone of their hearing, but it’s going to cost them to get it fixed.

Azure fell over for 7 hours in Europe because someone accidentally set off the fire extinguishers

During a routine periodic fire suppression system maintenance, an unexpected release of inert fire suppression agent occurred. When suppression was triggered, it initiated the automatic shutdown of Air Handler Units (AHU) as designed for containment and safety. While conditions in the data center were being reaffirmed and AHUs were being restarted, the ambient temperature in isolated areas of the impacted suppression zone rose above normal operational parameters. Some systems in the impacted zone performed auto shutdowns or reboots triggered by internal thermal health monitoring to prevent overheating of those systems.
[…]
However, some of the overheated servers and storage systems “did not shutdown in a controlled manner,” and it took a while to bring them back online.

As a result, virtual machines were axed to avoid any data corruption by keeping them alive. Azure Backup vaults were not available, and this caused backup and restore operation failures. Azure Site Recovery lost failover ability and HDInsight, Azure Scheduler and Functions dropped jobs as their storage systems went offline.

Azure Monitor and Data Factory showed serious latency and errors in pipelines, Azure Stream Analytics jobs stopped processing input and producing output, albeit only for a few minutes, and Azure Media Services saw failures and latency issues for streaming requests, uploads, and encoding.

Source: Azure fell over for 7 hours in Europe because someone accidentally set off the fire extinguishers

ouch cloud!

Many Protostellar and cometary detections of organohalogens: probably not alien in origin.

Organohalogens, a class of molecules that contain at least one halogen atom bonded to carbon, are abundant on the Earth where they are mainly produced through industrial and biological processes[1]. Consequently, they have been proposed as biomarkers in the search for life on exoplanets[2]. Simple halogen hydrides have been detected in interstellar sources and in comets, but the presence and possible incorporation of more complex halogen-containing molecules such as organohalogens into planet-forming regions is uncertain[3,4]. Here we report the interstellar detection of two isotopologues of the organohalogen CH3Cl and put some constraints on CH3F in the gas surrounding the low-mass protostar IRAS 16293–2422, using the Atacama Large Millimeter/submillimeter Array (ALMA). We also find CH3Cl in the coma of comet 67P/Churyumov–Gerasimenko (67P/C-G) by using the Rosetta Orbiter Spectrometer for Ion and Neutral Analysis (ROSINA) instrument. The detections reveal an efficient pre-planetary formation pathway of organohalogens. Cometary impacts may deliver these species to young planets and should thus be included as a potential abiotical production source when interpreting future organohalogen detections in atmospheres of rocky planets.

Organohalogens are well known for their use in industry and for their detrimental effect on the ozone layer[1]. Some organohalogens are also produced naturally[5], through different geological and biological processes. Because of their relationship to biology and industry on Earth, organohalogens have been proposed as biomarkers on other planets[2,6,7]. Methyl chloride (CH3Cl), the most abundant organohalogen in the Earth’s atmosphere, has both natural and synthetic production pathways. Its total production rate approaches 3 megatonnes per year, with most originating from biological processes[8]. Recent observations of Cl-bearing organic molecules, including methyl chloride, on Mars by the rover Curiosity, have challenged a straightforward connection between organohalides and biology; one proposed source of Cl-bearing organic molecules on Mars is meteoritic impacts[9,10]. This naturally raises the question of whether circumstellar and interstellar environments can produce organohalogens abiotically, and, if so, in what amounts

Source: Protostellar and cometary detections of organohalogens

It turns out that these compounds are fairly common in space and so probably don’t mean they come from alien beings, as previously thought.

Equifax breach: 2.5m US citizens larger than thought. A timeline.

Equifax said late Monday that an outside review determined about 2.5 million additional U.S. consumers were potentially impacted, for a revised total of 145.5 million.

The company said the review also found that just 8,000 Canadian citizens were impacted, rather than up to 100,000 Canadians, as previously announced.

Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9, Smith said in the testimony, but it was not patched.

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.

As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said “between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.”

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

Source: Equifax failed to patch security vulnerability in March: former CEO

Amateur Radio Hams get Satellite from the US to run BBS on

FalconSAT-3 was built in 2005 and 2006 by cadets and faculty in the Space Systems Research Center at the US Air Force Academy in Colorado Springs, CO.

In amateur service the downlink is at 435.103 MHz transmitting 1W into a ¼ whip that extends from a corner of the satellite near the Lightband separation ring. The uplink is at 145.840 MHz and the receive antenna is a ¼ whip on the opposite side of the satellite near the S-band antennas. All UHF and S-band equipment on NTIA licensed frequencies has been disabled. The ARS VHF receiver is very sensitive. Modulation is 9600 bps GMSK for the uplink and downlink. The broadcast callsign is PFS3-11, and the BBS callsign is PFS3-12, Unproto APRS via PFS3-1.

The core avionics were designed and built by Mark, N4TPY, and Dino, KC4YMG, at SpaceQuest and have performed remarkably well for 10 years on orbit. Jim, WD0E, was the lead engineer for FalconSAT-3 at the AFA and managed the design, construction, testing and early operations of the satellite. Inquiries about current operations should be directed to AMSAT VP Operations Drew Glasbrenner, KO4MA (ko4ma@amsat.org).

Amsat Falconsat 3 page

Kalashnikov Unveils Flying ‘Hovercycle’

A Russian defense manufacturer named after the inventor of the AK-47 showed off its “flying car” to company officials and the Internet. The “car,” which has sixteen sets of rotors, could have military applications down the road including scouting, communications, and other tasks.

The unnamed vehicle was demonstrated Monday by officials at Kalashnikov Concern, part of the Russian defense giant Rostec and named after AK-47 designer M.T. Kalashnikov. The company develops and manufactures a wide variety of military small arms, from modernized versions of the AK-47 in service with the Russian military today to sniper rifles and guided artillery rounds.
[…]
The new vehicle, dubbed a “flying car” by the Russian media, has eight pairs of rotors that provide lift. The vehicle has a skeletal metal frame and is controlled by a pair of joysticks.

A video released by Kalashnikov shows there is surprisingly little to the “car”—there is no gasoline or diesel engine. Two banks of what appear to be batteries are located under the rider and likely provide electricity to the eight pairs of rotors. A shell or chassis is shown superimposed over the vehicle at the end.

Source: Kalashnikov Unveils Flying ‘Hovercycle’

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Yes, that’s Gartner’s security consultancy of the year
[…]
On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.
[…]
On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. And likely the best practices Deloitte recommends to its clients, ironically.

“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”

For example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation. Other cases show IT departments using outdated software, and numerous other security failings.

Source: Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Ouch

Broadcom SoCs allow remote code execution in many Wi-Fi equipped phones, routers

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
[…]
However, since the “Channel Number” field is not validated, an attacker can arbitrarily provide a large value. While the maximal allowed channel number is 0xE0, by providing a larger value (such as 0xFF), the function above will increment a 16-bit word beyond the bounds of the heap-allocated buffer, thereby performing an OOB write. Note that the same insufficient validation is also present in the internal function 0xAC07C.

I’ve been able to verify that this code path exists on various different firmware versions, including those present on the iPhone 7 and Galaxy S7 Edge.

Broadcom: OOB write when handling 802.11k Neighbor Report Response

comes with iPhone PoC
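As an added illustration of the bug class the Project Zero excerpt above describes (constructed example code written for this page, not Broadcom’s firmware and not the report’s PoC): a heap-allocated table of 16-bit counters is indexed by the Channel Number byte of an 802.11k Neighbor Report element, once without validation and once with the bounds check the report says is missing. The 0xE0 limit and the 0xFF trigger value come from the excerpt; the table layout, the guard region behind it, the element bytes and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern described in the bug report: the
 * "Channel Number" byte of a Neighbor Report element is used as an index
 * into a heap-allocated table of 16-bit counters. The 0xE0 limit is the
 * one quoted on the page; the table, the guard region and the function
 * names are assumptions for this example, not Broadcom firmware code. */

#define MAX_CHANNEL      0xE0               /* highest channel number the page says is allowed */
#define TABLE_ENTRIES    (MAX_CHANNEL + 1)  /* one 16-bit counter per channel 0..0xE0 */
#define GUARD_ENTRIES    0x20               /* stand-in for whatever the heap places after the table */
#define NR_ELEMENT_ID    52                 /* Neighbor Report element ID (IEEE 802.11k) */
#define NR_BODY_LEN      13                 /* BSSID(6) BSSID Info(4) OpClass(1) Channel(1) PHY Type(1) */
#define NR_CHANNEL_OFF   13                 /* ID(1) Len(1) + 6 + 4 + 1 -> Channel Number byte */

/* Allocate the counter table with a zeroed guard region directly behind it, so an
 * out-of-bounds increment stays inside the allocation and can be observed safely. */
uint16_t *new_table(void) {
    return calloc(TABLE_ENTRIES + GUARD_ENTRIES, sizeof(uint16_t));
}

/* Count guard slots that changed: anything non-zero means the table was overrun. */
size_t guard_modified(const uint16_t *buf) {
    size_t n = 0;
    for (size_t i = TABLE_ENTRIES; i < TABLE_ENTRIES + GUARD_ENTRIES; i++)
        if (buf[i] != 0) n++;
    return n;
}

/* Framing check shared by both versions: element ID and minimum length. */
static int nr_element_ok(const uint8_t *elem, size_t len) {
    return len >= 2 + NR_BODY_LEN && elem[0] == NR_ELEMENT_ID && elem[1] >= NR_BODY_LEN;
}

/* Vulnerable pattern: the channel byte is trusted as an index. A value such as
 * 0xFF increments a 16-bit word past the end of the counter table (OOB write). */
int vuln_count_channel(uint16_t *buf, const uint8_t *elem, size_t len) {
    if (!nr_element_ok(elem, len)) return -1;
    uint8_t channel = elem[NR_CHANNEL_OFF];
    buf[channel]++;                        /* no range check on channel */
    return channel;
}

/* Hardened version: reject any channel number beyond the table before indexing. */
int safe_count_channel(uint16_t *buf, const uint8_t *elem, size_t len) {
    if (!nr_element_ok(elem, len)) return -1;
    uint8_t channel = elem[NR_CHANNEL_OFF];
    if (channel > MAX_CHANNEL) return -1;  /* drop the element instead of indexing with it */
    buf[channel]++;
    return channel;
}

int main(void) {
    /* Constructed Neighbor Report element carrying channel number 0xFF. */
    uint8_t elem[2 + NR_BODY_LEN] = {
        NR_ELEMENT_ID, NR_BODY_LEN,
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* BSSID (made up) */
        0x00, 0x00, 0x00, 0x00,              /* BSSID Information */
        0x51,                                /* Operating Class */
        0xFF,                                /* Channel Number: larger than MAX_CHANNEL */
        0x07                                 /* PHY Type */
    };
    uint16_t *buf = new_table();
    vuln_count_channel(buf, elem, sizeof elem);
    printf("vulnerable: guard slots modified = %zu\n", guard_modified(buf));
    free(buf);

    buf = new_table();
    int rc = safe_count_channel(buf, elem, sizeof elem);
    printf("hardened: return %d, guard slots modified = %zu\n", rc, guard_modified(buf));
    free(buf);
    return 0;
}
```

The guard region is what makes the defect testable without corrupting real heap metadata: a regression test for the fix should feed an over-range channel number and assert both that the element is rejected and that no slot beyond the table changes, which is exactly what the hardened function guarantees and the original pattern does not.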

Artificial intelligence just made guessing your password a whole lot easier

Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles. Yet the researchers say the technology may also be used to beat baddies at their own game.
[…]
The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they’d be at cracking them.

On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Source: Artificial intelligence just made guessing your password a whole lot easier

BlueBorne: Turn off your bluetooth

Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.
[…]
BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.

Source: BlueBorne Information from the Research Team – Armis Labs

Outlook.com looking more like an outage outbreak for Europe

Microsoft’s email services got hit with not one but two bugs today: in addition to an earlier blip with Exchange Online, Microsoft confirmed it is now probing “issues” with “some” Outlook.com users in Europe.

According to downdetector.com, more than a thousand users have reported problems such as trouble receiving messages and logging in to their webmail accounts (Outlook used to be Hotmail and Windows Live Hotmail) since around 9.00am.

The site, which provides a handy map snapshot of partial and total service eclipses, revealed most of the reports are coming from western Europe.

Source: Outlook.com looking more like an outage outbreak for Europe

Clouds!

Introducing: Unity Machine Learning Agents for Tensorflow

Unity Machine Learning Agents

We call our solution Unity Machine Learning Agents (ML-Agents for short), and are happy to be releasing an open beta version of our SDK today! The ML-Agents SDK allows researchers and developers to transform games and simulations created using the Unity Editor into environments where intelligent agents can be trained using Deep Reinforcement Learning, Evolutionary Strategies, or other machine learning methods through a simple to use Python API. We are releasing this beta version of Unity ML-Agents as open-source software, with a set of example projects and baseline algorithms to get you started. As this is an initial beta release, we are actively looking for feedback, and encourage anyone interested to contribute on our GitHub page. For more information on ML-Agents, continue reading below! For more detailed documentation, see our GitHub Wiki.

Source: Introducing: Unity Machine Learning Agents – Unity Blog

Deloitte hit by cyber-attack revealing clients’ secret emails

One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal.
[…]
One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

The account required only a single password and did not have “two-step” verification, sources said.

Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.

Source: Deloitte hit by cyber-attack revealing clients’ secret emails

A Literal Tree Illustration Shows How Languages Are Connected

Did you know that most of the different languages we speak today can actually be placed in only a couple of groups by their origin? This is what illustrator Minna Sundberg has captured in an elegant infographic of a linguistic tree which reveals some fascinating links between different tongues.

Source: This Amazing Tree That Shows How Languages Are Connected Will Change The Way You See Our World

Closed source corporate DRM for money grabbers is forced onto open source web with flimsiest of excuses

The trouble with DRM is that it’s sort of ineffective. It tends to make things inconvenient for people who legitimately bought a song or movie while failing to stop piracy. Some rights holders, like Ubisoft, have come around to the idea that DRM is counterproductive. Steve Jobs famously wrote about the inanity of DRM in 2007. But other rights holders, like Netflix, are doubling down. The prevailing winds at the consortium concluded that DRM is now a fact of life, and so it would be be better to at least make the experience a bit smoother for users. If the consortium didn’t work with companies like Netflix, Berners-Lee wrote in a blog post, those companies would just stop delivering video over the web and force people into their own proprietary apps. The idea that the best stuff on the internet will be hidden behind walls in apps rather than accessible through any browser is the mortal fear for open web lovers; it’s like replacing one library with many stores that each only carry books for one publisher. “It is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient,” Berners-Lee wrote, “and one which makes it a part of the interconnected discourse of humanity.” Mozilla, the nonprofit that makes the browser Firefox, similarly held its nose and cooperated on the EME standard. “It doesn’t strike the correct balance between protecting individual people and protecting digital content,” it said in a blog post. “The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach. We very much want to see a different system. Unfortunately, Mozilla alone cannot change the industry on DRM at this point.”

Source: Corporations Just Quietly Changed How the Web Works – Slashdot

And of course it just turns out that the EU knows that piracy doesn’t hurt sales, but decided to ignore that when designing policy.

It is a big disappointment in Tim Berners-Lee, who has caved in to the money grabbers and has now set a precedent showing that the WWW Consortium is corruptible to anyone with enough money in their pockets.

Fortunately it won’t be long before this is hacked. And another new standard has to be introduced. Given the glacial speed at which the W3C works, this might give us a few years of freedom from DRM.

SVR Tracking leaks info for hundreds of thousands of vehicles. Turns out they have been tracking you even when your car wasn’t stolen.

Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publicly available. The breach has exposed information about their customers and re-seller network and also the physical device that is attached to the cars.

The repository contained over half a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, the exposed database also contained information about where exactly in the car the tracking unit was hidden.

The “SVR” stands for “stolen vehicle records”.
[…]
The software monitors everywhere the car has been back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint every 2 min or create zone notifications. They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?
MacKeeper Security: Auto Tracking Company Leaks Hundreds of Thousands of Records Online

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set up a website for worried customers to check if they had been affected – equifaxsecurity2017.com – rather than setting it up on the equifax.com domain.

As a bit of fun, security researcher Nick Sweeting set up securityequifax2017.com with a familiar look and feel, just like phishers do every day. To make that point the headline on the website was “Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that’s so easily impersonated by phishing sites?”

Turns out he had a point, since the site fooled Equifax itself. Shortly after setting up the site, Equifax’s official Twitter feed started to link to Sweeting’s fake page and in a series of posts dating from September 9 Tim on Equifax’s social media team began tweeting out the wrong URL to customers concerned about their data.

Seriously, Tim?

The tweets (now removed by red-faced Equifax staff) continued until Sept 18 before they were spotted by stanleyspadowski on imgur and @aaronkkruse on Twitter. It’s not known how many people were directed to the site, and it has since been blocked by Google.

Source: Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

CCleaner infection: what happened? Turns out it was targeting companies & had been running for longer than thought

CCleaner v5.33, software that allows you to clean up the cruft that comes with use and with newly installed machines, was infected with Floxif malware, which installed itself on people’s machines together with CCleaner. Floxif is a malware downloader that gathers information about infected systems and sends it back to its Command & Control server.
[…]
The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

Bleeping Computer: CCleaner Compromised to Distribute Malware for Almost a Month

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

Talos Intelligence: CCleaner Command and Control Causes Concern – with more technical details on the source and methodology of the malware

According to Avast, the database where the CCleaner hackers were collecting data from infected hosts ran out of space and was deleted on September 12, meaning information on previous victims is now lost to investigators and the number of computers infected with the second-stage backdoor payloads may be larger than initially believed.

This means there could still be — and there certainly are — more large technology firms that currently have a backdoor on their network.
[…]
The server would store this information into a MariaDB (MySQL fork), and would run a series of filters on each infected host to determine if to send a second-stage payload, a very stealthy backdoor trojan.

Based on analysis from Cisco Talos published yesterday, the C&C server looked for computers on the networks of large tech corporations.

Based on a list recovered by researchers, targeted companies included Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.

The attacker’s database recorded information on all computers infected with the first and second-stage malware. There were 700,000 entries for computers infected with the first-stage malware, and only 20 for the second-stage malware.
[…]
The new information was extracted from the server’s logs and shows that the server was set up just days before attackers embedded their malware to the CCleaner binaries.

Despite the server being up for more than a month, Cisco noted that the database contained information on infections that were active between September 12 and September 16, and nothing more.

Avast says that after a deeper analysis of the logs, they found evidence that the server’s disk storage had been filled, and attackers had to delete the collected data they recorded up to that point (they most likely downloaded it before deleting it).
[…]
What this means is that data for 28 days of infections is now lost. Investigators are now unable to determine if other tech companies now have backdoors on their networks.

This means that any company that has ever deployed CCleaner on its network must now wipe systems clean, just to be sure the second-stage malware is not hidden somewhere on its network.

Bleeping Computer: Info on CCleaner Infections Lost Due To Malware Server Running Out of Disk Space
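The reports quoted above give a defender three usable facts: the first stage only ran on 32-bit systems under an administrator account, the C2 filtered victims by organisation before serving the second stage, and 28 days of the C2 database were lost, so absence from the recovered records clears nobody. The following script, an added example that is not from Bleeping Computer, Talos or Avast, turns those facts into an incident-response triage rule over a constructed endpoint inventory. The CSV column names, host rows and the "example-corp" organisation are assumptions for illustration; the organisation list is the one named in the excerpt.

```python
"""Prioritise hosts for CCleaner second-stage hunting (added example).

The rules come straight from the quoted reports: first stage needs
32-bit + admin + CCleaner present; the C2 target list decides who got
the second stage; and lost C2 logs mean this is a priority order, not
a clearance list.
"""
import csv
import io
from dataclasses import dataclass

# Organisations named as second-stage targets in the quoted Talos /
# Bleeping Computer excerpt (lower-cased for matching).
TARGETED_ORGS = {
    "cisco", "google", "microsoft", "htc", "samsung", "intel", "sony",
    "vmware", "o2", "vodafone", "linksys", "epson", "msi", "akamai",
    "dlink", "oracle", "dyn", "gauselmann", "singtel",
}

# Constructed inventory export; the column names are an assumption.
INVENTORY_CSV = """hostname,org,arch,user_is_admin,ccleaner_installed
ws-01,example-corp,x86,yes,yes
ws-02,example-corp,x64,yes,yes
ws-03,example-corp,x86,no,yes
ws-04,example-corp,x86,yes,no
build-07,vmware,x86,yes,yes
"""


@dataclass
class Host:
    hostname: str
    org: str
    arch: str
    user_is_admin: bool
    ccleaner_installed: bool


def parse_inventory(text):
    """Parse the CSV export into Host records (hypothetical schema)."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        hosts.append(Host(
            hostname=row["hostname"],
            org=row["org"].strip().lower(),
            arch=row["arch"].strip().lower(),
            user_is_admin=row["user_is_admin"].strip().lower() == "yes",
            ccleaner_installed=row["ccleaner_installed"].strip().lower() == "yes",
        ))
    return hosts


def could_run_first_stage(host):
    """The reports say the first stage ran only on 32-bit systems and
    quit unless the user was an administrator."""
    return host.ccleaner_installed and host.arch == "x86" and host.user_is_admin


def priority(host):
    if not could_run_first_stage(host):
        return "low"
    if host.org in TARGETED_ORGS:
        # Matches the list the C2 used to select second-stage victims.
        return "critical"
    # First stage may have run. Because 28 days of C2 records were
    # deleted, not appearing in the recovered database is no clearance.
    return "high"


def triage(text):
    """Return {hostname: priority} for an inventory export."""
    return {h.hostname: priority(h) for h in parse_inventory(text)}


if __name__ == "__main__":
    for name, level in sorted(triage(INVENTORY_CSV).items()):
        print(f"{name:10s} {level}")
```

The output is an ordering for investigation, not a list of hosts that can be skipped: the reports' own recommendation is that anything that ever ran the trojanised build should be rebuilt.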

SEC’s EDGAR database hacked, hackers use data for insider trading.

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.

Source: SEC.gov | SEC Chairman Clayton Issues Statement on Cybersecurity

Attention adults working in the real world: Do not upgrade to iOS 11 if you use Outlook, Exchange

Apple’s latest version of iOS, namely version 11, may struggle or flat-out fail to connect to Microsoft Office and Exchange mailboxes. That’s a rather annoying pain for anyone working in a typical Windows-based work environment.

The Cupertino idiot-tax operation admitted this week that iOS 11 contains a bug that potentially leaves users locked out of Microsoft Office 365, Outlook.com and Exchange inboxes, and that the mobile OS pops up an alert that reads “Cannot Send Mail. The message was rejected by the server.”

“If your email account is hosted by Microsoft on Outlook.com or Office 365, or an Exchange Server 2016 running on Windows Server 2016, you might see this error message when you try to send an email with iOS 11: ‘Cannot Send Mail. The message was rejected by the server’,” the owner of ClarisWorks claimed.

Source: Attention adults working in the real world: Do not upgrade to iOS 11 if you use Outlook, Exchange

Popular GO alternative Android keyboard is spying on millions of Android users

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as “using a prohibited technique to download dangerous executable code.”

Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.

Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.

Source: Security researchers warn that GO Keyboard is spying on millions of Android users
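The article above describes the method at a high level: a per-app traffic view showed the keyboard contacting trackers, sending personal data and fetching executable code. The script below, an added example that is not AdGuard's tooling or the article's, applies those three checks to constructed log lines of the form `<package> <method> <host><path> <content-type>`. The log format, package names, hostnames, tracker list and PII parameter names are all assumptions for illustration.

```python
"""Flag tracker contacts, PII leakage and executable downloads in a
per-app traffic log (added example with a constructed log format)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed block lists; a real deployment would use a maintained feed.
TRACKER_HOSTS = {"tracker.example", "ads.example"}
PII_KEYS = {"imei", "android_id", "email", "contacts"}
EXEC_TYPES = {
    "application/vnd.android.package-archive",
    "application/java-archive",
}
EXEC_EXT = (".apk", ".dex", ".jar")

# Constructed sample log; package and host names are hypothetical.
LOG = """\
com.example.keyboard GET api.example/sync application/json
com.example.keyboard GET tracker.example/collect image/gif
com.example.keyboard GET cdn.example/plugins/update.dex application/octet-stream
com.example.keyboard POST api.example/profile?email=user%40example.com application/json
com.example.notes GET notes.example/list application/json
"""

LINE_RE = re.compile(
    r"^(?P<pkg>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^/\s]+)(?P<path>/\S*)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    return rec


def pii_keys(path):
    """Query-string parameter names that look like personal identifiers."""
    query = urlsplit(path).query
    return sorted(k.lower() for k in parse_qs(query) if k.lower() in PII_KEYS)


def is_executable_download(rec):
    """Executable Android payload by declared type or by file extension,
    since a loader may serve a .dex as application/octet-stream."""
    if rec["ctype"].lower() in EXEC_TYPES:
        return True
    return urlsplit(rec["path"]).path.lower().endswith(EXEC_EXT)


def findings(log):
    """Return (package, category, detail) tuples for every hit."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in TRACKER_HOSTS:
            out.append((rec["pkg"], "tracker", rec["host"]))
        if is_executable_download(rec):
            out.append((rec["pkg"], "executable-download", rec["host"] + rec["path"]))
        keys = pii_keys(rec["path"])
        if keys:
            out.append((rec["pkg"], "pii", ",".join(keys)))
    return out


def summarize(log):
    """Collapse findings into {package: sorted list of categories}."""
    summary = {}
    for pkg, category, _ in findings(log):
        summary.setdefault(pkg, set()).add(category)
    return {pkg: sorted(cats) for pkg, cats in summary.items()}


if __name__ == "__main__":
    for pkg, cats in summarize(LOG).items():
        print(pkg, ", ".join(cats))
```

The extension check matters more than the content-type check in practice: a download delivered as `application/octet-stream` still ends up as loadable code once the app writes it to disk, which is the kind of behaviour the article calls a prohibited technique.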

EU Paid For Report That Said Piracy Isn’t Harmful — And Tried To Hide Findings

According to the blog of Julia Reda, the only Pirate in the EU Parliament, the European Commission in 2014 paid the Dutch consulting firm Ecorys 360,000 euros (about $428,000) to research the effect piracy had on sales of copyrighted content. The final report was finished in May 2015, but was never published because the report concluded that piracy isn’t harmful. The Next Web reports:
The 300-page report seems to suggest that there’s no evidence that supports the idea that piracy has a negative effect on sales of copyrighted content (with some exceptions for recently released blockbusters). The report states: “In general, the results do not show robust statistical evidence of displacement of sales by online copyright infringements. That does not necessarily mean that piracy has no effect but only that the statistical analysis does not prove with sufficient reliability that there is an effect. An exception is the displacement of recent top films. The results show a displacement rate of 40 per cent which means that for every ten recent top films watched illegally, four fewer films are consumed legally.”

On her blog, Julia Reda says that a report like this is fundamental to discussions about copyright policies — where the general assumption is usually that piracy has a negative effect on rightsholders’ revenues. She also criticizes the Commission’s reluctance to publish the report and says it probably wouldn’t have released it for several more years if it wasn’t for the access to documents request she filed in July.
As for why the Commission hadn’t published the report earlier, Reda says: “all available evidence suggests that the Commission actively chose to ignore the study except for the part that suited their agenda: In an academic article published in 2016, two European Commission officials reported a link between lost sales for blockbusters and illegal downloads of those films. They failed to disclose, however, that the study this was based on also looked at music, ebooks and games, where it found no such connection. On the contrary, in the case of video games, the study found the opposite link, indicating a positive influence of illegal game downloads on legal sales. That demonstrates that the study wasn’t forgotten by the Commission altogether…”

Source: EU Paid For Report That Said Piracy Isn’t Harmful — And Tried To Hide Findings – Slashdot
