Lessons from the cyberattack on India’s largest nuclear power plant – Bulletin of the Atomic Scientists

Indian officials acknowledged on October 30th that a cyberattack occurred at the country’s Kudankulam nuclear power plant. An Indian private cybersecurity researcher had tweeted about the breach three days earlier, prompting Indian authorities to initially deny that it had occurred before admitting that the intrusion had been discovered in early September and that efforts were underway to respond to it.

According to last Monday’s Washington Post, Kudankulam is India’s biggest nuclear power plant, “equipped with two Russian-designed and supplied VVER pressurized water reactors with a capacity of 1,000 megawatts each. Both reactor units feed India’s southern power grid. The plant is adding four more reactor units of the same capacity, making the Kudankulam Nuclear Power Plant one of the largest collaborations between India and Russia.”

While reactor operations at Kudankulam were reportedly unaffected, this incident should serve as yet another wake-up call that the nuclear power industry needs to take cybersecurity more seriously. There are worrying indications that it currently does not: A 2015 report by the British think tank Chatham House found pervasive shortcomings in the nuclear power industry’s approach to cybersecurity, from regulation to training to user behavior. In general, nuclear power plant operators have failed to broaden their cultures of safety and security to include an awareness of cyberthreats. (And by cultures of safety and security, those in the field—such as the Fissile Materials Working Group—refer to a broad, all-embracing approach towards nuclear security, that takes into account the human factor and encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few items. The Hague Communiqué of 2014 listed nuclear security culture as the first of its three pillars of nuclear security, the other two being physical protection and materials accounting.)

This laxness might be understandable if last week’s incident were the first of its kind. Instead, there have been over 20 known cyber incidents at nuclear facilities since 1990.

Source: Lessons from the cyberattack on India’s largest nuclear power plant – Bulletin of the Atomic Scientists

Intel’s Trusted Platform Module can’t be trusted: TPM-FAIL

Trusted Platform Module (TPM) serves as a root of trust for the operating system. TPM is supposed to protect our security keys from malicious adversaries like malware and rootkits.

Most laptop and desktop computers nowadays come with a dedicated TPM chip, or they use the Intel firmware-based TPM (fTPM) which runs on a separate microprocessor inside the CPU. Intel CPUs support fTPM since the Haswell generation (2013). TPM chips are also used in other computing devices such as cellphones and embedded devices.

We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.

[…]

There is a high chance that you are affected. This depends on whether any of your computing devices (laptop, tablet, desktop, etc.) use Intel fTPM or STMicroelectronics TPM chips.

Source: TPM-FAIL Attack

Your Apple Mac Makes Plain-Text Copies of Your Encrypted Emails. Here’s how to stop it.

IT guru Bob Gendler took to Medium last week to share a startling discovery about Apple Mail. If you have the application configured to send and receive encrypted email—messages that should be unreadable for anyone without the right decryption keys—Apple’s digital assistant goes ahead and stores your emails in plain text on your Mac’s drive.

More frustrating, you can have Siri completely disabled on your Mac, and your messages will still appear within a Mac database known as snippets.db. A process known as suggestd will still comb through your emails and dump them into this plaintext database. This issue, according to Gendler, is present on multiple iterations of macOS, including the most recent Catalina and Mojave builds.

[Screenshot: Bob Gendler]

As Gendler writes:

“I discovered this database and what’s stored there on July 25th and began extensively testing on multiple computers with Apple Mail set up and fully confirming this on July 29th. Later that week, I confirmed this database exists on 10.12 machines up to 10.15 and behaves the same way, storing encrypted messages unencrypted. If you have iCloud enabled and Siri enabled, I know there is some data sent to Apple to help with improving Siri, but I don’t know if that includes information from this database.”

Consider keeping Siri out of your email

While Apple is currently working on a fix for the issues Gendler raised, there are two easy ways you can ensure that your encrypted emails aren’t stored unencrypted on your Mac. First, you can disable Siri Suggestions for Mail within the “Siri” section of System Preferences.

[Screenshot: David Murphy]

Second, you can fire up Terminal and enter this command:

defaults write com.apple.suggestions SiriCanLearnFromAppBlacklist -array com.apple.mail

There’s also a third method you can use—installing a system-level configuration profile—which Gendler details out on his post.

Regardless of which option you pick, you’ll want to delete the snippets.db file, as disabling Siri’s collection capabilities doesn’t automatically remove what’s already been collected (obviously). You’ll be able to find this by pulling up your Mac’s drive (Go > Computer) and doing a quick search for “snippets.db.”

[Screenshot: David Murphy]

Apple also told The Verge that you can also limit which apps are allowed to have Full Disk Access on your Mac—via System Preferences > Security & Privacy > Privacy tab—to ensure that they can’t access your snippets.db file. You can also turn on FileVault, which will prevent your emails from appearing as plaintext within snippets.db.

Source: Prevent Your Mac from Making Plain-Text Copies of Your Encrypted Emails

Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry.

It all kicked off when the US-based manufacturer confirmed that a software update released this month programmed the devices to establish secure connections back to Ubiquiti servers and report information on Wi-Fi router performance and crashes.

Ubiquiti told customers all of the information is being handled securely, and has been cleared to comply with GDPR, Europe’s data privacy rules. Punters are upset they weren’t warned of the change.

“We have started to gather crashes and other critical events strictly for the purpose of improving our products,” the hardware maker said. “Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. The collection of this data does not and should not ever impact performance of devices.”

The assurance was of little consolation to UniFi owners who bristled at the idea of any of their data being collected, particularly without any notification nor permission. In particular, enterprise customers were less than thrilled to learn diagnostic data was being exfiltrated off their network.

“Undisclosed backdooring of my network is completely unacceptable and will result in no longer recommending, using, or selling of Ubiquiti gear,” remarked one netizen using the alias Private_.

“I realize that UBNT is too big to care about the few tens of $K per year that I generate for them, but I want to formally and clearly disclose my privacy policy/EULA, so that we understand each other. This is a stealth network intrusion and I don’t/won’t accept it.”

Source: Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it? • The Register

Oh dear, you really can’t be doing that, Ubiquiti!

Amazon Ring doorbells exposed home Wi-Fi passwords over cleartext

Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected.

Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.

“When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point,” said Bitdefender. “Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network.”

But all of this is carried out over an unencrypted connection, exposing the Wi-Fi password that is sent over the air.

Amazon fixed the vulnerability in all Ring devices in September, but the vulnerability was only disclosed today.

Source: Amazon Ring doorbells exposed home Wi-Fi passwords to hackers | TechCrunch

A network of ‘camgirl’ sites exposed millions of users and sex workers data

A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected.

The sites, run by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across the world, including the United States.

According to Alexa traffic rankings, amateur.tv is one of the most popular in Spain.

The database, containing months’ worth of daily logs of the site activities, was left without a password for weeks. Those logs included detailed records of when users logged in — including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful.

None of the data was encrypted.

The exposed data also revealed which videos users were watching and renting, exposing kinks and private sexual preferences.

In all, the logs were detailed enough to see which users were logging in, from where, and often their email addresses or other identifiable information — which in some cases we could match to real-world identities.

Not only were users affected, the “camgirls” — who broadcast sexual content to viewers — also had some of their account information exposed.

Source: A network of ‘camgirl’ sites exposed millions of users and sex workers | TechCrunch

Use a laser to command voice assistants such as Alexa, Google Assistant, and Siri

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as smart speakers, tablets, and phones across large distances and through glass windows.

The implications of injecting unauthorized voice commands vary in severity based on the type of commands that can be executed through voice. As an example, in our paper we show how an attacker can use light-injected voice commands to unlock the victim’s smart-lock protected home doors, or even locate, unlock and start various vehicles.


Source: Light Commands

Android bug lets hackers plant malware via NFC beaming

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming.

NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth.

Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source.

But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

While the lack of one prompt sounds unimportant, this is a major issue in Android’s security model. Android devices aren’t allowed to install apps from “unknown sources” — as anything installed from outside the official Play Store is considered untrusted and unverified.

Source: Android bug lets hackers plant malware via NFC beaming | ZDNet

Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard

The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection.

The TLS Delegated Credentials extension was specifically developed for large website setups, such as Facebook, or for websites using content delivery networks (CDNs), such as Cloudflare.

How TLS Delegated Credentials work

For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one.

This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires.

The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare’s infrastructure must upload their TLS private key to Cloudflare’s service, which then distributes it to thousands of servers across the world.

The TLS Delegated Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key.

The delegated credentials can live up to seven days and can be rotated automatically once they expire.

TLS Delegated Credentials shortens MitM attack window

The most important security improvement that comes with this new TLS extension is that if — in the worst-case scenarios — an attacker does manage to hack a server, the stolen private key (actually a delegated credential) won’t work for more than a few days, rather than weeks, months, or even a year, as it does now.
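To make the mechanism concrete, here is an added Go example; it is not code from the IETF draft or from Facebook, Mozilla or Cloudflare. It models a delegated credential as the certificate key’s signature over a fresh short-lived public key and an expiry, caps the lifetime at seven days on both the issuing and the verifying side, and shows that a credential stolen from an edge server stops verifying once it expires. The structure is simplified from the draft (which ties validity to the certificate’s notBefore and also signs the certificate and the signature algorithm); the type and field names and the 8-byte timestamp encoding are this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// MaxValidity is the seven-day cap on a delegated credential's lifetime.
const MaxValidity = 7 * 24 * time.Hour

// contextLabel mirrors the label the draft prepends to the signed content.
const contextLabel = "TLS, server delegated credentials"

// DelegatedCredential is a simplified model (field names are this example's own):
// an absolute expiry, the short-lived key's DER SubjectPublicKeyInfo, and the
// certificate key's signature over both.
type DelegatedCredential struct {
	ValidUntil time.Time
	PublicKey  []byte
	Signature  []byte
}

// signedContent builds the bytes the certificate key signs: 64 spaces, the
// context label, a zero byte, the expiry as 8-byte big-endian Unix seconds
// (this example's encoding), then the delegated public key.
func signedContent(validUntil time.Time, pubDER []byte) []byte {
	buf := make([]byte, 64, 64+len(contextLabel)+1+8+len(pubDER))
	for i := range buf {
		buf[i] = 0x20
	}
	buf = append(buf, contextLabel...)
	buf = append(buf, 0x00)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(validUntil.Unix()))
	buf = append(buf, ts[:]...)
	buf = append(buf, pubDER...)
	return buf
}

// IssueDelegatedCredential runs where the certificate's private key lives: it
// mints a fresh P-256 key pair and signs its public half plus an expiry with
// the certificate key. Only the returned short-lived private key goes to the
// edge servers; the certificate key never leaves the issuer.
func IssueDelegatedCredential(certKey *ecdsa.PrivateKey, lifetime time.Duration, now time.Time) (*DelegatedCredential, *ecdsa.PrivateKey, error) {
	if lifetime <= 0 || lifetime > MaxValidity {
		return nil, nil, errors.New("lifetime must be positive and at most seven days")
	}
	dcKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&dcKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	validUntil := now.Add(lifetime)
	digest := sha256.Sum256(signedContent(validUntil, pubDER))
	sig, err := ecdsa.SignASN1(rand.Reader, certKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return &DelegatedCredential{ValidUntil: validUntil, PublicKey: pubDER, Signature: sig}, dcKey, nil
}

// VerifyDelegatedCredential is the client-side check: the credential must be
// unexpired, must not claim more than seven days of validity, and must carry a
// valid signature from the public key in the site's certificate.
func VerifyDelegatedCredential(dc *DelegatedCredential, certPub *ecdsa.PublicKey, now time.Time) error {
	if !now.Before(dc.ValidUntil) {
		return errors.New("delegated credential has expired")
	}
	if dc.ValidUntil.Sub(now) > MaxValidity {
		return errors.New("delegated credential claims more than seven days of validity")
	}
	digest := sha256.Sum256(signedContent(dc.ValidUntil, dc.PublicKey))
	if !ecdsa.VerifyASN1(certPub, digest[:], dc.Signature) {
		return errors.New("signature does not verify under the certificate key")
	}
	return nil
}

func main() {
	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	dc, _, err := IssueDelegatedCredential(certKey, 3*24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh credential:", VerifyDelegatedCredential(dc, &certKey.PublicKey, now))
	fmt.Println("same credential 4 days later:", VerifyDelegatedCredential(dc, &certKey.PublicKey, now.Add(4*24*time.Hour)))
	_, _, err = IssueDelegatedCredential(certKey, 30*24*time.Hour, now)
	fmt.Println("30-day issue request:", err)
}
```

The design point is the split of trust: the certificate key signs once per rotation and stays off the edge, while each edge server holds only a key the client will refuse to accept after at most seven days, which is exactly the shortened window the article describes.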

You can read more in-depth technical explanations about the new TLS Delegated Credentials extensions on the Facebook, Mozilla, and Cloudflare blogs.

The IETF draft specification is available here. TLS Delegated Credentials will be compatible with the TLS protocol v1.3 and later.

Source: Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard | ZDNet

NordVPN users’ passwords exposed in mass credential-stuffing attacks

As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts.

In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, plain-text passwords, and expiration dates associated with NordVPN user accounts.

I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people.

Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained.


While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.

Without exception, all of the plain-text passwords are weak. In some cases, they’re the string of characters to the left of the @ sign in the email address. In other cases, they’re words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That’s the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.
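As an added Go example, not part of the Ars article, the following applies the three traits the article lists (password equal to the part of the email left of the @, a dictionary word, a surname with a few digits appended) to a constructed leak list in the email:password shape the article describes, so that someone triaging such a dump can see which entries point to reuse and guessing rather than to a breach of the service itself. The sample lines, the word list and the surname list are all invented stand-ins for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample leak lines in the "email:password" shape the article
// describes; none of these are real accounts.
var SampleLeak = []string{
	"janedoe@example.com:janedoe",
	"m.smith@example.org:sunshine",
	"rjohnson@example.net:Johnson42",
	"kt@example.com:Tr0ub4dor&3-Xq!",
}

// smallDictionary and smallSurnames are tiny stand-ins for real word and
// surname lists (constructed for this example).
var smallDictionary = map[string]bool{"sunshine": true, "password": true, "dragon": true, "welcome": true}
var smallSurnames = map[string]bool{"johnson": true, "smith": true, "garcia": true}

// WeakPasswordReasons returns which of the article's three traits a leaked
// password exhibits; an empty result means none of them matched.
func WeakPasswordReasons(email, password string) []string {
	var reasons []string
	lower := strings.ToLower(password)

	// Trait 1: the password is the local part of the email address.
	if at := strings.Index(email, "@"); at > 0 && lower == strings.ToLower(email[:at]) {
		reasons = append(reasons, "password equals the part of the email address left of the @")
	}
	// Trait 2: the password is a plain dictionary word.
	if smallDictionary[lower] {
		reasons = append(reasons, "password is a dictionary word")
	}
	// Trait 3: a surname, optionally with up to three digits tacked on the end.
	stem := strings.TrimRightFunc(lower, unicode.IsDigit)
	if digits := len(lower) - len(stem); digits <= 3 && smallSurnames[stem] {
		reasons = append(reasons, "password is a surname with up to three digits appended")
	}
	return reasons
}

// TriageLeak parses "email:password" lines and maps each weak entry to the
// reasons it was flagged; entries that trip no heuristic are omitted, and
// malformed lines are skipped.
func TriageLeak(lines []string) map[string][]string {
	flagged := make(map[string][]string)
	for _, line := range lines {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		if r := WeakPasswordReasons(parts[0], parts[1]); len(r) > 0 {
			flagged[parts[0]] = r
		}
	}
	return flagged
}

func main() {
	for email, reasons := range TriageLeak(SampleLeak) {
		fmt.Printf("%s: %s\n", email, strings.Join(reasons, "; "))
	}
}
```

Run over the constructed list, three of the four entries are flagged and the one long mixed-character password is not, which is the pattern the article reports across the whole dump: weak, reused passwords rather than anything that required access to NordVPN’s systems.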

Source: NordVPN users’ passwords exposed in mass credential-stuffing attacks | Ars Technica

xHelper Android Malware Can Survive a Factory Reset

Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is a worrisome fact. While the odds are good that you won’t get hit with this malware, given its low installation rate so far—even though it’s been active since March—you should still know what it does and how to (hopefully) avoid it.

As Malwarebytes describes, xHelper starts by concealing itself as a regular app by spoofing legitimate apps’ package names. Once it’s on your device, you’re either stuck with a “semi-stealth” version, which drops an xHelper icon blatantly in your notifications—but no app or shortcut icons—or a “full-stealth” version, which you’ll only notice if you visit Settings > Apps & notifications > App Info (or whatever the navigation is on your specific Android device) and scroll down to see the installed “xHelper” app.

What does xHelper do?

Thankfully, xHelper isn’t destructive malware in the sense that it’s not recording your passwords, credit card data, or anything else you’re doing on your device and sending it off to some unknown attacker. Instead, it simply spams you with pop-up advertisements on your device and annoying notifications that all try to get you to install more apps from Google Play—presumably how the xHelper’s authors are making cash from the malware.

The dark side, as reported by ZDNet, is that xHelper can allegedly download and install apps on your behalf. It doesn’t appear to be doing so at the moment, but if this were to happen—coupled with the app’s mysterious ability to persist past uninstallations and factory resets—would be a huge backdoor for anyone affected by the malware.

Wait, I can’t uninstall it?

Yep. This is the insidious part of xHelper. Neither Symantec nor Malwarebytes have any good recommendations for getting this malware off your device once it’s installed, as the mechanisms it uses to persist past a full factory reset of your device are unknown.

Source: This New Android Malware Can Survive a Factory Reset

NHS Pagers Are Leaking Sensitive Medical Data – wait, pagers still exist?

Pagers used within the United Kingdom’s National Health Service are leaking sensitive patient information, and an amateur radio enthusiast has been broadcasting some of that medical data on a webcam livestream, a security researcher has found.

TechCrunch reports that Florida-based security researcher Daley Borda stumbled upon the strange confluence of archaic tech that flowed together to create a security nightmare.

Borda regularly scans the internet looking for concerning privacy and security activity. He recently discovered a grainy livestream showing a radio rig in North London that picked up radio waves and converted the transmissions into text that was displayed on a computer screen, according to TechCrunch. The hobbyist had set up a webcam that captured what was on the display, which showed medical emergencies as they were being reported. The webcam reportedly had no password, so anyone could find it and see the messages that showed directions meant for ambulances responding to emergency calls.

“You can see details of calls coming in—their name, address, and injury,” Borda told TechCrunch, which verified his discovery.

The tech news outlet reviewed several concerning messages that showed the location where people were reporting medical emergencies, including one that showed the address where a 49-year-old man was having chest pains and one that showed the address of a 98-year-old man who had fallen.

[…]

A spokesperson for the NHS told Gizmodo that the NHS consists of several different organizations, like hospital trusts and ambulance trusts, and “each organization is responsible for the technology it buys and uses (including pagers).” They pointed Gizmodo to a statement that Health and Social Care Secretary Matt Hancock issued in February instructing the NHS to stop using pagers by 2022. In his statement, he said the NHS uses 130,000 pagers.

Source: NHS Pagers Are Leaking Sensitive Medical Data

Government officials around the globe targeted for hacking through WhatsApp – FB fingers Israeli NSO group

WASHINGTON (Reuters) – Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s (FB.O) WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation.

Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. Many of the nations are U.S. allies, they said.

The hacking of a wider group of top government officials’ smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences.

WhatsApp filed a lawsuit on Tuesday against Israeli hacking tool developer NSO Group. The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users between April 29, 2019, and May 10, 2019.

The total number of WhatsApp users hacked could be even higher. A London-based human rights lawyer, who was among the targets, sent Reuters photographs showing attempts to break into his phone dating back to April 1.

While it is not clear who used the software to hack officials’ phones, NSO has said it sells its spyware exclusively to government customers.

Some victims are in the United States, United Arab Emirates, Bahrain, Mexico, Pakistan and India, said people familiar with the investigation. Reuters could not verify whether the government officials were from those countries or elsewhere.

Some Indian nationals have gone public with allegations they were among the targets over the past couple of days; they include journalists, academics, lawyers and defenders of India’s Dalit community.

NSO said in a statement that it was “not able to disclose who is or is not a client or discuss specific uses of its technology.” Previously it has denied any wrongdoing, saying its products are only meant to help governments catch terrorists and criminals.

Cybersecurity researchers have cast doubt on those claims over the years, saying NSO products were used against a wide range of targets, including protesters in countries under authoritarian rule.

Source: Exclusive: Government officials around the globe targeted for hacking through WhatsApp – sources – Reuters

Open database leaked 179GB in customer, US government, and military records

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers.

On Monday, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group.

Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor’s web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within.

The team says that “thousands” of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number.

Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed.

Data breaches are a common occurrence and can end up compromising information belonging to thousands or millions of us in single cases of a successful cyberattack.

What is more uncommon, however, is that US government and military figures have also been involved in this security incident.

It appears that one of the platforms connected to Autoclerk exposed in the breach is a contractor of the US government that deals with travel arrangements.

vpnMentor was able to view records relating to the travel arrangements of government and military personnel — both past and future — who are connected to the US government, military, and Department of Homeland Security (DHS).

Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.

Source: Open database leaked 179GB in customer, US government, and military records | ZDNet

Mercedes-Benz app glitch exposed car owners’ information to other users

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information.

TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see other car owners’ names, recent activity, phone numbers, and more.

The apparent security lapse happened late-Friday before the app went offline “due to site maintenance” a few hours later.

Source: Mercedes-Benz app glitch exposed car owners’ information to other users | TechCrunch

Japanese hotel chain sorry that hackers may have watched guests through bedside robots

Japanese hotel chain HIS Group has apologised for ignoring warnings that its in-room robots were hackable to allow pervs to remotely view video footage from the devices.

The Henn na Hotel is staffed by robots: guests can be checked in by humanoid or dinosaur reception bots before proceeding to their room.

Facial recognition tech will let customers into their room and then a bedside robot will assist with other requirements. However, several weeks ago a security researcher revealed on Twitter that he had warned HIS Group in July about the bed-bots being easily accessible, noting they sported “unsigned code” allowing a user to tap an NFC tag to the back of the robot’s head and allow access via the streaming app of their choice.

Having heard nothing, the researcher made the hack public on 13 October. The vulnerability allows guests to gain access to cameras and microphones in the robot remotely so they could watch and listen to anyone in the room in the future.

The hotel is one of a chain of 10 in Japan which use a variety of robots instead of meat-based staff.

So far the reference is only to Tapia robots at one hotel, although it is not clear if the rest of the chain uses different devices.

The HIS Group tweeted: “We apologize for any uneasiness caused,” according to the Tokyo Reporter.

The paper was told that the company had decided the risks of unauthorised access were low; however, the robots have now been updated.

The chain has suffered a bunch of other issues with the robots, including problems with voice recognition systems reacting to guests snoring and a failure of the reception dinosaurs to understand guests’ names.

Source: Japanese hotel chain sorry that hackers may have watched guests through bedside robots • The Register

Your Smart Speaker’s Skills Might Be a Huge Privacy Problem

As with browser add-ons, you’re entirely at the mercy of a developer. And should they use their powers for evil, you could be giving up everything you’re saying to your device to some random person.

At least, that’s the scenario presented by Germany’s Security Research Labs (SRLabs), who built a number of dummy Skills (Amazon) and Actions (Google) that passed both companies’ checks and were actually listed for download to your Echo or Google Home devices. The catch? As Ars Technica describes:

“The malicious apps had different names and slightly different ways of working, but they all followed similar flows. A user would say a phrase such as: ‘Hey Alexa, ask My Lucky Horoscope to give me the horoscope for Taurus’ or ‘OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus.’ The eavesdropping apps responded with the requested information while the phishing apps gave a fake error message. Then the apps gave the impression they were no longer running when they, in fact, silently waited for the next phase of the attack.”

The security researchers actually developed two kinds of apps—one for eavesdropping, one for phishing—that both worked similarly. In the former, the app would simply do whatever it is you told it to, but it wouldn’t stop recording your voice; in the latter, the app would pretend to accomplish a task, wait a bit, then give you a fake message that your device was updated and you needed to provide your password for the update to complete. And any password you then provided was shuffled off to the developer’s servers.

Both Amazon and Google have since pulled the offending skills/actions—after being notified of their existence by SRLabs—and are working on extra “mechanisms” and “mitigations” to ensure these kinds of exploits don’t make their way into other skills and actions.

Source: Your Smart Speaker’s Skills Might Be a Huge Privacy Problem

The same common-sense precautions apply here as when adding add-ons to Firefox or installing apps on your smartphone.

The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor

It was recently discovered that the Samsung Galaxy S10 and S10+ have a major security flaw that makes it easy to bypass their fingerprint locks. On a scale of “one” to “not good,” we are definitely towards the right on this one.

To be fair, fingerprint sensors and other biometric security features aren’t ironclad; hackers can successfully get around these kinds of security measures, albeit with a fair amount of work. However, the Galaxy S10’s fingerprint sensor can be fooled with the simple addition of a screen protector or phone case made of silicone, tempered glass, or plastic. The interference from the protective material is apparently enough to confuse the sensor so anyone’s finger tap can unlock the phone. (Ugh.)

Source: The Samsung Galaxy S10’s Fingerprint Lock Isn’t Very Safe Anymore

Germany’s cyber-security agency recommends Firefox as most secure browser

Firefox is the only browser that received top marks in a recent audit carried out by Germany’s cyber-security agency — the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI).

The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi.

The audit was carried out using rules detailed in a guideline for “modern secure browsers” that the BSI published last month, in September 2019.

The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use.

The German cyber-security agency published a first secure browser guideline in 2017, but reviewed and updated the specification over the summer.

The BSI updated its guide to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms.

Source: Germany’s cyber-security agency recommends Firefox as most secure browser | ZDNet

White-hat hacks Muhstik ransomware gang and releases decryption keys

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.

This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3].

This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users’ files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file’s new “.muhstik” file extension.

Annoyed software dev hacks back

One of the gang’s victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.

However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks’ database from their server.

“I know it was not legal from me,” the researcher wrote in a text file he published online on Pastebin earlier today, containing 2,858 decryption keys.

“I’m not the bad guy here,” Frömel added.

Free decryption method now available

Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

Source: White-hat hacks Muhstik ransomware gang and releases decryption keys | ZDNet

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users.

The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security protections on their accounts.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

Twitter assures users that no “personal” information was shared, though we’re not sure what Twitter would consider “personal information” if your phone number and email address do not meet the bar.

Source: Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash • The Register

FBI warns about attacks that bypass multi-factor authentication (MFA)

Basically SIM swapping, man-in-the-middle attacks and poor URL protections.

FBI warns about SIM swapping and tools like Muraena and NecroBrowser.

“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.

Past incidents of MFA bypasses

While nowadays there are multiple ways of bypassing MFA protections, the FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraena and NecroBrowser.

To get the point across, the FBI listed recent incidents where hackers had used these techniques to bypass MFA and steal money from companies and regular users alike. We cite from the report:

  • In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
  • Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
  • In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
  • In February 2019 a cyber security expert at the RSA Conference in San Francisco demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
  • At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools – Muraena and NecroBrowser – which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.

MFA is still effective

The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Source: FBI warns about attacks that bypass multi-factor authentication (MFA) | ZDNet
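The third incident in the FBI list (a manipulated URL string marking the browser as a recognized device) comes down to letting client-controlled input make a security decision. The following is an added example, not code from the FBI notice or ZDNet: it puts that vulnerable pattern beside a server-issued, HMAC-bound device token that the login flow consults instead. The function names, the `trusted_device` parameter, the token layout and the 30-day lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed for the example; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_TOKEN_TTL = 30 * 24 * 3600  # assumption: a device stays recognized for 30 days

def vulnerable_is_trusted(query_string: str) -> bool:
    """Vulnerable pattern: a client-controlled URL parameter decides whether the device
    is 'recognized', so editing the query string skips the PIN/security-question step."""
    params = parse_qs(query_string)
    return params.get("trusted_device", ["0"])[0] == "1"

def issue_device_token(user_id: str, device_id: str, now: Optional[int] = None) -> str:
    """Issued server-side only after the second factor succeeded. The HMAC binds user,
    device and expiry together, so the client cannot mint or alter the token."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{device_id}|{now + DEVICE_TOKEN_TTL}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def hardened_is_trusted(token: str, user_id: str, device_id: str,
                        now: Optional[int] = None) -> bool:
    """Trust the device only if the token is intact, belongs to this user and device,
    and has not expired. Anything else falls through to the second factor."""
    now = int(time.time()) if now is None else now
    try:
        t_user, t_dev, t_exp, t_mac = token.split("|")
        exp = int(t_exp)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_KEY, f"{t_user}|{t_dev}|{t_exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, t_mac):  # constant-time comparison
        return False
    return t_user == user_id and t_dev == device_id and now < exp

def second_factor_required(token: str, user_id: str, device_id: str,
                           now: Optional[int] = None) -> bool:
    """Login flow decision point: skip the PIN/security question only for a trusted device."""
    return not hardened_is_trusted(token, user_id, device_id, now)
```

The same principle applies to any "remember this device" or "skip second factor" state: it must be something the server issued and can verify, never a flag the browser sends.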

Attackers exploit 0-day vulnerability that gives full control of Android phones

Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. NSO representatives, meanwhile, said the “exploit has nothing to do with NSO.” Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

[…]

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.

[…]

Project Zero gives developers 90 days to issue a fix before publishing vulnerability reports except in cases of active exploits. The Android vulnerability in this case was published seven days after it was privately reported to the Android team.

Source: Attackers exploit 0-day vulnerability that gives full control of Android phones | Ars Technica

The exploit has been seen being used in the wild, which is why it was disclosed after 7 days.

Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realise this gives criminals access too?

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.

The accord, which is set to be signed by next month, will compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia, the person said.

Priti Patel, the U.K.’s home secretary, has previously warned that Facebook’s plan to enable users to send end-to-end encrypted messages would benefit criminals, and called on social media firms to develop “back doors” to give intelligence agencies access to their messaging platforms.

The U.K. and the U.S. have agreed not to investigate each other’s citizens as part of the deal, while the U.S. won’t be able to use information obtained from British firms in any cases carrying the death penalty.

Source: Facebook, WhatsApp Will Have to Share Messages With U.K. Police – BNN Bloomberg

Not being able to encrypt stuff ends up benefiting criminals just as much as it does the police, because they will also be able to access the poorly secured information.

Several months after the fact, and after public reporting, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month.

Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.

The email, addressed to “Dear Valued Customer”, says that the incident happened “on or about February 19”. But fear not: “We have been diligently investigating this incident with the assistance of outside experts.”

The email claims that CafePress “recently discovered” the security hole. But in early August, the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums.

Security researcher Jim Scott told The Register at the time: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1.” The hack was originally spotted by Troy Hunt, operator of the Have I Been Pwned website.

Today’s email says that an unidentified third party accessed a CafePress database and customer data. They may also have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity”.

[…]

The company has not responded to our questions, which include why passwords were not properly encrypted and why it has taken so long to warn customers.

Source: Several months after the fact, CafePress finally acknowledges huge data theft to its customers • The Register
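Half of the leaked records were unsalted SHA-1 hashes encoded in base64, which is deterministic and cheap to compute. This added example (not CafePress code) shows what that means for an operator: an audit over a constructed user table reveals accounts that share a password, and a login path that verifies legacy records and re-hashes them with salted PBKDF2 on the next successful login retires the weak scheme without a mass reset. Function names, the record format and the iteration count are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List

PBKDF2_ITERATIONS = 200_000  # assumption; raise it to what your hardware tolerates
MODERN_PREFIX = "pbkdf2_sha256$"

def legacy_hash(password: str) -> str:
    """The scheme the story describes: unsalted SHA-1, base64-encoded. Deterministic
    and fast, so equal passwords collide and precomputed tables apply."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def modern_hash(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record layout is an assumption for this example."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return MODERN_PREFIX + "%d$%s$%s" % (
        PBKDF2_ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if stored.startswith(MODERN_PREFIX):
        _, iters, b64salt, b64dk = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(b64salt), int(iters))
        return hmac.compare_digest(base64.b64encode(dk).decode(), b64dk)
    return hmac.compare_digest(stored, legacy_hash(password))

def login_and_upgrade(user_db: Dict[str, str], username: str, password: str) -> bool:
    """Verify against whatever is stored; on success, retire a legacy record by
    re-hashing the just-verified password with the modern scheme."""
    stored = user_db.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith(MODERN_PREFIX):
        user_db[username] = modern_hash(password)
    return True

def accounts_sharing_legacy_hash(user_db: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit: with no salt, equal passwords give equal hashes, so whoever holds the
    table sees which accounts share a password. Returns {hash: users} for groups > 1."""
    groups: Dict[str, List[str]] = {}
    for user, stored in user_db.items():
        if not stored.startswith(MODERN_PREFIX):
            groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

# Constructed sample table: two legacy accounts happen to share a password.
USERS = {
    "alice": legacy_hash("correct horse"),
    "bob": legacy_hash("correct horse"),
    "carol": legacy_hash("battery staple"),
}
```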