The Linkielist

Linking ideas with the world

Pentagon’s weapons systems are laughably easy to hack

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today.

The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress.

Congress ordered the GAO report in preparation to approve DOD funding of over $1.66 trillion, so the Pentagon could expand its weapons portfolio with new toys in the coming years.

But according to the new report, GAO testers “playing the role of adversary” found a slew of vulnerabilities of all sort of types affecting these new weapons systems.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” GAO officials said.

The report detailed some of the most eye-catching hacks GAO testers performed during their analysis.

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.

In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.

Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

One test report indicated that the test team was able to guess an administrator password in nine seconds.

For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system.

Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

Source: Pentagon’s new next-gen weapons systems are laughably easy to hack | ZDNet

Who would have thought it – after they decided to use Windows (95) for warships.

World’s largest CCTV maker Xiongmai leaves at least 9 million cameras open to public viewing

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai who was named and shamed by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Source: World’s largest CCTV maker leaves at least 9 million cameras open to public viewing • The Register

Google shutting down Google+ after exposing data of up to 500,000 users and not disclosing breach

A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant said Monday.

Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.

The company didn’t disclose the vulnerability when it fixed it in March because the company didn’t want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision to not disclose the finding, after an internal committee had already decided the plan, the Journal said.

Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google Plus had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.

Source: Google shutting down Google+ after exposing data of up to 500,000 users – CNET

The real story here is that they didn’t disclose.

California bans default passwords on any internet-connected device

In less than two years, anything that can connect to the internet will come with a unique password — that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate.

The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law is clearly aimed at stopping the spread of botnets made up of compromised network devices, such as routers, smart switches or even security cameras and other IoT equipment. Malicious software could often take control of them by trying easy-to-guess or publicly disclosed default login credentials. It’s not entirely clear yet as to how the new regulation will affect legacy industry hardware from the 1980s and 1990s where passwords are either hard-coded or next to impossible to change.

Source: California bans default passwords on any internet-connected device

A simple and very effective start to legislation on IoT

Apple forgot to lock Intel Management Engine in laptops, so get patching

In its ongoing exploration of Intel’s Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.

The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes a side-channel threat to the main processor.

The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.

In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” explain Goryachy and Ermolov. “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn’t available to the public. It’s intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

And because it turns out that device makers may not disable Manufacturing Mode, there’s an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.

At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.

Source: Apple forgot to lock Intel Management Engine in laptops, so get patching • The Register

UK ruling party’s conference app editable by world+dog, blabs members’ digits

Party chairman Brandon Lewis was planning to sell the “interactive” app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error “meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo”.

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.

Source: UK ruling party’s conference app editable by world+dog, blabs members’ digits • The Register

DEFCON hackers’ dossier on US voting machine security is just as grim as feared

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms.

The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.

In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware.

“The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

Criminally easy to hack

Researchers found that many of the systems tested were riddled with basic security blunders committed by their manufacturers, such as using default passwords and neglecting to install locks or tamper-proof seals on casings. These could be exploited by miscreants to do anything from add additional votes to create and stuff the ballot with entirely new candidates. It would require the crooks to get their hands on the machines long enough to meddle with the hardware.

Some electronic ballot boxes use smart cards loaded with Java-written software, which executes once inserted into the computer. Each citizen is given a card, which they slide in the machine when they go to vote. Unfortunately, it is possible to reprogram your card yourself so that when inserted, you can vote multiple times. If the card reader has wireless NFC support, you can hold your NFC smartphone up to the voting machine, and potentially cast a ballot many times over.

“Due to a lack of security mechanisms in the smart card implementation, researchers in the Voting Village demonstrated that it is possible to create a voter activation card, which after activating the election machine to cast a ballot can automatically reset itself and allow a malicious voter to cast a second (or more) unauthorized ballots,” the report read.

“Alternatively, an attacker can use his or her mobile phone to reprogram the smart card wirelessly.”

Source: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

Cisco Video Surveillance Manager Appliance Default Root Password Vulnerability (again)

A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials.

The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: Cisco Video Surveillance Manager Appliance Default Password Vulnerability

Incredible that this is still a thing, especially at Cisco, where it’s happened before.

Windows handwriting recognition on? Then all your typing is stored in plain text on your PC.

If you’re one of the people who own a stylus or touchscreen-capable Windows PC, then there’s a high chance there’s a file on your computer that has slowly collected sensitive data for the past months or even years.

This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.

Source: This Windows file may be secretly hoarding your passwords and emails | ZDNet

Mikrotik routers pwned en masse, send network data to mysterious box

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.

This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data dump of supposed CIA hacking tools.

Since mid-July, Netlab said, attackers have looked to exploit the flaw and enlist routers to do things like force connected machines to mine cryptocurrency, and, in this case, forward their details on traffic packets to a remote server.

“At present, a total of 7,500 MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP traffic is being forwarded to some collecting IP addresses,” the researchers explained.

The infection does not appear to be targeting any specific region, as the hacked devices reside across five different continents with Russia, Brazil, and Indonesia being the most commonly impacted.

The researchers noted that the malware is also resilient to reboots.

Source: Mikrotik routers pwned en masse, send network data to mysterious box • The Register

Mobile spyware maker mSpy leaks 2 million records

mSpy, a commercial spyware solution designed to help you spy on kids and partners, has leaked over 2 million records including software purchases and iCloud usernames and authentication tokens of devices running mSpy. The data appears to have come from an unsecured database that allowed security researchers to pull out millions of records.

“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months,” wrote security researcher Brian Krebs.

Source: Mobile spyware maker leaks 2 million records | TechCrunch

Data center server BMCs are terribly outdated and insecure

BMCs can be used to remotely monitor system temperature, voltage and power consumption, operating system health, and so on, and power cycle the box if it runs into trouble, tweak configurations, and even, depending on the setup, reinstall the OS – all from the comfort of an operations center, as opposed to having to find an errant server in the middle of a data center to physically wrangle. They also provide the foundations for IPMI.

[…]

It’s a situation not unlike Intel’s Active Management Technology, a remote management component that sits under the OS or hypervisor, has total control over a system, and has been exploited more than once over the years.

Waisman and his colleague Matias Soler, a senior security researcher at Immunity, examined these BMC systems, and claimed the results weren’t good. They even tried some old-school hacking techniques from the 1990s against the equipment they could get hold of, and found them to be very successful. With HP’s BMC-based remote management technology iLO4, for example, the built-in web server could be tricked into thinking a remote attacker was local, and so didn’t need to authenticate them.

“We decided to take a look at these devices and what we found was even worse than what we could have imagined,” the pair said. “Vulnerabilities that bring back memories from the 1990s, remote code execution that is 100 per cent reliable, and the possibility of moving bidirectionally between the server and the BMC, making not only an amazing lateral movement angle, but the perfect backdoor too.”

The fear is that once an intruder gets into a data center network, insecure BMC firmware could be used to turn a drama into a crisis: vulnerabilities in the technology could be exploited to hijack more systems, install malware that persists across reboots and reinstalls, or simply hide from administrators.

[…]

The duo probed whatever kit they could get hold of – mainly older equipment – and it could be that modern stuff is a lot better in terms of security with firmware that follows secure coding best practices. On the other hand, what Waisman and Soler have found and documented doesn’t inspire a terrible amount of confidence in newer gear.

Their full findings can be found here, and their slides here.

Source: Can we talk about the little backdoors in data center servers, please? • The Register

It’s either legal to port-scan someone without consent or it’s not, fumes researcher: Halifax bank port scans you when you visit the page

Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged.

Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port scans on visitors without permission is a violation of the UK’s Computer Misuse Act (CMA).

Halifax has disputed this, arguing that the port scans help it pick up evidence of malware infections on customers’ systems. The scans are legal, Halifax told Moore in response to a complaint he made on the topic last month.

When you visit the Halifax login page, even before you’ve logged in, JavaScript on the site, running in the browser, attempts to scan for open ports on your local computer to see if remote desktop or VNC services are running, and looks for some general remote access trojans (RATs) – backdoors, in other words. Crooks are known to abuse these remote services to snoop on victims’ banking sessions.

Moore said he wouldn’t have an issue if Halifax carried out the security checks on people’s computers after they had logged on. It’s the lack of consent and the scanning of any visitor that bothers him. “If they ran the script after you’ve logged in… they’d end up with the same end result, but they wouldn’t be scanning visitors, only customers,” Moore said.

Halifax told Moore: “We have to port scan your machine for security reasons.”

Having failed to either persuade Halifax Bank to change its practices or Action Fraud to act (thus far), Moore last week launched a fundraising effort to privately prosecute Halifax Bank for allegedly breaching the Computer Misuse Act. This crowdfunding effort on GoFundMe aims to gather £15,000 (so far just £50 has been raised).

Halifax Bank’s “unauthorised” port scans are a clear violation of the CMA – and amount to an action that security researchers are frequently criticised and/or convicted for, Moore argued. The CISO and part-time security researcher hopes his efforts in this matter might result in a clarification of the law.

“Ultimately, we can’t have it both ways,” Moore told El Reg. “It’s either legal to port scan someone without consent, or with consent but no malicious intent, or it’s illegal and Halifax need to change their deployment to only check customers, not visitors.”

The whole effort might smack of tilting at windmills, but Moore said he was acting on a point of principle.

“If security researchers operate in a similar fashion, we almost always run into the CMA, even if their intent isn’t malicious. The CMA should be applied fairly to both parties.”

Source: Bank on it: It’s either legal to port-scan someone without consent or it’s not, fumes researcher • The Register

Critical OpenEMR Flaws Left Medical Records Vulnerable

Security researchers have found more than 20 bugs in the world’s most popular open source software for managing medical records. Many of the vulnerabilities were classified as severe, leaving the personal information of an estimated 90 million patients exposed to bad actors.

OpenEMR is open source software that’s used by medical offices around the world to store records, handle schedules, and bill patients. According to researchers at Project Insecurity, it was also a bit of a security nightmare before a recent audit recommended a range of vital fixes.

The firm reached out to OpenEMR in July to discuss concerns it had about the software’s code. On Tuesday a report was released detailing the issues that included: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”

Eighteen of the bugs were designated as having a “high” severity and could’ve been exploited by hackers with low-level access to systems running the software. Patches have been released to users and cloud customers.

OpenEMR’s project administrator Brady Miller told the BBC, “The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication.”

Source: Critical OpenEMR Flaws Left Medical Records Vulnerable

Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities

The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America’s critical infrastructure.

Uncle Sam’s finest reckon Moscow’s agents managed to infiltrate computers networks within US electric utilities – to the point where the miscreants could have virtually pressed the off switch in control rooms, yanked the plug on the Yanks, and plunged America into darkness.

The hackers, dubbed Dragonfly and Energetic Bear, struck in the spring of 2016, and continued throughout 2017 and into 2018, even invading air-gapped networks, it is claimed.

This seemingly Hollywood screenplay emerged on Monday in the pages of the Wall Street Journal (paywalled) which spoke to Homeland Security officials on the record.

The Energetic Bear aka Dragonfly crew – fingered in 2014 by Crowdstrike and Symantec – was inside “hundreds” of power grid control rooms by last year, it is claimed. Indeed, since 2014, power companies have been warned by Homeland Security to be on the lookout for state-backed snoops – with technical details on intrusions published here.

The Russians hacked into the utilities’ equipment vendors and suppliers by spear-phishing staff for their login credentials or installing malware on their machines via boobytrapped webpages, it is alleged.

The miscreants then leveraged their position within these vendors to infiltrate the utilities and squeeze into the isolated air-gapped networks in control rooms, it is further alleged. The hacker crew also swiped confidential internal information and blueprints to learn how American power plants and the grid system work.

We’re told, and can well believe, that the equipment makers and suppliers have special access into the utilities’ networks in order to provide remote around-the-clock support and patch deployment – access that, it seems, turned into a handy conduit for Kremlin spies.

The attacks are believed to be ongoing, and some utilities may not yet be aware they’ve been pwned, we were warned. It is feared the stolen information, as well as these early intrusions, could be part of a much larger looming assault.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

Source: No big deal… Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities • The Register

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

[…]

But just eight months later — in January 2017 according to the lawsuit — hackers broke into the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.

[…]

Prior to executing the second heist, the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the intruders executed their heist on a weekend. Between Jan. 7 and 9, 2017, the hackers modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.

All the while, the intruders used the bank’s systems to actively monitor customer accounts from which the funds were being withdrawn. At the conclusion of the 2017 heist, the hackers used their access to delete evidence of fraudulent debits from customer accounts. The bank’s total reported loss from that breach was $1,833,984.

Source: Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M — Krebs on Security

Bluetooth security: Flaw could allow nearby attacker to grab your private data

A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices.

The flaw was found by Lior Neumann and Eli Biham of the Israel Institute of Technology, and flagged today by Carnegie Mellon University CERT. The flaw, which is tracked as CVE-2018-5383, has been confirmed to affect Apple, Broadcom, Intel, and Qualcomm hardware, and some Android handsets. It affects Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections. Fortunately for macOS users, Apple released a patch for the flaw in July.

As the CERT notification explains, the vulnerability is caused by some vendors’ Bluetooth implementations not properly validating the cryptographic key exchange when Bluetooth devices are pairing. The flaw slipped into the Bluetooth key exchange implementation which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel.

This may allow a nearby but remote attacker to inject a bogus public key to determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and “passively intercept and decrypt all device messages, and/or forge and inject malicious messages”.
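
The missing check, as an added example that is not from the article or from any vendor’s Bluetooth stack: a pure-Python validation of a received P-256 public key (range check plus on-curve check) performed before the point is fed into the ECDH computation, with a toy, non-constant-time ECDH beside it so the rejection of a tampered point can be seen end to end. P-256 is the curve Bluetooth Secure Connections pairing uses; the private keys in the demo are constructed values.

```python
# Added example (not from the original article): validating a received
# ECDH public key on NIST P-256 before using it, the check that the
# vulnerable Bluetooth pairing implementations skipped. Educational,
# schoolbook arithmetic only; not constant-time, not for production use.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

INFINITY = None  # the point at infinity (group identity)


def is_on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_public_key(x, y):
    """Public-key validation in the style of SP 800-56A for a P-256 point.

    P-256 has cofactor 1, so a point that is on the curve is automatically
    in the prime-order group; a forged y-coordinate lands on a different
    curve entirely and is caught by the on-curve test.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False  # coordinate outside the field
    if not is_on_curve(x, y):
        return False  # e.g. y replaced by an attacker-chosen value
    return True


def point_add(p1, p2):
    """Affine point addition (handles doubling and inverses)."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add computation of k * point."""
    result = INFINITY
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_key, peer_x, peer_y):
    """Return the ECDH shared x-coordinate, refusing an invalid peer key.

    Raising here is the whole point: an implementation that computes with
    an unvalidated point lets the peer steer the result.
    """
    if not validate_public_key(peer_x, peer_y):
        raise ValueError("peer public key failed validation")
    shared = scalar_mult(private_key, (peer_x, peer_y))
    if shared is INFINITY:
        raise ValueError("degenerate shared secret")
    return shared[0]


def demo():
    """Honest parties agree on a secret; a tampered y-coordinate is rejected."""
    # Constructed private keys for the demo only (never use fixed keys).
    alice_priv = 0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809
    bob_priv = 0x0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
    alice_pub = scalar_mult(alice_priv, (GX, GY))
    bob_pub = scalar_mult(bob_priv, (GX, GY))
    s_alice = ecdh_shared_secret(alice_priv, *bob_pub)
    s_bob = ecdh_shared_secret(bob_priv, *alice_pub)
    # Same x as Bob's real key, y overwritten: not a point on P-256.
    forged_accepted = validate_public_key(bob_pub[0], 0)
    return s_alice == s_bob, forged_accepted


if __name__ == "__main__":
    print(demo())  # (True, False)
```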

Source: Bluetooth security: Flaw could allow nearby attacker to grab your private data | ZDNet

The SIM Hijackers: how hackers take your phone number and then all of your accounts

In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $500 and $5,000, according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $40,000 worth of Bitcoin.

By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.

In February, T-Mobile sent a mass text warning customers of an “industry-wide” threat. Criminals, the company said, are increasingly utilizing a technique called “port out scam” to target and steal people’s phone numbers. The scam, also known as SIM swapping or SIM hijacking, is simple but tremendously effective.

First, criminals call a cell phone carrier’s tech support number pretending to be their target. They explain to the company’s employee that they “lost” their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim’s Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.

Game over.

“With someone’s phone number,” a hacker who does SIM swapping told me, “you can get into every account they own within minutes and they can’t do anything about it.”

Source: The SIM Hijackers – Motherboard

Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

Remote-access software and modems on election equipment ‘is the worst decision for security short of leaving ballot boxes on a Moscow street corner.’

The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said.

ES&S did not respond on Monday to questions from Motherboard, and it’s not clear why the company changed its response between February and April. Lawmakers, however, have subpoena powers that can compel a company to hand over documents or provide sworn testimony on a matter lawmakers are investigating, and a statement made to lawmakers that is later proven false can have greater consequence for a company than one made to reporters.

Source: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States – Motherboard

That is incredibly poor, especially with all the talk of hackable voting machines.

Robocall Firm Exposes Hundreds of Thousands of US Voters’ Records

Personal details and political affiliations exposed

The server that drew Diachenko’s attention, this time, contained 2,584 files, which the researcher later connected to RoboCent.

The type of user data exposed via Robocent’s bucket included:

  • Full Name, suffix, prefix
  • Phone numbers (cell and landlines)
  • Address with house, street, city, state, zip, precinct
  • Political affiliation provided by state, or inferred based on voting history
  • Age and birth year
  • Gender
  • Jurisdiction breakdown based on district, zip code, precinct, county, state
  • Demographics based on ethnicity, language, education

Other data found on the servers, but not necessarily personal data, included audio files with prerecorded political messages used for robocalls.

According to RoboCent’s website, the company was not only providing robo-calling services for political surveys and inquiries but was also selling this data in raw format.

“Clients can now purchase voter data directly from their RoboCall provider,” the company’s website reads. “We provide voter files for every need, whether it be for a new RoboCall or simply to update records for door knocking.”

The company sells voter records for a price of 3¢/record. Leaving the core of its business available online on an AWS bucket without authentication is… self-defeating.

Source: Robocall Firm Exposes Hundreds of Thousands of US Voters’ Records

‘007’ code helps stop Spectre exploits before they exist

At arXiv, Singaporean and US researchers have published work, appropriately dubbed “007”, which checks code to see if it’s trying to exploit Spectre; and at Virus Bulletin, Fortinet’s Axelle Apvrille takes a look at the bug from an Android point of view.

Apvrille’s work backs up what we’ve heard from other researchers: so far, Spectre exploitation is theoretical, with no exploits in the wild. She wrote that while there was a flurry of “Spectre exploit” stories based on AV-Test sample collection, it turned out that all of the reported samples were proofs-of-concept rather than genuine malware.

She adds: “there is a significant difference between a PoC of Spectre and a piece of malware using Spectre. Turning a PoC into a malicious executable is far from a trivial process.”

That doesn’t make this kind of work pointless, though, since it’s a good thing to stay ahead of whatever nasties black hats might devise.

In developing a detection technique, Apvrille’s second conclusion was also good news: an attack against Spectre, she found, seems relatively easy to detect.

She wrote that “we had expected several false positives with this signature, but that was not the case: this imperfect signature turns out to be quite good in practice.”

The signature Apvrille searched for (using the in-practice impracticably-slow technique of searching whole binaries) was to identify “Flush+Reload cache attacks in ELF x86-64 executables”.

Source: ‘007’ code helps stop Spectre exploits before they exist • The Register
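The article gives the shape of Apvrille's signature (Flush+Reload in x86-64 ELF code) but not its bytes. The following is an added example, neither the “007” checker nor her actual signature: a simplistic scanner for the instruction pattern a Flush+Reload probe leaves behind, run over two hand-assembled byte strings constructed for this example. It shows the caveat a practitioner hits first: the CLFLUSH opcode bytes overlap with SFENCE, so the ModRM byte has to be decoded.

```python
# Added example, neither the "007" checker nor Apvrille's actual signature:
# a simplistic byte-level scanner for the instruction shape a Flush+Reload
# probe leaves in x86-64 code. Input is a raw code blob; real use would
# first extract an ELF's executable sections.

def find_clflush(code: bytes) -> list:
    """Offsets of CLFLUSH (0F AE /7). The same opcode with ModRM.mod == 3
    and reg == 7 is SFENCE, so that case is excluded or every memory
    barrier in the binary would be flagged."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] == 0xAE:
            mod, reg = code[i + 2] >> 6, (code[i + 2] >> 3) & 7
            if reg == 7 and mod != 3:
                hits.append(i)
    return hits

def find_rdtsc(code: bytes) -> list:
    """Offsets of RDTSC (0F 31) and RDTSCP (0F 01 F9)."""
    return [i for i in range(len(code) - 1)
            if code[i:i + 2] == b"\x0f\x31" or code[i:i + 3] == b"\x0f\x01\xf9"]

def flush_reload_sites(code: bytes, window: int = 64) -> list:
    """CLFLUSH sites with a cycle-counter read within `window` bytes: the
    flush-then-time shape of the probe. Matching raw bytes can also hit
    data or the middle of another instruction, which is the imperfection
    the article mentions; disassembly would tighten it."""
    timers = find_rdtsc(code)
    return [c for c in find_clflush(code)
            if any(abs(t - c) <= window for t in timers)]

# Constructed samples, hand-assembled for this example (not from real binaries)
PROBE = bytes.fromhex(
    "0fae3f"   # clflush [rdi]      evict the probed line
    "0faef0"   # mfence
    "0f31"     # rdtsc              start timer
    "8a07"     # mov al, [rdi]      reload
    "0faee8"   # lfence
    "0f31"     # rdtsc              stop timer
)
BENIGN = bytes.fromhex(
    "0faef8"   # sfence             0F AE with reg=7 but mod==3
    "0f31"     # rdtsc              timing alone is ordinary
    "c3"       # ret
)
```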

‘Mega’ Data Breaches Cost Companies a Staggering Fortune, IBM Study Finds

IBM Security on Wednesday released its latest report examining the costs and impact associated with data breaches. The findings paint a grim portrait of what the clean up is like for companies whose data becomes exposed—particularly for larger corporations that suffer so-called “mega breaches,” a costly exposure involving potentially tens of millions of private records.

According to the IBM study, while the average cost of a data breach globally hovers just under $4 million—a 6.4 percent increase over the past year—costs associated with so-called mega breaches (an Equifax or Target, for example) can reach into the hundreds of millions of dollars. The average cost of a breach involving 1 million records is estimated at around $40 million, while those involving 50 million records or more can skyrocket up to $350 million in damages.

Of the 11 mega breaches examined by IBM, 10 were a result of criminal attacks.

The average amount of time that passes before a major company notices a data breach is pretty atrocious. According to IBM, mega breaches typically go unnoticed for roughly a year.

[…]

Other key findings of the study include:

  • The average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.
  • Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).
  • Each lost or stolen record costs roughly $148 on average, but having an incident response team (surprisingly, not every company does) can reduce the cost per record by as much as $14.
  • The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record.
  • Companies that indicated a “rush to notify” had a higher cost by $5 per lost or stolen record.
  • U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by firms in the Middle East at $5.31 million.
  • Lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.

Source: ‘Mega’ Data Breaches Cost Companies a Staggering Fortune, IBM Study Finds

Unpatched Netgear router and FTP server without password leads to US military manuals hawked on dark web

Sensitive US Air Force documents have leaked onto the dark web as part of an attempted sale of drone manuals.

Threat intel firm Recorded Future picked up on an auction for purported export-controlled documents pertaining to the MQ-9 Reaper drone during its regular work monitoring the dark web for criminal activities last month. Recorded Future’s Insikt Group analysts, posing as potential buyers, said they’d engaged the newly registered English-speaking hacker before confirming the validity of the compromised documents.

Further interactions allowed analysts to discover other leaked military information available from the same threat actor. The hacker claimed he had access to a large number of military documents from an unidentified officer.

These documents included a M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device mitigation tactics.

[…]

Two years ago researchers warned that Netgear routers with remote data access capabilities were susceptible to attack if the default FTP authentication credentials were not updated.

[…]

The hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech [Air Force Base] in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper [Aircraft Maintenance Unit]. While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.

The captain, whose computer had seemingly been compromised recently, had completed a cybersecurity awareness course, but he did not set a password for an FTP server hosting sensitive files. This allowed the hacker to easily download the drone manuals, said the researchers. The precise source of the other dozen or so manuals the hacker offered for sale remains undetermined.

[…]

The hacker let slip that he was also in the habit of watching sensitive live footage from border surveillance cameras and airplanes. “The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.”

Source: US military manuals hawked on dark web after files left rattling in insecure FTP server • The Register

Thomas Cook website spills personal info – and it’s fine with that

Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines’ systems using only a booking reference number. Simply changing the booking number unveiled a new set of customer details.

The exposed info covered trips booked through the travel agency Ving, which is owned by Thomas Cook.

Thomas Cook Airlines has closed the privacy hole, technically known as an Insecure Direct Object Reference (IDOR), a common enough and basic problem on poorly designed web applications.

Solberg reckoned on Sunday that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability. Data going back to 2013 was obtainable before the hole was closed. Simple scripts might easily have been used to download the exposed data before the security hole was resolved, he adds.

Everything’s fine! Nothing to see here

A spokeswoman for Thomas Cook was at pains to emphasise “this did not affect UK customers,” before forwarding a canned statement further downplaying the incident, which it is not treating as a notifiable privacy breach.

Source: Thomas Cook website spills personal info – and it’s fine with that • The Register
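The bug described above is a lookup keyed on nothing but the booking reference. As an added example, not Thomas Cook's or Ving's code, the following puts that lookup beside a bound version that requires a second fact the booker already holds (a surname, a constructed choice here; an authenticated session would serve the same role), and includes the self-check an endpoint owner can run to confirm that neighbouring references no longer come back. The bookings, references and addresses are constructed sample data.

```python
# Added example, not Thomas Cook's or Ving's code: the lookup shape that
# produces an IDOR, beside a bound lookup that closes it. The store, the
# reference format and the surname second factor are constructed here.
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Booking:
    reference: str
    surname: str        # lead traveller's surname, known to the booker
    travellers: tuple
    email: str
    flights: tuple

# Constructed sample bookings with adjacent references
BOOKINGS = {
    "A1B2C3": Booking("A1B2C3", "SOLBERG", ("Roy Solberg",),
                      "roy@example.invalid", ("OSL-PMI 2018-07-10",)),
    "A1B2C4": Booking("A1B2C4", "HANSEN", ("Kari Hansen", "Ola Hansen"),
                      "kari@example.invalid", ("ARN-AYT 2018-07-11",)),
}

def lookup_vulnerable(reference: str):
    """IDOR: the reference is the only key, so whoever can guess or
    increment one gets the whole booking (what Solberg observed)."""
    return BOOKINGS.get(reference)

def lookup_bound(reference: str, surname: str):
    """Bind the object to a fact the caller must already hold and that is
    not enumerable alongside the reference. One uniform failure, compared
    in constant time, so a probe cannot separate 'no such booking' from
    'wrong surname' by response or timing."""
    booking = BOOKINGS.get(reference)
    expected = (booking.surname if booking else "").encode()
    if not hmac.compare_digest(expected, surname.strip().upper().encode()):
        return None
    return booking

def neighbour_leaks(lookup, reference: str, span: int = 2) -> int:
    """Self-check for the endpoint owner: vary the last character of a known
    reference and count how many *other* bookings the lookup returns."""
    prefix, last = reference[:-1], reference[-1]
    leaked = 0
    for c in range(ord(last) - span, ord(last) + span + 1):
        probe = prefix + chr(c)
        if probe != reference and lookup(probe) is not None:
            leaked += 1
    return leaked
```

Rate-limiting and logging failed reference-plus-surname attempts is the complementary control, since the binding only raises the cost of a probe rather than making the reference space unguessable.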

Former NSO Group Employee Accused of Stealing Phone Spy Tools

Israeli hacking firm NSO Group is mostly known for peddling top-shelf malware capable of remotely cracking into iPhones. But according to Israeli authorities, the company’s invasive mobile spy tools could have wound up in the hands of someone equally, if not far more, devious than its typical government clients.

A 38-year-old former NSO employee has been accused of stealing the firm’s malware and attempting to sell it for $50 million in cryptocurrency on the dark net, according to a widely reported indictment first published by Israeli press.

The stolen software is said to be worth hundreds of millions of dollars.

According to Israel’s Justice Ministry, the ex-employee was turned in by a potential buyer. The suspect was arrested on June 5, Reuters reported. The accused has been charged with employee theft, attempting to sell security tools without a license, and conduct that could harm state security.

Source: Former NSO Group Employee Accused of Stealing Phone Spy Tools

Obviously security holes found will be exploited, which is why responsible disclosure is a good idea. It’s much better for devices to be secure than for intelligence agencies to be able to exploit holes – because non-nation state actors (read: criminals, although there are nations who think other nations are criminal) also have access to these holes.