MS Secureboot has a golden key – which has been hacked.

secureboot is a part of the uefi firmware, when enabled, it only lets stuff run that’s signed by a cert in db, and whose hash is not in dbx (revoked). As you probably also know, there are devices where secure boot can NOT be disabled by the user (Windows RT, HoloLens, Windows Phone, maybe Surface Hub, and maybe some IoTCore devices if such things actually exist — not talking about the boards themselves which are not locked down at all by default, but end devices sold that may have secureboot locked on). But in some cases, the “shape” of secure boot needs to change a bit. For example in development, engineering, refurbishment, running flightsigned stuff (as of win10) etc. How to do that, with devices where secure boot is locked on?

Source: Secure Golden Key Boot: (MS16-094 / CVE-2016-3287, and MS16-100 / CVE-2016-3320)
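To make the db/dbx rule from the excerpt concrete, here is an added example in Go (written for this post; it is not code from the Secure Golden Key Boot writeup, from Microsoft, or from any firmware). It models the boot-time policy decision: an image runs only if a signer in db vouches for it and its hash is absent from dbx. It assumes Ed25519 signatures and a plain SHA-256 of the image bytes in place of the X.509/Authenticode machinery real UEFI firmware uses, and the names `Policy`, `Check`, `Revoke` and `Demo` are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of the boot-time policy check.
type Verdict int

const (
	Allowed          Verdict = iota // signed by a db signer and not revoked
	NotTrustedSigner                // no signer in db produced the signature
	Revoked                         // image hash appears in dbx
)

func (v Verdict) String() string {
	return [...]string{"Allowed", "NotTrustedSigner", "Revoked"}[v]
}

// Policy models the two Secure Boot variables from the excerpt: db lists the
// signers whose images may run, dbx lists hashes of images that must never
// run even when their signature is valid. Ed25519 keys and a raw SHA-256 of
// the image stand in for real certificates and Authenticode hashes
// (an assumption of this example, not how firmware actually encodes them).
type Policy struct {
	DB  []ed25519.PublicKey
	DBX map[string]bool // hex SHA-256 of revoked images
}

// ImageHash returns the hex SHA-256 digest used as the dbx key.
func ImageHash(image []byte) string {
	h := sha256.Sum256(image)
	return hex.EncodeToString(h[:])
}

// Revoke adds an image's hash to dbx.
func (p *Policy) Revoke(image []byte) {
	if p.DBX == nil {
		p.DBX = map[string]bool{}
	}
	p.DBX[ImageHash(image)] = true
}

// Check decides whether an image may run. Revocation is consulted first: a
// dbx entry overrides any signature, so a validly-signed image can still be
// stopped once its hash has been pushed to dbx.
func (p *Policy) Check(image, sig []byte) Verdict {
	if p.DBX[ImageHash(image)] {
		return Revoked
	}
	for _, pk := range p.DB {
		if ed25519.Verify(pk, image, sig) {
			return Allowed
		}
	}
	return NotTrustedSigner
}

// Demo walks through three cases: a db-signed image, the same image signed by
// a key that is not in db, and the db-signed image after its hash was added
// to dbx. Keys and image bytes are constructed here for the example.
func Demo() (vendorSigned, rogueSigned, afterRevocation Verdict) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	policy := &Policy{DB: []ed25519.PublicKey{vendorPub}}
	image := []byte("constructed boot loader image")

	vendorSigned = policy.Check(image, ed25519.Sign(vendorPriv, image))
	rogueSigned = policy.Check(image, ed25519.Sign(roguePriv, image))

	policy.Revoke(image) // hash lands in dbx; the vendor signature is still valid
	afterRevocation = policy.Check(image, ed25519.Sign(vendorPriv, image))
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("vendor-signed:", a, "| rogue-signed:", b, "| after dbx revocation:", c)
}
```

The order of the two lookups is the point: dbx wins over db, so once something validly signed turns out to be unwanted, a dbx entry for its hash is the only lever left, and an image that is never loaded by an affected device can never be blocked that way.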

This kind of golden key is what the FBI is pushing for. Now the cat is out of the bag, we can’t put it back in, though.

More than 30 states offer online voting, but experts warn it isn’t secure

“We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” Neil Jenkins, an official in the Office of Cybersecurity and Communications at the Department of Homeland Security, said at a conference of the Election Verification Network this spring.

Thirty-two states have some form of electronic transmission of ballots over the Internet, compared with no states with online voting in 2000. In Alaska, for example, all voters can submit an absentee elections ballot online from computers in their own homes.

Missouri offers electronic ballots for members of the military who are serving in a “hostile zone” overseas. North Dakota permits overseas citizens or military members deployed overseas to vote online. And in 20 other states and the District of Columbia, certain voters living abroad will be allowed to return their absentee ballots via email or fax in the upcoming presidential election.

Source: More than 30 states offer online voting, but experts warn it isn’t secure – The Washington Post

Well, it isn’t secure and it can’t be made to be. However, is showing up to vote that secure? Is handcounting that secure? In the US, Florida has consistently shown that the current process is corrupt and unreliable. How do the risks weigh up?

3D print biz Shapeways hacked, home and email addresses swiped

Shapeways. In a statement, it said that some email addresses, usernames, and shipping addresses were exposed, but that the hackers didn’t get a full run of their servers and no 3D printing plans were stolen.

“The intruders did not access credit card information because Shapeways does not store such information on their systems,” said a spokeswoman.

Source: 3D print biz Shapeways hacked, home and email addresses swiped

The passwords were hashed. So not much useful stuff got taken. They are recommending customers change their passwords anyway. Shapeways apparently takes security seriously. Not often you see that everything is being done properly.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites

These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

boingboing
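To make the inference step in the excerpt concrete, here is an added example in Go (written for this post; it is not code from the researchers or from boingboing). It takes a constructed table of which relays were told about each honion, marks visits from a constructed connection log, and then picks the fewest relays that can explain every unsolicited visit: since nobody else was told the address, each visit must have leaked through one of that honion's seeded relays. The greedy set cover, the log format, and all relay and address names are assumptions of the example, not the study's own method or data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Honion is an unadvertised hidden service set up only to see who shows up.
// Seeded lists the relays that learned its address while the researchers
// connected to it; Visited records whether an unsolicited connection arrived.
type Honion struct {
	Addr    string
	Seeded  []string
	Visited bool
}

// MarkVisits flags every honion whose address appears in a connection log.
// Log lines are constructed for this example as "<time> CONNECT <address>".
func MarkVisits(hs []Honion, log []string) {
	seen := map[string]bool{}
	for _, line := range log {
		f := strings.Fields(line)
		if len(f) == 3 && f[1] == "CONNECT" {
			seen[f[2]] = true
		}
	}
	for i := range hs {
		if seen[hs[i].Addr] {
			hs[i].Visited = true
		}
	}
}

// SuspectRelays returns a small set of relays that explains every visited
// honion. Greedy set cover: at each step take the relay that accounts for
// the most still-unexplained visits, breaking ties alphabetically so the
// result is deterministic. (Simplification for this example; the original
// study's exact attribution method is not reproduced here.)
func SuspectRelays(hs []Honion) []string {
	unexplained := map[string]Honion{}
	for _, h := range hs {
		if h.Visited {
			unexplained[h.Addr] = h
		}
	}
	var suspects []string
	for len(unexplained) > 0 {
		// count how many unexplained visits each relay could account for
		cover := map[string]int{}
		for _, h := range unexplained {
			for _, r := range h.Seeded {
				cover[r]++
			}
		}
		best := ""
		for r, n := range cover {
			if best == "" || n > cover[best] || (n == cover[best] && r < best) {
				best = r
			}
		}
		if best == "" {
			break // remaining visits have no seeded relay to attribute them to
		}
		suspects = append(suspects, best)
		for addr, h := range unexplained {
			for _, r := range h.Seeded {
				if r == best {
					delete(unexplained, addr)
					break
				}
			}
		}
	}
	sort.Strings(suspects)
	return suspects
}

// Demo runs the procedure over a constructed seeding table and log.
func Demo() []string {
	hs := []Honion{
		{Addr: "aaaa.onion", Seeded: []string{"relayA", "relayB", "relayC"}},
		{Addr: "bbbb.onion", Seeded: []string{"relayB", "relayD"}},
		{Addr: "cccc.onion", Seeded: []string{"relayB", "relayE"}},
		{Addr: "dddd.onion", Seeded: []string{"relayF", "relayG"}}, // never visited
		{Addr: "eeee.onion", Seeded: []string{"relayH"}},
	}
	log := []string{ // constructed sample log lines
		"2016-07-20T10:01:02Z CONNECT aaaa.onion",
		"2016-07-20T10:05:41Z CONNECT bbbb.onion",
		"2016-07-20T11:17:09Z CONNECT cccc.onion",
		"2016-07-21T03:44:58Z CONNECT eeee.onion",
	}
	MarkVisits(hs, log)
	return SuspectRelays(hs)
}

func main() {
	fmt.Println("relays that explain every unsolicited visit:", Demo())
}
```

With the constructed data, relayB is the only relay common to the first three visited honions and relayH is the only one that knew about the fourth, so those two come out as the suspects while the relays behind the never-visited honion are left alone.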

Maxthon web browser blabs about your PC all the way back to Beijing

Polish security consultancy Exatel warns [PDF] that Maxthon is phoning home information such as the computer’s operating system and version number, the screen resolution, the CPU type and speed, the amount of memory installed, the location of the browser’s executable, whether ad-block is running, and the start page URL.

Source: Maxthon web browser blabs about your PC all the way back to Beijing

Former Lottery Security Director hacked random-number generator to rig lotteries, investigators say

For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators allege. The random-number generators had been erased, but new forensic evidence has revealed how the hack was apparently done.

[…]

The number generator had apparently been hacked to produce predictable numbers on three days of the year, after the machine had gone through a security audit.

All six prizes linked to Tipton were drawn between 2005 and 2011 on either 23 November or 29 December.

Investigators were able to recreate the draws and produce “the very same ‘winning numbers’ from the program that was supposed to produce random numbers,” said the Iowa Division of Criminal Investigation agent Don Smith.

Foscam, QNAP, Swann send data to iotcplatform.com and others without knowledge or consent

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

The FI9286P, a Foscam camera that includes P2P communication by default.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

BadTunnel Bug Hijacks All Network Traffic, for All Windows Versions

The research of Yang Yu, founder of Tencent’s Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

Yu says an attacker could leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim’s network traffic through a point controlled by the attacker.

By network traffic, Yu refers to all traffic, not just Web HTTP and HTTPS. This includes OS updates, software upgrades, Certificate Revocation List updates via Microsoft’s Crypto API, and other OS maintenance operations.

Source: BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

Boffins shake up smartphone with motion-sensor as microphone

Because nobody regards the vibration sensor as sensitive, smartphones typically leave it with wide-open permissions.

What Nirupam Roy and Romit Roy Choudhury did was to hack an Android phone so its vibration sensor acted as a microphone. Well: a vibration sensor is half-way to being a microphone anyhow, in terms of its basic function.

As they note in this paper, “any vibrating object should respond to air vibrations”. What makes a microphone different is that the diaphragm is very light, and therefore responds well to quiet sounds and high frequencies. The vibration sensor, on the other hand, doesn’t respond much to either.

As the pair says in their paper, “VibraPhone is attempting a different problem altogether – instead of learning a motion signature, it attempts to reconstruct the inherent speech content from the low bandwidth, highly distorted output of the vibra-motor.”

Source: Boffins shake up smartphone with motion-sensor as microphone

Apple services down for 8 hours, no explanation given

Apple’s U.S. web page showed all applications had resumed as of 11:55 p.m.

“There are no reported issues at this time,” the company said a few minutes later on its web page.

The iPhone maker said services related to iCloud and the Photos application have also resumed.

The issues appear to have started just before 4 p.m., according to a timeline provided on the tech giant’s support page.

Source: Apple Offers No Explanation for Outage, but Says All Services Back to Normal – NBC News

Isn’t the cloud great sometimes?

Lawyers Suggest You Stop Using Your Finger to Unlock Your Phone: You are protected against revealing passwords under the Fifth Amendment’s right against self-incrimination, but your biometrics are not.

A court or police officer could legally compel you to press your finger onto your smartphone to unlock it, but if your phone is locked with a passcode, no one can legally compel you to open it, says William J. Cook, an attorney and partner at law firm Reed Smith in Chicago, who specializes in information technology, privacy, and data security. Cook explains that the difference between a password and a biometric identifier is great under the law: you have a right not to reveal the contents of your mind, which includes things like a password, but your fingerprints are a part of who you are and you expose them to the public every day. This is why when a person gets arrested, he or she must consent to being fingerprinted while retaining the right to remain silent. Thoughts are protected; biometric identifiers (fingerprints, face, hair) are not.

Source: Here’s Why Lawyers Suggest You Stop Using Your Finger to Unlock Your Phone

36 firms at risk from that unpatched 2010 SAP vuln? Try 500+

ERPScan, the ERP security specialist firm which originally discovered the misconfiguration flaw (research pdf here), said that Onapsis’s figures on exposure to the vulnerability are optimistic by more than an order of magnitude.

Alexander Polyakov, CTO at ERPScan, told El Reg that its research suggests as many as 533 organisations are at risk.

“Onapsis said that 36 organizations were actually breached,” Polyakov told El Reg. “Our assumption is that all of them were just examples of vulnerable systems which white-hats publish on their forum.”

“Onapsis’ assumption that those publications on a Chinese forum are examples of cyberattacks is wrong. I agree with them that there are many vulnerable systems (533 at least) and some people probably hacked them for real profit. Not just published a screenshot of a potential deface but really performed [a] cyberattack.”

Source: 36 firms at risk from that unpatched 2010 SAP vuln? Try 500+

Malware and non-malware ways for ATM jackpotting. Extended cut – Securelist

Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines.

Source: Malware and non-malware ways for ATM jackpotting. Extended cut – Securelist

Cisco Finds Backdoor Installed on 12 Million PCs by French Advertiser Tuto4PC

Cisco’s Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The firm, previously known as Eorezo Group and apparently linked to another company called Wizzlabs, has been targeted by French authorities over its questionable practices regarding the installation of unwanted software and harvesting of users’ personal details.
[…]
Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other software, such as a known scareware called System Healer, but also of harvesting personal information. Furthermore, experts found that the software is designed to detect the presence of sandboxes, antiviruses, security tools, forensic software and remote access doors.

These “features” have led Cisco Talos to classify the Tuto4PC software as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”

Source: Cisco Finds Backdoor Installed on 12 Million PCs | SecurityWeek.Com

Microsoft Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account

A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. “The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote — depending on what the company has paid for in terms of licensing),” Kakavas and Bratec told Threatpost via email. “And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc. ).” Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.

Source: Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account – Slashdot

Oops, don’t you love the cloud? 🙂

Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles

The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Source: Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles | Threatpost | The first stop for security news

glibc getaddrinfo stack-based buffer overflow – patch now

The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is fo

Source: Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Denuvo Anti-Piracy Tech stays good during the sales window of games, which is long enough

More than two months after release, it’s still not possible to pirate Just Cause 3. The same is true for Rise of the Tomb Raider, released for PC in late January. Cracking computer games used to be measured in hours or days, but now, it’s turning into weeks and months. The nature of piracy is changing in a big way.

Source: The Anti-Piracy Tech That’s Giving Hackers Fits

Crims unleashed IRS-stabbing malware in bid to rob 464,000 people

Fraudsters, armed with stolen social security numbers and other personal information on nearly half a million people, used malware to systematically request PINs corresponding to those taxpayers, allowing the crooks to potentially file paperwork on their behalf. The swindlers could put their own bank account details on the tax returns, thus channelling people’s rebates into the thieves’ pockets.

“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file PIN is used in some instances to electronically file a tax return,” the IRS said in a statement today.

“Based on our review, we identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN.”

Source: Crims unleashed IRS-stabbing malware in bid to rob 464,000 people

GCHQ hacking phones and computers is legal, says top UK court

Computer, smartphone and network hacking by UK intelligence agency GCHQ is legal, a security tribunal has said.

The Investigatory Powers Tribunal ruled on Friday that computer network exploitation (CNE) – which can include remotely activating microphones and cameras on electronic devices such as iPhones without the owner’s knowledge – is legal.

The case, which was heard in 2015, was the first time that GCHQ admitted to carrying out hacking in the UK and overseas. Previously, their policy had been to “neither confirm nor deny”.
[…]
During proceedings, GCHQ admitted that it carries out CNE outside the UK, and that in 2013 about a fifth of its intelligence reports contained information derived from hacking.

Source: GCHQ hacking phones and computers is legal, says top UK court

So is there any kind of warrant procedure at all before they start hacking private individual or business computers?

Arrow: Fraudsters impersonated one of our execs to steal money • $13m

Enterprise tech distributor Arrow Inc will take a $13m charge on the chin after a fraudster posing as a company exec transferred money from the corporate bank account to an external one.
[…]
Deloitte has previously highlighted what it reckoned is the growing threat from ‘fake president’ frauds, “affecting many companies at the moment”.

It involves convincing an employee to make emergency bank transfers to a third party, “in order to obey an alleged order of a leader under the pretext of a debt to pay, a provision in contract or a deposit”.

Organised crims are suspected of perpetrating these scams, “with a complete knowledge regarding the market, structure and customers of the companies they are attacking”.

Source: Arrow: Fraudsters impersonated one of our execs to steal money • The Channel

Israeli Drone Feeds Hacked By British and American Intelligence

American and British intelligence secretly tapped into live video feeds from Israeli drones and fighter jets, monitoring military operations in Gaza, watching for a potential strike against Iran, and keeping tabs on the drone technology Israel exports around the world.

Under a classified program code-named “Anarchist,” the U.K.’s Government Communications Headquarters, or GCHQ, working with the National Security Agency, systematically targeted Israeli drones from a mountaintop on the Mediterranean island of Cyprus. GCHQ files provided by former NSA contractor Edward Snowden include a series of “Anarchist snapshots” — thumbnail images from videos recorded by drone cameras. The files also show location data mapping the flight paths of the aircraft. In essence, U.S. and British agencies stole a bird’s-eye view from the drones.

Source: Israeli Drone Feeds Hacked By British and American Intelligence

NSA’s top hacking boss explains how his guys work

Rare public appearance from Tailored Access Operations leader

NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.

Source: NSA’s top hacking boss explains how to protect your network from his attack squads

Maybe not all accurate, considering where it came from, but interesting points anyway.