LA Times knocked out, HackerOne slips up and – amazingly – router security still sucks
Welcome to 2019, just a few days into the year and we already have Chromecast chaos, Skype backdoors, and a Weather Channel privacy suit.
We also have plenty of other news to catch up on.
Stop the presses! LA Times grinds to a halt over ransomware
Most of us made a point of unplugging from the news over the holidays, but for those who read the LA Times, a ransomware infection nearly made that unplugging mandatory.
Late last week, a mysterious malware attack crippled key parts of the Times' infrastructure and that of other papers in its parent Tribune Company, including portions of its printing systems. This sparked fears of state-sponsored or terrorist hackers at work.
How bad was it? El Reg has learned that, at its worst point, the Tribune Company was seriously considering asking the publishers of the San Francisco Chronicle to print their papers for them so that the weekend editions could get out on time.
Eventually, the panic settled and the issue was traced back to a ransomware infection that had managed to bork the systems linking the papers' editorial offices with those of the printing plants.
UK military withdraws from Gatwick drone duty
Anyone who had the misfortune of having to travel to, from, or in the general vicinity of London Gatwick airport over the holidays is by now familiar with the “drones” that menaced the airport.
As The Register reported, there was panic over the possibly non-existent drones that were thought to be buzzing planes on the airfield. This caused the airport to temporarily shut down and kicked off a man..er.. dronehunt to catch the rogue copter and its operator. The military was also called in to bring calm to the situation.
We assume this all happened to the tune of Yakkity Sax.
Fortunately, the worst of the microflyer crisis seems to have passed, and the men and women of the RAF can finally make their triumphant homecoming from the harrowing fields of Gatwick.
To date there have been no arrests, save for the Sussex couple who were released without charge on December 23.
HackerOne flaw vets cop to rookie mistake
A note to all the developers out there: Don’t beat yourselves up too much over security flaws, as even the bug-brokers at HackerOne fall victim to the occasional slip-up.
An in-house researcher discovered that the address handling behind HackerOne's @wearehackerone.com email forwarding service hadn't properly reserved key mailbox names such as "security" (one of the well-known addresses RFC 2142 defines) or "admin".
This would potentially have allowed someone up to no good to register a name like "admin@wearehackerone.com" or "abuse@wearehackerone.com" and then use the address to cause chaos.
To its credit, HackerOne not only acknowledged and addressed the vulnerability, but published a report on it on their ‘hacktivity’ feed.
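The practical fix for this class of bug is a reserved-name check at alias registration time, applied after normalising the requested name so that case, Unicode lookalikes and "+tag" subaddressing can't sidestep it. The block below is an added example written for this piece; it is not HackerOne's code, and the names beyond the RFC 2142 list (the EXTRA_RESERVED set) and the in-memory registry are assumptions of the example.

```python
import unicodedata

# Mailbox names reserved by RFC 2142 (business, network operations,
# support, and well-known-service mailboxes).
RFC2142_NAMES = frozenset({
    "info", "marketing", "sales", "support",
    "abuse", "noc", "security",
    "postmaster", "hostmaster", "usenet", "news", "webmaster", "www",
    "uucp", "ftp",
})

# Extra names worth blocking on any shared domain. Not part of RFC 2142;
# this list is an assumption of this example, not any provider's policy.
EXTRA_RESERVED = frozenset({
    "admin", "administrator", "root", "help", "helpdesk", "billing",
    "noreply", "no-reply", "mailer-daemon", "staff", "team", "legal",
})


def normalize_local_part(local: str) -> str:
    """Canonicalise a requested mailbox name before comparing it.

    - NFKC folds lookalike Unicode forms (e.g. fullwidth letters) to ASCII
    - casefold, because mailbox names are matched case-insensitively in practice
    - drop a '+tag' suffix, since 'security+x' delivers to 'security' on
      systems that support subaddressing
    """
    folded = unicodedata.normalize("NFKC", local).casefold().strip()
    return folded.split("+", 1)[0]


def is_reserved(local: str) -> bool:
    name = normalize_local_part(local)
    return name in RFC2142_NAMES or name in EXTRA_RESERVED


def register_alias(requested: str, taken: set) -> str:
    """Reserve an alias for a user, refusing reserved and duplicate names.

    `taken` is the registry of already-issued names (an in-memory set here,
    constructed for the example). Returns the canonical name on success and
    raises ValueError otherwise.
    """
    name = normalize_local_part(requested)
    if not name or not name.replace("-", "").replace(".", "").isalnum():
        raise ValueError(f"invalid alias: {requested!r}")
    if is_reserved(name):
        raise ValueError(f"{requested!r} is a reserved mailbox name")
    if name in taken:
        raise ValueError(f"{requested!r} is already taken")
    taken.add(name)
    return name


if __name__ == "__main__":
    registry = set()
    print("issued:", register_alias("alice", registry))
    # Each of these should be refused: plain, case-changed, subaddressed
    # and fullwidth-Unicode spellings of reserved names.
    for bad in ("security", "Admin", "abuse+anything", "ｓｅｃｕｒｉｔｙ"):
        try:
            register_alias(bad, registry)
        except ValueError as err:
            print("rejected:", err)
```

The check belongs on the write path (registration and rename), not only in the forwarding rules: once an alias exists, every downstream system that trusts mail from that domain has already been told it is legitimate.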
Israeli security shop wants to be a pain in the dong
A secretive security firm exposed in Israel has a highly unusual name.
The outfit wants to sell hacking tools to governments and law enforcement, although experience has shown these aren’t just used to track down criminals but also people governments find tiresome.
The group calls itself Candiru, after the small fish in the Amazon which, legend has it, can swim up a stream of urine and embed itself in a victim’s urethra using a barbed head.
Presumably the name is a reference to how the biz's malware is both highly invasive and difficult to remove. No doubt someone in marketing thought this was a terribly clever and/or funny idea. We'd go with the former.
Nice patch Google, too bad it only took three years to arrive
Tardy patching is nothing new in the security industry, but Google is usually thought to be better than most at getting stuff fixed. Not so in this case.
According to flaw finders Nightwatch Cybersecurity, there was a serious flaw in Chrome for Android that would allow an attacker to work out the hardware a particular handset is using. It did this thanks to flaws in WebView and Tabs for Android, which could reveal the hardware model, firmware version and security patch level of a phone.
Such information is obviously invaluable for an attacker, and in May 2015 Nightwatch reported the issue to Google, but the security team at the Chocolate Factory said it wasn't really an issue.
However, Chrome 70, released in October, appears to have finally fixed the issue – at least in part. The firmware build information is no longer readable, but the device model number still is. Better than nothing, but still not good enough.
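The channel for this leak is the browser's User-Agent string, which on Android carries the device model and, before Chrome 70, a "Build/..." tag naming the firmware release (that detail is from Nightwatch's advisory rather than the summary above). The block below is an added example, not Nightwatch's or Google's code: it shows what a server sees from one request under the old and new formats. The User-Agent strings, model and build values are constructed for the example.

```python
import re

# Constructed sample User-Agent strings modelled on Chrome for Android; the
# model and build tag values are made up for this example.
UA_CHROME_69 = ("Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36")
UA_WEBVIEW_69 = ("Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW; wv) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36")
UA_CHROME_70 = ("Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36")

# Parenthesised platform token: "(Linux; Android <ver>; <model>[ Build/<id>][; wv])"
ANDROID_UA = re.compile(
    r"\(Linux; Android (?P<version>[^;]+); (?P<model>.+?)"
    r"(?: Build/(?P<build>[^;)]+))?(?P<wv>; wv)?\)"
)


def device_leak(ua: str) -> dict:
    """What a server can read about the handset from a single request's UA."""
    m = ANDROID_UA.search(ua)
    if not m:
        return {"android": None, "model": None, "build": None, "webview": False}
    return {
        "android": m["version"],          # OS version
        "model": m["model"],              # hardware model, still present in Chrome 70
        "build": m["build"],              # firmware build tag, dropped in Chrome 70
        "webview": m["wv"] is not None,   # request came from an app's WebView
    }


def exposure(ua: str) -> str:
    """Classify how much a UA gives away.

    'firmware': the build tag is present; in practice it identifies the firmware
    release, from which the security patch level can be looked up.
    'model': only the device model is present (the post-Chrome-70 state).
    'none': not an Android Chrome/WebView UA.
    """
    leak = device_leak(ua)
    if leak["build"]:
        return "firmware"
    if leak["model"]:
        return "model"
    return "none"


if __name__ == "__main__":
    for label, ua in (("Chrome 69", UA_CHROME_69), ("WebView 69", UA_WEBVIEW_69),
                      ("Chrome 70", UA_CHROME_70)):
        print(f"{label:10} exposure={exposure(ua):8} {device_leak(ua)}")
```

Run it over your own access logs (grep for "Build/" in the UA field) to see how many clients still advertise a firmware build, which is the population an attacker can match against known-vulnerable patch levels.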
Whose switch is it anyway?
Unauthenticated switches pose a little-known, but significant, threat to security. Don't believe us? Check out this report into the prevalence of unauthenticated HP and Aruba switches that can be found using Shodan.
Unauthenticated switches are dangerous because they do not log activity and can be reached over the web UI or, even worse, Telnet.
“From Telnet, an attacker could do a number of things from this switch, from redirecting traffic/ports, to serving malware, to pivoting within the network that the switches live in,” the report, authored by one of the hosts of the ThugCrowd podcast reads.
Admins are advised to set usernames and passwords, and to disable the web UI (and Telnet) if they are not needed.
Insinia pulls mass Twitter ‘hack’ to prove a point
Call it the Twitter security crisis that wasn't. Earlier this week, mobile security company Insinia pulled something of a cross between a publicity stunt, protest, and a proof of concept when it pushed out a number of fake Tweets from various celebrity accounts.
The company would later explain that it did not actually take over any accounts, but rather exploited a little-known feature on Twitter that lets users send tweets over SMS.
The idea is that a user who has their phone number linked to their account could send an SMS from that number and have the message contents automatically posted as a Tweet from their account.
This also means that anyone who could spoof that number, as Insinia did with the celebrity accounts, could post Tweets as well.
Insinia is urging Twitter to kill the feature and for users to unlink their accounts from their phone numbers.
Luas website hacked, ransom set at $4,000.. er… $3,500… er… $3,800
Irish tram operator Luas is the latest transit agency to fall victim to ransom-demanding hackers. The exact price of that ransom depends on whatever the cryptocurrency market is doing at the moment.
In this case, someone took over the tram operator's official website and said they would only hand it back if they were paid one Bitcoin. If the company opted not to pay up within five days, the hacker also threatened to release company emails.
By late Friday the site was not yet back online, though Luas has apparently regained control of the domain and put up a holding notice.
“Luas technicians are still investigating [the attack] and are working to restore the site,” the notice reads.
“Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.”
Bad news from OSnews
Long-running tech news site OSnews appears to have fallen victim to data thieves.
The site announced this week that some or all of its data had apparently been lifted by an intruder, after readers reported receiving spam and phishing emails. It was eventually concluded that the site had been breached, and OSnews went offline for a few days before returning with an explanation.
“Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site’s content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database,” the site said.
“Your email addresses were in there, and the encryption on the passwords wasn’t up to modern standards (unsalted SHA1). The truth is that once we concluded it was likely that we were breached, our small volunteer team decided it was better to go offline than it was to learn the avenue of exploit, given that we had no interest in continuing to rely on the aged codebase.”
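Unsalted SHA-1 is the detail that turns a database theft into a credential dump: every user with the same password shares one digest, so a single precomputed table cracks all of them at once. The block below is an added example (not OSnews code) showing why, next to a salted, iterated PBKDF2 replacement and the usual migrate-on-login step for an existing user table. The wordlist and passwords are constructed; the iteration count is illustrative and should be tuned to your servers.

```python
import hashlib
import hmac
import os
from typing import Optional


def legacy_sha1(password: str) -> str:
    """The scheme OSnews described: unsalted SHA-1. Same password, same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


# A tiny constructed wordlist; real tables hold billions of entries.
WORDLIST = ["password", "hunter2", "letmein", "osnews", "qwerty"]


def crack_unsalted(digests) -> dict:
    """Precompute SHA-1 of the wordlist once, then match every leaked digest
    against it. With a salt this lookup would have to be redone per user."""
    table = {legacy_sha1(w): w for w in WORDLIST}
    return {d: table[d] for d in digests if d in table}


ITERATIONS = 200_000  # illustrative; pick a cost of ~0.1-0.3 s per hash on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing record."""
    salt = salt or os.urandom(16)   # 16 random bytes per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_legacy(legacy_digest: str, password: str) -> Optional[str]:
    """On login, if the record still holds an unsalted SHA-1 and the supplied
    password matches it, return a fresh PBKDF2 record to store in its place."""
    if hmac.compare_digest(legacy_sha1(password), legacy_digest):
        return hash_password(password)
    return None


if __name__ == "__main__":
    # Two users, same password: identical unsalted digests, both cracked by one lookup.
    leaked = [legacy_sha1("hunter2"), legacy_sha1("hunter2"), legacy_sha1("correct horse battery")]
    print("cracked:", crack_unsalted(leaked))
    # Same password, two records: different salts, different digests.
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("salted records differ:", a != b, "| verify:", verify_password("hunter2", a))
```

The migrate-on-login path is the only way to upgrade hashes you cannot invert; until a user logs in, their legacy digest stays exposed, so force a reset for accounts that have not done so after a breach.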
How many times do we have to do this? Fix your terrible router security, vendors!
Yet again, we have a damning report on the state of security in home wireless routers.
This time, it is Cyber-ITL who peered into (PDF) the safety of 28 popular home routers and found that, depending on the architecture, the state of security was either grim… or totally hopeless.
In the latter category are routers based on MIPS SoCs, all of which were found to contain a flaw that renders data execution prevention (DEP) ineffective, potentially allowing an attacker to feed in and execute malicious code.
ARM-based routers fared a bit better, but only slightly.
“Though the Linux/ARM stack is completely unaffected by the aforementioned bug, for many devices it makes almost no difference,” the report reads.
“Of the access points and routers we reviewed, not a single one took full advantage of the basic application armoring features provided by the operating system. Indeed, only one or two models even came close, and no brand did well consistently across all models tested.”
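The "basic application armoring features" in question are requested per binary through ELF program headers: PT_GNU_STACK without the execute bit (NX/DEP), a position-independent image (ET_DYN, so ASLR can relocate it) and PT_GNU_RELRO (read-only relocations). The block below is an added example, not Cyber-ITL's tooling: a minimal checker that reads those flags straight from the headers, so it can be run on firmware binaries extracted from a router image. The sample ELF images it builds are constructed, with just enough header to exercise the checker, and the caveat for MIPS reflects the report's finding that DEP was ineffective on every MIPS device tested.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_MIPS, EM_ARM = 3, 8, 40


def elf_hardening(data: bytes) -> dict:
    """Report the OS-level armouring a binary asks for, from its ELF headers.

    nx: PT_GNU_STACK present without PF_X (stack not executable); absent header
        counts as not requested.  pie: ET_DYN, so the image can be relocated.
    relro: PT_GNU_RELRO present.  Handles 32/64-bit and either endianness.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, ...
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # ..., p_flags, p_align
    e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = hdr
    nx = relro = False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {"machine": e_machine, "nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def effective_nx(report: dict) -> bool:
    """A binary's NX request only helps if the platform honours it. Cyber-ITL
    found DEP ineffective on every MIPS router tested, so treat MIPS as unproven."""
    return bool(report["nx"]) and report["machine"] != EM_MIPS


def build_sample_elf(e_type: int, e_machine: int, stack_flags: int,
                     with_relro: bool, is64: bool = True) -> bytes:
    """Constructed, non-runnable ELF image carrying only the headers the checker reads."""
    phdrs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 0x4)] if with_relro else [])
    if is64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body


# Constructed samples: a typical router daemon, a fully armoured build, and an
# old-style executable-stack binary.
SAMPLES = {
    "router_daemon_mips": build_sample_elf(ET_EXEC, EM_MIPS, 0x6, with_relro=False),
    "hardened_arm":       build_sample_elf(ET_DYN, EM_ARM, 0x6, with_relro=True),
    "exec_stack_x86":     build_sample_elf(ET_EXEC, EM_386, 0x7, with_relro=False, is64=False),
}

if __name__ == "__main__":
    if sys.argv[1:]:   # usage: python checker.py /path/to/extracted/bin/*
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, elf_hardening(fh.read()))
    else:
        for name, blob in SAMPLES.items():
            rep = elf_hardening(blob)
            print(f"{name:20} {rep} effective_nx={effective_nx(rep)}")
```

Run it across every executable in an unpacked firmware image and the report's "not a single one took full advantage" finding becomes a concrete list of binaries to rebuild with -fPIE, -Wl,-z,relro and a non-executable stack.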
And on that cheery note, we hope everyone enjoys the weekend! ®