Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more
Roundup Here’s a roundup of everything that’s happened in the world of infosec this week, beyond what we’ve already covered.
7Zip gets 7Ripped
Researchers have poked a hole in the 7-Zip archiving tool, and you’ll want to update the software as soon as possible.
The bug, discovered by researcher landave, allows remote code execution by way of poisoned RAR files, though the RAR payload can also be disguised as other archive formats.
Because the flaw can be exploited fairly easily on fully patched Windows 10 machines, you will want to update to 7-Zip version 18.05 or later.
Russian positioned to hack US voting systems
The US Senate Intelligence Committee said this week that Kremlin-linked hackers at least tried to “alter or delete voter registration data” for a small number of America’s states before the 2016 presidential election. There is no evidence votes were changed, and Homeland Security warned last year that Russia had targeted voting systems in 21 states during the White House race.
Most of the “attacks” were scans for vulnerabilities and open services, but against at least six states, Moscow’s miscreants “conducted malicious access attempts on voting-related websites.” The upshot is: Russia tried to meddle with the computer systems running the elections, and thus voting systems must be tightly secured in future.
Rowhammer swings again with network-based attacks
It has been three years since the infamous ‘Rowhammer’ technique was first disclosed, and the menace of the bit-slamming memory attack is still being exploited in new and devious ways.
This time it is network connections that have been found vulnerable to the brute-force memory corruption trick. Researchers from Vrije Universiteit in Amsterdam found [PDF] that network packets can be used to trigger the bit-flipping error conditions on any machine that has remote direct memory access (RDMA) enabled.
This means that, for the first time, Rowhammer has been shown to be remotely exploitable and an attacker no longer requires local access to a machine in order to take advantage of the vulnerability.
What’s worse, RDMA is a favorite technique for low-latency network setups, meaning the vulnerable systems are high-value targets like cloud providers and data centers.
iOS 11.4 leaves USB port USBricked when inactive
Apple has added a new security measure to the next version of iOS that will make it harder to get around the unlock screen of a handset, particularly one that hasn’t been used for some time.
Elcomsoft explains that under iOS 11.4 (now in beta) the lightning/USB port on the iPhone will become partially locked down during long idle periods.
Specifically, when the iPhone hasn’t been unlocked in seven days, the port will go into power-only mode and will not make any data transmissions until the handset is unlocked again via its passcode. This means people who seize a phone (via legal or other means) will not be able to use the USB connection to get around locks unless they do so immediately.
It remains to be seen what this could mean for law enforcement tools like GrayKey that are used to get around iPhone lock screens via Lightning.
Georgia comes to its senses, kills stupid ‘hacking’ bill
The infamous Georgia state legislation that would have criminalized many forms of white hat hacking has been put on ice.
Governor Nathan Deal on Tuesday vetoed SB315 amidst pressure from the software and IT industries in the state. The bill would have tightened restrictions on unauthorized access, including criminalizing cases where someone got into a system but did not steal any data.
Many security professionals had opposed the bill arguing that it would have a chilling effect on network security testing and bug-hunting practices.
‘Electrum Pro’ caught lifting coins
Cryptocoin investors will want to make sure they’re not running the malicious ‘ElectrumPro’ wallet, which researchers believe is stealing coins from users.
As BlockExplorer explains, the wallet app is apparently malware in disguise, as it has been caught lifting the seed code of users. This, potentially, would allow the controller of the malware’s domain to get into user wallets.
The site recommends that anyone who has been using the infected wallet should immediately move their cryptocoins to a new, secure wallet, as anyone who had access to the ElectrumPro domain would now potentially be able to remotely access and steal user coins.
Bolton considering eliminating top cybersec job
Sentient mustache John Bolton is reportedly looking to eliminate one of Washington DC’s top infosec jobs.
A report citing sources familiar with the matter says that the White House cybersecurity coordinator position will soon be no more. Security guru Rob Joyce currently holds the position, but is set to step down.
When that happens, Bolton is reportedly planning to leave the position unfilled, effectively doing away with the job altogether and handing over many of its responsibilities to Mira Ricardel, Bolton’s deputy National Security Advisor.
As with many of the Trump administration’s hatchet jobs, the cybersecurity coordinator position was a creation of the Obama regime.
Government cybersecurity experts are, not surprisingly, said to be less than enthused about this move as it suggests the NSA is putting less of a focus on cybersecurity – or at least employing one fewer cybersecurity expert in its ranks.
State department hacking bill approved
Elsewhere in Washington, DC, the House of Representatives has advanced a bill to invite security researchers into the State Department’s folds.
The excellently named Hack Your State Department Act was approved by the Foreign Affairs committee, meaning the bill is one step closer to a full vote.
The act would establish a research and bug bounty program for white hats who wish to seek out security vulnerabilities in US State Department websites.
The bill is being championed by the bi-coastal, bi-partisan duo of the Teds Lieu (D-CA) and Yoho (R-FL).
Bad Panda makes you a sad panda
F5 Labs has uncovered a new banking malware strain that uses a cute name to hide a scary attack.
Dubbed ‘Panda’, the account-stealing malware is actually a variant on the infamous Zeus trojan that targets banks and cryptocurrency exchanges. In addition to web injects (adding content to otherwise legitimate pages), the malware is able to capture screenshots and log keystrokes. It also has a remote access component that could allow the attacker to break into your machine and get anything they couldn’t lift via the surveillance components.
F5 recommends keeping all anti-malware software up to date in order to prevent infection.
Google Play hit with more malware woes
No, this is not a repeat. More malware nasties have been found lurking in the Google Play store. This time, researchers at Symantec say, it is educational apps and games that are being used as the trojans for the Android infections.
Researchers May Ying Tee and Martin Zhang found more than three dozen examples of such apps having snuck through the Play Store’s screening process, serving Android users additional downloads of adware and click-fraud apps that covertly load up other web pages and blogs in order to inflate affiliate traffic.
Wild pwnberries blossom on Chrome
Elsewhere in Google malware woes, we have a Chrome plug-in attack based on a children’s cartoon. How quaint.
Researchers with Radware say the malicious plugin, dubbed ‘Nigelthorn’, also hijacks infected machines to mine cryptocurrency. Disguising itself as ‘Nigelify’, a Chrome plug-in that turns images on a web page into cartoon character Nigel Thornberry of ‘Wild Thornberrys’ fame, the malware is being spread through Facebook spam and phony YouTube pages.
Both Windows and Linux versions of Chrome are vulnerable to the nasty add-on.
Tor pedo ‘glad to be caught’
The fallout from the FBI’s Playpen operation continues, with another pervert being jailed for using the child abuse site, but this one says he’s happy to be sent down.
Irishman Conor Emmet, 20, was jailed for 156 months on Friday after the FBI passed his IP address to Dublin police. He was found with 5,919 images and 328 video files of child abuse, including one video involving an 18-month old child. Police used that video to identify and rescue the child in Thailand.
Emmet admitted his crimes, saying he was glad the police caught him, and has already begun a treatment program. For that reason the judge only gave him half the maximum sentence and suspended a portion of it. Nevertheless, one more child-abuse enabler is off the streets.
In brief
The source code to sales-terminal-infecting malware TreasureHunt has leaked, according to FlashPoint, meaning that miscreants can get their hands on blueprints to credit-card-stealing spyware. Also, Signal pushed out a fix for its Electron-based desktop client after someone found a remote cross-site scripting vulnerability.
And finally, UK telco EE was accused of leaving two million lines of internal source code, plus AWS account keys, out in the open with the username-password pair of admin-admin, allowing crims to skim the files for vulnerabilities. EE insisted no customer data was lost or stolen. ®