Security Briefing – 12.12.2017
Germany’s spy agency – Bundesamt für Verfassungsschutz (BfV) – has published eight of the most active profiles it says are used on LinkedIn to contact and lure German officials for espionage purposes. No surprises here – the young professionals the profiles portray are hot, enticing, and fake. BfV alleges that they’re just fronts used by Chinese intelligence to gather personal information about German officials and politicians. Virtual Personas (VP) are common.
According to security researcher Michael Myng, HP made another debug-code-in-real-build mistake this year, leaving a deliberately created keylogger built into the keyboard drivers on a number of HP laptop models. Myng says he started disassembling HP’s keyboard driver to help a friend, who wanted to figure out how to take control of the keyboard backlight. Fortunately, Myng reports: “I messaged HP about the finding. They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace.”
Confidence has been growing in the ‘cloud first’ initiative the Federal Government started in 2011. Federal IT managers have concluded that cloud technology will meet — and even exceed — government data protection requirements, two recent reports indicate. Importantly, there is also an emerging trend among agencies toward using cloud technology by itself, either as a complete cyber-protection system or as a tool to provide both specialized and comprehensive cybersecurity capabilities. (Azure)
Researchers from security firm 4iQ have discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text. Researchers said the massive 41GB archive contains 1.4 billion username, email, and password combinations—neatly fragmented and sorted into two- and three-level directories. The archive was last updated at the end of November and didn’t come from a new breach—but from a collection of 252 previous data breaches and credential lists. The collective database contains plain-text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.
As promised last week, Google’s Project Zero researcher Ian Beer has now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources. The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, and the company patched them with the release of iOS 11.2 on 2nd December.
Researchers at Dell Secureworks are warning that a vulnerability in two keyless entry products could allow local attackers to lock and unlock doors and create illegitimate RFID badges by sending unauthenticated requests to affected devices. Impacted are two AMAG Technology Symmetry IP-based access door controllers used in keyless door models EN-1DBC and EN-2DBC. Researchers say that if the devices are deployed with default configurations, attackers could abuse the systems by sending unauthenticated requests to the door controllers via serial communication over TCP/IP.
Among the four dozen vulnerabilities Google patched this week was a fix for a bug that allowed attackers to inject malicious code into Android apps without affecting an app’s signature verification certificate. The technique allows an attacker to circumvent device anti-malware protection and escalate privileges on a targeted device with a signed app that appears to be from a trusted publisher, according to researchers. The vulnerability, dubbed Janus, was discovered earlier this summer by Eric Lafortune, CTO of GuardSquare. He reported the bug (CVE-2017-13156) to Google in July. Google patched the vulnerability as part of its December Android Security Bulletin. The bug was publicly disclosed on Thursday.
Worldwide IT security spending is expected to climb 8% next year to $96.3 billion, fueled by investments in identity access management and security services – two areas on tap to rise faster than the overall spending growth rate, according to a Gartner report released this week. Identity access management (IAM), the smallest slice of the overall IT security spending pie, is expected to jump 9.7% to $4.7 billion in 2018 over the previous year. Security services, the largest slice of the spending pie, are projected to increase 8.8% to $57.7 billion in 2018, compared with the previous year. And within the security services sector, spending on outsourcing services is expected to jump 11% to $18.5 billion in 2018.