Apple Steps Up Encryption to Thwart Police Cracking of iPhones*:
- Apple is strengthening encryption on its iPhones to thwart police efforts to unlock handsets without legitimate authorization.
- This is the latest in an ongoing clash with law enforcement, and comes amid reports of growing use of a tool known as GrayKey which can enable police to bypass iPhone security features.
- Apple said the new features are not designed to frustrate law enforcement but prevent any bypassing of encryption by good or bad actors.
- Apple said in a statement, we put the customer at the center of everything we design. We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data.
- It was working a fix to mitigate the possibility of accessing data from GrayKey or similar tools.
- The company has been a target of some in law enforcement for rejecting efforts to allow easy access to iPhones.
*Source: Bank Info Security, June 13, 2018
5.9 Million Card Details Accessed in Dixons Carphone Hack*:
- Dixons Carphone, announced today that it is investigating "unauthorised access to certain data held by the company."
- It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Curry’s PC World and Dixons Travel stores," and "1.2m records containing non-financial personal data, such as name, address or email address."
- This may turn out to be the biggest ever breach in the UK.
- There are reports that the incursion started in July 2017, but it is not yet known whether the incident will be considered under the UK Data Protection Act 1998 or GDPR that came into effect this year.
- If the whole incident is considered under GDPR rules, the ICO could potentially fine Dixons Carphone up to 4% of its annual global revenue.
- The fact that this breach has only just been identified through a routine security review can be viewed from two sides – it’s great that this breach was identified as it proves that the review process and scanning for vulnerabilities works; on the other hand, why did it take almost a year for the breach to be discovered.
- The scale and time-frame of this data breach is staggering, initial attempts to access data began in July last year, yet this was only discovered over the past week, indicating that the company lacks vital threat detection capabilities.
- Many other companies are much less courageous to tell the truth, as even in light of GDPR enforcement, the new law cannot monitor proper disclosure of inconspicuous data breaches.
- Others, however, fear that the statement attempts to minimize actual harm over and above warning the victims about potential future harm.
- The statement also implies that victims needn't worry about their card details, since by far the majority are chip and PIN cards, and no CVVs were included.
- While Dixons has said that there is no evidence of fraud taking place, now the data is in the criminal sphere, it's unlikely to be long before it starts being shopped around amongst criminals, with ensuing phishing and brute force attacks launched.
- While victims will need to monitor their bank accounts closely and be suspicious of all incoming Dixons Carphone-related emails; businesses in general and the cybersecurity industry in particular will be monitoring the reaction of the data protection regulator.
- If the ICO finds that Dixons Carphone was negligent in its protection of customer data, it could levy a significant fine.
*Source: Security Week, June 13, 2018
Weaponing IPv6 to Bypass IPv4 Security *:
- Just because you're not yet using IPv6 doesn't mean you're safe from the protocol's attack vectors.
- Circa 1996, the Internet Engineering Task Force (IETF) took proactive steps to develop a successor to IPv4 in the form of IPv6.
- In stark contrast to the 4.3 billion addresses allowed by IPv4's 32-bit design, IPv6 theoretically delivers 7.9 x 10 to the 28th power more addresses.
- IPV6 Attack Vectors: As of last year, IPv6 has become an Internet standard, meaning that technology and processes are now in place allowing organizations to make a relatively smooth transition.
- Researchers ran a test to find out whether organizations would still be susceptible to IPv6 attack vectors, even if they had a high degree of security maturity from an IPv4 standpoint and did not explicitly use IPv6.
- The key takeaway from this experiment is that when either IPv6 or IPv4 is set up for auto-configuration but no configuration servers are on the network, other attacks are possible by introducing rogue servers to answer configuration requests.
- Modern operating systems prefer IPv6 over legacy IPv4 and will use a rogue IPv6 connection by default if one is available.
- This allows an attacker to hijack traffic such as Domain Name System lookups, creating a potentially bad security problem.
- There are already tools widely available to exploit this type of configuration attack.
- It would seem that the best way to guard against these types of IPv6 style attacks would be to disable IPv6 – however, this is not recommended for several reasons.
- Many newer applications will now fail to work correctly if IPv6 is disabled.
- Similarly, although your organization may not yet be using IPv6, it's only a matter of time before it becomes a requirement.
- Instead of disabling IPv6, consider its presence and ensure that any security rules applied to IPv4 are being replicated to IPv6 and monitored in the same ways.
- Consider deploying and using IPv6 (at least on small portions of the network) as soon as possible to gain valuable experience working with the protocol and learning its nuances before finding yourself in a situation playing catch-up.
*Source: Dark Reading, June 12, 2018
Banco de Chile Lost $10 Million While Battling Virus Infection*:
- Hackers infiltrated the IT systems of Banco de Chile with disk-wiping malware, causing chaos and distracting from the theft of $10 million via the international Swift network.
- The Chilean bank in late May reported that it needed to disconnect work stations and interrupt certain regular procedures to control the spread of a virus that crashed branch and telephone banking systems across the country as it wormed its way onto desktop computers.
- The KillDisk virus is believed to have infiltrated a large part of the bank's 9000 computers and 500 servers, wiping hard drives and leaving them in a non-rebootable state.
- A recent report connected the modus operandi used by the attackers to a recent attempt by hackers to steal over $110 million from Bancomext.
- The attack was used only as a distraction, and the end goal was to access the systems connected to the bank’s local Swift network.
- Banco de Chile has confirmed that four fraudulent transactions were carried out during the incident.
- The bank is taking legal action against an unidentified correspondent in Hong Kong in an attempt to retrieve the stolen funds.
*Source: Fine Extra, June 11, 2018
Windows Users Attacked via Critical Flash Zero-Day: Patch Now, Urges Adobe*:
- Advanced hackers have demonstrated that you really don't need browsers to exploit Flash Player vulnerabilities on Windows – Office does the job just fine.
- Adobe has released an update to address a critical flaw affecting Flash Player that is actively being exploited, otherwise known as a zero-day flaw.
- Adobe is urging users to update from Adobe Flash Player 184.108.40.206 to the patched version, 220.127.116.11.
- An exploit for the flaw, CVE-2018-5002, is stealthily delivered in emailed Excel attachments using a novel technique designed to minimize the risk of detection by antivirus and frustrate forensic analysis.
- Instead of embedding malicious Flash content directly in the Office document, which might be detected by analysing its code, the Excel file calls in the Flash exploit from a remote server.
- The remote inclusion helps evade detection because the document doesn't contain any malicious code.
- After opening the malicious Excel document, it will request a malicious Shock Wave Flash (SWF) file that is downloaded from an attacker-created domain.
- The SWF file then requests encrypted data and decryption keys, which the attacker uses to open and run the Flash exploit.
- Once the Flash vulnerability is triggered, the file requests malicious shell code from the remote server and executes it on the victim's machine, which delivers a Trojan that probably establishes a backdoor on the machine.
- The combined use of remote inclusion and public-key cryptography to conceal the exploit makes it extremely difficult for responders to analyse an infection.
- All data transmitted from the attacker's server to the target machine is shielded by a symmetric AES cipher, while the symmetric AES key is protected by an asymmetric RSA cipher.
- While browsers such as Chrome block Flash, Office for now supports embedded Active X controls for Flash.
- Microsoft's advisory for Adobe's latest update offers instructions for admins to prevent Flash Player from running in Office.
*Source: ZD NET, June 9, 2018
China Hacked a Navy Contractor and Secured a Trove of Highly Sensitive Data on Submarine Warfare*:
- Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.
- The breaches occurred in January and February.
- The hackers targeted a contractor who works for the Naval Undersea Warfare Centre, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.
- Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.
- The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network.
- The material, when aggregated, could be considered classified, a fact that raises concerns about the Navy’s ability to oversee contractors tasked with developing cutting-edge weapons.
- The breach is part of China’s long-running effort to blunt the US advantage in military technology and become the preeminent power in East Asia.
- The Navy is leading the investigation into the breach with the assistance of the FBI.
- A Navy spokesman said, “There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information.”
- The Sea Dragon project is an initiative of a special Pentagon office stood up in 2012 to adapt existing U.S. military technologies to new applications.
- Sea Dragon will introduce a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.”
- The Pentagon has requested or used more than $300 million for the project since late 2015 and plans to start underwater testing by September.
- In recent years, the United States has been scrambling to develop new weapons or systems that can counter a Chinese naval build-up.
- For years, Chinese government hackers have siphoned information on the U.S. military, underscoring the challenge the Pentagon faces in safeguarding details of its technological advances.
- Investigators say the hack was carried out by the Chinese Ministry of State Security, a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security.
- In September 2015, in a bid to avert economic sanctions, Chinese President Xi Jinping pledged that China would refrain from conducting commercial cyberespionage against the United States.
- Following the pact, China appeared to have curtailed much, although not all, of its hacking activity against US firms.
*Source: Washington Post, June 9, 2018