Hacking and infosec news: February 21, 2017
This past week in security saw a jaw-dropping study come out on exposed cyber assets in US cities, Hacking Team tools allegedly surface in DNC hack samples, Google's Project Zero swipes at Microsoft (again), some RSA attendees were pwned, and more. 

You'll see a few RSA-related items here as well, but stay tuned for a juicy RSA wrap-up post I'll be publishing here in the next few days.

Cover y(our) assets

Trend Micro published a new paper on which cities have the most "exposed cyber assets" -- including Industrial Control Systems (ICS) -- and it's as alarming as anyone can imagine. They define exposed cyber assets as "Internet-connected devices and systems that are discoverable on Shodan or similar search engines and can be accessed via the public Internet." 

Their study US Cities Exposed: Industries and ICS found that in the emergency services sector, Houston, Texas and Lafayette, Louisiana had the highest number of exposed cyber assets. In the financial services sector, New York City, the financial hub of the US, had the most; in the education sector there are a lot -- Philadelphia alone had more than 65,000 exposed devices. "With the proliferation of cyberterrorism by rogue nations and terrorist groups," the authors emphasized, "exposed cyber assets pose serious threats to both national security and the daily functioning of cities."

Hacking Team tools used on DNC?

Patrick Wardle, an ex-NSA staffer currently helming the bug hunting at Synack, is convinced that the Mac warez used by the Russian group said to have pulled off the DNC hacks is from Hacking Team's toolkit. Last week, "malware said to belong to the Russian group behind the hack of the Democratic National Committee, known as APT28 or Fancy Bear, leaked online." 

The APT28 code resembled Hacking Team's malware in many ways, Wardle told press. Specifically, that the two malware samples used the same techniques for injecting code onto a target system. Indeed, Russia's "Intelligence Kvant Research" was listed in Hacking Team's client base, and along with Sudan was marked by HT as "not officially supported."

File under 'mergers and acquisitions'

Announced last Thursday (and lost amid the RSA swirl), F-Secure acquired Inverse Path, a hardware and embedded system security firm. Just a day before, Ghostery announced it was acquired by Cliqz, a German privacy-focused browser (backed by Firefox) that plans to use the ad-tracker tool to help expand its user base. 

The financial terms of both deals are still undisclosed. "The Ghostery business will split along a clear seam: The consumer-facing privacy extension will go to Cliqz, while the B2B digital governance side of the business will function as a separate entity under Evidon, the company’s original name." This should please critics of Ghostery's (now former) alliance with ad companies.

Don't pass on the update

If you use 1Password, take note: This weekend AgileBits announced that any customers who downloaded 1Password for Mac will need to update the software manually to the latest version. The company explains it's due to "an expired provisioning profile and format change in the developer certificate." Anyone using 1Password from the Mac App Store is not affected.

Oops they did it again

Google's Project Zero has once again spanked Microsoft for failing to patch a critical Windows vuln, derestricting publication of the 0day's proof of concept code for all to see and enjoy. The vuln affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, and is still a live exploit. 

Last October, the Project Zero hackers previously disclosed a different critical Windows 0day ten days after reporting it to Microsoft, saying that they'd published the PoC because they'd seen the vuln being exploited in the wild. With this new issue, Google claims Microsoft has been sitting on the issue sans patch since Zero reported it to them on June 9th of last year.

Hack an app, win a free car!

Turns out there are a lot of security problems with apps for connected cars, and no one is terribly surprised. Still, researchers made a few headlines at RSA last week when they presented on car app issues in two separate instances. 

For one talk, Kaspersky hackers published their findings on six car apps that have "unencrypted user credentials, and all of them had little in the way of protection against reverse-engineering or the insertion of malware into apps." 

In another room, IBM's X-Force Red leader Charles Henderson demonstrated through his own personal experience that used cars can still be controlled by their previous owners' apps. Henderson pointed out a few more troubling things in his talk, such as the fact that dealers hold the reset passcodes on these apps, and that assurances about distance preventing former owners controlling used cars are preventive measures that can easily be spoofed.

Microsoft's Digital Geneva Convention

Also during the RSA noise, Microsoft shared a screed that caught it a lot of flak in online infosec circles. The company published The need for a Digital Geneva Convention, citing the global overwhelm of hacks and hacking to bring everyone in the industry together to "call on the world’s governments to implement international rules to protect the civilian use of the internet." The piece came out the day after The Conversation asked in an opinion piece, Should cybersecurity be a human right?

Just like how civilians are protected during times of war by the Fourth Geneva Convention, Microsoft thinks we're in a time of cyberwar and that should be extended similarly, somehow. There's a lot to digest in the manifesto, which calls on governments as much as the infosec sector, and there's quite a bit of boasting about what Microsoft has done to make the world cyber-safer. It also digresses into a heavy emphasis on protecting "customers," losing its language that began with protecting citizens, making perhaps some of the company's interests a bit too transparent.

Maybe they should keep up with patching those Project Zero bugs first, eh?

Not feeling very Yankee Doodle Dandy, thanks

Woe to the hacker who travels to the US for a job interview. Our favorite headline mangler (kidding guys, love you, maybe) published The Register's guide to protecting your data when visiting the US. The results aren't great, and we can only expect this issue to increasingly have an impact on that "pipeline" problem with cybersecurity jobs everyone keeps talking about. 

Trump security still sucks

Trump's fundraising site subdomain was defaced, with claim going to an Iraqi hacker. Apparently it was done with a subdomain takeover technique documented by Detectify Labs back in 2014.

Pwned at RSA

Vendor Pwnie Express discovered multiple rogue access points on the show floor that were used to hack the RSA conference attendees. Pwnie was apparently killing time on the RSA Conference show floor passively scanning the airwaves (as you do) and found multiple instances of EvilAP attacks. This is when a rogue access point tricks people's devices into thinking they're connecting to a known, safe access point.

EsecurityPlanet has a video

Access to universities and government orgs for sale

Recorded Future reports that a Russian-speaking hacker is selling SQLi for unauthorized access to over 60 universities and government agencies. Named Rasputin, the hacker group was behind a recent breach of the Election Assistance Commission. 

The federal agencies and Rasputin's other targets cover more than two dozen colleges, a few UK universities, state and local agencies, and the Fermi National Accelerator Laboratory, and the U.S. Department of Housing and Urban Development. 

The UK universities include Cambridge, Edinburgh, Leeds and Oxford; US universities include Cornell, Virginia Tech, NYU, UCLA, and Purdue. All were, and some still are, vulnerable to a SQL injections attack. RF's post lists all the universities and government orgs in the SQLi sale, but regretfully didn't notify everyone on the list before hitting "publish."

Thank you!

Thank you for reading, but most especially, thank you for supporting this little labor of love. I appreciate it more than you know.

Main post image via Trend Micro's report, US Cities Exposed: Industries and ICS.