Hacking and infosec news: March 27, 2017
This week's brief sees Apple dissing Wikileaks and iCloud extortionists, DC cops prepping to crack 100 Trump protestor phones, British authorities demanding encryption backdoors, the ongoing phishing scandal eating Let's Encrypt from within, and much more.

Apple slaps WikiLeaks, disses iCloud extortionists

As you may have heard, malicious hackers have threatened to screw over 200 million iCloud account holders if Apple doesn't pay a $75,000 ransom in bitcoin, or $100,000 in iTunes gift cards, by April 7.

Despite clickbaity bloggers claiming that some of the account logins obtained in a sample are valid, security professionals have been calling BS on the matter. Many, including Apple, believe the credentials to be sourced from among the many breaches and dumps for sale -- an increasingly common tactic.

"There have not been any breaches in any of Apple's systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," an Apple spokesperson told SC Media. It doesn't make matters easier, SC added, that some press outlets are being really helpful about hyping the validity of the blackmailer's claims.

While we're on the subject of Apple, the company had no time to play patty-cakes in the press with Julian Assange last week when WikiLeaks dropped more docs with vulns for iPhone and Mac. The company issued a statement that was a straightforward slap to WikiLeaks, saying all the bugs were not only super old, but that they'd all been fixed long ago. "Thus far," Apple said, "we have not received any information from them that isn’t in the public domain."

D.C. cops to crack Trump inauguration protester phones

Back in February I posted here about one of the individuals who was arrested at protests over the inauguration of Donald Trump, who received an email from Facebook’s “Law Enforcement Response Team.” At least one other inauguration arrestee was also targeted for social media investigation. Over 230 people were arrested in D.C. at the protests (including press and medics), and all of their phones were confiscated and retained.

Well, that particular vulture is coming home to roost. The Register reports that court documents now reveal the authorities' efforts to crack around 100 of the arrestees' phones, and access the contents. 

"The government is in the process of extracting information from the rioters' cellphones pursuant to lawfully issued search warrants, and expects to be in a position to produce all of the data from the searched rioter cellphones in the next several weeks," the filing reads. The prosecutors also plan to try the accused en masse to save time, which many believe to be a violation of everyone's right to a fair trial, because it totally is.

"All of the rioter cellphones were locked, which requires more time-sensitive efforts to try and obtain the data."

Terror in London reignites demand to break encrypted apps

The call for backdoors in encrypted apps has reignited in Britain, after a top British security official told press that the Westminster Bridge attacker sent an unknown WhatsApp message before the attack. Home Secretary Amber Rudd used appearances on BBC and Sky News to rail against WhatsApp and other encrypted services, saying it was “completely unacceptable” that WhatsApp was enabling terrorists.

"We need to make sure that organisations like WhatsApp – and there are plenty of others like that – don’t provide a secret place for terrorists to communicate with each other."

The Telegraph reports that Rudd also confirmed the UK Government is considering legislation to force online firms to take down extremist material.

Let's Phish

Let's Encrypt has a phishing problem -- or more accurately, phishers really love the free security certificate service. According to SSL/TLS reseller The SSL Store, "between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word PayPal."

The SSL Store's Vincent Lynch wrote in a blog post that the "vast majority of this issuance has occurred since November – since then Let’s Encrypt has issued nearly 100 “PayPal” certificates per day."

Based on a random sample, Lynch said, 96.7% of these certificates were intended for use on phishing sites. This is not going to end well for consumers, since the security industry and digital liberties groups have taught users to think of HTTPS and the green padlock as signifying a safe site. 

Lynch adds that while their analysis has focused on fake PayPal sites, his firm's findings have spotted other SSL phishing fakers that include Bank of America, Apple IDs, and Google. 
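The kind of check behind the PayPal tally above can be run by anyone who monitors Certificate Transparency logs for their own brand. The following is an added example (not code from the post or The SSL Store): it takes CT-style records, flags certificates whose names contain a brand keyword outside the brand's own domains, and counts them per issuer. The sample records, the brand list and the allow-list of legitimate domains are all constructed assumptions.

```python
"""Flag brand-keyword certificates in Certificate Transparency-style records.

Added example, not from the original post. The records below are constructed;
a real monitor would pull them from a CT log's get-entries endpoint or a
CT search service. Brand names and legitimate domains are assumptions.
"""
from collections import Counter

# Constructed sample: one dict per issued certificate, as a monitor might
# normalise them from CT entries (issuer name plus the leaf's DNS names).
SAMPLE_CERTS = [
    {"issuer": "Let's Encrypt Authority X3", "names": ["www.paypal.com"]},
    {"issuer": "Let's Encrypt Authority X3",
     "names": ["paypal-secure-login.example", "www.paypal-secure-login.example"]},
    {"issuer": "Let's Encrypt Authority X3", "names": ["account-paypal.verify.example"]},
    {"issuer": "Let's Encrypt Authority X3", "names": ["blog.example"]},
    {"issuer": "Other CA", "names": ["paypal-update.example"]},
    {"issuer": "Let's Encrypt Authority X3", "names": ["appleid-confirm.example"]},
]

# Assumed allow-list: registrable domains each brand actually operates.
LEGIT_DOMAINS = {"paypal": {"paypal.com"}, "apple": {"apple.com"}}

def registrable_domain(name):
    """Naive registrable domain (last two labels). Production code should
    consult the Public Suffix List so 'paypal.co.uk'-style names resolve right."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_names(cert, brands=LEGIT_DOMAINS):
    """Return (brand, name) pairs where a DNS name contains a brand keyword
    but sits outside a domain that brand operates. Plain substring matching
    will also catch innocent names such as 'pineapple.example'; a real
    monitor would add a review step before acting on a hit."""
    hits = []
    for name in cert["names"]:
        lower = name.lower()
        for brand, legit in brands.items():
            if brand in lower and registrable_domain(lower) not in legit:
                hits.append((brand, name))
    return hits

def summarise(certs, issuer_substring="Let's Encrypt"):
    """Per-issuer tally of flagged certificates, the same kind of count as
    'certificates containing the word PayPal' in the post."""
    counts, flagged, total = Counter(), 0, 0
    for cert in certs:
        if issuer_substring not in cert["issuer"]:
            continue
        total += 1
        brands = {b for b, _ in suspicious_names(cert)}
        if brands:
            flagged += 1
            counts.update(brands)
    return {"issuer_certs": total, "flagged": flagged, "by_brand": dict(counts)}
```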

Speaking of certs, Google's Chrome team said they're now going to restrict TLS certificates sold by Symantec-owned issuers effective immediately, citing "a continually increasing scope of misissuance." 

Google's Ryan Sleevi wrote that they "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years" and that Symantec has "created significant risk for Google Chrome users."

When good antivirus goes bad

Security firm Cybellum found an attack that turns antivirus programs into dirty, dirty agents of attack, and they've named it DoubleAgent to reflect the way it flips something you trust. They tell us that DoubleAgent "exploits a 15 year old vulnerability which works on all versions of Microsoft Windows, starting from Windows XP right up to the latest release of Windows 10." 

From there, it can be leveraged to do all kinds of nasties to your beloved bits, including turning your antivirus into malware or ransomware, and other scary stuff.

All vendors were notified 90 days ago, but most have dragged their feet in coming out with fixes. The affected antivirus companies include AVG, Malwarebytes, Avast, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, McAfee, Panda, Quick Heal and Norton. Network World has an updated list of who has fixed their products and includes the companies' statements in their post.

No, it'll be just fine to let IoT self-regulate

Refrigergeddon is finally upon us, according to an entertaining and depressing piece called "This is the dishwasher with an unsecured web server we deserve." This weekend brought news of CVE-2017-7240, courtesy of Jens Regel of Schneider & Wulf, who spotted a directory traversal vuln on a Miele dishwasher. Regel notified Miele 90 days ago, and despite this, "We are not aware of an actual fix," he wrote on SecLists. 

North Korea gets pinned with SWIFT heists

If you're keeping up with the SWIFT bank heists, developments appear to be happening -- with the caveat that the reporting is based on "sources close to the matter." Regardless, the U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist, an official briefed on the probe told Reuters.

And now, CNBC tells us U.S. prosecutors "are building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York last year, and that would charge alleged Chinese middlemen." 

Meanwhile, researcher Simon Choi made a fancy SWIFT hacks chart. SWIFT, for its part, has cut off North Korea and is generally cranky about the matter.

Senators defining vulns, what could go wrong?

It seems like everyone and their cat has an opinion on the U.S. government’s vulnerabilities equities process (VEP) these days -- including lawmakers. 

Now there's a bill in the works from Senators Brian Schatz (D-Hawaii) and Ron Johnson (R-Wis) that sets a standard definition for "software vulnerability" and calls for the creation of "a central office or authority would be responsible for reaching out to companies." At least one security figurehead thinks this is a really stupid idea.

Oh Deere

Two great longreads you might've missed include a detailed breakdown on the new necessity in America's heartland of tractor hacking, and a superb profile on Russia's most notorious cybercriminal.

"To avoid the draconian locks that John Deere puts on the tractors they buy, farmers throughout America's heartland have started hacking their equipment with firmware that's cracked in Eastern Europe and traded on invite-only, paid online forums." (Motherboard)

"In 2015, the State Department put a $3 million bounty on Bogachev’s head, the highest reward the US has ever posted for a cyber­criminal. But he remains at large." (Wired)

We could've predicted it with tea leaves

Remember the mini-storm that raged about the Slate article claiming that Donald Trump's Russia connections were confirmed with the discovery of a secret email server and a Russian bank? News outlets took the bait and ran with it, while the infosec community took about ten minutes to debunk the story.

Now the bank in question is going after the source of the accusations, researcher L. Jean Camp and their cohort, "tea leaves." CyberScoop reports "Alfa Bank notified Indiana University computer researcher L. Jean Camp that it’s pursuing “all available options” after Camp’s research suggested the bank engaged in some form of communication with the Trump Organization." 

Those options include using the CFAA. Additionally, "the bank issued a press release saying it had discovered three attempts to spoof its DNS requests in order to make it appear it was still communicating with a Trump Organization server."

Thank you!

Thank you for reading and sharing this little labor of love! It wouldn't be possible without your donations and support -- and for that I am deeply, happily, and truly grateful. 

Main post image: Screencap of a tweet by @kallisti5.
