Enjoy my handpicked highlights below of the week that was in hacking and infosec -- and please consider a Patreon donation to keep this roundup going. Or, of course, a link back or share if you find this helpful. Spreading the word helps a lot, especially since I seem to be the only woman doing something like this.
As you know, the ODNI Declassified IC Assessment of Russian Activities and Intentions doc was released last week, in which the CIA, FBI and NSA published what may be the most high-profile intel assessment in our country's history. Still, the Atlantic called the 25-page report "An Intelligence Report That Will Change No One’s Mind," though there is a bit of pressure for Trump to soften his pro-Russia rhetoric.
The FTC made waves when it announced it was taking D-Link to court for making false promises about wireless router and webcam product security -- and chose the timing to also announce its "IoT Home Inspector Challenge" bug bounty. D-Link clapped back hard mere hours later with a salty and snappy statement noting that the FTC didn't point out any specific cases of product breach in the US.
"The FTC speculates that consumers were placed 'at risk' to be hacked," D-Link said, "but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries." The company said it "maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices."
But by the way the FTC has come out swinging in 2017, I believe we can expect to see much more from the agency this year.
Of interest to our hacker family in New York, and those interested in presenting at NYC hackerspaces as well as conferences like HOPE: New York Gov. Andrew Cuomo announced cybersecurity proposals in his 2017 State of the State address on Sunday.
He said that New York's "laws must keep pace in order to combat these increasingly sophisticated criminal acts" and he proposed updating NY's cybercrime and identity theft laws, including ramping up computer tampering laws and punishments for ID theft. Cuomo announced the creation of an incident response team to "serve as a go-to resource for non-executive agencies, local governments and public authorities in how to better protect their information technology assets, critical operating systems and data from cyberattacks, malware and ransomware."
Shadow Brokers just keep on brokering... The Brokers say they're now selling the NSA's Windows 0days and assorted exploits (which are, of course, at least three years old, but still appear to be in working condition).
The confusing, heated St. Jude pacemaker drama reared its ugly head again this week, when St. Jude Medical announced it's going to deploy the latest release of patches/updates for its Merlin remote monitoring system ... while saying it's not aware of any cyber security incidents related to a St. Jude Medical device. To be clear: Some outlets are reporting that St. Jude has fixed its heart-monitoring devices, but the company is actually just rolling out a fix, to be then updated by admins or users.
This comes five months after the U.S. government launched a probe into claims that the devices were vulnerable to potentially life-threatening hacks. Reuters writes, "Doctors and patients have been waiting for action from the FDA and St. Jude since August when short-selling firm Muddy Waters and cyber security firm MedSec Holdings claimed the implanted heart devices were riddled with potentially lethal security bugs."
When the report first hit the news, shares of St. Jude immediately fell 5 percent. At the time, St. Jude called the Muddy Waters report "absolutely untrue," saying most of the findings applied to older and unpatched versions of its devices. MedSec received loads of criticism for identifying the medical device vulns and approaching Muddy Waters so it would short St. Jude and give MedSec a percentage of the profits.
In the realm of interesting attacks, Daniel Miessler writes, "I think one of the coolest new attack surfaces in coming years will be figuring out cool ways to trick our new AI buddies into doing things they shouldn’t. Here are a couple of examples ..."
Artem I. Baranov announced the release of their Wingbird rootkit analysis. "Recently one security company that investigates activity of various cybergroups, has shared with me droppers of rootkits," Baranov wrote.
"I've been surprised during its analysis, because the rootkit is well protected from analysis, as is its dropper. Analysis of both rootkits took enough time, because they contain various anti-research capabilities. The size of the rootkit and dropper files was significantly increased due to the use of code obfuscation and the presence of many garbage instructions. Moreover, both rootkits belong to one cybergroup, were developed in a targeted manner and are intended for specific victims."
Conventional wisdom in the realm of preventing ransomware has been to educate the typical end user to practice good cyber hygiene, both to avoid the invasive attack and to do forward-thinking backups... but some news this week points to a trend that might encourage companies to skip the education and rely on insurance to cover their asses instead.
Last Friday, Valley College paid a ransom of $28,000 -- or rather, their insurance policy paid -- to get their files out of hock, after a week of their files being held hostage by ransomware. "The college used a cyber-security insurance policy held by the Los Angeles Community College District to pay the ransom."
Speaking of ransomware, CSO decided to demonstrate "the speed and devastation that comes with a Ransomware attack" by infecting one of its own systems, and published this video.
After bizarrely failing to score what everyone thought would be a position as Trump's new attorney general, Rudolph W. Giuliani has continued his personal mission to "solve cyber" (something he actually said he would do). Instead, the business he built around making as much money off cronyism and cyber as possible, Giuliani Partners, has moved boldly forward into enterprise security solutions.
BlackBerry, making its shift from hardware to becoming a security platform, has been selected by Giuliani Partners to support cyber security consulting services to the government and to private firms. The recently released BlackBerry Secure platform will provide the underlying software for the firm’s cyber security consulting product. The partnership was announced at the CES 2017 conference in Las Vegas.
After founding Giuliani Partners, former New York City Mayor Rudy Giuliani became the global chair of law firm Greenberg Traurig's cybersecurity and crisis management practice in January 2016. Shortly after joining Greenberg Traurig, he did a press junket comparing hackers to Mafia and cybersecurity to cancer.
The MongoDB database ransom attacks you may have read about last week have seen the number of compromised systems more than double to 27,000 in a day. "Norway-based security researcher and Microsoft developer Niall Merrigan says the attacks have soared from 12,000 earlier today to 27,633, over the course of about 12 hours."
The FBI released docs related to the San Bernardino iPhone, as provided in response to a federal lawsuit brought by The Associated Press, Vice Media and Gannett. The 100 pages were heavily censored, showing that the agency signed a nondisclosure agreement with whichever vendor popped the phone. "The records also show that the FBI received other inquiries from companies interested in developing a product to unlock the phone."
More cool stuff to come out of CCC includes the presentation, "Talking Behind Your Back: On the Privacy & Security of the Ultrasound Tracking Ecosystem."
The researchers describe, "In the last two years, the marketing industry started to show a fast increasing interest in technologies for user cross-device tracking, proximity tracking, and their derivative monetization schemes. To meet these demands, a new ultrasound-based technology has recently emerged and is already utilized in a number of different real-world applications. Ultrasound tracking comes with a number of desirable features (e.g., easy to deploy, inaudible to humans), but alarmingly until now no comprehensive security analysis of the technology has been conducted."
A hacker called CyberZeist says they hacked the FBI's CMS -- claiming to have owned the Plone CMS system. The hacker dedicated the hack to Anonymous. CyberZeist said they nabbed creds for 155 users, including encrypted passwords and email addresses along with usernames, which they posted to Pastebin.
That's it for this week -- so far. Subscribers: stay tuned for a special ShmooCon guide, available within the next day.
And hey journalist! Yes you, the one cherry-picking this post for an article. Remember that I'm a colleague and doing this out of my own pocket, and toss me a link back. Thank you for reading :)