Phone Motion Sensors: The New Attack Vector
Quite likely, this subterfuge attack, which uses one of the more clever detection-evasion methods seen to date, is the new attaque-du-jour.
Kevin Hartnett, Senior Writer at Quanta Magazine, expounds on formal code verification as a route to attack-proof code... Similar to unsinkable ocean liners? Or is it only a matter of time before a successful attack is mounted against it? Is attack-proof code provable (as in mathematical proof)? Bear in mind what such a proof does and does not buy: it shows the code satisfies the properties that were actually specified, under the stated assumptions about the hardware and environment; a flawed specification, or an attack outside that model, is not covered. You be the judge.
“They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.” - via Kevin Hartnett, Senior Writer at Quanta Magazine
Dan Goodin, writing at Ars Technica, provides us with the surreptitious history of the malice-filled code-miscreant APT monikered Slingshot, which is apparently an alternative method of describing the devil's offspring in code-complete form. More here.
"The researchers still don't know precisely how Slingshot initially infected all its targets. In several cases, however, Slingshot operators got access to routers made by Latvian manufacturer MikroTik and planted a malicious code in it." - via Dan Goodin, slaving away over a sizzling keyboard at Ars Technica
Felix Krause, well-known founder of fastlane, has documented a heretofore undiscussed attack vector of rather gaping proportions: any Mac application, even a sandboxed one, can grab the contents of the desktop screen without the user being prompted (presumably via the CoreGraphics screen-capture call CGWindowListCreateImage, which hands back a CGImageRef, as reported by Mr. Krause). Bad news for all users of Apple hardware and software. Indeed. Read Mr. Krause's Open Radar (rdar://37423927) entry. Listen up, Apple Inc...
Erudite write-up by Adam Meyers (opining at 38North) in which Adam details the cyberweapons of mass disruption (in this case the primary weapons discussed are WannaCry, the Wiper attack and, who can forget, the electronic Bonnie-and-Clyde aka the 2016 SWIFT attack on Bangladesh Bank). Enjoy!
"North Korean offensive cyber operations have been conducted to collect sensitive political and military intelligence information, to lash out at enemies who threaten their beliefs and interests, and most interestingly, to generate revenue." - Adam Meyers, writing at 38North
Today's Must Read - Ira Winkler's 'How to Hack a Naval Vessel' - Ira's well-crafted, on-target and plausible thought piece discussing the potential for an electronic-systems intrusion, operating as a denial of service, as a factor in the four reported damage incidents and the tragic loss of life of our Navy personnel and fellow citizens while United States Navy vessels were underway.
Well, it looks like there is a bit of bother at npm, what with the security failures of recent import. Read Adam Shostack's well-crafted piece detailing what's broken and what to do about it (the latter being fairly obvious once you read his thoughtful post). Enjoy.
"In June, security researcher ChALkeR explained how he "obtained direct publish access to 14% of npm packages (including popular ones). The estimated number of packages potentially reachable through dependency chains is 54%." Then, there was a typo-squatting attack that went undetected for two weeks. And just a few days ago, Ivan Akulov reported on malicious packages in npm." - via Adam Shostack, writing at IANS
John Leyden, writing at El Reg, tells the tale of the latest ATM SNAFU, all based on CVE-2017-6968. Note the two ingredients in the quote below: an unauthenticated control channel that lets anyone on the wire pose as the control server, and a client that trusts a server-supplied length. Astonishing, indeed.
"To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection," said Georgy Zaytsev, a researcher with Positive Technologies. "During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution." - via John Leyden, at El Reg
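As an added illustration of the bug class described in that quote (not NCR's code, not the actual CVE-2017-6968 trigger, and not from El Reg or Positive Technologies), here is a hypothetical key-exchange response parser written in C. The wire format is an assumption made for this example: one response parameter is a 1-byte tag, a 2-byte big-endian length, then the payload. The unchecked parser copies whatever length the (rogue) server declares into a fixed buffer; the hardened parser bounds the length by both the destination buffer and the bytes actually received before it copies anything. The test messages are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (an assumption for this illustration, not the real
 * protocol): one parameter = [1-byte tag][2-byte big-endian length][payload]. */
#define HDR_LEN    3
#define PARAM_MAX  64          /* fixed-size buffer for one parameter value */

struct key_param {
    uint8_t tag;
    uint8_t value[PARAM_MAX];
    size_t  value_len;
};

static size_t declared_len(const uint8_t *msg)
{
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Vulnerable pattern: the length field comes from the (rogue) server and is
 * used unchecked, so a declared length above PARAM_MAX writes past value[]. */
int parse_param_unchecked(const uint8_t *msg, size_t msg_len, struct key_param *out)
{
    if (msg_len < HDR_LEN)
        return -1;
    size_t len = declared_len(msg);
    out->tag = msg[0];
    memcpy(out->value, msg + HDR_LEN, len);   /* BUG: no bound on len */
    out->value_len = len;
    return 0;
}

/* Hardened version: the declared length is bounded by the destination buffer
 * and by the number of bytes actually received before anything is copied. */
int parse_param_checked(const uint8_t *msg, size_t msg_len, struct key_param *out)
{
    if (msg_len < HDR_LEN)
        return -1;                       /* header incomplete */
    size_t len = declared_len(msg);
    if (len > PARAM_MAX)
        return -2;                       /* would overflow value[] */
    if (len > msg_len - HDR_LEN)
        return -3;                       /* declares more bytes than were received */
    out->tag = msg[0];
    memcpy(out->value, msg + HDR_LEN, len);
    out->value_len = len;
    return 0;
}

/* Build a constructed test message: header carrying `declared` as the length
 * field, followed by `payload` bytes of 'A'. Returns bytes written, or 0 if
 * `buf` is too small. Letting `declared` differ from `payload` models a server
 * that lies about how much it sent. */
size_t build_msg(uint8_t *buf, size_t cap, uint8_t tag, uint16_t declared, size_t payload)
{
    if (cap < HDR_LEN + payload)
        return 0;
    buf[0] = tag;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + HDR_LEN, 'A', payload);
    return HDR_LEN + payload;
}

int main(void)
{
    uint8_t buf[2048];
    struct key_param p;

    /* Benign 16-byte parameter: both parsers accept it, which is exactly why
     * the missing check survives normal testing. */
    size_t n = build_msg(buf, sizeof buf, 0x01, 16, 16);
    printf("benign    checked=%d unchecked=%d\n",
           parse_param_checked(buf, n, &p), parse_param_unchecked(buf, n, &p));

    /* Rogue server: 1024-byte parameter against a 64-byte buffer. The unchecked
     * parser is deliberately not called here; it would smash the stack. */
    n = build_msg(buf, sizeof buf, 0x01, 1024, 1024);
    printf("oversized checked=%d\n", parse_param_checked(buf, n, &p));

    /* Server declares 40 bytes but only 10 arrived: an over-read, not an overflow. */
    n = build_msg(buf, sizeof buf, 0x01, 40, 10);
    printf("truncated checked=%d\n", parse_param_checked(buf, n, &p));
    return 0;
}
```

The length cap alone is not enough: a parser that only checks `len > PARAM_MAX` still reads past the end of a short message, which is the second check above. Neither check addresses the first ingredient in the quote, namely that the ATM accepted a control server it had never authenticated.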
Via the eponymous Richard Chirgwin, writing at El Reg, comes this unfortunate tale of security flaws within Splunk Enterprise (now, happily, patched). First discovered by John Page (aka hyp3rlinx), and published via an advisory at Full Disclosure. Here's hyp3rlinx's source.
For the Record: We have always been pleased with Splunk products, and, most importantly, they are fast and focused when fixing issues.
The takeaway? Make an effort to be extraordinarily cognizant of the threats posed by log and machine-generated data aggregation platforms in the enterprise: they ingest untrusted input from everywhere and hold credentials to much of it. That is all.
News, via Finnish site Metropolitan, of a DDoS attack on computer-managed HVAC systems in the town of Lappeenranta, Finland. In a country as far north as Finland, knocking out heating in winter should be construed as a life-safety issue, not merely an availability one. H/T
News from the Past (the recent past, that is) - Apple Inc. (NasdaqGS: AAPL) Safari drops the drawbridge and is summarily PWND at POC PwnFest 2016. The exploit took twenty seconds to work its magic... Cruft, the gift that keeps on giving; hearty congratulations to Pangu for their outstanding effort.
Apple Inc. (NasdaqGS: AAPL) iPhone passcode protection defeated by NAND mirroring: clone the flash, burn through a batch of passcode guesses, then restore the clone to roll back the attempt counter that would otherwise trigger the wipe... Oops.
News, via Robert Abel, writing at SC Magazine, of the refusal of Alphabet Inc. (NasdaqGS: GOOG) to remediate a login-page redirect poisoning flaw (recently discovered by Aidan Woods) on the search leviathan's primary page. Oops.