PuTTY Multiple Security Vulnerabilities
 
QEMU CVE-2019-8934 Local Information Disclosure Vulnerability
 
IBM Java SDK CVE-2018-1890 Local Privilege Escalation Vulnerability
 

Posted by InfoSec News on Mar 21

http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/

By Joe Carlson
Star Tribune
March 21, 2019

As many as 750,000 heart devices made by Medtronic PLC contain a serious
cybersecurity vulnerability that could let an attacker with sophisticated
insider knowledge harm a patient by altering programming on an implanted
defibrillator, company and federal officials said Thursday.

The Homeland Security...
 

Posted by InfoSec News on Mar 21

https://www.cyberscoop.com/pwn2own-2019-day-one-apple-oracle-vmware/

By Joe Warminsky
CYBERSCOOP
March 21, 2019

The white-hat hacking team of Amat Cama and Richard Zhu, together known as
“Fluoroacetate,” took home the majority of the prize money available on the
first day of this year’s Pwn2Own competition in Vancouver, demonstrating
zero-day exploits against Apple’s Safari browser as well as virtualization
software from Oracle and...
 

Posted by InfoSec News on Mar 21

https://www.barrons.com/articles/how-michigans-dna-shaped-populist-start-up-duo-security-51553084081

By Mary Childs
Barron's
March 20, 2019

Dug Song had worked at three security companies and he was increasingly sure
the industry was failing people.

As cybersecurity became "the biggest geopolitical problem of our time," he
says, companies were prioritizing other companies, leaving regular people
behind, coping with old clunky...
 

Posted by InfoSec News on Mar 21

https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html

By Mark Mazzetti, Adam Goldman, Ronen Bergman and Nicole Perlroth
The New York Times
March 21, 2019

The man in charge of Saudi Arabia's ruthless campaign to stifle dissent went
searching for ways to spy on people he saw as threats to the kingdom. He knew
where to go: a secretive Israeli company offering technology developed by
former intelligence...
 

Posted by InfoSec News on Mar 21

https://www.zdnet.com/article/hacked-tornado-sirens-taken-offline-in-two-texas-cities-ahead-of-major-storm/

By Catalin Cimpanu
Zero Day
ZDNet News
March 18, 2019

A hacker set off the tornado emergency sirens in the middle of the night last
week across two North Texas towns. Following the unauthorized intrusion, city
authorities had to shut down their emergency warning system a day before major
storms and potential tornados were set to hit the...
 

Microsoft is bringing its Windows Defender anti-malware application to macOS—and more platforms in the future—as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for Mac" or "for Windows."

Microsoft Defender ATP for Mac will initially focus on traditional signature-based malware scanning.


macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. This situation is particularly acute in corporate environments; while Windows has a range of tools to ensure that systems are kept up-to-date and alert administrators if they fall behind, a similar ecosystem hasn't been developed for macOS.

One would hope that Defender for Mac will also trap Windows malware to prevent Mac users from spreading malware to their Windows colleagues.


 
Despite what you may have read, Epic says this is not spyware.


This week, certain corners of the gaming Internet have been abuzz with a bit of self-described "amateur analysis" suggesting some "pretty sketchy," spyware-like activity on the part of the Epic Game Store and its launcher software. Epic has now stepped in to defend itself from those accusations, while also admitting to an "outdated implementation" that can result in unauthorized access to local Steam information.

The Reddit post "Epic Game Store, Spyware, Tracking, and You!" points to a wide-ranging set of implications based on some broad file and network access traffic observations when the Epic Game Store is running. But much of the post is focused on Epic's association with Chinese gaming giant Tencent, which owns a share of the company.

"Tencent is a significant, but minority shareholder in Epic," co-founder and CEO Tim Sweeney wrote in response to the conspiracy theory in one Reddit thread. "I'm the controlling shareholder of Epic... The decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!"


 
Google, Microsoft work together for a year to figure out new type of Windows flaw


One of the more notable features of Google Project Zero's (GPZ) security research has been its 90-day disclosure policy. In general, vendors are given 90 days to address issues found by GPZ, after which the flaws will be publicly disclosed. But sometimes understanding a flaw and developing fixes for it takes longer than 90 days—sometimes, much longer, such as when a new class of vulnerability is found. That's what happened last year with the Spectre and Meltdown processor issues, and it has happened again with a new Windows issue.

Google researcher James Forshaw first grasped that there might be a problem a couple of years ago when he was investigating the exploitability of another Windows issue published three years ago. In so doing, he discovered the complicated way in which Windows performs permissions checks when opening files or other secured objects. A closer look at the involved parts showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so. The big question was, could these elements be assembled in just the right way to cause a problem, or would good fortune render the issue merely theoretical?

The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file.
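The rule above is easiest to see as a small model. What follows is an added illustration, not Windows code and not the specific flaw described in the article: it models an access check that applies to user-mode requestors and is skipped for kernel-mode ones, then shows how a hypothetical kernel component that opens a user-supplied path on a caller's behalf turns that rule into the "any user opens any file" outcome the article describes, and how forcing the check closes it. The `Token`/`SecuredFile` types, the ACL dictionary format and the two "driver" functions are all assumptions made for this example; the real-world counterpart of the `force_access_check` flag is the OBJ_FORCE_ACCESS_CHECK object attribute a driver passes when it opens objects for a user-mode caller.

```python
# Toy model of the access-check rule: ACL checks apply to user-mode requestors
# and are skipped for kernel-mode ones.  Added illustration only: not Windows
# code and not the specific flaw in the story.  The ACL format, the
# Token/SecuredFile types and the "driver" functions are assumptions.
from dataclasses import dataclass

USER_MODE = "UserMode"
KERNEL_MODE = "KernelMode"


@dataclass(frozen=True)
class Token:
    """The caller's identity: user name plus group memberships."""
    user: str
    groups: frozenset = frozenset()


@dataclass
class SecuredFile:
    path: str
    acl: dict          # principal -> set of rights, e.g. {"SYSTEM": {"read", "write"}}
    content: str = ""


class AccessDenied(Exception):
    pass


def access_check(acl, token, requested):
    """Grant only if the rights held by the user and its groups cover the request."""
    granted = set()
    for principal in {token.user, *token.groups}:
        granted |= acl.get(principal, set())
    return requested <= granted


def open_file(f, token, requested, requestor_mode, force_access_check=False):
    """Model of the kernel's open path.  A kernel-mode request skips the ACL
    unless the caller asks for the check anyway (the real-world analogue is the
    OBJ_FORCE_ACCESS_CHECK flag a driver passes when opening objects on behalf
    of a user-mode caller)."""
    if requestor_mode == USER_MODE or force_access_check:
        if not access_check(f.acl, token, requested):
            raise AccessDenied(f"{token.user} lacks {sorted(requested)} on {f.path}")
    return f.content


def vulnerable_driver_read(f, caller_token):
    """Hypothetical kernel component that opens a user-supplied path for the
    caller.  It runs in kernel mode, so the open is a kernel-mode request and
    the ACL is never consulted: a confused deputy."""
    return open_file(f, caller_token, {"read"}, KERNEL_MODE)


def hardened_driver_read(f, caller_token):
    """Same component, but it forces the access check because the request
    originated in user mode."""
    return open_file(f, caller_token, {"read"}, KERNEL_MODE, force_access_check=True)


def demo():
    """Run the three opens and report which ones succeed."""
    secret = SecuredFile("C:\\secrets\\backup.bin", {"SYSTEM": {"read", "write"}}, "hashes")
    alice = Token("alice", frozenset({"Users"}))
    results = {}
    for label, fn in (
        ("direct", lambda: open_file(secret, alice, {"read"}, USER_MODE)),
        ("via_vulnerable_driver", lambda: vulnerable_driver_read(secret, alice)),
        ("via_hardened_driver", lambda: hardened_driver_read(secret, alice)),
    ):
        try:
            results[label] = fn()
        except AccessDenied:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The direct open is denied, the open routed through the unhardened component returns the file content to a user who holds no rights on it, and the hardened component denies again: the "elements" the article mentions are exactly a kernel-mode open and a user-controlled path meeting without the check being forced.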


 
Mozilla Firefox MFSA2019-01 Multiple Security Vulnerabilities
 
Atlassian SourceTree CVE-2018-20234 Arbitrary Code Execution Vulnerability
 
Atlassian SourceTree CVE-2018-20235 Arbitrary Code Execution Vulnerability
 

In many internal assessments or "recon mission" style engagements, you'll need to figure out what all the internal subnets are before you can start assessing that address space for issues, targets or whatever you are looking for in that project.  Or, as I had this week, the request was for enumeration of all the hosts that AREN'T in AD.

In many environments, the DHCP server is quick to find, and you can dump the scopes out Easy as Pi (or pie if you prefer) - we covered this a while back: https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/

But say the DHCP servers are dispersed throughout the environment - it's still pretty common to see a DHCP server in each remote location, for instance.  Or you have subnets that don't have a DHCP scope at all.  How can you enumerate those remote subnets?

Well, you could certainly hijack the routing protocol and dump the routing table, but that's often a tough thing to get permission for.  

How about from the individual computer objects in AD?  The IP address is listed there, and in a lot of shops you can assume a /24 for all subnets.  Or if not, larger subnets will just show up as contiguous /24's in your list if you make that assumption.  What does this look like in PowerShell?

Let's start by collecting all the IPv4 addresses in play.  This is a "quick and dirty" collection: the IPv4Address property is not stored in AD, the ActiveDirectory module resolves each computer's DNSHostName when you query, so you get one address per host (multi-homed Windows hosts only show whichever address DNS hands back first), stale DNS records show up as stale addresses, and computer objects whose name doesn't resolve come back with a blank address.  We'll start with our old pal "Get-ADComputer":

$addrs = Get-ADComputer -Filter * -Properties IPv4Address

Now, there are a ton of ways to get the /24's from this list, but since I'm lazy I'll use the "[IPAddress]" type accelerator (System.Net.IPAddress) in PowerShell.  Let's take one element in the list above, cast it to [IPAddress], then look at what's there:

[IPAddress] $addrs[6].IPv4Address


Address            : 873890058
AddressFamily      : InterNetwork
ScopeId            :
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 10.129.22.52

Perfect, that "Address" member is a straight numeric representation of the IP (the four octets packed with the first octet in the low byte, which is why 10.129.22.52 shows up as 873890058; the property is marked obsolete in .NET but still works), and we can mask it with the bitwise-and operator "-band".  Run the mask through the same [IPAddress] cast so the byte order of both operands matches:

[IPAddress] (([IPAddress] $addrs[6].IPv4Address).Address -band ([IPAddress] "255.255.255.0").Address)


Address            : 1474826
AddressFamily      : InterNetwork
ScopeId            :
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 10.129.22.0

That final member, IPAddressToString, is the value we want to use going forward!  Let's add "/24" to that, and dump it to a file.  One Windows gotcha: the ">" redirection in Windows PowerShell (5.1 and earlier) writes UTF-16 text, which nmap's -iL will not read correctly, so write the lists with Out-File -Encoding ascii instead.  Cleaned up, with a bit of error checking, our final code looks like:

$pcs = Get-ADComputer -Filter * -Properties IPv4Address
$subnets = @()
$mask = ([IPAddress] "255.255.255.0").Address
foreach ($pc in $pcs) {
    $addr = $pc.IPv4Address
    if (-not [string]::IsNullOrEmpty($addr)) {     # lots of $pcs will have a blank address (name didn't resolve)
        $sub = [IPAddress] (([IPAddress] $addr).Address -band $mask)
        $subnets += $sub.IPAddressToString + "/24"
    }
}
$subnets | Sort-Object -Unique | Out-File -Encoding ascii subnets.csv

But what if we wanted just the AD members?  That's easy (again written as ASCII so nmap can read it):

$pcs.IPv4Address | Where-Object { $_ } | Sort-Object -Unique | Out-File -Encoding ascii AD-hosts.csv


Or just the IP addresses that are *NOT* AD?  This one is particularly useful in finding things on the network that may have been "flying under the radar" - computers that don't belong to the company for instance, or gear that was purchased by other departments.  Or even gear that was purchased by IT, but never properly inventoried so is now "lost".  Or (perish the thought) malicious hosts!  Note that what this produces is every address in each discovered /24 that AD does not account for - candidates, not live hosts - so the ping scan below is what turns it into a real list.

$targetnets = $subnets | Sort-Object -Unique
$domainips  = @($pcs.IPv4Address | Where-Object { $_ } | Sort-Object -Unique)
$NonADIPs   = @()

foreach ($t in $targetnets) {
    $netbits = $t.Substring(0, $t.LastIndexOf('.') + 1)     # "10.129.22.0/24" -> "10.129.22."
    for ($hostbits = 1; $hostbits -le 254; $hostbits++) {
        if (-not $domainips.Contains($netbits + $hostbits)) {
            $NonADIPs += ($netbits + $hostbits)
        }
    }
}
$NonADIPs | Out-File -Encoding ascii non-adips.csv

Next step?  Now that we have these lists, take the file of choice and feed it to nmap with -iL.  For instance, using the "non-adips.csv" file will scan the candidate addresses that are not AD members.  For a simple ping scan:

nmap -sn -iL non-adips.csv -oA non-adips.pingscan

or for a simple TCP port scan (note that this scans nmap's default top 1000 TCP ports, not all of them):

nmap --open -Pn -iL non-adips.csv -oA non-adips.scanned

or, if you are looking for non-firewalled Windows hosts that aren't AD members (this is one of the concerns that had me writing this in the first place):

nmap -p445,139 --open -Pn -iL non-adips.csv -oA nofw-win-non-ad.scanned

Pretty this up as needed - maybe add "--top-ports n" for the top "n" ports, or "-p0-65535" for all ports, but the defaults give you decent coverage to "see what's out there" fairly quickly.  Or if you're looking for something more specific, maybe non-AD hosts with SMBv1 enabled, run

nmap -p445,139 --open -Pn -iL non-adips.csv --script smb-protocols -oA nofw-win-non-ad-smb1

Then filter the normal-format output (-oA writes .nmap, .gnmap and .xml files) for just the problem children with:

Select-String -Pattern "scan report|SMBv1" nofw-win-non-ad-smb1.nmap

(or grep -E "scan report|SMBv1" nofw-win-non-ad-smb1.nmap if you are scanning from a Linux box).

Of course, you can use the subnets file for a more complete scan (which will include AD members), or you could also use the ad-hosts file to scan only AD members for whatever today's target of interest might be.

Or if you (or your client) is in a hurry, use MASSCAN (don't forget to use that bandwidth limiter!!!).  Play with the rate value a bit so that you end up with decent scan results without saturating any WAN or VPN links.  

Using a faster scanner means that you can maybe also scan the complete tcp port range, depending on your time budget and requirements:

masscan -p0-65535 --rate=1000 -iL non-adips.csv -oX scan.out.xml

Note that you can still use --top-ports in masscan, so if you only want to hit the top 1000 ports, use "--top-ports 1000" in your final command.  

Finally, no matter what scanner you use, if you have enough information and enough bandwidth you can usually run multiple scans at different rates, depending on the architecture of the network.

If you're digging a bit deeper, of course you can take those same lists and use them as input to Nessus, OpenVAS or any other tool that you have in your arsenal, or whatever tool, script or playbook you may need to write that day.

Note that in any consulting engagement, time matters!  While your scanner is running, you should be off doing other things, not drinking coffee waiting for that scan to finish.  If this is an internal penetration test, you should be off getting domain admin and will likely have obtained all of your engagement targets by the time the scan finishes.  If this is an assessment, the subnet list will be useful, but most likely your final report will be mostly done by the time the scan wraps up - - or 90%-ish done if you needed those scan results for something specific, or if the scans find something surprising.

Keep in mind that this method will only find subnets that AD knows about directly.  So if you've got subnets that are dedicated to non-AD members - things like IP Phones, scales, shipping printers, scanners and the like (stuff that we call "IoT" these days), those subnets are "ships in the night" to AD.  You might find them using DNS or DHCP recon ( https://isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995 ), or you may need to look at actual routing tables for that (stay tuned for that).

Back to the PowerShell bits, the final scripts above are the ones I've been using for a while, mostly because they took all of 20 minutes to bust out, and they work well and "fast enough" for me, so I never did optimize them further.  I'm sure that there's a one-liner here or there that you could use to make it more efficient - please, use our comment form if you've got some suggestions there!  Or if you've found something spectacular with a portscan that didn't show up in the get-adcomputer list (we all have I'm sure), we're all kinds of interested in that too!!

===============
Rob VandenBrink
Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last few weeks, like this one (MD5 7df15be35bd8fd1a98adc24e6be7bfcd).

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, use the plugin_biff plugin with option -x (short for xlm, i.e. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:

  • There's a hidden Excel 4.0 macro sheet
  • There's a cell carrying the defined name Auto_Open, which achieves automatic execution when the spreadsheet is opened (and the user clicks away the warnings)
  • There's a formula with a call to the EXEC function
  • In this sample the command executed by EXEC is concatenated from string fragments: msiexec is started to download and execute an MSI file
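To make concrete what plugin_biff is looking for, here is a small BIFF8 record walker, added as an example (it is not oledump/plugin_biff code and is not derived from the sample above): it walks a Workbook record stream, reports hidden Excel 4.0 macro sheets from the BOUNDSHEET records, the built-in Auto_Open name from the Lbl (NAME) record, and EXEC calls in FORMULA records, folding the string constants so a command split into fragments reads whole. Record layouts follow MS-XLS; the function table holds only EXEC, the token decoder covers only the handful of ptg tokens the example needs, and the record stream at the bottom is constructed by hand, not taken from a real file.

```python
# Minimal BIFF8 record walker for the three indicators above: a hidden Excel
# 4.0 macro sheet, a built-in Auto_Open name and a FORMULA calling EXEC.
# Added example, not oledump/plugin_biff code.  Layouts follow MS-XLS; the
# function table, token decoder and the sample stream are deliberately minimal.
import struct

REC_BOF, REC_EOF = 0x0809, 0x000A
REC_FORMULA, REC_LBL, REC_BOUNDSHEET = 0x0006, 0x0018, 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}
FTAB = {0x006E: "EXEC"}            # subset of the Ftab function table; extend from MS-XLS


def records(stream):
    """Yield (record id, payload): 2-byte id, 2-byte length, data."""
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, off)
        yield rid, stream[off + 4: off + 4 + length]
        off += 4 + length


def read_string(data, off, cch):
    """XLUnicodeStringNoCch at off: flags byte (bit 0 = 16-bit chars), then chars."""
    if data[off] & 1:
        return data[off + 1: off + 1 + 2 * cch].decode("utf-16-le"), off + 1 + 2 * cch
    return data[off + 1: off + 1 + cch].decode("latin-1"), off + 1 + cch


def parse_boundsheet(d):
    """BoundSheet8: lbPlyPos(4) grbit(2: hsState in low 2 bits, dt in high byte) stName."""
    _, grbit = struct.unpack_from("<IH", d, 0)
    name, _ = read_string(d, 7, d[6])
    return {"name": name, "state": SHEET_STATES.get(grbit & 3, "?"), "type": SHEET_TYPES.get(grbit >> 8, "?")}


def parse_lbl(d):
    """Lbl: grbit(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) Name rgce..."""
    grbit, _, cch, _ = struct.unpack_from("<HBBH", d, 0)
    if grbit & 0x20:               # fBuiltin: Name is a one-byte id after the flags byte
        return {"name": BUILTIN_NAMES.get(d[15], "builtin 0x%02x" % d[15]), "builtin": True}
    name, _ = read_string(d, 14, cch)
    return {"name": name, "builtin": False}


def tokens(rgce):
    """Decode a subset of the ptg token stream; stop at the first unknown token."""
    out, off = [], 0
    while off < len(rgce):
        ptg = rgce[off]
        if ptg == 0x17:                           # ptgStr: cch, flags, chars
            s, off = read_string(rgce, off + 2, rgce[off + 1]); out.append(("str", s))
        elif ptg == 0x08:                         # ptgConcat (&)
            out.append(("op", "&")); off += 1
        elif ptg in (0x21, 0x41, 0x61):           # ptgFunc: iftab(2)
            iftab = struct.unpack_from("<H", rgce, off + 1)[0]
            out.append(("func", FTAB.get(iftab, "iftab %d" % iftab))); off += 3
        elif ptg in (0x22, 0x42, 0x62):           # ptgFuncVar: cparams(1), iftab(2, bit 15 = fCeFunc)
            iftab = struct.unpack_from("<H", rgce, off + 2)[0] & 0x7FFF
            out.append(("func", FTAB.get(iftab, "iftab %d" % iftab))); off += 4
        else:                                     # not modelled here: do not guess its length
            out.append(("unknown", ptg)); break
    return out


def render(toks):
    """Fold the string constants so a command split into fragments reads whole."""
    text = "".join(t[1] for t in toks if t[0] == "str")
    funcs = [t[1] for t in toks if t[0] == "func"]
    return "%s(%r)" % (funcs[-1], text) if funcs else text


def triage(stream):
    """Walk a Workbook stream and report the XLM indicators."""
    sheets, names, formulas = [], [], []
    for rid, d in records(stream):
        if rid == REC_BOUNDSHEET:
            sheets.append(parse_boundsheet(d))
        elif rid == REC_LBL:
            names.append(parse_lbl(d))
        elif rid == REC_FORMULA:                  # rw(2) col(2) ixfe(2) val(8) grbit(2) chn(4) cce(2) rgce
            cce = struct.unpack_from("<H", d, 20)[0]
            formulas.append(tokens(d[22:22 + cce]))
    return {"sheets": sheets,
            "hidden_xlm_sheets": [s["name"] for s in sheets
                                  if s["type"] == "Excel 4.0 macro sheet" and s["state"] != "visible"],
            "auto_open": any(n["name"] == "Auto_Open" for n in names),
            "exec_calls": [render(t) for t in formulas if ("func", "EXEC") in t]}


# --- constructed sample stream (not the diary's sample) ---
def rec(rid, data): return struct.pack("<HH", rid, len(data)) + data
def xl_str(s): return bytes([len(s), 0]) + s.encode("latin-1")                 # 8-bit ShortXLUnicodeString
def boundsheet(name, sheet_type, state):
    return rec(REC_BOUNDSHEET, struct.pack("<IH", 0, (sheet_type << 8) | state) + xl_str(name))
def builtin_name(bid):                                                          # fBuiltin, cch=1, empty rgce
    return rec(REC_LBL, struct.pack("<HBBHHH", 0x0020, 0, 1, 0, 0, 0) + b"\x00" * 4 + bytes([0, bid]))
def formula(rgce): return rec(REC_FORMULA, struct.pack("<HHHdHIH", 0, 0, 0, 0.0, 0, 0, len(rgce)) + rgce)

RGCE_EXEC = (b"\x17" + xl_str("msie") + b"\x17" + xl_str("xec") + b"\x08"     # "msie"&"xec"
             + b"\x42\x01" + struct.pack("<H", 0x006E))                         # EXEC with 1 argument
SAMPLE = (rec(REC_BOF, struct.pack("<HH", 0x0600, 0x0005) + b"\x00" * 12)      # workbook globals
          + boundsheet("Sheet1", 0x00, 0) + boundsheet("Macro1", 0x01, 1)       # visible sheet, hidden XLM sheet
          + builtin_name(0x01) + rec(REC_EOF, b"")                               # Auto_Open
          + rec(REC_BOF, struct.pack("<HH", 0x0600, 0x0040) + b"\x00" * 12)     # macro sheet substream
          + formula(RGCE_EXEC) + rec(REC_EOF, b""))

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

For a real .xls, pull the Workbook stream out of the OLE container first (for example `olefile.OleFileIO(path).openstream("Workbook").read()`) and pass it to `triage()`; CONTINUE records, shared strings and most other ptg tokens are not handled, which is what oledump's plugin does properly.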

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In this video, I provide more context to diary entry "Maldoc: Excel 4.0 Macros" by showing how to distinguish VBA and Excel 4.0 macros.

Then I proceed with the analysis of the Excel 4.0 macro sample.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

I received a couple of questions regarding Wireshark and Npcap.

First of all, it's not a requirement to install Npcap if you want to upgrade to Wireshark 3.

You can just deselect the toggle to install Npcap:

And then Wireshark 3 will use WinPcap (installed with prior versions of Wireshark).

If you go to Help / About Wireshark, you can see what capture library is currently used by Wireshark on Windows:

Actually, you don't even have to install a packet capture library on the Windows machine you install Wireshark on, as long as you don't have to capture packets with Wireshark on that machine.

WinPcap is no longer maintained, and that is reflected in the version that comes bundled with Wireshark 2:

It dates from 2013.

Johannes also remarked that the Npcap license allows free use of Npcap on up to 5 Windows machines. If you have more in your organisation, you need to obtain a commercial license:

The standard version is also limited to installation on five systems.

However, there is an exception for Wireshark (and Nmap)

Copies of Npcap do not count toward the five copy, five computer, or five user limitations imposed by this section if they are installed and used solely in conjunction with any of the following software:

o The Nmap Security Scanner, as distributed from https://nmap.org

o The Wireshark network protocol analyzer, as distributed from https://www.wireshark.org/

If you install Wireshark with Npcap, and you use Npcap exclusively with Wireshark and/or Nmap, then the standard license still applies even with more than 5 machines.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

The extortion attempts have moved to another level recently. After the “sextortion” emails that have been propagating for a while, attackers started to flood people with a new type of fake email, and their imagination is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very serious offense punished by law. What if you received an email from a Central Intelligence Agency officer who reveals that you’re listed in an international investigation about a case of child pornography and that you’ll be arrested soon? Luckily, the agent is a “nice guy” and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys.

Here is a copy of the received email:

From: "Huey Ferguson" <[email protected][.]ga>
To: <redacted>
Subject: Central Intelligence Agency Case 61587423

Case #61587423
Distribution and storage of pornographic electronic materials involving
underage children.

My name is Huey Ferguson and I am a technical collection officer working for
Central Intelligence Agency.

It has come to my attention that your personal details including your email
address (<redacted>) are listed in case #61587423.

The following details are listed in the document's attachment:

- Your personal details,
- Home address,
- Work address,
- List of relatives and their contact information.

Case #61587423 is part of a large international operation set to arrest more
than 2000 individuals suspected of paedophilia in 27 countries.

The data which could be used to acquire your personal information:

- Your ISP web browsing history,
- DNS queries history and connection logs,
- Deep web .onion browsing and/or connection sharing,
- Online chat-room logs,
- Social media activity log.

The first arrests are scheduled for April 8, 2019.

Why am I contacting you ?

I read the documentation and I know you are a wealthy person who may be
concerned about reputation.

I am one of several people who have access to those documents and I have
enough security clearance to amend and remove your details from this case.
Here is my proposition.

Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through
Bitcoin network to this special bitcoin address:

3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv

You can transfer funds with online bitcoin exchanges such as Coinbase,
Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to
access and edit the files).

Upon confirming your transfer I will take care of all the files linked to
you and you can rest assured no one will bother you.

Please do not contact me. I will contact you and confirm only when I see the
valid transfer.

Regards,
Huey Ferguson
Technical Collection Officer
Directorate of Science and Technology
Central Intelligence Agency

The mail also includes the same logo several times, in very poor quality:

Note also that pedophilia is written as “paedophilia”[1] (the British spelling, an unusual choice for a supposed US agency officer). The only relevant information found about a Huey Ferguson comes from ca.gov[2].

Here is a copy of the SMTP headers:

Return-Path: <[email protected]>
X-Original-To: <redacted>
Delivered-To: <redacted>
Received: by <redacted> (Postfix, from userid 65534)
    id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET)
Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by <redacted> (Postfix) with ESMTPS id 2AB631A80088
    for <redacted>; Mon, 18 Mar 2019 21:54:14 +0100 (CET)
Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1])
    by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD
    for <redacted>>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC)
Date: Mon, 18 Mar 2019 20:54:09 +0000
From: "Huey Ferguson" <[email protected]>
To: <redacted>
Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?=
List-Unsubscribe: <http://wysa.cia-us-govn.ga/unsubscribe/WFFUV2c0bUl2ZkV3TCt6aXdBQkY1cWNNZ3Y4Z0EzbytueUxWQ1hsY3M5ZjF3dktzdXRiRUpWZ2FMZ0xDMkphRUlQVzZkYjI2cVhVcHlrNHRRc2hxUDRwbEordHdtYnBOUGpvNVpRL0RNVkU9>
Reply-To: <[email protected]>
User-Agent: Postfix 3.3.11
X-Sender: [email protected]
X-Mailer: Postfix 3.3.11
X-Priority: 3 (Normal)
Message-ID: <[email protected]>

The sender address uses a domain under the .ga TLD (Gabon) that does not exist. The SMTP server (54.39.181.120) is hosted at OVH in Canada.
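The header triage above can be scripted. The following is an added example (my code, not the diary's): it parses a constructed copy of the headers shown, with placeholder local parts and the receiving host "mail.example.net" standing in for the redacted one, pulls the relay chain out of the Received headers, identifies the IP that actually connected to the receiving MTA (the only hop the sender could not forge), decodes the encoded-word Subject, checks that From, Return-Path and Reply-To agree, and applies a crude lookalike-domain heuristic (an assumption for this example, not a rule).

```python
# Header triage for the extortion mail.  Added example (my code, not the
# diary's): RAW is a constructed copy of the headers shown, with placeholder
# local parts and "mail.example.net" standing in for the redacted receiver.
import email
import email.utils
import ipaddress
import re
from email.header import decode_header, make_header

RAW = """Return-Path: <sender@wysa.cia-us-govn.ga>
Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.example.net (Postfix) with ESMTPS id 2AB631A80088
    for <victim@example.net>; Mon, 18 Mar 2019 21:54:14 +0100 (CET)
Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1])
    by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD
    for <victim@example.net>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC)
Date: Mon, 18 Mar 2019 20:54:09 +0000
From: "Huey Ferguson" <sender@wysa.cia-us-govn.ga>
To: <victim@example.net>
Subject: =?UTF-8?Q?Central=20Intelligence?= =?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?=
Reply-To: <sender@wysa.cia-us-govn.ga>
X-Mailer: Postfix 3.3.11

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the Postfix form used above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)[\s\S]*?\bby\s+(?P<by>\S+)")

# Crude lookalike heuristic (an assumption for this example): an agency or
# government token inside a domain that is not actually under .gov.
AGENCY_TOKENS = {"cia", "fbi", "gov", "govn"}


def received_hops(msg):
    """Parse the Received headers top-down: hops[0] was added by the last MTA."""
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if m:
            hops.append(m.groupdict())
    return hops


def connecting_ip(hops, our_host):
    """The IP that connected to our MTA: the first hop our own server stamped.
    Every hop below it was written by the sender and may be fabricated."""
    for hop in hops:
        if hop["by"].lower() == our_host.lower():
            return hop["ip"]
    return None


def domain_of(header_value):
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw, our_host):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    subject = str(make_header(decode_header(msg["Subject"])))
    sender_domains = sorted({domain_of(msg[h]) for h in ("From", "Return-Path", "Reply-To") if msg[h]})
    flags = []
    if len(sender_domains) > 1:
        flags.append("From, Return-Path and Reply-To disagree: " + ", ".join(sender_domains))
    for d in sender_domains:
        if AGENCY_TOKENS & set(re.split(r"[.-]", d)) and not d.endswith(".gov"):
            flags.append("agency-lookalike domain outside .gov: " + d)
    if hops and ipaddress.ip_address(hops[-1]["ip"]).is_loopback:
        flags.append("earliest hop is loopback on the sender's own relay; no real origin beyond it")
    return {"subject": subject, "connecting_ip": connecting_ip(hops, our_host),
            "hops": hops, "sender_domains": sender_domains, "flags": flags}


if __name__ == "__main__":
    for key, value in triage(RAW, "mail.example.net").items():
        print(key, value)
```

The connecting IP is the one to look up (here the OVH address), the lower Received line is the scammer's own box talking to itself and tells you nothing more, and the three sender headers all agree on the throwaway .ga domain, so this is not a spoofed From but a domain registered for the campaign.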

As usual with this kind of email, the conclusion is the same: just delete it and do not pay! But feel free to report more Bitcoin addresses to us!

[1] https://www.urbandictionary.com/define.php?term=paedophilia
[2] https://appellatecases.courtinfo.ca.gov/search/case/dockets.cfm?dist=0&doc_id=2266518&doc_no=S251894&request_token=NiIwLSIkXkg%2FWyBVSCNdUEJIQDw0UDxTJiJOJzNSMCAgCg%3D%3D

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Posted by InfoSec News on Mar 18

https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/

By Joseph Menn
Reuters
March 15, 2019

(This article is adapted from a forthcoming book, "Cult of the Dead Cow: How
the Original Hacking Supergroup Might Just Save the World")

Some things you might know about Beto O'Rourke, the former Texas congressman
who just entered the race for president:

The Democratic contender raised a record amount for a...
 

Posted by InfoSec News on Mar 19

https://www.securityweek.com/dragos-acquires-nexdefense-releases-free-ics-assessment-tools

By Eduard Kovacs
SecurityWeek.com
March 18, 2019

Industrial cybersecurity firm Dragos on Monday announced the acquisition of
NexDefense, a company that specializes in visibility technology for industrial
control systems (ICS), and the launch of free ICS security assessment tools.

NexDefense, one of the earliest ICS security companies, was initially...
 

Posted by InfoSec News on Mar 18

https://www.zdnet.com/article/singapore-public-sector-reports-yet-another-security-lapse/

By Eileen Yu
By The Way
ZDNet News
March 16, 2019

Following a spate of security breaches affecting healthcare patients in the
country, another Singapore public sector agency has reported that personal
information of 808,201 blood donors was left vulnerable after a third-party
vendor failed to securely protect a server containing the data. The database...
 

Posted by InfoSec News on Mar 19

https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/

By Catalin Cimpanu
Zero Day
ZDNet News
March 17, 2019

A hacker who has previously put up for sale over 840 million user records in
the past month, has returned with a fourth round of hacked data that he's
selling on a dark web marketplace.

This time, the hacker has put up for sale the data of six companies, totaling
26.42 million...
 

Posted by InfoSec News on Mar 19

https://wtop.com/tracking-metro-24-7/2019/03/why-metro-is-trying-to-hack-into-its-own-railcars/

By Max Smith
WTOP.com
March 15, 2019

Metro plans to hack its own new 7000 Series railcars over the next few months
to figure out whether missing cybersecurity requirements in the contract left
Metro data exposed or riders at risk.

The "penetration testing" will be completed by the end of August, a response to
Metro’s Office of...
 

Posted by InfoSec News on Mar 18

https://venturebeat.com/2019/03/16/cisos-you-need-to-manage-by-walking-around/

By Joseph Schorr
Venture Beat
March 16, 2019

Chief information security officers (CISOs) today have replaced chief
information officers (CIOs) as the most under-valued C-level executives. In
fact, according to research from the Enterprise Strategy Group (ESG) and the
Information Systems Security Association (ISSA), nearly one-third (29 percent)
of corporations today...
 

Posted by InfoSec News on Mar 18

https://techcrunch.com/2019/03/17/medical-health-data-leak/

By Zack Whittaker
TechCrunch.com
March 17, 2019

A health tech company was leaking thousands of doctor’s notes, medical records,
and prescriptions daily after a security lapse left a server without a
password.

The little-known software company, California-based Meditab, bills itself as
one of the leading electronic medical records software makers for hospitals,
doctor’s...
 

Posted by InfoSec News on Mar 18

https://www.cyberscoop.com/dmsniff-glitchpos-malware-cybercrime-flashpoint-talos/

By Jeff Stone
CYBERSCOOP
March 14, 2019

Sometimes the little things can help cybercriminals separate their wares
from the pack. It could be an uncommon feature in the malware itself, or
it could just be a new way to market a familiar strategy.

In unrelated reports Wednesday, cybersecurity companies detailed DMSniff,
which takes a new approach to remaining...
 

Posted by InfoSec News on Mar 18

https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/

By Lily Hay Newman
Wired.com
3/17/2019

In January 2018 a group of hackers, now thought to be working for the North
Korean state-sponsored group Lazarus, attempted to steal $110 million from the
Mexican commercial bank Bancomext. That effort failed. But just a few months
later, a smaller yet still elaborate series of attacks allowed hackers...
 

Posted by InfoSec News on Mar 18

https://www.jpost.com/Opinion/Act-on-the-hack-583767

By JPost Editorial
The Jerusalem Post
March 17, 2019

The report that Blue and White leader and former IDF chief of staff Benny
Gantz's phone was hacked raises many questions. Who broke into his phone? What
did they find there? Does it leave him susceptible to blackmail and other
pressures? Why are we only finding out about it now, four months after the Shin
Bet (Israel Security...
 

Posted by InfoSec News on Mar 19

https://www.fedscoop.com/cybersecurity-budget-2020-trump-white-house/

By Joe Warminsky
FEDSCOOP
March 18, 2019

Federal cybersecurity spending would increase by about 5 percent overall in
fiscal 2020 under President Donald Trump’s proposed budget, with the Department
of Defense getting a big boost and many civilian agencies seeing small cuts or
relatively flat funding.

As part of the White House’s plan to significantly expand military...
 

Posted by InfoSec News on Mar 19

https://www.theregister.co.uk/2019/03/18/gchq_enigma_emulator/

By Thomas Claburn in San Francisco
The Register
18 Mar 2019

UK signals intelligence agency GCHQ, celebrating its centenary, has released
emulators for famed World War II-era cipher machines that can be run within its
web-based educational encryption app CyberChef.

"We've brought technology from our past into the present by creating emulators
for Enigma, Typex and the...
 

Posted by InfoSec News on Mar 19

https://gizmodo.com/the-botnet-malware-behind-some-of-the-biggest-ddos-atta-1833388261

By Dell Cameron
Gizmodo
March 18, 2019

Mirai malware, which can infect and grant even unsophisticated actors control
over hundreds of thousands of IoT devices, is responsible for some of the most
devastating distributed denial-of-service (DDoS) attacks ever seen.

Just a few years ago, millions of people on the U.S. East Coast were basically
left without...
 

Posted by InfoSec News on Mar 19

https://www.cnbc.com/2019/03/18/heres-how-cybersecurity-vendors-drive-the-hacking-news-cycle.html

By Kate Fazzini
CNBC.com
March 18, 2019

The cybersecurity vendor marketplace is growing so crowded that some companies
have been resorting to extreme tactics to get security executives on the phone
to pitch their products, including lying about security emergencies and
threatening to expose insignificant breaches to the media.

The aggressive...
 