Ethical Hacking

Wade Mackey

MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Week 08: Malware

Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone

October 17, 2019 by Percy Jacob Rwandarugali

A flaw that means any fingerprint can unlock a Galaxy S10 phone has been acknowledged by Samsung.

It promised a software patch that would fix the problem.

The issue was spotted by a British woman whose husband was able to unlock her phone with his thumbprint when it was stored in a cheap case.

When the S10 was launched, in March, Samsung described the fingerprint authentication system as “revolutionary”.

Air gap

The scanner sends ultrasounds to detect 3D ridges of fingerprints in order to recognise users.

Samsung said it was “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch”.

South Korea’s online-only KaKao Bank told customers to switch off the fingerprint-recognition option to log in to its services until the issue was fixed.

Previous reports suggested some screen protectors were incompatible with Samsung’s reader because they left a small air gap that interfered with the scanning.

Thumb print

The British couple who discovered the security issue told the Sun newspaper it was a “real concern”.

Filed Under: Week 08: Malware Tagged With:

Google expands Chrome’s Site Isolation feature to Android users

October 17, 2019 by Jiahao Karl Li

I am not an Android user, but it is interesting to know that some methods were taken to prevent cross-site scripting. Tech companies have started to focus more on mobile device security nowadays, because mobile devices are more portable and versatile, which is convenient for customers but, at the same time, makes them more vulnerable and brings more angles of flaws to attackers. When using incognito and private mode is not enough to protect customers’ PII, a more isolated solution should be implemented to build barriers.

zdnet.com

‘Hack the Army’ Bug Bounty Challenge

October 17, 2019 by Andrew P. Sardaro

I posted earlier this month how the US Air Force at this year’s Defcon conference brought along an F-15 fighter jet data system to be evaluated for vulnerabilities. The US Air Force is changing the way it looks at cybersecurity and is embracing external cybersecurity experts to assist in securing military technology. They also agreed to allow a number of researchers to attempt to hijack an orbiting satellite. https://www.wired.com/story/air-force-defcon-satellite-hacking/

Well, another branch of the US Military is changing its way of working in a silo and embracing external input. The Department of Defense (DoD), the Defense Digital Service (DDS), and HackerOne are launching the second Hack the Army bug bounty challenge. The bug bounty challenge allows external hackers to attack 60-plus public web assets to determine if vulnerabilities exist and improve the DoD’s cyber defenses. Hackers participating in the bug bounty challenge are individuals invited by HackerOne and active U.S. military members and government civilians.

From the article, “It is our duty to ensure our citizens are protected from cyber threats, and finding new and innovative ways to do so is vital,” said Romero. “Our adversaries are determined and creative, so we must be every bit more of both. This latest HackerOne Challenge allows us to continue to harden the Army’s attack surfaces with the talent and diverse perspectives of HackerOne’s vetted hacker community.”

https://www.meritalk.com/articles/second-hack-the-army-bug-bounty-challenge-underway/

US Claims Cyber strike on Iran

October 17, 2019 by Christopher James Lukens

The US is claiming it launched a cyber attack against Iran’s propaganda infrastructure. One official claimed the attack affected physical hardware but no further details were provided. The attack was in retaliation for Iran’s suspected attack on the Aramco Abqaiq oil refinery a few weeks ago. Iran is denying the cyber attack ever took place. This would be the second cyber attack the US has claimed against Iran, after the US originally attacked their computing infrastructure used to plan attacks on tankers in the Persian Gulf.

https://arstechnica.com/information-technology/2019/10/us-claims-cyber-strike-on-iran-after-attack-on-saudi-oil-facility/

“Briansclub” got hacked!

October 16, 2019 by Jaimin Pandya

This story is kind of funny imo. One of the biggest marketplaces for stolen credit card data, called BriansClub, recently got hacked, which led to the theft of more than 26 million records. It’s speculated that the name Brian has been used after Brian Krebs (Krebsonsecurity.com guy). Per the article, “Last month, KrebsOnSecurity was contacted by a source who shared a plain text file containing what was claimed to be the full database of cards for sale both currently and historically through BriansClub[.]at, a thriving fraud bazaar named after this author. Imitating my site, likeness and namesake, BriansClub even dubiously claims a copyright with a reference at the bottom of each page: “© 2019 Crabs on Security.”

Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account.

All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.”

The article provides more detail on the timeline of the events.

Source Link: https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/

Apple Under Fire Over Sending Some Users Browsing Data to China’s Tencent

October 15, 2019 by Penghui Ai

Apple integrated the “Tencent Safe Browsing” service to power its “Fraudulent Website Warning” feature in the Safari web browser for both iOS and macOS. Just like the Safe Browsing feature in Chrome and Mozilla Firefox, Safari’s fraudulent website warning feature has also been designed to protect users from various online threats by simply checking every website they visit against a regularly updated list of malicious websites. Now having Tencent on the same list, Apple is also giving the Chinese company the same privileges as Google.

This article addressed people’s concerns about the safety issue of sharing their data with Tencent. It is true, but I think Apple is using a business strategy, because Google services are banned in China and they tried to protect Chinese users’ privacy. Apple uses a smart way to ease users’ concerns by offering users the manual option to turn off fraudulent website warnings.

https://thehackernews.com/2019/10/apple-safari-safebrowsing-tencent.html

Sudo Flaw Lets Linux Users Run Commands As Root Even When They’re Restricted

October 15, 2019 by Rami Saba

The “sudo” command (which lets Linux or Unix-based users run tasks with elevated permissions) had a flaw that allowed a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access, as long as the ALL keyword is listed first in the Runas specification. This bug can be exploited by an attacker to run commands as root just by specifying the user ID “-1” or “4294967295”. The function that converts user id into username incorrectly treats -1 or 4294967295 (its unsigned equivalent) as 0, which is the user ID of root. Users can fix this flaw by updating the sudo package to 1.8.28 or newer.

sudo -u#-1 id -u
or
sudo -u#4294967295 id -u

Source:

https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html

https://www.sudo.ws/alerts/minus_1_uid.html
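
A defender-side check for the flaw described in this post, added here as an example and not part of the original post or of the sudo project: it compares an upstream version string against 1.8.28 and flags sudoers rules whose Runas list combines ALL with an exclusion of root. The function names and the sudoers fragment are constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # first fixed upstream release named in the post

def is_patched(version_text):
    """True if an upstream sudo version string is 1.8.28 or newer.

    Distro packages can carry the fix under an older number, so False
    means "check the vendor advisory", not "certainly vulnerable".
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    return tuple(map(int, m.groups())) >= FIXED

RUNAS = re.compile(r"\(([^)]*)\)")   # text inside a Runas spec: (users[:groups])
ROOT_EXCLUDED = {"!root", "!#0"}

def risky_rules(sudoers_text):
    """Return rules whose Runas user list holds ALL plus an exclusion of
    root, the kind of rule the flaw bypasses. Runas_Alias expansion and
    #include'd files are out of scope and need a separate pass."""
    hits = []
    # Join backslash-continued lines so each rule is inspected whole.
    for line in re.sub(r"\\\n", " ", sudoers_text).splitlines():
        rule = line.strip()
        if not rule or rule.startswith(("#", "Defaults")):
            continue
        for m in RUNAS.finditer(rule):
            users = m.group(1).split(":")[0]   # drop the optional group list
            entries = {e.strip() for e in users.split(",")}
            if "ALL" in entries and entries & ROOT_EXCLUDED:
                hits.append(rule)
                break
    return hits

# Constructed sudoers fragment for illustration (hypothetical users and hosts).
SAMPLE = """\
Defaults env_reset
alice  ALL = (root) /usr/bin/systemctl restart nginx
bob    myhost = (ALL, !root) /usr/bin/vi
carol  ALL = (ALL, !#0 : \\
              staff) /usr/bin/id
dave   ALL = (ALL) ALL
"""

if __name__ == "__main__":
    print("patched:", is_patched("Sudo version 1.8.27"))
    for rule in risky_rules(SAMPLE):
        print("review:", rule)
```

Rules it flags should be reviewed on any host where `is_patched` returns False for the installed version.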

Y2K Offers a Template To Squash the Cyber Bug

October 13, 2019 by Daniel Bavaro

https://www.afcea.org/content/?q=node/17477/

I found this article interesting because it gives some insight into how we, as a society, can deal with the modern cyber climate/ransomware, by learning from what we did with the last major hurdle to hit the IT space: Y2K. Looking back, many say that Y2K was a “non-event” that was over-hyped. The reality is that it was a non-event, because of the massive efforts that organizations put in, to fix the problem before it happened.

“Several themes common with Y2K play out today. CIOs and CISOs need to know what applications and devices they actually have—it is time for asset discovery and documentation. It is also time to move away from an “if it isn’t broken, don’t fix it” mentality that keeps outdated equipment and software, increasing cyber risk. While Y2K was the single biggest driver for adopting packaged, off-the-shelf software, today cyber concerns are moving data to the cloud. And as with Y2K, cybersecurity has stirred up fears, becoming a board room discussion. Among C-suite executives, it has generated a lot of review and exercise of business contingency plans.

In some ways, it seems as if we are back at the same starting point as with Y2K: having to convince the powers that be that we have a continuing and growing problem amid actions that are not congruent with a holistic national or global framework to achieve the required objective. The cyber bug appears to be larger than life because we neither approach it in a synergistic way, nor are U.S. and international laws in place to address underlying causes. Lawmakers cannot even agree on common security standards for the IoT.”

This huge Android trojan malware campaign was discovered after the gang behind it made basic security mistakes

October 10, 2019 by Percy Jacob Rwandarugali

Cyber attackers infected 800,000 users with banking information stealing malware – but mistakes have allowed researchers to look behind the scenes of a successful hacking campaign.

A giant botnet and banking trojan malware operation has infected hundreds of thousands of Android users since at least 2016 – but mistakes by the group have revealed details of the campaign and how they operate.

Dubbed the Geost botnet after a name repeatedly found in the attackers’ command and control servers, the operation has been discovered by researchers from Czech Technical University, UNCUYO University in Argentina, and cybersecurity company Avast, who detailed their findings at the Virus Bulletin 2019 conference in London.

The campaign is believed to have infected up to 800,000 Android users and has potentially provided the attackers with access to bank accounts along with information about the names of victims, their type of phone and their location.

https://www.zdnet.com/article/a-huge-android-trojan-malware-campaign-was-discovered-after-the-gang-behind-it-made-basic-security-mistakes/
