CyberSecurity: The Rest of the Week’s Cyber News

Bitcoin Stolen From Electrum Wallets (December 27, 2018)
  More than 200 bitcoin have been stolen from Electrum wallets since December 21. The attacker or attackers exploited a weakness in the Electrum architecture that allows Electrum servers to trigger custom pop-ups in users’ wallets. The attack involves adding malicious servers to the Electrum network. When a user’s legitimate transaction reached one of the malicious servers, the server responded with a message urging that user to download a malicious wallet update from an unauthorized GitHub repository. GitHub admins have taken down the repository, but the pop-up issue has not been fixed.
Read more in:
– Users report losing Bitcoin in clever hack of Electrum wallets
Shamoon Sample Signed with Expired Baidu Certificate (December 27, 2018)
  A new sample of the Shamoon disk-wiping malware was uploaded to VirusTotal. It uses an expired digital certificate issued by Baidu. The Shamoon sample is disguised as a Baidu system optimization tool.
Read more in:
– New Shamoon Sample from France Signed with Baidu Certificate
FBI Warns of Port 1911 Vulnerability in Buildings’ Control Systems (December 27, 2018)
  In a recent industry advisory, the FBI warned that port 1911, which is used to communicate with control systems in buildings, could be used to access unpatched devices on those networks. The report warns that “successful exploitation could lead to data leakage and possible privilege escalation.”
Read more in:
– FBI warns industry that hackers could probe vulnerable connections in building systems
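A defender’s first question after an advisory like this is whether anything on the building network accepts port 1911 connections from outside. The script below is an added Python example, not code from the advisory or the linked articles: it parses constructed firewall flow-log lines (the log format, the addresses and the traffic are assumptions) and flags allowed TCP connections to port 1911 whose source lies outside the RFC 1918 ranges, then lists each exposed controller once with the external addresses that reached it.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample flow-log lines (hypothetical format, not real traffic):
# "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = """\
2018-12-27T10:15:02Z ALLOW TCP 10.20.30.40:50122 -> 10.20.40.5:1911
2018-12-27T10:15:09Z ALLOW TCP 203.0.113.45:51234 -> 198.51.100.10:1911
2018-12-27T10:15:11Z ALLOW TCP 198.51.100.77:44012 -> 198.51.100.10:443
2018-12-27T10:16:40Z DENY  TCP 203.0.113.45:51240 -> 198.51.100.11:1911
2018-12-27T10:17:03Z ALLOW TCP 192.0.2.200:60001 -> 198.51.100.10:1911
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Port 1911 is the one named in the FBI advisory; extend this set for other
# building-control ports you want watched.
WATCHED_PORTS = {1911}

# RFC 1918 ranges listed explicitly. ipaddress's is_private would also treat the
# documentation ranges used in the sample (203.0.113.0/24 and friends) as private,
# which would hide exactly the connections this check is meant to surface.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_bms_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return allowed connections to a watched port that originate outside RFC 1918 space."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production parser would count these
        if int(m["dport"]) not in WATCHED_PORTS:
            continue
        if m["action"] != "ALLOW":
            continue  # blocked attempts are worth counting separately, not alerting on
        if is_internal(m["src"]):
            continue
        alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": m["dport"]})
    return alerts


def exposed_devices(alerts: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group alerts by destination so each exposed controller is listed once with its external sources."""
    exposed: Dict[str, Set[str]] = {}
    for a in alerts:
        exposed.setdefault(a["dst"], set()).add(a["src"])
    return exposed


if __name__ == "__main__":
    found = find_external_bms_access(SAMPLE_FLOWS.splitlines())
    for dst, sources in exposed_devices(found).items():
        print(f"{dst}:1911 reachable from {len(sources)} external address(es): {sorted(sources)}")
```

Run against the sample, the internal-to-internal flow and the denied attempt are ignored, and the one controller that accepted two external connections is reported. Any hit is a candidate for a firewall rule or a VPN requirement ahead of patching.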
Guardzilla Home Security System Has Hard-Coded Credentials (December 27, 2018)
  A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.
Editor’s Note

The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device-specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES-encoded password. The root password and AWS credentials have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user-supplied credentials, as well as resolving any vulnerabilities in supporting software, will be a significant change for Guardzilla, which is keeping tight-lipped about its response to the issue.
Read more in:
– Flaw in Guardzilla home security devices allows outsiders to view stored video, researchers say
– 0DayAllDay Hackers Go Godzilla On Guardzilla To Reveal A Real Video Nasty
– R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)
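A firmware reviewer’s check for exactly this class of problem, as an added Python example rather than anything from the Rapid7 or 0DayAllDay write-ups: it walks a constructed stand-in for an extracted root filesystem (the paths, file contents, bucket name and the well-known example key pair from AWS documentation are all assumptions) and reports embedded AWS access key IDs and secrets, S3 bucket names, and traditional 13-character DES crypt(3) hashes in /etc/shadow. A complete key pair in the image means every unit running that firmware shares one cloud identity, which is the condition the editor’s note describes.

```python
import re
from typing import Dict, List

# Constructed stand-in for an extracted firmware root filesystem (path -> contents).
# The access key / secret pair is the public example pair from AWS documentation,
# not a live credential; the bucket name and root hash are likewise made up.
FIRMWARE_FS: Dict[str, bytes] = {
    "/etc/shadow": (
        b"root:abJnggxhB/yWI:10933:0:99999:7:::\n"   # 13-char traditional DES crypt hash
        b"nobody:*:10933:0:99999:7:::\n"
    ),
    "/opt/camera/cloud.conf": (
        b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        b"upload_url = https://example-video-bucket.s3.amazonaws.com/\n"
    ),
    "/usr/bin/camerad": b"\x7fELF\x01\x01\x01 ... binary without embedded secrets ...",
}

# Patterns for the things the Guardzilla write-ups describe: a shared AWS key,
# its secret and the bucket it points at, plus a DES-crypt root password.
AWS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET = re.compile(rb"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})\b")
S3_BUCKET = re.compile(rb"\b([a-z0-9.-]{3,63})\.s3\.amazonaws\.com\b")
# Traditional crypt(3) hashes are exactly 13 characters with no "$id$" prefix.
DES_SHADOW = re.compile(rb"^([^:\n]+):([./0-9A-Za-z]{13}):", re.MULTILINE)


def scan_firmware(fs: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Walk every file and report embedded cloud credentials and weak password hashes."""
    findings: List[Dict[str, str]] = []
    for path, data in fs.items():
        for m in AWS_KEY_ID.finditer(data):
            findings.append({"path": path, "kind": "aws_access_key_id",
                             "value": m.group(0).decode()})
        for m in AWS_SECRET.finditer(data):
            # Report where the secret lives; never echo the secret itself into a report.
            findings.append({"path": path, "kind": "aws_secret_access_key",
                             "value": "<redacted, %d chars>" % len(m.group(1))})
        for m in S3_BUCKET.finditer(data):
            findings.append({"path": path, "kind": "s3_bucket",
                             "value": m.group(1).decode()})
        if path.endswith("/shadow"):
            for m in DES_SHADOW.finditer(data):
                findings.append({"path": path, "kind": "des_crypt_password",
                                 "value": m.group(1).decode()})   # account name only
    return findings


def shares_cloud_credentials(findings: List[Dict[str, str]]) -> bool:
    """True when the image carries a complete AWS key pair, i.e. every unit shares it."""
    kinds = {f["kind"] for f in findings}
    return {"aws_access_key_id", "aws_secret_access_key"} <= kinds


if __name__ == "__main__":
    results = scan_firmware(FIRMWARE_FS)
    for f in results:
        print(f"{f['kind']:22} {f['path']}: {f['value']}")
    print("shared cloud credential present:", shares_cloud_credentials(results))
```

The scanner deliberately redacts the secret in its output and reports only the account name for a weak hash; it is a finding generator, not a credential harvester. The remedy it checks for is the one the editor’s note lays out: per-device, end-user-scoped storage access brokered by an intermediate service, after which a rescan of the new image should return no key pair at all.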
San Diego Unified School District Discloses Data Breach (December 25 & 26, 2018)
  On Friday, December 21, the San Diego (California) Unified School District posted a notice on its website acknowledging that a hacker stole personally identifiable information of 500,000 students and staff members from its network. The hacker gained access to the school district’s system through a phishing attack. Some staff members reported the suspicious emails to the IT department, which discovered the breach in October. The system was compromised from January 2018 through November 1, 2018. The stolen data dates back to the 2008-2009 school year. A suspect has been identified.
Editor’s Note

A concern here is that the school district data may be used to pressure parents to respond to false threats against their children. The school district is notifying those impacted and advising them to take measures to prevent fraud and identity-theft.

If you read to the bottom of the data safety note, they lost control of fairly sensitive data on minors and aren’t doing anything to help the victims. It gives weak advice in the form of “you can”.

In a world of “advanced persistent threat,” one person taking bait should not be sufficient to compromise so much sensitive data. I do not like the term “zero trust” security, but its principle, “never trust, always verify,” and the measures that it identifies, e.g., least privilege, strong authentication, end-to-end application layer encryption, are now essential practices. New tools, including network defined security services, make this more convenient than it sounds.
Read more in:
– Hacker steals ten years worth of data from San Diego school district
– San Diego Unified School District data breach exposed 500,000 students, staff, parents
– Data Safety
Schneider Fixes EVLink Parking Charging Station Flaws (December 24, 2018)
  Schneider Electric has fixed a critical vulnerability affecting its EVLink Parking electric vehicle charging stations. The hard-coded credential flaw could be exploited to gain access to the device. Schneider fixed two other flaws in EVLink Parking: a code injection vulnerability and an SQL injection vulnerability.
Read more in:
– Critical Bug Patched in Schneider Electric Vehicle Charging Station
– Security Notification – EVLink Parking (PDF)
Orange LiveBox ADSL Modems Leak Credentials (December 24 & 26, 2018)
  A vulnerability affecting Orange LiveBox ADSL modems can be exploited to obtain the devices’ SSIDs and WiFi passwords with a simple GET request. More than 19,000 modems in France and Spain are affected.
Editor’s Note

Many of these routers are using default credentials (admin/admin) and are discoverable in Shodan. Once you have the credentials for the targeted SSID, a service such as WiGLE can be used to obtain the exact geolocation of that network. Possible mitigations for this threat include changing both the default credentials and the WiFi passwords, or possibly moving to a separate WiFi access point and ADSL modem.

Read more in:
– Over 19,000 Orange modems are leaking WiFi credentials
– 19K Orange Livebox Modems Open to Attack
– Orange LiveBox Modems Targeted for SSID and WiFi Info
Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data (December 21, 2018)
  The Indian government has issued an order that gives ten agencies the authority “to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer.” Individuals and organizations that refuse to comply with interception, monitoring, and access requests could face fines or prison sentences of up to seven years.
Read more in:
– India authorizes 10 agencies to intercept, monitor, and decrypt citizens’ data
– MHA authorizes following agencies for the purpose of interception, monitoring & decryption of any Information
