Coronavirus: More Companies Backing Out of RSA Conferences

AT&T Cybersecurity and Verizon have decided not to attend the RSA Conference in San Francisco this week, citing concerns about the coronavirus. IBM announced its decision not to attend RSA on February 15. The conference is taking place this week as scheduled. Sony and Facebook’s Oculus have pulled out of the Game Developer Conference scheduled for March 16-20 in San Francisco. Coronavirus worries have already caused the cancellation of the World Mobile Congress that was to have taken place in in Barcelona February 24-27. Black Hat Asia 2020 has been postponed to fall 2020, and Cisco has cancelled its Cisco Live! Conference that was scheduled to be held in Melbourne, Australia early next month.

Read more in:
– www.scmagazine.com: AT&T, Verizon join RSA exodus over Coronavirus fears

Car Thieves Disabling OnStar, Replacing Vehicle Computers(February 11, 2020)
 In “a recent string of stolen Chevrolet Silverado pickups,” thieves disabled the OnStar anti-theft technology almost immediately, reducing the likelihood of the vehicles’ recovery. Surveillance video has shown how fast the thieves operate – pop the lock, open the hood, change the computer, and disable OnStar tracking.
Read more in:
– gmauthority.com: Chevrolet Silverado Thieves Disable OnStar Tracking

Median Dwell Time for Breaches is Falling Worldwide

According to the M-Trends 2020 Report, the global median “dwell time” – the time from initial intrusion to detection – fell from 78 days to 56 days in just one year. The report also found that while intrusions are being detected more quickly, they are more often discovered by third parties rather than internally.

Read more in:
– content.fireeye.com: M-Trends 2020 (PDF)
– www.zdnet.com: Cybersecurity: Hacking victims are uncovering cyberattacks faster – and GDPR is the reason why

U.S. Defense of Department DISA Breach Exposed PII of 200,000 People(February 20 & 24, 2020)
 The US Department of Defense’s (DoD’s) Defense Information Systems Agency (DISA) has acknowledged a network breach that compromised the personal information of at least 200,000 individuals. On February 11, 2020, DISA sent letters to the people whose data were compromised, telling them that the breach occurred between May and June 2019. DISA secures and manages White House communications.
Read more in:
– threatpost.com: Data Breach Occurs at Agency in Charge of Secure White House Communications

Wyden Pushing for Release of ShiftState Voatz Audit Results

US Senator Ron Wyden (D-Oregon) is asking a company that conducted an audit on the Voatz mobile voting app to disclose the results. While ShiftState’s audit gave Voatz “high marks,” researchers at MIT recently published a paper enumerating security concerns present in Voatz. Specifically, Wyden wants to know how many “ShiftState personnel that audited Voatz [have] experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security;” whether ShiftState detected the same flaws the MIT researchers found; and whether the company agrees or disagrees with the MIT findings and why.

Read more in:
– www.meritalk.com: Sen. Wyden Questions ShiftState on Voatz Audit

Bitcoin Stolen From Electrum Wallets (December 27, 2018)   More than 200 bitcoin has been stolen from Electrum wallets since December 21. The attacker or attackers exploited a vulnerability in the Electrum architecture that allows Electrum servers to trigger custom pop-ups in users’ wallets. The attack involves adding malicious servers to the Electrum network. When legitimate transactions initiated by other users reached one of the malicious servers, they would display a message urging them to download a malicious wallet update from an unauthorized GitHub repository. GitHub admins have taken down the repository, but the pop-up issue has not been fixed.   Read more in: – www.zdnet.com: Article Users report losing Bitcoin in clever hack of Electrum wallets

Shamoon Sample Signed with Expired Baidu Certificate (December 27, 2018)   A new sample of the Shamoon disk-wiping malware was uploaded to VirusTotal. It uses an expired digital certificate issued by Baidu. The Shamoon sample is disguised as a Baidu system optimization tool.   Read more in: – www.bleepingcomputer.com: New Shamoon Sample from France Signed with Baidu Certificate

FBI Warns of Port 1911 Vulnerability in Buildings’ Control Systems (December 27, 2018)   In a recent industry advisory, the FBI warned that port 1911, which is used to communicate with control systems in buildings could be used to access unpatched devices on those networks. The report warns that “successful exploitation could lead to data leakage and possible privilege escalation.”   Read more in: – www.cyberscoop.com: FBI warns industry that hackers could probe vulnerable connections in building systems

Guardzilla Home Security System Has Hard-Coded Credentials (December 27, 2018)   A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.   Editor’s Note [Neely] The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES encoded password. The root password and AWS have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user supplied credentials as well as resolving any vulnerabilities in supporting software will be a significant change for Guardzilla, who is keeping tight-lipped about their response to the issue. Read more in: – www.cyberscoop.com: Flaw in Guardzilla home security devices allows outsiders to view stored video, researchers say – www.forbes.com: 0DayAllDay Hackers Go Godzilla On Guardzilla To Reveal A Real Video Nasty – blog.rapid7.com: R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)

San Diego Unified School District Discloses Data Breach (December 25 & 26, 2018)   On Friday, December 21, the San Diego (California) Unified School District has posted a notice on its website acknowledging that a hacker stole personally identifiable information of 500,000 students and staff members from its network. The hacker was able to gain access to the school district’s system through a phishing attack. Some staff members reported the suspicious emails to the IT department, which discovered the breach in October. The system was compromised from January 2018 through November 1, 2018. The hacker stole data dating back to the 2008-2009 school year. A suspect has been identified.   Editor’s Note [Neely] A concern here is that the school district data may be used to pressure parents to respond to false threats against their children. The school district is notifying those impacted and advising them to take measures to prevent fraud and identity-theft. [Northcutt] If you read to the bottom of the data safety note, they lost control of fairly sensitive data on minors and aren’t doing anything to help the victims. It gives weak advice in the form of “you can”. [Murray] In a world of “advanced persistent threat,” one person taking bait should not be sufficient to compromise so much sensitive data. I do not like the term “zero trusts” security but its principle, “never trust, always verify,” and the measures that it identifies, e.g., least privilege, strong authentication, end-to-end application layer encryption, are now essential practices. New tools, including network defined security services, make this more convenient than it sounds. Read more in: – www.zdnet.com: Hacker steals ten years worth of data from San Diego school district – www.scmagazine.com: San Diego Unified School District data breach exposed 500,000 students, staff, parents – www.sandiegounified.org: Data Safety

Schneider Fixes EVLink Parking Charging Station Flaws (December 24, 2018)   Schneider Electric has fixed a critical vulnerability affecting its EVLink Parking electric vehicle charging stations. The hard-coded credential flaw could be exploited to gain access to the device. Schneider fixed two other flaws in EVLink Parking: a code injection vulnerability and an SQL injection vulnerability.   Read more in: – threatpost.com: Critical Bug Patched in Schneider Electric Vehicle Charging Station – download.schneider-electric.com: Security Notification – EVLink Parking (PDF)

Orange LiveBox ADSL Modems Leak Credentials (December 24 & 26, 2018)   A vulnerability affecting Orange LiveBox ADSL modems can be exploited to obtain the devices’ SSIDs and WiFi passwords with a simple GET request. More than 19,000 modems in France and Spain are affected.   Editor’s Note [Neely] Many of these routers are using default credentials (admin/admin) and are discoverable in Shodan. Once you have the credentials for the targeted SSID, a service such as WiGLE can be used to obtain the exact geolocation of that network. Possible mitigations for this threat include changing both the default credentials as well as the WiFi passwords or possibly moving to a separate WiFi access point and ADSL modem. Read more in: – www.zdnet.com: Over 19,000 Orange modems are leaking WiFi credentials – threatpost.com: 19K Orange Livebox Modems Open to Attack – www.bleepingcomputer.com: Orange LiveBox Modems Targeted for SSID and WiFi Info

Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data (December 21, 2018)   The Indian government has issued an order that gives ten agencies the authority “to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer.” Individuals and organizations that refuse to comply with an interception, monitoring and access requests could face fines or prison sentences of up to seven years.   Read more in: – www.zdnet.com: India authorizes 10 agencies to intercept, monitor, and decrypt citizens’ data – twitter.com: MHA authorizes following agencies for the purpose of interception, monitoring & decryption of any Information