Roundup Phew, we made it to the weekend. Let's take a look at everything that went down in IT security beyond what we've already covered this week.
The week started badly after an anonymous individual managed to bork the Parity Ethereum wallet and lock up $280m worth of the crypto-currency – an act that may or may not have been accidental. And speaking of alt-coins and non-accidents, criminals are really keen to get you mining digital cash for them, using your computers and your electricity supply.
Heads up - the creators of ‘full undetectable’ cryptominer in a browser emailed me. You might want to filter their domain. pic.twitter.com/CETXYTi5MR— Kevin Beaumont 🤨 (@GossiTheDog) November 7, 2017
Thankfully many antivirus and ad-blocking programs are getting good at spotting and blocking such code, but we're certainly not out of the woods yet. Mining code running on smartphones is also on the rise, with one researcher finding that Google's Play Store was once again hosting crafty coin crafters.
One example is an Android crossword puzzle that was worryingly smart. To evade detection it only runs the coin mining code at night, when people are asleep, or when the phone is plugged in to charge – nothing kills a battery like persistent coin mining, so digging up cyber-dosh when hooked up to the mains is a neat idea.
Another miner was found in an Android app called Reward Digger: this one actually told users the coins were being generated for the user, while not mentioning that it was also secretly mining coins for the developer. Mobile phone users are going to become increasingly popular targets as processor speeds increase and because few people use security software on their smartphones.
Over to the Windows desktop world, and the headache of miscreants hijacking PCs via Dynamic Data Exchange (DDE) documents is getting much, much worse.
DDE has been around for decades, first appearing in Windows 2.0 back in 1987, and it was a good idea at the time, allowing, for instance, an Excel spreadsheet to be embedded and editable in a Word document. The downside is that hackers have realized that this is a very handy way to trick marks into executing malicious code smuggled into the files.
Now McAfee has spotted that APT28 – aka the Fancy Bear crew thought to be part of Russian military intelligence – has adopted the technique. There are patches available from Microsoft to combat techniques exploiting DDE, so make sure you are fully protected.
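DDE links live in Word's field instructions, so a defender can triage incoming .docx attachments by reading the field text out of the XML parts instead of opening the file. The following is an added example, not code from the article or from Microsoft: it unzips a .docx in memory, joins the instruction text (which Word may split across several runs), and flags any DDE or DDEAUTO field. The sample document is constructed here with a placeholder target, not a real command.

```python
import io
import re
import zipfile

# Field instruction names that start a DDE link. Word accepts any casing, and
# quotes or whitespace may be inserted around them, so match case-insensitively.
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(docx_bytes):
    """Return (part name, field text) pairs for every XML part holding a DDE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/") or not name.endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # A field instruction can be split over many w:instrText runs, so join
            # every run in the part before searching; also cover simple fields.
            instr = "".join(re.findall(r"<w:instrText[^>]*>(.*?)</w:instrText>", xml, re.S))
            instr += "".join(re.findall(r'<w:fldSimple[^>]*w:instr="([^"]*)"', xml))
            if DDE_FIELD.search(instr):
                hits.append((name, instr.strip()))
    return hits


def build_sample_docx(instr_text):
    """Build a minimal constructed .docx whose body holds a single field instruction."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{instr_text}</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder target: the point is spotting the field type, not any payload.
    suspicious = build_sample_docx('DDEAUTO "placeholder-app" "placeholder-topic"')
    benign = build_sample_docx(" DATE \\* MERGEFORMAT ")
    print(find_dde_fields(suspicious))  # one hit in word/document.xml
    print(find_dde_fields(benign))      # []
```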
Speaking of potential state-sponsored hacking, Symantec has spotted a new crew called Sowbug that's going after government targets in South America and Southeast Asia, with successful attacks against Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia in a two-year campaign.
The group is looking for specific government data relating to Asian policy, and is very stealthy, in some cases hiding out on networks for up to six months. It disguises its custom malware – dubbed Felismus – with file names and extensions that make it look like Windows and Adobe software.
It's not known who is behind Sowbug, but it would be a country with advanced hacking capabilities interested in global policy towards Asia. Any guesses?
Meanwhile hackers managed to hijack and deface hundreds of school websites across the US with a pro-Daesh-bag message and images of Saddam Hussein on Monday.
"Team System Dz" – a hacking crew with plenty of form in this area – claimed responsibility for the mass defacements. Most of the affected organizations were hosted by web hosting firm SchoolDesk. An example of one of the hacks was recorded by the defacement archive Zone-h.
On the flaw front there's news of an old flaw that might be much worse than first thought. Earlier in the month we reported on a flaw found in the library code of Infineon trusted platform modules, which are used to generate encryption keys in a huge number of devices, from computers and phones to security keys and identity cards.
At first people weren't too worried because the keys generated weren't that weak – you'd need around $30,000 of computer time to crack data secured by the vulnerable modules. But better techniques have since been developed, and as a precaution Estonia has announced that it is cancelling and reissuing every ID card in the country, because the cards rely on Infineon's busted code.
Estonia is particularly touchy about it because it has one of the most internet-focused governments out there and is highly dependent on the cards. It also has Russia as a neighbor, and fears President Putin and his pals are coming to claim back the Baltic States – and may kick things off with a little meddling in the national ID card system.
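Keys from the flawed Infineon library can be picked out without any cracking, because their moduli have a tell-tale structure: reduced modulo each of a fixed list of small primes, a weak modulus is always a power of 65537. The block below is an added example, not from the article or from Infineon, implementing that public fingerprint check; it assumes the published parameters (primes 3 through 167, generator 65537). Both sample values are constructed to show the test passing and failing and are not real keys.

```python
from functools import reduce

# Parameters of the public fingerprint check for the Infineon weak-key flaw
# (assumed to be the published ones): 38 small primes and the generator 65537.
# A weak modulus N satisfies "N mod p is some power of 65537 mod p" for every p.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
GENERATOR = 65537


def powers_of_generator(p):
    """All values 65537^k mod p, i.e. the subgroup a weak modulus must land in."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


ALLOWED = {p: powers_of_generator(p) for p in PRIMES}


def has_infineon_fingerprint(n):
    """True when n has the weak-key structure for every small prime at once.

    A key that passes should be treated as crackable and replaced; a normal
    RSA modulus fails at the first prime whose residue falls outside the subgroup.
    """
    return all(n % p in ALLOWED[p] for p in PRIMES)


# Constructed sample WITH the structure (not a real key): a power of the
# generator modulo the product of the primes reduces to a power of 65537 mod
# each prime, so it passes by construction.
PRIMORIAL = reduce(lambda a, b: a * b, PRIMES)
CONSTRUCTED_WEAK = pow(GENERATOR, 123456, PRIMORIAL)

# Constructed sample WITHOUT it: product of the Mersenne primes 2^61-1 and 2^127-1.
CONSTRUCTED_OK = (2**61 - 1) * (2**127 - 1)

if __name__ == "__main__":
    for label, n in (("constructed weak", CONSTRUCTED_WEAK), ("constructed ok", CONSTRUCTED_OK)):
        print(label, has_infineon_fingerprint(n))
```

To check a real certificate or TPM key, feed its RSA modulus (as an int) to `has_infineon_fingerprint`.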
Bracket Computing has added detection of advanced persistent threats to its Bracket Security Software product.
Dubbed ServerGuard, the software runs in what the company calls a metavisor, an agent-like software layer that sits between guest VMs and the hypervisor. The metavisor can monitor activity in a guest VM, but is immutable.
ServerGuard takes advantage of that position to inspect guests for changes that suggest the presence of malware, such as changes to files that can only be written with root access. Bracket's CEO told The Register he feels that watching that sort of thing would have stopped plenty of recent attacks.
If ServerGuard sees the fingerprints of such an attack, policy-driven responses such as snuffing out a VM come into play. ServerGuard and the metavisor can run alongside on-prem or cloudy VMs.
Another flaw story just came in, although this one is more psychological. For years we have been told to trust HTTPS sites as more secure, but hackers have got wise to that.
A lot of new phishing webpages are being set up with HTTPS enabled – about one every two minutes according to security shop Wandera. The company scanned new security certificate applications for a day and found new TLS/SSL cert registrations came in at an average rate of 587,436 an hour, and of those 38 were affiliated with phishing sites.
Wandera warns that mobile users are particularly at risk, since the small screen makes URL checking a pain, and users may just see the HTTPS padlock on the phishing page and assume it is legit. The top domains for phishers were Apple, WhatsApp, Amazon and Netflix.
And finally, a story that will send shivers down your spine in more ways than one. It turns out a software flaw might be recording remote lovers' most intimate moments.
The problem comes with an app controlling a vibrator from teledildonics maker Lovense. The sex toy is designed so it can be controlled remotely over the internet and monitors the phone's microphone to let you whisper sweet nothings in your partner's ear while pleasuring them from afar.
One small problem however – the Android version of the app was also taking temporary audio recordings of the sounds around the smartphone, recording potentially telling noises. Thankfully the manufacturer assures us the sounds stay on your phone, not its servers, and the app has now been fixed to avoid generating the recordings. ®