Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more

Hacking laws in the limelight in Georgia and DC, plus new iPhone anti-tampering


Here's a roundup of everything that's happened in the world of infosec this week, beyond what we've already covered.

7Zip gets 7Ripped

Researchers have poked a hole in the 7-Zip archiving tool, and you'll want to update the software as soon as possible.

The bug, discovered by researcher landave, allows remote code execution by way of poisoned RAR files, though the RAR payload can also be disguised as other archive formats.

Because the flaw can be exploited fairly easily on fully patched Windows 10 machines, you will want to update to 7-Zip version 18.05 or later.

Russians positioned to hack US voting systems

The US Senate Intelligence Committee said this week that Kremlin-linked hackers at least tried to "alter or delete voter registration data" for a small number of America's states before the 2016 presidential election. There is no evidence votes were changed, and Homeland Security warned last year that Russia had targeted voting systems in 21 states during the White House race.

Most of the "attacks" were scans for vulnerabilities and open services, but against at least six states, Moscow's miscreants "conducted malicious access attempts on voting-related websites." The upshot is: Russia tried to meddle with the computer systems running the elections, and thus voting systems must be tightly secured in future.

Rowhammer swings again with network-based attacks

It has been three years since the infamous 'Rowhammer' technique was first disclosed, and the menace of the bit-slamming memory attack is still being exploited in new and devious ways.

This time it is network connections that have been found vulnerable to the brute-force memory corruption trick. Researchers from Vrije Universiteit in Amsterdam found [PDF] that network packets can be used to trigger the address error conditions on any machine that has remote direct memory access (RDMA) enabled.

This means that, for the first time, Rowhammer has been shown to be remotely exploitable and an attacker no longer requires local access to a machine in order to take advantage of the vulnerability.

What's worse, RDMA is a favorite technique for low-latency network setups, meaning the vulnerable systems are high-value targets like cloud providers and data centers.

iOS 11.4 leaves USB port USBricked when inactive

Apple has added a new security measure to the next version of iOS that will make it harder to get around the unlock screen of a handset, particularly one that hasn't been used for some time.

Elcomsoft explains that under iOS 11.4 (now in beta) the lightning/USB port on the iPhone will become partially locked down during long idle periods.

Specifically, when the iPhone hasn't been unlocked in seven days, the port will go into power-only mode and will not make any data transmissions until it is unlocked again via key code. This means people who seize a phone (via legal or other means) will not be able to use the USB connection to get around locks unless they do so immediately.

It remains to be seen what this could mean for law enforcement tools like GrayKey that are used to get around iPhone lock screens via Lightning.

Georgia comes to its senses, kills stupid 'hacking' bill

The infamous Georgia state legislation that would have criminalized many forms of white hat hacking has been put on ice.

Governor Nathan Deal on Tuesday vetoed SB315 amidst pressure from the software and IT industries in the state. The bill would have tightened restrictions on unauthorized access, including criminalizing cases where someone got into a system but did not steal any data.

Many security professionals had opposed the bill arguing that it would have a chilling effect on network security testing and bug-hunting practices.

'Electrum Pro' caught lifting coins

Cryptocoin investors will want to make sure they're not running the malicious 'ElectrumPro' wallet, which researchers believe is stealing coins from users.

As BlockExplorer explains, the wallet app is apparently malware in disguise, as it has been caught lifting the seed code of users. This, potentially, would allow the controller of the malware's domain to get into user wallets.

The site recommends that anyone who has been using the infected wallet should immediately find and move their cryptocoins to a new, secure wallet, as anyone who had access to the ElectrumPro domain would now potentially be able to remotely access and steal user coins.

Bolton considering eliminating top cybersec job

Sentient mustache John Bolton is reportedly looking to eliminate one of Washington DC's top infosec jobs.

A report citing sources familiar with the matter says that the White House cybersecurity coordinator position will soon be no more. Security guru Rob Joyce currently holds the position, but is set to step down.

When that happens, Bolton is reportedly planning to leave the position unfilled, effectively doing away with the job altogether and handing over many of its responsibilities to Mira Ricardel, Bolton's deputy National Security Advisor.

As with many of the Trump administration's hatchet jobs, the cybersecurity coordinator position was a creation of the Obama regime.

Government cybersecurity experts are, not surprisingly, said to be less than enthused about this move as it suggests the NSA is putting less of a focus on cybersecurity - or at least employing one fewer cybersecurity expert in its ranks.

State department hacking bill approved

Elsewhere in Washington, DC, the House of Representatives has advanced a bill to invite security researchers into the State Department's folds.

The excellently named Hack Your State Department Act was approved by the Foreign Affairs committee, meaning the bill is one step closer to a full vote.

The act would establish a research and bug bounty program for white hats who wish to seek out security vulnerabilities in US State Department websites.

The bill is being championed by the bi-coastal, bi-partisan duo of the Teds Lieu (D-CA) and Yoho (R-FL).

Bad Panda makes you a sad panda

F5 Labs has uncovered a new banking malware strain that uses a cute name to hide a scary attack.

Dubbed 'Panda', the account-stealing malware is actually a variant on the infamous Zeus trojan that targets banks and cryptocurrency exchanges. In addition to web injects (adding content to otherwise legitimate pages), the malware is able to capture screenshots and log keystrokes. It also has a remote access component that could allow the attacker to break into your machine and get anything they couldn't lift via the surveillance components.

F5 recommends keeping all anti-malware software up to date in order to prevent infection.

Google Play hit with more malware woes

No, this is not a repeat. More malware nasties have been found lurking in the Google Play store. This time, researchers at Symantec say, it is educational apps and games that are being used as the trojans for the Android infections.

Researchers May Ying Tee and Martin Zhang found more than three dozen examples of such apps that had snuck through the Play Store's screening process, serving Android users additional downloads of adware and click-fraud apps that covertly load up other web pages and blogs in order to inflate affiliate traffic.

Wild pwnberries blossom on Chrome

Elsewhere in Google malware woes, we have a Chrome plug-in attack based on a children's cartoon. How quaint.

Researchers with Radware say the malicious plugin, dubbed 'Nigelthorn', also hijacks infected machines to mine cryptocurrency. Disguising itself as 'Nigelify', a Chrome plug-in that turns images on a web page into cartoon character Nigel Thornberry of 'Wild Thornberrys' fame, the malware is being spread through Facebook spam and phony YouTube pages.

Both Windows and Linux versions of Chrome are vulnerable to the nasty add-on.

Tor pedo 'glad to be caught'

The fallout from the FBI's Playpen operation has led to another pervert being jailed for using the child abuse site, but this one says he's happy to be sent down.

Irishman Conor Emmet, 20, was jailed for 156 months on Friday after the FBI passed his IP address to Dublin police. He was found with 5,919 images and 328 video files of child abuse, including one video involving an 18-month-old child. Police used that video to identify and rescue the child in Thailand.

Emmet admitted his crimes, saying he was glad the police caught him, and has already begun a treatment program. For that reason the judge only gave him half the maximum sentence and suspended a portion of it. Nevertheless one more child-abuse enabler is off the streets.

In brief

The source code to sales-terminal-infecting malware TreasureHunt has leaked, according to FlashPoint, meaning that miscreants can get their hands on blueprints to credit-card-stealing spyware.

Also, Signal pushed out a fix for its Electron-based desktop client after someone found a remote cross-site scripting vulnerability – you should update your installation to the latest version ASAP.

And finally, UK telco EE was accused of leaving two million lines of internal source code, plus AWS account keys, out in the open with the username-password pair of admin-admin, allowing crims to skim the files for vulnerabilities to exploit. EE insisted no customer data was lost or stolen. ®
