Roundup Summer rolls on, Reg vultures are making the most of their hols before the September rush hits, and in the past week, we saw Lazarus malware targeting Macs, Adobe scrambling to get an emergency patch out, and Democrats losing their minds over a simple training exercise.
Here's what else went down...
Researchers at Project Insecurity have detailed a vulnerability in SOLEO's IP relay technology that disclosed sensitive files on affected installations. For example, the following HTTPS request to a vulnerable service...
...would potentially return the hashed password file for the system. The bug was fixed by SOLEO on August 10, and pushed out to ISPs and other communications providers using the technology. We're told by Project Insecurity that "essentially every internet service provider in Canada uses Soleo’s IP Relay service," which means – it is claimed – tens of millions of Canadians were at risk until it was patched.
Slapped in the face with a Triout
Security researchers have unearthed a toolkit, dubbed Triout, for building extensive spying capabilities into seemingly benign Android applications.
A seemingly innocuous app was found repackaged using Triout to hide the presence of malicious code on a device, record phone calls as a media file, log incoming text messages, record videos, copy all photos taken by the front and rear cameras, and collect GPS coordinates. Harvested information was transmitted back to a miscreant-controlled command-and-control server.
Researchers at Bitdefender this month identified and described in detail the Triout code.
Blast from the past
ES&S ticks ballot for better security
A voting machine maker previously called out for its weak security is kicking off a campaign to harden its products from hackers.
ES&S announced it was expanding its work with the US government's Homeland Security and the Information Sharing and Analysis Centers (ISAC) to improve its security protections. The effort includes the installation of advanced threat monitoring and network security monitoring for ES&S products and services as well as membership in a threat-sharing network that will allow the company to both send and receive alerts on new attacks.
One could ask why the manufacturer waited this long to improve the security protections in its stuff, but hey… better late than never. Also, it came a day after it was leaned on by US politicians, so there's that.
Uncle Sam puts out a call for supply-chain security
Speaking of Homeland Security, the agency is looking to bring in outside vendors who have fresh ideas on securing IoT devices and supply chains.
Nextgov spotted a request from the department for proposals from IT suppliers who can help it make sure that foreign governments aren't tampering with the individual components that get sold to organizations who, in turn, sell to government agencies.
As the report notes, this comes as the government has slapped bans on Chinese electronics vendors over fears that those companies were working a bit too closely with the government of their home country.
More industrial controllers left wide open to attacks
A team of researchers with Positive Technologies have disclosed a set of four exploitable security flaws in programmable logic controllers (PLCs) made by Schneider Electronics and sold to heavy industries such as power plants, water departments, and oil refineries.
The four vulnerabilities would allow for things like authentication bypass, arbitrary code execution from web servers, and denial of service attacks. The flaws were disclosed in March, but are only now being detailed by Positive.
According to the researchers, the flaws would not be particularly difficult for an attacker to exploit, and could be used as a gateway to larger attacks, or just to cause general chaos at the targeted facility.
There is one saving grace here: the industrial controllers in question are all in the range of 20 years old. It's not unheard of for embedded tech to stay in the field that long, but any device containing these bugs could probably do with a replacement, or at least a good update that includes new security protections.
Fortnite bribes kids to turn on 2FA
Runaway hit build'n'shoot game Fortnite has found a novel way to get players to make their accounts more secure. Developer Epic Games says that players who turn on two-factor authentication for their accounts will get access to a new dance move.
Enabling a verification code on an account now lets players perform an emote called "boogiedown" that, as its name implies, involves… erm… boogying down.
El Reg ran this by one of our Fortnite-playing Vultures and, apparently, yes, an in-game dance move is something that the yoofs these days value enough to go through the hassle of two-factor login. Good work, Epic.
Speaking of Fortnite, Googlers have discovered that the game's Android app installer – which famously sidestepped Google's official Play Store – can be hijacked by malicious software on a device to install further dodgy code.
Darkness Falls on darknet drug-pushers
The FBI says it has nabbed a suspected dealer as part of a dark-web market takedown.
This time, it's a Cleveland-based operation they say was the largest online fentanyl dealer in the US, and the fourth-largest in the world. The alleged dealer, going by the handle MH4Life, was actually a couple, Matthew and Holley Roberts, both 35, it is claimed.
The pair were charged with using accounts on Silk Road, Dream Market, AlphaBay, and others to deal drugs from 2011 to 2018. The arrest was the headline of the FBI's Operation Darkness Falls, a drug takedown focusing on dark net dealers.
OpenSSH clears up 'enumeration' bug
The OpenSSH project has patched a vulnerability that could potentially allow an attacker to, without any authentication, work out the usernames of user accounts on a server.
The flaw, designated CVE-2018-15473, is an information-disclosure bug stemming from the way OpenSSH servers handle failures during login attempts. If you break a connection between a client and a server in a particular way while attempting a login, the response from the server differs depending on whether you were attempting to log in as a user that exists on the system or as an unknown username. Thus, an attacker could in theory work their way through all the possible usernames on a system, keeping a note of the ones that exist. This information can be leveraged to pull off other attacks, social engineering tricks, and so on.
It's not exactly a critical bug, and OpenSSH decided to quietly patch it without making a big deal out of the whole thing.
"We have and will continue to fix bugs like this when we are made aware of them and when the costs of doing so aren't too high," explained developer Damien Miller, "but we aren't going to get excited about them enough to apply for CVEs or do security releases to fix them."
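A toy model of the response divergence described above, added here as an illustration and not OpenSSH's own code: the vulnerable handler rejects unknown usernames before it parses the authentication packet, so a malformed packet ends in a parse error (connection dropped) only for users that exist, while the hardened handler parses first so the visible outcome depends on the packet alone. The user list, the length-prefixed packet format and the response strings are constructed for the example.

```python
# Added example modelling the CVE-2018-15473 bug pattern; not OpenSSH code.
import struct

KNOWN_USERS = {"alice", "bob"}  # constructed sample account list


class ProtocolError(Exception):
    """Raised when a userauth packet cannot be parsed."""


def parse_userauth(packet: bytes) -> str:
    """Parse one length-prefixed string (toy stand-in for an SSH string field)."""
    if len(packet) < 4:
        raise ProtocolError("short packet")
    (n,) = struct.unpack(">I", packet[:4])
    if len(packet) < 4 + n:
        raise ProtocolError("truncated string")
    return packet[4:4 + n].decode("ascii")


def vulnerable_auth(username: str, packet: bytes) -> str:
    # Bug pattern: unknown users are rejected BEFORE the packet is parsed, so a
    # malformed packet yields "failure" for them but "disconnect" for real users.
    if username not in KNOWN_USERS:
        return "failure"
    try:
        parse_userauth(packet)
    except ProtocolError:
        return "disconnect"
    return "failure"  # no credential check in this toy: always fail


def hardened_auth(username: str, packet: bytes) -> str:
    # Fix pattern: parse on every path first, so the outcome never depends on
    # whether the username exists; the existence check happens afterwards.
    try:
        parse_userauth(packet)
    except ProtocolError:
        return "disconnect"
    if username not in KNOWN_USERS:
        return "failure"
    return "failure"  # same visible result as an unknown user


def responses_differ(auth, packet: bytes) -> bool:
    """Defender check: does this handler leak user existence for a given packet?"""
    return auth("alice", packet) != auth("nobody", packet)


MALFORMED = b"\x00\x00\x00\x10pass"        # declares 16 bytes, supplies 4
WELL_FORMED = b"\x00\x00\x00\x08password"  # declares 8 bytes, supplies 8
```

Running `responses_differ` against both handlers with `MALFORMED` is the check a maintainer would add to a regression suite for this class of bug.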
Sales terminals in some Cheddar’s Scratch Kitchen restaurants may well have been hacked in 23 US states to steal payment card information between November 3, 2017, and January 2, 2018.
A technique to steal crypto-keys from electromagnetic radiation from a very nearby device has been detailed here. The described attack targeted OpenSSL, which was patched in May to thwart the snooping. ®