Voting machine maker vows to step up security, Fortnite bribes players to do 2FA – and more

Plus: Feds break up another 'dark-net drugs op'

Roundup Summer rolls on, Reg vultures are making the most of their hols before the September rush hits, and in the past week, we saw Lazarus malware targeting Macs, Adobe scrambling to get an emergency patch out, and Democrats losing their minds over a simple training exercise.

Here's what else went down...

SOLEO mission

Researchers at Project Insecurity have detailed a vulnerability in SOLEO's IP relay technology that disclosed sensitive files on affected installations. For example, the following HTTPS request to a vulnerable service...


...would potentially return the hashed password file for the system. The bug was fixed by SOLEO on August 10, and pushed out to ISPs and other communications providers using the technology. We're told by Project Insecurity that "essentially every internet service provider in Canada uses Soleo’s IP Relay service," which means – it is claimed – tens of millions of Canadians were at risk until it was patched.

Slapped in the face with a Triout

Security researchers have unearthed a toolkit, dubbed Triout, for building extensive spying capabilities into seemingly benign Android applications.

A seemingly innocuous app was found repackaged using Triout to hide the presence of malicious code on a device, record phone calls as a media file, log incoming text messages, record videos, copy all photos taken by the front and rear cameras, and collect GPS coordinates. Harvested information was transmitted back to a miscreant-controlled command-and-control server.

Researchers at Bitdefender identified the Triout code this month and described it in detail.

Blast from the past

This is not strictly security related, other than involving an operating system that wasn't considered particularly secure: Windows 95 has shown up as an Electron app for Linux, macOS, and Windows. It uses v86, an x86 emulator written in JavaScript, to run the OS. You can also, by the way, boot Windows 2000 in a browser window, using JavaScript, as well as Linux and FreeDOS, thanks to Qemu supremo Fabrice Bellard.

ES&S ticks ballot for better security

A voting machine maker previously called out for its weak security is kicking off a campaign to harden its products from hackers.

ES&S announced it was expanding its work with the US Department of Homeland Security and the Information Sharing and Analysis Centers (ISACs) to improve its security protections. The effort includes installing advanced threat monitoring and network security monitoring for ES&S products and services, as well as membership of a threat-sharing network that will allow the company to both send and receive alerts on new attacks.

One could ask why the manufacturer waited this long to improve the security protections in its stuff, but hey… better late than never. Also, it came a day after it was leaned on by US politicians, so there's that.

Uncle Sam puts out a call for supply-chain security

Speaking of Homeland Security, the department is looking to bring in outside vendors with fresh ideas on securing IoT devices and supply chains.

Nextgov spotted a request from the department for proposals from IT suppliers who can help it make sure that foreign governments aren't tampering with the individual components that get sold to organizations who, in turn, sell to government agencies.

As the report notes, this comes as the government has slapped bans on Chinese electronics vendors over fears that those companies were working a bit too closely with the government of their home country.

More industrial controllers left wide open to attacks

A team of researchers with Positive Technologies has disclosed four exploitable security flaws in programmable logic controllers (PLCs) made by Schneider Electric and sold to heavy industries such as power plants, water utilities, and oil refineries.

The four vulnerabilities allow for things such as authentication bypass, arbitrary code execution via the controllers' web servers, and denial of service. The flaws were reported to the manufacturer in March, but are only now being detailed by Positive.

According to the researchers, the flaws would not be particularly difficult for an attacker to exploit, and could be used as a gateway to larger attacks, or just to cause general chaos at the targeted facility.

There is one saving grace here: the industrial controllers in question are all in the range of 20 years old. It's not unheard of for embedded tech to stay in the field that long, but any device containing these bugs could probably do with a replacement, or at least a good update that includes new security protections.

Fortnite bribes kids to turn on 2FA

Runaway hit build'n'shoot game Fortnite has found a novel way to get players to make their accounts more secure. Developer Epic Games says that players who turn on two-factor authentication for their accounts will get access to a new dance move.

Switching on verification codes for an account now lets players perform an emote called "boogiedown" that, as its name implies, involves… erm… boogying down.

El Reg ran this by one of our Fortnite playing Vultures and, apparently, yes, an in-game dance move is something that the yoofs these days value enough to go through the hassle of two-factor login. Good work, Epic.

Speaking of Fortnite, Googlers have discovered that the game's Android installer – which famously sidestepped Google's official Play Store – could be hijacked by malicious software already on a device to install further dodgy code: the installer fetched the game's APK into shared external storage, where any app holding the storage permission could swap it for a different package before installation began.

Darkness Falls on darknet drug-pushers

The FBI says it has nabbed a suspected dealer as part of a dark-web market takedown.

This time, it's a Cleveland-based operation they say was the largest online fentanyl vendor in the US, and the fourth-largest in the world. The alleged dealer, trading under the handle MH4Life, was actually a couple, Matthew and Holley Roberts, both 35, it is claimed.

The pair were charged with using accounts on Silk Road, Dream Market, AlphaBay, and other markets to deal drugs from 2011 to 2018. The arrests were the headline of the FBI's Operation Darkness Falls, a crackdown focusing on dark-net dealers.

OpenSSH clears up 'enumeration' bug

The OpenSSH project has patched a vulnerability that could potentially allow an attacker to work out, without any authentication, which usernames exist on a server.

The flaw, designated CVE-2018-15473, is an information-disclosure bug stemming from the order in which the OpenSSH server handles an authentication request. If a client sends a deliberately malformed authentication request, the server's reaction depends on whether the username exists: for an unknown account it bails out early and returns a routine authentication-failure message without ever parsing the packet, while for a real account it goes on to parse the malformed data, hits an error, and drops the connection. No password or key is needed to trigger this. Thus, an attacker could work their way through a list of candidate usernames, keeping a note of the ones that cause the connection to be dropped rather than politely refused. This information can be leveraged to pull off other attacks, social engineering tricks, and so on.

It's not exactly a critical bug, and OpenSSH decided to quietly patch it without making a big deal out of the whole thing.

"We have and will continue to fix bugs like this when we are made aware of them and when the costs of doing so aren't too high," explained developer Damien Miller, "but we aren't going to get excited about them enough to apply for CVEs or do security releases to fix them."
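To make the ordering problem concrete, here is an added example in C; it is not OpenSSH's own code. It models the control flow behind CVE-2018-15473 with a tiny publickey-request parser: the vulnerable handler rejects unknown users before parsing, the fixed handler parses first. The `known_users` table, the `server_reaction` enum and the two packets are constructed stand-ins for `getpwnam()`, the server's failure message versus `fatal()`, and real SSH traffic.

```c
/* Added example (not OpenSSH's code): a model of the ordering flaw behind
 * CVE-2018-15473. Unknown users were rejected BEFORE the publickey request was
 * parsed, so a malformed packet drew a different reaction depending on whether
 * the account existed. known_users, server_reaction and the packets below are
 * stand-ins for getpwnam(), the failure-message-vs-fatal() outcome and real traffic. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the client observes after sending SSH2_MSG_USERAUTH_REQUEST. */
enum server_reaction { USERAUTH_FAILURE = 0, CONNECTION_CLOSED = 1 };

/* Hypothetical account database standing in for getpwnam(). */
static const char *const known_users[] = { "root", "alice", "backup" };

static int user_exists(const char *name)
{
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(known_users[i], name) == 0)
            return 1;
    return 0;
}

/* SSH "string": 4-byte big-endian length followed by that many bytes.
 * Returns 0 when the packet is truncated, as the real packet reader would fail. */
static int read_ssh_string(const uint8_t *pkt, size_t len, size_t *off)
{
    if (len - *off < 4)
        return 0;
    uint32_t n = ((uint32_t)pkt[*off] << 24) | ((uint32_t)pkt[*off + 1] << 16)
               | ((uint32_t)pkt[*off + 2] << 8)  |  (uint32_t)pkt[*off + 3];
    *off += 4;
    if (n > len - *off)
        return 0;
    *off += n;
    return 1;
}

/* publickey method payload: boolean "signature present", string algorithm, string key blob. */
static int parse_pubkey_request(const uint8_t *pkt, size_t len)
{
    size_t off = 1;                           /* skip the boolean */
    if (len < 1)
        return 0;
    if (!read_ssh_string(pkt, len, &off))     /* algorithm name */
        return 0;
    if (!read_ssh_string(pkt, len, &off))     /* key blob */
        return 0;
    return 1;
}

/* Vulnerable ordering: the "no such user" shortcut runs before parsing. */
enum server_reaction userauth_pubkey_vulnerable(const char *user, const uint8_t *pkt, size_t len)
{
    if (!user_exists(user))
        return USERAUTH_FAILURE;      /* polite failure, packet never parsed */
    if (!parse_pubkey_request(pkt, len))
        return CONNECTION_CLOSED;     /* parse error -> fatal(), connection dropped */
    return USERAUTH_FAILURE;          /* well-formed but unsigned request: normal failure */
}

/* Fixed ordering: parse first, so a malformed packet is fatal for every username. */
enum server_reaction userauth_pubkey_fixed(const char *user, const uint8_t *pkt, size_t len)
{
    if (!parse_pubkey_request(pkt, len))
        return CONNECTION_CLOSED;
    if (!user_exists(user))
        return USERAUTH_FAILURE;
    return USERAUTH_FAILURE;          /* real code would go on to check the key */
}

/* Attacker's side: against the vulnerable server, a dropped connection after a
 * malformed request means the account exists. Returns how many names were
 * flagged; the names are copied into `found` when it is non-NULL. */
size_t enumerate_users(enum server_reaction (*handler)(const char *, const uint8_t *, size_t),
                       const char *const *wordlist, size_t words,
                       const uint8_t *malformed, size_t mlen,
                       const char **found, size_t max_found)
{
    size_t n = 0;
    for (size_t i = 0; i < words; i++) {
        if (handler(wordlist[i], malformed, mlen) != CONNECTION_CLOSED)
            continue;
        if (found && n < max_found)
            found[n] = wordlist[i];
        n++;
    }
    return n;
}

/* Constructed sample packets and wordlist (not captured traffic). */
const uint8_t malformed_pkt[] = { 0x01, 0x00, 0x00, 0x00, 0x64, 'a', 'b' };   /* claims 100 bytes, carries 2 */
const size_t malformed_len = sizeof malformed_pkt;
const uint8_t wellformed_pkt[] = { 0x00, 0x00, 0x00, 0x00, 0x07, 's', 's', 'h', '-', 'r', 's', 'a',
                                   0x00, 0x00, 0x00, 0x03, 'k', 'e', 'y' };
const size_t wellformed_len = sizeof wellformed_pkt;
const char *const demo_wordlist[] = { "root", "alice", "nobody", "admin" };
const size_t demo_words = sizeof demo_wordlist / sizeof demo_wordlist[0];

int main(void)
{
    const char *found[8];
    size_t n = enumerate_users(userauth_pubkey_vulnerable, demo_wordlist, demo_words,
                               malformed_pkt, malformed_len, found, 8);
    printf("vulnerable server: %zu of %zu names confirmed:", n, demo_words);
    for (size_t i = 0; i < n; i++)
        printf(" %s", found[i]);
    printf("\n");
    n = enumerate_users(userauth_pubkey_fixed, demo_wordlist, demo_words,
                        malformed_pkt, malformed_len, found, 8);
    printf("fixed server: %zu of %zu names flagged, so the oracle is gone\n", n, demo_words);
    return 0;
}
```

Against the vulnerable ordering the wordlist run confirms exactly the two real accounts; against the fixed ordering every name is "flagged", which is the same as learning nothing. The same parse-before-decide rule is worth checking in any authentication handler that has a fast path for unknown principals.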

And finally...

Sales terminals in some Cheddar's Scratch Kitchen restaurants across 23 US states may well have been hacked to steal payment card information between November 3, 2017, and January 2, 2018. A technique for stealing crypto-keys from the electromagnetic radiation given off by a very nearby device has been detailed by researchers. The described attack targeted OpenSSL, which was patched in May to thwart the snooping. ®
