Gits exposed, kinky app devs spanked, Feds spy on spyware buyers, etc

Mac APT unearthed and other infosec bits and bytes summarized just for you

Roundup This week brought with it a Supermicro shoring up firmware security, a North Korean hacking charge, and a spying anti-adware macOS tool getting yanked by Apple from its App Store. Elsewhere, we had…

BrokenType broken out with source code release

A software vulnerability probing tool called BrokenType had appeared in public on GitHub for folks to use.

Developed by Googler Mateusz Jurczyk – though it is not an official Chocolate Factory project – BrokenType lets you fuzz code that handles OpenType and TrueType fonts to find memory corruption errors can could be exploited to execut malicious software (such as the ones behind critical Microsoft patches).

Users can download the entire three-piece toolset directly from GitHub.

Mac security foiled by... URLs

Apple security guru Patrick Wardle has detailed a recently spotted campaign to commander and control macOS machines.

Dubbed Windshift APT, the attack uses multiple exploits to infect Apple-powered computers mostly in the Middle East. One of those exploits abuses the way macOS passes URLs to applications to open.

Wardle said that, just like the way an app can be assigned to open a specific file type, it can also be associated with a URL protocol. As soon as an application lands on a filesystem, it is parsed by the operating system, and if it declares, say, it can handle foo:// URLs, then macOS automatically registers it as a handler.

That way, if you get someone to simply download an app – and not even run it – it can register itself for a custom protocol, and then be automatically activated when that protocol is invoked in a webpage. Thus, it is possible to install malware or spyware, if the user clicks OK in a popup to confirm they want to launch the special URL.

Wardle recommends that users either switch to a browser that does not automatically open .zip archives of applications, such as Chrome, or at least turn off the “open safe files after downloading” option in Safari.

Gmail users freak over FBI notification

A Reddit thread has popped up in recent days with netizens upset about a notification they received from Google that the FBI had requested access to their messages.

As it turns out, the notifications were likely the result of a 2017 investigation into a remote administration tool (RAT) known as Luminosity that lets the controller covertly spy on the activity of the PC on which the software is installed. It's basically a utility that you sneak onto a victim's computer, and use to snoop on them, and was sold on underground hacker forums. Luminosity’s creator was convicted in a US court earlier this year.

As the Reddit users eventually worked out, the notifications were likely sent after the expiration of a one-year nondisclosure agreement placed on Google by the Feds, and, with that having lapsed, Gmail users were then sent a notification that the FBI had asked for their account info. The agents were quite possibly after the messages of people who may have bought copies of Luminosity using their Gmail accounts. The FBI was able to obtain its customer database.

The moral of the story: don’t mess around with RATs. Especially ones sold on hacker forums and marketplaces.

Egghead maps out exposed .Git repos

A Czech researcher has scanned the internet's web servers to log the world’s exposed Git repositories.

Vladimír Smitka of Lynt Services said he started the project first as a scan just for Czech sites, but eventually expanded it to a global project that took around four weeks to complete and ended up returning 390,000 web pages that had left the critical files exposed.

Smitka said that locking down a site’s Git repository is a critical security task that is all too often overlooked by developers.

“If you use git to deploy your site, you shouldn't leave the .git folder in a publicly accessible part of the site. If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world,” he explained.

Smitka is advising developers to keep a close eye on files and scripts they upload via Git and make sure they lock down access to the files.

Kink shame: Sex app bares passwords for all to see

Whiplr, a hookup app for kinksters, has been found to be awfully naughty when it comes to password security.

An Engadget report claimed the app’s developer was storing user accounts and passwords in a backend database as plain text.

“Should hackers have gained access to this database, they could've potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical,” the blog noted.

As you can imagine, most people on the site would not want their identities revealed to prudish family and peers, and even fewer would want to have their passwords in the hands of hackers. If you’ve downloaded the app, you will probably want to make sure your password is unique and any personal information scrubbed.

Schneider Electric crash

Industrial control equipment maker Schneider Electric has fixed a remotely exploitable device-crashing flaw in its Modicon Controller.

The CVE-2018-7789 vulnerability can be abused by hackers to remotely disconnect Modicon M221 units from host networks simply by sending malformed packets. Obviously, a miscreant needs network access to the device to knacker it.

Such an attack would leave an operator with "no way to view and control the physical processes on the OT [operational technology] network,” according to Radiflow, the industrial control specialist that uncovered the bug. Attacked equipment would have to be powered off and on again to recover.

"The recovery from such an attack would require a reboot of the attacked PLCs and physical access to the controllers, which would cause significant downtime to the ICS network," Radiflow advised.

Radiflow discovered and reported this vulnerability to Schneider Electric approximately two months ago, prior to its recent remediation. ICS-CERT’s write-up explained that "successful exploitation of this vulnerability could allow an unauthorised user to remotely reboot the device" alongside remediation advice.

Russian hacker extradited for massive financial fraud case

The US District Attorney’s office in Manhattan, New York, said this week it has secured the extradition of Russian national Andrei Tyurin, an alleged hacker wanted in connection with a string of attacks on financial companies.

The DA claimed Tyurin was one of four hackers behind, among other shenanigans, the massive computer security breach at JPMorgan that saw the details on roughly 80 million user accounts stolen back in 2014. Tyurin was also said to have behind a string of attacks on other financial firms and at least one breach of a business news site.

“Andrei Tyurin allegedly engaged in a long-running effort to hack into the systems of U.S. based financial institutions, brokerage firms and financial news publishers, all from the perceived safety of operating outside our borders,” said FBI Assistant Director William Sweeney.

“As alleged, his illegal acts included the historically largest theft of customer data from a U.S. financial institution.”

When he does reach the US and appears in court on September 25, Tyurin will be charged with computer hacking, wire fraud, conspiracy to commit computer hacking, conspiracy to commit wire fraud, identity theft, and violating the Unlawful Internet Gambling Enforcement Act. ®

Similar topics

Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022