LA Times knocked out, HackerOne slips up and – amazingly – router security still sucks

Plus, London Gatwick drone comedy quiets down

Welcome to 2019, just a few days into the year and we already have Chromecast chaos, Skype backdoors, and a Weather Channel privacy suit.

We also have plenty of other news to catch up on.

Stop the presses! LA Times grinds to a halt over ransomware

Most of us made a point of unplugging from the news over the holidays, but for those who read the LA Times, a ransomware infection nearly made that unplugging mandatory.

Late last week, a mysterious malware attack crippled key parts of the Times infrastructure and other papers in its parent Tribune Company, including portions of its printing systems. This sparked fears of state-sponsored or terrorist hackers at work.

How bad was it? El Reg has learned that, at its worst point, the Tribune Company was seriously considering asking the publishers of the San Francisco Chronicle to print their papers for them so that the weekend editions could get out on time.

Eventually, the panic settled and the issue was traced back to a ransomware infection that had managed to bork the systems linking the papers' editorial offices with those of the printing plants.

UK military withdraws from Gatwick drone duty

Anyone who had the misfortune of having to travel to, from, or in the general vicinity of London Gatwick airport over the holidays is by now familiar with the "drones" that menaced the airport.

As The Register reported, there was panic over the possibly non-existent drones that were thought to be buzzing planes on the airfield. This caused the airport to temporarily shut down and kicked off a drone hunt to catch the rogue copter and its operator. The military was also called in to bring calm to the situation.

We assume this all happened to the tune of Yakkity Sax.

Fortunately, the worst of the microflyer crisis seems to have passed, and the men and women of the RAF can finally make their triumphant homecoming from the harrowing fields of Gatwick.

There have to date been no arrests made, save for the Sussex couple who were released without charges on December 23.

HackerOne flaw vets cop to rookie mistake

A note to all the developers out there: Don't beat yourselves up too much over security flaws, as even the bug-brokers at HackerOne fall victim to the occasional slip-up.

An in-house researcher discovered that the RFC2142 system HackerOne uses for its email forwarding service hadn't properly reserved key names such as "security" or "admin".

This would have, potentially, allowed someone who was up to no good to register a name like "admin@wearehackerone" or "abuse@wearehackerone" and then use the address to cause chaos.

To its credit, HackerOne not only acknowledged and addressed the vulnerability, but published a report on it on their 'hacktivity' feed.
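The slip-up above comes down to an alias-registration check that never consulted the list of role mailboxes RFC 2142 reserves. The following is an added example of such a check, not HackerOne's code; the RFC 2142 names are from the RFC, while the extra names ("admin" and friends) and the sub-address handling are assumptions.

```python
import re

# Role mailbox names reserved by RFC 2142 (sections 2 to 4).
RFC2142_RESERVED = frozenset({
    "info", "marketing", "sales", "support",       # business-related
    "abuse", "noc", "security",                    # network operations
    "postmaster", "hostmaster", "usenet", "news",  # service-specific
    "webmaster", "www", "uucp", "ftp",
})

# Not in RFC 2142, but readers would still treat them as authoritative;
# "admin" is the one the article mentions. Assumed extra list.
EXTRA_RESERVED = frozenset({"admin", "administrator", "root"})

# Conservative local-part syntax for a forwarding alias (assumed policy).
_LOCAL_PART = re.compile(r"^[a-z0-9._-]{1,64}$")


def normalize_local_part(local: str) -> str:
    """Canonicalise a requested alias before the reserved-name check.

    Mailbox names are compared case-insensitively, and a '+tag' sub-address
    is dropped so that 'Security+x' cannot slip past the check.
    """
    return local.strip().lower().split("+", 1)[0]


def is_reserved(local: str) -> bool:
    """True if the alias is a role mailbox that must never be user-registrable."""
    name = normalize_local_part(local)
    if name in RFC2142_RESERVED or name in EXTRA_RESERVED:
        return True
    # RFC 2142 section 5 mailing-list conventions: LIST-request, owner-LIST, LIST-owner.
    return name.endswith("-request") or name.startswith("owner-") or name.endswith("-owner")


def validate_alias_request(local: str) -> tuple[bool, str]:
    """Decide whether a user may register this alias on the forwarding domain."""
    name = normalize_local_part(local)
    if not _LOCAL_PART.match(name):
        return False, "invalid characters or length"
    if is_reserved(local):
        return False, f"'{name}' is a reserved role mailbox"
    return True, "ok"
```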

Israeli security shop wants to be a pain in the dong

A secretive security firm exposed in Israel has a highly unusual name.

The outfit wants to sell hacking tools to governments and law enforcement, although experience has shown these aren't just used to track down criminals but also people governments find tiresome.

The group calls itself Candiru, after the small fish in the Amazon which, legend has it, can swim up a stream of urine and embed itself in a victim's urethra using a barbed head.

Presumably the name is a reference to how the biz's malware is both highly invasive and difficult to remove. No doubt someone in marketing thought this was a terribly clever and/or funny idea. We'd go with the former.

Nice patch Google, too bad it only took three years to arrive

Tardy patching is nothing new in the security industry, but Google is usually thought to be better than most at getting stuff fixed. Not so in this case.

According to flaw finders Nightwatch Cybersecurity there was a serious flaw in the Chrome browser used by Android which would allow an attacker to work out the hardware a particular handset is using. It did this thanks to flaws in WebView and Tabs for Android, which could show the hardware model, firmware version and security patch level of a phone.

Such information is obviously invaluable for an attacker and in May 2015 Nightwatch reported the issue to Google, but the security team at the Chocolate Factory said it wasn't really an issue.

However, in October the new build of Chrome, version 70, appears to have finally fixed the issue - at least in part. The firmware build information isn't now readable but the device model number is. Better than nothing, but still not good enough.

Whose switch is it anyway?

Anonymous switches pose a little-known, but significant, threat to security. Don't believe us? Check out this report into the prevalence of unauthenticated HP and Aruba switches that can be found using Shodan.

Unauthenticated switches pose a danger because they do not log activity and could be accessed over Web UI or, even worse, Telnet.

"From Telnet, an attacker could do a number of things from this switch, from redirecting traffic/ports, to serving malware, to pivoting within the network that the switches live in," reads the report, authored by one of the hosts of the ThugCrowd podcast.

Admins are advised to set usernames and passwords, and disable WebUI if it is not needed.

Insinia pulls mass Twitter 'hack' to prove a point

Call it the Twitter security crisis that wasn't. Earlier this week, mobile security company Insinia pulled something of a cross between a publicity stunt, protest, and a proof of concept when it kicked out a number of fake Tweets to various celebrity accounts.

The company would later explain that it did not actually take over any accounts, but rather exploited a little-known feature on Twitter that lets users send tweets over SMS.

The idea is that a user who has their phone number linked to their account could send an SMS from that number and have the message contents automatically posted as a Tweet from their account.

This also means that anyone who could spoof that number, as Insinia did with the celebrity accounts, could post Tweets as well.

Insinia is urging Twitter to kill the feature and for users to unlink their accounts from their phone numbers.

Luas website hacked, ransom set at $4,000… er… $3,500… er… $3,800

Irish tram operator Luas is the latest transit agency to fall victim to ransom-demanding hackers. The exact price of that ransom depends on whatever the cryptocurrency market is doing at the moment.

In this case, someone took over the train company's official website and said they would only hand it back if they were paid one Bitcoin. If the company opted not to pay up within five days, the hacker also threatened to release company emails.

By late Friday, the site was not yet back online, though Luas has apparently been able to regain control of the domain.

"Luas technicians are still investigating [the attack] and are working to restore the site," the notice reads.

"Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised."

Bad news from OSnews

Long-running tech news site OSnews appears to have fallen victim to data thieves.

The site announced this week that some or all of its data had apparently been lifted by an intruder. This came after readers reported getting spam and phishing emails. It was eventually concluded the site had been breached, and OSnews went offline for a few days before returning with an explanation.

"Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site’s content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database," the site said.

"Your email addresses were in there, and the encryption on the passwords wasn’t up to modern standards (unsalted SHA1). The truth is that once we concluded it was likely that we were breached, our small volunteer team decided it was better to go offline than it was to learn the avenue of exploit, given that we had no interest in continuing to rely on the aged codebase."

How many times do we have to do this? Fix your terrible router security, vendors!

Yet again, we have a damning report on the state of security in home wireless routers.

This time, it is Cyber-ITL who peered into (PDF) the safety of 28 popular home routers and found that, depending on the architecture, the state of security was either grim... or totally hopeless.

In the latter category are routers based on MIPS SoCs, which were all found to contain a flaw that renders data execution prevention (DEP) ineffective, potentially allowing an attacker to feed in and execute malicious code.

ARM-based routers fared a bit better, but only slightly.

"Though the Linux/ARM stack is completely unaffected by the aforementioned bug, for many devices it makes almost no difference," the report reads.

"Of the access points and routers we reviewed, not a single one took full advantage of the basic application armoring features provided by the operating system. Indeed, only one or two models even came close, and no brand did well consistently across all models tested."

And on that cheery note, we hope everyone enjoys the weekend! ®

Biting the hand that feeds IT © 1998–2021