
Top Security and Privacy News: Scrambled Bits Vol. 33

Fancy Bear Gets Sued, Car Wash Attacks, Russia Bans VPNs, and More

Patrick Walsh, published in The Salty Hash
Aug 8, 2017 (8 min read)


This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Stories

Russian Hackers Under Siege… from Microsoft Lawyers

The Russian Government-backed hacking group known as “Fancy Bear” frequently registers bogus domains like livemicrosoft.net and then uses those domains to host command and control (C&C) servers. So when they get a target to install their malware, that malware sends stolen data and gets instructions and updates from these servers.

Microsoft has been using the courts to try to track down the true owners of these servers, without luck. But they’ve been sending legal notices to the disposable email accounts associated with the domains, and the lawyers added tracking bugs to the emails to see if they were read. They were — 30 times.

After 52 subpoenas in the U.S., and 46 informal inquiries abroad, Microsoft ended up no closer to unmasking a Fancy Bear hacker. Payment records showed the domains were registered using Bitcoin or disposable, pre-paid credit cards; server logs only traced the hackers as far as a Tor exit node.

Most importantly, Microsoft has been seizing the domains, effectively dismantling Fancy Bear’s ability to control its own malware. It’s a cat and mouse game, but it’s helped Microsoft to identify victims and to stop further damage. The legal onslaught is now causing the Russian hackers to change tactics to avoid the lawyers dogging their steps: they’ve reduced the number of new Microsoft-themed domains they are registering and are using more generic names instead.

WannaCry Researcher Arrested Leaving DEFCON

On Wednesday August 2nd, U.S. authorities detained Marcus Hutchins, aka MalwareTech, for his alleged role in creating and distributing the Kronos banking trojan. This has stunned the security community, since MalwareTech has been a consistent force in fighting malware. Most notably, he helped to stop the spread of the WannaCry worm. We don’t know much about the government’s case, but it came very shortly after the FBI took down AlphaBay, the dark web marketplace where the Kronos banking trojan was sold. We’re left with two possibilities:

  1. Hutchins, in his role as a security researcher and malware analyst, did something that has made the Feds erroneously think he’s behind the Kronos malware. This sort of mistake has happened before, and many in the security community expect this is the case here. A crowdfunding campaign has been started for his defense.
  2. Hutchins did, in fact, walk on the dark side and write and sell the Kronos malware. The malware was written three years ago, and Marcus would have been 20 years old at that time. Perhaps a youthful mistake?

Bottom line: a lot of folks are upset, but there just isn’t enough information to know yet what really happened.

Privacy

Google’s Data Hunger Draws FTC Complaint

As we reported previously, Google’s tracking crossed from the electronic world and into the real world. Google now correlates real-world purchasing in brick-and-mortar stores with online accounts. They have access to over 70% of all credit card transactions in the U.S. and are using that data to build comprehensive, privacy-invading profiles of consumers. Google’s assurances about security are not reassuring to the Electronic Privacy Information Center, who just filed a complaint with the FTC.

About That Bug You Bought

Amazon’s Echo is always listening, and now hackers who can access the device can, too. A researcher was able to use a debugging interface to modify the Echo to send all captured sound to a remote server. The vulnerability exists in the 2015 and 2016 models, but a software patch can’t fix it. Since the exploit uses a hardware interface meant for debugging, the only remedy is to buy a new model Echo. Or alternately to reconsider having always-on microphones in your private spaces.

Vacuuming Up Data

iRobot CEO Colin Angle divulged plans to sell the floor plans of the homes of iRobot customers to the highest bidder. Angle subsequently updated the wording of his statement from “sell” to “share its maps for free with customer consent,” but the damage was already done. The company is planning to capture data from customers and to send that data back to iRobot. Companies are moving from the collection of electronic data to the collection of real-world data at the expense of customer privacy. As more and more “smart” devices invade the home, the expectation of privacy there continues to erode.

De-anonymized Data Reveals Highly Personal Information

Two journalists proved once again that anonymized data can be de-anonymized. Using an AI tool on public anonymized browsing data, they were able to link specific people to their browsing history, uncovering a German judge’s porn-browsing habits and a German MP’s medication regime.

Black Hat and DEF CON Digest

DEF CON Hackers Vote Down the Machines

The DEF CON conference this year had a new feature: the Voting Machine Hacking Village, where hackers were invited to try their hand at cracking a voting machine. In less than 90 minutes, they succeeded. But most articles on the subject failed to note that most of the machines were old and unpatched, which made them easier targets. That said, the machines were purchased at government auctions and on eBay, and attackers found records on over 650,000 voters still on the boxes.

Bubbles Burst Industrial Pumps

How much damage can bubbles do? Turns out quite a lot, as a Honeywell security researcher recently demonstrated. She was able to hack a $50,000 industrial pump and cause bubbles in the pump. Within an hour, the bubbles could wear pits in the pump’s metal surface and render the entire device useless.

Attack of the Car Wash

Everything else is connected to the Internet, so why not car washes? Here’s why not: researchers demonstrated vulnerabilities that allowed them to open and close bay doors to trap vehicles inside the car wash chamber, and to use the cleaning equipment to severely damage the vehicle. Meh, those things don’t do a very good job cleaning cars, anyway. One more reason to pull out the hose and sponge at home.

Notable Vulnerabilities and Breaches

  • Hacked Box Office — Did you know HBO stands for “Home Box Office”? We didn’t. But we’re about to learn much more than that if the hackers who hacked HBO follow through on their threats. They claim to have stolen some 1.5 terabytes of data including emails, employee personal and financial information, pre-release show videos and scripts, and more. The company denied that its email system was compromised, but acknowledged the breach. The hacker released bits and pieces of the data, including some emails, and is reportedly demanding money or they will release more.
  • Anthem Customers Breached Again — Immediately after agreeing to settle a lawsuit from their last breach, which affected around 80 million current and previous Anthem customers, Anthem was breached again. This time, the breach was smaller in scope and the result of an insider at a partner company. This breach exposed sensitive health and personal information of over 18,500 people.
  • 73,000 Memcached Servers Still Unpatched — Reminder: if you are running memcached, please patch it. And for pity's sake, don't expose it directly to the Internet. In February, some 85,000 vulnerable memcached servers were identified by the security research team at Cisco. Of those servers, almost 80% didn't require any kind of authentication. Cisco emailed the owners of these servers to let them know of the issues, and now, five months later, there are still over 73,000 vulnerable servers facing the public.
  • Sweden’s Transparency Agency — Sweden’s Transport Agency just caused the “worst known governmental leak ever” after uploading databases of highly classified information to third-party servers in other countries. Czech and Serbian citizens without Swedish clearances had full access to the databases. Worse, some of that data, including information on people in witness protection, was emailed to marketers. The administrator responsible for moving top secret data onto third-party “cloud” servers has been docked half a month’s pay.

Bottom of the News

  • Russia Bans Proxy Services and VPNs — Following in the footsteps of China, Russia is now also banning standard tools that give individuals and companies privacy and security. VPNs and proxies are being outlawed, ostensibly to fight “extremist content.” In practice, this makes it much easier for Russia to censor what sites people visit. It also takes away standard corporate security measures and makes businesses in Russia far more susceptible to hacking.
  • The CIA’s Break-in Toolkit — WikiLeaks unveiled another classified CIA project, “Dumbo,” which gives CIA agents control of security webcams and microphones so they can be disabled during physical break-ins. While this sounds like something straight out of a spy movie, the actual attack is far less glamorous, since it requires physical access to a Windows machine that controls the cameras. This presents something of a chicken and egg problem for the infiltrators, who can only disable the cameras after breaking in.
  • No Pockets? No Problem. — A Wisconsin company is using technology to turn its employees’ bodies into bar codes by implanting tiny radio-frequency ID chips into employees’ hands. The implant will allow employees to unlock doors, pay for snacks in vending machines, and unlock computers simply by waving their hands near RFID scanners. The program is voluntary, but the company expects around 50 employees to participate. The data on the chip is reportedly encrypted, but questions of privacy, of financial theft via handshake, and of security abound.
  • DJI Drones Banned from U.S. Military because Cyber — DJI drones, made for commercial use by a Chinese company, are being pulled out of military service due to the information these drones gather while in flight. The data includes the geographic location of the flight path, along with audio and video. DJI insists that it doesn’t have access to this data, but the military is not reassured.
  • Boom! You’re Owned — Players of the popular online games Counter-Strike, Team Fortress 2, and Left 4 Dead 2 are vulnerable to a hack that can allow an opposing player to take over their computer after killing them when playing on a custom map.
  • NIST Warns On Bluetooth Security — NIST has issued a report recommending that companies using Bluetooth Low Energy devices make sure they use version 4.2 or higher. Unfortunately, few devices yet use 4.2. The full report gives more details on issues and a long checklist for companies using Bluetooth technologies to make sure they’re secure. Suddenly those old USB mice and keyboards are looking good again.

If you liked this, please click the 💚 below. If you’re reading this in an email, please go to the article on the web first. Liking the article will help other people see it on Medium. You might also be interested in last week’s summary compliments of IronCore Labs.

Subscribe to our email digest to avoid missing another update.


Scholar, dreamer, creator, adventurer, hacker, leader and observer. Advocate for privacy and security. CEO IronCore Labs.