Cyber Attacks, Threats, and Vulnerabilities
Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks (BleepingComputer) Mozilla has officially confirmed that the recently disclosed Meltdown and Spectre CPU flaws can be exploited via web content such as JavaScript files in order to extract information from users visiting a web page.
Spectre and Meltdown: What You Need to Know Right Now (SANS Internet Storm Center) By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre.
What You Need to Do Because of Flaws in Computer Chips (New York Times) Hackers can exploit two major security flaws in microprocessors running virtually all machines on Earth. What do you do now?
Spectre and Meltdown chip flaws pose big issues for businesses (CNNMoney) Spectre and Meltdown, two flaws in the basic building blocks of billions of computing devices, are haunting the internet.
Meltdown and Spectre Flaws in Intel CPUs: Collateral Damage to OS & Cloud Services Unavoidable (HackRead) Meltdown and Spectre flaws are impacting almost all Intel CPUs and to solve the issue tech giants have started to address these flaws.
Hackers could guess your computer password unless you take action immediately (Metro) Update your devices immediately or you could end up in a world of pain
Critical computer flaws set up security challenge in Washington (TheHill) Two critical vulnerabilities that affect modern computer processing chips are about to become a huge headache for governments worldwide.
Apple says Meltdown and Spectre flaws affect ‘all Mac systems and iOS devices,’ but not for long (TechCrunch) Apple isn't immune to Meltdown and Spectre, the major bugs in basic computing architecture that were announced yesterday to widespread amazement and horror...
Google: Almost All CPUs Since 1995 Vulnerable To "Meltdown" And "Spectre" Flaws (BleepingComputer) Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995."
That Intel chip problem? It's now a far worse security issue (Silicon Valley Business Journal) Google researchers on Wednesday confirmed that they had uncovered a set of major security flaws in devices containing chips from Intel Corp., Advanced Micro Devices and ARM Holdings — potentially affecting virtually every computer and smart phone on the planet.
Intel blasts 'incorrect' reports over its chip security issues (CRN) Vendor giant claims its 'products are the most secure in the world' after accusations of security problems in chips
Meltdown and Spectre: Data theft hardware bugs affect most modern CPUs (Help Net Security) Meltdown and Spectre are two separate attacks that can result in exploitation of different issues affecting most CPUs in use today.
Understanding Those Alarming Computer Chip Security Holes: 'Meltdown' and 'Spectre' (Fortune) The vulnerabilities affect almost every computer—and some have no available fixes.
Almost Every Computer and Smartphone Has a Big Security Flaw (Money) Here's what you need to know
What steps can you take to prevent hackers from gaining access? (NBC News) The technology industry is scrambling to fix a massive security flaw found in hardware contained on almost every computer in the world.
India’s national ID database is reportedly accessible for less than $10 (TechCrunch) The nightmare is a reality in India. Reports from the country suggest that the government's national ID system -- Aadhaar, which holds personal data belonging..
Zero-Day Vulnerabilities in Dell EMC Data Protection Suite Family Products Disclosed by Digital Defense, Inc. Researchers (GlobeNewswire News Room) Digital Defense, Inc., a leading security technology and services provider today announced that its Vulnerability Research Team (VRT) uncovered three previously undisclosed vulnerabilities within Dell EMC Data Protection Suite Family products. Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file.
What Would Really Happen If Russia Attacked Undersea Internet Cables (WIRED) The world’s internet infrastructure is vulnerable, but snipping a couple of lines is the least of your concerns.
Google Apps Script Vulnerability Exposes Malware Risks (eWEEK) Security firm Proofpoint discloses a mechanism by which Google Apps Scripts can be used to deliver malware.
Google Apps Script vulnerability could lead SaaS apps to download malware (TechRepublic) Hackers are leveraging Software as a Service platforms including Google Drive to download malware to victims, according to Proofpoint.
Free Phishing Kits Come With A Cost For Beginner Cybercriminals (Tom's Hardware) Imperva released a detailed report into the backstabbing world of phishing kit providers and users.
Search engine shenanigans: Malwarebytes mentions aren’t what they seem (Security Boulevard) Hunting for information on Malwarebytes, including blog posts or researcher names on Google's search engine? Be wary of websites stuffed with keywords designed to send you into an ad blizzard.
InfoShot: Most blacklisted mobile apps (IDG Connect) WhatsApp, Pokémon Go, WinZip, and Wild Crocodile Simulator are amongst the most blacklisted mobile apps within the enterprise, according to a new report.
New Adware Discovered in 22 Apps in Google Play (Dark Reading) The 'LightsOut' adware is found in flashlight and utility apps, which have been downloaded between 1.5 million and 7.5 million times.
PyCryptoMiner ropes Linux machines into Monero-mining botnet (Help Net Security) A Linux-based botnet that has been mostly flying under the radar has earned its master at least 158 Monero (currently valued around $63,000).
Huawei router vulnerability exploited, most are unlikely to be patched (SC Media UK) An amateur hacker who titled himself 'Nexus Zeta' has managed to exploit the Huawei home router HG532 by finding the information on online forums.
Quick Heal spots malware that imitates Indian banks’ apps (The Financial Express) Quick Heal Security Labs has spotted an Android banking Trojan that imitates more than 232 apps including those offered by Indian banks.
Why are cyber-criminals dumping Bitcoin? (SC Media UK) Cyber-crime players are not stupid, which is probably why they are dumping Bitcoin and going with the smart(er) money...
Security Patches, Mitigations, and Software Updates
Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts (Threatpost) Intel, Amazon, ARM, Microsoft and others have shared patch updates to keep customers informed on their mitigation efforts to protect against the far reaching Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide.
Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it (Ars Technica) Intel, Microsoft, ARM, and others have responded. We dig in.
Intel reveals 'comprehensive' threat mitigation response to Spectre and Meltdown vulnerabilities (CRN Australia) Includes operating system and firmware updates coming within weeks.
Intel issues updates to protect systems from Spectre and Meltdown (Help Net Security) Intel is issuing updates for all types of Intel-based computer systems - including personal computers and servers - that render those systems immune from Spectre and Meltdown.
Intel patch hampers performance of AWS EC2 servers (Computing) AWS customers complain of server slowdowns following implementation of Meltdown patch
UPDATE 1-Apple to issue fix for iPhones, Macs at risk from 'Spectre' chip flaw (Reuters) (Adds timing details and quotes from experts)
Browser makers move to mitigate risk of Spectre browser attacks (Help Net Security) Mozilla, Google, Microsoft and Apple have pushed out or announced updates that mitigate the risk of Spectre browser attacks.
AWS, Google and Microsoft respond to 'Meltdown' and 'Spectre' chip flaw (CRN Australia) Cloud giants work on updates to their platforms.
Meltdown & Spectre: Microsoft releases emergency patches (CSO Online) Two major vulnerabilities in processors — Meltdown and Spectre — affect most modern systems. Security advisories and patches are being issued.
Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll (Register) Check your anti-malware tool unless you like BSoDs
Here's what every Chrome user should do in the wake of #Spectre (Mashable) It's an easy step to take.
Google’s Mitigations Against CPU Speculative Execution Attack Methods (Google Help) This document lists affected Google products and their current status of mitigation against CPU speculative execution attack methods. Mitigation Status refers to our mitigation for currently known vectors for exploiting the flaw described in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
Site Isolation (The Chromium Projects) Home of the Chromium Open Source Project
Charring, melting laptop batteries cause HP to issue voluntary recall (Ars Technica) The company will replace the battery for free and send a technician to do so.
Cyber Trends
2018 IT Security Outlook: Attacks and Threats Get More Sophisticated (eSecurity Planet) 2018 will bring more high-profile data breaches, with attacks and threats getting increasingly sophisticated. We outline 10 security trends to watch.
Marketplace
Threatcare Secures $1.4 Million in Seed Funding Led by Moonshots Capital to Scale Proactive Cyber Defense Platform (Daily Telescope) Companies today must think like the attacker and anticipate threats before they happen.
Louisville-based Swimlane raises $1.35 million (BizWest) Swimlane LLC, a Louisville-based software company, has raised $1.35 million in capital. The funding comes from an equity offering, according to a Form D filed Dec. 29 with the Securities and Exchange Commission. Swimlane did not respond to a request for more information. Swimlane produces an automated security platform that allows companies to automatically respond to cyber attacks and to automate tasks. In December 2016, Swimlane raised about $3 million in another equity offering.
Cybersecurity remains essential as KPMG buys identity security business (Mergers and Acquisitions) This is KPMG’s second acquisition in the cybersecurity space since the firm's purchase of assets from Qubera in 2014.
Newton tech company buys New Jersey security software unit (Charlotte Business Journal) A Catawba County security software company is on the acquisition trail again.
Crypto Craze! A $10 Trillion Bull Case, Seriously? (Barron's) One man's speculative mania is another's digital treasure.
Cryptanalysis: Bitcoin arbitrage a big draw, but pitfalls seem bigger (The Financial Express) The spawning of bitcoin exchanges is throwing up big opportunities for arbitrage in prices, of no less than 10-13%.
Happy Birthday Bitcoin, and Don’t Forget About Cypherpunks - Keiser (Cointelegraph) As the world celebrates the ninth birthday of Bitcoin’s genesis block, Max Keiser reminds us to be mindful of the 40-year history of cryptography.
Two promoted at KPMG cyber security practice (Economia) KPMG UK’s cyber security practice has promoted former civil servant David Ferbrache to chief technology officer and Matthew Martindale to partner.
Products, Services, and Solutions
Gemalto launches a new contactless credit card with a fingerprint reader (ZDNet) The new biometric-powered contactless cards use fingerprint recognition to authenticate the cardholder, in an effort to cut down on in-store fraud.
ERPScan Releases a Guideline on How to Make SAP Systems GDPR Compliant (PRNewswire) ERPScan, the most credible company providing business application...
ConsentCheq LiveStart Gives Enterprises Rapid 'Pain Relief' for GDPR Consent Management (PRNewswire) Today, PrivacyCheq announced the immediate availability of ConsentCheq...
Technologies, Techniques, and Standards
After security disasters, banks using SWIFT messaging platform face new regulations in 2018 (TechRepublic) Banking organizations using the SWIFT global messaging platform face some new requirements in 2018. Here are the details, and how they'll affect business.
The Evolution of Corporate Authentication (Infosecurity Magazine) While it’s easy to feel overconfident if you’ve been lucky enough to avoid this type of problem, complacency can harm your business.
Design and Innovation
Who the Hell Is This 'Crypto-Genius?' (Motherboard) James Altucher is the man behind the stare.
Artificial Intelligence to listen for suicidal thoughts on social media (Naked Security) Individuals won’t be identified. Nor will intervention be attempted. The aim is, rather, to proactively spot regional trends.
Facebook ditches fake news flag, admits it was making things worse (Naked Security) The red flag was waving in the faces of bullishly entrenched, deeply held beliefs, so instead Facebook is just going to give “more context.”
I Spent a Week Living With Chatbots—Did All That Self-Help Help? (WIRED) While self-help as a genre can feel limited, a new class of digital counselors can feel impossible to ignore.
Mark Zuckerberg is right to explore the potential of the blockchain for Facebook (TechCrunch) In what is Mark Zuckerberg's now-traditional New Year speech, the Facebook supremo pledged to fix the social network's many problems which bubbled up in 2017...
Legislation, Policy, and Regulation
A bipartisan group of US senators has a plan to secure future elections (Futurism) “We must act now to fortify our election system against attacks by foreign powers...”
Critics worry as Trump voter probe goes to Homeland Security (Arizona Daily Star) Voting rights advocates and some state election officials cheered President Donald Trump's announcement that he was disbanding his election fraud commission, but their celebration could be
FCC issues final version of order eliminating net neutrality rules (TechCrunch) The FCC has released the final text of the order it voted on last month that is set to undo the net neutrality rules established in 2015. This is the text..
The FCC Says Consumer Backlash Will Protect Net Neutrality (Motherboard) As opposed to, you know, the rules it just gutted.
“Vote out” congresspeople who won’t back net neutrality, advocates say (Ars Technica) “If they don’t vote for net neutrality, let’s vote them out,” new campaign says.
Litigation, Investigation, and Law Enforcement
After Meltdown and Spectre revelation, questions arise about timing of Intel CEO’s stock sales (TechCrunch) The timing of Intel CEO Brian Krzanich’s large sale of shares in November is raising questions because a Securities and Exchange Commission filing appeared..
Intel CEO sold all the stock he could after Intel learned of security bug (Ars Technica) Intel claims sale was unrelated, but he planned sale after researchers disclosed bugs.
Wauchos may finally be coming to an end with a little help from ESET (WeLiveSecurity) We interviewed an ESET researcher who helped to disrupt Wauchos at the end of last year to find out what happens next with the infamous malware family.
Online retailers warn of significant losses, as chargeback loophole proves unstoppable (Computing) High-end retailers have warned that they are losing significant revenue to fraud, with card companies, payment acquirers and the government all seemingly unwilling to help
Social media namer and shamer charged (Naked Security) Sometimes, if not most times, silence on social media is golden.