Friday Five: 10/4 Edition
News on new vulnerabilities - both in the PDF format and a network protocol, and why fighting cyber crime is a focal point of the U.S. Secret Service.
1. Researchers Find New Hack to Read Content Of Password Protected PDF Files by Mohit Kumar
Interesting attack vector here: researchers from Ruhr-University Bochum and Münster University in Germany found a way to exfiltrate the contents of a password-protected, encrypted PDF without knowing the password, something they're calling PDFex. All 27 of the popular desktop and browser-based PDF viewers they tested were vulnerable to at least one variant. The attack comes in two flavors. The first abuses the fact that the PDF standard only partially encrypts a file: an attacker can wrap the encrypted content (which they cannot read) in unencrypted objects, such as a form or a link, that send the decrypted content to a remote server once the victim opens the file and supplies the password. The second takes advantage of the fact that PDF encryption has no integrity protection, so an attacker can tamper with the ciphertext itself (so-called CBC gadgets) to inject chosen plaintext into an encrypted object and achieve the same exfiltration. The full breakdown of the research can be found at a site the researchers set up, pdf-insecurity.org.
2. Google Faces iPhone Privacy Lawsuit After Court Reinstates Case by Jonathan Browning and Ellen Milligan
A data collection case that was thought to be over after a judge threw it out was reinstated this week. The case rests on a group of iPhone users who allege that Google bypassed the iPhone's default privacy settings to collect personal data on them without their consent. The alleged collection dates back years, to the period between June 2011 and February 2012. A High Court judge blocked the group litigation last year, but a Court of Appeal judge ruled this week that by collecting data from users' browsing history, Google technically took something of value from them. "That meant all users suffered the same loss and could be counted as one group," Bloomberg writes.
3. Fighting Cyber Crime is Critical for National Security, Says Secret Service Chief by Jack Corrigan
Cyber criminals shouldn't be overlooked when it comes to halting election interference, meddling with geopolitics, and the like. That's per the director of the Secret Service, James Murray, at the Aspen Cyber Summit this week in New York City. According to NextGov, which had a reporter on the scene, cybercrime is still very much a focus of the agency. In fact it goes hand in hand with keeping national security threats at bay, according to Murray, who stressed that the presence of transnational organized crime groups online now rivals the threat posed by nation-states. "We see the arrest and conviction of transnational organized criminals as an indispensable component of addressing the wider challenge," Murray said during his opening keynote on Wednesday. "It is an essential element of the whole-of-government approach to reducing the full range of cybersecurity threats, including those threats posed by nation-states."
4. Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC by Kim Zetter
A good read here via Kim Zetter in Vice's Motherboard this week on some serious missteps by a threat actor believed to be Uzbekistan's intelligence agency, the State Security Service, or SSS. The group has made a handful of gaffes, in the process burning at least four zero days. In one, the group registered a domain used in its attack infrastructure under the name of a military unit it works with. It also, inexplicably, used a machine running Kaspersky's antivirus software to write malware, which let the company detect and grab malicious code while it was still in development. Kaspersky made the connection while looking into a piece of malware, Chainshot, which also used a zero day. It linked the activity to the group, which the company's Global Research and Analysis Team calls SandCat, after Kaspersky's telemetry reporting feature sent the malicious files being developed on those machines back to the company. "As a developer you don't upload to Virus Total, [but] if you do, don't do it from the same IP addresses that you're conducting your operations from," Kaspersky Lab's Brian Bartholomew told Zetter.
5. Decades-Old Code Is Putting Millions of Critical Devices at Risk by Lily Hay Newman
These stories about archaic protocols dating from, in some instances, the internet's infancy are always fascinating to me. This one, via Wired, pulls the cover back on a series of network protocol bugs in real-time operating systems used in healthcare settings, affecting devices such as patient monitors, routers, and security cameras. Of course, since all big-time vulnerabilities need a name, this group of bugs is dubbed Urgent/11. The bugs technically exist in IPnet, a TCP/IP stack created by Interpeak and later acquired, along with the company, by Wind River, the maker of the VxWorks RTOS. "Once Wind River acquired Interpeak and dissolved the company there was no more support for IPnet licenses, so whatever bugs were already there lived on, unbeknownst to Wind River or Interpeak's old customers," WIRED's Lily Hay Newman wrote this week. The Food and Drug Administration warned hospitals and healthcare providers about the vulnerabilities this week, encouraging manufacturers to run a risk assessment and identify whether a patch is available; some firms are advising facilities to add a firewall rule to block remote access attempts in the meantime. Armis, the firm that discovered the 'BlueBorne' vulnerabilities a few years back, also released an open source detection tool on GitHub to help sniff out vulnerable devices.