Week in review: Hacking smart cities, leaked hacking tools, and detecting hardware Trojans

Here’s an overview of some of last week’s most interesting news and articles:

eBook: Defending against crypto ransomware
Download your copy of the Defending against crypto ransomware eBook and get a walkthrough on how ransomware is delivered to a user’s computer, stages of crypto-ransomware infection, and best practices that can be applied immediately.

Proxy authentication flaw can be exploited to crack HTTPS protection
Mistakes made in the implementation of proxy authentication in a variety of operating systems and applications have resulted in security vulnerabilities that allow MitM attackers to effectively hijack HTTPS sessions, security researcher Jerry Decime has discovered.

New method for detecting hardware Trojans
Modern computer chips are made up of hundreds of millions – often billions – of transistors. Such complexity enables the smartphone in your back pocket to perform all manner of powerful computations, but it also provides lots of places for tiny malicious circuits, known as hardware Trojans, to hide. Magnifying this security risk is the increasingly distributed and globalized nature of the hardware supply chain, which makes it possible for a Trojan to be introduced at any point along the way.

Continuous security in the web application space
In this podcast recorded at Black Hat USA 2016, Jason Kent, VP of Product Management, Web Application Security, Qualys, talks about what continuous security means, how you can use it to identify all of the problems, and understand how to fix them.

Windows users will no longer be able to apply individual patches
Since Microsoft began pushing Windows 10 on consumers and enterprise users, it has consistently worked towards minimizing the choices they can make about the installation.

Hacking smart cities: Dangerous connections
Many organizations around the world are working on innovative solutions that aim to make smart cities more comfortable, energy efficient, and safe. Unfortunately, not many are seriously considering the IT security of their products.

Researchers pinpoint best times for delivering security messages
A group of researchers from Brigham Young University has been tracking users’ neural activity while they are using a computer, and has discovered that security warnings are heeded more if they don’t pop up right in the middle of a task or action that requires the users’ attention.

Leaked hacking tools can be tied to NSA’s Equation Group
The batch of data released by the Shadow Brokers, an entity that claims to have hacked the Equation Group, contains attack tools that can be tied to the group. Cisco and Fortinet have released security advisories confirming that some of the exploits leaked work as intended.

New wave of targeted attacks focuses on industrial organizations
Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. In the campaign, dubbed Operation Ghoul, cybercriminals use spear-phishing emails and malware based on a commercial spyware kit to hunt for valuable business-related data stored in their victims’ networks.

Banking customers hesitant to use mobile features due to security concerns
Banking customers are hesitant to use mobile features due to fraud and security concerns, according to Kaspersky Lab and IDC Financial Insights.

Compromising Linux virtual machines via FFS Rowhammer attack
A group of Dutch researchers has demonstrated a variant of the Rowhammer attack that can be used to successfully compromise Linux virtual machines on cloud servers.

Employee awareness training: Key component of IT security initiatives
Especially when budgets are tight, companies choose to educate staff informally if at all. This approach is rarely effective.

Sn1per: Automated pentest recon scanner
Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

Spammers modify sites’ core WordPress files for long-lasting compromise
In their quest to compromise WordPress installations and prevent site owners from discovering it and cleaning up the website, blackhat SEO spammers have turned to modifying core WordPress files.

myLG: Open source command line network diagnostic tool
myLG (my Looking Glass) is an open source utility that combines the functions of different network probes into one network diagnostic tool.

Shark Ransomware-as-a-Service: A real threat, a scam, or both?
A new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom that gets paid by the victims.

Incident response challenge: How to get out of Firefighter Mode
Realistically, IT and security staff may not be experts in incident response at all, and because of the inherent organizational pressure to react to an attacker in their environment, they will move to Firefighter Mode – the approach of prematurely taking corrective actions in response to a security incident without properly understanding the scope of attacker presence and the access mechanisms to an environment.

Bug in Rockwell’s PLCs allows attackers to modify firmware
There is an undocumented SNMP community string in Rockwell Automation’s MicroLogix 1400 programmable logic controllers that can be exploited by attackers to remotely change settings or modify the device firmware, and therefore compromise the PLCs.

What’s your security strategy?
In this podcast recorded at Black Hat USA 2016 in Las Vegas, Chris Drake, CEO at Armor, talks about how corporate IT is being stretched thin.

Attackers can hijack unencrypted web traffic of 80% of Android users
The recently revealed security bug (CVE-2016-5696) in the TCP implementation in the Linux kernel that could allow attackers to hijack unencrypted web traffic without an MitM position also affects some 1.4 billion Android devices, Lookout researchers have warned.

Google Duo: Simple, encrypted, video calling app
Google Duo is a simple 1-to-1 video calling app available for Android and iOS. To use Google Duo, all you need is your phone number; no separate account is necessary.

Organizations still unprepared for malicious insiders
Organizations globally believe they are their own worst enemy when it comes to cybersecurity, with 45 percent saying they are ill-equipped to cope with the threat of malicious insiders and twice as many, 90 percent, calling malicious insiders a major threat to the organizations’ security, according to Mimecast.

Build serverless, secure apps in the cloud
Swirlds released the SDK for the hashgraph distributed consensus platform, which is free for download.