Rowhammer returns, Spectre fix unfixed, Wireguard makes a new friend, and much more

Roundup This week we dealt with buggered bookies, trouble at Ticketmaster, and a compromised Linux build from Gentoo.

Here's what else went down during the week.

Trustwave sued

Some breaking news as we were typing away: two insurance companies, Lexington Insurance Co and Beazley Insurance Co in the US, are suing infosec biz Trustwave regarding a 2008 hack of payment processing company Heartland Payment Systems.

The insurers are furious they had to fork out $148m in claims, legal fees, and other costs, as a result of the network intrusion. Trustwave was, prior to the hack, hired to assess Heartland's security defenses, and has ended up in the firing line.

We're told Trustwave countersued the two insurers in Delaware after the pair tried to extract money from the infosec biz, and as a result, the insurance duo sued again, this time in Illinois.

"Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave," a spokesperson for Trustwave told us in a statement.

"The insurers’ demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."

Exactis doxxes pretty much all of America

340 million people are now a bit more in the public eye, thanks to a screw-up by marketing company Exactis.

The Florida-based outfit was caught out by researcher Vinny Troia, who dug up an unencrypted ElasticSearch database that held about two terabytes of details on the personal interests of "pretty much every US citizen".

In addition to personal interests (things like your hobbies or pets), the database contained names, addresses, age, and gender information on hundreds of millions of people. Troia says the database has since been taken down.

At least social security numbers weren't included (looking at you, Equifax).

Wyden stumps for Wireguard

The Wireguard VPN protocol got a new champion this week after powerful US Senator Ron Wyden pitched it as the next government security tech of choice.

The Oregon Democrat issued the dreaded "open letter" (PDF) to National Institute of Standards and Technology Director Walter Copan asking that that he consider making the open source Wireguard the official VPN for government use.

"Two aging technologies, IPsec and OpenVPN, are currently used for most government VPNs," Wyden told Copan. "Cybersecurity researchers now know that the complexity of these old technologies can completely undermine their security."

Wyden stops short of demanding Wireguard be adopted as the replacement, but he does list the tech as one of the "appropriate replacements" to be considered for IPSec and OpenVPN.

A BFD for BSD

Zerodium is offering up huge cash payouts to anyone who can manage to break BSD.

The bug bounty outfit said this week it was stepping up its efforts to find zero-day flaws in OpenBSD, FreeBSD, Ubuntu, CentOS, Debian, and Tails.

We're currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://t.co/8NeubPvSdj

— Zerodium (@Zerodium) June 27, 2018

The payouts are given out either as standard wire transfers or as Bitcoin, if that's your thing. People on US/UN sanctions lists are ineligible, though if you're under UN sanctions, collecting a bug bounty is probably not a huge concern.

Stop us if you've heard this one: Rowhammer flaw abused

Rowhammer, the Phil Collins of security vulnerabilities, is back yet again. This time it's Android mobes that can have their DRAM contents slurped.

Researchers in Amsterdam, France, Santa Barbara, and India teamed up to explain in a paper [PDF] how memory contents could be brute-forced, and also how they could be thwarted by strictly limiting memory access.

"We propose a practical, isolation-based protection that stops DMA-based Rowhammer attacks by carefully surrounding DMA buffers with DRAM-level guard rows," the researchers say.

If it means an end to having to write any more Rowhammer stories, we're all for it.

Spectre patches may need a patch

When is a fix not a fix? When it's an attempt patch up the Spectre vulnerability, apparently.

Researchers Noam Hadad and Jonathan Afek of Aleph Security said this week that they had devised a way to work around some of the measures browser vendors have used to mitigate the vulnerability.

It turns out the data-timing tricks browsers use to help prevent exploits can be overcome, provided the attackers don't mind a little performance hit.

"In our research we were able to overcome the cache access timing specific mitigations. Although these mitigations cause a serious slowdown in our POC, they are not effective in preventing this attack," the duo write.

"These mitigations also have some negative performance implications and are hurting the functionality of some legitimate JavaScript web application use-cases."

NSA admits massive call slurp

So, the bad news is that Uncle Sam has been hoarding your phone records. The worse news is that those government agencies are now racing to delete the evidence.

This according to the Daily Beast, who says the NSA is now wholesale deleting records of people's phone calls and text message that it had illegally harvested. According to the report, the government security bod is blaming "technical irregularities" for the unauthorized data collection.

Apparently, the government cockup meant hundreds of millions of phone records made their way into NSA hands without any review or authorization.

"Despite the sweeping remedy for the overcollection, the NSA did not estimate how many records it had purged, let alone how many Americans were affected," the not at all concerning Beast Report reads.

"The scale is certain to be massive."

The NSA itself has its own statement, here, noting: "The root cause of the problem has since been addressed."

Interactive World Cup match ball not much of a hack risk

An IoT football for knockout games in the World Cup is just a marketing gimmick rather than a potential target for mischievous hackers, according to an expert

Adidas has taken the wraps off a IoT-enabled or interactive ball, the Telstar Mechta, that it said would be used in the knock-out stages of the World Cup, days ahead of keenly-awaited sudden death games that begin on Saturday. Smart things are often hackable, mostly because they are made without any consideration of information security basics.

But a 1966-style Russian linesman* is it/isn't it over the line hack scenario has ruled out by experts. PTP’s Ken Munro, an expert in IoT security who has hacked everything from a smart kettle to an electric car, pointed out the ball only had a near-field communication (NFC) chip and therefore was out of range of internet hackers.

The utility of an NFC-enabled football, in general, remains unclear. Munro dismissed the concept as a “marketing gimmick”.

Russian cybercrime bust

A pair of Russian suspected of looting the accounts of loyalty program members from popular online stores, payment systems and bookmakers have been arrested by Russian police.

The targets of the attack were websites of dozens of companies, including PayPal, Ulmart, Biglion, KupiKupon and Groupon. In total, about 700,000 accounts were compromised, 2,000 of which the hackers put up for sale for $5 each, or 20-30 per cent of the nominal balance of the accounts. The duo had a sideline in changing the phone numbers and emails on the compromised online accounts they resold, for a 10 per cent fee.

Upon arrest, the pair admitted on the spot that they had earned at least 500,000 rubles (US$7,961). However, the real amount of damage remains to be determined.

Investigation into the case began in November 2015, after a large-scale cyberattack was made on the website of a large online store, targeting the personal accounts of the store’s loyalty program members. In a month, about 120,000 accounts were compromised through a credential stuffing attack that relied on password reuse.

Administration "K" of the MIA of Russia, with the assistance of Moscow-based infosec firm Group-IB, led the investigation, which led to a pair of arrests. The leader of the group was identified as a resident of Ryazan Region, born in 1998. His partner, who provided technical support for their joint online store, resided in Astrakhan Region and was born in 1997.

Both suspects have confessed. Neither has been named. Their arrests took place last month but news of the case was only released this week. ®