Slack slings crypto-keys at big biz, union gets worked over, VPN owners probed, trolls trouble vets, and more

Plus, two crooks craft a veritable fraudocopia

Roundup This week we got freaked out about heart implant hacks, welcomed a new Microsoft security tool, and endured yet another Facebook fsck up.

Here's what else happened along the way:

Slack pack give keys a whack

Large enterprise customers will now have more control over the security of their Slack channels.

This after the workplace chat giant announced it would let companies bring their own encryption keys into their Slack channels. The feature, called Enterprise Key Management, works through AWS: businesses put their keys into the AWS Key Management Service (KMS) and then use them with their own Slack installations.

"What actually makes the design of our system so unique is that, in the case of an incident let's say, rather than revoking access to the entire product, admins can choose to revoke access in a very granular, highly targeted manner," said Slack CSO Geoff Belknap.

"That granular revocation ensures that teams continue working while admins suss out any risks."

Scare in Texas over hacked sirens

Earlier this month, residents in two Texas towns were awoken at 0230 when storm sirens suddenly went off. According to Dallas-area TV station CBS-DFW, authorities are convinced the late-night wailing was the work of hackers.

The station cites officials in the cities of DeSoto and Lancaster, who report that an unknown person or persons were somehow able to get into the city network and trigger storm sirens across both cities. This, in turn, prompted officials to shut down the emergency siren system for several days while the matter was sorted out.

"Based on the widespread impact to the outdoor sirens located in two separate cities, including Lancaster, it has become evident that a person or persons with hostile intent deliberately targeted our combined outdoor warning siren network," Lancaster city hall said.

"Sabotage against a public warning system is more than vandalism."

In brief...

State-backed hackers in Vietnam are said to be compromising car makers for info. A Sprint website glitch revealed US cellular subscribers' info to strangers. Scientific journal giant Elsevier exposed to the public internet the passwords of some of its users via a poorly secured server. And a child-tracking app for parents left a MongoDB of youngsters' real-time location data facing the public web, too.

Metal workers in deep sheet following data breach

A California division of the Sheet Metal Workers Union is sending out warnings to its members following the disclosure of a data breach related to equipment theft.

Local 104 told the state Attorney General's office, in a breach notification filed as a PDF, that on February 5 one of its administrators had their car broken into.

Among the items stolen from the vehicle were a backpack, laptop, and a flash drive containing the names, driver's license numbers, and social security numbers for members of the local union.

As a result, the union now says it will offer those who were exposed the standard two-year enrollment in a credit monitoring service. It is recommended that anyone who gets a notification letter from the union should keep a close eye on their bank statements and seriously consider enrolling in the monitoring service.

Spyware linked to journalist's killing in Mexico

A journalist in Mexico suspected to have been murdered by a local drug cartel was also the subject of a targeted spyware campaign.

Citizen Lab reports that in the week after the killing of Javier Valdez, attempts were made to infect the phones of two of Valdez' former colleagues, as well as his widow, Griselda Triana, with spyware. Researchers eventually linked the malware to an ongoing attempt by a government-connected group to monitor journalists with tools developed by the NSO Group.

"The spyware, developed by Israeli company NSO Group, is designed to infect and remotely monitor mobile phones," the report notes.

"In that investigation, we linked the infection attempts to a group that we call RECKLESS-1, which we linked to the Mexican government."

Pick a type of fraud: Chances are one of these two blokes engaged in it

Two US men have been convicted of carrying out a remarkable range of online and real-world fraud schemes.

The DOJ has announced guilty verdicts against two men who were found to have engaged in a series of scams ranging from dating to email compromise and even sham marriages.

Olufolajimi Abegunde and Javier Luis Ramos-Alonso were found to have engaged in, among other things, dating site "catfishing" scams where people were tricked into sending cash, money mule scams where marks were told to cash out stolen funds and send wire transfers, and even business email compromise attacks where funds were drained from companies.

Abegunde was also said to have helped launder the stolen cash through black market currency trades and helped support the whole thing by keeping two separate marriages.

"Abegunde was married during his studies at Texas A&M, but divorced his wife in 2016 to marry a US service member through whom he could obtain immigration and health care benefits and also open new bank accounts," the DOJ said.

"He continued to live with his first wife in Atlanta while his US service member wife was deployed to South Korea."

Trolls target veterans groups

In case you wondered how social media could get any more toxic and miserable, the US government is now worried that troll groups are targeting American veterans.

Rep Ted Lieu (D-CA) is calling on the FBI to open an investigation into suspected organized troll campaigns focused on manipulating both veterans' groups and those still serving in uniform.

The congressman says the troll farms are creating fake veterans' groups, then using the bogus profiles to manipulate vets and service members much in the same way political groups did in the run-up to the 2016 election.

Meet the new VPN, same as the old VPN

Users looking to get a new VPN could be in for a shock when they find their old and new service are run by the same company.

A report from reviews site VPNPro shared with The Register examined 97 popular VPN products and found that all were the work of just 23 companies. In most instances, developers maintained multiple VPN apps.

Why is this a big deal? VPNPro researchers note that with so much consolidation, users have far less choice than they think, and that when an app's owners are hidden, the chances of being exposed to surveillance increase dramatically.

"If they are in Russia, China, and other authoritarian/repressive governments, they are forced to provide their data to the governments on a default basis," the report notes.

"The parent company may also be willing to sell user data."

Norsk Hydro bouncing back from ransomware attack

When last we left Norsk Hydro, the industrial and electric giant had disconnected much of its network in order to contain a ransomware attack.

A few days later, and things are looking up for the company. A news update reports that most of Norsk's business units have resumed normal activity, and staff have entered the forensics portion of the event, with Microsoft coming in to help investigators.

"There have been no reported safety incidents as a result of the cyber attack, and most operations are running, ensuring deliveries to customers according to specification, with some more manual operations than normal," Norsk said.

"The attack has been reported to Norway’s National Investigation Service (Kripos) and the police have opened an investigation. Although progressing from day to day, it is still not clear how long it might take to restore stable IT operations."

Meanwhile, chemicals manufacturers Hexion and Momentive both also appear to have been ransacked this month by the same, or similar, file-scrambling nasty as the one that hit Norsk Hydro. It is speculated this ransomware is LockerGoga.

Pwn2Own wraps up

The CanSecWest conference is winding down, and we now have a list of the winners from this year's Pwn2Own contest.

The event pits researchers against a series of fully patched PCs, browsers, mobile devices, and even cars, with the goal being to compromise and hijack the gear via previously unknown vulnerabilities. The first person or team to demonstrate a working zero-day exploit against a target device, typically achieving remote code execution, takes home a big cash prize.

Below are some of this year's big winners, as well as their payouts, after successfully hacking the following products:

  • Apple Safari: Amat Cama and Richard Zhu. $55,000.
  • Oracle VirtualBox: Amat Cama and Richard Zhu. $35,000.
  • Oracle VirtualBox: Phạm Hồng Phi. $35,000.
  • Oracle VirtualBox: Amat Cama and Richard Zhu. $35,000.
  • VMware Workstation: Amat Cama and Richard Zhu. $70,000.
  • Apple Safari: Niklas Baumstark, qwertyoruiop, Bruno Keith. $45,000.
  • Mozilla Firefox: Amat Cama and Richard Zhu. $50,000.
  • Microsoft Edge on VMware Workstation: Amat Cama and Richard Zhu. $130,000.
  • Mozilla Firefox: Niklas Baumstark. $40,000.
  • Microsoft Edge: Arthur Gerkis. $50,000.
  • Tesla Model 3: Amat Cama and Richard Zhu. $35,000.

Congrats to all the winners. The vendors involved have been privately informed of the flaws so they can be patched before anyone else finds them. Stand by for patches to arrive once they are developed. ®
