Friday, March 16, 2018

Russians target US power companies and other infrastructure with creeping malware; reputable journals compromised with malware

US-CERT has sent out a major advisory, TA18-074A, warning on how the Russian government is targeting power companies and other infrastructure components (like pipelines, water systems) with phishing attacks.

The report includes the disturbing story that articles in some legitimate academic or professional journals seem to have been hacked and compromised with malware. These sites would have been rated as safe by security companies and generally have SSL (https) access already.

This time the malware seems to try to steal credentials, rather than use brute force (like ransomware) or play some kind of targeted psychological warfare online.

Bloomberg has a detailed story by Dlouhy and Riley. 

Wednesday, March 07, 2018

Cortana could allow a major security hole (Israeli research)

A site called Motherboard on Vice reports that Israeli researchers have found a hole in Microsoft’s assistant Cortana whereby an attacker could bypass normal security with voice commands.

Furthermore, it is possible to use ultrasonic commands (what the Chinese call a “dolphin attack”).

Microsoft normally sends voice requests through web pages through Bing.

The idea of doing things only with voice (common in automated telephone customer service) poses some obvious security hazards in business processing online in traditional IT shops, and there were circumstances in my own career where this could have been very dangerous.

Tuesday, March 06, 2018

"Porting" of smartphones seems to undermine 2-step verification

Smartphone holders may now need to add a port validation feature to their accounts. At this moment, I’m not sure how you do this.
Marshall Zelinger at 9News in Denver reports on several cases of cell phone number theft by “porting” with subsequent theft of bank accounts even with 2-step verification.
One case involving MetroPCS and T-Mobile was described in detail. It appears that the customer got his money back but lost a day of work and plans to sue T-Mobile.
It’s not clear how the C-number porting was done so easily. This story needs to be followed.