Richi Jennings Industry analyst and editor, RJAssociates
This week brings yet more examples of poor design. Specifically: Two apps trusting phone numbers without properly authenticating the actual user.
First, a deadly denial-of-service attack on WhatsApp, in which combining two subtle side effects can lock out users from their accounts. And second, a really dumb authentication bug in a wireless provider’s app.
Watch out: these things come in threes. In this week’s Security Blogwatch, we got the 411 (ask your parents).
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:
Cracking Enigma.
What’s the craic, Zak? Mister Doffman reports
A Chinese group known as APT31 … somehow gained access to and used a Windows-hacking tool known as EpMe created by the Equation Group … widely understood to be a part of the NSA. … The Chinese hackers then used that tool … from 2015 until March 2017, when Microsoft patched the vulnerability.
…
APT31 had access to the … privilege escalation exploit … long before the late 2016 and early 2017 Shadow Brokers leaks. … APT31’s [version] appears to have been built by someone with hands-on access to the Equation Group’s compiled program.
And Kieren McCarthy wonders if this illustrates
It could be that Beijing obtained a copy of Equation Group’s EpMe, or observed it being used and recreated it, and used it while the hole in Microsoft’s Windows remained unfixed. Or the Chinese could have found the same bug within the OS.
…
A vulnerability broker he had known for a while and trusted had introduced him to a new researcher called James Willy from New York, Caceres [said]. We hopped in a group chat, the three of us, and he sent me a Visual Studio project to take a look at a driver bug that caused a blue screen of death.
… James [said] it was linked to Google Chrome – an instant attention-grabber for bug hunters. Vulns affecting software used by tens of millions worldwide are rare and command hefty rewards. … The code was all legit, it was a real crash with potential security implications, but I wasn’t careful when I opened the Visual Studio project. [But] opening some Visual Studio projects can cause code to execute, which was the North Koreans’ attack vector.
FireEye, the huge security company with revenues of $900 million and countless US federal agencies on its customer roll, confessed this week that it had been hacked. Its proprietary red-teaming tool set was stolen.
Officially, the firm’s not saying who perpetrated the intrusion. But secret-squirrel sources say it was Russia, APT29 to be precise.
It’s being seen as revenge for outing Russia as the culprit for other high-profile shenanigans. In this week’s
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:
RC in PH.
What’s the craic? Dustin Volz and Robert McMillan report