More stories


    New BlindSide attack uses speculative execution to bypass ASLR

    Academics have developed a new technique for attacking hardened systems by abusing speculative execution, the CPU mechanism that runs instructions ahead of time to improve performance.
    The technique, named BlindSide, was detailed in a paper [PDF] (“Speculative Probing: Hacking Blind in the Spectre Era”) published last week by a team of academics from the Stevens Institute of Technology in New Jersey, ETH Zurich, and the Vrije Universiteit Amsterdam.
    Researchers say that BlindSide can be used to craft exploits that bypass ASLR (Address Space Layout Randomization) on modern operating systems.
    BlindSide can bypass ASLR
    Memory addresses matter to an attacker. To turn a memory-corruption bug into code execution, an exploit usually needs to know where specific code and data live: the address of a ROP gadget, of a function pointer, of a stack or heap buffer. ASLR (Address Space Layout Randomization) randomizes the base addresses of the executable, its libraries, the stack and the heap at every process start, and KASLR does the same for the kernel image at every boot, so a hard-coded address is wrong almost every time and the attack fails until the attacker finds a way to learn or guess the layout.
    To bypass ASLR, an attacker typically needs an “information leak” vulnerability that discloses a memory address; failing that, the attacker can probe memory blind, guessing candidate addresses until one turns out to be mapped, and then retarget the exploit at that location.
    Both are hard to pull off, especially the second: every wrong guess typically dereferences an unmapped address and crashes the target, and the resulting crashes and restarts are exactly the noise that crash monitors and security systems detect.
    The new BlindSide attack works by moving this probing behavior into the realm of speculative execution.
    Speculative execution, to the rescue!
    Speculative execution is a performance feature of modern processors. Rather than stall at a branch whose outcome is not yet known, the CPU predicts the outcome and keeps executing instructions down the predicted path while the real condition is still being resolved.
    If the prediction was right, the work is kept and the pipeline never stalled. If it was wrong, the speculatively executed instructions are squashed: their architectural results, including register and memory writes and any faults they would have raised, are discarded as though they never ran. What is not undone is their microarchitectural footprint, notably which cache lines they pulled in, and that footprint is what Spectre-class attacks measure.
    Academics say that this very same process that can greatly speed up CPUs can also “[amplify] the severity of common software vulnerabilities such as memory corruption errors by introducing speculative probing.”
    Effectively, BlindSide takes a memory-corruption bug in the target (one that lets the attacker control a pointer or a code pointer) and uses it to steer control flow only along a mispredicted path: the attacker trains the branch predictor so that the corrupted branch is taken speculatively, the speculative path dereferences a guessed address, and the attacker then checks through a cache side channel whether that guess touched mapped memory. Repeating this over candidate addresses locates the randomized region without a single architectural access to a bad address.
    Because each probe runs speculatively, an access to an unmapped or non-executable address raises no architectural fault: the would-be crash is squashed together with the rest of the mispredicted path, so wrong guesses leave no crash, no kernel log entry and nothing for a crash monitor to see.
    All the attacker needs is a simple memory corruption vulnerability they can trigger on the system. In their research paper, the team used a single buffer overflow in the Linux kernel to:
    Break KASLR with BlindSide to mount a reliable ROP exploit;
    Break arbitrary randomization schemes with BlindSide to mount an architectural data-only exploit (leaking the root password hash);
    Break fine-grained randomization and kernel execute-only memory to dump the full kernel text and mount a reliable ROP exploit.
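To make the contrast concrete, here is the pre-BlindSide version of the probing described above, the one the article calls noisy. This is an added example written for this page, not code from the paper or from ZDNet: it builds a toy "randomized" region with mmap (mostly PROT_NONE pages with one readable slot, standing in for the kernel's randomization slots; the page-sized stride and the slot count are assumptions of the example), then walks the candidate slots and dereferences each one. Every miss raises SIGSEGV, which the program has to catch and recover from; a real victim process with no such handler simply dies, once per wrong guess. BlindSide removes exactly that cost, because a speculatively executed access to an unmapped address never delivers the fault and leaves only a cache footprint for the attacker to read.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Architectural (non-speculative) memory probing, as used by blind ROP-style
 * attacks before BlindSide: each guess is a real dereference, and each miss is
 * a real SIGSEGV. A speculative probe would replace the fault with a silent
 * squash plus a cache-timing check; that part is not reproduced here. */

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_faulted;

static void on_segv(int sig) {
    (void)sig;
    probe_faulted = 1;
    siglongjmp(probe_env, 1);          /* unwind out of the faulting access */
}

/* Dereference addr once; return 1 if readable, 0 if the access faulted. */
int probe_readable(const void *addr) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;          /* allow the next probe to fault again */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    probe_faulted = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile unsigned char sink = *(const volatile unsigned char *)addr;
        (void)sink;
    }
    sigaction(SIGSEGV, &old, NULL);    /* restore whatever handler was installed */
    return probe_faulted ? 0 : 1;
}

/* Walk nslots candidate addresses base, base+stride, ... and return the index
 * of the first readable slot (or -1). *count_out accumulates the number of
 * probes made; on success that is (faults + 1), i.e. the noise generated. */
long scan_slots(uintptr_t base, size_t stride, size_t nslots, size_t *count_out) {
    for (size_t i = 0; i < nslots; i++) {
        if (count_out) (*count_out)++;
        if (probe_readable((const void *)(base + i * stride))) return (long)i;
    }
    return -1;
}

/* Constructed target: nslots pages, all PROT_NONE except readable_slot.
 * Stands in for a randomized region whose base the attacker does not know. */
void *make_region(size_t nslots, size_t readable_slot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, nslots * page, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + readable_slot * page, page, PROT_READ) != 0) {
        munmap(base, nslots * page);
        return NULL;
    }
    return base;
}

int main(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t nslots = 64, secret = 41, probes = 0;   /* the "randomized" layout */
    void *base = make_region(nslots, secret);
    if (!base) { perror("mmap"); return 1; }
    long found = scan_slots((uintptr_t)base, page, nslots, &probes);
    printf("found slot %ld after %zu probes (%zu faults)\n",
           found, probes, probes - 1);
    munmap(base, nslots * page);
    return found == (long)secret ? 0 : 1;
}
```

Run it under strace or with a SIGSEGV breakpoint in a debugger and every miss shows up; that visibility is what a speculative probe trades away, which is why the authors describe BlindSide as letting attackers "hack blind" without the crashes that used to give blind probing away.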
    The researchers said that BlindSide effectively allows attackers to “hack blind,” without needing to worry about ASLR.
    BlindSide does not depend on a particular CPU vendor: the researchers demonstrated it on both Intel and AMD processors.
    In addition, BlindSide attacks also work despite the recent mitigations that CPU vendors have added against speculative execution attacks like Spectre, Meltdown, and others.
    The team’s research paper proposes several mitigations that OS makers could deploy to counter BlindSide attacks.


    Microsoft out of race to purchase TikTok as US ban draws near

    The owner of controversial video-sharing app TikTok has a September 15 deadline to either sell to a US company or see the service banned from the US market, following President Donald Trump’s executive order that labelled the platform as a “national emergency”.
    Microsoft threw its hat in the ring prior to the official announcement from the president, saying it wanted to scoop up TikTok and add “world-class security, privacy, and digital safety protections” to the app if it did.
    It soon reportedly joined forces with Walmart to co-bid for the Chinese company’s US, Canadian, Australian, and New Zealand operations.
    Microsoft officials had characterised the discussions as “preliminary”, noting it was not intending to provide any further updates on the discussions until there was a definitive outcome.
    But as the deadline approached, ByteDance said it would not include TikTok’s algorithm in any sale, according to a South China Morning Post report. The Chinese company has also told Microsoft it would not be the new owner.
    “ByteDance let us know today they would not be selling TikTok’s US operations to Microsoft,” the company said in a blog post.
    “We are confident our proposal would have been good for TikTok’s users, while protecting national security interests.”
    Sunday’s blog post reiterated what Microsoft has stated from the start — that the potential acquisition would have required “significant changes” to the app’s current state.
    “To do this, we would have made significant changes to ensure the service met the highest standards for security, privacy, online safety, and combatting disinformation, and we made these principles clear in our August statement,” it said.
    “We look forward to seeing how the service evolves in these important areas.”
    Following Microsoft’s bid, Oracle also began holding talks with ByteDance, showing its interest in the video-sharing app.
    The Wall Street Journal on Monday morning reported Oracle would shortly be announced as TikTok’s “trusted tech partner” and that the video-sharing platform’s sale would not exactly be structured as an acquisition.
    As of the start of August, TikTok has clocked over 175 million downloads in the US, and around 800 million globally.
    “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the executive order made by Trump said.
    “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    TikTok struck back, confirming it would file a lawsuit against the US government over the ban. A lawsuit, however, would not by itself stop the company from being compelled to sell off the app in the US market.
    TikTok also reiterated its previous stance that it has worked to engage the Trump administration for almost a year to “provide a constructive solution” to resolve the concerns the latter had about the app.
    “We strongly disagree with the Administration’s position that TikTok is a national security threat,” it said.


    Leaky server exposes users of dating site network

    An online database left exposed online without a password has leaked the personal details of hundreds of thousands of users who signed up for online dating sites.
    The leaky database, an Elasticsearch server, was discovered at the end of August by security researchers from vpnMentor.
    The database was taken offline on September 3 after vpnMentor tracked down its owner in Mailfire, a company that provides online marketing tools.
    vpnMentor researchers said the database stored copies of push notifications that various online sites were sending to their users via Mailfire’s push notification service.
    Push notifications are real-time messages that companies can send to smartphone or browser users who agreed to receive such messages.
    The leaky database stored more than 882 GB of log files pertaining to push notifications sent via Mailfire’s service, with the logs being updated in real-time, as new notifications were being sent out.
    In total, vpnMentor said the log files contained details for 66 million individual notifications sent over the previous 96 hours, with personal details for hundreds of thousands of users.
    vpnMentor, which analyzed the leaked data while searching for the database owner, said it found notifications belonging to more than 70 websites.
    Some of the sites were e-commerce stores and classified ads networks from Africa; however, the vast majority of notifications originated from domains linked to dating sites.
    These dating sites promised men the opportunity to find a young female partner in various areas of the globe, such as Eastern Europe or Eastern Asia.
    Most of these sites used near-identical designs and, while operating under different domains, appeared to be part of a single larger network.
    The notifications sent by this network were plainly spam, designed to lure users back to the site by claiming that another user had sent them a message.
    Spamming users with push notifications they opted in to is not, by itself, a security issue. The problem was that personal data travelled with the notifications.
    According to copies of the exposed logs seen by ZDNet, the leaky Elasticsearch server didn’t just store copies of the notifications; each record also carried a “debug” section containing personal information about the user receiving the notification.
    Some of the data we found in these debug fields included names, age, gender information, email addresses, general geographical locations, and IP addresses.
    Furthermore, each notification carried a link back to the recipient’s profile, to be opened when the user clicked or tapped it. Those links embedded authentication keys, so anyone holding the URL could open the user’s profile on the dating site without a password. That is the recurring problem with tokens in URLs: the link is a bearer credential, and every system that stores or logs the URL (here, a third-party push provider’s debug logs) becomes a place it can be stolen from and replayed. Such tokens need to be short-lived and single-use, and URLs that carry them must be kept out of logs.
    Anyone who would have found this database over the course of the past few weeks would have been able to learn the identities of users who signed up on these dating sites and access their profiles to read private messages or see past connections.
    As vpnMentor researchers have pointed out, this leaky server was a disaster waiting to happen. Had the data been posted publicly, the users of these sites would most likely have faced extortion attempts, much as Ashley Madison users faced blackmail for years after that breach. Those extortion attempts took a severe toll on Ashley Madison users, some of whom took their own lives after their private lives were exposed.
    Mailfire did not return a request for comment. Some of the dating sites that we found in the leaky server included Kismia, Julia Dates, Emily Dates, Asian Melodies, Ukrainian Charm, Asia Charm, JollyRomance, OneAmour, ValenTime, Rondevo, Victoria Brides, Loveeto, Oisecret, WetHunt, Cum2Date, Jolly.me, and many more.


    Researcher kept a major Bitcoin bug secret for two years to prevent attacks

    In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the reference node software that runs the Bitcoin network, but after reporting the issue and seeing it patched, the researcher opted to keep the details private to avoid attackers exploiting it.
    Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn’t received the patch.
    Bitcoin Inventory Out-of-Memory Denial-of-Service Attack
    Called INVDoS, the vulnerability is a classic denial-of-service (DoS) bug: a remote peer can make the target burn a resource, here memory, until it falls over. A DoS against a single user’s machine is often a nuisance; against internet-reachable nodes that must stay up to validate and relay transactions, it is not.
    INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server’s memory resources, which would eventually crash impacted systems.
    “At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said in a paper [PDF] published on Wednesday.
    INVDoS also affected more than nodes running Bitcoin Core. Nodes running the alternative implementations Bcoin and Btcd carried the same bug.
    Other cryptocurrencies that were built on the original Bitcoin protocol were also impacted, such as Litecoin and Namecoin.
    Fuller said the bug was dangerous because it could “contribute to a loss of funds or revenue.”
    “This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” he said.
    “It could also be through disruption and delay of time-sensitive contracts or prohibiting economic activity. That could affect commerce, exchanges, atomic swaps, escrows and lightning network HTLC payment channels,” Fuller added.
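The article describes the bug class (a remote peer makes a node consume memory without bound) but not the code path, so the following is a generic illustration rather than Bitcoin Core’s or Bcoin’s code. It is an added example written for this page; the wire format (a 4-byte little-endian length prefix), the MAX_PAYLOAD, MAX_INV_PER_PEER and MISBEHAVIOR_LIMIT constants and the peer bookkeeping are all assumptions of the example, not the real protocol’s values. It shows the two checks a node needs: never let a declared length drive an allocation before it has been bounded, and never let a single peer grow a queue (such as announced-but-unfetched inventory) without a per-peer cap and a penalty for exceeding it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limits, assumed for this example (not Bitcoin Core constants). */
#define MAX_PAYLOAD       (4u * 1024u * 1024u)  /* largest frame a peer may send     */
#define MAX_INV_PER_PEER  50000u                /* unrequested announcements we keep  */
#define MISBEHAVIOR_LIMIT 3                     /* violations before we disconnect    */

enum { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_OVERSIZE = -2 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Naive: the declared length *is* the allocation size. A 4-byte field lets a
 * remote peer demand ~4 GiB per message before a single payload byte is seen.
 * Returned rather than malloc'd so the demo itself does not fall over. */
size_t naive_alloc_size(const uint8_t *hdr) {
    return (size_t)rd_le32(hdr);
}

/* Hardened: reject declared lengths above MAX_PAYLOAD before allocating, and
 * refuse to act on a frame whose payload has not fully arrived. */
int parse_frame(const uint8_t *buf, size_t have,
                const uint8_t **payload, size_t *plen) {
    if (have < 4) return FRAME_TRUNCATED;
    uint32_t declared = rd_le32(buf);
    if (declared > MAX_PAYLOAD) return FRAME_OVERSIZE;   /* check before trusting */
    if (have - 4 < declared) return FRAME_TRUNCATED;     /* wait for the rest      */
    *payload = buf + 4;
    *plen = declared;
    return FRAME_OK;
}

typedef struct {
    size_t pending_inv;   /* announcements queued but not yet fetched/validated */
    int    misbehavior;   /* cap violations so far */
    int    disconnected;
} peer_t;

/* Naive inventory handling: every announcement is queued. Memory grows
 * linearly with attacker input and is only released when items are fetched. */
size_t naive_handle_inv(peer_t *p, size_t count) {
    p->pending_inv += count;
    return p->pending_inv;
}

/* Bounded: admit only what fits under the per-peer cap, count each overflow
 * as misbehavior, and drop repeat offenders. Returns the number queued. */
size_t bounded_handle_inv(peer_t *p, size_t count) {
    if (p->disconnected) return 0;
    size_t room = MAX_INV_PER_PEER - p->pending_inv;
    size_t take = count < room ? count : room;
    p->pending_inv += take;
    if (take < count && ++p->misbehavior >= MISBEHAVIOR_LIMIT)
        p->disconnected = 1;
    return take;
}

int main(void) {
    /* Constructed frame header: little-endian 0xFFFFFFFF, "4 GiB follows". */
    uint8_t evil[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t *pl; size_t n;
    printf("naive path would allocate %zu bytes\n", naive_alloc_size(evil));
    printf("hardened parse_frame -> %d (FRAME_OVERSIZE is %d)\n",
           parse_frame(evil, sizeof evil, &pl, &n), FRAME_OVERSIZE);

    /* Constructed flood: ten inv messages of 50,000 announcements each. */
    peer_t naive = {0}, bounded = {0};
    for (int i = 0; i < 10; i++) {
        naive_handle_inv(&naive, 50000);
        bounded_handle_inv(&bounded, 50000);
    }
    printf("naive pending=%zu  bounded pending=%zu disconnected=%d\n",
           naive.pending_inv, bounded.pending_inv, bounded.disconnected);
    return 0;
}
```

The design point is that both limits are enforced at the network edge, before deserialization or validation does any work on the peer’s behalf; once a node has already allocated or queued on trust, the only remaining defence is the out-of-memory killer.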
    Bug re-discovered two years later
    The INVDoS bug was reported to all the responsible parties and patched at the time under CVE-2018-17145, whose public description was kept deliberately generic so as not to tip off attackers.
    However, the same bug was re-discovered over the summer by Javed Khan, another Bitcoin protocol engineer, while hunting bugs in the Decred cryptocurrency.
    Khan reported the bug to the Decred bug bounty program, and it was eventually disclosed to the broader world last month.
    Full details about the entire INVDoS vulnerability were published earlier this week, so other cryptocurrencies that forked older versions of the Bitcoin protocols could check and see if they were impacted as well.
    “There has not been a known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”


    Porn site users targeted with malicious ads redirecting to exploit kits, malware


    A cybercrime group has been busy over the past months placing malicious ads on adult-themed websites in order to redirect users to exploit kits and infect them with malware.
    Named Malsmoke, the group has operated on a scale far larger than comparable cybercrime operations and has abused “practically all adult ad networks.”
    According to cyber-security firm Malwarebytes, which has been tracking Malsmoke’s attacks, the group has mostly managed to place malicious ads (malverts) on mid-tier adult portals. Recently, however, it “hit the jackpot” by sneaking malverts onto xHamster, one of the biggest adult video portals today and one of the biggest sites on the internet, with billions of visits each month.
    The role of the group’s malicious ads was to use JavaScript trickery and redirect users from the adult portal to a malicious site that was hosting an exploit kit.
    The exploit kits would then use vulnerabilities in Adobe Flash Player or Internet Explorer to install malware on users’ computers, with the most common payloads being Smoke Loader, Raccoon Stealer, and ZLoader.
    Only users still browsing with Internet Explorer or with Flash enabled were exploitable; visitors on modern browsers would have been redirected but not infected.
    The attacks can be considered as a last hurrah attempt to infect users with old-school hacking tools like exploit kits, whose usage has declined in recent years as modern browsers have become harder to hack.
    Most exploit kits are built around vulnerabilities in Flash and IE, which has made them less efficient as most internet users have now either uninstalled Flash or moved to Chrome and Firefox.
    With Flash being scheduled to reach end-of-life (EOL) at the end of the year, and with IE being slowly phased out by Microsoft, these are the last few months when malware gangs can still rely on exploit kits.
    “Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser,” Malwarebytes said in a report published earlier this week.
    “As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player.”


    Even cybersecurity companies spill data and passwords

    The business of cybersecurity companies is keeping their customers safe from hackers and cyber attacks, yet nearly all of the leading providers have themselves had data leaked or stolen and posted on dark web forums.
    Research by application security company ImmuniWeb found that nearly all of the top cybersecurity companies have had corporate data exposed and shared on the cyber criminal underground, including login credentials such as usernames and passwords.
    Compromised servers, social engineering and password re-use are among the reasons for data spillages.
    “The cases really vary across the victims, ranging from compromised servers that were apparently forgotten by the victims, to targeted attacks against employees leveraging social engineering and phishing. A considerable number of incidents stems from third parties where employees of the victims were using their professional email addresses to sign in,” Ilia Kolochenko, CEO of Immuniweb told ZDNet.
    Researchers were able to uncover over 600,000 records containing plain text credentials or personal information.
    And while the majority of passwords discovered in these breaches are described as strong, 29 percent would be considered weak: fewer than eight characters, with no digits, no special characters and no capital letters.
    Common weak passwords like ‘password’ and ‘123456’ appear over 1,000 times each in the data analysed, while others like ‘password1’ ‘12345678’ and ‘qwerty’ appear hundreds of times.
    It seems that cybersecurity companies suffer from the same password problems that other organisations have to deal with – in that some systems might just be forgotten about or they have simple passwords for some accounts.
    “Some of these accounts were probably not designed to gatekeep access to critical data, and were occasionally just used to login to different non-critical systems that were eventually compromised,” Kolochenko explained.
    “One also needs to consider that not all employees of cybersecurity companies are security professionals – a number of employees have nothing to do with cybersecurity practice and have insufficient internal training. The bigger the company is, the more human risk it will inevitably have to address,” he added.
    The findings serve as a reminder that cyber crime poses a risk to everyone and that organisations should ensure that they follow best practices when it comes to security.
    This includes using complex passwords, not re-using them across accounts, and keeping track of which third-party organisations have access to company data, because each of those is a place the data can leak from.
    However, organisations – no matter what sector they operate in – can take steps to ensure they’re operating as securely as possible.
    “No one is immune from surging cybercrime but we can effectively fix this by implementing informed, risk-based and threat-aware cybersecurity programs in a continuous and holistic manner,” Kolochenko said.


    IRS offers grants for software to trace privacy-focused cryptocurrency trades

    The US Internal Revenue Service (IRS) is soliciting proposals from contractors that believe they can develop technologies able to shatter the privacy surrounding cryptocurrency transactions. 

    The IRS solicitation was made public last week, as reported by Coin Telegraph, and has been made on behalf of the IRS’ Criminal Investigation department (IRS-CI). 
    IRS-CI is involved in criminal investigations and has played a role in the takedown of Dark Web marketplaces, money laundering programs, and trafficking rings.
    Cryptocurrency-related crimes, too, are on the department’s radar. Virtual coins including Bitcoin (BTC), Ethereum (ETH), and Monero (XMR) are routinely demanded as ransom by ransomware operators; cryptocurrency exchanges are targeted by threat actors and their funds stolen; exchange operators pull exit scams and run off with user coins; and crypto is used on the Dark Web to purchase illegal goods.
    While cryptocurrency has rapidly become a legitimate and innovative industry in its own right, the use of blockchain technologies and the emergence of privacy-focused coins that aim to prevent transaction tracing is of concern to the IRS and law enforcement.
    The agency says that Monero, in particular, is rapidly becoming popular with cybercriminal groups, noting that ransomware group Sodinokibi has now moved from Bitcoin to Monero due to “privacy concerns.”
    “The use of privacy coins is becoming more popular for general use, and is also seeing an increase in use by illicit actors,” the IRS says. “Currently, there are limited investigative resources for tracing transactions involving privacy cryptocurrency coins such as Monero, Layer 2 network protocol transactions such as Lightning Labs, or other off-chain transactions that provide privacy to illicit actors.”
    IRS-CI is asking for proposals from one or more contractors to “provide innovative solutions for tracing and attribution of privacy coins and Layer 2 off-chain transactions,” including tools, software, data, and algorithms.
    Prototypes and proposed methods for tracing cryptocurrency transactions should include tracking capabilities for law enforcement and predictive analytics, and should rely as little as possible on vendor-specific technologies.
    “All solutions must support cryptocurrency transactions that occurred in 2020,” the proposal reads. “All solutions must support open standards for interoperability (common file formats, REST APIs, etc. as appropriate) to facilitate easy integration into internally developed IRS-CI cryptocurrency analytic systems and data.”
    The IRS is offering a $500,000 grant after a prototype and an “initial working system” has been submitted. Contractors are then given eight months to work on their projects, with a further $125,000 awarded on deployment. 
    A deadline of September 16, 2020, has been set for applications. 
    In August, CipherTrace claimed to have developed a Monero-tracing tool for the US Department of Homeland Security (DHS). According to the company, the tool is able to “visualize Monero transaction flows for criminal investigations.”
    Earlier this week, cryptocurrency exchange ETERBASE disclosed a security incident in which $5.4 million in funds was allegedly stolen. The organization said the lost cryptocurrency, including Bitcoin, Ether, and Ripple, was held in hot wallets, that is, wallets whose signing keys live on internet-connected systems rather than in offline cold storage.

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    ThreatConnect acquires enterprise risk management firm Nehemiah Security

    ThreatConnect has acquired Nehemiah Security to bring Cyber Risk Quantification (CRQ) to the firm’s existing cybersecurity solutions range. 

    Announced on Thursday, the deal — made through ThreatConnect’s purchaser entity NS Holdings LLC — will see all of Nehemiah Security’s assets transferred over to ThreatConnect. 
    The financial terms of the deal were not disclosed. 
    Founded in 2015, Washington DC-based Nehemiah Security is a startup that focuses on the CRQ space. 
    According to the company, cybersecurity concerns may “block or suffocate” business initiatives. They can, however, also “fuel and empower business initiatives” when staff have a firm grasp of which resources and business-critical processes need protecting, since investment can then be directed to the right places and disruption kept to a minimum.
    “This is no simple task,” the company said in a blog post. “Many security teams dive in headfirst and get lost in the weeds. Starting this change from the bottom-up is a grind, one that doesn’t get far. A successful program starts from the top, with a CISO that understands the business proportionately to cyber and can communicate, in financial terms, how security investment underpins business operations.”
    This is where CRQ comes in. Applying risk assessment methodologies and tooling at the start of the security lifecycle gives an enterprise a clearer picture of the cybersecurity risks it faces and of how to balance security investment against shareholder value.
    Nehemiah Security’s CRQ solutions will be added to ThreatConnect’s existing Threat Intelligence Platform (TIP), which includes security orchestration, automation, and threat response technologies. Specifically, Nehemiah’s Risk Quantifier (RQ) is now under the ThreatConnect brand. 
    RQ leverages different sets of risk models including the Factor Analysis of Information Risk (FAIR) model. ThreatConnect says a risk-based approach “makes prioritization easy for security teams, enabling them to filter out noise and focus on what matters most.”
    “The decision to acquire Nehemiah was an easy one as they are ahead of the market in terms of their ability to automate cyber risk quantification,” commented Adam Vincent, ThreatConnect CEO. “They help overcome much of the pain felt by early CRQ adopters where manual data collection and lengthy professional services engagements are the norm.”
    Earlier this week, Secureworks announced the acquisition of Delve, a provider of an AI and machine learning-based platform for vulnerability assessment and prioritization. Financial details were not disclosed. 
