Wednesday, January 15, 2025

Scientists may have found the first water worlds

Two planets that were originally discovered by the Kepler mission may not be what we thought they were. Based on an initial characterization, it was thought these planets were rocky bodies a bit larger than Earth. But continued observation has produced data that indicates the planets are much less dense than we originally thought. And the only realistic way to get the sort of densities they now seem to have is for a substantial amount of their volume to be occupied by water or a similar fluid.

We do have bodies like this in our Solar System—most notably the moon Europa, which has a rocky core surrounded by a watery shell capped by ice. But these new planets are much closer to their host star, which means their surfaces are probably a blurry boundary between a vast ocean and a steam-filled atmosphere.

Let’s revisit that

There are two main methods for finding an exoplanet. One is to watch for dips in the light from their star, caused by planets with an orbit that takes them between the star and Earth. The second is to track whether the star’s light periodically shifts to redder or bluer wavelengths, caused by the star moving due to the gravitational pull of orbiting planets.

Either of those methods can tell us whether or not a planet is present. But having both gives us a lot of information about the planet. The amount of light blocked by the planet can give us an estimate of its size. The amount of red- and blue-shifting of the star’s light can indicate the planet’s mass. With both of those, we can find out its density. And density limits what sorts of materials it can be composed of—low density means rich in gas, high density means rocky with a metal-rich core.

That’s exactly what we were able to do at the Kepler-138 system. Data from both these methods suggested that the system contains three planets. Kepler-138b appears to be a small, Mars-sized rocky body. Kepler-138c and Kepler-138d both fell into the category of super-Earths: rocky planets that were somewhat larger than Earth and considerably more massive. All of them orbited quite close to Kepler-138a, a red dwarf star, with the most distant (Kepler-138d) orbiting at 0.15 astronomical units (an AU is the typical distance between Earth and the Sun).

In the grand scheme of things, there was nothing unusual about this system that would demand a second look. But researchers thought that it made a good candidate for studies of the planets’ atmospheres. While the planet will block all light as it transits in front of its host star, a small amount of light will pass through the atmosphere on its way to Earth. And the molecules in that atmosphere will absorb some specific wavelengths, allowing us to discern their presence.

To perform that study, a team of researchers obtained data from the Hubble and Spitzer space telescopes, timed for when Kepler-138d was transiting in front of the star. And that’s when things started to get weird.

Revisions upon revisions

With three planets packed into a small area near the red dwarf, they’re close enough to each other that they can influence their orbits. These create what are called “transit timing variations,” meaning that a planet doesn’t show up in front of its host star at exactly the time its orbit would normally take it there. For example, one of the planets might be in a position where its gravitational pull will slow down another, causing its transit to start a bit later than calculations might otherwise suggest.

This can provide limits for planet mass estimates, as well, so precise measurements of transit timing variations are good to have. And, because the Hubble and Spitzer observations came quite a while after the Kepler data, it meant that we could calculate variations across a seven-year span.

As it turned out, however, we couldn’t. If you estimated the masses based on Kepler measurements and then tried to use that to predict the transits in later measurements, you’d fail. In fact, everything was messed up. “No three-planet model can simultaneously reproduce the Kepler, HST, and Spitzer transit times of Kepler-138 d,” the researchers conclude.

That probably seems awkward. But if a three-planet model failed, the researchers had an obvious backup: trying a four-planet model instead. And that managed to make sense of the data. It also provided an estimate of the fourth planet’s location and mass: about half the size of Earth, orbiting roughly 0.2 astronomical units from the star. The planet, Kepler-138e, doesn’t appear to transit in front of the host star, so its presence hasn’t been confirmed yet.

Assuming it’s accurate, however, the presence of Kepler-138e has consequences. It would also be exerting a gravitational pull on the star, which would contribute to all the red and blue shifts in the star’s light that were used to determine the mass of the other planets. So all of the mass estimates based on the earlier data had to be completely revised in light of the presence of another planet. And things continued to get weird when that was done.

Water, water, everywhere

The two larger planets, Kepler-138c and Kepler-138d, were originally thought to be quite different: both rocky but with metal cores that differed greatly in size. With the revised measurements, however, they were essentially twins. And they were considerably less dense than the earlier estimates.

One way for that to work is if they have a large, hydrogen-rich atmosphere. But the planets are so close to their host star that this isn’t a viable option; radiation from the star is intense enough that the atmosphere would be stripped away within 50 million years, and the system is estimated to be over a billion years old.

An alternative is a planet rich in what are called volatiles, things like water or ammonia that can be found as gases, ices, and liquids under the conditions found in different parts of the Solar System. While a number of potential chemicals could account for the planets’ density, the researchers think in terms of water since there are several water-rich worlds in our Solar System, most notably Jupiter’s moon, Europa.

Matching the density of the two planets produces a model that has a bit over 10 percent of the planet’s mass composed of water. This, however, means that about half the planet’s volume is water. While some of that might be incorporated into the rocky core, it likely means a planet-wide ocean that’s kilometers deep. And, unlike the icy moons, the planet is close enough that much of the water would be liquid, and the atmosphere would be filled with water vapor. Due to the planet’s mass, the pressure of the atmosphere would be immense and could create a layer of supercritical water between the atmosphere and the ocean.

The water-filled moons of the outer Solar System are easy to explain, because they formed in a region where water would exist as ice, and thus could condense onto smaller bodies that merged to form the moons. But these planets are orbiting in an area where water is either liquid or, more likely, remains gaseous. How could they possibly form?

The researchers suggest that the orbital periods of the planets provide a clue. They are in resonance, meaning that the ratios of their orbital periods can be expressed as a ratio of two single-digit numbers (e.g., 5:3). Resonant orbits are considered stable, as the regular gravitational interactions among the planets keep them from getting out of alignment. So the researchers suggest that the planets likely formed in an area of their exosolar system where ice predominated and then migrated inward toward the star until the resonance stabilized their orbits and stopped the migration.

Obviously, given that we haven’t confirmed that a fourth planet exists, there’s a lot here that needs to be verified before we can be comfortable saying we’ve definitely found water worlds. But even in its current tentative state, the results suggest that there’s still a lot of potential for new findings in places where the data seemed to point to a rather run-of-the-mill collection of planets. Given that Kepler identified thousands of exosolar systems like that, there seems to be immense potential for revisiting data and looking for surprises.

Nature Astronomy, 2022. DOI: 10.1038/s41550-022-01835-4

Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!

Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Microsoft discovers Windows/Linux botnet used in DDoS attacks

0

Microsoft researchers have found a hybrid Windows-Linux botnet that assaults other platforms with distributed denial-of-service attacks and uses a highly effective method to bring down Minecraft servers.

Dubbed MCCrash, the botnet infects Windows machines and devices running various distributions of Linux for use in DDoS attacks. Among the commands the botnet software accepts is one called ATTACK_MCCRASH. This command populates the user name in a Minecraft server login page with ${env:random payload of specific size:-a}. The string exhausts the resources of the server and makes it crash.

“The usage of the env variable triggers the use of Log4j 2 library, which causes abnormal consumption of system resources (not related to Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method,” Microsoft researchers wrote. “A wide range of Minecraft server versions can be affected.”

Currently, MCCrash is hardcoded to target only version 1.12.2 of the Minecraft server software. The attack technique, however, will take down servers running versions 1.7.2 through 1.18.2, which run about half of the world’s Minecraft servers. If the malware is updated to target all vulnerable versions, its reach could be much wider. A modification in Minecraft server version 1.19 prevents the attack from working.
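The attack above works because a string of the form ${env:...:-a} reaches a Log4j 2 logger unchanged. The defensive lesson is to validate the user-name field against what a legitimate account name can look like before it is logged, and to review login logs for names carrying lookup syntax. The following is an added example written for this page; it is not Microsoft's or Mojang's code. The allowlist rule (3 to 16 characters from [A-Za-z0-9_]) and the login-line format of the sample log are assumptions made for the example, and the log lines are constructed, not real captures.

```python
import re

# Allowlist: what a legitimate account name is assumed to look like in this example
# (3-16 characters, letters, digits, underscore). Anything else is rejected before logging.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")

# Review pattern: any Log4j-style lookup "${...}", which covers the "${env:...:-a}"
# form MCCrash places in the user-name field. Used for log review; the allowlist is the control.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")

# Constructed sample log lines; the "name=... ip=..." layout is an assumption of this example.
SAMPLE_LOG = """\
[21:03:11] [User Authenticator #1/INFO]: login attempt name=Steve ip=10.0.0.5
[21:03:14] [User Authenticator #2/INFO]: login attempt name=${env:AAAAAAAA:-a} ip=10.0.0.99
[21:03:15] [User Authenticator #3/INFO]: login attempt name=Alex_99 ip=10.0.0.7
[21:03:16] [User Authenticator #4/INFO]: login attempt name=${env:BBBB:-a} ip=10.0.0.99
"""

NAME_FIELD_RE = re.compile(r"name=(\S+) ip=(\S+)")


def is_valid_username(name: str) -> bool:
    """Allowlist check to apply to the login packet before the name reaches any logger."""
    return bool(USERNAME_RE.fullmatch(name))


def contains_lookup(name: str) -> bool:
    """True if the name carries Log4j lookup syntax."""
    return bool(LOOKUP_RE.search(name))


def scan_log(text: str):
    """Return (line_no, source_ip, name) for login attempts whose name carries lookup syntax."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = NAME_FIELD_RE.search(line)
        if m and contains_lookup(m.group(1)):
            hits.append((line_no, m.group(2), m.group(1)))
    return hits


def offending_sources(text: str):
    """Count flagged attempts per source IP, the unit a defender would rate-limit or block."""
    counts = {}
    for _, ip, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, ip, name in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: lookup syntax in user name from {ip}: {name!r}")
    print("sources:", offending_sources(SAMPLE_LOG))
```

The allowlist rejects the lookup string without needing to know anything about Log4j, which is why input validation at the protocol boundary is the durable control; the log scan is for finding attempts that already reached a server that lacked it.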

The initial infection point for MCCrash is Windows machines that have installed software that purports to give pirated licenses for the Microsoft OS. Code hidden in the downloaded software surreptitiously infects the device with malware that eventually installs malicious.py, a Python script that provides the main logic for the botnet. Infected Windows devices then scan the Internet in search of Debian, Ubuntu, CentOS, and IoT devices that accept SSH connections.

“The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it was specifically coded to affect versions beyond 1.12.2,” Microsoft researchers wrote. “The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.”

When found, MCCrash uses common default login credentials in an attempt to run the same malicious.py script on the Linux device. Both the Windows and Linux devices are then part of a botnet that performs the Minecraft attack as well as other forms of DDoSes. The graphic below shows the attack flow.

A breakdown of devices infected by MCCrash shows that most of them are located in Russia. Microsoft didn’t say how many devices are infected. Company researchers said they believe the botnet operators use it to sell DDoS services on crime forums.


Customers are urged by Fortinet to address actively exploited FortiOS SSL-VPN flaw

Fortinet has addressed an actively exploited FortiOS SSL-VPN weakness that allows a remote, unauthenticated attacker to run arbitrary code on devices.

Fortinet recommends that users update their installations to address an actively exploited FortiOS SSL-VPN vulnerability, identified as CVE-2022-42475, which might be used by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow issue that resides in FortiOS sslvpnd.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

Fortinet recommends that its customers check for the following indicators of compromise:

Multiple log entries with:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"

Presence of the following artifacts in the filesystem:

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

Connections to suspicious IP addresses from the FortiGate:

188.34.130.40:444
103.131.189.143:30080,30081,30443,20443
192.36.119.61:8443,444
172.247.168.153:8033

The vulnerability was first disclosed by cybersecurity firm Olympe Cyberdefense.

Below is the list of affected products:

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14

Fortinet addressed the issue with the release of FortiOS 7.2.3.
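A practitioner checking a fleet of FortiGates against the advisory would script the checks rather than eyeball them. The following is an added example for this page, not Fortinet's tooling: the indicator values (crash signature, artifact paths, IP:port pairs, affected version ranges) are copied from the advisory excerpt above, while the sample log lines, file listing and connection records it runs over are constructed for the example, and the key=value log layout is an assumption.

```python
import re

# --- Indicators copied from the advisory excerpt above -------------------------------
CRASH_LOGDESC = "Application crashed"
CRASH_MSG_MARKERS = ("application:sslvpnd", "Signal 11 received")

ARTIFACT_PATHS = {
    "/data/lib/libips.bak", "/data/lib/libgif.so", "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so", "/data/lib/libjepg.so", "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf", "/flash",
}

SUSPICIOUS_ENDPOINTS = {
    ("188.34.130.40", 444),
    ("103.131.189.143", 30080), ("103.131.189.143", 30081),
    ("103.131.189.143", 30443), ("103.131.189.143", 20443),
    ("192.36.119.61", 8443), ("192.36.119.61", 444),
    ("172.247.168.153", 8033),
}

# (product, first affected, last affected), inclusive, from the affected-products list.
AFFECTED = [
    ("FortiOS", (7, 2, 0), (7, 2, 2)),
    ("FortiOS", (7, 0, 0), (7, 0, 8)),
    ("FortiOS", (6, 4, 0), (6, 4, 10)),
    ("FortiOS", (6, 2, 0), (6, 2, 11)),
    ("FortiOS-6K7K", (7, 0, 0), (7, 0, 7)),
    ("FortiOS-6K7K", (6, 4, 0), (6, 4, 9)),
    ("FortiOS-6K7K", (6, 2, 0), (6, 2, 11)),
    ("FortiOS-6K7K", (6, 0, 0), (6, 0, 14)),
]

# --- Constructed sample inputs (not real captures) -----------------------------------
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:15:01 type="event" level="critical" logdesc="Application crashed" '
    'msg="Pid 1234, application:sslvpnd, Firmware: FortiGate-VM64 v7.2.2, Signal 11 received, '
    'Backtrace: [0xdeadbeef]"',
    'date=2022-12-12 time=10:15:02 type="event" level="information" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully"',
]
SAMPLE_FS = ["/data/lib/libips.bak", "/data/etc/wxd.conf", "/data/lib/libc.so", "/etc/hosts"]
SAMPLE_CONNS = [("103.131.189.143", 30443), ("8.8.8.8", 53), ("192.36.119.61", 443)]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> dict:
    """Parse quoted key="value" pairs; keys are lower-cased so Logdesc and logdesc both match."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def is_crash_indicator(line: str) -> bool:
    kv = parse_kv(line)
    msg = kv.get("msg", "")
    return kv.get("logdesc") == CRASH_LOGDESC and all(m in msg for m in CRASH_MSG_MARKERS)


def count_crash_entries(lines) -> int:
    return sum(1 for line in lines if is_crash_indicator(line))


def find_artifacts(paths) -> list:
    return sorted(set(paths) & ARTIFACT_PATHS)


def find_suspicious_connections(conns) -> list:
    return sorted(c for c in set(conns) if c in SUSPICIOUS_ENDPOINTS)


def parse_version(s: str) -> tuple:
    return tuple(int(part) for part in s.split("."))


def is_affected(product: str, version: str) -> bool:
    v = parse_version(version)
    return any(p == product and lo <= v <= hi for p, lo, hi in AFFECTED)


def triage(log_lines, fs_paths, conns, product, version) -> dict:
    """Combine the checks into one report; any hit warrants an incident-response look."""
    crashes = count_crash_entries(log_lines)
    report = {
        "affected_version": is_affected(product, version),
        "crash_entries": crashes,
        "artifacts": find_artifacts(fs_paths),
        "suspicious_connections": find_suspicious_connections(conns),
    }
    report["needs_investigation"] = bool(crashes or report["artifacts"] or report["suspicious_connections"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, SAMPLE_FS, SAMPLE_CONNS, "FortiOS", "7.2.1"))
```

Note that a vulnerable version alone does not mean compromise, and a single sslvpnd crash can have benign causes; the advisory's wording is "multiple log entries", so the count, the artifacts and the connections should be read together.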


CommonSpirit says 623K patients are affected by the data compromise


The personal information of 623,774 patients was exposed as a result of the security incident that occurred in October, according to CommonSpirit Health.

One of the biggest hospital chains in the US, CommonSpirit, was the victim of a ransomware attack at the beginning of October that severely inconvenienced both patients and facilities.

The chain had to rearrange medical appointments across the nation as a result of the security compromise, which also caused delays in patient treatment and delayed surgeries.

“CommonSpirit Health has identified an IT security issue that is impacting some of our facilities. We have taken certain systems offline. We are continuing to investigate this issue and follow existing protocols for system outages.” reads the statement published by the company.

CommonSpirit Health confirmed it had experienced an IT security issue that forced it to take part of its infrastructure offline.

NBC News, citing a person familiar with its remediation efforts, revealed that the organization suffered a ransomware attack.

“While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.” reported NBC News.

NBC News added that multiple facilities were impacted by the ransomware attack. The media reported that CHI Memorial Hospital (Tennessee), some St. Luke’s hospitals (Texas), and Virginia Mason Franciscan Health (Seattle) were impacted.

Now the company confirmed that threat actors had access to the personal data of 623,774 patients during the ransomware attack. Exposed data includes full name, address, phone number(s), date of birth, and a unique ID used only internally by the organization.

The exact number of impacted individuals was reported through the U.S. Department of Health breach portal.

“As you are aware, on October 2, 2022, CommonSpirit Health experienced a ransomware attack that impacted some of our systems. Our ongoing investigation shows that the unauthorized third party gained access to certain files, including files that contained personal information.” reads an update provided by the company on December 1st, 2022. “While our review of these files is ongoing, we identified that some of these files contained personal information for individuals who may have received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health in Washington state.”

CommonSpirit Health added it has no evidence that any personal information has been misused by the threat actors. The company is notifying the impacted individuals.

According to the data breach notification sent to impacted individuals, an unauthorized third party gained access to the company’s network between September 16, 2022 and October 3, 2022. Threat actors gained access to certain files, including files that contained personal information.

CommonSpirit quickly adopted measures to contain the incident and notified law enforcement; it also said it has deployed additional security and monitoring tools.


UK detains 5 people for supplying questionable point-of-sale software

The use of “electronic sales suppression software,” programmes that misrepresent point-of-sale data to help businesses avoid paying taxes on their actual revenue, has been the subject of a joint investigation by tax officials from Australia, Canada, France, the UK, and the USA.

The Joint Chiefs of Global Tax Enforcement (also known as the J5) announced on Friday that the investigation “resulted in the arrest of five individuals in the United Kingdom who are allegedly responsible for designing and marketing electronic sales suppression devices abroad.”

Those allegedly responsible started to export their wares during the COVID-19 pandemic.

“These dodgy sales suppression tools allow retailers to keep a separate set of books and launder the money in one transaction,” explained J5 chief and Australian Taxation Office deputy commissioner John Ford.

“They conceal and transfer this income anonymously, sometimes offshore.”

“So what might happen is that the customer orders a $60 steak and a $100 bottle of wine,” Ford explained, at which point the software changes the transaction so it is recorded in the point of sale system as “a $10 bowl of chips and a $4 bottle of soft drink.”

Customers, who still pay the full amount, are unaware of the substitution. The shop, however, is left with $14 in recorded revenue and $146 in unrecorded cash to launder.

According to the J5’s statement regarding its investigation, ESS was created in the UK and afterwards exported by its creators to the USA and other countries.

“This was a highly sophisticated, truly global attack on the international tax system,” said Simon York, director of His Majesty’s Revenue & Customs (HMRC) Fraud Investigation Service. “The group behind this activity is suspected of enabling thousands of businesses to evade tax in what is a large scale, technologically enabled fraud.”

York added: “This is just the beginning of our work in this area, and we already have other suspected suppliers in our sights. We are urging all users of these types of systems to come to us before we come to them.”


Experts developed a method to bypass multiple companies’ web application firewalls (WAF)

Researchers at the industrial and IoT cybersecurity company Claroty developed an attack method for getting past the web application firewalls (WAF) of a number of top vendors.

The method was found while working on the wireless device management platform of Cambium Networks for unrelated research.

A Cambium SQL injection flaw was found by the researchers, who then leveraged it to steal user sessions, SSH keys, password hashes, tokens, and verification codes.

The experts noted that while attempts to hack the cloud version were thwarted by the Amazon Web Services (AWS) WAF, they were successful in exploiting the SQL injection vulnerability against the on-premises version.

The researchers then began looking into ways to get around the AWS WAF. They found that because the WAF cannot parse JSON syntax, it can be bypassed by prepending JSON syntax to SQL injection payloads.

“Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” reads the report published by Claroty. “Using syntax from different database engines, we were able to compile the following list of true statements in SQL:

  • PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb Is the left JSON contained in the right one? True.
  • SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7 Does the extracted value of this JSON equal 7? True.
  • MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan' Does the extracted value of this JSON equal 'Aztalan'? True.”

Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads.

The researchers verified that the bypass technique also worked against firewalls from other vendors, including Cloudflare, F5, Imperva, and Palo Alto Networks.

“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code.” the report concludes.
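The finding is a reminder that a WAF is a signature-based filter in front of an application, not the fix for the injection itself. The added example below (written for this page, not Claroty's code) runs the SQLite "true statement" quoted above, in its json_extract() function form, through a string-concatenated query and through a parameterized one, next to a toy signature filter that only knows the classic tautologies. It uses Python's bundled sqlite3 module and assumes the SQLite build includes the JSON functions; the sessions table and its rows are constructed sample data, and the signature list is an assumption that stands in for a much larger real rule set.

```python
import re
import sqlite3

# Constructed sample table: a session store keyed by username.
ROWS = [("alice", "tok-alice"), ("bob", "tok-bob")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sessions (username TEXT, token TEXT)")
    con.executemany("INSERT INTO sessions VALUES (?, ?)", ROWS)
    return con


# Tautology built from the SQLite true statement quoted in the report above, written with
# json_extract(), the function form of the '->' operator shown there.
JSON_TAUTOLOGY = "x' OR json_extract('{\"a\":2,\"c\":[4,5,{\"f\":7}]}', '$.c[2].f') = 7 -- "

# Classic tautology that signature-based filters recognise.
CLASSIC_TAUTOLOGY = "x' OR 1=1 -- "

# Toy signature filter standing in for a WAF rule set with no notion of JSON syntax
# (assumption of this example).
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"\bor\s+1\s*=\s*1\b", r"\bunion\s+select\b")]


def naive_filter_blocks(value: str) -> bool:
    """True if the request would be dropped by the toy signature filter."""
    return any(s.search(value) for s in SIGNATURES)


def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT token FROM sessions WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the input stays data whatever syntax it contains."""
    return [row[0] for row in con.execute(
        "SELECT token FROM sessions WHERE username = ?", (username,))]


def compare(username: str) -> dict:
    """Run one input through the filter and both query styles on a fresh database."""
    con = make_db()
    return {
        "filter_blocks": naive_filter_blocks(username),
        "vulnerable_rows": lookup_vulnerable(con, username),
        "parameterized_rows": lookup_parameterized(con, username),
    }


if __name__ == "__main__":
    for label, value in (("classic", CLASSIC_TAUTOLOGY), ("json", JSON_TAUTOLOGY), ("plain", "bob")):
        print(label, compare(value))
```

The classic tautology is caught by the filter; the JSON form sails past it and, against the concatenated query, returns every session token. The parameterized query returns nothing for either payload and the right row for "bob", with no dependency on what the filter knows.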


Microsoft PlayReady security research

Microsoft PlayReady is one of the key technologies used by PayTV
industry and OTT platforms for Digital Rights Management and content
security in general. According to Microsoft, PlayReady Server SDK has
several hundred service provider licensees.

Security Explorations conducted security analysis of Microsoft PlayReady
content protection technology in the environment of CANAL+ SAT
TV provider. As a result, complete access to movie assets and content
keys available in CANAL+ VOD library could be gained with the use of a
fake client device identity.

Below, a summary of discovered issues is given:
1) weak security of CANAL+ STB (unpatched 3 years old vulnerabilities)
made it possible to acquire STB PlayReady private group ECC key (its
plaintext value),
2) PlayReady license server did not check whether the client device
identity used in a certificate chain corresponded to the valid
subscriber (fake MAC and SERIAL values could be used for license
requests),
3) PlayReady license server did not verify whether client device had
access to target content (any VOD content / collection could be
accessed, this includes paid content that was available through 48h
rentals only or collections of movies from channels to which the
subscriber didn’t have access),
4) PlayReady license server was not synced with Content Delivery
Network (CDN), as such access to content could be made outside of the
granted license period (outside of the rental period, etc.),
5) there has been no key rotation observed (same, static content keys
were returned by the PlayReady license server for given content),
6) PlayReady protected content was not watermarked (same content was
returned for requests corresponding to different client identities),
7) PlayReady license server could be crawled in an automatic fashion
for content keys,
8) there has been no detection and blacklisting observed as a response
to invalid / malicious license requests  (some triggered license
server exceptions),
9) PlayReady certificate chain in use by target STB device didn’t have
any time / expiration attribute.

PlayReady security model relies on the security of the link between
client device and a license server. As such, a compromised client
device can implicate compromise of the security of content.

This security model should take into account such a compromise. As
such, reversing PlayReady operation should be more challenging too.
Acquiring PlayReady client secrets such as group keys should not be
straightforward either.

Unfortunately, this was not the case for CANAL+ STB devices as:
1) multiple symbol names were left in a PlayReady binary (Linux ELF file),
2) the binary didn't contain any reverse engineering countermeasures
such as code obfuscation, etc.
3) PlayReady functionality was implemented at the application layer.
This implicated no need to break security of the kernel or HW chip
(PlayReady compromise from user level application). This made runtime
hooking and tracing PlayReady operation easy.

It was interesting to find out that instead of the usual code and
symbols obfuscation, Microsoft likely decided to build DRM strength on
the strength of ECC crypto and associated math in general (my
impression). They tweaked standard NIST P-256 ECC curve parameters and
conducted whole computations in an affine space (it is called a "MOD"
space in binary).

The ECC curve parameters were embedded in a binary in a non-standard
way (affine transformation to MOD space). All calculations were
conducted with respect to that transformation too (and with certain
optimizations such as Montgomery ladder). Yet, this hasn't been an
obstacle as long as fundamentals of ECC cryptography were acquired.

The crucial weak point was the P256 symbol and subroutine verifying
whether a given point is on curve. This subroutine indirectly leaked
curve parameters (and type).

The ECC formula for NIST P-256 curve is the following:

Y^2 = X^3 + A*x + B

This formula can be used to check whether a given point (X,Y) lies on ECC curve.

For points transformed to the MOD space

Y = y*F
X = x*F

This yields the following:

(y*F)^2 = (x*F)^3 + A*x + B

y^2 * F^2 = x ^3 * F^3 + A*x + B // multiplying by the F^-1 (inverse)

y^2 * F^2 * F^-1 = x ^3 * F^3 * F^-1 + A*x*F^-1 + B*F^-1

y^2 * F^2 * F^-1 = x ^3 * F^3 * F^-1 + (A*F^-1)*x + B*F^-1

which yields the curve parameters used for points transformed to MOD space:

real_a=(A*F^-1)
real_b=B*F^-1

While the private group key and group certificates were embedded in
PlayReady binary in an encrypted form (possible to decrypt with the
use of device root key), their plaintext content could be retrieved in
runtime with the help of user level API too (access to encrypted file
system through symbols exposed by a shared library).

In Jul 2022, I contacted Microsoft and offered to share the results of
my research with the company. To me it looked like a bug at license
server end, but Microsoft closed the case on the basis "this is not a
server-side compromise".

As a result of Microsoft evaluation and multiple communication
problems during report handling process (mails not reaching MS,
automated MSRC system not showing MS responses in the message chat,
advice to contact "breach" team while this should be MS job to forward
any relevant information to proper team such as PlayReady), I decided
not to get into further discussion with Microsoft and did not explain
in particular that server side compromise did not matter for the given
case as Microsoft PlayReady license server was verified to provide
license (and content keys) to any content (not authorized, not rented,
not paid, etc.), it was not synced with CDN and had no watermarking in
place.

I tried to reach out to CANAL+ instead, but without much success.
CANAL+ company was clearly not interested to talk to me over this (no
responses to e-mails and/or requests to establish an official
communication channel for the reporting, discussion and
vulnerabilities disclosure purposes).

Although Microsoft evaluated the issue as no bug in PlayReady, the
overall attack exposes both a significant PlayReady limitation and a
fault at CANAL+ end (no server side auth checks, no watermarking in
place, no license server syncing with CDN, etc.). The demonstrated
technique might potentially constitute a significant risk for content
providers as compromise of a single device or presence of the
unpatched device is sufficient for a large scale, distributed piracy
of a high premium content coming from CANAL+, HBO, FOX, WARNER, etc.
(18K+ assets in CANAL+ VOD library).

Microsoft is aware of that and points out that Microsoft Azure Media
Services (AMS) are free of the above limitations. What I am not sure
is whether Microsoft PlayReady licensees are.

According to Microsoft, PlayReady Server SDK has several hundred
service provider licensees. They should implement security features
missing in PlayReady such as authentication, authorization,
watermarking, etc. on their own in order to avoid the situation
encountered in CANAL+ environment.

As such, there is clearly the value in releasing details of the
research, so that others can either learn, evaluate or prepare for the
risks of the demonstrated content theft whenever PlayReady client
compromise occurs.

Microsoft agreed with the above (on the value of disclosure), but
preferred that the issue got released when STB fixes are in place.

As there is no bug claimed at Microsoft end, the STB issues have been
known for 3 years and CANAL+ hasn’t reached out to me over the topic
of disclosure (last contact with the company in late Aug 2022), I see
no reason to wait with the release of technical details.

More information regarding the responses of Microsoft, CANAL+ and the
Sygnal anti-piracy organization, along with sample demo movies
illustrating POC operation, can be found at the following pages:

https://security-explorations.com/mspr_cplus_info.html

Brief technical details in the form of a README.md file can be
downloaded from this location:

https://security-explorations.com/mspr_cplus_details.html

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

From: Security Explorations <contact () security-explorations com>
Date: Sat, 10 Dec 2022 12:23:11 +0100
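The post says PlayReady licensees have to add authentication, authorization, watermarking and license-server/CDN syncing themselves. The following Python sketch is an added example, not code from Security Explorations, Microsoft, CANAL+ or the PlayReady Server SDK, of what such a server-side gate in front of license issuance looks like: an HMAC-tagged session token proves who is asking, an entitlement lookup decides whether they paid for the asset's tier, a catalogue check confirms the CDN still serves the asset, and a per-session id is derived for forensic watermarking. The secret, the subscriber table, the asset tiers and the catalogue are all constructed for the example; a real deployment keeps the secret in a KMS/HSM, reads live databases, and hands the approved request to the DRM SDK to build the actual license.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real license server keeps this in an HSM/KMS.
SESSION_KEY = b"constructed-demo-session-key"

# Constructed data: the tier each subscriber paid for, the tier each asset
# requires, and the assets the CDN currently serves.
ENTITLEMENTS = {"sub-1001": {"basic"}, "sub-2002": {"basic", "premium"}}
ASSET_TIER = {"asset-42": "basic", "asset-99": "premium", "asset-7": "premium"}
CDN_CATALOGUE = {"asset-42", "asset-99"}   # asset-7 has been pulled from the CDN


def mint_session(subscriber: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HMAC-tagged session token once the subscriber has logged in."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": subscriber, "exp": now + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_session(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subscriber id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def issue_license(token: str, asset: str, device_id: str, now: Optional[int] = None) -> dict:
    """Server-side gate in front of license generation.

    Every check runs on the server, so a compromised client cannot skip it:
    1. the session must authenticate a real subscriber,
    2. that subscriber must be entitled to the asset's tier,
    3. the asset must still exist in the CDN catalogue (license server and
       CDN kept in sync), and
    4. the decision carries a per-session id, tied to subscriber, device and
       asset, for the packager/CDN to embed as a forensic watermark.
    """
    subscriber = verify_session(token, now)
    if subscriber is None:
        return {"ok": False, "reason": "bad_session"}
    tier = ASSET_TIER.get(asset)
    if tier is None or tier not in ENTITLEMENTS.get(subscriber, set()):
        return {"ok": False, "reason": "not_entitled"}
    if asset not in CDN_CATALOGUE:
        return {"ok": False, "reason": "not_in_cdn"}
    watermark = hmac.new(SESSION_KEY, f"{subscriber}|{device_id}|{asset}".encode(),
                         hashlib.sha256).hexdigest()[:16]
    # The real DRM license (content key wrapped for the device) would be built
    # by the DRM server SDK here; this example returns only the decision.
    return {"ok": True, "subscriber": subscriber, "asset": asset, "watermark": watermark}


if __name__ == "__main__":
    token = mint_session("sub-2002", now=1_000_000)
    print(issue_license(token, "asset-99", "stb-A1", now=1_000_100))
    print(issue_license(mint_session("sub-1001", now=1_000_000), "asset-99", "stb-B2", now=1_000_100))
    print(issue_license(token, "asset-7", "stb-A1", now=1_000_100))
```

Because each check is keyed to the subscriber's server-issued session rather than to anything the client asserts, one compromised or unpatched device cannot be turned into a license vending machine for assets its owner never paid for, and the watermark id gives the content owner a way to trace a leaked copy back to the session that produced it.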



Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

The Top Hacks and Breaches of 2022, Ranked


Folks, it’s officially that time of year. Yes, the time has come to rank the greatest (read: worst, most terrible, most absurd) hacking incidents of the year as we inch closer to December and toward 2023. In terms of cybersecurity catastrophes, 2022 wasn’t quite as severe as other recent years, and it saw fewer prominent ransomware assaults. But even without a massive supply-chain scandal in the vein of SolarWinds, things weren’t all that fantastic.

Cryptocurrency hacks exposed the poor digital security of some very large organisations and ran up billions of dollars in losses. At the same time, cybercriminals once more showed that their business model is incredibly lucrative. Let’s face it: the digital security situation in the US was a shitshow, as usual.

Join us as we take a quick look back at this year’s most notable hacking incidents and data breaches. Please take this as a reminder to update your browser and buy a password manager (but be selective, since password managers themselves can be hacked more than once in a year; check out this guide on password managers).

1] The Lapsus$ Hacks

The most distinctive cyberattacks of the year were carried out by a new gang calling itself “Lapsus$.” The group, which is reputed to be composed mostly of teenagers, claimed impressive hacking victories against some of the world’s biggest companies: Microsoft, Samsung, Nvidia, Ubisoft and a slew of other major tech companies all suffered serious data breaches. While the supposed leader of the gang, a teenager from the United Kingdom, was arrested back in March, Lapsus$ appears to have continued its reign of terror, claiming victories against more and more large companies. Despite its big splash in the world of cybercrime, we still don’t know much about the group or its members. To date, no members of the group have been publicly identified, not even the ones arrested. See more on the Lapsus$ group.

2] The Uber Breach

The Uber hack was one of the most memorable of the year, and it may also have been carried out by the cybercriminals from the previous entry, the Lapsus$ gang. In short: someone broke into the rideshare giant’s network in September and caused all sorts of mischief. Whoever it was certainly had a sense of humor. In addition to defacing an internal website with an explicit image, the hacker messed with employees via Slack and leaked screenshots of the company’s internal environment to the web. The company later blamed Lapsus$. See more on the Uber hack.

3] The Rockstar Breach

Another potential Lapsus$ episode: the unfortunate hacking of Rockstar Games. This summer, a cybercriminal group got inside the gaming giant’s network and stole and leaked early development footage of the upcoming Grand Theft Auto VI. A 17-year-old was arrested for the crime in London “on suspicion of hacking, as part of an investigation” into the incident. The teenager is thought to have been connected to the Lapsus$ gang. See more on the Rockstar hack.

4] The LA School District Ransomware Attack

America’s second-largest school district got pillaged by ransomware hackers this year, and, boy, was it a bummer. Yes, the Los Angeles Unified School District was hit in September by a group calling itself Vice Society. The attack paralyzed certain IT systems and made a real mess of things for district schools. The hackers demanded a ransom, which the school district refused to pay, and they subsequently released 500 gigabytes of the district’s data.

5] The $620 Million Axie Infinity Hack

One of the biggest cryptocurrency hacks of all time happened earlier this year: the Ronin bridge behind the crypto video game Axie Infinity was pillaged for a whopping $620 million worth of crypto. US authorities later attributed the massive theft to North Korean cybercriminals tied to the Lazarus Group. See more on the Axie Infinity hack.

6] The California Gun Owners Doxxing Episode

In a bizarre episode, the state of California accidentally doxxed every legal gun owner in the state. The incident took place this summer, after the California Department of Justice launched a new website designed as a portal for anonymous, aggregated information on gun owners. The website, it turned out, was not so anonymous: personal information on gun owners, including names, birthdays and addresses, was left exposed to the internet. The website was swiftly taken down, and the state government apologized for the mistake.

7] The Wormhole Bridge Attack

Another giant cryptocurrency hack this year was the Wormhole bridge attack. Wormhole, a decentralized finance (DeFi) bridge that lets users move assets between blockchains, was quite the success story for a time. Unfortunately, in February, someone hacked it, and *poof*, $325 million in crypto went up in smoke. Wormhole’s backer, Jump Crypto, replaced the stolen funds, but the whole thing remains an example of how money can evaporate in the course of a day in the DeFi world.

8] The Conti Ransomware Leaks

One of the most interesting data breaches of the year involved a well-known group of hackers getting hacked. The Conti ransomware group, which has been tied to some very major hacking episodes, was itself hacked by Ukrainian hacktivists, who spilled internal chats and other information from the ransomware group onto the web. The contents of the leak provided some of the most comprehensive insights yet into how major ransomware groups conduct their lucrative business. See more on the Conti leaks.

9] Everything Associated With Log4j

In December 2021, one of the most catastrophic bugs in memory popped up: a nasty vulnerability in Log4j, the widely used open source Java logging library. The bug quickly panicked the internet, and for good reason: it could be triggered by little more than getting a crafted string into a log message, and since then companies have been getting hacked left, right and center. See more on the Log4j vulnerability.

10] The Goatse/Elementary School Debacle

Okay, okay, this may not have been the biggest, nor one of the most expensive, cyber incidents of the year, but it was the funniest. To make a long story short: some joker hacked an app widely used by elementary school administrators and parents across the country. What did they do once inside? Naturally, they spammed users with the infamous Goatse meme, a horrendous image of a man bending over and spreading his cheeks for the world to see. Naturally, the app’s users were mortified. It’s unclear exactly how many schools were affected by this practical joke, but it might have been a lot.


5 British businesses were penalised for making 500,000 unwanted calls


Five businesses have been fined a total of £435,000 (about $529,000) by Britain’s data watchdog after it found that they had made over half a million marketing calls to people registered with the Telephone Preference Service (TPS).

Under UK law, businesses may not make live marketing calls to TPS subscribers.

According to the Information Commissioner’s Office (ICO), the violators are Applianceservices UK Ltd (AUKL), Boiler Cover Breakdown Ltd (BCBL), Boiler Breakdown Ltd (BBL), Repair Plans UK Ltd (RPUK) and Utility Guard Ltd (UGL).

Andy Curry, head of ICO investigations, said: “We will not stop investigating and taking robust action against companies, to protect people and especially the vulnerable, where we find blatant disregard for the law.”

The ICO’s investigation found that, in certain instances, the companies were targeting specific demographics, namely homeowners aged 60 and over.

AUKL, a Brighton-based company, called TPS subscribers 99,313 times without consent between the beginning of January 2021 and mid-June of that year. It received an £85,000 ($103,000) penalty.

The ICO said it learned of the company from the Financial Conduct Authority, and that AUKL “appeared” to use coercive techniques to obtain payment card details. One of the people called had dementia, and another had diminished capacity as a result of a stroke.

RPUK, also headquartered in Brighton, made 21,347 marketing calls in the period ending September 7th. According to the ICO, it specifically purchased data on people aged 60 and over and made false and misleading statements during marketing calls.

The ICO found one incident in which RPUK had needlessly taken £180 from a person’s bank account. It was fined £70,000 and issued with an enforcement notice, with 30 days to comply.

BCBL made 9,075 marketing calls between January and August 2020, and BBL made 348,724 nuisance calls, the ICO said. Both companies are registered at the same address and share the same directors, and the phone lines are rented by one company and used by both.

The ICO said both were “specifically” targeting vulnerable people, and fined BCBL £120,000 (about $146,000) and BBL £140,000 (about $170,000), along with enforcement notices. The two businesses have appealed the amount of the penalties.

The final name in the rogues’ gallery is UGL, based in Chichester, West Sussex. The ICO said it made 1,932 calls between August 2020 and July 2021. UGL did not hold a TPS licence and took money from someone with dementia. It showed a “wilful disregard” for the law, was fined £20,000 and must comply with an enforcement notice.

“The pressure tactics, and sometimes false or misleading statements these companies used were completely unacceptable. To be made to feel as though you have to hand over your bank details simply to get someone off the phone is nothing short of shameful, and that is why we have taken action against these companies,” said Curry.


End-to-End Encryption (E2EE) Is Finally Here, Kind Of, for Apple Device Backups


A new optional feature called Advanced Data Protection extends end-to-end encryption to most of iCloud.

iCloud previously end-to-end encrypted 14 categories of data. With the new feature that number rises to 23, including photos, voice memos, notes, reminders, Safari bookmarks and the iCloud backups of your devices.

However, not all data is encrypted this way. Notably, iCloud Mail, Contacts and Calendar are not covered.

Apple says they are not covered “because of the need to interoperate with the global email, contacts, and calendar systems.”

Advanced Data Protection is available now to Apple Beta Software Program users in the US and will roll out to the rest of US users by the end of the year. According to Apple, users outside the US will have to wait until early 2023.

Advanced Data Protection is the major news for most people, but Apple also revealed two other iCloud security features. First, hardware security keys such as YubiKeys can now be used as the second factor for an Apple ID, with both plug-in and NFC keys supported.

Second, there is iMessage Contact Key Verification, which lets people who face extraordinary digital threats, such as journalists, confirm that they are messaging only the people they intend to, and warns them if a state-backed adversary manages to breach cloud servers and insert a device to eavesdrop on their conversations.
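To make the key-substitution risk in that paragraph concrete, here is an added Python model. It is not Apple’s code, and it is a simplified stand-in for the general idea (each side derives a short code from its own identity key and the peer key the cloud directory returned, then the two compare codes out of band) rather than a description of how iMessage Contact Key Verification is actually built, which the page does not cover. The directory, the random 32-byte “identity keys” and the user names are constructed for the example.

```python
import hashlib
import secrets


class KeyDirectory:
    """Constructed stand-in for a cloud key server that hands out identity keys."""

    def __init__(self):
        self._keys = {}
        # A compromised server can answer a lookup with an attacker's key
        # instead of the real one: (requester, target) -> substituted key.
        self.substitutions = {}

    def register(self, user, pubkey):
        self._keys[user] = pubkey

    def lookup(self, requester, target):
        return self.substitutions.get((requester, target), self._keys[target])


def new_identity_key():
    """Constructed: 32 random bytes stand in for a device's public identity key."""
    return secrets.token_bytes(32)


def verification_code(name_a, key_a, name_b, key_b, digits=12):
    """Short code derived from BOTH parties' identity keys.

    The pair is sorted so that each side computes the same value regardless of
    who is 'a' and who is 'b'. Any substitution of either key changes the code.
    """
    h = hashlib.sha256()
    for name, key in sorted([(name_a, key_a), (name_b, key_b)]):
        h.update(len(name).to_bytes(1, "big") + name.encode() + key)
    code = str(int.from_bytes(h.digest(), "big") % 10 ** digits).zfill(digits)
    return " ".join(code[i:i + 4] for i in range(0, digits, 4))


def code_seen_by(directory, me, my_key, peer):
    """What a client displays: its own key plus the peer key the server returned."""
    return verification_code(me, my_key, peer, directory.lookup(me, peer))


def run_scenario(server_compromised):
    """Return True if Alice's and Bob's codes agree when compared out of band."""
    directory = KeyDirectory()
    alice_key, bob_key = new_identity_key(), new_identity_key()
    directory.register("alice", alice_key)
    directory.register("bob", bob_key)
    if server_compromised:
        # The attacker inserts its own device between the two by answering
        # each side's lookup with an attacker-controlled key.
        directory.substitutions[("alice", "bob")] = new_identity_key()
        directory.substitutions[("bob", "alice")] = new_identity_key()
    alice_sees = code_seen_by(directory, "alice", alice_key, "bob")
    bob_sees = code_seen_by(directory, "bob", bob_key, "alice")
    return alice_sees == bob_sees


if __name__ == "__main__":
    print("honest server, codes match:", run_scenario(False))
    print("compromised server, codes match:", run_scenario(True))
```

The comparison has to happen over a channel the directory does not control (in person, a phone call, a second app); a code shown only inside the same client that trusts the directory proves nothing. Two different key pairs collide on a 12-digit code with probability about 1 in 10^12, which is why such codes can be short enough to read aloud and still be meaningful.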

Along with today’s announcements, Apple confirmed something most of us already knew: the company is no longer working on a controversial system designed to scan user-owned iPhones for child sexual abuse material. It abandoned the plan in response to public concerns about privacy and security.
