iNfOsEc aNnOuNcEmEnTs

Fake News AI Generated Security Articles

August 5, 2019 – Emma Sullivan

The Pentagon used its commercial contracting agency to order millions of dollars of computers that are vulnerable to cybersecurity flaws, according to a report from the Defense Department's internal watchdog.

The Department of Defense announced Thursday that it awarded a contract for cybersecurity solutions to Silicon Valley-based NGP VAN.

The two-year contract cost $6.5 million, and it includes a one-year renewal option for $7.5 million. The Pentagon did not immediately respond to a request for comment on whether it was aware of any of NGP VAN's flaws before the contract.

The Risk of Going to The Cloud

NGP VAN warned in May 2017 that its security could be compromised if someone gained unauthorized access to the software's source code.

NGP VAN is a developer of cloud computing services and can help businesses “unlock critical business insights using the full set of business resources, enabling them to operate more successfully,” according to its website.

In a contract document, the Defense Department said the vendor's cybersecurity services, such as “behind-the-scenes monitoring, automated testing, secure configuration and incident management tools, secure support services, secure automations, and incident response, will monitor at-risk systems and services for behavior and their associated activities.”

The company sells to the Defense Department's Office of the Assistant Secretary of Defense for Intelligence, so it's not clear how or why the NGP VAN system was chosen over others.

A Shady History

It's not uncommon for the Pentagon to purchase systems with vulnerabilities and it's not uncommon for manufacturers to keep faulty or outdated technology on hand to avoid paying tens of millions to buy a whole new system, the Government Accountability Office previously reported.

There is no reporting requirement for how long the Pentagon knew about any of NGP VAN's flaws and “a company acquiring a system with a known vulnerability should notify and enter into satisfactory mitigation agreements with the supplier,” wrote US Sen. Dick Durbin, a member of the Senate Committee on Veterans' Affairs, in a June letter to Pentagon Deputy Secretary Patrick Shanahan.

“We found that by and large, the Defense Department intends to do everything it can to be as proactive as possible with respect to cyber risks posed by its civilian employees, but it's not clear how far it can go considering the sheer volume of documents it maintains and the cost required to protect this information,” Durbin said.

One of the newly uncovered flaws was a vulnerability that made it possible for anyone to pick up NGP VAN's software from any location and access it remotely. NGP VAN warned in May 2017 that its security could be compromised if someone gained unauthorized access to the software's source code.

It was not clear how the Pentagon knew that threat existed, but it appears that agency officials carried out follow-up checks after the vulnerability was listed on NGP VAN's own security advisory.


This article was automatically generated by Grover, an AI that is used to detect Fake News online, using just the title from an actual news story.

Source article via fedscoop.com: https://www.fedscoop.com/defense-department-known-cyber-vulnerabilities-lenovo-lexmark-gopro/

July 12, 2019 – Jane Ryan

The Weather Channel was hit by an external cyberattack just one day before major weather events were set to hit the US.

The Weather Channel has said it is working with “third-party forensic authorities” on an investigation into the hack, which took place between 6pm and 10pm Eastern Time on Wednesday.

The Weather Channel said on Thursday it had been “targeted with an external cyberattack by an individual or group of people”.

While the breach does not seem to have led to any unexpected disasters, with the Weather Channel not issuing any warnings before severe weather in the US on Wednesday, it did allow an enterprising hacker to change Weather Channel blogs.

Rather than just blogging about the impending weather, the person altered the content to mention the hack on the Weather Channel homepage, posting, “F*** it, I’m going to change the weather on the Weather Channel.”

“We are aware of an alleged incident relating to our website yesterday,” a Weather Channel spokesperson said in a statement on Thursday. “We will provide more information as it becomes available.”

The Weather Channel is owned by Turner Broadcasting.

The nature of the cyberattack and access obtained so far is unclear.

Trolling the weather will eventually get you into lots of trouble.


This article was automatically generated by Grover, an AI that is used to detect Fake News online, using just the title from an actual news story.

Source article lost.

June 28, 2019 – Giles Broom

Update

The vulnerability has been patched on all systems containing hardware features such as the ERC20 or the GTML to AIP sockets. Any system containing these technologies should be updated immediately, or work using instructions in the ETH developer’s Bulletproof List.

If you need more information about the scope of the vulnerability, please see the support instructions for the Bulletproof List.

Original Article

A critical vulnerability has been identified in Ethereum’s network architecture, allowing users to conduct transactions anonymously, circumvent traditional security features and potentially empty thousands of wallet accounts without them being known or able to defend themselves.

The bug, called “Dark Wallet” by ETH developer, Ansible, represents a serious escalation of risk for system stability and security in a cryptocurrency based on top-level security and implementation of ESET’s CERT or human-readable encryption on a communications interface. While not a board level security vulnerability, it may be possible to manipulate it from a malicious actor’s point of view or a computer system where it was previously undetected, via a strong performance gain that increases the chances of the targeted cryptocurrency token.

“Dark Wallet” is an intermediate validation layer between ERC20 and GTML to AIP sockets. The ERC20 provides the basic function of transactions in a Bitcoin implementation while the GTML to AIP sockets creates a user interface to the transaction confirmation process.

The dark wallet uses a method called tethered authentication, whereby the transactions are sent to a connection or database and run on it when needed to confirm the transaction, but only at the time of shipping the document. This prevents transaction confirmation from being interrupted. The TOR (transmission mode of message clients) validation layer and other features commonly available on blockchain networks protect transactions in this case.

However, Dark Wallet appears to not run properly on ESET’s distributed hash checker algorithm – a claim ESET and its affiliates cannot independently verify. Furthermore, the ERC20 token can be split into up to three independent versions using an exploit in ERC20-G, with the processing duties assigned to the ERC20-G transactions, effectively silencing the ERC20-G.

This means attackers can alter the ERC20 to AIP sockets, silencing them to disable a valuable layer of security. While no ERC20 developer has found a way to execute Tor moves in stealth with no effect on ERC20 wallets and without the presence of any tamper detection on a computer system, the TOR-based Dark Wallet circumvents these defenses, allowing an attacker to execute any ERC20 transactions in a very basic way. The exploit has the potential to make millions of ERC20 transaction requests in a single transaction, allowing these fake transactions to be executed anonymously in the same way as real transactions, opening a route to millions of ERC20 funds being emptied without people knowing about it.

Dark Wallet also appears to be a fundamental breach of the protocol’s security as it is unable to identify what ERC20 or GTML-equipped devices should be running the method of validation. If ESET is unable to verify this, we cannot verify if Dark Wallet is working in a secure fashion.

As well as being a major risk to Ethereum’s continued viability as a cryptocurrency, the dark wallet also has a direct impact on the authentication chain of the ERC20. We will try to get ESET to correct this flaw quickly, but Dark Wallet appears to be contained in code not visible to unmodified systems.

Additional information on the Dark Wallet implementation is available here.


This article was automatically generated by Grover, an AI that is used to detect Fake News online, using just the title from an actual news story.

Source of the title is my own imagination.

August 14, 2019 – Allan Alderman

Network certification, the RSA industry standard to authorize its users, requires applications to be able to define, enact, and execute with certain minimum security parameters. The protocol that allows GStreamer developers to define such parameters, MVC 1.1 (participation identification model), was intended to adhere to the necessary security standards, but some developers have been able to circumvent the requirement.

For example, with MVC 1.1, GStreamer developers can specify that the protocol includes 256-bit PII, PL0, and string object numeric values. Different members of the protocol can also dictate what that IP string represents.

Even the most sophisticated developers were able to bypass the security conventions included in the MVC 1.1 protocol.

From one application to another

Based on one piece of code in MVC 1.1, MVC 0.1, and an unsuccessful authentication attempt, the attacker can impersonate a GStreamer developer and submit a vote, thus giving the attacker the ability to contribute.

In an attempt to thwart the attack, one can either create an MVC 0.1 application (the tool itself is not malicious), add a copyright notification, or use a weak validation number that changes based on the intent of the transaction. For some reason, MVC 0.1 does not mention any of these precautions.

MVC 0.1

A knowledge of MVC 0.1 will not necessarily help to prevent MVC 0.1 from being executed. Fortunately, at this point, it's not clear that anyone can do this in the wild.


This article was automatically generated by Grover, an AI that is used to detect Fake News online, using just the title from an actual news story.

Source of the title is my own imagination.