Search
Home Blog

iPhone and iPad, update them immediately to avoid hacker attacks

By
Mark Kelly
-
0
hacker attacks

Anonymous researchers have reported two errors in Apple’s operating systems that could be exploited for highly targeted and high-profile sophisticated attacks. The danger is malware infection with high administrative privileges in our iPhones. But the patch is already there

Apple released a security update on Thursday, with emergency patches (for macOS Monterey 12.5.1, iOS 15.6.1 and iPadOS 15.6.1), as a mitigation action against two major vulnerabilities, heavily exploited by cyber-criminals in its systems. peak operations.

This clearly has far-reaching implications. Apple products have become a mainstay of everyday life, facial recognition, banking apps, health data, and pretty much everything we care about resides in our Apple products. And now it’s at high risk of attack if we don’t install the available updates right away.

Apple iPhone, the two bugs

As reported, the two patches affect the Phone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad V generation and later, iPad mini 4 and later, and iPod touch 7

The first bug is tracked as CVE-2022-32894. This is an out-of-bounds write vulnerability in the operating system kernel. This problem, not easily exploitable (it is in fact well-targeted attacks and of a sophisticated level in order to be able to successfully exploit it) has been solved, according to Apple itself, by improving the control of limits.

An application, such as malware, could exploit this vulnerability by remote code execution (RCE) with kernel privileges.

Since this is the highest level of privilege, a process can execute any command on a device, effectively taking full control of it.

The second zero-day bug found, called CVE-2022-32893, is an overflow vulnerability in WebKit, the web browser engine used by Safari and other web applications.

Apple claims that this latest vulnerability would allow an attacker to execute arbitrary code and could be deployed remotely during a visit to a maliciously crafted website.

Need to update right away

The errors were reported by anonymous researchers. As per well-established company policy by now, Apple has not released any details on real-time operations or any indicators of compromise useful for sniffing out the details.

It is likely that these zero-days have been used in targeted attacks and given the vulnerability application that is backdated up to iPhone 6S (we are talking about 2015!) It is possible that they have been known for some time, but it is still recommended to install the latest updates security as soon as possible, as the only truly effective mitigation action.

Unfortunately, we live in a world where software developers continually have to make fixes. Likewise, users also need to apply those patches, often (as now) with some urgency to overcome vulnerabilities.

Catch up on more articles here

Follow us on Twitter here

New Android 13 security checks, BugDrop malware tries to bypass them

By
Mark Kelly
-
0
New Android 13

The new security feature introduced for Android 13 tries to protect against malware infections but worries about the result of new research that has found a recently created payload designed to bypass those checks.

Researchers from cybersecurity firm Threat Fabric have discovered a new malware called BugDrop, which is a candidate to be the first to bypass the latest new security checks that Google rolled out in Android 13 less than a week ago.

BugDrop and Google security, the weak point is in the Accessibility Services

The recent publication of the details of Android 13 has brought with it numerous updates and among these also some technical improvements on the security side of mobile devices. Specifically, to protect smartphones based on the Google operating system and prevent malware infection that can take over the victim, it was decided to add a “Limited settings” function.

In fact, in most cases, the malware designed to target Android acts on the abuse of the functions offered by the Accessibility Services , which guarantee extremely high levels of user permissions and privileges on the device, useful for causing damage and data loss depending on the functionality of the malware you are using.

On Android 13, due out next fall, the Restricted Settings function will allow you to disable this granting of privileges to applications, thus seeking a solution to this escalation. As the Threat Fabric report highlights, however, in the cyber scenario there is already malware, still in its embryonic state, called that tries to circumvent this new security feature introduced.

How BugDrop malware works on Android 13

The BugDrop malware, just discovered and still under development which lacks many features to be considered usable, has attracted the attention of researchers in its implementation in a QR code reader app, which requires the grant immediately upon launch. of permissions on Accessibility Services. Alarm bell for a QR Code reader does not justify the use of these excessively high permissions, which would even allow you to manage touches and movements on the touch screen, instead of the user.

From the analysis of its structure, this malware presents code similar to another Android malware, from which it inherits some sources: Brox, its spread took place in the last months of 2021.

The most critical part of the malware is when the string ” com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED ” is used, the use of which is aimed at installing applications using the API session method, normally used by App Stores.

Returning in fact to the newly implemented “limited settings” feature on Android 13, please note that this works with restrictions for all apps that are not installed using this method, so for example those outside the Play Store.

“With that in mind, it’s clear what the criminals are trying to achieve. What is probably happening is that the actors are using pre-built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would then be incorporated into a more elaborate and refined dropper “, researchers warn.

The functionality of BugDrop seems to emulate the installation method, to complete the setup of malicious payloads, even when the user has enabled the restrictions and acts with the maximum privileges that can be granted, in any case. In this way, in fact, the device will recognize the installation method as legitimate and will not apply security restrictions.

The end result of this research is that once BugDrop’s operating problems are resolved and all implementations made, the new security measures designed for Android 13 by Google will not be sufficient to ward off a malware infection, leading to if once again some intrinsic risks also in the apparently legitimate applications on the Play Store

Catch up on more articles here

Follow us on Twitter here

Hackers hacked into a space satellite to show movies: anyone can repeat

By
Mark Kelly
-
0
space satellite

A group of Shadytel hackers hacked into a commercial satellite to broadcast movies and talks from a cybersecurity conference. It is reported by Motherboard.

On August 13, Karl Koscher spoke at the DEF CON conference in Las Vegas and told how, together with friends, he legally took control of the Anik F1R satellite located in geostationary orbit at an altitude of 35,786 km from the Earth’s surface. According to the hacker, they gained access to a small room with equipment needed for a satellite connection, which was not in use at the time. The team was able to hack into the system using Hack RF, a software-defined radio costing about $300, and then broadcast the signals to the decommissioned spacecraft.

Hacker added that the team obtained an uplink license and leased a satellite transponder, which is a device that opens a channel between the receiving and transmitting antennas. This helped set up streaming (streaming) of talks presented at the 2021 hacker conference ToorCon in San Diego, while classic hacker movies such as WarGames were broadcast at night.

The Anik F1R’s service life came to an end in 2020, and it was supposed to be sent to the so-called “graveyard orbit” in November 2021. As Kosher explained, the abandoned satellite could be used by anyone who would establish contact with it. During his speech, he informed the rest of the hackers that it was possible to control the spacecraft both with access to the outgoing communication line and without it.

“Satellites basically just reflect whatever signal they send. There’s no authentication or anything. If you’re talking loud enough and if there’s another user on that transponder, you have to yell louder than that. But if there’s no one there, the machine just repeats after you,” said Karl Kosher.

Belgian engineer Lennert Wouters hacked SpaceX’s Starlink terminal with a $25 chip. The specialist discovered a critical vulnerability in the protection system, which can only be fixed by a complete replacement of the microcircuits.

At the beginning of the year, hackers hacked the Viasat satellite Internet system. As a result of the attack, Ukraine and other European countries suffered.

Catch up on more articles here

Follow us on Twitter here

Intel SA-00086 vulnerability and CPU firmware security: what impacts in the cyber landscape

By
Mark Kelly
-
0
CPU firmware security

Intel SA-00086 vulnerability and CPU firmware security: what impacts in the cyber landscape

Discovered in 2017, the Intel SA-00086 vulnerability represents an important case study: it allows, in fact, to get hold of the private key used to decrypt the CPU security patches and can therefore be used to open a backdoor by exploiting the flaws that the same patches intend to fix. Therefore, with significant impacts in the cyber security landscape

In 2017, researchers managed to extract the private key used to crack security patches for Intel CPUs based on the Goldmont architecture. It is thus possible to reverse engineer the updates or write a custom firmware allowing a hostile actor to open a backdoor by exploiting the flaws that the patches intend to solve

Three Positive Technologies researchers managed to extract the private key used to decrypt the security patches released by Intel. A patch, also known as a fix or bugfix, is a code update aimed at fixing a vulnerability in the system, commonly referred to as a bug.

The key allows, therefore, to decrypt the updates of the microcode that makes up the firmware of the central processors (CPU). The firmware takes over the operation of the CPU in relation to the instructions it receives. Intel periodically releases updates aimed at fixing flaws within the firmware. By decrypting the updates, it is possible to trace the corrections made and to know the vulnerabilities. Any hostile actor could then open a backdoor by exploiting the flaws that the patch intends to fix.

The details of the Intel SA-00086 vulnerability

Beginning in 2017, Intel had started its own Bug Bounty Program, an initiative to incentivize researchers to report flaws in its products, including firmware, in exchange for a fee. As part of this project, the company has collaborated with over 250 researchers from around the world. In 2020, 105 of the 231 common vulnerabilities and exposures (CVEs) were reported through this program.

The discovery of Positive Technologies researchers dates back to 2017. Through this flaw, known as INTEL SA-00086, it was possible to enter the “Red Unlock” mode, used by Intel engineers to debug before releasing the chip to market. Once this mode was started, the experts were able to identify the microcode present in the ROM (read-only memory). Consequently, a reverse engineering process was initiated which led to the discovery of the decryption key.

The researchers in question, of Russian origin, are Maxim Goryachy, Dmitry Sklyarov, and Mark Ermolov. Maxim Goryachy is an embedded systems programmer, specializing in cryptography processes, virtualization technologies, reverse engineering, and hardware; Mark Ermolov is a systems programmer who specializes in the security aspects of hardware, firmware, and low-level system software; Dmitry Sklyarov is Head of Reverse Engineering at Positive Technologies. He was a security researcher at ElcomSoft and a lecturer at Moscow State Technical University.

The latter was accused in 2001 of alleged violation of the Digital Millennium Copyright Act (DMCA), as part of the United States trial against ElcomSoft and Dmitry Sklyarov . The case ended with the charges against Sklyarov dropped and ElcomSoft was not found guilty under the applicable jurisdiction.

The impacts in the cyber security landscape

Intel officials said the issue did not pose a customer safety exposure. The private key used to authenticate the microcode does not reside on the chip, and an attacker cannot remotely upload an unauthenticated patch.

This means that hackers cannot use the Chip Red Pill debugger and its decryption key to remotely hack vulnerable CPUs, at least not without chaining patches to other currently unknown vulnerabilities. Likewise, malicious actors cannot use these techniques to infect the supply chain of devices based on the Goldmont chip architecture.

However, the technique opens up several possibilities for hackers who have physical access to a computer that has one of these CPUs. Attackers could carry out an “evil-maid” attack, a form of tampering with an unattended device, in which an attacker with physical access imperceptibly alters it for later access. Specifically, Chip Red Pill could be used to tamper with CPUs to steal secret information or to install remote access tools.

Although the INTEL SA-00086 flaw has been identified and reported, the risks of compromising the chips and using them for malicious purposes remain high. One of them concerns the possibility that malicious chips are placed in the hardware of a device where it is possible to manipulate fundamental operating instructions.

In this way, attackers could alter the functioning of a device in minute detail without any anomalies being detected. Such chips can also steal encryption keys for secure communications, block security updates, and open any backdoors to malicious actors.

Conclusions

In today’s context, this problem has assumed considerable importance as numerous technology companies engage in commercial relations or subcontract part of their production to companies accused of having links with hostile governments, primarily the Chinese one.

In 2010, anomalous activity was discovered in servers supplied to the Pentagon by Super Micro Computer, a San Jose company founded in 1993 by Taiwanese engineer Charles Liang with some manufacturing sites in China. On the case, it was noted that unauthorized instructions had been loaded that allowed the data to be secretly copied and sent to the Beijing authorities. There is no evidence that details of military operations were stolen. However, the attackers gained access to a partial map of the Department of Defense’s unclassified networks.

Four years later, Intel’s security team also spotted a breach in the corporate network due to a tampered firmware update downloaded from the Supermicro website. Analysts linked this interference to the activities of APT 17, a hacker group close to the Beijing government.

Finally, in 2018, Supermicro came into the spotlight again after a Bloomberg Businessweek investigation revealed how the company had supplied some major companies, such as Apple and Amazon, with devices with chips inside used by the People’s Liberation Army. PLA) for espionage operations.

US intelligence agents were able to trace the malicious components by following the Supermicro supply chain backwards, since the device cards have serial numbers that lead back to specific factories.

While these issues have prompted a review of agreements signed with Chinese suppliers, the global shortage of chips has prompted numerous companies, including Intel, to increase their production in China, raising concerns from Washington.

To address this criticality, the United States Congress recently enacted the Chips and Science Act, which allocates more than $ 52 billion for the domestic production of computer chips, as well as billions more in tax credits to encourage investments in the sector.

Catch up on more articles here

Follow us on Twitter here

The Code Dark, to limit hacks to hospitals: what it is and how it works

By
Mark Kelly
-
0
The Code Dark

The Code Dark is a monitoring system implemented by the Children’s National Hospital of Washington DC to prevent a cyber attack and mitigate its consequences by signaling when to unplug or turn off devices connected to the Internet to prevent the spread of the infection. Here’s how it works

It is called Code Dark and is the new monitoring and alarm system adopted in an American hospital to counter the significant increase in cyber attacks that have hit healthcare facilities in recent months.

It is, therefore, an extra effort to limit hacks to hospitals and breaches of health data.

Cyber ​​attacks on hospitals: the numbers

The Code Dark fits into a context in which the complex of medical devices, systems and applications present in a healthcare reality is incredibly vast and heterogeneous: in fact, there are desktops, servers, computer terminals, diagnostic imaging devices, and self-service kiosks. , implantable medical devices, electronic health record systems (EHR), management software, image storage and transmission systems (PACS), medical billing systems, patient portals, and public clouds; and to these are often added several other dated systems.

This vast array of machinery and applications, which clinicians increasingly rely on to do their jobs, represent an ever-growing attack surface for the diverse hacker and/or Advanced Persistent Threat (APT) groups.

According to a report from cybersecurity firm Sophos, the number of cyber attacks on US healthcare organizations increased by 94% from 2021 to 2022. The study says more than two-thirds of healthcare organizations in the US reported having suffered an attack cyber in 2021, up from 34% in 2020.

Research by International Business Machines Corp. also found that the healthcare sector, for the twelfth consecutive year, accounted for the highest average cost in the country for breaching its infrastructure, costing more than $ 10 million.

The frequency of damage caused by cyber criminals to this type of infrastructure has warned several health institutions that have taken various measures in this regard.

The Code Dark: how it works

The system implemented by the Children’s National Hospital of Washington DC is particularly interesting. The hospital’s IT staff has in fact instituted a new type of code that alerts healthcare professionals to the presence of an ongoing IT problem. If the blue code indicates a medical emergency and the red code indicates a fire outbreak, the “Code Dark” warns of the presence of a hack on the medical devices in use.

Healthcare professionals have been trained to recognize cyber threats and have a protocol reminder at their disposal. The obligation is to notify security in the event of failures or suspicious movements on IT devices; upon the occurrence of this circumstance, the security personnel activates the Code Dark.

The start-up of the code causes an alarm for all employees who will have to turn off and disconnect the hospital IT devises to secure the infrastructure network: this will prevent the spread of infection, making the healthcare staff the first to carry out the computer rescue.

Phil Englert, director of medical device safety at the Health Information Sharing and Analysis Center, a nonprofit that coordinates safety between healthcare organizations, said hospitals should develop comprehensive plans to primarily manage isolation and the restoration of individual medical devices, as they are easy access points to hospital networks for cybercriminals.

The Board of Directors of the Children’s National Hospital in Washington DC then asked the IT security staff to find ways to mitigate the long-term effects of cyber attacks, which if normally take weeks or months to recover, in which case they should have. be limited to a few weeks. For this reason the Code Dark is fundamental, it warns employees of the ongoing threat in advance by reducing the number of compromised devices, downtime and recovery times.

Code Dark: strengthening the cyber perimeter of healthcare facilities

The introduction of the Dark Code represents an important step forward in strengthening the security perimeter of healthcare infrastructures. The attacks carried out in recent years have made it increasingly urgent to increase the level of preparedness of personnel in the face of these threats.

The priorities that hospitals must face , in addition to safeguarding patient information, concern increasing the protection of medical equipment, the possibility for operators to access data remotely, training and constant updating of healthcare personnel on the subject of cybersecurity and the replacement of obsolete equipment.

If even one of these conditions is absent, there is a risk that a malicious action paralyzes a structure in a significant way.

Particularly exposed are medical devices, especially those that operate through the Internet of Things (IoT). In addition to their design weaknesses, many of these devices are provided by third parties, which exposes them to supply chain vulnerabilities, putting a wide range of patient personal data at risk.

The growth of connected devices in hospitals and the convergence of IT and operational technology (OT) domains has made the problem even more pressing.

The challenge from a cybersecurity perspective is that unlike corporate systems, hospital networks are designed to facilitate access from different networks. In an IT environment, a cybersecurity strategy aims to protect the confidentiality, integrity and availability of information systems (CIAs).

IT / OT convergences in hospitals: the issues

In hospitals, the convergence of IT and OT technologies also places an emphasis on protecting the security of a range of different trades, ranging from sending critical patient data, which requires immediate delivery and response, to administrative information. general.

As well as other critical infrastructures, hospitals place an emphasis on network availability. For IT organizations, one of the first lines of defense is shutting down the entire system.

In hospitals, however, life-saving medical devices must be able to function permanently to ensure patient safety. In addition, these devices must be able to communicate freely throughout the facility. The same goes for other essential services, such as pharmacies and care stations. Closing is therefore not a viable option.

However, the emphasis on maintaining an open network, with the ability to quickly respond to patients’ medical needs, makes hospitals relatively easy targets for cybercriminals.

The risks are twofold: at worst, attacks could prevent critical medical devices from functioning properly; a hacked medical device could also provide access to the hospital network to steal sensitive data.

In the event that an attack does occur, security fixes on embedded devices typically require a full firmware update from the vendor, which is then manually installed on the device.

This process can greatly increase patch delays due to the time it takes for vendors to prepare and test new firmware that does not interfere with the operation of the medical device.

Also, in many cases, devices may not receive updates, because the operating system would not be supported and memory, storage, and processing limits could prevent the tools from working effectively with newer software.

similar situation occurred in 2017, when the WannaCry ransomware attack compromised some radiological examination tools, as well as causing some surgeries to be canceled.

Conclusions

To avoid such scenarios, it is, therefore, necessary to monitor the supply chain of hospital equipment to ensure that patches are continuously updated.

In addition to this, investments in the IT security of hospitals and the dissemination of best practices among staff, such as the use of strong passwords or constant backup of data on devices, play a central role.

Catch up on more articles here

Follow us on Twitter here

Microsoft updates August 2022: there is also the patch for a zero-day already under attack

By
Mark Kelly
-
0
Microsoft updates

With Patch Tuesday in August 2022, Microsoft fixed 121 security vulnerabilities in Windows and related software. Once again, a zero-day vulnerability has been fixed in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Here are all the details

Like every second Tuesday of the month (in America), also for August 2022 Microsoft has published Patch Tuesday to fix 121 vulnerabilities in its Windows operating systems and related software.

Once again, a zero-day vulnerability has been corrected in the Microsoft Support Diagnostics Tool (MSDT), a service integrated into Windows that had already been exposed in the past due to the Follina bug, which was then corrected with Patch Tuesday in June 2022.

Of the 121 vulnerabilities, 17 were classified as critical (i.e. they can be exploited to compromise a Windows PC remotely with limited or no user interaction), 102 as important, one with moderate severity, and finally one with a low severity level.

In particular, the vulnerabilities are classified as follows:

  • 64 are of the EoP (Elevation of Privilege) type;
  • 6 allow the safety functions to be bypassed;
  • 31 are of the RCE (Remote Code Execution) type;
  • 12 of type ID (Information Disclosure);
  • 7 Denial of Service type;
  • 1 spoofing type.

Full details on the cumulative update package are available on the official Microsoft page.

The details of the zero-day vulnerability

The most serious of the vulnerabilities fixed on Patch Tuesday in August 2022 is CVE-2022-34713 (which achieved a CVSS score of 7.8 out of 10).

This is a remote code execution problem that, as we said, affects the Microsoft Support Diagnostic Tool (MSDT) service, making it the second flaw in the same component after Follina (traced as CVE-2022-30190) to be armed in actual attacks within three months.

From the first technical analysis, the vulnerability appears to be a variant of the flaw publicly known as DogWalk, originally revealed by security researcher Imre Rad in January 2020.

As stated in the related security bulletin published by Microsoft, exploitation of the vulnerability requires a user to open a file specially created and sent to the victim, for example via a phishing e-mail.

In an alternate attack scenario, however, the attacker could exploit an already compromised website containing a malicious file designed to exploit the vulnerability and then trick potential targets into clicking a link in an email or an instant message to open the document.

The exploitation of the vulnerability, therefore, takes place through an attack vector, that of malicious documents and links, which is very common and this once again underlines the need to update and train employees to recognize and prevent this cyber attack methodology.

The other bugs fixed with Patch Tuesday of August 2022

Microsoft also fixed three privilege escalation vulnerabilities in Exchange Server with Patch Tuesday in August 2022: CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516.

If exploited, they would have allowed an attacker to read targeted emails and download attachments.

Also in Exchange Server, an information disclosure vulnerability traced as CVE-2022-30134 and already publicly known before the patch was released, has also been fixed. At the moment, however, there is no news of its exploitation in real attacks.

Microsoft updates August 2022: how to install them

In light of the analysis of the critical vulnerabilities corrected by Patch Tuesday of August 2022, it is important to update your systems as soon as possible in order not to expose them to a high risk of cyber attack.

As we know, Windows is already configured to periodically check for critical and important updates, so there is no need to manually check. When an update is available, it is automatically downloaded and installed, keeping your device up to date with the latest security features and enhancements.

To immediately check the availability of Microsoft updates for August 2022, in Windows 10 simply click on the Start button, then go to the Settings / Update and security / Windows Update section and select Check for updates .

In Windows 11, on the other hand, simply click on the Start button, select Settings / Windows Update, click on Check for updates and proceed, if necessary, with the installation of the patches.

In all other recent versions of Windows, however, it is advisable to enable the Windows Update service from the Control Panel and configure it to automatically download and install updates released by Microsoft for both the operating system and individual applications.

The advice is to back up your system or at least your most important files and folders before applying any of the updates in the newly released cumulative package.

Catch up on more articles here

Follow us on Twitter here

DDoS attacks on Taiwanese government sites during Pelosi visit

By
Mark Kelly
-
0
Taiwanese government sites

Several Taiwanese government websites were hit by DDoS (distributed denial of service ) attacks on Tuesday. This is reported by the government of Taiwan on Facebook. Among other things, the official website of Taiwan’s presidential palace was the target of an attack. As a result, the site was offline for some time.

The attacks took place hours before Nancy Pelosi’s visit. The Speaker of the US House of Representatives paid a much-discussed visit to the country.

DDoS attacks on government websites

In a DDoS attack, a cybercriminal usually sends a huge amount of internet traffic to targeted servers via a botnet. These servers cannot handle this gigantic number of ‘visitors’, making them difficult to reach or even completely offline.

The presidential palace website was offline for about twenty minutes. Chang Tun-Han, a spokesman for Taiwanese President Tsai Ing-wen, said in a statement on Facebook that Taiwanese government agencies were monitoring the situation in light of “information warfare.”

Also, a government portal website and the website of the Taiwan Ministry of Foreign Affairs have been temporarily taken offline. In a statement, the ministry said, according to Reuters news  agency, both websites have been hit by 8.5 million requests per minute from a “large number of IPs from China, Russia and other places.”

The website of Taiwan’s largest airport,  Taoyuan International Airport, is also said to have been hit by the DDoS attacks.

Chinese hacktivists

According to  Reuters, security researchers believe the attacks were not from the Chinese government. For example, Johannes Ullrich, Dean of Research at the SANS Technology Institute, argues that the attacks were the work of Chinese ‘hacktivists’, who presumably acted on their own initiative and were inspired by what the Chinese press writes.

The DDoS attacks are said to come from hundreds of thousands of IP addresses. These IP addresses would be linked to devices registered in the Chinese commercial internet space, Ullrich said.

A similar group of Chinese IP addresses searched for vulnerabilities a few days earlier. This behavior was not in line with the usual activity of Chinese government hackers, Ullrich said.

Visit Nancy Pelosi to Taiwan

The cyber attacks come at a time of rising tensions between China, Taiwan and the United States. They coincide with a visit to Taiwan by US House Speaker Nancy Pelosi. According to Pelosi, Taiwan’s independence is an important spearhead of US foreign policy. The Chinese authorities strongly disapprove of Pelosi’s visit and see it as a provocation. China previously threatened, among other things, with ‘targeted military actions’ around Taiwan.

Defense Ministry data for sale on Russian forums, but it sounds like a false alarm: what do we know

By
Mark Kelly
-
0
Defense Ministry data

The cyber gang that signs itself with the nickname “adrastea” is claiming possession of data relating to confidential projects of the Italian Army and our Ministry of Defense. From the samples, however, it seems to be an unfounded alarm. Let’s analyze what happened and the activity of this underground group

Data relating to confidential projects of the Italian Army and the Ministry of Defense would be for sale online: the claim is signed by the criminal group that calls itself Adrastea and has been published, complete with a sales announcement, on some underground forums in the language Russian.

From a first analysis of the samples, however, the claim seems to be without foundation.

Adrastea sells sensitive data from the Ministry of Defense

“We sell confidential data from“ guerra.difesa.it ”(Italian Ministry of Defense) relating to the command management system of the units of the Italian Ministry of Defense C2EIEVO, SIACCON”. This is the text that can be read on the opening post of the new thread, which since Friday does not seem to have received any replies.

The author “adrastea” continues by reporting that he is in possession of information on the activities of military intelligence units (RAIT – integrated terrestrial analysis department), the exchange and collection system used by them of intelligence data (HUMINT, SIGINT, OSINT) – FAS JISR – Joint intelligence, surveillance and reconnaissance, of the systems of organization and control of analytical intelligence data IKM, as well as information in relation to the military project NATO programs “MAJIIC-2”.

The post is written in English, although the forum, on which it was traced, is typically Russian-speaking. From initial evidence and from the samples published to demonstrate the hypothetical data breach, however, it does not seem to be a leak of sensitive data, even the screenshots seem to refer to documents publicly available and available directly from official sources.

Activities of the cyber gang “adrastea”

The one who appears to be the spokesperson for a cybercriminal group signs his claims in the name of “adrastea”. This entity made itself known about a week ago with the exposure of a further claim, again through underground forums, in which an attempt was made to sell about 84 GB of sensitive data concerning MBDA, the main European consortium for the missile production of the defense sector. . Based in Paris, the consortium is also owned, for its 25% by Italy through Leonardo SpA.

In this case, however, the MBDA consortium officially denied “the hacker attack on its computer systems”, with the publication of a press release confirming that there have been no external tampering with the infrastructure network.

However, from a careful reading the press release itself confirms at the same time the real existence of the claimed data breach, asserting with certainty that it has traced the data for sale online with those contained in an external hard disk, of which (we imagine) control has been lost. physicist.

It is, therefore, necessary to remember that the alert “bar” on this kind of event is not changed, especially in the case of strategic sectors for national security, such as defense.

In fact, a data breach, caused by cyber intrusion or theft/loss of physical devices, is always a loss of data. And if that data contains sensitive information (employee data, internal contacts, internal documents of non-public projects), it is and remains a security problem that, in fact, are still continuing investigations in this regard.

Catch up on more articles here

Follow us on Twitter here

British Parliament suspends TikTok account over data security concerns

By
Mark Kelly
-
0
British Parliament

The British Parliament can no longer be found on TikTok. Members of parliament called for the closure of the TikTok account in a letter due to data security risks. They feared that data would end up in the hands of the Chinese government. The BBC reported this in a news report. The TikTok account of the British Parliament was only active for a few days.

Concerns about data transfer to China

Creating a TikTok account was a pilot initiative by the British Parliament to reach a younger audience. Several MPs were “surprised and disappointed” by this decision. In a letter to both the House of Commons and the House of Lords, they expressed their concerns about “significant” risks to data security.

The MPs said TikTok executives were unable to convince them “that the company could prevent a data transfer to ByteDance, should the parent company make a request.” They called for the account to be deleted until TikTok gave “credible assurances” that no data could be handed over to China.

TikTok is owned by the Chinese company ByteDance, which denies it is owned by the Chinese government. Still, MPs wrote: “The prospect of Xi Jinping’s government accessing personal data on our children’s phones should be a cause for great concern.”

As a result of data security concerns, the British Parliament closed the TikTok account earlier than planned. The account has been locked and all content has been removed.

TikTok’s response

The  BBC  spoke with a TikTok spokeswoman. She called it “disappointing” that Parliament is now unable to contact TikTok users in the UK. She also offered to reassure the MPs concerned. According to her, TikTok is willing to “clarify inaccuracies about our platform”.

According to the  BBC, TikTok has contacted all MPs who signed the letter. The company would like a meeting where it can explain its data protection processes.

Privacy Policy TikTok

The British Parliament is not the first party to express its concerns about TikTok. The platform is known for many violations of user privacy. There are also security concerns as TikTok is a Chinese company and the Chinese government exercises strict control over companies in the country, among other things.

The service was previously fined by the Dutch Data Protection Authority for violating the privacy of children. TikTok recently postponed the introduction of a new privacy policy. Here too, there were concerns from various regulators about user privacy.

Catch up on more articles here

Follow us on Twitter here

123...92Page 1 of 92

Editor's choice

Popular

About us