Cyber Security Headlines – November 15, 2021

FBI email system reportedly hacked to send fake DHS cyberattack messages

The hack happened on Saturday morning amid several reports of messages sent from the agency’s email infrastructure purporting to be a warning from the Department of Homeland Security (DHS) about a cyberattack. The agency quickly remediated the vulnerability and warned partners to disregard the fake emails. An updated statement from the FBI stated there was “a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails…While the illegitimate email originated from an FBI operated server, that server…was not part of the FBI’s corporate email service.”

(Newsweek and Shannon Vavra, The Daily Beast via Twitter)

FBI email hacker blames poor coding

Following up on this FBI story, the person who claims responsibility for the hack, whose Twitter handle is Pompompurin, says the spam messages were sent by abusing insecure code in the LEEP portal. Speaking with KrebsOnSecurity, Pompompurin said the hack was done to point out a glaring vulnerability in the FBI’s system, which, in the interest of sharing between agencies, allowed anyone to apply for an account. A one-time password that was supposed to be sent by email was also embedded into the HTML of the page. Pompompurin said they were able to send themselves an email from ic.fbi.gov by editing the request sent to their browser and changing the text in the message’s “Subject” field and “Text Content” fields.

(Security Boulevard)
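The two weaknesses described above (a one-time password echoed into the page HTML, and email subject and body fields taken from the client request) are both server-side design errors. This added example, not code from LEEP or the FBI, shows the defensive pattern: the code is stored only as a hash, delivered out of band, checked once with a constant-time compare, and the notification text comes from a fixed server-owned template. The in-memory store and the `send_mail` stand-in are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600
_pending = {}  # email -> (sha256(otp), expiry); constructed in-memory store for the demo
_sent = []     # constructed stand-in for an outbound mail queue: (to, subject, body)


def send_mail(to, subject, body):
    """Stand-in for the real mailer; a production version hands off to an MTA."""
    _sent.append((to, subject, body))


def begin_signup(email):
    """Generate the OTP, keep only its hash server-side, and deliver it by email.
    Returns the HTML to render, which must never contain the code itself."""
    otp = f"{secrets.randbelow(10**6):06d}"
    digest = hashlib.sha256(otp.encode()).hexdigest()
    _pending[email] = (digest, time.time() + OTP_TTL_SECONDS)
    # Fixed, server-owned template: nothing in the request can set subject or body.
    send_mail(email, "Your account verification code", f"Your one-time code is {otp}.")
    return '<form method="post"><input name="otp" autocomplete="one-time-code"></form>'


def complete_signup(email, submitted_otp):
    """Verify against the stored hash: constant-time compare, expiring, single use."""
    record = _pending.get(email)
    if record is None:
        return False
    digest, expiry = record
    if time.time() > expiry:
        del _pending[email]
        return False
    submitted = hashlib.sha256(submitted_otp.encode()).hexdigest()
    ok = hmac.compare_digest(digest, submitted)
    if ok:
        del _pending[email]  # one-time: a replayed code is rejected
    return ok
```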

US Education Department urged to boost K-12 schools’ ransomware defenses

The call for action comes from four US Senators and was prompted by a Government Accountability Office (GAO) report released on Friday, assessing the Education Department’s current plan for addressing K-12 school threats — issued in 2010 — to be significantly outdated and primarily focused on mitigating physical threats. “K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware,” the four US Senators said. 2019 saw almost three times more incidents than 2018, and 2020 saw a further 18 percent increase over 2019.

(Bleeping Computer)

Surveillance firm pays $1 million fine after ‘spy van’ scandal

The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca. In 2019, a Chevrolet van packed with at least $3.5 million worth of equipment that could hack Android smartphones and steal data, including WhatsApp and Signal messages, was stationed near the airport. The van had been in the area for months when politicians in Cyprus criticized the government for being passive about the vehicle’s activity after seeing its capabilities in action close to the airport in a video from Forbes.

(Bleeping Computer)

Thanks to our episode sponsor, Vulcan Cyber

Cyber risk isn’t easy to quantify, much less mitigate. Use the same approach endorsed by leading security teams at Honeywell, Zoom, and Wells Fargo to tackle cyber risk. Attend the Vulcan Cyber virtual summit on December 9th and learn how the new Vulcan Security Posture Rating will give you the insights you need to reduce risk and secure your business. Go to vulcan.io and click the button at the top of the screen to register for the event.

Stolen access key exposes customer data stored in the Aruba Central Environment

Aruba Networks, part of HPE (Hewlett Packard Enterprise), detailed the November 2 breach, which resulted from an access key stolen from a staffer. The exposed network telemetry data for most Aruba Central customers included MAC addresses, IP addresses, and Wi-Fi network user names. In a statement, Aruba said, “the unauthorized actor did not view, download, or transfer out of the repositories any significant amount of data.” By the time the incident was discovered, HPE had already decommissioned and rotated the access key in question as part of a regular security exercise.

(CISO Mag)

Costco confirms: a data skimmer’s been ripping off customers

Costco has discovered a payment card skimming device at one of its retail stores and has sent out notification letters informing customers that their card data may have been compromised if they shopped there recently. Some customers had been aware for weeks that something was wrong and had been sharing their suspicions on social media. Costco said that it found the skimmer during a routine inspection of its PIN pads. Costco is offering victims 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.

(ThreatPost)

President tightens restrictions on Huawei and ZTE

US President Joe Biden has signed legislation that stops companies judged to be a security threat from receiving new telecoms equipment licences. The Secure Equipment Act says the Federal Communications Commission (FCC) should no longer review applications from companies ruled a threat. It means equipment from Huawei, ZTE and three other Chinese companies cannot be used in US telecoms networks, going forward.

(BBC News)

What happens if time gets hacked?

At Black Hat Europe in London, security expert Adam Laurie revealed what he calls a “fragile ecosystem” by using a Raspberry Pi device outfitted with an RFID antenna to alter clocks receiving atomic clock synchronization from Britain’s National Physical Laboratory. The demonstration underscored how easily RFID can be abused and how that could potentially wreak havoc by altering time on a wider scale, affecting financial transactions, industrial systems, time-stamped network packets on the Internet and IoT devices. And unlike other security issues, he says, this time-hacking risk isn’t rooted in software or hardware vulnerabilities: it’s more about an aging technology and process.

(Dark Reading)