Inside Security | Inside


David Strom's in-depth cybersecurity news and analysis

David’s take

My local hospital has been breached. BJC HealthCare notified its patients that more than 30,000 records were exposed by a server configuration error and were reachable from May 2017 until January 2018. The data includes patient IDs and treatment-related documents collected during hospital visits years ago. BJC staff say they found no evidence that the data was actually accessed, and the hospital will be sending out free ID theft protection offers shortly.

As we mentioned earlier in the week, we want to thank our sponsors for their support of this newsletter. If you are interested in understanding more about FIDO and stronger authentication, a recent Nok Nok Labs report shows how Ericsson reduced password reset requests from its users by integrating Nok Nok's S3 Authentication Suite into the identity management platform that serves millions of its customers.

If you aren't yet a Premium subscriber, you missed yesterday's report on the interesting and innovative security research coming out of Ben-Gurion University in Israel. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually devoted to a single analysis topic.

--David Strom, editor of Inside Security

Last August, a Saudi-owned petrochemical plant was hit by cybersabotage. According to the NYT, a bug in the attackers' own code caused the targeted controllers to shut the plant down safely rather than cause physical damage. The target was a series of Triconex safety instrumented system controllers made by Schneider Electric, of which there are about 13,000 in use today around the world in all sorts of critical infrastructure roles. – NY TIMES

The energy sector has also been targeted by Russian state-sponsored hackers, and the US government has issued an alert (US-CERT TA18-074A). The campaign combined spear phishing and watering-hole sites with malware, remote access to compromised systems, credential harvesting and network reconnaissance. – US CERT BULLETIN


Many thanks to Inside Security's corporate supporters. Please go check them out!

Endgame's endpoint security platform protects the world's largest organizations from targeted attacks, eliminating the time and cost associated with incident response.

Nok Nok Labs has the ambition to transform authentication by unifying it into one standard protocol, giving business the control they need.


Air gapped computer hacking

The amazing research from Ben-Gurion University in Israel

My daughter lives across the street from Ben-Gurion University in Beersheva, Israel and I am fortunate enough to have visited her and her husband (who is an alum of the university) many times since she moved there. I have gotten to know some of the principal researchers in their computer science departments and research labs, and seen first-hand some of their very interesting research. This special edition of my newsletter summarizes two of their latest projects.

The first project, described in a paper entitled Opening Pandora's Box, looks at various methods for obtaining passwords and gaining access to 16 different IoT devices, including webcams, smart doorbells and an Ecobee smart thermostat. The paper describes several low-cost black-box techniques for reverse engineering these devices, including software-based and fault-injection-based techniques for bypassing password protection.

All of these devices were built on full Linux stacks, including web servers. It took the researchers only 30 minutes to recover passwords for most of the devices, and for some the password turned up merely through a Google search of the brand. Other secrets were just as easy to extract: WiFi, telnet server and SSH credentials, and private encryption keys embedded in the firmware. The researchers have several recommendations for IoT device makers to better secure their products, such as disabling unused ports and services, using stronger passwords and encrypting the device's entire memory space.

The second effort was a research project to transmit information between two seemingly unconnected PCs, across what is commonly called an air gap. The only peripherals attached were a pair of earbuds plugged into each PC's audio output jack, yet the researchers were able to construct a communications channel: by retasking the jack so that one pair of earbuds acts as a microphone, a data stream modulated onto sound waves (including frequencies most people cannot hear) is sent through the air from one machine to the other. The project is called Mosquito, and their paper is available online.
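The modulation side of such a channel, as an added illustration (this is not code from the Mosquito paper or from the BGU researchers): a binary frequency-shift-keying modem that turns bytes into two alternating near-ultrasonic tones and recovers them with a Goertzel filter, plus constructed noise to stand in for a real room. The sample rate, tone frequencies and symbol length are assumptions chosen for this example, and the driver-level jack retasking that makes earbuds act as a microphone is outside what this code models.

```python
import math
import random

# Channel parameters: assumptions for this illustration, not values taken from the paper
RATE = 48000            # sample rate assumed for both endpoints
F0, F1 = 18000, 19000   # tone for bit 0 / bit 1, in the near-ultrasonic band most adults cannot hear
SYMBOL = 480            # samples per bit (10 ms): both tones complete whole cycles, so they are orthogonal


def encode(payload):
    """Binary-FSK modulate `payload` (<=255 bytes): a length byte, then each bit MSB-first as one tone burst."""
    if len(payload) > 255:
        raise ValueError("one frame carries at most 255 bytes")
    frame = bytes([len(payload)]) + bytes(payload)
    samples, phase = [], 0.0
    for byte in frame:
        for i in range(7, -1, -1):
            step = 2 * math.pi * (F1 if (byte >> i) & 1 else F0) / RATE
            for _ in range(SYMBOL):
                samples.append(math.sin(phase))   # continuous phase avoids clicks at symbol edges
                phase += step
    return samples


def goertzel_power(window, freq):
    """Energy of `window` at `freq` via the Goertzel recurrence (one DFT bin, no numpy needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples):
    """Demodulate by comparing the two tone energies in each symbol window; returns the payload bytes."""
    bits = []
    for start in range(0, len(samples) - SYMBOL + 1, SYMBOL):
        window = samples[start:start + SYMBOL]
        bits.append(1 if goertzel_power(window, F1) > goertzel_power(window, F0) else 0)
    raw = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        raw.append(value)
    if not raw:
        return b""
    return bytes(raw[1:1 + raw[0]])     # first byte is the frame length


def add_noise(samples, sigma, seed=1):
    """Constructed additive white Gaussian noise standing in for room noise and cheap transducers."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def roundtrip(payload, sigma=0.0):
    """Modulate, optionally corrupt, demodulate; returns what the receiving side recovers."""
    wave = encode(payload)
    if sigma:
        wave = add_noise(wave, sigma)
    return decode(wave)


if __name__ == "__main__":
    print(roundtrip(b"air gap", sigma=1.0))
```

With these parameters the channel runs at RATE / SYMBOL = 100 bits per second and survives noise whose per-sample power equals the signal's, because each symbol window integrates 480 samples at the tone frequency while spreading the noise across the whole band. A detection-minded reader can run the same Goertzel filter on captured audio to look for sustained energy at a pair of fixed frequencies above 17 kHz, which ordinary audio playback does not produce.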

These are just two of many projects the BGU researchers have done, and this post on Bleeping Computer lists a dozen others it has covered over the years, such as exfiltrating data through the LEDs that show network or hard disk activity, through the computer's cooling fans, and through infrared light signals. It is well worth reviewing the collection and considering how vulnerable your own systems are.

The Port of Longview, Wash., was the target of a cyberattack and was notified by the FBI earlier this year. As many as 400 employees and vendors could be at risk. Investigators traced the attack to internet service provider addresses in Russia, Liberia and Kazakhstan. ID theft monitoring has been offered to those affected. – TDN NEWS

New point-of-sale (POS) malware called PinkKite has been identified. It is a potent adversary because it persists across reboots, encrypts the card data it collects, and uses other methods to evade notice while stealing credit card data. -- THREATPOST

Just for fun

I am not sure that this is humorous, but more funny-sad: this tweet stream about a recent episode involving a contractor of the National Reconnaissance Office. – SEAMUS HUGHES @ TWITTER

David’s Take

This newsletter is distributed thanks to our sponsors, Endgame and Nok Nok. Today I want to highlight this blog post on how Endgame's MalwareScore engine works and how it was built, along with the announcement that it is now available for macOS. The engine scores executable files for malicious intent using machine-learned classifiers, and the Mac port required an entirely new parsing layer for Mac executable formats, because the changes in Mac CPU families over the years mean a single file can carry several architecture-specific slices. For malware hunters it makes for some fascinating reading. Given the rise of macOS-based malware (the McAfee Threat report cited below shows a 240 percent increase during 2017), this is a timely effort.
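To show what "several architecture-specific slices in one file" means for a scanner, here is an added example, not Endgame's code or anything from the MalwareScore post: a parser for Apple's universal ("fat") Mach-O container that lists each slice and cross-checks it against the slice's own header. The sample binary and the Java class-file prefix are constructed in the block; the only format knowledge used is the public fat_header / fat_arch / mach_header layout.

```python
import struct

FAT_MAGIC = 0xCAFEBABE       # fat header is always big-endian on disk
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header
CPU_TYPE_NAMES = {
    7: "i386", 0x01000007: "x86_64",
    12: "arm", 0x0100000C: "arm64",
    18: "ppc", 0x01000012: "ppc64",
}
FAT_ARCH_SIZE = 20           # cputype, cpusubtype, offset, size, align: five 32-bit fields


def classify(blob):
    """First-pass classification by magic: 'fat', 'thin32', 'thin64', 'java-class' or 'unknown'.

    Java class files share the CAFEBABE magic. Their next word is a version number that is
    never below 45, while a real universal binary's next word is a small slice count; this is
    the same disambiguation file(1) applies.
    """
    if len(blob) < 8:
        return "unknown"
    w0, w1 = struct.unpack_from(">II", blob, 0)
    if w0 == FAT_MAGIC:
        return "java-class" if w1 > 30 else "fat"
    for order in ("<", ">"):               # thin headers use the target CPU's byte order
        magic = struct.unpack_from(order + "I", blob, 0)[0]
        if magic == MH_MAGIC:
            return "thin32"
        if magic == MH_MAGIC_64:
            return "thin64"
    return "unknown"


def parse_thin_header(blob, off=0):
    """Return (bits, cputype, filetype) for the thin Mach-O header at `off`, whichever byte order it uses."""
    for order in ("<", ">"):
        magic, cputype, _cpusubtype, filetype = struct.unpack_from(order + "IiiI", blob, off)
        if magic == MH_MAGIC:
            return 32, cputype, filetype
        if magic == MH_MAGIC_64:
            return 64, cputype, filetype
    raise ValueError("no Mach-O header at offset %d" % off)


def parse_universal(blob):
    """Enumerate the slices of a universal binary and validate each one.

    Every slice is checked for staying inside the file and for its own header agreeing with
    the fat_arch entry: a scanner should not trust the fat table alone, since the table and the
    slice headers are written independently and either can lie.
    """
    if classify(blob) != "fat":
        raise ValueError("not a universal binary")
    nfat = struct.unpack_from(">I", blob, 4)[0]
    slices = []
    for i in range(nfat):
        cputype, _cpusubtype, offset, size, align = struct.unpack_from(
            ">iiIII", blob, 8 + i * FAT_ARCH_SIZE)
        entry = {"arch": CPU_TYPE_NAMES.get(cputype, hex(cputype)), "offset": offset,
                 "size": size, "align": 1 << align, "in_bounds": offset + size <= len(blob)}
        if entry["in_bounds"]:
            bits, inner_cpu, filetype = parse_thin_header(blob, offset)
            entry.update(bits=bits, filetype=filetype, cputype_matches=(inner_cpu == cputype))
        slices.append(entry)
    return slices


def build_sample_fat():
    """Constructed two-slice universal binary (x86_64 + arm64) with stub headers; not a real program."""
    def thin(cputype):
        # 64-bit header: magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    arches = [(0x01000007, 0x1000, 12), (0x0100000C, 0x2000, 14)]   # (cputype, offset, log2 align)
    fat = struct.pack(">II", FAT_MAGIC, len(arches))
    for cputype, offset, align in arches:
        fat += struct.pack(">iiIII", cputype, 3, offset, 32, align)
    blob = bytearray(0x2000 + 32)
    blob[:len(fat)] = fat
    for cputype, offset, _ in arches:
        blob[offset:offset + 32] = thin(cputype)
    return bytes(blob)


# Constructed Java 8 class-file prefix (major version 52): same magic, very different contents
SAMPLE_JAVA_CLASS = struct.pack(">IHH", FAT_MAGIC, 0, 52) + bytes(16)

if __name__ == "__main__":
    for s in parse_universal(build_sample_fat()):
        print(s)
```

The practical point for anyone writing a macOS file classifier: features must be extracted per slice, not once per file, and a slice whose offset runs past the end of the file or whose inner cputype disagrees with the fat table deserves to be scored as suspicious rather than skipped.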

-- David Strom, editor of Inside Security


Top Story

If you ever wanted to read just one blog post about the numerous ways an IoT device can leave you open to attack, check out the latest reports about the Hanwha Techwin SmartCam SNH-V6410PN "smart" webcam (also sold under the Samsung brand). It has so many security holes that it is hard to keep them all straight as you read the article. The flaws range from unencrypted HTTP to weak credentials to buffer overflows, and more than two thousand of the cameras are reachable on public IP addresses, mostly in Europe and South Korea. The main architectural design flaw is in the cloud service, which is built on the IM protocol Jabber (XMPP). "An attacker could register an arbitrary account on the Jabber server and gain access to" everything on the camera's server. -- THREATPOST



Here is a description of a complex VMware exploitation chain built on uninitialized buffers and variables. The chain strings together several bugs: a heap overflow in the Edge browser, a type confusion in the Windows kernel and an uninitialized-memory flaw in VMware that lets the attacker escape the guest. – ZERO DAY INITIATIVE

Samba servers from v4.0 onwards should be patched immediately, thanks to two new vulnerabilities found by the engineers maintaining the code base: a denial of service in the print server (CVE-2018-1050) and, on Active Directory domain controllers, a flaw that lets any authenticated user change other users' passwords (CVE-2018-1057). The software allows non-Windows machines to share files and printers with Windows computers and is in wide use. – SAMBA


Researchers have discovered malware so stealthy that it remained hidden for six years despite infecting at least 100 computers worldwide. It is called Slingshot and was described by Kaspersky Lab in this paper; one of its infection routes was through compromised MikroTik routers. It has been active since at least 2012 and remained operational through last month. -- KASPERSKY LAB

The Italian surveillance vendor Hacking Team has a new version of its spyware, which has been found in more than a dozen countries. It can extract files from a target, intercept emails and IMs, and remotely activate a laptop's camera and microphone. -- WELIVESECURITY


At its peak in late 2016, the Android botnet Gooligan had stolen OAuth tokens for more than a million Google accounts and used them for various fraudulent activities. This is the story of how it was discovered and how the botnet was taken down, told in three separate blog posts: one on the botnet's origins, one on its inner workings, and one on how it made money and was eventually neutralized. – SECURITY BLVD.

Picking the right version of Office 365

If you are trying to decide which bundle of Microsoft Office 365 features is right for you, you might want to read at least the first part of this post (before the vendor self-promotion kicks in) to understand the subtle differences between the E3 and E5 options. – VARONIS BLOG



This post goes into very interesting detail about the latest DDoS amplification attacks, using visuals to show how the attack traffic spreads across the Internet. The authors explain IP spoofing, how IP address ranges are allocated to and used by various networks, and other things you probably forgot you once learned in your Intro to TCP/IP class. – CLOUDFLARE BLOG

A new report based on interviews with Australian CISOs says that instead of focusing on the number of people who still click on malicious links, there is great value in encouraging people to report suspicious emails and in tracking who reports them. "Many company directors aren't adequately informed and place too much faith in the security measures implemented by their organization." There is a lot more to be gleaned from the interviews. -- MICROSOFT (reg. req.)


Just for fun

Light bright!  -- 50 NERDS of GREY @ TWITTER

David’s Take

Our top story today is about the work done by The Citizen Lab in uncovering a very nasty threat in the Middle East: Sandvine PacketLogic deep-packet-inspection devices, sitting in the network path, being used to tamper with users' unencrypted web traffic. Sadly, the vendor has decided to deploy lawyers rather than fix its equipment, and to play loose with the facts and criticize the group's efforts. If you haven't come across the Lab's work before, they are a very well-respected Toronto group of researchers who examine Internet censorship and state-level illegal network monitoring around the world. I urge you to read their report and decide for yourself whose version of events you believe.

ERRATA: In my newsletter last week, I mistakenly said that Casey Ellis was CEO of BugCrowd. That hasn’t been true since last August. Ashish Gupta has the job now. My apologies.

-- David Strom, editor of Inside Security


Beginner’s corner

Here is a primer on what it takes to break encryption in practice, and how to look for implementation flaws such as weak algorithms or server-side vulnerabilities rather than attacking the mathematics head-on. -- MALWAREBYTES
