Security News Bites for the Week Ending July 28, 2017
Zip Slip Vulnerability Affects Thousands of Projects
Researchers discovered a flaw in almost all zip-style file decompressors – RAR, TAR, 7ZIP-APK and others.
The problem is caused by a very old attack vector called directory traversal that these libraries do not handle correctly.
The decompressor libraries were likely downloaded from places like Github and Stack Overflow and developers used them in thousands of projects used by millions of users without a clue that the vulnerability has existed for years, maybe decades.
And, likely, most of those developers are completely blind to the fact their their software is vulnerable due to a software supply chain issue – assuming they are even still involved with those software projects.
Software supply chain is the Achilles heel of the entire industry and the industry is not doing much to fix it. (Source: Bleeping Computer)
NSA Forms Group to Counter Russian Threat in Cyberspace
In what would appear to be a difference of opinion with his boss, the head of the NSA has created a special task force to address Russian threats in cyberspace. The Washington Post reported that the NSA and its sister Cybercom will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has said does not exist any more, if it ever did. The President has called the threat fake news many times. It would appear that General Nakasone has a difference of opinion with his boss. Source: Bloomberg
Level One Robotics Leaves Tens of Thousand of Sensitive Docs Unprotected
Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents – apparently including non disclosure agreements – belonging to multiple automakers including Tesla, Toyota and Volkswagen – unprotected online. The material includes documents from over 100 companies and includes blueprints, factory schematics and other materials.
The data was found by Chris Vickery of Upgard. Chris has found dozens of unprotected data sets just in recent months, usually on Amazon. Chris DOES NO HACKING. All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked. In this case, the material was an unprotected backup – 157 gigabytes of data made up of over 47,000 files. If hackers found it before Chris did, and they may have, they are likely celebrating. That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies. Source: NY Times
Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid
The Department of Homeland Security reported Monday that hackers, working for Russia, hacked into the US power grid as early as 2013 and are likely still inside the grid with the ability to turn off the lights. DHS says there were likely hundreds of victims and one of the attack vectors is by compromising trusted vendors of the power companies (third party vendor cyber risk management). Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?). Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall. For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time. Source: CNET
Russian Hackers Attack Senator Claire McCaskill
Reports have surfaced today that Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri. The Senator says that the attack was not successful. McCaskill is a vocal opponent of Russia. This is happening as the President continues to say that Russia is not hacking us and before the campaign season really warms up. Source: The Daily Beast
by 