Researchers Discovered the Control Console of a Ski Lift Open Online

The control panel of a Ski lift in Austria was exposed online, the disconcerting discovery was made on March 16 by the security experts Tim Philipp Schäfers and Sebastian Neef with security organization InternetWache.org.

The ski lift is Patscherkofelbahn, a sky facility that connects the village of Igls with the Patscherkofel resort.

The two researchers promptly reported the discovery to the Austrian Computer Emergency and Response Team (CERT).

“We have also done in this case: we received the message on a Friday afternoon, we passed it on later in the evening to our contact in Innsbruck.” reported the CERT in a blog post.

Officials from the city of Innsbruck have shut down the ski lift after the security duo has reported their findings.

“The control of the Patscherkofelbahn was accessible via a web interface unencrypted and without the need for authentication via the Internet. In addition, the corresponding control software was not up to date, but pointed to one of us found and reported to the manufacturer vulnerability, “says Schäfers.

The experts discovered the Human Machine Interface used to control the ski lift was exposed online without authentication.

An attacker with access to the Human Machine Interface is in the position to control several settings for the sky facility, including the speed, the distance between cable cars, and the cable tension.

The two researchers promptly reported the discovery to the Austrian Computer Emergency and Response Team (CERT) that passed their contact to the authorities at the city of Innsbruck.

As a precautionary measure, the authorities shut down the Patscherkofelbahn ski lift and started a security audit, at the time of writing the facility is still offline.

While the experts were reporting their discovery to Innsbruck officials, the NBC media outlet shared a footage of a malfunctioning ski lift in the ski resort of Gudauri, Georgia.

Even if the Gudauri accident is not linked to any other event occurred at Patscherkofelbahn. media noticed that the ski lifts in both facilities are manufactured by the Austrian firm Doppelmayr.

The CERT Austria confirmed that the problem has been solved and Innsbruck officials are plans to deploy a secure system before the summer season opens.

Amazon Alexa Has Got Some Serious Skills—Spying On Users!

Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.

Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions.

However, the device doesn’t remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration.

Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.

However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces device to indefinitely record surround voice to secretly eavesdrop on users’ conversations and then also sends the complete transcripts to a third-party website.

Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."

"The calculator skill is initialized, and the API\Lambda-function that's associated with the skill receives a launch request as an input," researchers said in its report.

In a video demonstration, researchers show that when a user opens up a session with the calculator app (in the background), it also creates a second session without verbally indicating the user that the microphone is still active.

By design, Alexa should either end a session or ask the user for another command to keep the session open. However, the hack could allow attackers to keep the second session active for spying on users while ending the first when user interaction get overs.

Luckily, you can still spot the spy red handed if you notice the blue light on your Echo device activated for a longer period, especially when you are not chit-chatting with it.

Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills that "silent prompts or that listen for unusual lengths of time" and kicking them out of their official store.

Instagram Launches “Data Download” Tool To Let You Leave

Two weeks ago users called on Instagram to build an equivalent to Facebook’s “Download Your Information feature so if you wanted to leave for another photo sharing network, you could. The next day it announced this tool would be coming and now is rolling out to users. Instagram’s  “Data Download” feature can be accessed here or through the app’s privacy settings. It lets users export their photos, videos, archived Stories, profile, info, comments, and non-ephemeral messages, though it can take a few hours to days for your download to be ready.

The download contains you profile info, photos, videos, archived Stories (those posted after December 2017), your post and story captions, your uploaded contacts, the usernames of your followers and people you follow, Direct messages, non-ephemeral Direct message photos and videos, comments, Likes, searches, and settings.

The tool’s launch is necessary for Instagram to comply with the data portability rule in European Union’s GDPR privacy law that goes into effect on May 25th. But it’s also a reasonable concession. Instagram has become the dominant image sharing social network with over 800 million users. It shouldn’t need to lock up users’ data in order to keep them around.

Hackers Behind Healthcare Espionage Infect X-Ray and MRI Machines

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.

Kwampirs then collects some basic information about the compromised computers and send it to the attackers to a remote command-and-control server, using which the group determines whether the hacked system is used by a researcher or a high-value target.

Besides health-care providers and pharmaceutical companies that account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology and manufacturing sectors, agriculture, and logistics.

City of Atlanta Ransomware Attack Proves Disastrously Expensive

Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 -- which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing -- but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn't include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files. 

SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, "In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization's files in an apparent attempt to capitalize on a victim's willingness to pay a ransom." Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom

Secondly, "GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft." Atlanta officials were quick to claim that no personal data was lost in the attack.

Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers -- which sound like the Gold Lowell group -- had previously compromised them. 

The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

There are also indications that Gold Lowell's dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.

However, the few facts that are known raises a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else's money, makes it reasonable to question the decision.