Submission + - SPAM: Tortoiseshell Targets IT Providers in Supply Chain Attack

Trailrunner7 writes: Researchers have identified a previously unknown attack group that targeted IT providers as an early stage of a supply chain attack operation. Researchers found the group had targeted 11 IT providers, mostly in Saudi Arabia, over the past year.

With heightened geo-political tensions in the Middle East and growing cyberattack capabilities for a number of nation-states in the region, it would be appealing to link Tortoiseshell to a specific nation-state or attack group. However, Symantec does not believe Tortoiseshell has ties to previously identified nation-state espionage campaigns or existing cybercrime operations.

"We currently have no evidence that would allow us to attribute Tortoiseshell's activity to any existing known group or nation state," Symantec researchers wrote in their threat report.

Symantec said the fact that IT providers were targeted suggests this was an early stage in a supply-chain attack. Researchers were unable to determine whether Tortoiseshell’s plans involved compromising as many of the IT providers’ customers as possible or if the group was looking for ways to compromise one or a few specific organizations. Compromising the IT provider would have likely given the group elevated privileges onto customer networks, specifically because of the nature of the services they offer. Attacks against third-party suppliers are classic supply chain attacks as organizations generally do not scrutinize activity from the suppliers as closely.

“IT providers are an ideal target for attackers given their high level of access to their clients' computers,” Symantec said. “This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines.”

Submission + - SPAM: 15 Years of Data Shows IoT Security is Regressing

Trailrunner7 writes: The security of IoT devices has been a running joke for many years, so much so that some researchers have given up trying to point out the weaknesses and get vendors to address the problems. Some vendors have pledged to do better and improve their development practices, but a year-long analysis of the security features in the firmware of 22 IoT device manufacturers found that not only are the vendors not making progress on security, they’re actually going backward.

The study is the work of the Cyber Independent Testing Lab, a small non-profit that performs rigorous testing of the security features and properties of a variety of products and platforms. The team wanted to see how IoT vendors were faring in adding standard hardening features to their firmware binaries, so it developed a special methodology that began with downloading available firmware updates from vendor websites, extracting Linux filesystems from the firmware, and then running each binary through the CITL’s custom analytic tools. The dataset comprises more than 3.3 million individual binaries from nearly 5,000 firmware updates from 22 vendors, including ASUS, D-Link, Belkin, QNAP, and Mikrotik, and goes back as far as 2003.

What the team found is dispiriting, if not surprising: IoT firmware hardening is getting worse rather than better. Firmware updates are more likely to remove binary hardening features than to add them, and overall there hasn’t been any trend in a positive direction for security in the 15 years covered by the CITL dataset.

Submission + - Backdoor Found in Webmin

Trailrunner7 writes: On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.

Webmin author Jamie Cameron said that the Webmin build system was compromised sometime in April 2018 and the attacker was able to add the malicious code into the codebase. The attacker then rolled the timestamp on the build back to prevent anyone from noticing the new addition.

“It appears that a build/test system was compromised some time last year and the exploit added to code in the directory from which packages are built (and file timestamps modified to make this change not show up in a git diff),” Cameron said in an email.

Submission + - Persistent Cookies Bypass MFA on AWS

Trailrunner7 writes: A researcher has discovered that some cookies used for authentication on Amazon Web Services remain valid even after the victim has changed the password and logged out of the account. That means that an attacker who is able to phish a victim’s username and password will have persistent access to the victim’s AWS account, even with multi-factor authentication enabled.

In many phishing scenarios, the use of MFA is a solid defense, but there are lots of different MFA factors and some established methods for obtaining MFA codes that allow attackers to circumvent some of those protections. One way to do that is to force victims through a reverse proxy on the way to the phishing page the attacker has set up. That enables the attacker to intercept the victim’s traffic and record both the credentials and any MFA code she would enter when prompted. Spencer Gietzen, lead cloud pen tester at Rhino Security Labs, discovered on a recent customer engagement that this method not only worked against AWS accounts with MFA enabled, but also collected the victim’s AWS authentication cookie. In his research, Gietzen used Modlishka, a reverse-proxy framework released earlier this year.

“For AWS users in particular, going with a hardware-based MFA device (like a Yubikey) is the way to go. It would prevent this attack because of some additional security features that are used by those devices and modern web browsers (URL verification mainly). Another option would be to remove IAM users completely from your AWS environment, and to only rely on IAM roles/temporary credentials, rather than long-lived usernames and passwords,” Gietzen said.

Submission + - OpenPGP Keyserver Attack Ongoing

Trailrunner7 writes: There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another.

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures--one has nearly 150,000--in an apparent effort to render them useless. The attack targeted Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too.

Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.

"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.

"I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem."

Submission + - Linux Worm Hits Unpatched Exim Servers

Trailrunner7 writes: It took only a few days since the vulnerability in Exim mail transfer agent was made public for a Linux worm to begin exploiting the vulnerability in Exim email servers. Microsoft said some Azure customers have already been affected.

Designed to receive, route and deliver email messages from local users and remote hosts, Exim runs “almost 57 percent of the Internet’s email servers,” said researchers from Cybereason, who discovered the worm. The flaw was introduced in version 4.87 and fixed in Exim 4.92, and an estimated 3.5 million servers worldwide are at risk.

The worm scans for servers running unpatched versions of Exim to infect. Once the machine has been infected, the worm drops a cryptocurrency miner. The flaw lets attackers execute remote commands on the vulnerable server, so as long as the worm remains on the infected machine, the attacker can execute remote commands.

“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected version of Exim,” said JR Aquino, manager of Azure Incident Response at Microsoft Security Response Center (MSRC).

Submission + - Docker Bug Allows Root Access to Host Filesystem

Trailrunner7 writes: All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there’s a fix in the works, it has not yet been integrated.

The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the “docker cp” command, which copies files to and from containers.

“The most likely case for this particular vector would be a managed cloud which let you (for instance) copy configuration files into a running container or read files from within the container (through "docker cp"),” Sarai said via email.

“However, it should be noted that while this vulnerability only has exploit code for "docker cp", that's because it's the most obvious endpoint for me to exploit. There is a more fundamental issue here — it's simply not safe to take a path, expand all the symlinks within it, and assume that path is safe to use.”

Submission + - Senator Introduces Do Not Track Bill to Give Consumers Control

Trailrunner7 writes: There’s yet another effort underway in Washington to establish an enforceable Do Not Track system that would provide a one-click mechanism for people to opt out of persistent web tracking by advertisers and social media platforms.

The latest push comes in the form of the Do Not Track Act, a bill unveiled this week by Sen. Josh Hawley (R-Mo.) that emulates the structure of the Do Not Call registry. It would establish a method for consumers to send a signal to online companies that would block them from collecting any information past what is necessary to deliver their services. The bill also would stop companies from building profiles of the people who activate the DNT mechanism or discriminating against them if they use the option.

Hawley’s bill makes the Federal Trade Commission the enforcement authority for the system and any person who violates the measure would be liable for penalties of $50 per user affected by a violation for every day that the violation is ongoing.

Submission + - DNS Hijacking Campaign Targets Intel, Military Organizations

Trailrunner7 writes: A highly capable and resourceful attack team has been targeting national security organizations, telecommunications providers, ISPs, and energy companies in the Middle East and Africa via a DNS-hijacking campaign that stretches back to at least January 2017. The group uses a variety of techniques to manipulate the DNS system and is responsible for the only known DNS registry compromise, as well as a number of other successful intrusions.

The attackers behind this campaign, known as Sea Turtle, have compromised more than 40 separate organizations over the course of the last two years and have shown the ability to use several different tactics to accomplish their goals, including exploiting known vulnerabilities in web applications, routers and switches, stealing SSL certificates to set up man-in-the-middle servers, and spoofing VPN apps to steal credentials. Researchers from the Cisco Talos Intelligence Group have been tracking the attackers and said in a new report the group is distinct from the team behind previous DNS-hijacking operations such as DNSpionage and likely has backing from a nation state.

Submission + - Apple is Removing Support for Do Not Track from Safari

Trailrunner7 writes: Apple is enabling some new security and privacy features for Safari that will improve the browser’s protections against pervasive tracking and phishing and attack sites, and simplify the login process. The biggest change is the removal of support for the Do Not Track standard, a controversial feature that has been the subject of a years-long fight involving, at various times, browser vendors, privacy advocates, advertising groups, and the federal government.

DNT was designed as a way for browsers to send a signal to sites that individuals didn’t want to be tracked, whether by the site operator itself or advertisers on the site. But there are a number of problems with the standard, chief among them the fact that there is no requirement for site owners to respect the DNT signal from a given visitor. Also, finding the setting in the browser to enable DNT wasn’t always an easy task, so plenty of people never got around to turning it on. In the last few years, browser vendors have begun to disable DNT by default and privacy groups and individuals have soured on it serving as a functional defense against pervasive tracking.

Submission + - Twitter CEO Says Biometrics May Defeat Bots

Trailrunner7 writes: Twitter, like a lot of platforms and services, is facing something of an identity crisis. Not in the traditional “Why are we all here?” sense, but in the ultra-modern “Who is running the accounts on our platform?” sense.

From the beginning, Twitter’s creators made the decision not to require real names on the service. It’s a policy that’s descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too.

The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election.

Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform.

“If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they’re interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven’t had strong technology solutions in the past, but that’s definitely changing with these supercomputers we have in our pockets now," Dorsey said.

Submission + - 35-Year-Old Flaws Put SCP Clients At Risk

Trailrunner7 writes: The SCP clients in a number of Linux distributions have a pair of vulnerabilities that an attacker could use to write arbitrary malicious files to the target directory on the client machine and change the permissions on the directory to allow further compromises. The bugs are 35 years old, but have just now been brought to light.

SCP (secure copy protocol) is an older network protocol that’s implemented in many Linux distributions. It uses SSH for file transfers and users can employ SCP to upload files to or download files from a remote server. One of the vulnerabilities in SCP, discovered by researcher Harry Sintonen of F-Secure, is a result of the clients failing to verify the validity of the objects that are returned to them after a download request. The upshot of that is that an attacker who controls the server, or has a man-in-the-middle position on the network, can drop arbitrary files into the directory from which the user runs SCP.

The vulnerability affects the SCP client implementations in Debian, Red Hat, and SUSE Linux, OpenSSH version 7.9 and earlier, as well as some versions of WinSCP.

Submission + - Hardware Security Keys Go Open Source

Trailrunner7 writes: A small team of engineers is building a line of hardware security keys that is completely open source, supports the new FIDO2 standard, and can be used with mobile phones to provide strong two-factor authentication.

The effort started as an educational project for Conor Patrick, a hardware engineer, who wanted to see if he could build an affordable security key from scratch. He designed and built a key using commodity components and his own custom firmware. After building some prototypes, Patrick ordered a large batch of the tokens from a third-party provider and then programmed them himself with the firmware. He then set up shop on Amazon and began selling them as the U2F Zero tokens. They sold out.

So Patrick decided to take the next step and develop a fully realized set of security keys for the general marketplace. Known as the Solo, there are a couple of different versions of the key, but all of them use open source software and hardware designs. The line includes the Solo, which comes in both USB-A and USB-C versions, and the Solo Tap, an NFC-based key for use with mobile devices. Patrick and his collaborators set up a Kickstarter project for Solo, with the hopes of raising $5,000 to fund the manufacturing process. They met their goal in 20 minutes and so far have raised more than $50,000.

Submission + - Data Breaches Have Long-Term Impact on Stock Prices

Trailrunner7 writes: Stock prices typically drop after a breach is disclosed, but they tend to bounce back within a few weeks, suggesting that investors don’t punish companies for security mistakes. Analysis by UK-based Comparitech found that breaches can impact—but it's muted—the company's stock performance.

Even though the stock price went back up after the initial breach disclosure, the prices weren’t as high as they would have been if the breach hadn’t happened. Three years after the data breach was disclosed, the stock price for the companies on average had risen 28.71 percent, but was down 15.58 percent compared to the NASDAQ index, which Comparitech used as a proxy for the wider market.

“In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ,” said Comparitech analyst Paul Bischoff.

The analysis focused on the closing share prices on the New York Stock Exchange for 24 companies that reported a data breach with at least a million records lost, including TJ Maxx, Apple, Yahoo, and LinkedIn.

Submission + - Android Bug Allows Geolocation and Tracking of Users

Trailrunner7 writes: Researchers have discovered a weakness in all versions of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device.

The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device’s WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

A malicious app--or just one that is listening for the right broadcasts from Android--would be able to identify any individual Android device and geolocate it. An attacker could use this weakness to track a given device, presumably without the user’s knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Yakov Shafranovich of Nightwatch Cybersecurity said his research showed that an attacker can get around this restriction.
