Submission + - Precision Agriculture Has Its Cassandra. His Name Is Kevin. (substack.com) 1

chicksdaddy writes: Farming in the United States is in the midst of a major transformation — the biggest since the arrival of mechanized agriculture more than a century ago. The transformative technology back then was the internal combustion engine, which allowed farmers to power a wide range of new machines and mechanize previously manual implements from tractors and reapers to combine harvesters. The transformative technology now? Precision agriculture, a catch-all term that describes a constellation of technologies that includes Internet- and GPS-connected agricultural equipment, highly accurate remote sensors, “big data” analytics and cloud computing.

Once it is broadly adopted, precision agriculture technology promises to further reduce the need for human labor to run farms even more than the combustion engine did. (Autonomous equipment means you no longer even need drivers!) But the risks it poses to small farms and farming communities are much bigger than that. First, as the USDA notes on its website (https://www.nifa.usda.gov/grants/programs/precision-geospatial-sensor-technologies-programs/adoption-precision-agriculture): the scale and high capital costs of precision agriculture technology tend to favor large, corporate producers over smaller farms. Then there are the systemic risks to U.S. agriculture of an increasingly connected and consolidated agriculture sector, with a few major OEMs having the ability to remotely control and manage access to and maintenance of vital equipment on millions of U.S. farms. That includes the risk of disruption due to cyber attacks on precision farming hardware, software and services — an issue that agricultural equipment makers are scrambling to address (https://www.forbes.com/sites/paulfroberts/2021/06/20/under-scrutiny-big-ag-scrambles-to-address-cyber-risk/), but reluctant to discuss.

The biggest risk, however, comes from the reams of valuable and proprietary operational data that precision agriculture equipment generates and collects about the operation of a farm — from soil quality to the application of fertilizers and other agents, to crop yields. For centuries, such information resided in farmers’ heads, or on written or (more recently) digital records that they owned and controlled exclusively, typically passing that knowledge and data down to succeeding generations of farm owners. Precision agriculture technology wrests it from the farmer’s control and shares it with equipment manufacturers and service providers — often without the explicit understanding of the farmers themselves, and almost always without monetary compensation to the farmer for the data. Over time, this massive transfer of knowledge from individual farmers or collectives to multinational corporations risks beggaring farmers by robbing them of one of their most vital assets: data, and turning them into little more than passive caretakers of automated equipment managed, controlled and accountable to distant corporate masters.

That’s a dark view of the future — and one that it’s hard to hear over the “rah rah rah!” of precision agriculture’s (corporate funded) boosters. But it’s not like nobody sees the writing on the wall, or is sounding the alarm bell. The blog Fight to Repair News (http://fighttorepair.news) recently interviewed Kevin Kenney, an Alternative Fuel Systems Engineer at Grassroots Energy in Nebraska and one of the loudest voices warning about the dangers posed by precision agriculture technologies, including the wholesale theft and monetization of proprietary farmer data.

Submission + - Citing danger of "ink spills" Epson programs printers to stop operating (substack.com)

chicksdaddy writes: Printer maker Epson has programmed some models of its inkjet printers to "stop operating" at a pre-determined time, citing the risk of property damage linked to "ink spills," the Fight to Repair newsletter reports. (https://fighttorepair.substack.com/p/citing-danger-of-ink-spills-epson).

Epson printer owners have complained (https://twitter.com/marktavern/status/1550605262700122112?s=20&t=8AjU1bZ_f9o-r37VkJn8Ig) that their functioning printers have suddenly stopped working, displaying an error message declaring that a component of the printer has "reached the end of its service life" and that the device needs to be serviced. According to Epson's website (https://epson.com/Support/wa00369), the message is linked to ink pads, which Epson describes as “porous pads in the printer that collect, distribute, and very importantly contain the ink that is not used on printed pages.” Over time, these pads become saturated with ink though generally not “before the printer is replaced for other reasons” (??!)

“Like so many other products, all Epson consumer ink jet products have a finite life span due to component wear during normal use... The printers are designed to stop operating at the point where further use without replacing the ink pads could create risks of property damage from ink spills or safety issues related to excess ink contacting an electrical component,” the company said on its website.

Rather than measure the saturation of the ink pads to determine when that point is reached, however, Epson appears to have programmed a counter on its printers that disables the device when a threshold has been reached. For printer owners who use Windows, Epson makes a reset utility that can reset the counter though it can "only be used once and will allow printing for a short period of time.” For Mac users, or Windows users who have already run the reset utility once, Epson urges them to have the printer serviced by an Epson authorized service shop or — preferably — to replace the printer with a new printer. “Repair may not be a cost-effective option for lower-cost printers because other components may also be near the end of their usable life," the company said. Despite the company's claims about the unfixability of the ink pad issue, YouTube videos suggest that the ink pads are, in fact, simple to replace, as this video illustrates. https://youtu.be/EocI_8awj38

Legal experts say that Epson's hard-coding an end of life for its printers may be illegal — an example of "deceptive trade practices," unless it is clearly disclosing the existence of the programmed end of life to consumers prior to purchase.

“Without some very clear warning to consumers, it wouldn’t surprise me to see some pushback along the lines of the FTC’s intervention in the Revolv bricking incident a few years back,” said Aaron Perzanowski of University of Michigan Law School, referring to Nest’s “smart home hub,” which the company decided to stop supporting in 2016 after purchasing Revolv in 2014. (https://www.perzanow.ski/blog/2016/7/14/ftcs-revolv-investigation)

The decision to shut down servers supporting the Revolv devices effectively “bricked” the devices. That, the FTC decided, caused “unjustified, substantial consumer injury that consumers themselves could not reasonably avoid.” The FTC ultimately refrained from an enforcement action against Nest noting, in a letter, that the company had already offered full refunds to affected customers (after the outcry, it should be noted), but reserved the right to “take further action as the public interest may warrant.”

Submission + - Cyberattack Halts Production at Ag Equipment Maker AGCO/Fendt (securityledger.com)

chicksdaddy writes: A cyber attack has disrupted the operations of AGCO/Fendt, a major manufacturer of agricultural equipment, the company has acknowledged.

AGCO/Fendt, headquartered in Duluth, Georgia, said in a statement to the Security Ledger (https://securityledger.com/2022/05/cyber-attack-halts-production-at-ag-equipment-maker-agco-fendt/) that it was the subject of a cybersecurity incident that “has impacted some of our production facilities. We are working to address the issues. Our first priority is to restore those critical activities needed to keep farmers farming.” The company first acknowledged the attack on Thursday, May 5.

That followed published reports in German and French publications (https://france3-regions.francetvinfo.fr/hauts-de-france/oise/beauvais/piratage-informatique-le-site-d-assemblage-de-tracteurs-massey-fergusson-agco-beauvais-victime-d-une-cyber-attaque-2537316.html) stemming from unexpected shutdowns of manufacturing facilities in those countries.

Fendt employees at the Marktoberdorf, Germany site were temporarily sent home according to a report in the Allgäuer Zeitung. (https://www-allgaeuer--zeitung-de.translate.goog/allgaeu/marktoberdorf/fendt-hackerangriff-bei-traktoren-hersteller-produktion-stark-beeintraechtigt_arid-417649) Disruption of the company’s computer network has suspended production and transportation of tractors at the facility. Subsequent reports have identified other AGCO/Fendt facilities in Germany and France that have been crippled by the attacks, including one in Bäumeheim, Germany.

So far there is little information on who or what is behind the attack on the manufacturing sites. However, law enforcement and officials in the U.S. have been warning about the prospect of heightened attacks on agriculture. After a string of ransomware attacks on grain coops in September and October, the FBI recently warned of more cyber attacks targeting the agricultural sector as planting season commenced.

The FBI said a number of attacks have targeted grain coops and other food and agriculture supply chain players already in 2022. (https://www.ic3.gov/Media/News/2022/220420-2.pdf) They include a March 2022 Lockbit 2.0 ransomware attack on what’s described as a “multi-state grain company” that also provides seed, fertilizer, and logistics services, and a February 2022 attempted attack on a “company providing feed milling and other agricultural services.”

Comment Re:They all do it on the cheap (Score 1) 48

Yes. 35 open recs at John Deere that contain “cyber security” in the job description. Prior to these stories coming to light, the company had hardly any embedded device security and cyber talent on staff - and most of the Deere employees with infosec in their title had been at the company for decades (that is: maybe looked at things through tinted lenses) and didn’t have ‘traditional’ infosec backgrounds. https://jobs.deere.com/search/...

Submission + - DEF CON: Security Holes in Deere, Case IH Spotlight Agriculture Cyber Risk (securityledger.com)

chicksdaddy writes: A lot has changed in the agriculture sector in the last decade. And farm country’s cybersecurity bill has come due in a big way. A (virtual) presentation (https://www.youtube.com/watch?v=zpouLO-GXLo) at the annual DEF CON hacking conference (https://defcon.org/) in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. (https://securityledger.com/2021/08/def-con-security-holes-in-deere-case-ih-shine-spotlight-on-agriculture-cyber-risk/) Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere’s global product infrastructure, sensitive customer and third party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws (https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/) in the company’s public-facing web applications set off a scramble by Deere and other agricultural equipment makers (https://www.forbes.com/sites/paulfroberts/2021/06/20/under-scrutiny-big-ag-scrambles-to-address-cyber-risk/) to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross Site Scripting and account enumeration bugs linked to Deere’s web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third party software by Pega Systems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back end Pegasystems server. With wide-ranging, administrative access to the production backend Pega server, the researchers were able to obtain other administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere’s OKTA signing certificate for the Pegasystems server, according to the presentation.

In an email statement to The Security Ledger, a John Deere spokesperson said that “none of the claims – including those identified at DEF CON — have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information,” though data included in the presentation as well as prior, public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.

Submission + - Developer Workstation Exposed State Dept. Network Data, Researchers Find (forbes.com)

chicksdaddy writes: Sensitive systems and data for the U.S. Department of State could have been exposed by a third party development workstation running the eXide software (https://exist-db.org/exist/apps/eXide/index.html), according to researchers for the hacking crew Sakura Samurai (https://sakurasamurai.pro/). According to a report in Forbes (https://www.forbes.com/sites/paulfroberts/2021/08/05/new-vuln-disclosure-policy-pays-dividends-for-federal-agencies/?sh=59a0cdc125be), the researchers took advantage of a new State Department Vulnerability Disclosure Program (https://www.state.gov/vulnerability-disclosure-policy/) to look for security flaws in one of 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

After reporting their findings to the State Department on April 27th, researcher Jackson Henry (https://www.twitter.com/JacksonHHax) and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. Henry and Sakura Samurai then began working with the State Department on public disclosure of the vulnerabilities, while also communicating with the developers responsible for the open source project to get the flaws fixed, according to communications shared with Forbes.

The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web. “The State Department can’t audit every open source package it uses,” Henry said. “That’s why the VDP is such a big thing (and) a step in the right direction.”

It is also an endorsement of the benefits of a quiet security revolution within the federal government in recent months, as agencies have responded to Binding Operational Directive 20-01 (https://cyber.dhs.gov/bod/20-01/), a new requirement from the CISA, the Cybersecurity and Infrastructure Security Agency, that Executive Branch agencies publish and maintain public vulnerability disclosure programs, or VDPs — a kind of front door for bug hunters and “white hat” cybersecurity professionals.

Submission + - Colorado Lawmakers Sing a Familiar Tune in Opposing Right to Repair: Google's (substack.com)

chicksdaddy writes: Fight To Repair adds a new wrinkle to the now notorious March hearing by the Colorado State Assembly on a proposed right to repair law, in which heart-wrenching testimony by disabled Coloradans was tossed aside in favor of pro-industry, anti-repair blather about intellectual property violations and interstate commerce (https://www.vice.com/en/article/wx8w7b/colorado-denied-its-citizens-the-right-to-repair-after-riveting-testimony).

The newsletter Fight to Repair has obtained emails that show how “concerns” voiced by a lobbyist for tech giant Google sprang from the lips of at least two members of the committee considering the legislation. (https://fighttorepair.substack.com/p/colorado-lawmakers-sing-a-familiar).
From Fight to Repair:

“In other exchanges, the arguments made by legislators were more than just in line with Big Tech’s point of view. They were straight off of Big Tech’s list of talking points. Case in point, Committee Chairman Dylan Roberts (D-26) put the following question to the bill’s two sponsors:

‘I have a question about the warranty aspect of this. If someone buys a product in either Colorado or out of state and they come to Colorado and they are able to do this repair, does that violate the warranty and if it doesn’t how is that warranty protected with regard to interstate commerce?’

“Cross-border warranty issues? Interstate commerce? It’s a really curious question for a hearing on a state consumer protection law. In fact, it was one that I’d never heard posed before in a Right to Repair hearing, by either side. (And I’ve attended a lot of them.) There’s a good reason for that: the federal Magnuson-Moss Warranty Act already makes it pretty clear that so-called “carry back” provisions that require you to return warrantied products to the point of service are illegal. (https://www.findlaw.com/consumer/consumer-transactions/warranty-laws-and-the-magnuson-moss-warranty-act-.html)

“So where did that question come from? We don’t know exactly. What we do know is that the question about honoring warranties for products that cross state lines was included in an email sent to the bill’s sponsors shortly before the hearing by Mary Kay Hogan of the Fulcrum Group, a communications and political consulting firm based in Denver that was hired by Google.

‘There are two main issues I cannot figure a way around,’ Hogan wrote in a March 18 email relaying Google’s concerns to the bill’s sponsor, Rep. Brianna Titone. ‘The first is how this works with a warranty contract for a phone that someone buys in another state, then moves to (Colorado), and by moving here the terms of that contract executed in another state about a warranty being voided by non-authorized repair are no longer recognized. I am not sure how this would play out.’

“Roberts himself appears to have had a Zoom meeting with Hogan on March 12, according to emails obtained by Fight to Repair, and other committee members raised the issue of cross-border warranty conflicts during the hearing as well, where the Right to Repair bill was put on hold, essentially killing it.”

As Fight to Repair notes: “The really depressing part of all this isn’t so much that lobbyists have the ear of lawmakers. (Duh!) Rather, it’s how large the interests, priorities and words of large corporations and their phalanxes of lobbyists, PR flacks and media consultants loom in the minds of the men and women who are ostensibly elected by the people to serve in the best interests of the people. As Vice ably noted in their article, lawmakers seemed utterly incurious about the plight of disabled Coloradans who were literally immobilized by a lack of adequate repair choices for motorized wheelchairs. Repair proponent after repair proponent testified and, when the Chair asked if there were any questions, there were none. Where lawmakers did engage, it was around noodling issues of legal precedent, intellectual property law or copyright — exactly the kinds of things that corporations, not voters, care about.”

Submission + - Flaws in John Deere's Website Provide a Map to Customers, Equipment (securityledger.com)

chicksdaddy writes: Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate, The Security Ledger reported. (https://securityledger.com/2021/04/deere-john-researcher-warns-ag-giants-site-provides-a-map-to-customers-equipment/)

The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. (https://www.cisa.gov/food-and-agriculture-sector) The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California’s CCPA or the Personal Information Protection Act in Deere’s home state of Illinois. However, the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain, researchers warn.

The agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report released by the Department of Homeland Security (https://www.dhs.gov/sites/default/files/publications/2018%20AEP_Threats_to_Precision_Agriculture.pdf) concluded that the “adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities” (and that) “potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers.”

Submission + - 184 Years On, John Deere Awaits Its First Software Vulnerability

chicksdaddy writes: Agricultural equipment maker John Deere has many firsts in more than a century and a half of operations. Today, Moline, Illinois based Deere & Co. (DE) is a $120 billion giant in the heavy equipment industry that makes everything from diesel engines to combines to lawn mowers. One thing the company hadn’t managed to create in all that time? A software vulnerability in any of its products — at least one that the company has disclosed to the public.

A search of the U.S.’s National Vulnerability Database (https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=%E2%80%9CDeere%E2%80%9D&search_type=all) reveals not a single software vulnerability attributed to Deere & Co. for any of that company’s products. That’s a confounding fact, given that Deere, today, is as much a software maker and data broker as an agricultural equipment maker. Millions of lines of software code run its GPS-directed and Internet-connected precision farming machinery. Furthermore, its equipment relays terabytes of data via satellite- and cellular connections from customer farms to Deere’s cloud servers, which the company has turned into a lucrative new revenue stream. And yet: not a single software flaw. What gives?

According to one researcher with experience conducting security audits of specialized equipment, the absence of any publicly disclosed software vulnerabilities shouldn’t be taken as evidence that Deere’s software or software powered agricultural equipment is cyber secure. “The absence of CVEs tells you nothing about whether the security is good or bad,” said Billy Rios of Whitescope.io, a security research firm. Rios’s research has encompassed medical devices, SCADA systems and automobiles.

The absence of any security vulnerabilities for Deere’s extensive catalog of sophisticated machinery is reflective of an agricultural equipment industry that has moved aggressively in recent decades to connect heavy equipment to the Internet and to monetize, but has faced little scrutiny over the cyber security of its products. None of its main competitors have any CVEs to their names and few have even published vulnerability disclosure policies.

Submission + - IPv4 Parsing Flaw in NPM Netmask Could Affect 270,000 Apps 1

chicksdaddy writes: Independent security researchers analyzing the widely used open source component netmask have discovered security vulnerabilities that could leave more than a quarter million open source applications vulnerable to attack, according to a report released Monday, The Security Ledger reports. (https://securityledger.com/2021/03/critical-flaws-found-in-widely-used-netmask-open-source-library/)

According to a report by the site Sick Codes (https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/), the flaws open applications that rely on netmask to a wide range of malicious attacks including Server Side Request Forgeries (SSRF) and Remote and Local File Includes (RFI, LFI) that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one. Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say.

Netmask (https://www.npmjs.com/package/netmask) is a widely used package that allows developers to evaluate whether an IP address attempting to access an application is inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined “block.” According to the researcher using the handle “Sick Codes” (https://www.twitter.com/sickcodes), the researchers discovered that netmask had a big blind spot. Specifically: it evaluates certain IP addresses incorrectly, improperly validating so-called “octal strings” and rendering IPv4 addresses that contain certain octal strings as integers. For example, the IPv4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string “0177” translates to the integer “127.” However, netmask evaluates it as a public IPv4 address, 177.0.0.1, simply stripping off the leading zero and reading the remaining parts of the octal string as an integer.

The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address. Similarly, attackers could also disguise remote IP addresses as local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks. But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that the textual representation of IPv4 addresses was never standardized (https://blog.dave.tf/post/ip-addr-parsing/), leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.
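The octal-string confusion described in this submission, shown as an added example rather than code from the netmask package or from the researchers: three parsers for dotted IPv4 text side by side, the naive leading-zero-stripping behaviour the post describes, a C inet_aton-style parser that honours octal and hex parts, and a strict canonical-decimal parser that rejects anything ambiguous, each used for the same CIDR membership test. The point for a defender is that an allow/deny check either has to canonicalize the address the same way the rest of the stack does, or reject non-canonical spellings outright; the sample address and the 127.0.0.0/8 block below are constructed for illustration.

```javascript
// Added example, not the netmask package's code. Three ways of reading a
// dotted IPv4 string into a 32-bit number, then a CIDR membership test
// that takes the parser as a parameter so the difference is visible.

// 1. Naive: strip leading zeros and read each part as decimal.
//    This reproduces the mis-parse described in the post: "0177" -> 177.
function parseIPv4Naive(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (!/^\d+$/.test(p)) return NaN;
    return parseInt(p.replace(/^0+(?=\d)/, ''), 10);
  });
  return toInt(octets);
}

// 2. inet_aton-style (the BSD/glibc convention): a part with a leading 0 is
//    octal, a 0x prefix is hex, anything else is decimal. "0177" -> 127.
function parseIPv4InetAton(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
    if (/^\d+$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  return toInt(octets);
}

// 3. Strict: canonical dotted decimal only. Leading zeros, hex and short
//    forms are rejected instead of being guessed at.
function parseIPv4Strict(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? parseInt(p, 10) : NaN));
  return toInt(octets);
}

// Pack four octets into an unsigned 32-bit value; null if any is out of range.
// Multiplication rather than shifts keeps the result unsigned in JavaScript.
function toInt(octets) {
  if (octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets[0] * 2 ** 24 + octets[1] * 2 ** 16 + octets[2] * 2 ** 8 + octets[3];
}

// Membership of an address (as text) in "a.b.c.d/prefix" using the given parser.
// Returns true/false, or null when the address does not parse.
function inCidr(addressText, cidr, parser) {
  const [netText, prefixText] = cidr.split('/');
  const prefix = Number(prefixText);
  const net = parseIPv4Strict(netText);
  const addr = parser(addressText);
  if (addr === null || net === null || !(prefix >= 0 && prefix <= 32)) return null;
  const hostBits = 2 ** (32 - prefix);
  return Math.floor(addr / hostBits) === Math.floor(net / hostBits);
}

// Constructed sample: is the octal spelling of loopback treated as loopback?
const LOOPBACK_BLOCK = '127.0.0.0/8';
const SAMPLE = '0177.0.0.1';

function compareParsers(addressText = SAMPLE, cidr = LOOPBACK_BLOCK) {
  return {
    naive: inCidr(addressText, cidr, parseIPv4Naive),       // false: read as 177.0.0.1
    inetAton: inCidr(addressText, cidr, parseIPv4InetAton), // true: read as 127.0.0.1
    strict: inCidr(addressText, cidr, parseIPv4Strict),     // null: rejected as non-canonical
  };
}

console.log(compareParsers());
```

The naive and inet_aton parsers disagree on the very same string, which is the whole bug: whichever component makes the access decision sees one address and the socket layer sees another. The strict parser avoids the disagreement by refusing to decide, which is the safer default for an allow-list.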

Submission + - Flaws in Zoom's Keybase App Kept Chat Images From Being Deleted

chicksdaddy writes: The Security Ledger reports (https://securityledger.com/2021/02/exclusive-flaws-in-zooms-keybase-app-kept-chat-images-from-being-deleted/ ) that a flaw in Zoom’s Keybase (https://keybase.io/blog/keybase-joins-zoom) secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted, according to researchers from the group Sakura Samurai. (https://sakurasamurai.pro/)

The flaw in the encrypted messaging application, CVE-2021-23827 (https://johnjhacking.com/blog/cve-2021-23827/), does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services. It comes as millions of users have flocked to apps like Keybase, Signal and Telegram in recent months.

Sakura Samurai researchers Aubrey Cottle (@kirtaner), Robert Willis (@rej_ex) and Jackson Henry (@JacksonHHax) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, researcher John Jackson told Security Ledger.

In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”

“We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.

In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.

“An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”
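The check a forensic examiner would run against a cache directory like the one described in this submission, added here as an example and not code from Keybase or from the researchers: identify image files by their leading magic bytes rather than by their name, and flag entries whose extension does not say "image" but whose contents do. The directory listing is constructed in memory so the example runs offline, and the `.cachefile` extension is a placeholder, not the custom extension the researchers found.

```javascript
// Added example, not Keybase's code. Content-type sniffing by magic bytes:
// the check that shows a cache file is an image no matter what it is named.

const SIGNATURES = [
  { type: 'png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: 'jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'gif', magic: Buffer.from('GIF8', 'ascii') },
];

// Return 'png' | 'jpeg' | 'gif' when the buffer starts with a known image
// signature, or null when none matches.
function sniffImageType(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  return null;
}

// Given directory entries as { name, bytes }, return those whose bytes carry
// an image signature but whose file name does not use an image extension.
function findDisguisedImages(entries) {
  const imageExt = new Set(['png', 'jpg', 'jpeg', 'gif']);
  return entries
    .map((e) => ({ name: e.name, type: sniffImageType(e.bytes) }))
    .filter(({ name, type }) => {
      if (type === null) return false;
      const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
      return !imageExt.has(ext);
    });
}

// Constructed sample directory. ".cachefile" is a placeholder extension,
// not the one Keybase used; only the leading bytes matter to the sniffer.
const SAMPLE_ENTRIES = [
  { name: 'a1b2c3.cachefile', bytes: Buffer.concat([SIGNATURES[0].magic, Buffer.alloc(16)]) },
  { name: 'd4e5f6.cachefile', bytes: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]) },
  { name: 'index.cachefile', bytes: Buffer.from('{"entries":2}', 'utf8') },
  { name: 'logo.png', bytes: Buffer.concat([SIGNATURES[0].magic, Buffer.alloc(4)]) },
];

// Human-readable list of the disguised entries, e.g. "a1b2c3.cachefile (png)".
function disguisedNames(entries = SAMPLE_ENTRIES) {
  return findDisguisedImages(entries).map((e) => `${e.name} (${e.type})`);
}

console.log(disguisedNames());
```

Run against a real directory, the same functions would take `fs.readFileSync` output for each entry; reading only the first 16 bytes per file is enough for these signatures and keeps the scan cheap.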

Submission + - Researchers Test UN's Cybersecurity, Find Personal Data on 100k Employees

chicksdaddy writes: Independent security researchers testing the security of the United Nations were able to compromise public-facing servers and a cloud-based GitHub development account used by the U.N. and lift data on more than 100,000 staff and employees, according to a report by The Security Ledger (https://securityledger.com/2021/01/researchers-test-uns-cybersecurity-find-data-on-100k/).

Researchers affiliated with Sakura Samurai (https://sakurasamurai.pro/), a newly formed collective of independent security experts, exploited an exposed GitHub repository belonging to the International Labour Organization and the U.N.’s Environment Programme (UNEP) to obtain “multiple sets of database and application credentials” for UNEP applications, according to a blog post by one of the Sakura Samurai researchers, John Jackson, explaining the group’s work (https://johnjhacking.com/blog/unep-breach/).

Specifically, the group was able to obtain access to database backups for private UNEP projects that exposed a wealth of information on staff and operations. That includes a document with more than 1,000 U.N. employee names and emails; more than 100,000 employee travel records including destination, length of stay and employee ID numbers; more than 1,000 U.N. employee records; and so on.

The researchers stopped their search once they were able to obtain personally identifying information. However, they speculated that more data was likely accessible.

Submission + - Neopets is still a thing... and it's leaking lots of sensitive data

chicksdaddy writes: Neopets (http://www.neopets.com), a website that allows children to care for “virtual pets,” has exposed a wide range of sensitive data online including credentials needed to access company databases, employee emails, and even repositories containing the proprietary code for the site, according to information shared with The Security Ledger (https://securityledger.com/2020/12/neopets-is-still-a-thing-and-its-exposing-sensitive-data/).

The data includes the IP addresses of Neopets visitors, information that could be used to target Neopets users, according to independent researcher John Jackson (https://www.twitter.com/johnjhacks), who said he discovered the information after scanning the company’s website with a security tool.

Neopets is a “virtual pet website” that first launched in 1999. It permits users – many of them children – to care for virtual pets and buy virtual items for them using virtual points earned in-game (Neopoints) or with “Neocash” that can be purchased with real-world money or won in-game. Purchased by Viacom for $160 million in 2005, it was acquired in 2017 by the Chinese company NetDragon.

In an email to The Security Ledger, Jackson said that he noticed Neopets accounts being offered for sale on an online forum. That prompted him to run a scan on the Neopets site using a forensics tool. That scan revealed a Neopets subdomain that exposed the guts of the Neopets website. “We looked through and found employee emails, database credentials and their whole codebase,” he said.

Jackson shared screenshots of the Neopets directory as well as snippets of code captured from the site that suggest credentials were “hard coded,” or embedded in the underlying code of the website. Working with security researcher Nick Sahler (https://www.twitter.com/nicksahler), Jackson was able to download the website’s entire codebase, revealing database credentials, employee emails, user IP addresses and private code repositories. The two researchers also uncovered internal IP addresses and the underlying application logic for the entire Neopets application.

“This is extremely bad because even though we didn’t attempt to access PII (personally identifying information), with these codebases we can undoubtedly do so,” Jackson said. “They need to fix the root issues, otherwise they will suffer yet another threat-actor related breach.”

Neopets did not respond to requests for comment.

Comment Re:brand loyalty (Score 3, Interesting) 85

As the author of the story, not sure what you mean by Betteridge's Law: my headline doesn't pose a question. As to "what bad thing they would do", that might depend on who you are. If you're a research scientist or a senior executive at a corporation involved in R&D or mining and exploration, the back-doored TCL set is basically a surveillance node with both camera and mic. With access to a global network of similar devices, plus ML and AI to sort out the interesting bits of data from the uninteresting bits, the PRC and PLA could do _a lot_ - a lot of espionage, a lot of data mining, a lot of mischief. When you have Alibaba advertising "Uighur detection features" in its platform, it's pretty clear we're not dealing with business as usual with China-based, government-controlled firms.

Submission + - DHS Is Looking Into Backdoors in Smart TVs by China's TCL 2

chicksdaddy writes: The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets, The Security Ledger reports (https://securityledger.com/2020/12/dhs-looking-into-cyber-risk-from-tcl-smart-tvs/).

Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.” (https://www.dhs.gov/news/2020/12/21/acting-secretary-chad-f-wolf-remarks-prepared-homeland-security-and-china-challenge)

“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”

As reported last month (https://securityledger.com/2020/11/security-holes-opened-back-door-to-tcl-android-smart-tvs/), independent researchers John Jackson (@johnjhacking), an application security engineer for Shutterstock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets that would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaws could lead to serious critical information disclosure, the researchers warned.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.

In a statement to The Security Ledger, TCL disputed that account. (https://securityledger.com/2020/11/tv-maker-tcl-denies-back-door-promises-better-process/) By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.

In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).

This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.

“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.
