Table of Contents
- Pen Testing Ships. A year in review
- New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
- Zyxel Fixes 0day in Network Storage Devices
- Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data
- Google fixes Chrome zero-day flaw exploited in the wild
- Duplicator WordPress Plugin Vulnerability Exploited in the Wild
- Safari will no longer trust certs valid for more than 13 months
- Apple may be forced to disclose censorship requests from China
- Airbnb Just Launched New Surveillance Bugs To Make Sure Guests Behave
- MI5 chief asks tech firms for 'exceptional access' to encrypted messages
- Leaked reports show EU police are planning a pan-european network of facial recognition databases
- Privacy Concerns Raised Over New Google Chrome Feature
- New Mexico Sues Google for Mining Children's Data
- WhatsApp, Telegram Group Invite Links Leaked in Public Searches
- US, UK formally blame Russia for mass-defacement of Georgian websites
- FBI Makes Arrest in DDoS Attack on Candidate's Website
- Google plans to move UK users' accounts outside EU jurisdiction
- TSA Bans Employees From Using TikTok
- FBI Recommends Passphrases Over Password Complexity
- Romanian Hackers Sentenced
- Critical PayPal Security Hack: Multiple Thefts Now Reported–Check Your Settings
- Android App Fraud – Haken Clicker and Joker Premium Dialer
- New Mozart Malware Gets Commands, Hides Traffic Using DNS
- Raccoon Malware Steals Your Data From Nearly 60 Apps
- HackerOne's Bug Bounties Skyrocketed To $40 Million in 2019
- “We found PayPal vulnerabilities and PayPal punished us for it”
- Google's Jigsaw Assembler
- Defeating a Laptop's BIOS Password
- Slickwraps discloses data leak that impacted 850,000 user accounts
Pen Testing Ships. A year in review
PenTestPartners have spent the last year performing penetration tests for the International Maritime Organization, testing multiple ships and looking for vulnerabilities. As expected, the security of those systems is poor. "The more vessels we review, the more we see that ship operators genuinely believe there is an air gap between the traditional IT systems and the on-board OT. That is almost never the case. On only one of the fifteen or so vessels I've been on, there was a genuine air gap."
New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
Security researchers have discovered a new critical vulnerability in the OpenSMTPD mail server. An attacker can exploit it remotely to run shell commands as root on the underlying operating system. OpenSMTPD ships on many Unix-like systems, including FreeBSD, NetBSD, macOS and Linux distributions such as Alpine, Arch, Debian, Fedora and CentOS. The bug has been present since late 2015. Tracked as CVE-2020-8794, the remote code execution flaw is reachable in OpenSMTPD's default installation. The researchers explain that code execution with root privileges is possible only on OpenSMTPD versions released after May 2018; on earlier releases the injected shell commands run as a non-root user. The bug sits on the client side, in the code that talks to remote mail servers, and it can be exploited remotely even with a default configuration: the attacker sends a message that OpenSMTPD has to bounce, and when the server connects back to the attacker's mail server to deliver that bounce, the malicious server triggers the client-side vulnerability. The fix ships in OpenSMTPD 6.6.4p1, which the developer recommends installing "AS SOON AS POSSIBLE."
Zyxel Fixes 0day in Network Storage Devices
Based in Taiwan, Zyxel Communications Corp. (a.k.a. "ZyXEL") makes networking devices, including Wi-Fi routers, NAS products and hardware firewalls. KrebsOnSecurity learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security, and contacted Zyxel the same day with a copy of the exploit code and a description of the vulnerability. Zyxel's advisory includes additional mitigation instructions, including a proof-of-concept exploit that can power down affected Zyxel devices. Holden said a cybercrime forum seller going by "500mhz" was offering the Zyxel exploit for $20,000, although it is not clear whether the Emotet gang paid anywhere near that amount for access to the code. The vulnerability was assigned a CVSS score of 10.0.
Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data
A software developer built a malicious proof-of-concept iOS app that reads data temporarily saved to the device's clipboard. Any cut-and-paste data held in an iPhone or iPad's pasteboard can be read by every app installed on that device, malicious ones included. That data can reveal private information such as a user's GPS coordinates, passwords, banking data or a spreadsheet copied into an email. One caveat to the developer's research: iOS only lets an app read the clipboard while that app is active in the foreground, so a malicious app cannot quietly harvest the pasteboard from the background.
Google fixes Chrome zero-day flaw exploited in the wild
Duplicator WordPress Plugin Vulnerability Exploited in the Wild
Last week Snap Creek, the development team behind the popular Duplicator WordPress plugin, addressed a zero-day vulnerability that affected at least 1 million websites. Now researchers at security firm Wordfence are warning of a new wave of attacks attempting to exploit the vulnerability. The Duplicator plugin lets WordPress users migrate, copy, move or clone a site from one location to another and also serves as a simple backup utility; it has more than 15 million downloads and is active on over 1 million sites. Wordfence reports blocking over 60,000 attempts to download the wp-config.php file through this vulnerability. Of those 60,000 attempts, 50,000 occurred before February 12, prior to Snap Creek releasing a fix, which indicates the flaw was exploited in the wild as a zero-day.
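The activity Wordfence describes is an attacker pulling wp-config.php (database credentials and salts) out of the site through a file-download parameter that does not stop directory traversal. The scanner below, an added example for this digest and not Wordfence's or Snap Creek's code, picks those attempts out of a web server access log. Assumptions: the log lines are constructed in Apache/nginx combined format, the parameter name `file` and the action value `example_download` are placeholders (the page does not give the vulnerable endpoint), and an attempt is any decoded query value that climbs with `..` and ends in wp-config.php.

```python
"""Find wp-config.php path-traversal download attempts in an access log.

Added example for this digest; not code from Wordfence or Snap Creek.
The endpoint/parameter names in the sample log are placeholders.
"""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET = "wp-config.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample; 'example_download' and 'file' are assumed names.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [11/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_download&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2214
198.51.100.4 - - [11/Feb/2020:10:03:17 +0000] "GET /wp-admin/admin-ajax.php?action=example_download&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2214
192.0.2.77 - - [11/Feb/2020:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 59
192.0.2.78 - - [11/Feb/2020:10:05:30 +0000] "GET /wp-admin/admin-ajax.php?action=example_download&file=backup_20200211.zip HTTP/1.1" 200 10485760
203.0.113.9 - - [13/Feb/2020:08:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_download&file=../../../wp-config.php HTTP/1.1" 403 199
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a double-encoded '../'
    (%252e%252e%252f) is seen as '../'; stop once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_to(value: str, target: str = TARGET) -> bool:
    """True when the decoded value climbs directories with '..' and names the target file."""
    path = fully_decode(value).replace("\\", "/")   # treat backslashes as separators too
    parts = path.split("/")
    return ".." in parts and posixpath.basename(posixpath.normpath(path)) == target


def scan_access_log(text: str) -> list:
    """One finding per request carrying a traversal to the target in any query parameter.
    The HTTP status tells you whether the pull likely succeeded (200) or was
    blocked after patching/WAF rules (403)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl decodes one layer; fully_decode handles the rest.
        for name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            if is_traversal_to(value):
                findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                                 "param": name, "decoded": fully_decode(value)})
                break
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

A 200 on such a request before the plugin was updated is the signal to rotate the database password and the WordPress salts, since the file's contents should be assumed stolen.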
Safari will no longer trust certs valid for more than 13 months
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser. The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule. By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements - or risk breaking pages on a billion-plus devices and computers. No public announcement has been made by Apple, it seems. Digicert's Dean Coclin has issued a memo about the policy.
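The rule as reported has three parts: a cut-off date, a maximum validity period, and an exemption for certificates issued before the cut-off. The check below, an added example for this digest and not code from The Register, Apple or the CA/Browser Forum, encodes exactly those three parts using only the Python standard library. It reads the same notBefore/notAfter strings that `ssl.SSLSocket.getpeercert()` returns, so it works both on the constructed samples and on a live server; one assumption is that the validity period is measured as notAfter minus notBefore, since the page does not reproduce the policy's exact day-counting convention.

```python
"""Apply the reported 398-day rule to a certificate's validity window.

Added example for this digest; not code from The Register, Apple or the
CA/Browser Forum. Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone

MAX_DAYS = 398                                             # limit named in the article
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)   # "from September 1"
SECONDS_PER_DAY = 86400


def validity_days(not_before: str, not_after: str) -> float:
    """Lifetime in days between two getpeercert()-style timestamps such as
    "Feb 26 00:00:00 2020 GMT". Assumption: notAfter minus notBefore; the
    policy's exact inclusive-day arithmetic is not on the page, so certs
    within a day of the limit deserve a manual look."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / SECONDS_PER_DAY


def safari_verdict(cert: dict) -> str:
    """'legacy-ok' for certs issued before the cut-off (rule does not apply),
    'ok' for post-cut-off certs within 398 days, 'rejected' otherwise."""
    issued_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued_at < POLICY_START:
        return "legacy-ok"
    days = validity_days(cert["notBefore"], cert["notAfter"])
    return "rejected" if days > MAX_DAYS else "ok"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Pull a live server's leaf certificate (needs network; unused by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples, not real certificates.
SAMPLES = {
    "two-year, issued after cut-off": {
        "notBefore": "Oct 15 00:00:00 2020 GMT", "notAfter": "Oct 15 00:00:00 2022 GMT"},
    "exactly 398 days, after cut-off": {
        "notBefore": "Oct 15 00:00:00 2020 GMT", "notAfter": "Nov 17 00:00:00 2021 GMT"},
    "399 days, issued on cut-off day": {
        "notBefore": "Sep 01 00:00:00 2020 GMT", "notAfter": "Oct 05 00:00:00 2021 GMT"},
    "two-year, issued before cut-off": {
        "notBefore": "Mar 10 00:00:00 2020 GMT", "notAfter": "Mar 10 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        days = validity_days(cert["notBefore"], cert["notAfter"])
        print(f"{label:34s} {days:6.0f} days -> {safari_verdict(cert)}")
```

To audit a real host, pass `fetch_peer_cert("example.com")` to `safari_verdict`; the default context validates the chain, so an untrusted certificate raises before any verdict is produced.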
Apple may be forced to disclose censorship requests from China
Apple could be forced to disclose details of censorship requests from China and other nations after two major shareholder groups backed a proposal that would force the tech firm to make new human rights commitments. If approved by investors, the scheme could have implications beyond China and potentially expose details of tensions between Apple and other jurisdictions. The California-headquartered tech giant has regularly clashed with the US government, including most prominently over requests for iPhones to be unlocked. In 2017, it removed several virtual private network (VPN) apps, which were used by Chinese citizens to bypass state censorship apparatus. And last year the company removed HKMap.Live, a controversial crowdsourced mapping app that was being used by Hong Kong protesters to track police activity. The company currently publishes transparency data disclosing the number of government requests it receives by country for customer data and app removal. For instance, Apple reported that between January and June last year, 288 apps were removed in mainland China for "legal" or "platform" violation. Apple stated that the majority of these requests related to pornography, "illegal content" and gambling.
Airbnb Just Launched New Surveillance Bugs To Make Sure Guests Behave
Airbnb, the world's leading short-term rental platform has put aside the stories of hosts secretly spying on guests to promote a range of guest surveillance devices. "We want to help you protect your space, maintain the privacy of your guests, and preserve your relationship with neighbors," the company says on its website. "This means helping you detect issues in real time." Airbnb is encouraging its hosts to purchase noise surveillance devices in an effort to crack down on parties. As part of its "party prevention" campaign, the home-sharing service is offering discounts on devices designed to alert hosts when there's an irregular level of noise in their homes.
MI5 chief asks tech firms for 'exceptional access' to encrypted messages
Sir Andrew Parker says cyberspace is 'inaccessible to authorities' and spies need access to stop serious harm. MI5's director general has called on technology companies to find a way to allow spy agencies "exceptional access" to encrypted messages, amid fears they cannot otherwise access such communications. Sir Andrew Parker is understood to be particularly concerned about Facebook, which announced plans last March to introduce end-to-end encryption across all the social media firm's services. The result, he says, is that cyberspace has become "a wild west, unregulated, inaccessible to authorities", as he repeated calls that Britain's spy agencies have made in recent years for special access to encrypted messages. In November 2018, Ian Levy, the technical director of GCHQ's National Cyber Security Centre, proposed that tech companies send spy agencies a copy of encrypted messages when requested under a warrant, a technique known as the "ghost protocol". That was rejected six months later by a group of technology companies, including Apple and WhatsApp, which said it would risk misleading users because it would secretly turn "a two-way conversation into a group chat where the government is the additional participant". That controversy led tech companies to begin developing stronger privacy protections, using end-to-end encryption of the type that, in theory, is very difficult for law enforcement agencies to access without knowledge of the encryption key.
Leaked reports show EU police are planning a pan-european network of facial recognition databases
According to leaked internal European Union documents, the EU could soon be creating a network of national police facial recognition databases. A report drawn up by the national police forces of 10 EU member states, led by Austria, calls for the introduction of EU legislation to introduce and interconnect such databases in every member state. The report, which The Intercept obtained from a European official who is concerned about the network's development, was circulated among EU and national officials in November 2019. If previous data-sharing arrangements are a guide, the new facial recognition network will likely be connected to similar databases in the U.S., creating what privacy researchers are calling a massive transatlantic consolidation of biometric data.
Privacy Concerns Raised Over New Google Chrome Feature
With the release of Google Chrome 80, Google quietly slipped in a new feature that allows users to create a link directly to a specific word or phrase on a page. A Brave Browser researcher, though, sees this as a potential privacy risk and is concerned Google added it too quickly. A new web feature created by Google called 'Scroll To Text Fragment' allows users to create links to a specific word on a web page and automatically highlight it. At first glance, this feature seems very useful as it makes it easy to share specific locations on a web page with someone else. Brave Browser security researcher Peter Snyder, though, thinks this feature introduces privacy risks that Google did not address before making the feature live.
New Mexico Sues Google for Mining Children's Data
Google is facing a new lawsuit for allegedly using its Google for Education platform to gather personal and private data from students under the age of thirteen. As part of the Google for Education platform, United States schools are offered free Google Chromebooks and access to the G Suite for Education service. This service gives students access to Gmail, Classroom, online word processing and presentation applications to do schoolwork and homework, communicate with teachers and submit assignments. In a lawsuit filed Thursday, New Mexico Attorney General Hector Balderas alleges that Google uses Google Education to get around the federal restriction (COPPA) on collecting personal data from children under 13 without parental consent, and to mine the data of the students who use it. "Outside of its Google Education platform, Google forbids children under the age of 13 in the United States from having their own Google accounts. But Google attempts to get around this by using Google Education to secretly gain access to troves of information about New Mexican children that it would not otherwise have," the lawsuit states. "G Suite for Education allows schools to control account access and requires that schools obtain parental consent when necessary. We do not use personal information from users in primary and secondary schools to target ads. School districts can decide how best to use Google for Education in their classrooms and we are committed to partnering with them," a Google spokesperson told BleepingComputer.
WhatsApp, Telegram Group Invite Links Leaked in Public Searches
Invite links for WhatsApp and Telegram groups that may not be intended for public access can be found through simple lookups on popular web search engines, including links to groups for illegal porn, far-right and anti-government movements. Sharing an invite link on the surface web (the part of the internet indexed by conventional search engines) is a sure way to have it indexed by public search services. Google's public search liaison Danny Sullivan explained that this is normal behavior, the same as when "a site allows URLs to be publicly listed." It is unclear whether the admins made the invite links discoverable knowingly or in error.
US, UK formally blame Russia for mass-defacement of Georgian websites
The US and UK governments have issued official statements today formally accusing Russia's military intelligence agency, the GRU, of carrying out a coordinated cyber-attack on thousands of Georgian websites in October 2019. The US statement reads, in part: On October 28, 2019, the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST, also known as Unit 74455 and Sandworm) carried out a widespread disruptive cyberattack against the country of Georgia. The incident, which directly affected the Georgian population, disrupted operations of several thousand Georgian government and privately-run websites and interrupted the broadcast of at least two major television stations. This action contradicts Russia's attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions. The United States calls on Russia to cease this behavior in Georgia and elsewhere. The stability of cyberspace depends on the responsible behavior of nations. We, together with the international community, will continue our efforts to uphold an international framework of responsible state behavior in cyberspace. Russia's Foreign Ministry denied the allegations. "Russia did not plan and is not planning to interfere in Georgia's internal affairs in any way," the RIA news agency cited Deputy Foreign Minister Andrei Rudenko as saying.
FBI Makes Arrest in DDoS Attack on Candidate's Website
The FBI has arrested a suspect charged in connection with distributed denial-of-service attacks against the campaign website of an unsuccessful 2018 Democratic candidate for the U.S. House in California. The suspect, Dam, was arrested on charges of "intentionally damaging and attempting to damage a protected computer." As a result of the incident, the victim reported spending between $27,000 and $30,000 to restore systems and saw a reduction in campaign donations, according to the FBI. The DDoS attacks originated from an Amazon Web Services account used by Dam, the complaint says. The FBI says it found that Dam had conducted "extensive research" on the victim as well as on various types of cyberattacks, including DDoS attacks and DNS amplification attacks. Web-hosting service SiteGround, which hosted the victim's website, informed the campaign about observed DDoS activity, according to the complaint. SiteGround told the victim that the high levels of activity could be due either to a malicious DDoS attack or to the "Slashdot effect," in which a popular website links to a smaller site and directs large amounts of traffic to it. The FBI investigated 61 of the IP addresses involved in the DDoS attack and found that all of them were tied to AWS, the filing said, adding that AWS tied 46 of those IP addresses to a single account. Earlier this month, the FBI warned that attackers were trying to disrupt one state's voter registration website with a DDoS attack.
Google plans to move UK users' accounts outside EU jurisdiction
Google is planning to move its British users' accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, the company confirmed late on Wednesday. Alphabet Inc's Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans. Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world's most aggressive data protection regimes, the General Data Protection Regulation. If British Google users had their data kept in Ireland, it would be more difficult for British authorities to obtain it in criminal investigations. The recent CLOUD Act in the United States, however, is expected to make it easier for British authorities to obtain data from U.S. companies. Britain and the United States are also on track to negotiate a broader trade agreement.
TSA Bans Employees From Using TikTok
The Transportation Security Administration told employees to stop posting to TikTok on Sunday, after New York Senator Chuck Schumer raised security concerns about the China-owned app. The Verge reports: The TSA's announcement to ban employees from using TikTok came shortly after Sen. Chuck Schumer (D-NY) penned a letter to its administrator, David Pekoske, requesting that the agency halt its use. According to The Hill, TSA employees have used TikTok to create and post videos explaining some of the agency's boarding processes and rules. The Department of Homeland Security, which houses the TSA, banned the use of TikTok from government-issued devices last month. Schumer cited this policy in his letter on Saturday. In December, the US Army banned soldiers from using the app too. "TSA has never published any content to TikTok nor has it ever directed viewers to TikTok," a TSA spokesperson told The Verge. "A small number of TSA employees have previously used TikTok on their personal devices to create videos for use in TSA's social media outreach, but that practice has since been discontinued."
FBI Recommends Passphrases Over Password Complexity
For more than a decade now, security experts have had discussions about what's the best way of choosing passwords for online accounts. There's one camp that argues for password complexity by adding numbers, uppercase letters, and special characters, and then there's the other camp, arguing for password length by making passwords longer. This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office leaned on the side of longer passwords. "Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said. "This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."
Romanian Hackers Sentenced
In 2007, an Ohio woman wired thousands of dollars to an eBay seller thinking she was buying a used car. The car never arrived. When she went to her local police department, the listing did not appear on the officers' computers. That's because the woman had been on a fraudulent version of the online auction site that mimicked the real one. Members of the Bayrob criminal enterprise infected thousands of computers with malware and stole millions of dollars. A break finally came when a Bayrob participant accidentally logged into his personal email instead of his criminal one. AOL, which was investigating his abuse of their network, connected the two accounts. That personal account led to online profiles in Romania and on social media, essentially the first action tying one of the suspects to the crimes. That small mistake helped set investigators, in partnership with the Romanian National Police, on a path toward discovering the identities of all three hackers.
Critical PayPal Security Hack: Multiple Thefts Now Reported–Check Your Settings
"We have found a serious issue in PayPal's contactless payment," security researcher Markus Fenske explained. According to multiple reports, the issue is behind thefts over recent days from numerous German PayPal users: fraudulent transactions with U.S. stores. Both the researchers' finding and the German thefts appear linked to the way Google Pay is set up on a PayPal user's account. The security researchers say the attack vector they disclosed "is not limited in validity or amount," and the thefts in Germany are reported to run to as much as €1,000 per transaction.
Android App Fraud – Haken Clicker and Joker Premium Dialer
The infamous Joker malware has again found a way past the security checks required to be published in the official Play Store, and a new clicker family has been found alongside it. In January, Google revealed it had removed more than 1,700 apps infected with Joker from the Play Store over the past three years. Recent versions of Joker were used for toll fraud, which tricks victims into subscribing to or purchasing various types of content via their mobile phone bill. The malware is under constant development, and the new samples found in the official Play Store were specifically designed to evade Google's store checks. Check Point researchers recently discovered a new clicker malware family, named "Haken", along with fresh samples of the Joker spyware in Google Play. The four new samples they found in the Play Store had been downloaded over 130,000 times.
New Mozart Malware Gets Commands, Hides Traffic Using DNS
A new backdoor called Mozart uses the DNS protocol to communicate with its operators, evading detection by security software and intrusion detection systems. Communicating over HTTP/S has a drawback for malware: security software routinely inspects that traffic for malicious activity and, if it detects something, blocks both the connection and the malware that made the request. The Mozart backdoor, discovered by MalwareHunterTeam, instead receives its instructions over DNS: the attackers store commands in DNS TXT records, which the malware looks up and then executes on the infected computer.
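Because DNS is rarely blocked outbound, the place to catch this is the resolver's query log. The heuristic below is an added example for this digest, not MalwareHunterTeam's or BleepingComputer's code: it flags a client that keeps asking for TXT records under one domain, and distinguishes that from a mail gateway re-checking the same SPF or DMARC record by looking at how many distinct names are queried. The page does not describe Mozart's exact query pattern, so the unique-label ratio is a general DNS-C2 heuristic rather than a Mozart signature; the log lines are constructed and the four-column layout (time, client, qname, qtype) is an assumption, not any resolver's native format.

```python
"""Flag hosts polling DNS TXT records in a way consistent with command retrieval.

Added example for this digest; not MalwareHunterTeam's or BleepingComputer's code.
Thresholds and the log format are assumptions to be tuned per environment.
"""
from collections import defaultdict

MIN_TXT_QUERIES = 5       # assumption: minimum TXT lookups before we care
MIN_UNIQUE_RATIO = 0.8    # assumption: near 1.0 when each poll uses a fresh label

# Constructed sample. 10.0.0.57 polls a fresh label under one domain every 30s;
# 10.0.0.80 re-queries a single DMARC record (benign-looking, low ratio).
SAMPLE_DNS_LOG = """\
2020-02-25T09:00:01 10.0.0.12 mail.example.org TXT
2020-02-25T09:00:03 10.0.0.12 www.example.org A
2020-02-25T09:05:01 10.0.0.12 mail.example.org TXT
2020-02-25T09:00:10 10.0.0.57 a1f9c0.cmd.attacker-c2.test TXT
2020-02-25T09:00:40 10.0.0.57 b77e21.cmd.attacker-c2.test TXT
2020-02-25T09:01:10 10.0.0.57 09d3aa.cmd.attacker-c2.test TXT
2020-02-25T09:01:40 10.0.0.57 c4e5f6.cmd.attacker-c2.test TXT
2020-02-25T09:02:10 10.0.0.57 7b8c9d.cmd.attacker-c2.test TXT
2020-02-25T09:02:40 10.0.0.57 e0f1a2.cmd.attacker-c2.test TXT
2020-02-25T09:00:15 10.0.0.80 _dmarc.partner.example TXT
2020-02-25T09:00:45 10.0.0.80 _dmarc.partner.example TXT
2020-02-25T09:01:15 10.0.0.80 _dmarc.partner.example TXT
2020-02-25T09:01:45 10.0.0.80 _dmarc.partner.example TXT
2020-02-25T09:02:15 10.0.0.80 _dmarc.partner.example TXT
2020-02-25T09:02:45 10.0.0.80 _dmarc.partner.example TXT
"""


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess (last two labels). Real deployments
    should consult the Public Suffix List; assumption: adequate for the sample."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname, qtype) from the assumed four-column format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.lower(), qtype.upper()


def find_txt_beacons(log_text: str, allowed_domains=frozenset()) -> list:
    """One finding per (client, domain) whose TXT lookups look like command polling:
    enough queries, and mostly distinct names (cache-busting labels)."""
    stats = defaultdict(lambda: {"count": 0, "names": set()})
    for _ts, client, qname, qtype in parse_dns_log(log_text):
        if qtype != "TXT":
            continue
        domain = base_domain(qname)
        if domain in allowed_domains:       # e.g. domains your MTA legitimately checks
            continue
        entry = stats[(client, domain)]
        entry["count"] += 1
        entry["names"].add(qname)

    findings = []
    for (client, domain), entry in sorted(stats.items()):
        ratio = len(entry["names"]) / entry["count"]
        if entry["count"] >= MIN_TXT_QUERIES and ratio >= MIN_UNIQUE_RATIO:
            findings.append({"client": client, "domain": domain,
                             "txt_queries": entry["count"],
                             "unique_names": len(entry["names"])})
    return findings


if __name__ == "__main__":
    for f in find_txt_beacons(SAMPLE_DNS_LOG):
        print(f)
```

In production, feed this from the resolver's own query log rather than endpoint logs (the malware may use a hard-coded resolver), add the size and entropy of TXT answers as a second signal, and keep the allowlist short: ordinary workstations have almost no reason to issue TXT queries at all.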
Raccoon Malware Steals Your Data From Nearly 60 Apps
An infostealer that is relatively new on cybercriminal forums can extract sensitive data from about 60 applications on a targeted computer. The malware was first seen in the wild in April 2019 and is distributed under the MaaS (malware-as-a-service) model for $75/week or $200/month. For this money, the attackers get access to an administration panel that lets them customize the malware, access stolen data, and download builds of the malware. It can steal sensitive and confidential information from almost 60 programs (browsers, cryptocurrency wallets, email and FTP clients); among email clients, Raccoon looks for data from at least Thunderbird, Outlook and Foxmail. Additional capabilities include collecting system details (OS version and architecture, language, hardware info, a list of installed apps). The malware can also act as a dropper for other malicious files, essentially turning it into a stage-one attack tool. Recorded Future noted in a report from July 2019 that it was one of the best-selling malware families in the underground economy.
HackerOne's Bug Bounties Skyrocketed To $40 Million in 2019
Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. From a report: Moreover, the company announced that its community almost doubled in the past year to 600,000 registered hackers. The announcement comes as the cybersecurity industry struggles with a workforce shortage, which is in turn compounded by growing cyberattacks that could cost the industry $6 trillion by 2021. As companies invest significant resources in battling external threats, HackerOne aims to pay good actors to find bugs before bad actors enter the fray, reducing the need for costly remediation measures further down the line. Founded in 2012, HackerOne essentially connects companies with security researchers, or "white hat hackers," who receive cash incentives to find and report software vulnerabilities.
“We found PayPal vulnerabilities and PayPal punished us for it”
Researchers complain about the HackerOne platform and about reporting vulnerabilities to PayPal: issues they reported were fixed without crediting them, or were marked as duplicates and closed. In the blog post they describe their findings and PayPal's response.
Google's Jigsaw Assembler
A few weeks ago, a working group within Google called "Jigsaw" announced a new endeavor called "Assembler". Google's Jigsaw Assembler is meant to help detect deepfake image and video alterations. Of course, most media outlets grabbed the headline, jumped to the wrong conclusion, and ran with a half-accurate story. The author of the FotoForensics website wrote a blog post criticizing the media coverage and the project's focus on deepfakes instead of the far more common conventionally altered images.
Defeating a Laptop's BIOS Password
Researchers have found a way to bypass the BIOS password on laptops from an unnamed vendor. Since the disclosure deadline passed with no fix, they have published their findings on GitHub.
Slickwraps discloses data leak that impacted 850,000 user accounts
Slickwraps has disclosed a data breach that impacted over 850,000 user accounts; the data was accidentally exposed due to security vulnerabilities. Slickwraps is an online store that sells skins for mobile devices, laptops, smartphones, tablets and gaming consoles. The leak was disclosed last week: on February 21st the company said that customer records had been accidentally exposed online via an exploit. Exposed records include names, email addresses, physical addresses, phone numbers and purchase histories. "On February 21st, we discovered customer data in some of our non-production databases was mistakenly made public via an exploit." The company confirmed that records were accessed by an unauthorized party, but pointed out that the exposed data did not contain passwords or personal financial data. The message the attacker sent to customers included part of the exposed user data and suggested customers contact the company. A security researcher who had found the exposure reported the incident to the FBI; the company identified the exploit and secured the vulnerable servers that were exposing the customers' data. February 21st, 2020 - The exploit was repaired and all data is secured. The exposed records have been added to the Have I Been Pwned data breach notification service operated by Troy Hunt.