STE WILLIAMS

Excuse me, but your website’s source code appears to be showing

An internet-wide scan on 230 million domains found 390,000 exposed source code directories.

The results, obtained by security researcher Vladimír Smitka, are a problem because the .git folder of a version-control repository contains a lot of information about the website’s structure, or worse.

“Sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on,” Smitka said. “This data shouldn’t be stored in the repository, but… I have found many many developers that do not follow these best practices.”

There are exceptions where the repository’s accessibility isn’t a problem – all the content is already shared on GitHub, or it is composed of only a few static files. In most cases, however, such exposure, inadvertent or not, creates an unnecessary risk.

“If you use git to deploy your site, you shouldn’t leave the .git folder in a publicly accessible part of the site,” Smitka advised. “If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world.”
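As an added example (not from Smitka’s write-up or the article), a small self-check a site owner can run after blocking the .git folder: it requests /.git/HEAD and tells a genuine git HEAD file apart from a catch-all “200 OK” page, which is the false-positive case Smitka’s scan had to filter out. The check function, its return labels and the sample responses are assumptions for illustration.

```python
"""Self-check: is this site's .git directory reachable from the outside?"""
import re
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/master") or,
# for a detached HEAD, a bare 40-hex commit id. Anything else returned with
# a 200 is almost certainly a catch-all page, not a repository.
_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")


def classify_head_response(status: int, body: bytes) -> str:
    """Classify an HTTP response for /.git/HEAD.

    Returns one of (labels are assumptions for this example):
      "exposed"  - a genuine git HEAD file came back: the repository is reachable
      "blocked"  - the server refused the path or has nothing there (401/403/404)
      "soft-404" - a 200 with non-git content (catch-all page): a false positive
      "unknown"  - any other status code
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unknown"
    text = body.decode("utf-8", errors="replace").strip()
    if _HEAD_RE.match(text):
        return "exposed"
    return "soft-404"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD and classify it (run against sites you administer)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Only the first few bytes are needed to recognise a HEAD file.
            return classify_head_response(resp.status, resp.read(256))
    except urllib.error.HTTPError as err:
        return classify_head_response(err.code, b"")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    # Constructed sample responses, so the classifier can be exercised offline.
    samples = [
        (200, b"ref: refs/heads/master\n"),
        (200, b"<!DOCTYPE html><html><body>Welcome</body></html>"),
        (403, b""),
    ]
    for status, body in samples:
        print(status, classify_head_response(status, body))
```

A result of "exposed" means the web server is still serving the repository and the deny rule for /.git has not taken effect; "soft-404" means the server answers every path with a page, which fools naive scanners but does not by itself prove the folder is unreachable.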

Smitka ran the worldwide scan after completing smaller ones in the Czech Republic and neighbouring Slovakia. The global effort turned out to be a much tougher task that was stymied by tar pits, response timeouts and various other cyber-logistical problems.

The whole effort took around four weeks. Smitka then set about the semi-automated process of drawing up an email list, and notifying developers at affected sites about his discoveries and remediation advice, receiving a mixed response to his efforts.

“After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue,” Smitka reported. “I have received almost 2,000 thank-you emails, 30 false positives, two scammer/spammer accusations, and one threat to call the Canadian police.”

In his write-up, Smitka went on to break down the prevalence of potentially insecure systems uncovered through his scan by programming language, web server, operating system and other metrics. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/04/web_site_source_code_disclosure/

Five steps that raise your security defences to the next level

Reg Webcast It’s a big bad world out there. Ransomware attacks are taking over as first among IT security worries, cryptojackers are hacking hardware to mine bitcoin holders’ assets and phishing websites are becoming more ingenious than ever.

To make matters worse, the dark web is helping cybercriminals to flourish as they exchange their tips and techniques, the better to rob businesses large and small.

So how do you keep on top of an escalating and fast-changing wave of IT security threats? Who are the cybercriminals trying to target organisations like yours and where is an attack likely to come from?

As many well-primed organisations already know, information is power. But you can’t just deploy a threat intelligence capability that links data feeds into a security incident and event management system, then sit back and relax.

In this Reg webinar, we bring together industry and domain experts to look at the five strands of activity that can help you bring your threat intelligence up to a higher level and strengthen your control.

The webinar covers the following strategies:

  • Evaluate the various threat intelligence options on the market
  • Be aware that one size does not fit all
  • Decide whether an on-premise or cloud solution best fits your organisation
  • Set reasonable expectations for your new system
  • Remember that attack is the best form of defence

If you are looking to move your threat intelligence from passive and reactive to pre-empting security challenges before they happen, tune in and bring any questions you may have.

Register here, and we’ll remind you to tune in before we go live. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/04/five_steps_that_raise_your_security_defences_to_the_next_level/

Thousands of misconfigured 3D printers on interwebz run risk of sabotage

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.

Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.

“These printers are controlled using the open source software package ‘OctoPrint’ but it’s likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way,” Mertens explained.

OctoPrint is a web interface for 3D printers that allows users to control and monitor the printer. As things stand, many OctoPrint instances are not properly configured and do not enforce authentication, according to Mertens. Once they have access to the printer, an attacker would be able to download the files that describe parts being printed.

Some of these G-code files may be proprietary, copyrighted or contain trade secrets. An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are “weakened” to produce substandard or unsafe parts.

In response to questions from The Register, an OctoPrint dev emphasised the need for user education.

“This really has nothing to do with ‘lack of security controls’, the controls (e.g. ACL) are there, it’s been recommended over and over again that users should NOT just port forward! The problem here is users going out of their way to expose internal services on the public net.

“There’s no way to prevent people from exposing internal services on the net. I try to educate, I’m working on yet another prominent warning, but I can’t force people to perform proper (and inconvenient) network security.”

3D printers are used to make anything from toys to medical components so if a part’s dimensions were meddled with, it could have serious safety implications.

“The problem is not related to the printer, rather if OctoPrint is incorrectly configured and left open on the internet,” Mertens told El Reg. In addition, some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.

Mertens said both 3D printers and the files for parts being printed can be protected by ensuring network segmentation; enabling the security controls provided by the tool; and other access controls.

More on his thoughts on the subject can be found in an ISC blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/04/3d_printers_hackable/

Google cracks down on dodgy tech support ads

Google has placed restrictions on tech support ads after admitting it’s increasingly hard to tell promos for legit services from deceptions.

Tech support scams come via either cold calls to unsuspecting users or bogus web pages showing made-up, fake alert messages usually about dummy virus infections. Cold-callers posing as techies from Microsoft attempt to trick targets into thinking they have a problem with their PC.

Both efforts are geared towards getting marks to subscribe to high-priced subscription services they don’t need or worse. The potential returns are rich enough for scammers to invest in ads, which evidently pass muster.

In response, Google has introduced restrictions on ads in the tech support category worldwide ahead of the rollout of a verification programme, as explained in a blog post by David Graff, Google’s director of global product policy.

We’ve seen a rise in misleading ad experiences stemming from third-party technical support providers and have decided to begin restricting ads in this category globally. For many years, we’ve consulted and worked with law enforcement and government agencies to address abuse in this area. As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers.

That’s why in the coming months, we will roll out a verification program to ensure that only legitimate providers of third-party tech support can use our platform to reach consumers.

These efforts alone won’t stop all bad actors trying to game our advertising systems, but it will make it a lot harder.

Google said that last year it took down more than 3.2 billion ads that violated its advertising policies. It has banned ads for payday loans and bail bonds services — and developed advanced verification programmes to fight fraud in areas like local locksmith services and addiction treatment centers.

Plenty of firms offer SEO services for tech support, usually as one of many potential services. These consultancies will be affected by Google’s clampdown, which evidence from fraud reporting centers suggested is justified and perhaps even overdue.

In 2017, the FBI’s Internet Crime Complaint Centre received approximately 11,000 complaints related to tech support fraud. The claimed losses amounted to nearly $15m, which represented an 86 per cent increase from 2016.

The March 2018 sitrep goes on to report that scammers have invested upfront in ads – among other tactics – in a bid to pull in more victims.

“Individuals in need of tech support may use online search engines to find technical support companies. Criminals pay to have their fraudulent tech support company’s link show higher in search results hoping victims will choose one of the top links in search results.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/03/tech_support_ads/

Google quietly bought Mastercard credit and debit card records

It’s common knowledge that Google knows when we click on ads. But now, it also knows what we buy in brick-and-mortar shops, due to a previously unreported deal it cut with Mastercard to get our transaction histories, Bloomberg has discovered.

The offline credit card spending data, which anonymous Google insiders said cost millions of dollars, gives Google an unprecedented advantage over competitors such as Amazon, by helping it track users’ offline spending in stores.

The deal hasn’t been made public. The two companies reportedly hammered it out over the course of four years, according to four people with knowledge of the agreement, three of whom worked directly on it.

Mastercard has denied suggestions that the data could be used to identify exact purchases, but the Open Rights Group told the BBC that the confidential nature of the deal raises privacy issues.

Open Rights Group legal director Myles Jackman wondered – given that Google can now tell advertisers that people’s clicking on ads led to actual store sales – whether the company will cut any of those people in on the profit:

This raises serious concerns regarding the use of private financial data. Will Mastercard be compensating their clients for the data they have given away to Google for their own financial gain?

Don’t count your micropayments before they microhatch: The answer, of course, is that it will likely be a cold day in retail hell before that happens.

Christine Bannan, counsel with Electronic Privacy Information Center (EPIC), told Bloomberg that this is surprising news for consumers, and it’s not coming with enough context regarding what’s being done with our data or what we can do about it:

People don’t expect what they buy physically in a store to be linked to what they are buying online. There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.

At any rate, both Mastercard and Google are claiming that shoppers’ individual details aren’t being tied to the buying profiles.

A Mastercard spokesman told Bloomberg that the payment company shares transaction trends with merchants and their service providers to help them measure “the effectiveness of their advertising campaigns.” He said that the information – including sales volumes and average purchase size – is shared only with merchants’ permission, and that it’s not tied to individuals:

No individual transaction or personal data is provided. We do not provide insights that track, serve up ads to, or even measure ad effectiveness relating to, individual consumers.

Google declined to comment on the partnership, but it did address a powerful new ads tool – called Store Sales Measurement – that its select partners have accessed over the past year. The tool lets retailers track whether their online ads led to a sale at a physical store in the US: information reliant on a “stockpile of Mastercard transactions” that Google purchased, according to Bloomberg.

From a statement about the anonymization in Store Sales Measurement, provided by a Google spokeswoman:

Before we launched this beta product last year, we built a new, double-blind encryption technology that prevents both Google and our partners from viewing our respective users’ personally identifiable information.

We do not have access to any personal information from our partners’ credit and debit cards, nor do we share any personal information with our partners.

People can opt out of ad tracking using Google’s Web and App Activity controls, the company said.

Mastercard likewise told the BBC that the data it provides to retailers – via its own “media measurement services” – is stripped of personally identifiable information (PII):

We only provide merchants and their designated service providers trends based on aggregated and anonymized data, such as the merchant’s average ticket size and sales volumes.

The “it’s anonymized” line is a familiar one, and it’s one that Big Data researchers love to skewer by doing things like pinpointing people after looking at a bunch of supposedly anonymized credit card transactions.

Bloomberg reports that multiple Google staffers objected to the fact that the Web and App Activity control didn’t provide people with a more obvious way for cardholders to opt out of this kind of tracking.

In the past year, we’ve seen Google employees protest work on both a censored search engine for China and artificial intelligence-enhanced targeting of drone strikes for the Pentagon.

Will Google employees similarly raise ruckus over Google’s hush-hush deal with Mastercard? If so, we’ll let you know.

In the meantime, it’s unknown whether Google has struck similar deals with other payment companies, though one of Bloomberg’s sources said that it’s approached other credit card companies. What we do know is what Google has already bragged about: it claims to have access to about 70% of US credit and debit cards information, shared through partners, though it hasn’t named those partners.

Make of that what you will, but it sounds like Google has brokered its way into knowing an awful lot about the majority of US consumers’ spending activity and is on track to know the same about even more of us. From Bloomberg:

That 70 percent could mean that the company has deals with other credit card companies, totaling 70 percent of the people who use credit and debit cards. Or it could mean that the company has deals with companies that include all card users, and 70 percent of those are logged into Google accounts like Gmail when they click on a Google search ad.

Google has approached other payment companies about the program.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rT2kdUFuZWY/

Possible Satori botnet hacker indicted by Feds

A 20-year-old man has been indicted for computer crimes by a federal court in Alaska. Evidence suggests that he could be linked to the Satori botnet that exploited a previously unknown bug in a Huawei router. If so, one of the most virulent botnets in recent times might have been engineered not by a sophisticated organized criminal or nation state actor, but by a relatively inexperienced dabbler who happened across a zero-day vulnerability.

Kenneth Currin Schuchman of Vancouver, Washington, has been indicted in an Alaskan federal court on two charges. Firstly, from August through November 2017, he allegedly:

Knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers; the offense caused damage affecting 10 or more protected computers during a 1-year period.

The second charge mirrors the first but focuses on a specific unnamed victim. Both of these offenses happened in Alaska, the indictment alleges.

Possible Satori link

Reporting by the Daily Beast speculates that Schuchman may have created the Satori botnet. This botnet, also tracked as Okiru, was identified in the wild on November 23 2017 exploiting a zero-day vulnerability in Huawei HG532 routers.

The person responsible for the Satori botnet went by the online handle Nexus Zeta. One security researcher on Twitter had identified a botnet binary calling itself ‘Satori’ in July 2017, three weeks after the registration of the nexusiotsolutions.net domain. A Twitter user called Nexus_Zeta responded that this was a test, based on the Mirai source code.

Two days earlier Nexus_Zeta also said:

A member of the Hack Forums hacking community who joined in 2015 and also went by the name Nexus Zeta seemed surprisingly inexperienced. On November 22 2017, that person posted a request to the forum:

hello, im looking for someone to help me compile the mirai botnet, i heard all you have to do is compile it and you have access to 1 terabit per second so please help me setup a mirai tel-net botnet

A day later, security researchers from Check Point noticed activity related to the previously unknown Huawei vulnerability, dubbing it Satori.

Satori was a variant of the Mirai botnet that originally infected various IoT devices and disrupted DNS services in October 2016. During its initial infection phase, Satori simply looked for more targets to infect, suggesting that its creator was expanding the base of infected machines as quickly as possible. It infected over 260,000 IP addresses in just 12 hours, according to researchers who analysed its activities.

Then, in January 2018, a variant called Satori.Coin.Robber started scanning for machines mining Ethereum using the Claymore mining software. Upon finding them, it replaced their wallet addresses with the bot owner’s own. Two more botnets, Masuta and PureMasuta, also appeared. Researchers linked the botnets to Satori because they used the same command and control server.

Several variants followed. One in May targeted Dasan GPON home routers, and in June, researchers noticed a resurgence of Satori infections using a new exploit that targeted the D-Link DSL-2750B router. It is unclear whether Satori’s original author also owned the subsequent variants, especially as the original source code was widely distributed via Pastebin in January.

Exploring the evidence

It is also far from clear that Schuchman was really behind Satori. The indictment doesn’t mention Satori specifically, but the Daily Beast believes that “all signs” point to it. In particular, their report references a post on Pastebin from a group of angry hackers calling themselves T0rnado and Disciple.

The Pastebin post, titled “Nexus Zeta”, dated February 1 2018, contained what the hackers claimed was old personal contact information for Schuchman, a prior conviction, and a news report about the then-15 year old running away from home. They added:

…since he has extremely poor opsec (uses home IP on everything), we have decided to dox him.

The anonymous documents on Pastebin make unsubstantiated allegations about Schuchman’s character but don’t provide any direct evidence linking him to the Nexus Zeta account or to Satori. Other than taking their word for it, what evidence do we truly have?

There are some pointers in historical whois records.

Researchers who first discovered Satori in action exploiting the Huawei vulnerability revealed that its command and control traffic flowed through nexusiotsolutions.net. This domain was registered to ‘liam mcpike’ using the email address [email protected], on June 13 2017, and expired a year later.

Nexusiotsolutions.net was registered with a Washington state phone number. The same phone number was used to register another site called Zetastress.net in November 2016. The registrant for that site used the name Kenny Schuchman and the email [email protected], and an address in Vancouver, Washington.

Even this evidence is not conclusive. People can (and frequently do) register domains with fake details. So while we have suggestive evidence, it is impossible to say for sure whether Schuchman is linked to Satori. No doubt things will become clearer as court proceedings unfold. As of last week, he was due to appear in Alaskan court via video link from Washington.

Until then, his conditions of release included home detention with a location tracking device and no access to an internet-enabled computer without supervision. He has pled not guilty to the charges, which carry a potential prison sentence of up to ten years.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sO86j8J4kPY/

Chrome: Flash is almost, almost, almost dead

If you use Google’s Chrome browser after 4 September the latest update will make it even harder to use in-browser Adobe Flash.

Starting with Chrome update 69, the browser will require users to explicitly enable Flash every single time they want to use it. Chrome will no longer remember this preference between sessions, so every time a user hits a site that uses Flash, they’ll have to say “yes, I really want to enable this extension.”

If it sounds annoying, it absolutely is, and that’s by design. This is just another step on the timeline that Chrome and many other browsers have set upon to slowly, slowly wean the public off Flash in anticipation of Adobe’s official plan to end support for the plugin by 2020.

Flash may have been the plugin of choice some time ago for fun in-browser games and interactive features, but it was also the go-to plugin for many attackers, as it was notoriously vulnerable to exploitation.

After years of Adobe releasing patches to try and plug the holes, browser makers took matters into their own hands and started to slowly pull support in order to protect users (and their products) from nasty attacks. Adobe similarly saw the writing on the wall and decided to stop the madness by announcing Flash’s end of life.

Flash’s near-ubiquity online has made it tricky to kill though, and the timeline for its deprecation has been (or at least felt) long indeed. Even while browsers continue to take measures to pull their support for the plugin, the vulnerabilities still roll in – and the pleas from security pros to “update your Flash now!” continue unabated.

The next step in Chrome’s timeline – summer 2019 – is to completely disable Flash by default, requiring users to go into their settings to enable the plugin every time they want it to run. After that, in 2020, it’s game over for Flash entirely. Hopefully.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SEFDNnRdAfw/

‘Sick sadist’ admits to trolling dead people on social media

Yes, said a 38-year-old troll in the UK: he does deserve jail time, admitting to making Facebook posts falsely calling a tragically killed 20-year-old university student a “sex worker” and “prostitute”, among similarly offensive lies about others.

The South East Northumberland Magistrates’ Court heard on Thursday that the admitted troll – Paul Hind, from Westacres in Wark – posted offensive material about four people to Facebook, according to The Telegraph.

One of his high-profile targets was Olivia Burt, a Durham University student who died of head injuries in February when she was trapped under a fence in a crush of people outside of Durham’s Missoula nightclub.

Beyond calling the dead woman a prostitute, Hind also doctored one of her images and posted pictures of children who were “clearly terminally ill” on her Facebook page on 20 April.

Sky News reports that Ms. Burt’s father, Nigel, called Hind’s trolling a “desecration” of his daughter’s memory. He told the court that the posts had made him and Ms. Burt’s mother “physically sick” even after they’d been removed and that the perpetrator must be a “sick sadist”:

The person who carried out this trolling can only be described as a sick sadist who knows that they are adding to our anguish and gets enjoyment out of this.

Even though the Facebook posts have now gone, we keep expecting them to reappear on some other social media platform.

This is causing us continuing anxiety and distress.

Hind also admitted to targeting a tribute page for Hannah Witheridge, a 23-year-old who was killed on the Thai island of Koh Tao in 2014.

Another target was Joe Tilley, a 24-year-old reality star who was found dead at the bottom of the Fin del Mundo waterfall in Colombia in May. Hind’s fourth target was 19-year-old Duncan Sim, a Scottish college student whose remains were found at West Sands in St Andrews in June.

District Judge Kate Meek sent the case to Newcastle Crown Court for sentencing on 27 September. She thanked Burt’s parents for sitting through the proceedings and said they had her “deepest condolences” for the loss of their daughter. Hind had only added to the “already unimaginable” pain that they were suffering, the judge said.

Outside of court, Hind told reporters that he was “deeply sorry” for his actions and that he had done them “for attention”. He apologized to his targets’ families, saying that he was suffering from mental health issues and had been “highly intoxicated” at the time he left the sick posts.

All I can say to the families for the actions I have committed is sorry. That is all I can say: sorry.

Hind said he didn’t expect that they’d accept his apology. When asked if he should be jailed for his offenses, he said that yes, it’s what he deserved:

From my point of view, personally, and for what I did, I would say yes.

I do deserve a punishment, and I don’t just deserve a punishment of being banned from social media, trying to apologize to the parents and forgetting about the whole thing.

I have to be punished accordingly for causing people the anxiety and the stress I have caused them, there’s no question about that.

Burt’s father is blaming Facebook for making things worse, given that the platform only deals with malicious posts in a one-off fashion, rather than responding to “overall trolling.”

According to Sky News, Nigel Burt described Facebook’s method of dealing with such trolling as being “hopeless”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_zB4VHfGBM8/

Firefox to start blocking ad-tracking by default

Mozilla has announced plans to tweak Firefox’s privacy controls so that advertising trackers will be blocked by default. Trackers, it is often said, compromise privacy and have a big negative impact on performance, and yet browser makers have often seemed unable or unwilling to put blocks in place.

It’s a phenomenon that has driven a growing number of internet users to start using adblockers and privacy plug-ins, but many of these have commercial interests of their own that allow some advertising systems to continue their activities.

It certainly makes sense to do the ad-control from within the browser itself, but this is not offered by all browser makers, and where it is, it is usually not turned on by default.

Performance and cross-site tracking

Future versions of Firefox will assume the user wants tracking controls turned on, starting with version 63 in September which will automatically block slow-loading trackers of the sort that bog down page loading speeds.

From version 65 in January, the same will apply to cross-site trackers, a spying technique advertisers use to ‘follow’ users from site to site while building profiles based on their activity.

Firefox has offered general tracking protection since the Quantum overhaul last November, and by default on its mobile products since April, which means that from Firefox 65, this setting will become the default across all versions.

Fingerprinting

Firefox will also block (or attempt to block) the way advertisers fingerprint users’ computers during browsing using cross-device tracking.

This is done by polling metadata associated with each user’s computer, for example IP address, time zone, operating system version, screen resolution, and default language. It can even look at which software versions are installed on a device, which together with the former data offers a unique fingerprint for that device.

Mozilla hasn’t revealed how it will stop this beyond stating:

Future versions of Firefox will block these practices by default.

Let’s bear in mind that as good as these layers sound, this doesn’t mean that sites won’t continue to find ways around them. The simplest way to do this would be to ask users to permit tracking, perhaps by making it inconvenient if they don’t. (You encounter a version of this today on sites that ask visitors to turn adblockers off or face being asked to take their browsing elsewhere.)

A future for anonymity mode?

Adding more and more protections to the browser as defaults does beg the question of whether Firefox’s anonymity mode – called ‘Private Browsing’ – will be needed in future. The answer is probably yes. Because some users will want or need to turn off the tracking controls discussed here for various reasons, having a way of quickly stepping back into private browsing will always be useful from time to time.

After years of stagnation, Firefox has recently accelerated its focus on privacy and security. In June, it announced Privacy Monitor, a forthcoming tool that will allow Firefox users to check whether their email address has been spotted in breached data collected by Troy Hunt’s Have I Been Pwned? (HIBP) database. That followed the Facebook container extension: a tool to stop Facebook tracking users from site-to-site using cookies.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WN_h71q5S0w/

Can you “see” someone’s screen by listening to it? [VIDEO]

We went on camera to discuss some fascinating research that set out to measure what your video screen lets slip about you behind your back.

Enjoy…

(Watch directly on YouTube if the video won’t play here.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xk7xJhmW82E/