STE WILLIAMS

Windows 10 security can be bypassed by Settings page weakness

The file type used to link to Windows 10’s settings page can be abused to run malicious executables or commands in a way that bypasses the OS’s defences.

Researcher Matt Nelson of SpecterOps made the discovery while he was looking for new formats for attackers to abuse now that HTML Applications (HTA files), Visual Basic scripts (VBS), JavaScript (JS), PDF and Office files are tightly controlled by Office 365 and Windows 10.

Nelson came across a format that few beyond Microsoft will have heard of: .SettingContent-ms, used to create shortcuts to the settings page, the successor to the Control Panel.

A file with this extension is simply an XML file that contains paths to the programs used to configure Windows 10’s settings.

That brings with it some power through an option in .SettingContent-ms called “DeepLink”, which specifies the disk location that gets invoked when opening the Settings page or the Control Panel.

Nelson discovered that “DeepLink” could be used to open anything, for example CMD.EXE, PowerShell, or even a chain of commands, triggered by an internet link:

So, we now have a file type that allows arbitrary shell command execution and displays zero warnings or dialogs to the user.

Office would normally block commonly-abused file types when they’re referenced externally, but this file format is apparently not seen as risky.

Given this, perhaps it’s not surprising that .SettingContent-ms currently also seems to offer a way around recent security features such as Attack Surface Reduction (ASR), which can optionally be enabled as part of Windows Defender Exploit Guard from Windows 10 Build 1709 onwards.

Aimed at enterprises, ASR is a collection of behaviour rules, including one for Child Process Creation, which Nelson found could be used to stop .SettingContent-ms from running programs.

Unfortunately, this can be fooled simply by using an allowlisted path to an app called AppVLP.exe that’s already allowed to start child processes:

Perfect! We are able to abuse AppVLP to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule.
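As an added, defender-side example (not code from Nelson’s post or from SpecterOps), the following Python triage script parses a .SettingContent-ms file, pulls out every DeepLink value and flags the patterns described above: a target that is not the usual Settings/Control Panel launcher, a shell-capable binary such as cmd.exe, powershell.exe or AppVLP.exe, or arguments and command chaining appended to the path. The element layout used for the samples, the allow-list of expected targets and the two sample files are assumptions constructed for this example.

```python
"""Static triage of .SettingContent-ms files: added example, not code from the write-up.

Assumptions (constructed for this example): the element layout built by _sample(),
the allow-list EXPECTED_TARGETS / EXPECTED_SCHEMES, and the two sample documents.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Binaries a Settings shortcut never legitimately launches (constructed policy;
# cmd.exe, PowerShell and AppVLP.exe are the ones named in the write-up).
SHELL_CAPABLE = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "appvlp.exe"}

# Targets a genuine shortcut is expected to name (assumed allow-list).
EXPECTED_TARGETS = {r"%windir%\system32\control.exe"}
EXPECTED_SCHEMES = ("ms-settings:",)

# Anything that turns a bare path into a command line: chaining operators or
# interpreter switches such as "/c" or "-command".
CHAIN_RE = re.compile(r"[&|;]|\s[-/](c|command|e|enc|encodedcommand)\b", re.IGNORECASE)


def _local_name(tag: str) -> str:
    """Strip the XML namespace so the check works with or without the xmlns."""
    return tag.rsplit("}", 1)[-1]


def extract_deeplinks(xml_text: str) -> List[str]:
    """Return every <DeepLink> value in document order."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local_name(el.tag) == "DeepLink"]


def target_basename(deeplink: str) -> str:
    """Lower-cased file name of the first token: '%windir%\\system32\\cmd.exe /c x' -> 'cmd.exe'."""
    tokens = deeplink.split()
    if not tokens:
        return ""
    return tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    try:
        links = extract_deeplinks(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if not links:
        return ["no DeepLink element"]
    expected = {t.lower() for t in EXPECTED_TARGETS}
    for link in links:
        lowered = link.lower()
        if lowered in expected or lowered.startswith(EXPECTED_SCHEMES):
            continue  # points where a real Settings shortcut points
        findings.append(f"DeepLink outside expected Settings targets: {link}")
        base = target_basename(link)
        if base in SHELL_CAPABLE:
            findings.append(f"shell-capable launcher in DeepLink: {base}")
        if CHAIN_RE.search(link):
            findings.append("DeepLink carries arguments or command chaining")
    return findings


def is_suspicious(xml_text: str) -> bool:
    return bool(assess(xml_text))


def _sample(deeplink: str) -> str:
    """Build a minimal constructed .SettingContent-ms document around one DeepLink."""
    return f"""<?xml version="1.0"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


# Constructed samples: a shortcut that opens the Control Panel, and one that does not.
BENIGN_SAMPLE = _sample(r"%windir%\system32\control.exe")
SUSPICIOUS_SAMPLE = _sample(r"%windir%\system32\cmd.exe /c calc.exe")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, assess(doc) or "clean")
```

Because the checks work on the file’s content rather than its extension, the same routine can sit in a mail-gateway or endpoint scanner that already extracts attachments and OLE-embedded objects; the allow-list is the part to tune against the legitimate shortcuts found on a known-good build.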

When Nelson reported the potential vulnerability to Microsoft:

MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.

Presumably, this is because it’s really a configuration issue that could be dealt with using an ASR rule or via Office’s blocking of OLE. Nelson offers his own suggestions for mitigation, including monitoring child processes using Sysmon.
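To show what the child-process monitoring suggested above looks like in practice, here is an added example (not Nelson’s code) that runs a small set of parent/child rules over Sysmon Event ID 1 (ProcessCreate) records: an Office application starting a shell or the trusted AppVLP.exe launcher, AppVLP.exe itself starting a shell, and any command line that names a .SettingContent-ms file. The records are constructed extracts using the real Sysmon field names Image, ParentImage and CommandLine; the rule policy and the placeholder install path for AppVLP.exe are assumptions.

```python
"""Child-process monitoring over Sysmon Event ID 1 records: added example, not Nelson's code.

The records in SAMPLE_EVENTS are constructed extracts of ProcessCreate events (Image,
ParentImage and CommandLine are real Sysmon field names); the parent/child policy and
the C:\\PLACEHOLDER path standing in for the AppVLP.exe install location are assumptions.
"""
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}
ALLOWLISTED_LAUNCHER = "appvlp.exe"  # the binary the ASR file-path rule already trusts


def basename(path: str) -> str:
    """Lower-cased last path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one ProcessCreate record."""
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits: List[str] = []
    # Telemetry counterpart of the ASR "Office child process" rule.
    if parent in OFFICE_APPS and (child in SHELLS or child == ALLOWLISTED_LAUNCHER):
        hits.append("office-spawned-launcher")
    # The gap described in the write-up: the trusted launcher itself starting a shell.
    if parent == ALLOWLISTED_LAUNCHER and child in SHELLS:
        hits.append("appvlp-spawned-shell")
    # A Settings shortcut being opened from a user-writable location is rare enough to record.
    if ".settingcontent-ms" in cmdline:
        hits.append("settingcontent-ms-in-cmdline")
    return hits


def detect(events) -> List[Tuple[int, str]]:
    """Pair each firing rule with the index of the record that triggered it."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample records; only the fields the rules read are included.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},  # a user opening a console: not flagged
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c calc.exe"},  # what the ASR child-process rule blocks
    {"Image": r"C:\PLACEHOLDER\AppVLP.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "AppVLP.exe"},  # trusted launcher started from Office
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\PLACEHOLDER\AppVLP.exe",
     "CommandLine": "cmd.exe /c calc.exe"},  # the launcher going on to start a shell
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Downloads\invoice.SettingContent-ms"'},
]

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The point of the second rule is that an allow-list entry such as AppVLP.exe removes a block, not the visibility: the launcher still appears as ParentImage in the next ProcessCreate event, so the chain can be alerted on even where ASR lets it through.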

Nelson concludes that for all its improvements, Windows 10’s evolution is always likely to offer up new and unexpected elements to exploit:

After looking into ASR and the new file formats in Windows 10, I realized that it is important to try and audit new binaries and file types that get added in each release of Windows.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p4-xpq5Myps/

That’ll learn ya! Data watchdog spanks two Brit phone botherers

Two nuisance callers were today named and shamed – only one was fined – by the UK’s data watchdog for illegal marketing activities.

Our Vault Ltd in Chorley, Lancashire, was hit with a £70,000 penalty by the Information Commissioner’s Office (ICO) for making more than 55,000 unsolicited calls to householders that had registered with the Telephone Preference Service (TPS).

The insurance biz claimed its personal data was verified against the TPS register. However, an ICO probe found this was not the case and no licence was held.

The phone calls were intended to flog financial products of STR Ltd, a sister company, but masqueraded as market research.

Our Vault was handed an Enforcement Notice to stop being phone pests, as was another business, Horizon Windows, which was found to have made 104 unsolicited marketing calls to people registered with TPS between January 2016 and January 2017.

“Both of these firms have shown disrespect for the law and people’s privacy,” said the ICO’s head of enforcement, Steve Eckersley.

He said that Our Vault Ltd’s actions were “unacceptable” and used one example in which it had called a house 19 times to peddle its products.

“We continue to target the companies and individuals responsible and hold them to account, but we can’t crack down on these organisations without the public’s help. I’d urge anyone who has been targeted by nuisance calls, emails or texts, to report them to the ICO.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/28/our_vault_horizon_windows_nuisance_call_ico_fines/

Redefining Security with Blockchain

Blockchain offers a proactive approach to secure a new generation of digital platforms and services for both enterprises and individuals.

As the computing environment becomes more open and diverse, and as threats become more sophisticated, enterprises need a way to validate identities and transactions without having to resort to cumbersome, obstructive blacklists. IT validation and regulatory compliance pose similar challenges. Complex, resource-intensive governance mechanisms burden IT, slow business innovation, and divert attention from the company’s core mission. How can we simplify validation in every step in the execution of a transaction, process, or contract? How can we make it impossible to steal or compromise an identity, whether of a user or a “thing”? How can we put users — not companies — in control of their own identities?

Blockchain offers an exciting new way forward. It is a ledger architecture that can protect identities, data, and transactions against compromise by recording across links in a highly distributed digital ledger. If any link in the chain is altered, added, or removed, the entire chain is suspect. As an example, if the identity of each node of a network is recorded on a blockchain, the network can be trusted. Conversely, if an unauthorized node enters a network, a compromise has occurred. Blockchain offers a proactive approach to secure a new generation of digital platforms and services.

Blockchain and Identity
Cryptocurrency applications have gained the most attention during the early days of blockchain, but these only scratch the surface of its potential for the secure transfer and storage of value — and in particular, the validation of trust. 

To date, enterprise IT, security, audit, and support functions have struggled to provide adequate protection of data, transactions, and digital and physical assets. In a highly converged, cloud and on-premises enterprise, the next revolutionary step in security will come from the realization of digital transactions that are highly distributed, tamperproof, encrypted, and fault tolerant. That’s exactly what blockchain enables. In this way, blockchains can bring unprecedented security to events, title, financial/medical/legal records, Internet of Things connectivity, management activities, process verification, data transfers, identity management, transaction processing, provenance — the list goes on.

Some of the most fundamental trust validation applications for blockchain will focus on identity. Today, identity theft is a pervasive and seemingly intractable problem. How can we eliminate that risk? To begin with, blockchain makes it possible to put users in control of their own privacy. That’s a simple yet radical concept — so radical, in fact, that it seems obvious only in retrospect. Why shouldn’t we be able to manage our own identities instead of leaving such a crucial matter to companies whose priorities and agendas may be quite different? Why shouldn’t we be the ones to determine who can access our personal information, or when our credit should be locked, or how our identity is used by third parties? In that sense, blockchain’s distributed ledger can do more than just make it nearly impossible for thieves to change or steal our information on login attempts. It also solves a more fundamental problem we didn’t even know we had: restoring our control over our own digital identities.

The mechanism is straightforward: By applying blockchain technology as a kind of digital watermark to identity applications from birth certificates and passports to online account logins, we can make individual identities nearly impossible to compromise. As individuals interact with businesses, governments, and other organizations, the personal information we provide to establish trust can be hashed and distributed, then called back only in partial elements as needed, leaving the complete identity safe from compromise. Providing both privacy and transparency, this approach can also help organizations meet the requirements of regulations like Open Banking in the UK and the General Data Protection Regulation in the EU for customer control, as well as simplifying compliance with financial industry know-your-customer rules.

Blockchain Bridges Borders
Unlike past approaches in which companies have sought to own the platforms and dominate the technologies used for security and validation, the highly distributed nature of blockchain promises a more open future. By disenfranchising security, identity, and trust from corporations and countries, blockchain has the potential to bring about a truly global economy. Cryptocurrencies such as Bitcoin and Ethereum have already decoupled currency from state control; now, a new generation of blockchain-based companies are working to provide a broader range of services traditionally provided only through government agencies.

The potential of blockchain is equally exciting for both enterprises and individuals. Companies can radically improve security, compliance, efficiency, and control across virtually any process or transaction. From the consumer’s perspective, blockchain enables control of personal information and individual identities to shift from companies to their customers; allows governmental monopolies on currency and public services to be broken; and safeguards individuals against fraud and identity theft. It’s a future worth looking forward to — and it’s coming fast.

Stan Black, CISSP, is CSIO of Citrix where he is in charge of the secure delivery of applications and data to some of the world’s largest organizations in healthcare, financial services, public sector, and manufacturing. Black defines a converged cyber security posture … View Full Bio

Article source: https://www.darkreading.com/cloud/redefining-security-with-blockchain-/a/d-id/1332167?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ticketmaster UK Warns Thousands of Data Breach

Customers who bought tickets through the site are advised to check for fraudulent transactions with Uber, Netflix, and Xendpay.

Ticketmaster UK has notified tens of thousands of customers that they might be at risk for identity theft and credit card fraud due to a data breach, potentially affecting anyone who bought concert, theater, or sporting event tickets between February 2018 and June 23, 2018, The Guardian reports.

On June 23, Ticketmaster detected malware on a customer support tool hosted by Inbenta Technologies exporting UK customer data (names, physical and email addresses, phone numbers, payment details, and Ticketmaster logins) to an unknown party. Fewer than 40,000 of its reported 230 million global customers were compromised in the incident, it says.

However, Ticketmaster could come under fire for not disclosing the breach sooner. Monzo, a digital bank, first spotted customers’ cards being misused in April and figured out all those affected had shopped at Ticketmaster. Monzo claims it notified Ticketmaster but couldn’t get a response. It told customers who had purchased through the site to replace their cards and watch for fraudulent activity from sites including Uber, Netflix, and Xendpay.

Jeannie Warner, security manager at WhiteHat Security, says businesses can prevent third-party software breaches by working with stakeholders to establish vendor security standards, and then communicating those standards to vendors and regularly monitoring vendors’ security.

“Educate them, answer their questions, and get their commitment to meeting the standards,” she explains. “Establish a timeline to make them achieve compliance, if they are not already compliant.”

Read more details here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/ticketmaster-uk-warns-thousands-of-data-breach/d/d-id/1332172?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IEEE joins the ranks of non-backdoored strong cryptography defenders

The Institute of Electrical and Electronics Engineers (IEEE) has joined the ranks of objectors to proposed law enforcement measures that would compromise access to strong cryptography.

The august engineering body went beyond merely opposing the popular understanding of what constitutes a “backdoor”, instead framing its opposition in terms of the broader expression “exceptional access mechanisms”.

According to the statement the Institute issued this week, its reasoning is:

  • “Exceptional access mechanisms” weaken systems and embed vulnerabilities, creating risk for end users;
  • Such mechanisms don’t stop bad actors from using strong encryption, either created specifically for them, or obtained from countries that don’t require access mechanisms;
  • Busting crypto would hamper companies’ ability to compete globally; and
  • “Efforts to constrain strong encryption or introduce key escrow schemes into consumer products can have long-term negative effects on the privacy, security and civil liberties of the citizens so regulated.”

The IEEE does, however, acknowledge law enforcement requirements, and accepts that cleartext data on corporate servers should be available under warrant.

Likewise, and possibly controversially, the Institute listed “targeted exploits on individual machines” among the options it feels should be available to law enforcement, along with the less-worrying “forensic analysis of suspected computers, and compelling suspects to reveal keys or passwords.”

While none of this represents new thinking, it puts the IEEE firmly alongside individuals and organisations who have also criticised the idea that cryptography can be undermined without putting people at risk, en masse.

Most notably, Stanford professor Martin Hellman, of Diffie-Hellman fame, who helped invent the foundations of today’s crypto systems; Columbia professor and USENET co-creator Steve Bellovin; top cryptographer Paul Kocher; and information security guru Bruce Schneier panned the FBI’s repeated assertions that there’s a crypto magic bullet.

Meanwhile, with far less fuss, Internet engineers issued RFC 7258, stating that “Pervasive Monitoring is an Attack”. That document has informed dozens of drafts and RFCs since, most designed to eventually make strong crypto ubiquitous. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/28/ieee_defending_crypto/

Infosec bod wagers web bookie BetVictor is lax on password protection

Gambling site BetVictor has been caught leaving what appears to be the administrator credentials for its website out on the public internet.

Security researcher Chris Hogben today said the Gibraltar-based betting site had left help articles online that included usernames and passwords for its internal systems. His secret for pulling up the data: searching for the term “admin”.

Screenshot of BetVictor credentials left online

Back of the net…work.

Hogben said that by entering the word into BetVictor’s own site search and combing through help articles, he was able to pull up 19 username and password combinations for 22 different URLs on the site.

“I think that’s the digital equivalent of leaving the key under the mat,” he said of the gaffe.

“Information about BetVictor’s back-end systems and portals — usernames, passwords, URLs — is there, just a few clicks away, right on the homepage.”

Hogben said he did not try to use the credentials, so he can’t be sure they work or what data they would allow an attacker to see. He does, however, believe the accounts are used for support, identity verification, and trading.


Hogben reckoned this is only the tip of the galling security lapse iceberg for the Liverpool-connected bookies, who now will never walk unpwned.

“It should also be noted that this was just one document located within the BetVictor knowledge base,” Hogben noted. “With more extensive searching, further documents may have been discovered containing even more confidential data.”

If BetVictor is aware of the issue, they’re not talking about it. Hogben said that while it appears the sensitive login info has been scrubbed from the site, he was unable to get verification from the company that the problem has been plugged up. BetVictor did not return a Reg request for comment on the matter. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/researcher_wagers_betvictor_is_lax_on_password_protection/

10 Tips for More Secure Mobile Devices

Mobile devices can be more secure than traditional desktop machines – but only if the proper policies and practices are in place and in use.

(Image: oneinchpunch)


Computing and mobile computing are, to an ever-growing degree, the same thing. According to research by StoneTemple, at the beginning of 2018, 63% of Web traffic comes from mobile devices; they expect the number to pass 2/3 of all traffic by the end of the year.

Most users, and most security professionals, seem to think that mobile platforms are inherently more secure than traditional desktop and laptop computers. In many circumstances that’s correct, but that assumption can lead to behaviors that carry significant risks.

Fortunately, there are steps a security team can take to secure mobile devices: some are actions the security team itself should take, while others should be taught to users. Many of them fall squarely in the “it just makes common sense” category. That doesn’t mean security pros and users alike don’t need a reminder to check that each of them is on their list of positive behaviors — and on the list of results to be enforced by policy on all devices.

There are many behaviors that can contribute to mobile device security or risk. We’d be interested in hearing about the behaviors that you see as important — but that didn’t make our list. Use the comment section to let us know what we missed.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/mobile/10-tips-for-more-secure-mobile-devices/d/d-id/1332156?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sophos SafeGuard anything but – thanks to 7 serious security bugs

Companies running Sophos security clients will want to update their software following the disclosure of seven privilege escalation flaws in the security suite.

Sophos says its SafeGuard Enterprise Client, LAN Crypt client and Easy software are all vulnerable to the bugs, which would allow an attacker to run code at System (aka admin) level privileges.

In other words, the software you use to keep your PC from getting pwned can get you pwned.

The bugs, designated CVE-2018-6855, CVE-2018-6857, CVE-2018-6852, CVE-2018-6851, CVE-2018-6856, CVE-2018-6853, and CVE-2018-6854 were discovered in the Sophos driver software and reported to the British company by researchers with security shop Nettitude Labs.

According to the researchers, at least one flaw would allow an attacker to send an input/output control (IOCTL) request that could modify token privileges. This would result in the attacker being able to run commands with system privileges on any PC running Windows.


“When some conditions are not met, the driver writes an error code (0x2000001A) to user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes,” Nettitude explains.

“So, even though the driver checks for input/output buffer sizes, it doesn’t validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there.”

In response, Sophos has kicked out an update for the vulnerabilities. Users and admins can get the fixes for SafeGuard Enterprise 8.0, 7.0, 6.10, 6.0x, SafeGuard Easy 7.0, 6.10, 6.0x, and SafeGuard LAN Crypt 3.9x.

Sophos is recommending users and admins update their software as soon as possible to get the fixes. The bugs do not affect Sophos Mac antivirus. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/26/sophos_safeguard_flaws/

Ticketmaster gatecrash: Gig revelers’ personal, payment info glimpsed by support site malware

Ticketmaster UK has warned punters that malware infected one of its customer support systems – and may have siphoned off their personal information and payment details.

Anyone in Britain who bought, or tried to buy, a ticket from the biz between February and June 23 this year, and international customers who purchased, or attempted to purchase, tickets from September 2017 to this month, are at risk.

If you used the Ticketmaster International, Ticketmaster UK, GETMEIN! or TicketWeb websites to go to concerts and other gigs, that potentially means you. Folks in North America are unaffected, we’re told.

The malware is understood to have had access to people’s names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details. Affected users should change their passwords.

In a notice issued today, and sent to Reg readers who forwarded it on to us, the ticket seller said a software nasty got “on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.”

Inbenta, based in California, USA, is a maker of AI-based chat bots and search engines that offer customer support information and help. A spokesperson for Inbenta was not available for immediate comment. Inbenta’s website at one point listed Ticketmaster as a case study – explaining it provided a dynamic FAQ and searchable knowledge base for the ticket slingers – but that page has been taken down, and Ticketmaster has cut Inbenta’s tech from its services.

‘Malicious software’

“On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster,” the biz said in a statement.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites. Less than five percent of our global customer base has been affected by this incident. Customers in North America have not been affected.

“As a result of Inbenta’s product running on Ticketmaster International websites, some of our customers’ personal or payment information may have been accessed by an unknown third-party.

“We have contacted customers who may have been affected by the security incident. UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may be affected as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.”

Ticketmaster breach notice

Alert … A copy of the notice sent today by Ticketmaster to gig-goers affected by the malware infection

Punters are being offered 12 months of identity-theft monitoring by Ticketmaster. If you have not received a message from Ticketmaster about the security cockup, your details are probably safe from the malware.

It’s unclear exactly how many customer records are affected: we have asked for more details. It is estimated up to 45,000 people in the UK have been hit by the cyber-intrusion. A staffer at UK data privacy watchdog, the ICO, confirmed it was aware of the network infiltration, and is investigating.

The spokesperson said: “Organisations have a legal duty to ensure that people’s personal information is held securely. We have been made aware of an issue concerning Ticketmaster and will be making enquiries.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/ticketmaster_support_bot_hack/

Uncle Sam is shocked, SHOCKED to find dark-web bazaars trading drugs, weapons, etc

In news that will surprise no one who has had internet access in the last 25 years, crooks have been using online souks to tout drugs, weapons, and, shockingly, other illicit goods.

The Feds announced Tuesday they had busted a $23.6m contraband-peddling operation spread over a handful of dark-web marketplaces. US prosecutors said more than 35 vendors were collared, and are now facing charges, in a sting that had some 65 targets.

The arrests were part of a year-long undercover operation during which Uncle Sam’s drug squad agents posed as money launderers offering to transfer cash as virtual currencies. In the process, they were able to get the dirt on dozens of cyber-baddies.

The targeted markets included the now-defunct Silk Road, AlphaBay, Hansa, and Dream dark-web bazaars.

“Criminals who think that they are safe on the Darknet are wrong,” said America’s Deputy Attorney General Rod Rosenstein. “We can expose their networks, and we are determined to bring them to justice.”


We’re told a veritable Keith Richards medicine cabinet worth of illegal chems was recovered by the Feds: 70 search warrants were issued recovering 333 bottles of synthetic opioids, “over 100,000” tramadol pills, 100 grams of fentanyl, more than 24 kilos of Xanax, and “additional seizures” of Oxycodone, MDMA, cocaine, LSD, marijuana, and a single psychedelic mushroom farm.

Cops also seized more than 100 firearms, $3.6m in US currency and gold bars, 2,000 Bitcoins and other cryptocurrency with a market value of around $20m, and a handful of cryptocoin mining devices, pill presses, and vacuum sealers.

In total, the Feds said they identified more than 50 seller accounts, and went after alleged scumbags in 50 federal districts from New York to California. Here are some of those accused, according to the US government:

  • Antonio Tirado, 26, and Jeffrey Morales, 32, of the Bronx, New York, were arrested on June 18, and separately charged with distribution and possession with intent to distribute narcotics, including cocaine, LSD, marijuana, and hashish oil. Additionally, Tirado was charged with possession of a firearm.
  • Jian Qu, 30; Raymond Weng, 24; and Kai Wu, 22, all of Queens, New York, along with Dimitri Tseperkas, 22, and Cihad Akkaya, 22, of Middle Island and Port Jefferson, New York, respectively, were each arrested on June 18, and charged with participation in a conspiracy to distribute more than 1,000 kilograms of marijuana. Tseperkas and Akkaya were also charged with firearms offenses relating to the drug conspiracy.
  • Ryan Farace, 34, of Reisterstown, Maryland, and Robert Swain, 34, of Freeland, Maryland, were charged related to a scheme to manufacture and distribute alprazolam tablets, which are typically sold under the brand name Xanax.
  • Nicholas J. Powell, 32, and Michael Gonzalez, 27, former and current residents of Parma, Ohio, respectively, were charged with conspiracy to distribute controlled substances and laundering money using the dark web.
  • Jose Robert Porras III, 21, and Pasia Vue, 23, both of Sacramento, California, were charged with drug distribution, money laundering, and illegally possessing firearms, in a 16-count indictment.
  • Sam Bent, 32, of St Johnsbury, Vermont, and formerly of East Burke, Vermont, and his cousin, Djeneba Bent, 26, also of St Johnsbury, and formerly East Burke, were charged with conspiracy to distribute LSD, MDMA, cocaine, and marijuana.
  • Daniel Boyd McMonegal, 35, of San Luis Obispo and Mariposa, California, was charged with drug distribution and money laundering in an 11-count indictment.

“At this crucial time of unprecedented drug related deaths, one of the greatest threats we face is cyber drug trafficking,” said US Drug Enforcement Agency Special Agent James Hunt, who led the sting.

“Because the Darknet invites criminals into our homes, and provides unlimited access to illegal commerce, law enforcement is taking steps to identify and arrest those involved.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/06/27/darknet_drugs_bust/