STE WILLIAMS

Hackers use system weakness to rattle doors on Citrix systems

Attackers are using a serious bug in Citrix products to scan the internet for weaknesses, according to experts.

The flaw, CVE-2019-19781, affects the company’s NetScaler ADC Application Delivery Controller and its Citrix Gateway. The first product is a piece of network equipment that ensures online applications perform well, using load balancing and application monitoring. The second provides remote access to applications on a company’s network or in the cloud. An attacker could use the bug to execute arbitrary code, according to Citrix, which published an advisory on 17 December.

Positive Technologies, which wrote a report of the bug on 23 December, warned that 80,000 companies were at risk. NIST gave it a 9.8 (Critical) CVSS 3.0 score.

A bug that lets attackers execute arbitrary code without even needing an account is particularly serious. Positive Technologies explained:

This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.

Although Citrix hasn’t released details of the bug in its advisory, several researchers have suggested that it is a directory traversal vulnerability that allows someone from the outside to reach a directory that they shouldn’t access.

There are no known proof-of-concept exploits at the moment, but the SANS Internet Storm Center demonstrated on 31 December its ability to exploit weaknesses in the code and upload files to the system without “any special tools or advanced skills”.

Security researcher Kevin Beaumont tweeted on Tuesday that he had picked up multiple scans on his honeypot network, indicating that people were trying to read sensitive files using directory traversal.

He told us:

I had a bunch of IPs from China and Hong Kong, they also spray other exploits.

Johannes Ullrich, head of SANS ISC, also saw scans coming in from China, along with others from a French DSL and colocated servers in Europe and the US. The scanners used a simple GET request to download smb.conf, which is a configuration file for Samba, the Windows file and print interoperability system for *nix boxes. Some scanners were also trying (and thankfully so far failing) to POST scripts to boxes on the SANS honeypot.

Tripwire’s principal security researcher Craig Young, who had been running non-malicious scans this week to enumerate the base of target machines, found around 39,000 vulnerable IP addresses. Indexing them against certificate data revealed high-value targets including 141 distinct .gov domains in the US, and another 351 across ccTLDs (primarily Australia and the UK).

He said:

It is alarming that so many organizations are currently at risk in such a sensitive part of their organization. Each one of these devices is an opportunity for criminals or spies to gain access to restricted networks and impersonate authorized users.

What to do

There’s no patch for this vulnerability yet, but Citrix has provided some mitigation steps to help protect systems for the time being. If you’re a Citrix user and haven’t deployed these yet, there’s no time to waste.

There’s also a detection rule for Sigma, a generic signature format for security information and event management (SIEM) systems, that will help detect people trying to hit your Citrix products with an exploit.
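One way to turn the scanning behaviour described above (directory-traversal requests, fetches of smb.conf, attempts to POST files through the same path) into a check over web-server access logs. This is an added example, not code from the article, from SANS ISC or from the Sigma rule it mentions; the log lines are constructed, and the detector matches generic traversal patterns (including URL-encoded and double-encoded forms) rather than any product-specific path, since the article does not publish one:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined-log format. Addresses are documentation ranges
# (RFC 5737); nothing here comes from a real honeypot.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2020:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jan/2020:10:02:03 +0000] "GET /../../../etc/samba/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
198.51.100.23 - - [07/Jan/2020:10:02:04 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "curl/7.64.0"
192.0.2.45 - - [07/Jan/2020:10:03:19 +0000] "POST /..%2f..%2fvar/tmp/note.txt HTTP/1.1" 403 0 "-" "python-requests/2.22"
192.0.2.45 - - [07/Jan/2020:10:03:40 +0000] "GET /..%2f..%2fetc/samba/smb.conf HTTP/1.1" 200 1833 "-" "python-requests/2.22"
203.0.113.7 - - [07/Jan/2020:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined-log request line: client address, timestamp, method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Files whose retrieval through a web front end is a strong signal on its own
# (the article reports scanners fetching smb.conf).
SENSITIVE_FILES = ("smb.conf", "/etc/passwd", "/etc/shadow")


def normalize_path(raw):
    """Percent-decode repeatedly (catches double encoding) and unify separators."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_request(method, raw_path, status):
    """Return the reasons a request looks like a traversal probe, or [] if it looks benign."""
    path = normalize_path(raw_path)
    reasons = []
    if re.search(r'(^|/)\.\.(/|$)', path):
        reasons.append("dot-dot traversal sequence")
    if any(name in path for name in SENSITIVE_FILES):
        reasons.append("request for sensitive file")
    # A write method on a traversal path is what the article describes as scripts being POSTed.
    if reasons and method in ("POST", "PUT"):
        reasons.append("write method combined with traversal")
    # A 2xx answer means the server served the request: investigate as possible access, not just a scan.
    if reasons and status.startswith("2"):
        reasons.append("server answered 2xx: possible successful access, not just a scan")
    return reasons


def analyze_log(text):
    """Parse each access-log line and collect the ones that match traversal indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["method"], m["path"], m["status"])
        if reasons:
            findings.append({
                "ip": m["ip"], "method": m["method"], "path": m["path"],
                "status": int(m["status"]), "reasons": reasons,
            })
    return findings


def sources_by_volume(findings):
    """Count suspicious requests per client address, the view a honeypot operator reports."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["method"], hit["path"], hit["status"], "; ".join(hit["reasons"]))
    print(sources_by_volume(hits))
```

Requests that were refused (403/404) are evidence of scanning; the one that drew a 200 is the line to escalate, because a successful read of a configuration file through the front end means the mitigation is not in place or was bypassed.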

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BEbNovinqjA/

Ding-dong: Cisco delivers your Patch Tuesday warm-up with WebEx, IOS fixes for a few irritating security holes

Cisco has released a fresh batch of security updates for its networking and comms gear lines.

The high-priority patch this month is the fix for CVE-2019-16009, a cross-site request forgery, in the web UI of Cisco IOS and Cisco IOS XE that can be exploited to steal credentials from users via malicious links.

“A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user,” Cisco said of the bug. “If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.”

Also getting a high-risk designation was CVE-2019-16005, a command injection vulnerability in WebEx Video Mesh. In that case, an attacker would need to already have admin privileges in WebEx, but then would be able to use the app’s interface to send commands to the host machine. In other words, you go from being an admin on one app to being an admin on the whole machine, and there are no workarounds, so patch this one fast.

Among the less serious flaws, Cisco’s UCS platform was the subject of CVE-2019-16003, a bug that lets an unauthenticated user view log files over the web interface due to an authentication logic error.


CVE-2019-15255 describes a security bypass flaw in the Cisco Identity Services Engine. The bug can be exploited by way of a specially-crafted URL, provided you have admin access.

Companies using the AnyConnect mobile service will want to pay close attention to CVE-2019-16007, a flaw in the Android mobility client that would allow an attacker to either hijack a user session (and get access to confidential information) or simply cause a denial of service.

CVE-2019-16025 is a vulnerability in the Cisco Emergency Responder suite that potentially allows cross-site scripting. While not a particularly severe flaw in and of itself, this is definitely not something you want occurring within a police, fire, or paramedic service.

Admins would be well-advised to test and install all applicable Cisco patches before next Tuesday, when Microsoft, Adobe, and SAP are all set to drop their scheduled January security updates. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/10/cisco_january_patches/

Attackers Increase Focus on North American Electric Utilities: Report

Electric utilities continue to be a target of nation-state attackers, even before the latest tensions between Iran and the United States, says a critical-infrastructure security firm.

The companies responsible for the generation, transmission, and distribution of electricity have attracted the attention of an increasing number of cyberattack groups, industrial-control system security firm Dragos said in a report published on Jan. 9.

In recent months, four groups have expanded their activities to conduct early reconnaissance and attack efforts against electric utilities. Two of the groups, which Dragos refers to as Parasite and Magnallium, appear to have links to an Iranian state-sponsored cyber-espionage group, dubbed APT33 and Elfin by other security firms. Dragos does not attribute attacks to specific actors, but noted in the report that Magnallium’s “increased activity coincides with rising escalations between the US … and Iran in the Middle East.”

Overall, seven of the 11 groups that Dragos tracks now appear interested in reconnoitering and compromising electric utilities, says Amy Bejtlich, director of intelligence analysis for Dragos.

“Across the board we are seeing an increase in activity, an increase in targeting, and an increase in sophistication,” she says. “Adversary groups are recognizing the value of targeting industrial environments, so as defenders, we have to be aware of activity, not just in one sector, but across all sectors.”

The report comes as tensions continued to rise between the United States and Iran, following the US assassination of Iranian Gen. Qasem Soleimani, the subsequent Iranian missile attack on military bases housing American soldiers in Iraq, and the revelation that the downing of a Ukraine International Airlines plane flying from Iran was likely due to an anti-missile system. Security experts have worried that the tensions may manifest as cyberattacks against US companies and infrastructure, and the US Department of Homeland Security warned firms this week to be on heightened alert.

The Dragos report, a summary of the current threat landscape, had been completed before the latest events, however. 

“Historically, adversaries have demonstrated the capabilities to significantly disrupt electric operations in large-scale cyber events through specialized malware and deep knowledge of targets’ operations environments,” the report stated. “Although North America has not experienced similar attacks, ICS-targeting adversaries exhibit the interest and ability to target such networks with activities that could facilitate such attacks.” 

Two of the activity groups — Parasite and Wassonite — are new entries into Dragos’s pantheon of threats, but are not new groups. Parasite has operated since at least 2017, targeting utilities, aerospace firms, and oil-and-gas companies. Wassonite focuses on electric generation, nuclear energy and manufacturing targets in Asia. 

The groups’ decisions to target North American power companies are not surprising. The North American electric grid is a favored target of attackers. Two-thirds of the groups tracked by Dragos are focused on reconnaissance and disruption of the grid, according to the firm. For example, Xenotime has focused on oil-and-gas companies, but shifted its targeting to also include power companies in the US, Dragos stated in the report.

Critical infrastructure firms take cybersecurity seriously, but many are not ready for focused attackers. A Ponemon Institute survey found that more than half of respondents had suffered a “shutdown or operational data loss” in the past year. Only 42% of those surveyed felt their organization was prepared for an attack, despite the fact that a quarter of utilities and industrial companies had been targeted by nation-state actors, according to the report.  

Utilities, and any company with an operational network, should learn about cyber actors targeting not just their industry, but adjacent verticals as well, says Selena Larson, an intelligence analyst with Dragos.

“We want to get the point across to utilities that you should be aware of the tactics, techniques and procedures, and the behaviors we are observing from these groups, regardless of whether they are targeting your specific vertical or not,” she says. “At any point, they could expand or change focus.” 

The cautionary tale for companies in the power industry is the December 2015 cyberattack on a utility’s power distribution capabilities, causing an hours-long blackout for hundreds of thousands of people in Ukraine. The following year, the same attackers — called Sandworm by many companies, but Electrum by Dragos — caused failures in the generator systems in Kiev, Ukraine.

“Although adversaries have not disrupted electric distribution operations in North America, the behaviors and tool use exhibited by activity groups including Sandworm and Electrum could be deployed in electric distribution facilities within North America,” Dragos stated in its report.

 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/iot/attackers-increase-focus-on-north-american-electric-utilities-report/d/d-id/1336772?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards

Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details.

A probe by the UK’s data watchdog said the computer system managing the tills was compromised, impacting 5,390 machines at Currys PC World and Dixons Travel stores between July 2017 and April 2018, when the attack was finally spotted.

As a result, a total of 5,646,417 cards were exposed, including 5,529,349 chip-and-PIN cards that showed the primary account number and expiry date, and 52,788 non-EMV-protected cards, likely from shoppers outside of the UK and EU, that revealed the primary account number, expiry date and cardholder name.

The ICO told us that in addition to the aforementioned personal financial data, Dixons had initially found that roughly 10 million non-financial records had also been pilfered (name, postal address, mobile and home phone numbers, email address, date of birth and failed credit check details) from the retailer’s internal servers and exfiltrated.

Dixons later discovered that another 2.9 million records had been snatched, along with 73 per cent of a database housing 4.7 million records. The ICO said the store had been unable to confirm with any certainty how many customers were impacted but estimated it affected around 14 million “data subjects”.

As a result, Dixons broke the Data Protection Act 1998 by running a “poor security arrangement and failing to take adequate steps to protect personal data”, including insufficient software patching, absence of a local firewall, a lack of network segregation and routine security testing, the ICO added.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said ICO director of investigations Steve Eckersley. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.”

The fine is the maximum the ICO could levy under the previous data laws, but had it occurred following the roll-out of GDPR legislation Dixons may have found itself slapped with a bigger fine, he added.

As of March 2019, some 3,300 customers had contacted the company about the security screw-up. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” said Eckersley.

Dixons’ CEO Alex Baldock, said in a statement to the London Stock Exchange:

“We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

In light of the incident, Dixons upgraded its detection and response systems, he said. Baldock added that the company is “disappointed” in some of the ICO’s “key findings” it had previously challenged and “continue to dispute”. He didn’t specify particular areas but is “considering our ground for appeal”.

The ICO fined Carphone Warehouse some £400,000 in January 2018 for “similar security vulnerabilities”. The breach at the mobile retailer – now part of Dixons Store Group – happened in August 2015. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/09/dixons_store_group_fined_500000_by_ico_for_crap_security_that_exposed_56_millino_customers_payment_cards/

Why is a 22GB database containing 56 million US folks’ personal details sitting on the open internet using a Chinese IP address? Seriously, why?

Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to belong to Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone’s name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, but it’s being served from an IP address associated with Alibaba’s web hosting wing in Hangzhou, east China, for reasons unknown. It’s a perfect illustration that not only is this sort of personal information in circulation, but it’s also in the hands of foreign adversaries.

It just goes to show how haphazardly people’s privacy is treated these days.

A white-hat hacker operating under the handle Lynx discovered the trove online, and tipped off The Register. He told us he found the 22GB database exposed on the internet, including metadata that links the collection to CheckPeople.com. We have withheld further details of the security blunder for privacy protection reasons.

The repository’s contents are likely scraped from public records, though together provide rather detailed profiles on tens of millions of folks in America. Basically, CheckPeople.com has done the hard work of aggregating public personal records, and this exposed NoSQL database makes that info even easier to crawl and process.

“In and of itself, the data is harmless, it’s public data, but bundled like this I think it could actually be worth a lot to some people,” Lynx told El Reg this week. “That’s what scares me, when people start combining these with other datasets.”

While CheckPeople.com also offers criminal record searches, Lynx did not find that information among the cache.


The Register has repeatedly attempted to reach a human at CheckPeople to alert it to the leak, and the site’s administrators have yet to respond. Its customer-support call center directed us to email the company, although our messages were subsequently ignored, it appears. Similarly, Lynx told us he has been unable to get hold of anyone beyond a third-party call center worker.

You would think a company trafficking in personal records would care a bit more about being able to be reached.

Whether this is data somehow obtained by a Chinese outfit from CheckPeople and dumped lazily online, or a CheckPeople server hosted in China, is unclear.

However, under the laws of the People’s Republic, government agencies can more or less search any machine at any time in the Middle Kingdom, meaning profiles on 56.5 million American residents appear to be at the fingertips of China, thanks to CheckPeople – we assume Beijing has files on all of us, though, to be fair.

Again, repeated attempts to contact CheckPeople for its side of the story were unsuccessful. Should the company decide to get in touch, we will update this story as needed. We have also pinged Alibaba to alert it to the exposed database, should it care about Americans’ privacy. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/09/checkpeoplecom_data_exposed/

Google scolded for depriving the poor of privacy after Chinese malware bundled on phones for hard-up Americans

On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.

The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google (and Alphabet) CEO Sundar Pichai asking him “to take action against exploitative pre-installed software on Android devices.”

Their concern is that almost all (91 per cent) Android apps installed on devices by Google’s Android partners prior to sale do not face the same security scrutiny as Android apps distributed to device users through Google Play. These pre-installed apps cannot be deleted and may collect user data without consent or perform other undesired functions. And they play by a different set of rules than Google Play apps.

“These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model,” the letter says. “This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions.”

The groups are particularly concerned about “the exploitative business practices of cheap smartphone manufacturers.” They argue that lack of income should not mean Android users lose their privacy rights.

They want Google to provide a way to uninstall pre-installed apps and related background services permanently, to apply the same security review that Play-submitted apps receive, to support an update mechanism for these apps without a user account, and to actually refuse to certify partner devices if they contain exploitative software.

Smoking gun

Underscoring these concerns, security vendor Malwarebytes said that Assurance Wireless by Virgin Mobile, supported by the US government’s Lifeline Assistance program, distributes the $35 UMX U686CL phone with two pre-installed apps that appear to be malicious.

The first is an updater named Wireless Update that shows up in Malwarebytes’ threat database as Android/PUP.Riskware.Autoins.Fota.fbcvd. The app is “a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers,” said senior malware intelligence analyst Nathan Collier in a blog post.

The second is the phone’s Settings app, which incorporates obfuscated malware that the security biz identifies as Android/Trojan.Dropper.Agent.UMX. The dubious code shares similarities with other known Trojan droppers; in this instance, according to Collier, it installs malware called Android/Trojan.HiddenAds.

Attempting to remove this software can pose problems. Without Wireless Update, the phone no longer gets updates automatically. Removing the Settings app, however, may cripple the device. Collier offers remediation guidance, but it involves command line fiddling that demands some technical sophistication and may not work.

Collier reaches the same conclusion as the civic groups haranguing Google’s CEO: “Budget should not dictate whether a user can remain safe on his or her mobile device.”

Virgin Mobile did not immediately respond to a request for comment and Assurance Wireless’s website returned an error at the time this story was filed, possibly due to the unexpected public attention following from the Malwarebytes report.

Google also did not immediately respond to a request for comment.

Incidentally, in March, the search biz will offer Android customers in the European Economic Area (which includes Britain) a limited menu of default search providers on new devices as a result of European Commission antitrust action last year.

The Chocolate Factory on Thursday published its list of rivals – determined by periodic auctions, with proceeds paid to Google – that will be featured (through June) in the search choice menu presented in each EEA country. Android users, when setting up their devices, will be able to use the menu to select a default search engine other than Google, if they wish. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/09/google_poor_privacy_android/

TrickBot Group Adds New PowerShell-Based Backdoor to Arsenal

PowerTrick is something of a custom version of PowerShell Empire and can be used to download additional malware, SentinelOne says.

Russia’s infamous TrickBot organized cybercrime group has a new trick up its sleeve for high-value targets — a custom fileless PowerShell-based backdoor designed for stealth, persistence, and reconnaissance inside infected networks.

SentinelOne, which has been tracking the malware, has dubbed it PowerTrick. In a blog post Thursday, the vendor described the new malware as having similar capabilities as the PowerShell Empire open source penetration-testing tool but being harder to detect because it is custom developed.

Vitali Kremez, lead cybersecurity researcher at SentinelOne’s SentinelLabs, says PowerTrick is a fileless post-exploitation tool that TrickBot operators are using to stealthily drop additional malware on systems belonging to organizations the group perceives as being of high value.

The malware is being used to enable mass data collection, reconnaissance, persistence, and lateral movement on infected networks. “We assess with high confidence at least some of the initial PowerTrick infections are being kicked off as a PowerShell task through normal TrickBot infections,” Kremez says.

TrickBot is a Russia-based group that initially specialized in bank fraud activities but over the years has increasingly begun targeting enterprise organizations as well. The group is believed to have broken into numerous enterprise networks and gathered a massive amount of information on each of them, including credentials, network, and domain controller data.

In recent years, the group has been selling access to that data to other financially motivated cybercrime groups and more recently to advanced persistent threat (APT) groups such as North Korea’s Lazarus operation. According to SentinelOne, TrickBot has processed and indexed data on victims it has compromised in such a manner that its customers can quickly identify high-value targets or the least-protected organizations.

In addition to selling access to compromised networks, TrickBot in recent years has also let other vetted groups use its custom malware to carry out attacks and distribute other malware. One example is Anchor, a collection of custom and existing tools for everything from post-exploit malware installation to cleanup and removal of all evidence of a break-in. Like many other cybercrime and APT groups, TrickBot also has extensively leveraged legitimate admin tools and services — notably PowerShell, Metasploit, Cobalt Strike, and PowerShell Empire — in its post-exploit operations.

“PowerTrick is a private solution that the TrickBot group leverages for the deployment of additional targeted malware,” Kremez says. Similar to how PowerShell Empire’s stager component works, PowerTrick can be used to download a larger, more powerful backdoor for executing other commands such as those for harvesting credentials, moving laterally or for installing more backdoors. TrickBot Anchor and another backdoor called TerraLoader are two examples of malware that attackers are deploying via PowerTrick, Kremez says.

The end goal of the PowerTrick backdoor is to bypass restrictions and security controls and exploit strongly protected and secure high-value networks. Like its other malware products, TrickBot appears to have made PowerTrick available to other cybercrime and APT groups as well, according to Kremez.

SentinelLabs has developed a mock command-and-control panel that organizations can use to test for PowerTrick-related infections. The security vendor has also released indicators of compromise related to the threat.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/trickbot-group-adds-new-powershell-based-backdoor-to-arsenal/d/d-id/1336769?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese Malware Found Preinstalled on US Government-Funded Phones

Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless.

Budget Android smartphones offered through a US government initiative for low-income Americans come with preinstalled, unremovable Chinese malware, researchers report.

These low-cost smartphones are sold by Assurance Wireless, a federal Lifeline Assistance program under Virgin Mobile. Lifeline, supported by the federal Universal Service Fund, is a government program launched in 1985 to provide discounted phone service to low-income households. The Unimax (UMX) U686CL ($35) is the most inexpensive smartphone it sells.

In October 2019, Malwarebytes began to receive complaints in its support system from users of the UMX U686CL who reported some pre-installed apps on their government-funded phones were malicious. Researchers purchased one of these smartphones to verify customers’ claims.

The first suspicious app they detected is Wireless Update, which is capable of updating the device – it’s the only way to update the phone’s operating system – but also is a variant of the Adups malware. Adups is also the name of a Chinese company caught gathering user data, creating backdoors for mobile devices, and developing auto-installers, researchers report.

Years ago, Adups began partnering with budget phone companies to provide wireless phone updates, explains Nathan Collier, senior malware intelligence analyst for Malwarebytes Labs. For some reason, he notes, Google doesn’t provide updates for budget smartphones.

“Adups provides wireless updates so people can update their operating system, but they’re also just installing random stuff without any user permission whatsoever,” Collier explains. Not all of this content is malicious, he notes; sometimes the app simply installs hidden ads. Still, from the time the device is first activated, Wireless Update starts auto-installing apps.

“This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time,” Collier writes in a blog post on the findings.

Wireless Update isn’t the only unremovable app on the UMX U686CL. The phone’s Settings app also functions as heavily obfuscated malware detected as Android/Trojan.Dropper.Agent.UMX, which shares characteristics with two other variants of known mobile Trojan droppers.

“It has a lot of elements that are very similar to other elements of Trojan droppers that we know for sure are dropping hidden ads,” Collier explains. Hidden ads are growing more popular in the malware community, as attackers generate a little revenue with each click. On one device this may not amount to much, he adds, but it can add up over time as the victim pool grows.

Malwarebytes has a way to uninstall preinstalled apps for current users; however, this could have consequences on the UMX. Uninstalling Wireless Update could cause users to miss critical updates, which the company says is worth the tradeoff. Unfortunately, removing the Settings app would essentially render the device useless.

Researchers informed Assurance Wireless of the problem and had not received a response at the time of writing. Customers were also reaching out to UMX, Collier says, noting this problem falls on Assurance. It’s worth noting UMX devices are made by a Chinese company; however, it has not been confirmed whether the device makers know there is Chinese malware preinstalled.

The issue of preinstalled malware has grown over the past several years. Now, as it starts to affect the Settings app and other critical parts of device software, it’s becoming more of a challenge for users. Unlike apps that can be deleted and forgotten, the apps affected here cannot be simply uninstalled without irreversibly damaging the phone.

“This has been an issue for quite a while and it’s getting worse and worse,” Collier says. “We’re seeing it on a lot of different budget carriers around the world.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/chinese-malware-found-preinstalled-on-us-government-funded-phones/d/d-id/1336771?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google’s Project Zero highlights patch quality with policy tweak

Google’s Project Zero bug-hunting team has tweaked its 90-day responsible disclosure policy to help improve the quality and adoption of vendor patches.

Project Zero is a group of researchers that looks for zero-day vulnerabilities in technology products and services. When it finds a bug, the team informs the vendor responsible for the product and opens an internal bug report known as a tracker, shielded from public view.

The vendor then has 90 days to fix the bug before Project Zero lifts the veil. This deadline, part of the practice known as responsible disclosure, sits between those used by other organizations. US CERT, for example, goes public 45 days after discovering a bug, while the Zero Day Initiative waits 120 days.

Google says that 97.7% of the bugs it reports are fixed within deadline, up from the 95.5% that it reported in the period between February 2015 and July 2019. So now, it’s expanding its focus from faster bug fixes to better ones. With that in mind, the Project Zero team has outlined some changes to its disclosure policy that it hopes will tighten up its handling of security bugs.

The most significant sees it switch to a standard policy of disclosing a vulnerability after 90 days. In the past, it has used that cutoff as the latest possible disclosure time, but has revealed a bug as soon as a vendor announced a fix. Now, in an effort to ensure that vendors thoroughly test their patches rather than rushing them out the door, it will wait for the full 90-day period before disclosing a flaw, even if the vendor has fixed it weeks beforehand.

Holding off on public bug reports should also make it easier to get patches out to users. Google explained:

…some vendors hold the view that our disclosures prior to significant patch adoption are harmful. Though we disagree (since this information is already public and being used by attackers per our FAQ here), under this new policy, we expect that vendors with this view will be incentivised to patch faster, as faster patches will allow them “additional time” for patch adoption.

Project Zero is also taking a harder line with vendors who release poor patches. In the past, it has sometimes filed an incomplete fix as a separate vulnerability rather than adding it to the existing bug report, effectively resetting the clock for a vendor to get it right a second time.

It did this with Microsoft back in 2017, for example. In the future, vendors with dodgy patches won’t get a second chance. Project Zero will add incomplete fixes to the existing bug report, even if it has been made public. If the report has not yet been released, Project Zero will not extend the vendor’s deadline. It said:

We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits.

The Project Zero team is also providing more clarity on how it handles the grace period. Announced in 2015, this is a 14-day window following the official 90-day window during which Google researchers would avoid going public with the bug as long as the vendor promised to deliver a fix.

In the past, Project Zero would go public with the bug “sometime after” a vendor shipped a patch during the grace period. In the future, it will open its tracker report immediately after the release of a patch. The seven-day deadline that it imposes for zero-days being exploited in the wild is unchanged.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/45XsE2-NHPY/

FBI asks Apple to help it unlock iPhones of naval base shooter

The FBI has asked Apple to help it unlock two iPhones that belonged to the murderer Mohammed Saeed Alshamrani, who shot and killed three young US Navy students in a shooting spree at a Florida naval base last month.

Alshamrani also injured eight others before he himself was shot to death.

Late on Monday, FBI General Counsel Dana Boente sent the letter to Apple’s general counsel. The letter hasn’t been made public, but the FBI shared it with NBC, which first reported on it.

In the letter, the FBI said that it’s got a subpoena allowing it to search content on the iPhones, both of which are password-protected (and one of which Alshamrani reportedly shot and damaged, further complicating forensics on the device and its data). But so far, investigators haven’t had any luck at guessing the passcodes, the letter said.

And yes, the FBI has tried the tactics it used when it was trying to unlock the iPhone of San Bernardino terrorist Syed Farook. Namely, the bureau says that it’s asked for help from other federal agencies – it sent the iPhones to the FBI’s crime lab in Quantico, Virginia – and from experts in other countries, as well as “familiar contacts in the third-party vendor community.”

That could be a reference to the tool that the FBI used to finally break into Farook’s encrypted phone and thereby render moot the FBI versus Apple legal battle over encryption.

Though the killer was believed to have been acting alone, the FBI said in its letter that it’s not ruling anything out before the investigation is complete:

Even though the shooter is dead, [agents want to search his phones] out of an abundance of caution.

Apple sent a statement to NBC saying that it’s helping the government:

We have the greatest respect for law enforcement and have always worked cooperatively to help in their investigations. When the FBI requested information from us relating to this case a month ago, we gave them all of the data in our possession and we will continue to support them with the data we have available.

Why a letter and not the usual court battle?

Last month, responding to Apple and Facebook reps who testified about the worth of intact encryption, Sen. Lindsey Graham had this to say about the government’s ongoing quest for a backdoor:

You’re going to find a way to do this or we’re going to do this for you.

The letter might be part of a strategy to “do this for you.” As in, it could well be yet another way to get Apple to put in a backdoor that will bypass the iPhone encryption that stymies agents’ investigative work. Backdoors are a product-crippling move that Apple has declined to take in spite of the FBI’s many demands to do so since the case of the San Bernardino terrorists.

Throughout that encryption battle and beyond, Apple CEO Tim Cook has taken a firm stand, publicly stating Apple’s refusal to break its own encryption. So why is the FBI asking now, when it already knows the answer?

The Register reports that some are seeing the letter as part of a new strategy. In a cogent commentary, it noted that there are four things that have changed since the 2015 San Bernardino case:

  1. The state where the crime happened. Florida now has case law forcing password disclosure. In 2017, Florida ordered reality TV star Hencha Voigt to unlock her iPhone in an extortion case. Miami-Dade Circuit Judge Charles Johnson ruled that she and an alleged accomplice could be forced to hand over their smartphone passcodes without violating their constitutional right against self-incrimination.
  2. The country’s top prosecutor. US Attorney General William Barr has made it clear that he wants encryption backdoors. In October, he and officials from the UK and Australia signed an open letter calling on Facebook to back off from its “encryption on everything” plan until it figures out a way to give law enforcement officials backdoor access so they can read messages. (Facebook said no.)
  3. Tim Cook’s charm offensive. Apple’s head has been deliberately making nice with the GOP, touting the company’s contributions to the US economy …during the course of Donald Trump’s tenure.
  4. This time, the FBI really did try everything. In March 2018, the US Department of Justice’s internal inspector general came out with a rather damning report about the San Bernardino investigation, noting that the FBI “did not pursue all possible avenues in the search for a solution” before contacting Apple.

This time, as the FBI letter makes clear, it has indeed explored all possible avenues to crack iOS encryption. That leaves only one possible next step: backdoors. Meanwhile, the stars are aligned with Florida case law, the country’s top legal brass is itching for an encryption fight, and it could well be that to the DOJ’s way of thinking, Apple has taken on the aroma of appeasement.

The bricks have been carefully laid. The US has learned its lessons from the 2015 San Bernardino tussle over encryption and won’t make the same mistakes. The atmosphere, both legally and politically, has shifted since 2015.

What could come next: a court fight to force Apple to unlock Alshamrani’s iPhones.

Readers, your thoughts: would the FBI have a better chance to win this time?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TYQ-v0iT5FM/