STE WILLIAMS

Researchers Disclose New Vulnerabilities in Windows Drivers

Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.

Eclypsium researchers today disclosed new vulnerabilities in widely distributed Windows drivers, which could be exploited to take over Windows systems, including the device’s system and component firmware. These vulnerable drivers directly affect Intel devices, they report.

The findings, published today, build on previous research shared in August, when Eclypsium detailed how attackers could abuse simple design flaws in widely distributed drivers to modify the Windows kernel or device firmware. In doing so, they could access and persist in the deepest levels of a machine, gaining high privileges while avoiding traditional security tools.

“Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host,” researchers wrote in their August findings.

An attacker or malware in the user space of a device (ring 3) could take advantage of a vulnerable driver to read and write data to kernel space (ring 0) and even lower-level firmware components. “You can compromise the integrity of Windows [and] can get privilege escalation from a user application into the kernel,” says principal researcher Jesse Michael. “You can also use this kind of direct device access to modify firmware maliciously.”

These vulnerable drivers, they note, are all valid tools that vendors release to help manage or update machines. They are properly sealed and meant to be trusted on almost any device.

Many of the drivers Eclypsium found flawed were disclosed in the August research; however, two drivers from Intel were held until a fix and advisory were ready. These were released later in August and are now public at Intel Processor Identification Utility for Windows Advisory (INTEL-SA-00281) and Intel Computing Improvement Program Advisory (INTEL-SA-00283).

The Intel PMx driver, also called PMxDrv, was also held under embargo due to the complexity of the issue, researchers report today. Analysis of the driver revealed it was “incredibly capable” and contained a “superset” of capabilities previously seen in drivers. According to a blog post on today’s news, PMxDrv can read and write physical memory, model-specific registers, control registers, the interrupt descriptor table and global descriptor table, and debug registers, and it can arbitrarily gain I/O access and PCI access. Michael calls it a “Swiss army knife” driver: Attackers can use it to do whatever they want.

“This level of access can provide an attacker with near-omnipotent control over a victim device,” the researchers explained. The flawed driver has been included in many Intel ME- and BIOS-related toolsets dating back to 1999. A tool released by Intel to mitigate a recent AMT flaw contained this driver as part of the toolset; as a result, someone who downloaded and ran the tool to see whether a system was vulnerable unintentionally exposed the system, Michael adds.

Eclypsium has been working with Intel’s PSIRT team on this problem; as of today, Intel has released updated versions of the driver to mitigate the vulnerability.

Defending Against Compromised Admins
Most drivers the researchers analyzed could be exploited by an unprivileged user to modify device firmware or attack the running kernel with unfiltered IO, PCI, or MMIO access. However, they say, some drivers had restrictions to only allow use by processes with admin privileges.

Microsoft’s Windows security model for driver developers explains security boundaries in how drivers operate within Windows. This model describes the path between an admin process and a kernel driver as a “noteworthy trust boundary.” However, according to Microsoft’s Security Servicing Criteria for Windows, processes running in user space with admin privileges are treated the same as in the Windows kernel. There is no security boundary between the two.

Researchers found fault with this. While an admin has control over the device, there are security-related operations that even the admin can’t touch. Once Secure Boot is enabled, a reboot and process to verify physical presence should be required to disable it, they explain. Many security controls can’t be disabled at runtime without a system reboot.

“Allowing a compromised Administrator process to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole,” researchers say.

Other companies have taken steps to protect against compromised admins, Michael points out. Apple’s System Integrity Protection was built to protect macOS components from malicious software, even running as root with full admin privileges. Admins can disable this, but not at runtime, and they must turn the system off and reboot into Recovery OS to disable protection.

Linux has Kernel Lockdown to prevent a root user from performing operations that could harm the integrity of the kernel. Most Linux distributions have been shipping versions of the protection for years, and the patch has been accepted into the mainline Linux Kernel.

As of now, there is no universally applicable way to prevent Windows from loading any of the bad drivers Eclypsium has disclosed so far. Researchers report Microsoft is addressing the problem through its HVCI (Hypervisor-protected Code Integrity) technology, which will let Microsoft act as a virtual firewall to protect the kernel. Right now, admins’ best option is to block or blacklist old, known-bad drivers.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/researchers-disclose-new-vulnerabilities-in-windows-drivers/d/d-id/1336338?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Myths of Multifactor Authentication

Organizations without MFA are wide open to attack when employees fall for phishing scams or share passwords. What’s holding them back?

Compromised credentials are a huge threat to companies today. Why? The attacker is actually using valid (that is, stolen but valid) credentials, so why would your antivirus, firewall, and other technologies you might have in place flag anything unusual? Your tools assume people accessing your network are who they say they are.

This threat is now well known among organizations, but many of them still are not doing what needs to be done about password security. A couple of years ago, we surveyed 500 IT security managers in the US and UK, and the results showed that only 38% of organizations use multifactor authentication (MFA) to better secure network credentials. Sadly, more recent research shows that things haven’t changed much.

Why Are Organizations Reluctant to Adopt MFA?
Here are some myths that plague MFA:

Only large enterprises should use MFA.
This is a common misconception. Many organizations believe that a company needs to be a certain size to be able to benefit from MFA. They’re wrong. Using MFA should be a key security measure for any company, regardless of size. The data to protect is as sensitive and the disruption as serious in any company. And using MFA doesn’t have to be complex, costly, or frustrating.  

MFA should only be used to protect privileged users.
Wrong again. In most organizations, most employees are not considered to have access to valuable data, so they rely only on local Windows credentials. It seems a bit exaggerated to require them to use MFA to log in. But it’s not. Those “nonprivileged” employees actually have access to data that can be harmful to the company. For example, take a nurse who could sell a celebrity patient’s data to a newspaper. This shows the value of data and the possible harm that can come from it being inappropriately used.

But that’s not all. Cybercriminals usually don’t start with a privileged account; they take advantage of any account that falls victim to phishing scams to then laterally move within the network in order to find, access, and exfiltrate valuable data.

MFA is not perfect.
OK, no security solution is perfect — but MFA is close. As you may have heard, the FBI issued a warning recently regarding situations where cybercriminals were able to bypass MFA. There were two main authenticator vulnerabilities: “channel jacking,” involving taking over the communication channel that is used for the authenticator, and “real-time phishing,” which uses a machine-in-the-middle that intercepts and replays authentication messages. According to experts, such attack types require considerable costs and effort. Most hackers who encounter MFA prefer to move on to their next (easier) victim than trying to bypass this security measure. You can also take simple precautions to avoid some vulnerabilities, such as choosing MFA authenticators that don’t rely upon SMS authentication. (The National Institute of Standards and Technology discourages SMS and voice in its latest Digital Identity Guidelines.)

Despite recent events, the FBI affirms that MFA is still effective and that it’s one of the simplest steps an organization can take to improve security.

MFA disrupts users’ productivity.
It doesn’t have to. With new technology, there is always the same challenge: implementing it in a way that least disrupts employees’ productivity. If it’s too disruptive, users will find a way to circumvent security controls. Without this sensitivity, adoption can slow or even stop. Therefore, MFA requires flexibility. Administrators may want to avoid prompting users for MFA each time they log in. That’s why MFA should be customized according to each company’s needs.

Anyone can be a victim of compromised credentials — whether you are a privileged or nonprivileged user. Using MFA should be a key security measure for any company, regardless of size, and can be one of the easiest ways to keep accounts secured.


François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within. Its customers include the FBI, the US …

Article source: https://www.darkreading.com/endpoint/authentication/the-myths-of-multifactor-authentication/a/d-id/1336262?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New DDoS Attacks Leverage TCP Amplification

Attackers over the past month have been using a rarely seen approach to disrupt services at large organizations in several countries.

Cybercriminals appear to have finally figured out a way to launch highly effective distributed denial-of-service (DDoS) attacks using TCP amplification — something most attackers have typically avoided under the assumption it cannot be done efficiently.

Security vendor Radware this week said its researchers over the past 30 days have observed multiple criminal campaigns involving the use of a new type of TCP reflection attack against large organizations. The victims of these massive attacks include European sports gambling website Eurobet, Korea Telecom, Turkish financial services company Garanti, and SK Broadband of South Korea.

The attacks not only impacted the intended targets but also the networks that were used to generate the DDoS flood, causing a ripple effect that impacted many businesses around the world. The method of TCP reflection being used in the campaigns has made the attacks particularly hard to mitigate, Radware noted.

“This attack is unique because it creates collateral damage,” says Daniel Smith, head of security research with Radware’s emergency response team. “The secondary victim in this attack is actually the first to see the attack traffic.”

In DDoS attacks, threat actors use different methods to try and amplify the volume of attack traffic generated by a compromised system. The goal is to try and turn small queries and packets into much larger payloads that can then be used to flood a target network.

With TCP SYN-ACK reflection, attackers send a SYN packet — designed to appear like it originated from the target network’s IP address — to a wide number of random or preselected IP addresses, or reflection services. The IP addresses respond to the spoofed SYN packet with a SYN-ACK packet that is sent to the target network. If the target network does not respond in the expected manner, the reflection IP will continue to retransmit the SYN-ACK packet in an attempt to establish a three-way handshake, Radware said.

The extent of amplification possible depends on the number of SYN-ACK retransmits the reflection service can perform. The more times the reflection IP resends the SYN-ACK to the target IP, the greater the amplification.

Ripple Effect
Attackers have avoided TCP reflection because they have long believed the default setting for Linux systems is five retransmits, which is not enough to amplify traffic to the extent that UDP-based reflections can, Radware said. The reality, as demonstrated by an independent security researcher in 2014, is that many devices on the Internet can be manipulated to retransmit more than 5,000 SYN-ACK packets in 60 seconds, if needed.
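A defender-side check for the behaviour described above, added here as an example that is not part of Radware’s report: it scans a flow log for inbound SYN-ACKs with no matching outbound SYN from the local range (the reflection backscatter) and estimates each reflector’s amplification from how often it retransmitted the same SYN-ACK. The log lines, the line format, the 203.0.113.0/24 local range and the five-retransmit threshold are all constructed assumptions.

```python
"""Spot TCP SYN-ACK reflection backscatter in a flow log and estimate each
reflector's amplification from its retransmit count.

Constructed example; the log lines are made up, not captured traffic.
Assumed line layout: <epoch-secs> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>
where <flags> is S (SYN), SA (SYN-ACK) or R (RST).
"""
from collections import defaultdict
import ipaddress
import re

# Address range we defend, i.e. the apparent "source" of the spoofed SYNs (assumed).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Attackers assumed a reflector retransmits a SYN-ACK at most five times (the
# Linux default the article mentions); reflectors above that deserve a look.
DEFAULT_RETRANSMITS = 5

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+):(?P<sport>\d+) > "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)

SAMPLE_LOG = [  # constructed
    # legitimate outbound connection from our network and its solicited reply
    "1000.0 203.0.113.10:50000 > 198.51.100.5:443 S",
    "1000.1 198.51.100.5:443 > 203.0.113.10:50000 SA",
    # reflector A: SYN-ACKs we never asked for, retransmitted with backoff
    "1001.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1001.0 203.0.113.10:40000 > 192.0.2.7:80 R",  # our stack's RST reply
    "1002.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1004.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1008.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1016.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1032.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    "1064.0 192.0.2.7:80 > 203.0.113.10:40000 SA",
    # reflector B: gives up after three SYN-ACKs
    "1001.5 192.0.2.8:22 > 203.0.113.10:40001 SA",
    "1002.5 192.0.2.8:22 > 203.0.113.10:40001 SA",
    "1004.5 192.0.2.8:22 > 203.0.113.10:40001 SA",
]


def parse_line(line):
    """Return a dict for one flow-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_local(ip, local_net=LOCAL_NET):
    return ipaddress.ip_address(ip) in local_net


def find_unsolicited_synacks(lines, local_net=LOCAL_NET):
    """Inbound SYN-ACKs for which no SYN ever left our network.

    A real client sends SYN first, so every legitimate inbound SYN-ACK has a
    matching outbound SYN. A SYN-ACK without one was triggered by a SYN that
    merely claimed to come from us: the reflection the article describes.
    """
    records = [r for r in map(parse_line, lines) if r]
    outbound_syns = {
        (r["src"], r["sport"], r["dst"], r["dport"])
        for r in records
        if r["flags"] == "S" and is_local(r["src"], local_net)
    }
    unsolicited = []
    for r in records:
        if r["flags"] != "SA" or not is_local(r["dst"], local_net):
            continue
        # The SYN-ACK's (dst, dport, src, sport) mirrors the SYN's 4-tuple.
        if (r["dst"], r["dport"], r["src"], r["sport"]) in outbound_syns:
            continue
        unsolicited.append(r)
    return unsolicited


def amplification_per_reflector(unsolicited):
    """Amplification = SYN-ACKs a reflector sent in reply to ONE spoofed SYN.

    Each (reflector, victim ip:port) pair is one connection attempt, so every
    repeat of that pair is a retransmit the victim had to absorb.
    """
    per_attempt = defaultdict(int)
    for r in unsolicited:
        per_attempt[(f"{r['src']}:{r['sport']}", f"{r['dst']}:{r['dport']}")] += 1
    amplification = {}
    for (reflector, _victim), count in per_attempt.items():
        amplification[reflector] = max(amplification.get(reflector, 0), count)
    return amplification


def aggressive_reflectors(amplification, limit=DEFAULT_RETRANSMITS):
    """Reflectors retransmitting beyond the assumed default. Filters or rate
    limits belong here, not on the spoofed victim range that never sent a SYN."""
    return sorted(refl for refl, n in amplification.items() if n > limit)


if __name__ == "__main__":
    hits = find_unsolicited_synacks(SAMPLE_LOG)
    amp = amplification_per_reflector(hits)
    print(f"{len(hits)} unsolicited SYN-ACKs from {len(amp)} reflectors")
    for refl, n in sorted(amp.items()):
        print(f"  {refl:<18} amplification x{n}")
    print("above default retransmit limit:", aggressive_reflectors(amp))
```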

Such attacks can overwhelm target networks and also cause other problems for victims, Smith says. In the latest campaigns involving TCP reflection attacks, the intended targets were also the victims of improper blacklisting, Smith says.

“The original spoofed SYN flood sent to the reflectors misrepresented the victims’ IP range,” he notes. “As a result of the spoofed SYN flood on the reflectors’ network, operators moved to blacklist networks that were misrepresented.” Some network administrators, for instance, blacklisted networks like Eurobet not just because of the spoofed SYN flood from the attacker, but also the return flood of TCP RST and ICMP packets from Eurobet, Smith said.

Since the attack was spoofed, blacklisting the victim’s network only helps to further accomplish the attacker’s goals, he notes.

Because of how TCP reflection attacks work, the networks that were used as reflection services also experienced network congestion and service degradation. Many companies that were unaware of their networks being used as TCP reflectors were left wondering why they were being flooded with SYN traffic, Radware said.

From a mitigation standpoint, the most challenging aspect to dealing with a TCP reflection attack is preventing network exhaustion, Smith says.

“These attacks produce high volumes of packets per second, requiring a large amount of resource from network devices to process the traffic,” he notes. “If resources become exhausted, networks will fail resulting in an outage.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/1336339?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patches IE Zero-Day Among 74 Vulnerabilities

The November Patch Tuesday update fixed 13 critical flaws, including a zero-day bug in Internet Explorer.

Patch Tuesday is back once again, bringing with it 74 security fixes, 61 of which are classified as Important and 13 as Critical, including one Internet Explorer bug under active attack.

Microsoft today released fixes for CVEs across Windows, Internet Explorer, Microsoft Edge, Office and Office 365, ChakraCore, Exchange Server, Open Source Software, and Visual Studio.

The vulnerability currently being exploited in the wild is CVE-2019-1429, a scripting engine memory corruption vulnerability in Internet Explorer. A remote code execution flaw exists in the way the scripting engine handles objects in memory in IE, and it could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Attackers who successfully exploited this vulnerability could gain the same user rights as the current user. If the user is logged in with administrator privileges, the attackers could exploit the vulnerability to take control of an affected system. From there, they could install programs; view, edit, or delete data; or create new accounts with full user rights.

To do this, the attackers could host a website designed to exploit the bug through Internet Explorer and convince the target to visit the site. Alternatively, they could embed an ActiveX control labeled “safe for initialization” within an app or Office document that hosts the IE rendering engine and trick someone into opening it. In the latter scenario, the victim wouldn’t need to use IE to be infected, meaning they should patch even if they don’t rely on the browser.

Today’s patch fixes the flaw, reported by Clément Lecigne of Google’s Threat Analysis Group, by changing the way the Internet Explorer scripting engine handles objects in memory.

“Security training on common phishing and user-targeted attack methods could further reduce the risk of this vulnerability being exploited, but as it is already being exploited in the wild, it is highly recommended to get the patch rolled out quickly to resolve the vulnerability completely,” says Chris Goettl, director of security product management at Ivanti.

Microsoft also patched four Critical flaws (CVE-2019-1389, CVE-2019-1397, CVE-2019-1398, CVE-2019-0721) in Hyper-V and Hyper-V Network Switch. These would enable an authenticated user on a guest system to run potentially malicious code on the host. “Microsoft notes that exploitation of these vulnerabilities is less likely, but these patches should still be prioritized for all Hyper-V systems,” says Jimmy Graham, director of product management at Qualys.

Today’s roundup included a fix for CVE-2019-1457, a security feature bypass bug that exists in Office for Mac due to improper enforcement of macro settings in Excel files. To exploit this, an attacker would have to embed a control in an Excel worksheet that specifies a macro should be run, and then convince a user to open a specially crafted file with an affected version of Excel. This update fixes the vulnerability by enforcing macro settings on Excel documents.

Also worth noting is Microsoft’s advisory ADV190024 on a vulnerability in certain Trusted Platform Module (TPM) chipsets from STMicroelectronics. This is a TPM firmware flaw, not a vulnerability in the Windows operating system or any specific application. The vulnerability affects key confidentiality in the ECDSA signature algorithm; a firmware update to the TPM may be needed.

“Currently no Windows systems use the vulnerable algorithm,” Microsoft says. “Other software or services you are running might use this algorithm. Therefore if your system is affected and requires the installation of TPM firmware updates, you might need to re-enroll in security services you are running to remediate those affected services.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/microsoft-patches-ie-zero-day-among-74-vulnerabilities/d/d-id/1336341?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sextortionist whisks away sex tapes using just a phone number

A 33-year-old businessman from Toronto got jumped by a sextortionist who got at his phone’s sex tapes via SIM-swap fraud.

CBC News on Sunday reported that the victim, Randall Baran-Chong, knew trouble had come knocking when he got a message last week from his phone carrier about his phone service being cut off.

Baran-Chong said that around 3:30 a.m., he started to get emails warning about changes made to his Microsoft account: his password had been reset, and his email address had been removed as a verification method.

I knew things were about to go badly.

What followed: the attacker locked down his laptop, bought an Xbox video game gift card and charged it to Baran-Chong’s credit card, accessed his personal files, and threatened him with sextortion: all possible because whoever it was had stolen his mobile phone number.

How the crooks swing a SIM swap

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Baran-Chong tried to do just that, but he wasn’t able to get his number back until the following day.

The fraudster had managed to transfer Baran-Chong’s phone number to that of a prepaid customer with another carrier. According to CBC News, the fraudster apparently used “a password retrieval process involving text message verification” to gain access to Baran-Chong’s Microsoft account, which was tied to his computer’s operating system and to a cloud-based file backup service.

By the time Baran-Chong regained control of his accounts, the extortionist already had plenty of time to go through his cloud account content and threaten to release it.

Pay up, or I’ll drop the sex tapes

In one message, the fraudster threatened that if Baran-Chong didn’t send two bitcoins (about $25,000), they’d “[drop] your sex tapes to all of your coworkers, investors and relatives.”

Baran-Chong said that his cloud account had years’ worth of photos and videos. That includes tapes of what he said was consensual sex. He said that the women involved have already been informed of the breach.

Another threatening message included a scan of his passport, which he says he saved when applying for a travel visa, along with screen captures of the intimate videos the fraudster was threatening to release.

Baran-Chong said that he hasn’t paid the ransom. Nor have the videos been sent to anybody he knows – at least, not yet. But it’s like living “under the sword of Damocles,” he said: “It’s going to hang over my head for the rest of my life.”

The thin silver lining

There are two upsides to this attack: for one thing, the scumbag who did this to him also provoked Baran-Chong’s entrepreneurial creativity, he told CBC News:

The entrepreneur in me is saying, ‘This person may have helped me start a new business,’ because I’m going to tell my story. I know the holes in the system, and there are two things I’m determined to do: to create a business that protects anyone who is in this situation, and second is to create the legislation, the first of its kind in the world, starting with Canada, to essentially create a digital identity bill of rights.

We should be protected. Don’t let the bullies win.

The other silver lining is that his carrier, Rogers, is going to add some protection to stop these attacks.

After the first attack, Baran-Chong did add a four-digit PIN to his account. The second time around, Rogers has offered to contact Baran-Chong if anybody tries to transfer his number again, and CBC News reports that Rogers is rolling out a text message notification service if there’s a request to port a customer’s number, but as it stands, “Canadian cellphone users have limited options for safeguarding their number.”

What to do?

Limited options doesn’t mean none, and we have tips that can help to protect you. We’ve handed them out far too often. Unfortunately, they’re still fresh as daisies, since SIM swap fraud is still going strong, with crooks aiming high and low: recent celebrity SIM-jacking victims include British food writer and activist Jack Monroe, as well as Twitter CEO Jack Dorsey. Twitter actually turned off SMS texting soon after the @Jack-hijack, given that it was one of the possible ways Dorsey’s Twitter account got taken over by racist/anti-semitic/bomb-hoaxing hijackers in August 2019.

Here’s our advice on how to avoid having your sex tapes whisked out from under you, or your bank account balance melt, or your Bitcoin wallet drain, as you stand by helplessly and watch it all go:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was an 87X4TNETENNBA.
  • Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WC2UWpWBTyQ/

Nvidia patches graphics products and GeForce Experience update tool

Nvidia’s November 2019 update just fixed 11 mainly high-severity security flaws in its Windows and GeForce graphics card drivers, including three in the program used to update them.

Users often associate driver updates for graphics cards with performance, stability and general bug fixes but security has become almost as big an issue in recent years.

The three with the highest severity – CVE‑2019‑5690, CVE‑2019‑5691 and CVE‑2019‑5692 – are kernel mode flaws in the Nvidia Windows GPU display driver which could be exploited to cause a crash or escalation of privileges.

The same component features a further four lower-rated flaws, CVE‑2019‑5692, CVE‑2019‑5693, CVE‑2019‑5695, and CVE‑2019‑5694, the latter requiring local access.

In addition to all this, Nvidia’s GeForce Experience application is vulnerable to two flaws of its own, CVE‑2019‑5701 and CVE‑2019‑5689, plus one, CVE‑2019‑5695, shared with the Windows driver discussed above.

The first one of these is the highest priority and applies when GameStream is enabled for Nvidia Shield devices.

Not all Nvidia users use GeForce Experience, the purpose of which is to act as an automatic update and optimisation tool for Nvidia drivers. Anyone who doesn’t use that tool can search for new drivers manually via Nvidia’s website.

Those who do, however, simply need to run the application to receive the correct updates addressing its own flaws (v441.12) and those of the drivers.

These are drivers Nvidia users should grab as soon as possible. The last clutch of security fixes for the brand turned up in August, which added to a similar set of patches in February.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dRHL2MrNvkw/

Apple to fix Siri bug that exposed parts of encrypted emails

Apple may care about your privacy but that doesn’t mean it gets it right all the time, especially when it comes to training its Siri AI assistant. Last week, a researcher went public with a glaring security hole in the way that Siri gets to know you.

Apple IT specialist Bob Gendler was tinkering around in the macOS operating system to understand more about how Apple personalizes Siri for each user. During the process, he found that the operating system was storing portions of user emails in plaintext, even when they were supposed to be encrypted.

According to Gendler’s Medium post revealing the issue, Apple uses a system process called suggestd. Apple explains (as part of a help file system in the underlying BSD OS) that the program, which runs constantly, slurps content from various apps. These include Spotlight (the macOS indexing system), Mail, and Messages. It uses them to learn how you work and what you’re interested in, using it for things like news personalization.

When it reads this information, it stores it in the snippets.db file inside the macOS Suggestions folder. Even emails encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME), a technology that uses public and private keys to digitally sign and protect emails, didn’t escape. Suggestd stored the plaintext versions with no encryption at all in the database.

An attacker would need full disk access to your system files to look at this information, because macOS protects it with its System Integrity Protection feature, an OS X El Capitan-era security measure that ring-fences important system files. However, we know from recent problems that some people have needed to turn this off, and Gendler says that any program with full disk access in macOS could potentially harvest the data. Because Apple’s Finder (the equivalent of Windows File Explorer) has full disk access, a rogue AppleScript program could do it.

What to do?

How do you stop macOS from storing your secret emails in plaintext? Simply turning off Siri won’t do it, because suggestd is still working behind the scenes. Instead, you can do it manually by entering a command in your terminal window (you don’t need to have root access to do it):

defaults write com.apple.suggestions SiriCanLearnFromAppBlacklist -array com.apple.mail

If you want to quickly stop Siri learning from all of your apps, open System Preferences, and then Siri. Click About Siri Privacy, and then deselect all your apps in turn.

These solutions only work on a per-user basis, but Gendler also provides a longer script that you can run to turn off Siri-based Apple Mail snooping for all users on the system.
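The per-user command above applied to every account on the machine, as an added example (not Gendler’s script or Apple’s guidance); it assumes home folders live under /Users, that it runs as root, and that running defaults via sudo -u as each user writes that user’s own preference domain, and it prints the commands instead of executing them when DRY_RUN=1:

```shell
#!/bin/sh
# Added example, not Gendler's script: apply the per-user
# SiriCanLearnFromAppBlacklist preference from the article to every
# local account, so Siri stops learning from Mail for all of them.
# Assumptions (not from the article): home folders live under
# USERS_ROOT (default /Users), the script runs as root, and
# `sudo -u <user> defaults write ...` writes that user's own domain.
# With DRY_RUN=1 the commands are printed instead of executed.

USERS_ROOT="${USERS_ROOT:-/Users}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write the Mail blacklist entry into one user's preference domain.
blacklist_mail_for_user() {
    run_cmd sudo -u "$1" defaults write com.apple.suggestions \
        SiriCanLearnFromAppBlacklist -array com.apple.mail
}

# Apply the setting for every home folder except the Shared folder.
# Returns non-zero as soon as one user's write fails.
blacklist_mail_for_all_users() {
    for home in "$USERS_ROOT"/*/; do
        [ -d "$home" ] || continue
        user="${home%/}"          # strip trailing slash from the glob
        user="${user##*/}"        # keep only the folder name
        [ "$user" = "Shared" ] && continue
        blacklist_mail_for_user "$user" || return 1
    done
}

# Only act when explicitly asked, so sourcing the file changes nothing.
if [ "${RUN_NOW:-0}" = "1" ]; then
    blacklist_mail_for_all_users
fi
```

Review the output with DRY_RUN=1 RUN_NOW=1 first, then run as root with RUN_NOW=1 to apply it.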

If an attacker could get malware on a victim’s Mac with full disk access, there is a chance they could read sensitive material from the snippets.db file, but the stars would have to align. It’s serious, but perhaps not as serious and visible a privacy issue as Apple’s revelation earlier this year that it was letting contractors listen to Siri recordings. It revised its policy on that quickly enough, but Gendler complains that it dragged its heels for 100 days after he reported this new issue, omitting a fix from several security updates across more than one OS version. He said:

For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. It brings up the question of what else is tracked and potentially improperly stored without you realizing it.

Eventually, Apple sent him the instructions for turning off Siri-based app learning via system preferences that we’ve just given you.

Apple said it’s aware of the issue and says it will address it in a future software update.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TwQGoS3CLXs/

150 infosec bods now know who they’re up against thanks to BT Security cc/bcc snafu

BT Security managed to commit the most basic blunder of all after emailing around 150 infosec professionals who attended a jobs fair – using the “cc” field instead of “bcc”.

The email, shown to The Register by a non-trivial number of aggrieved recipients, thanked them for attending the Westminster Cyber Expo and popping by the BT Security stand.

“As the importance of security and the scale of the threat grows, we’ll be increasing the size of our security team by 25 per cent over the next five years and need people like you to join our team around the UK,” boasted the email, which also exhorted its readers to follow BT Security on LinkedIn.

Instead of following basic data protection advice, however, BT Security cc’d it to all ~150 recipients – allowing them to read each other’s email addresses and identities.

Some of the email addresses exposed were obviously work email addresses, including from police and central government employees as well as the usual cross-section of people you’d expect to find at a cybersecurity expo.

One recipient even reply-all’d to the original email asking to be taken off it, citing GDPR.

Reply-all email chains are no laughing matter. The NHS suffered one in 2017 that nearly KO’d the national NHSmail system, while Cisco suffered a similar storm in 2015. Most of the problem in those cases arose from unthinking people clicking “reply all”, perpetuating the problem of messages bouncing around the ether. A poorly configured list server can produce the same effect.

As for the data breach here, the impact is relatively limited – though this will be cold comfort for anyone now worried that their boss might find out they’re actively pursuing other means of gainful employment.

A penitent BT press officer told The Register: “We’re sincerely sorry that this issue has occurred. We take the protection of data extremely seriously, and our Data Privacy team have taken immediate steps to speak with both the individual concerned and wider teams to ensure this doesn’t happen again.”

BT also emailed the list again – this time correctly using BCC, which stands for “blind carbon copy” – to say:

We sent you an email at 10:18pm on Thursday 7th of November after our chat at the Cyber Security Expo in Westminster, London. The subject was: Thank you for visiting the BT Security Stand – Westminster October 2019

Unfortunately we cc’d rather than bcc’d the email. We’re really sorry about that. But we know that’s not enough so…

  • If you haven’t already opened it, could you delete the email straightaway without opening
  • If you’ve opened the email, please just delete it
  • And finally, if you’ve forwarded or shared it, could you recall the message, delete it and ask the people you sent it to, to do the same.

Once again, we’re so sorry this happened. It was an honest mistake – it was a simple human error. We have taken steps to make sure that it doesn’t happen again.

These things, annoying and inconvenient as they are, do happen from time to time. But they rarely happen to the actual security teams of proper businesses like BT.

Last December BT Security lost its then-CEO to DXC Technologies. While the unit has periodically been hiring over the years, British Telecom itself set about getting rid of 13,000 staff in May 2018. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/bt_security_cc_bcc_email_fail/

‘Sophisticated’ cyber attack on UK Labour Party platforms was probably just a DDoS, says official

The UK’s Labour Party says its campaign site has been the target of a “sophisticated and large-scale cyber-attack” and has informed GCHQ’s National Cyber Security Centre.

Jeremy Corbyn’s party said the attack took place yesterday, adding that security systems ensured there was no data breach.

A spokeswoman said: “We have experienced a sophisticated and large-scale cyber-attack on Labour digital platforms. We took swift action and these attempts failed due to our robust security systems. The integrity of all our platforms was maintained and we are confident that no data breach occurred.

“Our security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed. We have reported the matter to the National Cyber Security Centre.”

In a letter sent to the party’s campaigners, Niall Sookoo, the party’s exec director of elections and campaigns, said: “Yesterday afternoon our security systems identified that, in a very short period of time, there were large-scale and sophisticated attacks on Labour Party platforms which had the intention of taking our systems entirely offline.

“Every single one of these attempts failed due to our robust security systems and the integrity of all our platforms and data was maintained. I would like to pay tribute to all the teams at Labour HQ who identified this risk and acted quickly to protect us.”

However, subsequent reports have suggested it was actually a DDoS attack. “It was really very everyday, nothing more than what you would expect to see on a regular basis,” a security official with knowledge of the matter told Reuters.

This is a developing story and The Register will update as information comes to light. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/labour_party_reports_cyber_attack/

From AV to oy-vey: McAfee antivirus has security hole of its own

Three of McAfee’s anti-malware tools have been found to contain a vulnerability that could potentially allow an attacker to bypass its security protections and take control of a PC.

The team with SafeBreach says that it has already privately reported the bug to McAfee, and the security shop was able to release a patch on Tuesday prior to the report going public. Users and admins running McAfee Total Protection, Anti-Virus Plus, and Internet Security are all advised to update their software to version 12.0.R22 Refresh 1 or later.

According to SafeBreach, the vulnerability can be traced back to an error in the McAfee software that causes the security tools to try to load a DLL file (wbemcomn.dll) from the wrong file path.

This means an attacker could write their own poisoned version of wbemcomn.dll, place it in the directory where the software looks, and have the file automatically loaded and run without any checks.

“We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes,” SafeBreach Labs researcher Peleg Hadar explains in a write-up.


“This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator.”

In practice, this means an attacker could use the vulnerability to execute commands on the target machine, with system level privileges, without having to worry about the McAfee anti-malware tools catching or stopping the operation.

Additionally, because the DLL file would be loaded every time the security suite runs, it would be a good way for an attacker to gain persistence on the machine and survive a reboot.

The vulnerability, first reported to McAfee in early August, has been designated CVE-2019-3648.

The release of this patch will come at what is already a busy time for administrators. Microsoft, Adobe, and SAP are all set to release their own monthly patch bundles today, while Intel has also posted a microcode update to help protect against yet another variation on the ZombieLoad side channel attack. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/12/mcafee_av_vulnerability/