STE WILLIAMS

More Businesses Accidentally Exposing Cloud Services

53% of businesses using cloud storage services unintentionally expose them to the public.

More than half of organizations using cloud services like Amazon Simple Storage Service (S3) have inadvertently exposed at least one of these services to the public, up from 40% earlier this year.

The data comes from cloud security firm RedLock, which has released its latest “Cloud Security Trends” report examining major threats and vulnerabilities in the public cloud from June through September 2017. Its findings indicate more businesses are exposing data, neglecting vulnerabilities in the cloud, and not paying attention to how compromised users are putting them at risk.

Researchers determined 38% of organizations have experienced the potential compromise of an administrative user account in their public cloud computing environment. More than 80% of businesses are not managing host vulnerabilities in the cloud, and 37% of databases accept inbound connection requests from the Internet. Seven percent of those receive requests from suspicious IP addresses, a sign they have likely been compromised.

The researchers also found that cybercriminals were using the public-cloud computing power of British insurer Aviva to mine bitcoin, having taken over the organization’s Kubernetes administration consoles, which had no password protection at all.
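A practical check for the kind of S3 exposure the report counts, added here as an example and not part of RedLock’s report or Dark Reading’s story: it inspects a bucket’s ACL and bucket policy (in the document shapes that boto3’s get_bucket_acl and get_bucket_policy return) for grants to everyone. The bucket name, ACL and policy below are constructed samples; on a real account you would fetch them with those two boto3 calls.

```python
# Added example (not from the RedLock report or Dark Reading): offline check of an
# S3 bucket's ACL and bucket policy for grants that make it public. Inputs use the
# document shapes returned by boto3 get_bucket_acl / get_bucket_policy; samples are
# constructed.
import json

PUBLIC_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee URI, permission) pairs that expose the bucket to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_URIS:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def policy_public_statements(policy_json):
    """Return Sids of Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    hits = []
    for s in stmts:
        if (s.get("Effect") == "Allow"
                and _principal_is_everyone(s.get("Principal"))
                and not s.get("Condition")):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def assess_bucket(name, acl, policy_json):
    """Human-readable findings for one bucket; empty list means nothing public found."""
    findings = []
    for uri, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in policy_public_statements(policy_json):
        findings.append(f"policy statement {sid} allows Principal '*' unconditionally")
    return findings


# Constructed samples: an ACL with a public READ grant and a public-read policy.
SAMPLE_ACL = {
    "Owner": {"ID": "ownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for finding in assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY):
        print("example-bucket:", finding)
```

The policy check deliberately flags only the unconditional case: a wildcard principal narrowed by a Condition (an aws:SourceIp range, say) is skipped and needs a human look. S3 Block Public Access, which AWS added in 2018, can override both mechanisms at the account level, so check that setting as well before trusting a clean result.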


Article source: https://www.darkreading.com/cloud/more-businesses-accidentally-exposing-cloud-services-/d/d-id/1330072?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

iPhone’s new “off” switch that leaves Bluetooth and Wi-Fi turned on

Apple iPhones have a neat feature called Control Centre that gives you easy access to settings and features you typically use a lot.

Amongst other things, you can quickly set your screen rotation lock, turn on the torch (flashlight), set the screen brightness and volume, and, perhaps most conveniently of all, control your wireless connectivity settings.

Until iOS 11, you couldn’t customise the Control Centre screen, and you had to jump to the main screen first by pressing the Home button before you could activate the Control Centre.

Now, you can change its appearance, as well as give yourself access to Control Centre from everywhere, making it likely you’ll use it more often.

You open the Control Centre simply by swiping up from the bottom of the screen.

In my screenshot, Airplane mode is turned on (the icon goes orange to indicate that in this mode, “on” effectively means that connectivity is off).

If I tap the plane icon, Airplane mode goes off and Wi-Fi (blue) and mobile data (green) are automatically activated.

In my case, however, Bluetooth remains off.

That’s because I have it turned off in my iPhone settings. Apart from a brief flirtation with a Bluetooth mouse a few years ago, which cost me far more in batteries and late-night trips to the convenience store than I recovered in utility, I’ve simply never used or needed it.

Now assume that I briefly wanted to use Bluetooth, and I decided that the new access-from-anywhere Control Centre screen would be a handy way to control it.

I’d tap the Bluetooth icon on, and then later tap it off again.

But look what happens when I go back into the iPhone Settings screens.

Bluetooth shows up as “Not Connected”, and the Bluetooth page itself shows that it is actually still active, but in a halfway-house mode where “new Bluetooth connections have been turned off”.

In other words, the Bluetooth button on the Control Centre page isn’t an off-on toggle as its visual appearance suggests; it’s an off-on-sort-of-off-but-not-really-off-at-all toggle that doesn’t work as you might expect.

It’s the same with Wi-Fi: if you turn it off from Control Centre, you don’t actually turn it off, as the grey icon suggests, but simply drop it into a similar halfway-house mode, causing it to disconnect from the network you’re on right now but leaving the Wi-Fi radio active.

To be fair to Apple, this behaviour is officially documented in Apple support article HT208086, entitled Use Bluetooth and Wi-Fi in Control Center with iOS 11, but in our opinion you’d be forgiven for thinking that those grey “off” icons on the Control Centre screen really meant “off”.

As the support article explains it, “off” in this context means something much more nebulous, namely:

Both Wi-Fi and Bluetooth will continue to be available, so you can use these important features: AirDrop, AirPlay, Apple Pencil, Apple Watch, Continuity features, like Handoff and Instant Hotspot, Instant Hotspot and Location Services.

Curiously, the support article also documents that both Wi-Fi and Bluetooth will automatically come back on when one of these happens:

  • You walk or drive to a new location. (Wi-Fi only.)
  • It’s 05:00 local time.
  • You restart your device.

What’s special about 5am? We have no idea – please share your best guess, or your worst nightmare, in the comments below. Tell us why you think Apple hard-wired that particular time into the system.

What to do?

  • You can hold your finger on one of the Control Centre connectivity buttons for a moment to pop up a screen that tells you directly whether a grey Bluetooth or Wi-Fi icon means “off” or “sort-of off”.

In that pop-up, the annotation “Not connected” below a grey Wi-Fi button means it isn’t really off at all, and will magically reactivate in the morning (or if you move to a new location); the word “Off” below a grey Bluetooth button means it really is off, and won’t reawaken until you activate it in Settings.

  • You can control Wi-Fi and Bluetooth decisively from the Settings app, where each one has a toggle between “on” and “off” in the conventional sense of those words.

Be careful out there: it turns out that “on” means “on”, but “off” may mean “coming on again soon”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u0Q7ILCaFaw/

VPN logs helped unmask alleged ‘net stalker, say feds

Virtual private network provider PureVPN helped the FBI track down an Internet stalker, by combing its logs to reveal his IP address.

The Department of Justice announced on Friday the arrest of Ryan Lin, a 24-year-old from Newtown, Massachusetts, on charges that he cyber-stalked a former room-mate.

According to the complaint [PDF] against Lin in the Massachusetts District Court, Lin’s campaign against Jennifer Smith included doxxing (including posting passwords to her online accounts), posting intimate photos with the suggestion they were of Smith (though without her face), rifling her personal journal and emailing private information to her contacts, posting fake profiles of her to sites “dedicated to prostitution, sexual fetishes, and other sexual encounters”, bomb threats, tricking a friend of Smith’s into calling the police to her house, death and rape threats, and sending “images that likely constitute child pornography” to her family and friends.

Lin used various privacy services to maintain his cover: logging in via Tor, to conceal his IP address; VPN services; anonymised international texting services; and offshore private e-mail providers.

However, the complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he’d been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith.

Key details turned up by investigators included:

“Further, records from PureVPN show that the same email accounts – Lin’s Gmail account and the teleprtfx Gmail account – were accessed from the same WANSecurity IP address,” the document stated.

And that’s where the surprise came in – at least for those who believed a VPN is complete protection: “Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses” (those IP addresses were at Lin’s work and home addresses).

As the investigators note, Tweets from Lin showed he knew there was some risk of logging from VPN providers. As recently as June, he posted a Tweet critical of provider IPVanish about its logging claims:

“There is no such thing as a VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

If found guilty, Lin faces up to five years in prison and up to three years of supervised release. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/

How anyone could have stuffed your Flickr account with photos

Flickr, the massive online photo sharing site, lets you email photos to your account. You get your own, unique address to email content directly into your Flickr account from your cameraphone or your email program.

But before Yahoo remediated the situation, a high schooler who was poking it to see what it does found that the app was cooking up those account-specific email addresses using a stubby little dictionary that was a pushover for brute-force attacks.

An attacker could have exploited it by easily uploading pictures and videos, stuffing Flickr accounts with their own content, be it spammy, porny, trolly or anything else you can think of.

The finding comes from Jazzy, a high school senior with an interest in information security. He said in a blog post on Thursday that he reported the bug as soon as he verified it. Yahoo (owner of Flickr) quickly fixed it, and Jazzy got a $4000 bounty for his efforts.

Jazzy had been poking at Flickr for only about 30 minutes when he stumbled on the feature that lets you email photos to your account by sending an email to a specific address.

Hmm, Jazzy mused, what if an attacker could figure out the emails used with each account? You don’t even need a password to upload photos and videos to victims’ accounts.

He couldn’t figure out a way to get the system to leak email addresses, but he did find a button for changing the email address and getting a new one. Click it, and bam, he instantly got a new email address. Do it again, and again, and again, and Jazzy started to see a pattern.

It looked like this:

[Random dictionary word][Random number 0-100][Random Dictionary word]@photos.flickr.com

Jazzy noticed that the dictionary word was always fewer than six characters long. That’s when thoughts of brute-forcing the address came to mind. He didn’t expect it to work; he assumed that Flickr would use a big dictionary, one that made guessing a real email address very unlikely. Still, he gave it a go: he whipped up a Python script that changed his email address over and over and waited.

He set it up to run overnight and by morning Flickr had handed back some 23,000 email addresses. He spun up a quick script to sort through the addresses and found only 935 unique words were used across all of them.

This actually blew my mind. Out of 23,000 email addresses, only 935 unique words were used. This was that “WHAAAATTT!!!” moment.

By his reckoning, if he generated addresses himself from every combination of the words he had enumerated and the numbers 0-100, roughly one in two of them would belong to a real Flickr account: better than a 50% hit rate.

An attacker could exploit the situation quite efficiently, Jazzy said:

We could generate all the 87.5 million emails, and then just write a script which would mass mail each one of those emails. Flickr doesn’t verify what address the email came from, so we can send emails from any random address and they would still get uploaded.

It won’t even take more than 3 hours to send 87.5 million emails using a multithreaded script and some power. And we can even send a single email to multiple addresses by CC/BCC, which would further reduce the amounts of emails to send.

Now by exploiting this, an attacker can easily upload pictures and videos [to] any Flickr account.
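An added example, not Jazzy’s script or Flickr’s code, that measures the keyspace behind the pattern above from a sample of generated addresses and compares it with an identifier drawn from a CSPRNG. The sample addresses are constructed; with Jazzy’s 935 words and the 101 values 0-100 the scheme yields about 88.3 million addresses (he quotes 87.5 million), roughly 26 bits, against 128 bits for the random token.

```python
# Added example (not Jazzy's script or Flickr's code): how big is the space of
# "[word][0-100][word]@photos.flickr.com" addresses really, and what a properly
# random upload address looks like. Sample addresses are constructed.
import math
import re
import secrets

ADDR_RE = re.compile(r"^([a-z]+)(\d+)([a-z]+)@photos\.flickr\.com$")


def unique_parts(addresses):
    """Extract the distinct words and numbers seen across a sample of addresses."""
    words, numbers = set(), set()
    for addr in addresses:
        m = ADDR_RE.match(addr)
        if not m:
            continue
        words.update((m.group(1), m.group(3)))
        numbers.add(int(m.group(2)))
    return words, numbers


def keyspace(n_words, n_numbers):
    """word x number x word: every address the scheme can ever produce."""
    return n_words * n_numbers * n_words


def entropy_bits(size):
    """Bits of guessing work for a uniformly chosen identifier from `size` options."""
    return math.log2(size)


def strong_address(domain="photos.flickr.com", nbytes=16):
    """128 bits from the OS CSPRNG; enumerating this is infeasible."""
    return f"{secrets.token_hex(nbytes)}@{domain}"


# Constructed sample in the shape Jazzy observed (word, 0-100, word).
SAMPLE = [
    "apple7pear@photos.flickr.com",
    "pear42apple@photos.flickr.com",
    "grape100plum@photos.flickr.com",
    "plum0grape@photos.flickr.com",
]

if __name__ == "__main__":
    words, numbers = unique_parts(SAMPLE)
    print(f"sample: {len(words)} words, {len(numbers)} numbers")
    full = keyspace(935, 101)               # Jazzy's 935 words, numbers 0-100
    print(f"weak scheme: {full:,} addresses, {entropy_bits(full):.1f} bits")
    print(f"random token: {entropy_bits(2 ** 128):.0f} bits, e.g. {strong_address()}")
```

The point of the comparison is that 26 bits is within reach of a mass-mailing script, as Jazzy notes, while 128 bits is not; the fix is to stop deriving the address from a small dictionary and draw it from the system’s CSPRNG instead, as strong_address() does.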

Jazzy reported the bug as soon as he had verified it. Yahoo, to its credit, marked it as P1 – a critical bug that needs an immediate fix. And that’s what Jazzy’s bug got: a fast fix.

So until the next P1 pops up, we have Jazzy to thank for our Flickr accounts not getting overloaded with somebody else’s garbage. Thanks, Jazzy!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Sg6Xy8D3lCQ/

Woman films her spying webcam as it talks to her

Webcam, I gotta tell ya: this is not the way to sweet-talk a random woman into cyber-rubbing up against you:

What did that person see from me? My house, my personal effects…
During dinner, I was amazed at a friend of mine who wondered how this was possible. We decided to put the camera down one more time with the lens to the wall. Would there be any response?
Within a minute, it was hit…
– Hello
– Do you speak French?
I’m sorry.
– Do you speak French?
Me: No, English!
………
Me: What did you do?
– It’s good?
Me: No!
Get the f*** out of my house, now!
Shut the f*** off!
– I don’t know?
Me: Get the f*** out of my house, go away!
– Hello, miss!
Me: Yeah, f*** you!
– Ohhhhhhh s*** – my d***!

We pulled the plug and put the camera back in the box.
Crying, upset.
My privacy, my house, my personal stuff and myself… I’m scared, terrified.

That suave chat is a translation of what webcam owner and shocked F-bomb flinger Rilana Hamer, of the Netherlands, related in a 1 October Facebook post.

Hamer says that a month or two ago, she picked up a Wi-Fi enabled camera to keep an eye on the house. Most particularly, to keep an eye on her puppy, who has a penchant for turning everything upside down. She bought the device at Action—a local discount-chain store that mostly sells low-budget convenience utilities.

So there she was, putting away her groceries, cleaning, singing as she went about her chores, when she heard a “rumbling” from the living room.

She went to check on the noise and it was the camera, swiveling around. Her phone, which she uses to control the webcam, was on her bed.

Huh, she thought, it must be updating, so she went back to what she’d been doing. But that’s when the hacker who’d taken control of the webcam decided to ramp up the interactive aspect of his creepiness with a greeting:

Bonjour, madame!

The camera was moving back and forth. Hamer moved back and forth, and it followed her. Then, it asked her if all was well with her:

Bonjour madame, tout bien avec vous?

Understandably enough, Hamer was freaked out. She ran to the camera, pulled out its plug, and threw it in a box. From her Facebook post:

I was full of fear and thought I was crazy. I’m being watched, but for how long? What has that person seen from me? My house, my personal possessions…

What restraint! I would have crushed it like a bug.

Over dinner, a friend wondered how it was possible. She and Hamer decided to plug the camera in again, this time with the lens to the wall and a camera phone on hand to record its actions (the video of the encounter is on Hamer’s Facebook post).

It only took a minute before her chatty hacker was back—well, if not the bonjour guy, then another guy, who knows? This time, it tried out its Google Translate Spanish:

Hola, señorita.

The conversation cited above unfurled, ending with the charming invitation to, well, go on a date, or something.

Whenever stories like this emerge we ask ourselves: is it real or could it be a hoax? The truth is we don’t know, but our instinct is that it’s real. As we mulled what little evidence we have, we agreed that the “suck my d*ck” at the end sounded more like the stock response of a socially inept adolescent being rebuffed than something scripted.

It wouldn’t be the first time that an unsecured webcam has started swivelling around on its own, nor the first time somebody’s privacy has been invaded by an idiot spitting base insults through one.

Sadly there are people out there who get a kick out of spying on strangers and there is a trove of easily discovered, poorly secured cameras for them to peek through.

In fact, there are sites where e-marauders can choose from a variety of feeds being pirated from devices. In 2014, we wrote about a site that offered feeds from baby monitors in nurseries, as well as from security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

There is also Shodan, a search engine for the IoT (Internet of Things). Shodan makes it easy to find connected devices of all kinds, including vulnerable cameras, and it puts the most recently connected devices at the top. Perhaps Hamer was just the first accessible target in a lurker’s search results.

If you have a webcam, make sure it’s secure. If you can password protect it, choose a strong password. If it came with a default password, change it. IoT devices are notorious for shipping with default passwords that are easily discovered by crooks.

Assume that using a default password with an internet-connected device is the same as using no password at all.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8uFAx_tzapQ/

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creators Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

This is all according to researchers on Google’s crack Project Zero team. The fear is that miscreants comparing the various public builds of Windows will notice these vulnerabilities are being silently fixed in Windows 10, realize the same holes are present in earlier versions of Windows – which are still used in homes and businesses worldwide – and thus exploit the bugs to infect systems and spy on people. And if hackers haven’t realized this, they will now: Google staffers have publicly blogged about it.

Redmond engineers are quietly addressing these Windows security flaws as part of their efforts to improve components within the Windows 10 operating system. For instance, a team may be tasked with improving memory management in the kernel, and as a result, will rewrite chunks of the source code, boosting the software’s performance while squashing any pesky exploitable bugs along the way. For the marketing department, this is great news: now they can boast about faster loading times. Malware developers, meanwhile, can celebrate when they discover the programming blunders are still present in Windows 8 and 7.

“Microsoft is known for introducing a number of structural security improvements and sometimes even ordinary bug fixes only to the most recent Windows platform,” Google Project Zero researcher Mateusz Jurczyk said on Thursday.


“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows.”

As an example of the problem, Jurczyk highlighted the wobbly use of memset() within the kernel. This is a function that is supposed to overwrite bytes in a specific area of memory to a specific value, such as zero, thus scrubbing away whatever was previously stored in that portion of memory.

When an application asks the kernel, via the NtGdiGetGlyphOutline system call, to fill a buffer with glyph data and copy it back into the app’s memory space, the OS doesn’t fully clear that buffer with memset() before the copy. Whatever was previously stored in that kernel memory therefore travels back to the application along with the glyph data, leaking information it really shouldn’t. An attacker can use such leaks to snoop on the OS and other programs, or to learn enough about the system’s internal layout (kernel pointers, say) to pull off more damaging exploits.

This information-disclosure bug was fixed in Windows 10, but remained present in Windows 7 and Windows 8.1 – until it was reported by Project Zero to Microsoft at the end of May this year and fixed in patches for Windows 7 and 8.1 systems in September. Google typically gives vendors, including Microsoft, 90 days to address any reported security shortcomings before going public, forcing developers and manufacturers to play their hand.

This months-long lag in deploying patches to previous flavors of Windows is leaving systems vulnerable to attack. By broadly upgrading the security defenses in Windows 10, Microsoft is making it easier for hackers to see where they could exploit weak spots in older versions.

“Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk explained.

“This is especially true for bug classes with obvious fixes, such as kernel memory disclosure and the added memset calls.”
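The comparison Jurczyk describes, reduced to a toy, as an added example that is neither Project Zero’s tooling nor Windows code: two constructed disassembly listings of the same function stand in for an old and a new build, and a difflib comparison picks out a call to memset that appears only in the new one, just ahead of the copy back to the caller. The function name, registers and offsets in the listings are made up for illustration, and the list of copy-out routines is an assumption.

```python
# Added example (not Project Zero's tooling, not real Windows code): patch-diffing
# heuristic for "memset added before a copy to the caller". The two listings below
# are constructed stand-ins for the same function in an old and a new build.
import difflib

OLD = """\
push    rbx
sub     rsp, 0x40
lea     rcx, [rsp+0x20]
mov     rdx, rsi
call    GreGetGlyphOutline
mov     rcx, rdi
lea     rdx, [rsp+0x20]
mov     r8d, 0x18
call    memcpy
add     rsp, 0x40
pop     rbx
ret
""".splitlines()

# Same function, new build: the stack buffer is now zeroed before it is filled.
NEW = """\
push    rbx
sub     rsp, 0x40
lea     rcx, [rsp+0x20]
xor     edx, edx
mov     r8d, 0x18
call    memset
lea     rcx, [rsp+0x20]
mov     rdx, rsi
call    GreGetGlyphOutline
mov     rcx, rdi
lea     rdx, [rsp+0x20]
mov     r8d, 0x18
call    memcpy
add     rsp, 0x40
pop     rbx
ret
""".splitlines()

# Assumed names of routines that move kernel data to the caller's memory.
COPY_OUT = {"memcpy", "RtlCopyMemory", "ProbeAndWriteBytes"}


def added_calls(old_lines, new_lines):
    """Call targets present in the new listing but not the old, in listing order."""
    calls = []
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for line in new_lines[j1:j2]:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "call":
                    calls.append(parts[1])
    return calls


def flag_memset_before_copy(lines):
    """True if a memset call precedes a copy-out call somewhere in the listing."""
    seen_memset = False
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "call":
            if parts[1] == "memset":
                seen_memset = True
            elif parts[1] in COPY_OUT and seen_memset:
                return True
    return False


def classify(old_lines, new_lines):
    """Label the change between two builds of one function."""
    if "memset" in added_calls(old_lines, new_lines) and flag_memset_before_copy(new_lines):
        return "likely kernel memory disclosure fix: memset added before copy-out"
    return "no obvious scrub-before-copy change"


if __name__ == "__main__":
    print("added calls:", added_calls(OLD, NEW))
    print(classify(OLD, NEW))
```

Real patch-diffing tools work on whole binaries and match functions across builds before comparing them, but the signal is the same one this toy looks for: a fix that is purely a new memset (or a newly zeroed struct) tells an attacker exactly which buffer used to leak, and where to look in a build that never got the fix.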

While it’s not realistic to expect a vendor to maintain major updates and produce patches indefinitely for older software versions, as many as half of all Windows users are still running Windows 7 and 8 – meaning millions of people are being put at risk by Windows 10’s security improvements, ironically.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told The Register.

“Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Translation: please, please stop using Windows 7 and 8. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

It’s 4PM on Friday, almost time to log off and, oh look, Disqus says it’s been hacked

Disqus, the developer of website comment systems used worldwide, is playing the old “bury bad news late on a Friday” card – as it just confessed one of its databases was swiped by hackers.

The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a network intruder was able to grab a copy of a database snapshot from 2012 – which contained nearly 18 million account records, from email addresses to, in about a third of them, SHA1-hashed passwords.

“While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed,” Disqus founder Jason Yan said today.

“The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5m users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.”

According to Yan, the security breach was only discovered Thursday at 4.18pm PT, when Australian Microsoft manager and HaveIBeenPwned overlord Troy Hunt spotted the lifted data in the wild. Within an hour, Yan said, the Disqus team had analyzed and verified the data as authentic.

Now, San Francisco-based Disqus said, after spending the day notifying users of the hack, it went public with the finding in the interest of prompt disclosure and definitely not as an effort to minimize coverage of the issue.

Yan said his biz has reset the passwords for all Disqus accounts exposed to the database thieves, and is advising users to do the same for any other accounts that shared the same password. Disqus noted that since 2012 it has not stored any of its passwords hashed with SHA1, opting instead for the more secure bcrypt.
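Why a salted SHA1 is still a weak way to store a password, and the verify-and-rehash step a site uses to retire such hashes at a user’s next login, as an added example that is not Disqus’s code. PBKDF2-HMAC from hashlib stands in for bcrypt, which the Python standard library doesn’t ship; the stored-hash format, the user record and the wordlist are constructed.

```python
# Added example (not Disqus's code): a salted SHA1 falls to an offline dictionary
# attack at the speed of SHA1 itself; a deliberately slow hash does not. PBKDF2-HMAC
# stands in for bcrypt (not in the standard library). Hash format, record and
# wordlist are constructed.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000


def legacy_sha1(password, salt):
    """The 2012-era scheme: one fast SHA1 over salt || password."""
    return "sha1$" + salt.hex() + "$" + hashlib.sha1(salt + password.encode()).hexdigest()


def modern_hash(password, salt=None):
    """Slow, salted, tunable; each guess costs PBKDF2_ROUNDS of HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()


def verify(stored, password):
    """Recompute under whichever scheme the stored value names; constant-time compare."""
    scheme, salt_hex, _digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_sha1(password, salt)
    elif scheme == "pbkdf2":
        candidate = modern_hash(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(record, password):
    """On a successful login, replace a legacy hash with the slow scheme.

    Returns (ok, record); the record is only rewritten when the password is right,
    because that is the one moment the server holds the plaintext.
    """
    if not verify(record["hash"], password):
        return False, record
    if record["hash"].startswith("sha1$"):
        record = dict(record, hash=modern_hash(password))
    return True, record


def crack(stored, wordlist):
    """Offline dictionary attack: returns (password, guesses) or (None, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if verify(stored, guess):
            return guess, n
    return None, len(wordlist)


WORDLIST = ["letmein", "hunter2", "password1", "qwerty", "disqus2012"]  # constructed

if __name__ == "__main__":
    weak = legacy_sha1("qwerty", b"\x00" * 8)
    strong = modern_hash("qwerty")
    for label, h in (("sha1", weak), ("pbkdf2", strong)):
        t0 = time.perf_counter()
        print(label, crack(h, WORDLIST), f"{time.perf_counter() - t0:.3f}s")
    ok, rec = login_and_upgrade({"user": "alice", "hash": weak}, "qwerty")
    print("login ok:", ok, "stored scheme now:", rec["hash"].split("$")[0])
```

Run it and the same five-word attack succeeds against both hashes; the difference is the wall-clock cost per guess, which is what keeps a leaked table of slow hashes from being cracked wholesale. The salt defeats precomputed tables but does nothing about that per-guess cost, which is why “SHA1 with a salt” still warranted the forced resets Disqus carried out.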

“Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible,” Yan said.

“If more information surfaces we will update this post and share any updates directly to users.”

Hopefully those updates come a bit earlier in the day. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/06/disqus_hacked/

After selling his site for millions, founder hacked it for a second payday

“Operation Resume Hoard” was going well. Initiated around April 1, 2015, it represented David W. Kent’s plan to build the membership of his oil and gas industry networking site Oilpro.com.

Court documents indicate that Kent, 41, of Spring, Texas, USA, had a buyer in mind: DHI Group, the employment data biz that in 2010, when known as Dice Holdings, had purchased an oil and gas industry networking site he had founded a decade earlier, Rigzone.com, for $51 million.

Kent wanted more and hoped to get it by growing Oilpro.com – a site he founded around October 2013, shortly after the expiration of the non-compete agreement that followed from the Rigzone sale – into an attractive acquisition target.

By January 2016, Oilpro’s membership database had grown to at least 500,000 members. It would have been an impressive feat of marketing but for the fact that Kent hacked Rigzone to obtain the email addresses he would use to build membership at Oilpro.

His sales pitch to the DHI Group attributed the site’s growth to reaching out to the contacts of Oilpro members, traditional marketing techniques, and “network effects.”

Had DHI Group gone through with the deal – at a suggested cost of $20 million or more – it would have bought data it already had.

But as it happened, a spam complaint alerted the company that something was wrong. A Rigzone member contacted customer support to complain about receiving a solicitation from Oilpro despite having never submitted any information there.

Honeypot

Court documents describe how Rigzone.com, after finding no evidence that anyone from Oilpro had accessed its database, set up a honeypot: two fake accounts in its database with no public facing profiles.

Lo and behold, those accounts each received email solicitations to create profiles on Oilpro.com. Eventually, Rigzone figured out what was going on.
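The honeypot accounts Rigzone planted, generalised slightly as an added example (not Rigzone’s or DHI’s code): one set of canary addresses per copy of the data, so that mail arriving for a canary both confirms a leak and says which copy leaked. The domain, dataset names and addresses are constructed.

```python
# Added example (not Rigzone's or DHI's code): canary records in a user database.
# Each copy of the data (production, a partner export, a backup) gets its own canaries,
# so the first unsolicited mail to one of them identifies the leaked copy. Constructed.
import secrets


def make_canaries(datasets, domain="example.net", per_dataset=2, rng=secrets.token_hex):
    """Return {address: dataset} for fresh, never-published canary addresses.

    The accounts behind them must have no public profile and never receive
    legitimate mail; any message to one is by definition suspicious.
    """
    canaries = {}
    for name in datasets:
        for _ in range(per_dataset):
            canaries[f"{rng(6)}@{domain}".lower()] = name
    return canaries


def attribute(inbound_recipients, canaries):
    """Map recipients that are canaries back to the dataset copy they were planted in."""
    hits = {}
    for rcpt in inbound_recipients:
        source = canaries.get(rcpt.strip().lower())
        if source:
            hits.setdefault(source, []).append(rcpt)
    return hits


if __name__ == "__main__":
    planted = make_canaries(["prod", "partner-export-2015"])
    # Constructed inbound log: recipients of a solicitation that should never have
    # reached a canary; the alert names the copy that leaked.
    sample_rcpts = ["someone@corp.example"] + [next(iter(planted))]
    print(attribute(sample_rcpts, planted))
```

Two details matter in practice: rotate the canaries when a new copy of the data is handed out, so that each recipient of the data can be told apart, and keep the canary list itself out of the database it protects, since an intruder who can read the table can also read the list.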

Between 2013 and 2016, Kent and at least one of his Oilpro employees accessed Rigzone’s database several times without authorization, coming away with more than 700,000 customer accounts.

The attack method varied. Court documents describe the first round of hacks, which took place more or less between October 17, 2013 and April 15, 2014, as little more than GET requests enabled by inside knowledge.

“The Get Resume Command was crafted to exploit a piece of source code unique to [Rigzone] known only to a few individuals, including David W. Kent, the defendant,” the complaint says.

In a transcript of Kent’s acknowledgement of his wrongdoing, he explained to the judge that he didn’t abuse anyone’s password. “The web pages I accessed didn’t necessarily have a log-in feature but I do believe I accessed those web pages without authorization,” he said.

The US Department of Justice did not immediately respond to a request to provide further details about the specifics of what it refers to as hacking.

Exploit

A subsequent attack, which took place between June 17, 2015 and August 2, 2015, or thereabouts, relied on exploiting a file on Rigzone.com called “resume_writer.asp.”

Knowledge of that file allowed Kent to extract some 700,000 resumes in a short period of time, according to the complaint.

Kent and at least one Oilpro.com employee also found a way to access or infer Google Analytics data from Rigzone.com, which they used for competitive intelligence related to landing page traffic.

Kent was arrested in March, 2016, and pled guilty in December of that year.

“David Kent admitted to hacking into a competitor’s computer network and stealing client data to boost the value of Oilpro, a company he founded,” said Acting Manhattan U.S. Attorney Joon H. Kim in a statement. “Kent then attempted to sell Oilpro – a company he grew using the stolen information – to the very company he had hacked.”

On Friday, in a New York City court, Kent was sentenced to a year and a day in prison, followed by three years of supervised release, for intentionally accessing a computer without authorization. The charge carries a maximum penalty of five years.

That’s substantially less than Kent could have faced had he been convicted as initially charged. Following his arrest last year, in addition to the computer hacking charge, he faced a wire fraud charge, which could have resulted in as much as 20 years in prison.

DHI Group through a spokesperson declined to comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/07/after_selling_site_for_millions_founder_hacked_it_for_a_second_payday/

SophosLabs’ Gabor Szappanos awarded for AKBuilder research

Our own Gabor “Szapi” Szappanos was recognized for his research on the AKBuilder crowdsourced exploit kit at this week’s VirusBulletin conference.

Szapi received the Annual Péter Szőr Award for Technical Security Research. Virus Bulletin created the award in Szőr’s honor after the researcher and Virus Bulletin advisory board member died in November 2013.

Virus Bulletin says the award:

Aims to recognize the best piece of technical security research published each year. Nominations for the award are sought from the security community at large, and a final shortlist voted on by the VB advisory board. The award is presented each year at the annual VB conference.

Szapi was nominated for his groundbreaking research on AKBuilder, an exploit kit that generates malicious Word documents that use exploits rather than macros to do their dirty work. Malicious actors use the exploit kit to create booby-trapped documents they can send out in spam emails.

AKBuilder was one of three exploit kits widely available for purchase by those interested in launching attacks with little need for technical know-how (the other two exploit kits were Microsoft Word Intruder and Ancalog Builder).

The kit is advertised in YouTube videos and sold in underground forums. The kit usually costs around $550 (payable in electronic currencies like Bitcoin and Perfect Money). Here’s an example:

AKBuilder for sale

The work exemplifies the dogged research Szőr is remembered for, said Virus Bulletin editor Martijn Grooten:

Exploit builders form an important part of the cybercriminal’s attack chain and make it a lot easier to conduct attacks. The subject isn’t researched as widely though, making Gabor’s work very important for the security community. In his AKBuilder paper, he shows the excellent research skills he is well known and well respected for within the community. He’s a very deserving winner of the fourth Péter Szőr Award.

Szapi has spent the conference talking about AKBuilder and the other kits. This morning, he delivered a talk called “When worlds collide – the story of Office exploit builders”, focusing specifically on the dramatic rise of Microsoft Word Intruder, Ancalog and AKBuilder.

Other research from Szapi that’s well worth reading includes a paper on exploits targeting the CVE-2017-0199 vulnerability and a paper on Operation Pony Express.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6eE3tQ-Fsfk/

Will Equifax breach spur real reform? Don’t hold your breath

As deposed Equifax CEO Richard Smith made the rounds at Capitol Hill this week for rehearsed, ritual, rhetorical floggings before several congressional committees, it sounded like the world of data security really might be about to change.

There were calls for major reform – for sanctions to include major financial penalties. Congressman Joe Barton (R-TX) suggested that a credit bureau giant like Equifax – even one worth $13b, “might pay a little more attention if you had to pay everybody whose account got hacked a couple thousand bucks or something.”

Especially if “everybody whose account got hacked” is 145.5 million people.

Populist firebrand Sen. Elizabeth Warren (D-Mass.) called for consumers, not credit bureaus, to have control of who sees their data, adding that in cases like this, “senior executives like you should be held personally accountable.”

There was outright mockery. “I don’t think we can pass a law that fixes stupid,” US Rep. Greg Walden (R-Ore.) told Smith.

It sounded like the wake-up call to end all wake-up calls. But don’t hold your breath. The outrage may be real, but in Congress, the heat of the moment tends to last about as long as conversations about a Saturday Night Live skit.

Chances are that a year from now, the world of data security will perhaps have been tweaked, but not fundamentally changed. Congress will be holding hearings on some other outrage. And 145.5 million people will definitely not have each received a $2,000 check from Equifax.

That’s even though you’d think this kind of event would be an obvious incentive for significant reform. As more than half the country knows directly, this was vastly more damaging than the compromise of credit cards. This was information that you can’t change. As one sardonic tweet put it after Equifax finally got around to making it public in early September 2017, everybody should change their name, date of birth, address, gender and Social Security number.

This failure – not just the breach but the response as well – by one of the “big-three” credit bureaus, was so catastrophic that it left commentators searching for printable expletives to describe it. “Ham-handed,” “unacceptable,” even “shocking” didn’t go nearly far enough. Star security blogger Brian Krebs called it a “dumpster fire.”

The list of outrages, reported by multiple media outlets, goes on and on. Among them:

  • Equifax knew in early March about the software flaw in the dispute portal of the Apache Struts platform that allowed the breach. US-CERT and Apache notified Equifax about it. At the time, Naked Security’s Paul Ducklin wrote a tutorial on it. Smith told Congress that an “internal email” requested the fix, but it wasn’t done – in effect leaving the door unlocked. This in a company with 225 people in its security department.
  • It took the company another four and a half months, until 29 July 2017, to discover that it had been hacked sometime in May 2017. According to Smith, it took weeks longer to realize that the personal information of consumers had been compromised. While he quickly hired cybersecurity experts from the law firm King & Spalding to look into it, he admitted he didn’t even ask if personally identifiable information (PII) may have been compromised.
  • It didn’t publicly disclose the breach until 7 September 2017 – 40 days after it learned of it. During that time – the first and second week of August 2017 – Smith gave two public speeches in which he said, among other things, that “the days are bright for Equifax,” that fraud is “a huge opportunity for Equifax,” and that it was a “massive, growing business.” He told the committee he hadn’t known at the time how much or what data were compromised. Which could be because he didn’t ask for a briefing until 15 August 2017.
  • Smith finally said what should be said up front, all the time, by all the credit bureaus: The company’s customers are not the consumers whose information it holds. Its customers are banks and other businesses that want our credit info. Consumers are the product.
  • The data compromised was not encrypted. Equifax wasn’t encrypting data “at rest,” Smith said.
  • Equifax (and the other credit bureaus) are pushing credit “locks” rather than freezes, saying the freezes are more cumbersome and costly, while the locks are simpler and free. But Consumers Union notes that the freezes are guaranteed by law, while the lock is just an agreement between the consumer and the company. Besides that, the freeze prevents Equifax from selling your credit file to banks and others, including ID thieves.
  • Regarding senior executives who sold about $2m in stock during the first week after the company knew of the breach but a month before they announced it publicly, Smith said they didn’t know about the breach. He called them “honorable men of integrity,” apparently forgetting to add, “cosmically prescient.” Members of Congress said it “smelled really bad,” but there was no talk of subpoenas for those execs to put them under oath.
  • As a final (maybe) note, Equifax announced on Monday that the number impacted by the breach was actually 2.5 million more than the 143 million they had earlier announced.
  • And to pile on one more absurdity, at the end of September 2017, the IRS awarded Equifax a $7.25 million no-bid contract to provide identity-proofing and anti-fraud services. This after massive tax refund fraud in 2015 and 2016, thanks to weak security questions provided to the IRS by Equifax. Sen. John Neely Kennedy (R-La.) quipped that, “You realize to many Americans right now that it looks like we’re giving Lindsay Lohan the keys to the mini bar.”

Is all that enough to generate real, substantive change? History suggests it won’t be.

There should have been more than enough incentive for reform and accountability after the 2014-15 breach of the federal Office of Personnel Management (OPM), in which 22 million current and former federal employees had their PII vacuumed up.

A report released a year ago, titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” declared that the breach was made possible, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”

The government’s response? Federal employees got a letter from OPM offering free credit monitoring for a year and identity fraud insurance as “a courtesy,” but added that, “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose.”

Personal accountability of top executives? Then OPM CIO Donna K. Seymour retired in February 2016, two days before she was scheduled to appear before Congress to talk about the breach.

The head of OPM during the intrusion, Katherine Archuleta, did resign under pressure from Congress in July 2015.

But both women rode off with no financial harm – their pensions and benefits intact. It likely won’t be all that different for Equifax.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/w-AJDOoqjZc/