STE WILLIAMS

Court records system has been open to hackers for decades

Attention, all of you honest, upstanding users of the US Public Access to Court Electronic Records/Electronic Case File (PACER/ECF) system: you might have been paying for people not so honest and upstanding to use the system, thanks to an easily exploitable security hole.

The Free Law Project (FLP) reported in a blog post last week that the vulnerability to a Cross Site Request Forgery (CSRF) has now been patched by the Administrative Office of the Courts (AO), which operates the PACER/ECF system, on all of its 204 websites.

But the FLP said it had discovered it back in February, and added that it had probably existed in the system for nearly two decades – since the AO first implemented per-page fees, which are now 10 cents, billed quarterly.

The vulnerability, said the FLP, could have been exploited by hackers not only to access legal documents through the accounts of legitimate users – with the bill being sent to those legitimate users – but even to file documents under the names of attorneys without their knowledge or consent.

CSRF is a common and pernicious attack – the Open Web Application Security Project (OWASP) ranked it eighth on its 2017 list of the Ten Most Critical Web Application Security Risks. As FLP puts it, the flaw enabling a CSRF is “easily found by hackers and can have significant impact on users … [by allowing] one website to take actions using an account on another website”, adding that given PACER/ECF’s 1.6m users and annual revenue of about $150m, “this type of vulnerability is extremely troubling”.

Naked Security’s Paul Ducklin offers a brief tutorial on CSRF here.

FLP gave an example of how it could happen on a fictional website it called legal-news.com, used by journalists and lawyers. As long as the vulnerability exists, a hacker on that site would be able to “make purchases using the PACER/ECF account of any visitor to their site who happened to also be logged into PACER/ECF”, said the FLP.

The organization has “no knowledge of this vulnerability being exploited”. But of course, one of the characteristics of a CSRF is that the victim doesn’t know that an unauthorized transaction has happened until it has been completed. And if users of PACER/ECF don’t scrutinize their bills, they might never be aware.
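The FLP scenario above, as an added example that is not from the original article or from PACER/ECF: a purchase handler that trusts the session cookie alone, beside one that applies the synchronizer token and Origin checks described in the OWASP CSRF Prevention Cheat Sheet. The origins, session store and request shape are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the two sites in the FLP scenario (hypothetical hosts).
OUR_ORIGIN = "https://ecf.example.invalid"          # the court records site
THIRD_PARTY = "https://legal-news.example.invalid"  # an unrelated site the user visits

SESSIONS: dict = {}   # session cookie value -> {"user": ..., "csrf": ...}
PURCHASES: list = []  # (user, document id) pairs that will be billed to the user


@dataclass
class Request:
    """The parts of an incoming HTTP request the handlers look at."""
    method: str
    cookies: dict                 # attached automatically by the browser
    form: dict                    # POST body fields
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a long-lived ('remember me' style) session and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_for(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def purchase_vulnerable(req: Request) -> bool:
    """Cookie-only authentication: a POST triggered from any page the victim
    visits arrives with the victim's session cookie attached and is accepted."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return False
    PURCHASES.append((sess["user"], req.form["doc"]))
    return True


def purchase_hardened(req: Request) -> bool:
    """Synchronizer token plus Origin check: the token lives in the session and
    is echoed in the site's own form; another site cannot read it, so a
    cross-site submission fails the comparison even with a valid cookie."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != OUR_ORIGIN:
        return False                      # submitted from another site
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return False                      # missing or wrong token (constant-time compare)
    PURCHASES.append((sess["user"], req.form["doc"]))
    return True


def cross_site_submission(victim_sid: str, doc: str) -> Request:
    """Simulated arrival of a form auto-submitted by THIRD_PARTY while the user
    is logged in: the browser adds the cookie, the Origin header names the
    third-party site, and no session token is present."""
    return Request("POST", {"session": victim_sid}, {"doc": doc},
                   {"Origin": THIRD_PARTY})


def same_site_submission(sid: str, doc: str) -> Request:
    """A legitimate purchase from the site's own form, token included."""
    return Request("POST", {"session": sid},
                   {"doc": doc, "csrf_token": SESSIONS[sid]["csrf"]},
                   {"Origin": OUR_ORIGIN})


if __name__ == "__main__":
    sid = login("attorney")
    print("vulnerable accepts cross-site:", purchase_vulnerable(cross_site_submission(sid, "doc-1")))
    print("hardened accepts cross-site:", purchase_hardened(cross_site_submission(sid, "doc-2")))
    print("hardened accepts same-site:", purchase_hardened(same_site_submission(sid, "doc-3")))
```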

FLP did compliment the AO’s response, saying it had been “prompt and professional” in addressing the flaw. But, it said, “despite their skill in dealing with this issue, after discovering it we have lingering concerns about the security of PACER/ECF on the whole”.

Given the age of the system, says the FLP, simply fixing the CSRF flaw “is like plugging a hole in a failing dam … More holes will soon appear, and slowly but surely, the dam will break”.

So, before the dam breaks, FLP recommends centralizing and standardizing PACER/ECF, which would make it much easier, and faster, to address other security flaws. The current system is not a single website, but 204 of them, all managed by different court staff across the country. Patching the CSRF hole took nearly six months, noted the FLP.

The current decentralized system also means that “hundreds of people are responsible for the security of their installation of PACER/ECF, each with their own priorities, skills, budgets, and time constraints”.

One result of that, said the FLP, was that none of the nearly 200 sites it had tested had a strong HTTPS configuration, “and many had poor configurations with basic errors, receiving an ‘F’ grade from SSLLabs,” which reviews HTTPS configurations.

The FLP’s other recommendations include:

  • Use a well-known web development toolkit or framework, nearly all of which have built-in protections against CSRF and other vulnerabilities.
  • Hire a security consulting firm to do security audits, the most basic of which would have caught the CSRF flaw.
  • Establish a vulnerability disclosure policy and bug bounty program. “Bug bounties are a tested means of building security communities in the private sector … (and) in the public sector they are gaining steam too,” FLP said, noting that the Pentagon, the Army and General Services Administration now use them.
  • Consider making content that is already free – which includes opinions and orders – available without requiring a login.

The AO did not respond to a request for comment. But Jim Manico, a global board member of the OWASP Foundation, said that while he thought most of the FLP’s security recommendations were “OK,” he was “not fond” of the recommendation to use a “well-known web development toolkit or framework”. He added:

Frameworks bring their own complexity and insecurity. Regardless of what you do, you specifically need to address these vulnerabilities in the right way.

He recommended looking at the OWASP CSRF Prevention Cheat Sheet. But he agreed that the CSRF vulnerability was “quite serious. Attackers can target users and make them trigger fake transactions without even knowing they are doing it,” he said, adding:

Especially when you combine this with logins that keep users logged in for very long periods of time, like when they support the ‘remember me’ feature.

In other words, this is an area where you actually have the right to be semi-forgotten. Use it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EkkqEb8qRwk/

Is your corporate inbox smelling a bit ‘phishy’ these days?

Phishing is the attempt to obtain personal, private, or commercially sensitive information or funds by impersonating a trustworthy source. Fraudsters commonly use email to hunt their prey, but messaging apps, social media, fake websites, and phone calls are frequently used too. Consumer phishing attacks still outnumber those specifically targeting businesses and institutions, but this should not lull IT and business managers into a false sense of security.

Phishing scams targeting commercial and public sector organisations (look at some well-crafted examples below) can result in financial losses, brand damage, and compromised IT systems if an end-user inadvertently falls into the scammer’s trap.


In this reader poll we’d like to know how your organisation is tackling the challenge, so please click here to begin the survey.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/14/is_your_corporate_inbox_smelling_a_bit_phishy_these_days/

If Anonymous ‘pwnd’ the Daily Stormer, they did a spectacularly awful job

Doubts have been cast over claims that hacktivists have taken control of neo-Nazi website the Daily Stormer.

Elements of the loose hacker collective Anonymous supposedly took control of the site as a reprisal for the death of anti-racist protestor Heather Heyer after she was struck by a car during protests by white supremacists in Charlottesville, Virginia. According to the most recent “post” on the site, the hackers were ostensibly threatening to dox the Daily Stormer’s Andrew Anglin and users of the controversial site.

Anonymous, via a long-established Twitter account, cast doubt on whether hackers were actually behind the action. “This is likely to be the derps from dailystormer engaging in a silly troll to woo their clueless base. If we’re proven wrong, so be it,” YourAnonNews tweeted.

“And all the old content is left up by a ‘UNITED FORCE OF ELITE HACKERS’ on a shit post site ‘UNDER THE CONTROL OF ANONYMOUS.’ Doubtful,” it added.

This is not a standard defacement. It looks like something posted rather than over-written, and other elements of the site – including links to donations – seem to have been left intact.

In short, the hack is likely a hoax.

Current host GoDaddy has given the Daily Stormer 24 hours to find a new hosting company over terms-of-service violations. A disparaging story about Heather Heyer apparently prompted action where years of anti-Semitic vitriol did not. The Daily Stormer may struggle to find another host. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/14/anon_daily_stormer/

Top repo managers clone, then close, a nasty SSH vector

Users of the world’s most popular software version control systems can be attacked when cloning a repository over SSH.

When first announced by Recurity Labs’ Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue also affects the ancient CVS (Concurrent Versions System).

Schneeweisz writes that he first spotted the issue in Git LFS (Large File Storage) in May, and worked out that an attacker could craft the .lfsconfig file to “point Git LFS to crafted ssh:// URLs of the following form:”

[lfs]
    url = ssh://-oProxyCommand=some-command

That opened a “shockingly simple” vector for arbitrary command execution via a crafted repository – and with further work, Schneeweisz found, GitLab was also attackable via git clone.

$ git clone ssh://-oProxyCommand=gnome-calculator/wat

Yes, he observes, a user seeing that URL would probably think something was amiss – but not if the call happens in a Git submodule: “it is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger.”

He also identified SVN and Mercurial as suffering from the same issue (CVEs CVE-2017-1000117, CVE-2017-9800, and CVE-2017-1000116 have been assigned to Git, Subversion and Mercurial, but they’re yet to land at Mitre).

In his advisory about CVS, Leininger notes that if it’s configured for remote access over SSH, a similar hostname trick can be pulled. However, it’s more visible in the URL, and as he wryly notes, “first you would have to find a victim”.
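As an added example (not Recurity Labs’, Git’s or any other project’s own code) of the check a defender can apply before a repository URL ever reaches the ssh client: it flags a host (or user) that begins with “-” in both ssh:// and scp-style forms, and audits the submodule URLs in a .gitmodules file, the recursive-clone vector described above. The sample .gitmodules and host names are constructed.

```python
import re
from urllib.parse import urlsplit

SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def ssh_user_host(url: str):
    """Return (user, host) if this URL would be handed to the ssh client, or
    None for local paths and non-ssh transports. Covers ssh:// URLs and the
    scp-style 'user@host:path' form."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme not in SSH_SCHEMES:
            return None
        netloc = parts.netloc
    else:
        colon, slash = url.find(":"), url.find("/")
        # scp-style needs a colon before any slash; otherwise it is a local path
        if colon == -1 or (slash != -1 and slash < colon):
            return None
        netloc = url[:colon]
    user, at, hostport = netloc.rpartition("@")
    if hostport.startswith("["):                      # [ipv6]:port
        host = hostport[1:hostport.find("]")] if "]" in hostport else hostport
    else:
        host = hostport.rsplit(":", 1)[0]             # strip :port if present
    return (user if at else "", host)


def is_option_injection(url: str) -> bool:
    """True when the host (or user) part would be parsed by ssh as a
    command-line option rather than a host name, e.g.
    ssh://-oProxyCommand=some-command, the shape discussed in the advisory."""
    parsed = ssh_user_host(url)
    if parsed is None:
        return False
    user, host = parsed
    return host == "" or host.startswith("-") or user.startswith("-")


_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


def audit_gitmodules(text: str):
    """Walk a .gitmodules file and return [(name, url, unsafe)] per submodule,
    so a recursive clone can be refused before any submodule URL reaches ssh."""
    results, name, url = [], None, None

    def flush():
        if name is not None:
            results.append((name, url, url is not None and is_option_injection(url)))

    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            flush()
            name, url = m.group(1), None
            continue
        m = _KEYVAL.match(line)
        if m and name is not None and m.group(1) == "url":
            url = m.group(2)
    flush()
    return results


# Constructed sample .gitmodules: one ordinary submodule and one whose URL
# carries an ssh option in the host position (hypothetical hosts).
SAMPLE_GITMODULES = """
[submodule "docs"]
    path = docs
    url = ssh://git@example.invalid/docs.git
[submodule "vendor"]
    path = vendor
    url = ssh://-oProxyCommand=some-command/wat
"""

if __name__ == "__main__":
    for name, url, unsafe in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{name}: {url} -> {'REJECT' if unsafe else 'ok'}")
```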

Git, Mercurial and Subversion have all been patched. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/13/ssh_flaw_in_git_mercurial_svn/

Leaky PostgreSQL passwords plugged

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.

In CVE-2017-7547, a remote attacker can retrieve others’ passwords because of a user mapping bug.

The authorisation oopsie derives from the database’s handling of pg_user_mappings, allowing an authenticated remote attacker to retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.

Settle in with lots of coffee, sysadmins: after fetching the patch, there’s a set of fix commands that have to be run on every database in a cluster.

In CVE-2017-7546, the server accepts empty passwords, as explained by Adam Mariš here:

“Several authentication methods, including the widely-used ‘md5’ method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”

In CVE-2017-7548, there’s a fix to the database’s lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.

The PostgreSQL note about the bug outlines 50 other fixes for bugs reported in the last three months, and reminds users that Version 9.2 will move to the end-of-life list in September. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/13/postgresql_password_flaws_fixed/

Sneaky devs could abuse shared libraries to slurp smartphone data

Oxford researchers reckon they’ve spotted the next emerging trend in Android advertising (and possibly malware): using common libraries to “collude” between apps with different privilege levels.

Libraries are a common enough vector for attackers to target, but the trio of boffins (Vincent Taylor, Alastair Beresford and Ivan Martinovic) point out most research looks at apps in isolation.

So they took a different approach, looking at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

How permission collusion works

Figure: as the paper explains, shared libraries can borrow permissions an app doesn’t have.

That’s a threat, because library re-use across different apps isn’t a bug, it’s a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries, since these are almost ubiquitous in the world of smartphone apps, and are already collecting and aggregating sensitive personal data.

Their research focussed on libraries handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user’s files which can indicate their interests), and the microphone.

Of more than 15,000 apps with more than a million downloads, the researchers went to work decompiling apps to identify the libraries they linked to. Those they successfully decompiled, they analysed for their intra-library collusion potential.

The 18 most popular libraries include familiar names:

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write, and this at least offers opportunities for an underhanded ad network to improve their data collection without seeking extra permissions from users.

They note that in such scenarios, app developers have a strong incentive to not support library privilege separation, since “it may impact their profits negatively”.

Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

While the focus of the paper is on how advertisers might exploit ILC, it clearly offers an attack vector, especially on jailbroken or rooted phones. There’s already evidence in previous studies that as many as 7 percent of apps from the Play Store contain potentially malicious libraries, suggesting that “attackers have turned their attention to libraries as a means of malware propagation”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/14/intra_library_collusion_smartphone_attack/

Kremlin’s hackers ‘wield stolen NSA exploit to spy on hotel guests in Europe, Mid East’

Russian hackers accused of ransacking the US Democratic party’s servers last year may now be targeting hotels in Europe and the Middle East, it is claimed.

Miscreants are using various techniques, including the leaked NSA EternalBlue exploit also wielded by the WannaCry malware, to hack into laptops and other devices used by government and business travelers, FireEye researchers declared on Friday.

Whoever is behind the attacks has been “sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit,” said the infosec biz’s Lindsay Smith and Ben Read.

To get onto the hotel networks without having to physically loiter around the building, the hackers apparently sent booby-trapped spear-phishing emails to hotel staff in at least seven European countries and one Middle Eastern nation. Opening the email’s .doc attachment dropped malware dubbed Gamefish, a tool often used by APT28, a Kremlin-backed hacker gang, according to FireEye.

Once running on a hotel machine, the malware is instructed by its masterminds to find and infect the equipment that controls the internal and guest Wi-Fi networks, so it can be used to attack people of interest.

Smith and Read say they have “moderate confidence” that this is all the handiwork of APT28, a group linked to Russian military intelligence, due to the presence of Gamefish. The attacks – whoever is behind them – have been running for around a year, according to FireEye, which concluded:

These incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges. APT28’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors.

Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.

Chris Wysopal, cofounder and CTO at app security firm Veracode, added: “After the havoc that arose from the WannaCry and NotPetya attacks, it’s not surprising that notorious cyber gangs are finding new ways to use the NSA’s EternalBlue exploit to support their criminal activities. The EternalBlue exploit has been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems.

“With three attacks using this exploit having occurred over just the past few months, we’re likely to see cybercriminals continuing to deploy it until devices are patched and it is no longer an effective vector for them to spread malware.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/12/hotel_hackers/

Firefox 55 makes Flash click-to-run, fixes security bugs

The popular web browser released a major update on August 8, version 55, which — in addition to some nifty new features, like Virtual Reality support — includes a number of security fixes. Firefox 55 remediates three critical and 11 high-impact vulnerabilities, as well as seven moderate and six low-impact vulns.

Of the critical and high-impact vulnerabilities fixed, several of them would have allowed an attacker to crash the browser, execute arbitrary code, or even access sensitive information on a page the user was reading. A few days after the 55 release came its first minor update, 55.0.1, which includes a few additional bug fixes.

On August 8 also came the latest major update for Firefox Extended Support Release (ESR), version 52.3.0, which might be of interest to you if you manage and deploy Firefox in an organization. Firefox ESR 52.3.0 also mitigates the same security vulnerabilities as addressed in Firefox 55, all detailed in the MFSA 2017-18 security bulletin.

If you are running anything close to a recent version of Firefox, the browser should be set up to automatically update to the latest version as soon as the update is available — unless you’ve manually disabled this option, which we do not recommend!

As of the time of this writing, it doesn’t appear that the automatic updates for Firefox have been pushed out quite yet (so you might still be running 54.0.1), but version 55.0.1 is available for standalone download if you don’t want to wait. You can always check to see if you have the latest version by following the instructions on this help page from Mozilla.

Another step toward killing off Flash for good

One of the major changes in this release that’s not strictly a security update, but has big security implications, is a change in how Firefox runs the Adobe Flash plugin within the browser. Mozilla has a roadmap describing its phased plan for stopping plugins, including Flash, for good. Plugins, Mozilla writes, are an “obsolete technology”, and with the release of Firefox 46 last June (2016), all plugins aside from Adobe Flash became click-to-activate.

Since Flash is one of the most ubiquitous (and problematic) of plugins, Mozilla says it is working with other browser companies to help phase out support for Flash across the board.

With this release, Firefox now runs Flash click-to-activate, and the plugin will only run on http or https URLs. Adobe Flash is and has been a major threat vector for years, and as you may have heard, is due to be killed off by Adobe in 2020; that said, in the intervening years, disabling the autoplay of Flash could certainly mitigate a number of attacks that use Flash to infiltrate a browser.

The Flash click-to-activate change is not universal and is only set to begin with release 55. According to the Firefox Plugins roadmap, this change will “be rolled out progressively during August and September 2017”. Once Adobe stops supporting Flash at the end of 2020, Firefox will as well — by that time, the browser will completely refuse to load the plugin no matter what.

And yes, we know that’s not a fox in the photo – it’s a red panda, which are also known as … firefoxes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zLhcuTx11sI/

News in brief: facial recognition planned for Carnival; spy chief backs encryption; ginger emoji planned

Your daily round-up of some of the other stories in the news

Protests at plans to use facial recognition at Carnival

Civil liberties groups have protested at plans by London’s Metropolitan Police to use facial recognition software to scan the faces of people partying at this year’s Notting Hill Carnival.

Tens of thousands of people party in the streets of west London’s Notting Hill Gate on the last weekend of August, and the civil rights group Liberty has challenged the decision to use the technology to spot troublemakers, saying it’s racist, as the carnival is rooted in the capital’s African-Caribbean community.

The police force trialled facial recognition last year, saying at the time that “the technology involves the use of overt cameras which scan the faces of those passing by and flag up potential matches against a database of custody images. The database has been populated with images of individuals who are forbidden from attending Carnival, as well as individuals wanted by police who it is believed may attend Carnival to commit offences.”

Nobody was arrested as a result of the trial, said the Met after the event. Stafford Scott of The Monitoring Group, an anti-racism charity, echoed Liberty’s concerns, saying: “It is racial profiling. They are coming and putting everyone’s face in the system. A technique they use for terrorists is going to be used against young black people enjoying themselves.”

Spy chief backs encryption

Jonathan Evans, a former British spy chief, has come out strongly in favour of encryption, despite the fact that “widespread use of encryption has reduced the ability of the agencies to police, to access the content of materials” shared by terrorists.

Evans, who led the UK’s MI5 spy service between 2007 and 2013, told the BBC’s Today programme on Radio 4 that “I’m not personally one of those who believes we should weaken encryption”. He was referring to the calls from Amber Rudd, the home secretary, to weaken encryption: just last week she said that “real people” didn’t always want end-to-end encryption.

In his interview, Evans said that he was concerned about cybersecurity more broadly, and particularly mentioned the Internet of Things, the security of which we regularly despair about here at Naked Security. He said: “As our vehicles, air transport, our critical infrastructure is resting critically on the internet, we need to be really confident we have that secured because our economic and daily lives are going to be dependent on the security we can put in to protect us from cyberattack.”

At Naked Security we’re very encouraged by Evans’ words: we are opposed to backdoors and anything that would weaken encryption.

Ginger emoji planned

Emojis – we love them. And we’re also keen on equality here at Naked Security, so we’re very pleased to see that a ginger-haired emoji was among the options in the latest recommendations from Unicode’s emoji subcommittee.

As well as our titian-headed friends, silver foxes, the bald and those blessed with curls will also be represented in emojis from June next year if the draft candidates included in the recommendations from the subcommittee are adopted.

The emoji subcommittee meets weekly, by phone, and also holds a week-long meeting every quarter to discuss and advance or reject proposals.

The next stage for gingers, silver foxes, bald folk and curly-topped people is the final quarterly meeting of this year, when the list of final candidates for encoding in Unicode 11.0 will be decided, with the final code points and names for the new emojis being decided at the first quarterly meeting next year.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/S0KGGQvqTHc/

Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth

Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.

For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.

It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim’s machine. Not a particularly practical or terrifying scenario, but interesting nonetheless.

“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub,” said Dr Yuval Yarom, research associate with the University of Adelaide’s School of Computer Science, on Thursday.

“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

The research, to be presented at next week’s USENIX security conference in Vancouver, Canada, found that over 90 per cent of the 50 or so USB devices tested by the team could be read using what they call a “channel-to-channel crosstalk leakage” attack.

For the experiment, a novelty USB desk lamp was modified so that it could collect data from a keyboard plugged into an adjacent port. The keystrokes were sent via Bluetooth to a separate computer and analyzed using software to decode the keypresses and thus snoop on whatever usernames, passwords and other sensitive info was being typed.

“The USB has been designed under the assumption that everything connected is under the control of the user and that everything is trusted – but we know that’s not the case. The USB will never be secure unless the data is encrypted before it is sent,” Yarom said.

“The main take-home message is that people should not connect anything to USB unless they can fully trust it. For users it usually means not to connect to other people’s devices. For organizations that require more security, the whole supply chain should be validated to ensure that the devices are secure.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/leaky_usb_research/