STE WILLIAMS

DevOps Security & the Culture of ‘Yes’

Communication, collaboration, and the use of production data to drive decisions are essential for security work in a DevOps world.

I was talking to the CISO of a Fortune 500 healthcare company about how security teams work with their counterparts in other organizations. He lamented that he had recently overheard a peer refer to him derisively as the “C-S-No.” That was painful to hear because it brought into focus one of his most strategic challenges, one that security leaders everywhere are facing. That is, we as an industry haven’t figured out how to remain effective and relevant within organizations that are embracing rapid change by adopting DevOps technologies and methodologies to enable it.

DevOps works because it drives communication and collaboration between teams. Operations and development teams are getting faster at deploying new versions of software into cloud environments. They’re achieving these gains through the adoption of new technology, but also, even more importantly, by shifting their cultures toward collaboration and iteration using real-time feedback.

Under the old model, Dev builds it and Ops runs it. Iterations take weeks or months, and if anything goes wrong, the first thing each team does is try to prove it’s the other guy’s fault. The new way brings the teams together, which makes problem resolution part of the process. Iterations are small, and we have tools to get real visibility into what’s happening in production. If there is a problem, we can point to the data instead of each other. This focus on communication, collaboration, and the use of production data to drive decisions is the key to making security work in a DevOps world.

The principal issue that security teams face when working with other organizations is how to effectively communicate risk, priority, and tradeoffs. Just because we think something is important doesn’t mean our developers and ops guys do, too. Moreover, the old approach of enforcing process and exercising veto power over releases is no longer viable. With DevOps, one thing we can be certain of is that the release is going out the door. No more C-S-No. Today, we can’t just say “no.” We can’t even say “no, but…” We need to find ways to say “Yes, here’s how we can do it.”

Change in Mindset
To get into “yes” mode, we need a change in mindset that starts with communication, joint goals, and data-driven choices based on common priorities. The problem is that the accurate data that can drive informed decisions is often missing, and therefore security priorities are based on judgment calls. Moreover, even when useful data is available, the language that security teams use to communicate risk is often alien to their peers in development and ops. It’s not that developers don’t care about security; it’s that our old methods do a poor job of educating and proving what must be prioritized. We need ways to pick from the huge list of theoretical risks we know are present — the small handful of immediate, present threats that need to be addressed now.

With that in hand, coupled with the data to back it, conversations between teams become productive and the right result comes out every time. I’ve never seen a developer get personally motivated to work through a long list of bug reports from a code analysis tool. However, I’ve also never seen an actively exploited vulnerability uncovered that developers didn’t immediately jump on and stay up all night to fix. The difference is that one block of work appears to be purely formal while the other is obviously, tangibly important.

For security to work in the DevOps world – and to make DevOps work for us – we need to get away from telling people about what could be a problem and point to real, quantifiable evidence of problems and risk. If we can make that change, we can take advantage of the huge opportunities that DevOps provides, and, simultaneously, make our software and environments infinitely more secure.


Michael Feiertag is CEO and co-founder of tCell, the application security company that provides the foundation for DevSecOps by enabling applications to defend themselves against hackers and automated attacks. Michael has over 15 years of experience in the security space.

Article source: https://www.darkreading.com/vulnerabilities-and-threats/devops-security-and-the-culture-of-yes/a/d-id/1329457?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enumeration bug offers five-finger discount on Woolworth Australia loyalty points

The Register has been alerted that Australian retailer Woolworths’ customer loyalty points can be filched thanks to a user enumeration bug.

A reader alerted us to the simplest user enumeration hole imaginable: you only need to know how Woolworths Rewards numbers are put together. In other words, pick up a card at any Woolworths supermarket, or the many affiliates that use its loyalty scheme, and you have a starting point.

As is outlined in various shopper forums (here at OzBargain for example), the company’s smartphone apps, designed to check your own rewards accumulation, let you input any card number.

That means an attacker can plug in number after number until they find an account that’s accumulated decent rewards, program that number into a redemption app like Stocard, and claim the rewards as their own. As Woolworths rewards can be redeemed for discounts at the point of sale, the bug will deprive some users of cash.

Following The Register’s inquiry, a Woolworths spokesperson e-mailed us the following response:

“At Woolworths we work hard to ensure our customers’ shopping experience is efficient, seamless and importantly, safe and secure.

“We are monitoring customer feedback and – although our investigation shows there is no issue with the functionality and security of the Woolworths Money App – we are reviewing how the App experience can be better improved to provide further assurances for customers.

“We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met.

“We have a continuous program of security enhancements and our apps are constantly reviewed for any improvements in functionality and security.

“If customers require further information please contact us on 1300 767 969.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/woolworths_australia_user_enumeration_bug/

AI quickly cooks malware that AV software can’t spot

DEF CON Machine learning tools can create custom malware that defeats anti-virus software.

In a keynote demonstration at the DEF CON hacking convention Hyrum Anderson, technical director of data science at security shop Endgame, showed off research that his company had done in adapting Elon Musk’s OpenAI framework to the task of creating malware that security engines can’t spot.

The key to the system is to take legitimate-looking code and change just a few tiny parts of it to convert the software into attack code. Even changing small details can fool AV engines, he said, citing research by Google and others to show how changing just a few pixels in an image can cause a computer to mistake a bus for an ostrich.

“All machine learning models have blind spots,” he said. “Depending on how much knowledge a hacker has they can be convenient to exploit.”

So the team built a fairly simple mechanism to develop weaponised code by making very small changes and firing them at a security checker. By monitoring the response from the engine they were able to make lots of tiny tweaks that proved very effective at developing malware that could evade security sensors.

With 15 hours of training the software ran over 100,000 samples past an unnamed security engine. They were able to get 60 per cent of the malware samples past the security system’s defences.

This software-generation software will be online at the firm’s GitHub page and Anderson encouraged people to give it a try. No doubt security firms will also be taking a long look at how this affects their products in the future. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/ai_defeats_antivirus_software/

Azure security boss tells sysadmins to harden up and properly harden Windows Server

DEF CON Windows Server admins keep making mistakes that let criminals target the OS, according to Microsoft’s lead security architect for Azure management, Lee Holmes. Redmond therefore wants you to harden up by using PowerShell Just Enough Administration.

“In running Just Enough Administration, the idea is that admins are your attack surface and you can’t treat them as buddies anymore,” he said. “We need admins but people make mistakes. Everything they can do an attacker can do as well, if you’re worried about PowerShell attacks you have to be worried about admins.”

The key to controlling administrator accounts is reducing the time such accounts can be used, and ensuring users have only the privileges they need to do their jobs. Such restrictions, Holmes argued, can dramatically reduce the attack surface available to hackers.

One of the most common mistakes, he said, was leaving RDP and Telnet connections exposed online. Language modes are also a big issue. NoLanguage mode is the only safe language mode, he said, and hackers have proven adept at subverting constrained languages to worm their way onto systems.

Holmes rated vulnerable functions the biggest danger: tools like the Invoke-Expression cmdlet let users run scripts on a local computer. The security implications of doing so are obvious, yet many are offered privileges to use the cmdlet.

“So we’re releasing PowerShell injection hunter, which does all this automatically,” Holmes said. “This will flag everything that you might be worried about and it has integration with Visual Studio Code.” ®
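The Invoke-Expression trap Holmes describes and the Just Enough Administration endpoint he recommends, as an added example that is not from his talk, the article or Microsoft; the module path, the Active Directory group name and the transcript directory are assumptions:

```powershell
# UNSAFE: the caller's text becomes code. A value such as 'Spooler; Write-Host injected'
# runs the second statement too, with whatever privileges the calling admin holds.
function Get-ServiceStateUnsafe {
    param([string] $ServiceName)
    Invoke-Expression "Get-Service -Name $ServiceName"
}

# SAFER: the value stays data, bound to a parameter and validated before use.
function Get-ServiceStateSafe {
    param(
        [ValidatePattern('^[A-Za-z0-9_.-]+$')]
        [string] $ServiceName
    )
    Get-Service -Name $ServiceName
}

# JEA endpoint (paths and group name are assumptions). RestrictedRemoteServer sessions run in
# NoLanguage mode, so a connected operator cannot write script at all: they get only the listed
# commands, run under a transient virtual account, and every session is transcribed.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOps'
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'ServiceOps.psd1')

# Role capability: Get-Service only, and only its -Name parameter.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceReader.psrc') `
    -VisibleCmdlets @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name' } }

$sessionFile = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceReader' } }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $sessionFile -Force

# To see what a delegated operator actually gets, connect to the endpoint and list commands:
#   Enter-PSSession -ComputerName localhost -ConfigurationName ServiceOps
#   Get-Command
```

Registering the endpoint requires an elevated session and restarts WinRM; the two functions at the top can be compared in any session.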


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/30/azure_boss_advises_windows_server_hardening/

Microsoft won’t patch SMBv1 flaw that only an idiot would expose

An SMBv1 bug described late last week at DEF CON won’t be patched, because Redmond says it only needs a suitable block on connections coming from the Internet.

The 20-year-old bug was discovered by two RiskSense researchers combing code for vulnerabilities exposed by the NSA’s EternalBlue exploit.

After it landed, Twitter user @JennaMagius detailed what happens in a longish Twitter thread, saying that the bug offers an easy vector to hose big web servers with small computers (all the way down to a Raspberry Pi).

However, it only works if the target machine has SMBv1 exposed to the Internet, and for that reason, Microsoft doesn’t see it as demanding an immediate patch.

SMBLoris is a memory handling bug, @JennaMagius explained on Twitter, associated with two non-paged allocations that use physical memory and can’t be swapped out – so it’s trivial to fill a target Web server’s memory.

NBSS is the NetBIOS Session Service protocol, and a connection to it allocates 128 KB of memory that’s only freed when the connection is closed (after 30 seconds if the attacker opens it but then does nothing). At one connection per TCP port (there are 65,535, @JennaMagius explains), the attacker can fill up more than 8 GB.

If they launch the attack on IPv4 and IPv6, that rises to 16 GB, and if an attack comes from just two IPs, they can fill 32 GB, and so on. Eventually, the target can’t allocate memory for NBSS and needs a manual reboot.
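A defender’s view of the arithmetic above, as an added example that is not from the article or the researchers: it takes a list of connection records (a constructed sample is built inline; on a live Windows server the output of Get-NetTCPConnection carries the same property names), groups NBSS/SMB sessions by remote host, estimates the non-paged memory they pin at the 128 KB per-connection figure, and flags hosts holding an unusual number of sessions open. The threshold is an assumption to be tuned per environment.

```powershell
$NbssAllocBytes = 128KB     # per-connection non-paged allocation cited in the article
$SmbPorts       = 139, 445  # NetBIOS session service and direct-hosted SMB

function Get-SmbConnectionPressure {
    param(
        # Objects exposing RemoteAddress, LocalPort and State (as Get-NetTCPConnection does).
        [Parameter(Mandatory)] $Connections,
        # Assumed threshold: more established sessions than this from one host is suspicious.
        [int] $MaxConnectionsPerHost = 64
    )
    $Connections |
        Where-Object { $SmbPorts -contains $_.LocalPort -and $_.State -eq 'Established' } |
        Group-Object RemoteAddress |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress  = $_.Name
                Connections    = $_.Count
                PinnedMemoryMB = [math]::Round(($_.Count * $NbssAllocBytes) / 1MB, 2)
                Suspicious     = $_.Count -gt $MaxConnectionsPerHost
            }
        } |
        Sort-Object Connections -Descending
}

# Constructed sample (not real traffic): one host parked on 200 idle sessions,
# another with ordinary activity on SMB and RDP.
$sample = @(
    1..200 | ForEach-Object {
        [pscustomobject]@{ RemoteAddress = '203.0.113.9'; LocalPort = 445; State = 'Established' }
    }
    [pscustomobject]@{ RemoteAddress = '198.51.100.7'; LocalPort = 445;  State = 'Established' }
    [pscustomobject]@{ RemoteAddress = '198.51.100.7'; LocalPort = 3389; State = 'Established' }
)
Get-SmbConnectionPressure -Connections $sample | Format-Table -AutoSize
# The sample reports 203.0.113.9 with 200 connections pinning 25 MB, flagged Suspicious.

# On a live server, feed real connection state instead of the sample:
#   Get-SmbConnectionPressure -Connections (Get-NetTCPConnection -State Established)
```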

RiskSense researchers Sean Dillon and Zach Harding chatted to Kaspersky’s Threatpost about the bug before their DEF CON talk.

Noting a similarity to the old 2009 Slowloris bug, Dillon said:

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack.”

In response to Microsoft saying it didn’t intend to patch, Dillon said “The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/30/slow_loris_smbv1_attack/

Facebook COO Sheryl Sandberg: crypto ban won’t help trap terrorists

Facebook COO Sheryl Sandberg has reiterated the company’s position that weakening the encryption of messaging apps isn’t going to give governments what they want.

Governments and law enforcement agencies are increasingly going public with their frustration that encryption prevents them accessing electronic messages.

That’s led to fears of a renewed “crypto-war” mirroring the 1990s, when the US government tried (and failed) to mandate the “Clipper chip”, tried (and failed) to put a stop to Phil Zimmermann’s Pretty Good Privacy, and tried (and failed) to limit browser SSL encryption strength.

That’s led at least two of the “Five Eyes” – the UK and Australia – to pursue legislative approaches that compel messaging services to help them out.

Last year, Westminster passed the Investigatory Powers Act, which when implemented will let the government issue “technical capability notices” ordering operators to remove “electronic protection … to any communications or data”.

The Australian government hasn’t yet detailed its proposals, but prime minister Malcolm Turnbull has cited the UK law as a model for local legislation.

Turnbull also led the Five Eyes push against encryption, a stance followed by Germany.

Sandberg said breaking encryption is a bad idea that will leave governments with less rather than more information, because organisations like Facebook (whose WhatsApp is frequently cited as dangerous) at least try to comply with requests for metadata.

Interviewed for the BBC’s Desert Island Discs, Sandberg said it’s pretty simple: “The message itself is encrypted, but the metadata is not. If people move off those encrypted applications to other applications offshore, the government has less information, not more.”

Sandberg said Facebook plans to expand the workforce of around 4,500 already working to identify terrorist content and hate speech by a further 3,000.

As well, she re-stated the collaboration between several tech companies (Facebook, Google, Twitter and others) to collaborate in taking down illegal content.

“If a video by a terrorist is uploaded to any of our platforms, we are able to fingerprint it for the others, so that they can’t move from platform to platform,” she said.

But it’s clear that humans are still needed as well as automation: “Context matters. If someone puts up an ISIS flag, are they doing it to recruit or are they doing it to condemn? We absolutely don’t allow the first, but we want the second.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/sheryl_sandberg_encryption_ban_remarks/

Dark web doesn’t exist, says Tor’s Dingledine. And folks use network for privacy, not crime

DEF CON A Tor Project grandee sought to correct some misconceptions about the anonymizing network during a presentation at the DEF CON hacking convention in Las Vegas on Friday.

Roger Dingledine, one of the three founders of the Tor Project, castigated journos for mischaracterizing the pro-privacy system as a bolthole exclusively used by drug dealers and pedophiles to hide from the authorities.

In fact, he said, only three per cent of Tor users connect to hidden services, suggesting the vast majority of folks on the network are using it to anonymously browse public websites for completely legit purposes. In other words, netizens – from journalists to activists to normal peeps – use Tor to mask their identities from website owners, and it’s not just underworld villains.

Dingledine even went as far as saying the dark web – a landscape of websites concealed within networks like Tor – is so insignificant, it can be discounted.

“There is basically no dark web. It doesn’t exist,” he told his DEF CON audience. “It’s only a very few webpages.”

The most popular website visited by Tor users was Facebook, Dingledine said. In 2014 the ad giant embraced Tor, setting up a hidden service as a portal to its social network. Now over a million people log into Mark Zuckerberg’s empire using the anonymizing network. It’s a tiny percentage of Facebook’s billion-plus user base, but very significant for a project like Tor, Dingledine said.

He also sought to calm those who fear that the world’s intelligence agencies have infiltrated the network by running large numbers of relay nodes in order to unmask Tor users. Leaks from the whistleblower Edward Snowden showed that yes, a number of nodes had been run by government snoops, Dingledine said, but not very many – not enough to compromise the integrity of the mesh.

Dingledine said that he knew about two thirds of the people running Tor relays and could vouch for them. Intelligence agencies didn’t need to set up their own stepping-stone nodes, he said, since they could – if they wanted to – just monitor those who did run them.

Meanwhile, the Tor Project this week pushed out a security fix following an interesting discovery reported via its new bug bounty program. A chap called Julian Jackson found that it was possible, on some Linux systems, for a malicious URL to make Firefox bypass the Tor network and reveal the user’s public IP address. If you’re using Linux and Tor, check for a security update.

Firefox is still the preferred browser for Tor, Dingledine said, and Chrome is still causing concern due to its proxy bypasses. The project’s software is also being updated to allow for simpler and more secure hosting of sites.

The biggest need is Windows developers, we were told. Most Tor staff are Linux users, but the project is used by heaps of folks on Windows. As a result the project needs coders conversant in Microsoft’s operating system.

A benefit of the Snowden leaks is that Tor is seen as the best option for anonymous web use. Dingledine quoted top-secret Five Eyes documents that were backhandedly complimentary about the service. Tor was “the king of high security low latency internet anonymity,” GCHQ said. “There are no other contenders for the throne.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/29/tor_dark_web/

It took DEF CON hackers minutes to pwn these US voting machines

DEF CON After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them.

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly.

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year.

“The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

The machines – from Diebold to Sequoia and WinVote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

It’s one thing to physically nobble a box in front of you, which isn’t hard for election officials to spot and stop. It’s another to do it over the air from a distance. Apparently, some of the boxes included poorly secured Wi-Fi connectivity. A WinVote system used in previous county elections was, it appears, hacked via Wi-Fi and the MS03-026 vulnerability in WinXP, allowing infosec academic Carsten Schurmann to access the machine from his laptop using RDP. Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.

We’re told the WinVote machine was not fully secured, and that the intrusion would have been detected and logged, so don’t panic too much. And not all the attacked equipment is used in today’s elections. However, it does reveal the damage that can potentially be done if computer ballot box makers and local election officials are not on top of physical and remote security, especially with a growing interest from Russia and other states. Think of it as a wakeup call.

“Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante,” said Douglas Lute, former US Ambassador to NATO and now principal at Cambridge Global Advisors.

“This is now a grave national security concern that isn’t going away. In the words of former FBI Director James Comey, ‘They’re coming after America. They will be back.’” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/29/us_voting_machines_hacking/

BBC’s Micro:bit turns out to be an excellent drone hijacking tool

DEF CON The BBC’s Micro:bit computer board may be winning over school kids, but hackers have found its wireless capabilities and programmable nature make it an excellent tool for mischief.

In a presentation at this year’s DEF CON hacking conference in Las Vegas on Friday, Damien Cauquil, senior security researcher at Econocom Digital Security, showed how the pocket-sized microcomputer could be configured to sniff out keystrokes from a wireless keyboard, and even take control of a quadcopter drone with just some nifty programming.

The Micro:bit, which costs just £12 in the UK or $15 in the US, is powered by a 16MHz 32-bit ARM Cortex-M0 CPU with 16KB of RAM and Bluetooth connectivity that, with a little Python coding, turns out to be an excellent wireless sniffer. To make matters better for hackers, it’s also tiny, and thus easy to hide while doing this job.

Cauquil showed that by using publicly available software, he could program the Micro:bit to snoop on signals from a wireless keyboard using Bluetooth, and then hide it in a desk to grab sensitive info, passwords and other login details out of the air as they are typed. Admittedly, the amount of storage on the Micro:bit is pitifully small, but it’s enough to hold the goodies you’d need for further mischief.

But there was also another use for the device. Cauquil attached it to a drone controller handset and used the resulting gizmo to interfere with an airborne quadcopter’s control mechanisms and hijack its flight controls. In other words, you can wire a suitably programmed Micro:bit into a controller and potentially use it to take over someone else’s drone.

[Photo: “This is your new pilot speaking” – the combined controller-Micro:bit gadget]

The system wasn’t perfect, he said, because occasionally latency issues would cause the Micro:bit to lose its connection with the drone, but it was still fast enough to override the owner’s controller signal.

In some cases the Micro:bit’s wireless systems and Python support make it better at over-the-air sniffing and hacking than many dedicated hacking devices, Cauquil opined. One can only wonder what British schoolkids will do with the device, given the code is now available for it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/29/bbcs_microbit_drone_hijacking_tool/

Become a sysadmin – learn how to fit right in [VIDEO]

For our final article as #SysAdminDay 2017 draws to a close, we recorded a Facebook Live video to help you become a sysadmin.

Naked Security’s Paul Ducklin and Sophos Sales Engineer Matthew Boddy put their heads together to bring you the sort of advice you just won’t find anywhere else.

Of course, in just 10 minutes of video, they don’t have time to teach you about networking, programming, debugging, troubleshooting – or, for that matter, anything to help you actually do a sysadministrational job.

In short, they can’t show you how to be the part, but they can help you deal with the tricky choices you’ll need to make if you want to look the part.

For example, should you be seen to code in Perl or Python? Prefer cargo pants to jeans? Edit with Vi or Emacs? Listen to vinyl or cassette tapes? (Our two experts were unanimous on that issue, though not for the reasons you might expect.)

Don’t delay – watch right now, because this could be more important than you think, depending on how important you think it is going to be:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XLRR2LlAefo/