STE WILLIAMS

VMware’s enterprise mobility management tool can p0wn itself

VMware’s AirWatch enterprise mobility management service has two flaws that mean the software needs an update ASAP.

In an emailed security advisory, VMware warns that “Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection during enrollment.”

“Successful exploitation of this issue may result in an enrolled device having unrestricted access over local Airwatch security controls and data.”

The second flaw means “Airwatch Inbox for Android contains a vulnerability that may allow a rooted device to decrypt the local data used by the application.”

The potential outcome of this one is “unauthorized disclosure of confidential data.”

Happily, both can be fixed with a quick trip to Google Play, where an updated agent and Inbox app await your downloading pleasure.

Two as-yet-unexplained flaws, CVE-2017-4895 and CVE-2017-4896, lie at the root of these problems. VMware thanked Finn Steglich from SySS GmbH for noticing and reporting the bugs.

AirWatch was described as growing “robustly” in VMware’s Q4 earnings call last week. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/vmwares_enterprise_mobility_management_tool_can_p0wn_itself/

Google’s Chrome is about to get rather in-your-face about HTTPS

Usenix Enigma 2017 Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting later this week the hammer is coming down.

In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 websites support HTTPS and 44 per cent default to it. However there’s still a lot of work to be done, and she outlined future plans.

Later this week Chrome 56 will be released, and as announced, the browser bar icon for non-HTTPS connections has been changed so users get the written warning: “Not secure.” Google is adding a similar warning box to the autocorrect feature on password form pages and sites asking for login pass phrases and credit card details over HTTP.

“We want to avoid warning fatigue for users, but we also want secure connections,” Schechter said.

Firefox has had similar wording in its developer builds for some time now, but Schechter said that in the next stable build of Firefox, similar warning messages will be displayed. The same will be true for later browser builds if necessary.

In addition to encouraging users to switch, Google wants companies on their side. Traditionally businesses have been slow to get on board with HTTPS, due to expensive certifications and problems getting ad revenue and SEO information.

Those problems have eased, she said, with very little price premium (if any) for HTTPS certification – thanks to free Let’s Encrypt certs. As for ad revenues, over 80 per cent of Google ad requests now go through HTTPS, with other ad networks showing similar figures. Incidentally, The Register can be viewed over HTTPS, from our forums login to white papers to editorial articles – hats off to our tech team for that.

Schechter said that businesses and developers would really benefit from HTTPS. That’s the carrot, and Google also has a stick to wield just in case.

The Chocolate Factory is going to start degrading the effectiveness of powerful APIs capable of slurping lots of useful data, unless it’s done securely. Google has already downgraded the Geolocation APIs, and anyone using getUserMedia(), encrypted media extensions, or AppCache will also have severe limitations unless they are on an HTTPS connection.

There will be optimized code in Chrome for transport layer security, notably in session resumption and false start functions. Conversely, features like Brotli compression will be performance-limited on insecure connections.

This is fair enough, considering the kind of data we’re talking about, Schechter argued. Geolocation can reveal an internet user’s home or work address, and be used for tracking. Such data needs to be more secure, she argued, and that need is only growing stronger. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/google_in_your_face_about_https_adoption/

We don’t want to alarm you, but PostScript makes your printer an attack vector

Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language.

If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here.

The bugs range from attackers exfiltrating copies of what’s sent to printers, to denial-of-service, code execution, forced resets and even bricking the targets.

The work from the University Alliance Ruhr landed on Full Disclosure here (with five vendor-specific follow-ups), and as they note: “This vulnerability has presumably been present in every PostScript printer [for] 32 years as solely legitimate PostScript language constructs are abused.”

As they note in the GitHub repo hosting their proof-of-concept code, it “makes dumpster diving obsolete”.

Linux, *BSD and Mac OS users note: the bug’s also exploitable via the popular Common Unix Printing System, CUPS.

The PostScript showpage operator is at fault here: present in every PostScript document to print the current page, it can be redefined by an attacker to execute their own PostScript code. The legitimate application is to overlay pages with things like letterheads; as the authors note, “it can be used to play pranks like putting `hax0r slogans’ on all sheets”.
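A defender cannot easily tell a letterhead overlay from the abuse described above by looking at the printed output, but the redefinition itself is visible in the job stream. The following added example (written for this page, not code from the Hacking Printers project or any vendor) is a small triage check that could run on a print server or in a CUPS filter: it scans a PostScript job for any construct that redefines the name showpage and reports the line it appears on. The two sample jobs are constructed here for illustration; the regular expression is a heuristic that also flags redefinitions inside comments, which is acceptable for a tool whose job is to route suspicious jobs to review rather than to prove intent.

```python
import re
from typing import List, Tuple

# Constructed sample jobs (not real captured print traffic).
BENIGN_JOB = b"""%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Quarterly report) show
showpage
"""

# Redefines showpage so every page gets extra content drawn on it before the
# original operator runs. Legitimate for letterheads, but it is the same hook
# the article describes being abused, so a print server should look at it.
OVERLAY_JOB = b"""%!PS-Adobe-3.0
/showpage { gsave 72 760 moveto (ACME Corp) show grestore
  systemdict /showpage get exec } bind def
72 720 moveto (hello) show
showpage
"""

# A definition of the name showpage: the literal name "/showpage", a procedure
# body in braces, then "def" (optionally "bind def") or "put" for the
# "userdict /showpage { ... } put" spelling. Lazy ".*?" with DOTALL lets the
# body span several lines; nested braces are handled only approximately.
SHOWPAGE_REDEF = re.compile(
    rb"/showpage\s*\{.*?\}\s*(?:bind\s+)?(?:def|put)\b", re.DOTALL
)


def find_showpage_redefinitions(job: bytes) -> List[Tuple[int, str]]:
    """Return (line_number, snippet) for every showpage redefinition in a job."""
    hits: List[Tuple[int, str]] = []
    for match in SHOWPAGE_REDEF.finditer(job):
        # 1-based line number of the start of the match.
        line = job.count(b"\n", 0, match.start()) + 1
        snippet = match.group(0)[:60].decode("latin-1")
        hits.append((line, snippet))
    return hits


def triage(job: bytes) -> str:
    """Policy hook: 'allow' untouched jobs, 'review' anything that hooks showpage."""
    return "review" if find_showpage_redefinitions(job) else "allow"


if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("overlay", OVERLAY_JOB)):
        print(name, triage(job), find_showpage_redefinitions(job))
```

Because the check only looks at the job text, it also works on jobs captured at the network boundary in front of port 9100; it does not, and cannot, detect what a printer that has already been reprogrammed by an earlier job will do.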

More serious malice is also possible, however – an attacker can obtain copies of print jobs from outside the network.

The boffins exploit the Web mechanism Cross-Origin Resource Sharing (CORS) for this attack, which they’ve illustrated below.

Cross-site printing: too easy (exfiltrating print jobs). Image: Hacking-Printers.net

CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it’s supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.

“We have full control of what the requested `web server’ – which actually is a printer RIP [raster image processor – The Register] accessed over port 9100/tcp – sends back to the browser. By using PostScript output commands we can simply emulate an HTTP server running on port 9100/tcp and define our own HTTP header to be responded – including arbitrary CORS Access-Control-Allow-Origin fields which instruct the web browser to allow JavaScript access to this resource and therefore punch a hole into the same-origin policy.”

Vendors known to have exploitable functions include HP, Dell, and Lexmark, and there are specific advisories for others.

The researchers also say:

This last one happens because an exploit can force high numbers of rewrites to the printer’s NVRAM, which eventually causes it to deteriorate, bricking the target.

Finally, the researchers also demonstrate that PostScript printers and Brother’s proprietary PJL can be buffer-overrun with an exploit, leading to “denial of service or potentially even to code execution”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/postscript_bug/

Want to bring down that pesky drone? Try the power of sound

Usenix Enigma 2017 Hacking sensors isn’t as big an area of research as hacking operating systems and firmware, but the results of simple physical hacks can be far-reaching.

In a talk at Enigma 2017, Yongdae Kim, professor in the Korea Advanced Institute of Science and Technology’s Graduate School of Information Security, showed how active and passive sensors can be hacked with a simple laser pointer or with speakers set to just the right frequency.

Passive sensors, like gyroscopes and magnetometers, simply measure their environment and report back. Active sensors, like radar and sonar, send out a signal and then take measurements on the return signal. Both are hackable relatively simply.

Take, for example, the gyroscopes used in off-the-shelf drones, which use an inertial measurement unit that tracks the forces on a weight along three axes. Many materials have a resonant frequency that causes them to oscillate – think breaking a wine glass with a high note – and it’s just a matter of finding that frequency.

Kim and his team found the correct frequency for gyroscopes in seven of the 15 commercial drones they tested, including hardware from STMicro and InvenSense. These ranged between audible and inaudible sounds for humans, but all proved effective in confusing the drone and causing it to crash.

This was demonstrated on stage, where a commercial quadrocopter crashed after Kim and his assistant fired the right sound at it. While you needed to be close up for the attack to work, more distant attacks could be achieved by ramping up the power output.

There are limiting factors, he admitted. If the gyroscope housing is sturdy, this would make the hack much more difficult, and there’s a limit to how loud you can go before the attack becomes more trouble than it’s worth.

On the active side, Kim showed how an active medical sensor that dispenses drips of drugs can be hacked using a laser pointer. By shining the laser at the sensor controlling droplet flows, it loses its ability to measure the droplets of medicine flowing into the patient.

In testing, the sensor could be tricked to double the dose of drugs to the patient, or to cut the flow of medicine by 45 per cent. To make matters worse, the physical distance needed to do this is based on the laser’s power, so as long as the laser has line of sight access to the sensor, the hack could work.

Thankfully this is fairly easy to block. Kim said you could simply cover the transparent sections of the device in masking tape. But overall, he said, it was worrying how easily commonly used sensors can be hacked.

This problem is only going to get worse. Sensors are increasingly added into all manner of devices and his team is currently looking at the kinds of sensors that self-driving cars rely on to keep us safe. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/drones_brought_down_using_sound/

Forgot your GitHub password? Facebook cooks up spec to reset logins via social network

Usenix Enigma 2017 Facebook has published a specification for providing secure and reliable account recovery in websites and applications.

Recovering access to accounts is, judging from our article archives, too easy for developers to screw up: passwords are stored in plain text, security questions can be guessed or bypassed, and so on. In his keynote at Enigma 2017, Brad Hill, a security engineer at Facebook, said whenever he carries out penetration testing, the first thing he hits up is the security questions for a password.

“As we’ve seen with Guccifer’s hacking of Colin Powell and others, once you are famous enough all security questions are trivia,” Hill said. “And as more of us spend more time online, the problem is spreading fast.”

Basically, you’ve got to make sure the person claiming they’ve forgotten their password, and needs a way to get back into the account, is the legit owner, and not an identity thief or some other miscreant. Emailing a link to the address registered with the account is one way of granting access, although it assumes the email address’s account hasn’t been compromised and that the user can still get into their inbox. Security codes can be texted via SMS but this is unreliable and assumes the customer hasn’t lost their phone or had it stolen or seized.

To nail down a secure process for all this, Facebook has written and published an open specification that describes how to generate, for each account, a token that can be given to a third-party service. These tokens can later be used to reactivate the accounts. A developer kit and reference implementation is due to be revealed at some point.

Ahead of that public release, Facebook has worked with GitHub on a trial of the system. If someone gets locked out of their GitHub account, the code repository can ask the third-party recovery service – in this case, Facebook – for that person’s token. When the user logs into their profile on the social network, Facebook releases the person’s token to GitHub to complete the account recovery.

If you can’t get into your Facebook profile, you’ll have to navigate its account recovery process before logging into GitHub. Essentially, the specification allows website and app programmers to push their account recovery mechanism onto an established, trusted provider, thus avoiding the reinvention of any wheels. Facebook calls this “delegated account recovery”; the cynics among us call it “encouraging everyone to have an active Facebook account.” Or Google, or whoever else implements the protocol.

The token could also have other uses, we’re told. Because they have timestamps, they could be used to authenticate a user if their credentials have been stolen and their account passwords or registered email address changed. Having a timestamped token would make restoring an account much easier – it can be used to prove you are the original owner.
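To make the flow above concrete, here is an added example that is not Facebook’s specification, reference implementation, or GitHub’s code: a simplified model of the three parties in Python’s standard library. The issuer (the GitHub role) mints a timestamped token bound to an account and signed with a key only it holds; the recovery provider (the Facebook role) stores the opaque token and releases it only after the user has authenticated with the provider; the issuer then checks the signature, that the token is the one currently on record for that account, and its age. The 180-day lifetime, the field names and the per-account nonce are assumptions of this example. A production design would also encrypt the payload so the provider learns nothing about the account it is holding a token for; this example only authenticates it.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Assumed lifetime for this example; the published spec sets its own policy.
TOKEN_LIFETIME_SECONDS = 180 * 24 * 3600


class Issuer:
    """The site that owns the account (the GitHub role in the article)."""

    def __init__(self, key: bytes) -> None:
        self._key = key                      # never leaves the issuer
        self._current: Dict[str, str] = {}   # account id -> nonce of the valid token

    def issue(self, account_id: str, now: int) -> bytes:
        # Each account has exactly one valid token; re-issuing retires the old one,
        # which is what lets the token prove "original owner" after a takeover
        # changed the password or e-mail address.
        nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self._current[account_id] = nonce
        body = {"sub": account_id, "nonce": nonce, "iat": int(now)}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)

    def verify(self, token: bytes, now: int) -> Optional[str]:
        """Return the account id the token recovers, or None if it is not acceptable."""
        try:
            payload_b64, tag_b64 = token.split(b".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
            body = json.loads(payload)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # forged or tampered
            return None
        if not isinstance(body, dict):
            return None
        sub, nonce, iat = body.get("sub"), body.get("nonce"), body.get("iat")
        if not isinstance(sub, str) or not isinstance(iat, int):
            return None
        if self._current.get(sub) != nonce:             # superseded or unknown token
            return None
        age = now - iat
        if age < 0 or age > TOKEN_LIFETIME_SECONDS:     # from the future, or expired
            return None
        return sub


class RecoveryProvider:
    """The established identity provider (the Facebook role) holding tokens it cannot forge."""

    def __init__(self) -> None:
        self._vault: Dict[str, bytes] = {}

    def store(self, provider_user: str, token: bytes) -> None:
        self._vault[provider_user] = token

    def release(self, provider_user: str, session_authenticated: bool) -> Optional[bytes]:
        # The token leaves the vault only once the user has logged in at the provider.
        if not session_authenticated:
            return None
        return self._vault.get(provider_user)


def recover_account(issuer: Issuer, provider: RecoveryProvider,
                    provider_user: str, session_authenticated: bool, now: int) -> Optional[str]:
    """The locked-out user's path: fetch the token from the provider, present it to the issuer."""
    token = provider.release(provider_user, session_authenticated)
    return issuer.verify(token, now) if token is not None else None


if __name__ == "__main__":
    issuer, provider = Issuer(b"constructed-issuer-key"), RecoveryProvider()
    t0 = 1_700_000_000
    provider.store("alice@provider", issuer.issue("alice", t0))
    print(recover_account(issuer, provider, "alice@provider", True, t0 + 3600))
```

Note what the provider never sees: the issuer’s signing key. Even a dishonest or breached provider can only replay tokens it was given, and only the one token currently on record for an account is accepted, so re-issuing is the revocation mechanism.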

This may sound like an authentication grab from Facebook, but Hill said that any service provider can implement the specification and begin storing authentication tokens. The system is being rolled out as a trial between Facebook and GitHub to limited partners, and will go to general availability later in the year.

The reason for the pause is to check the system. Facebook and Github will pay bug bounties to anyone who finds flaws in the code starting from today. Hill urged people to try to poke holes in the scheme.

Meanwhile, Facebook announced support for two-factor authentication using hardware keys for logging into the social network. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/after_sorting_out_passwords_with_hardware_facebook_works_on_account_recovery/

With net neutrality pretty much dead in the US, your privacy is next

Full of confidence in Ajit Pai – the new boss at the FCC, America’s communications watchdog – groups representing US telcos are seeking a repeal of the regulator’s privacy rules.

Citing the appointment of Pai and the imminent decision to roll back the previous administration’s net neutrality protections, industry groups now hope that the little requirement for an opt-in for the collection of user data will be frozen, if not done away with completely.

“The FCC privacy framework adopted just last October was a sharp departure from the FTC’s innovation-friendly, flexible guidelines that have overseen a successful burgeoning of the Internet,” said Doug Brake, telecom policy analyst with industry think-tank Information Technology and Innovation Foundation.

“It’s time to hit pause before these bad rules are implemented, and then hopefully wipe the slate clean to start fresh on a new policy direction.”

Brake, like many on the side of the telco industry, suggests that the FCC should loosen the rules on when and how ISPs and other service operators can both collect and sell off data on their customers.

Lobbying group CTIA has posted similar thoughts, arguing that telcos should be trusted not to flog off customer browsing habits to the highest bidder.

“For over twenty years, ISPs have protected their consumers’ data with the strongest pro-consumer policies in the internet ecosystem,” the group writes.

“ISPs know the success of any digital business depends on earning their customers’ trust on privacy.”

The groups have reason to feel optimistic that Pai will follow their wishes and roll back Tom Wheeler’s consumer protections. When the privacy rules were first announced in October of last year, Pai was one of two commissioners to oppose the new rules and backed the idea of bringing the FCC’s privacy protections in line with the FTC’s more lenient rules. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/net_neutrality_dead_privacy_next/

WTF is your problem, Netgear? Another hijack hole found in its routers

Researchers are warning of a serious security hole that can be exploited to hijack potentially hundreds of thousands of Netgear routers.

The programming blunder allows an attacker with access to the router to harvest the administrator access password. A victim could visit a malicious webpage that uses JavaScript to exploit the vulnerability in the router firmware to take over the boxes, knock them offline, change their DNS settings to redirect browsers to malware-injecting websites, and so on. Malware already on the network can also

It can also be exploited from across the internet if the device is set up to expose its admin interface to the whole web, but this is not a default setting.

This particular security hole is believed to be present in 31 different Netgear models. Owners of at-risk kit are advised to check and update their firmware.

The flaws, designated CVE-2017-5521 and TWSL2017-003, were discovered by researcher Simon Kenin of Trustwave, who found that by triggering an error message, the router can be tricked into handing over a numerical code that can then be used with the password recovery tool to retrieve the router’s administrator credentials.

Further research led Kenin to discover that in many cases, the numerical code is not even necessary, and that random strings sent directly to the password recovery script would still cause the login information to be displayed.

In short, anyone who can pull up the router administrator screen, be it over the web or local Wi-Fi network, can obtain the admin password and gain complete control over the router itself.

“We have found more than ten thousand vulnerable devices that are remotely accessible,” said Kenin. “The real number of affected devices is probably in the hundreds of thousands, if not over a million.”

Netgear has released a firmware fix, though Kenin says that getting the network hardware giant to pay attention to the report was a nine-month ordeal that culminated in Netgear’s commitment to overhaul its handling of bug reports and work more closely with the research community.

The vulnerability is one of several high-profile flaws to be found in Netgear’s routers in recent months. On two occasions in December, researchers disclosed security flaws in the router that, like Kenin’s bugs, could be exploited remotely to take control over the device.

Mike Ahmadi, global director of critical systems security with Synopsys, says the cause of the problem is not unique to Netgear, but rather something every network hardware builder has to deal with.

“Vendors typically build such devices for the stated functionality, which is to route traffic and block unwanted traffic, when used as intended,” Ahmadi said.

“What many vendors fail to do, however, is adequately assess the inherent security of the devices they sell, thereby flooding the market with vulnerable devices. Some vendors have taken it upon themselves to address the inherent vulnerabilities, but the end user is often left guessing which devices are adequately tested, since there is currently no regulatory requirement to test to a given level of rigor, and any attempt to force such regulations are met with extreme resistance.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/major_security_hole_in_netgear_routers/

6 Free Ransomware Decryption Tools

The No More Ransom group has been working to get free decryptor tools into the hands of security professionals and the general public.

Image Source: Flickr

Worried about getting hit with ransomware? You’re not alone. The good news is that security experts and law enforcement have been working to combat ransomware: over the past year, the No More Ransom project has developed free decryptor tools for more than two dozen strains of ransomware. 

Jornt van der Wiel, a Kaspersky Lab security researcher, notes that No More Ransom was launched in July 2016 by the Dutch National Police, Europol, Kaspersky Lab, and Intel Security.

From those early meetings, No More Ransom started releasing the first batch of free decryptor tools. In December, Bitdefender, Emsisoft, Check Point, and Trend Micro joined the project as associate partners.

“We have definitely angered the ransomware makers,” says Intel Security Vice President and CTO Raj Samani. “Recently, we found a ransomware variant using the file extension .nomoreransom, so they know who we are.”

The No More Ransom site is managed by Amazon Web Services and Barracuda. For more information and access to the full range of free decryptor tools, check out No More Ransom.

Here’s a look at the free tools available to get back your data after a ransomware attack, as well as an inside look at how they were created, based on interviews with van der Wiel and Samani.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/threat-intelligence/6-free-ransomware-decryption-tools/d/d-id/1327999?_mc=RSS_DR_EDT

Sex club for women exposes members’ private photographs

Skirt Club is a place for lesbian and bisexual women to play out their fantasies, and it’s known for being discreet. But that doesn’t seem to apply when it comes to the online privacy component, according to Vice Germany.

The club’s website privacy disclaimer (cached) says:

We endeavour to take all reasonable steps to protect your data. All the data collected by us is stored on a secure server.

Not enough, according to Vice, which reported that Skirt Club kept members’ photos easily accessible online. With more than 5,000 members worldwide – many of whom are not open about this part of their lives – the potential privacy violations are significant.

Vice included an example of those compromised: a 39-year-old woman who had been married for 15 years and said in her profile that “No one knows that I am bi in my environment. Not my kids, my friends or clients.”

Vice Germany investigated after anonymous sources contacted the publication to voice concerns with the site, which went dark around 1pm EST on Friday. Vice published a feature on Skirt Club in October 2016, which is probably why it was contacted about this. Vice explained:

In December 2016, several anonymous sources contacted editors of VICE Germany and Motherboard Germany about serious security issues with the website. After they looked into those claims, the editors found that at that time, thousands of personal images that members had uploaded in order to join Skirt Club were accessible to non-members – photos of users partially or fully naked, often recognizable, sometimes even with their names mentioned in the image. You didn’t need to hack the site to see – they weren’t password protected and anyone curious enough to make a bit of an effort could view and download the photos.

Vice was particularly critical of how Skirt Club dealt with the issue:

After VICE Germany reported the security issues to Skirt Club in mid-December 2016, it took Skirt Club more than three weeks to patch the issue. The users’ pictures and data aren’t accessible any more, but the security issue isn’t resolved completely – and at the time of publication, Skirt Club hasn’t informed users of the former problem.

Naked Security reached out to Skirt Club, which directed press inquiries toward its attorney:

Skirt Club is directing all media enquiries to its lawyer, Dr Sebastian Gorski at Schertz Bergmann Rechtsanwälte in Berlin. 

Protecting yourself

Those with unconventional sex lives who sign up for this sort of thing can take steps to ensure privacy. They include:

  • Editing any pictures you submit on your own machine, not via an editor function on the website
  • Stripping out the metadata from any photographs you upload
  • Making sure that any photographs you upload haven’t been posted anywhere else (so that they can’t be turned up by a reverse image search)
  • Using a completely separate email account that isn’t connected to any of your social media presences
  • Paying any fees via a separate PayPal account not linked to any other IDs. 
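The second item, stripping metadata before upload, is the one readers most often get wrong, because a camera or phone writes location, date and device details into the JPEG itself (the Exif APP1 segment) and image editors often add their own. The following added example, not code from Naked Security or from any site mentioned in the article, removes those segments with nothing but the Python standard library, so it can run on your own machine as the first item advises. It walks the JPEG marker segments in front of the image data, drops Exif/XMP (APP1), Photoshop/IPTC (APP13) and free-text comment (COM) segments, and copies the compressed image through untouched. The sample file is a constructed marker skeleton, not a real photo; the function works the same way on a real JPEG passed on the command line.

```python
import sys
from typing import Iterator, List, Tuple

# Segments that carry metadata rather than image data: APP1 (Exif and XMP),
# APP13 (Photoshop / IPTC) and COM (free-text comments). APP0 (JFIF) and
# APP14 (Adobe colour transform) are kept because decoders rely on them.
STRIP_MARKERS = {0xE1, 0xED, 0xFE}
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw_bytes) for each segment after SOI, ending with SOS plus the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte between markers
            i += 1
            continue
        if marker == SOS:             # entropy-coded data follows until EOI; copy verbatim
            yield marker, data[i:]
            return
        if marker == EOI or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            yield marker, data[i:i + 2]   # standalone markers carry no length field
            i += 2
            if marker == EOI:
                return
            continue
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[i + 2:i + 4], "big")   # includes the 2 length bytes
        if i + 2 + length > len(data):
            raise ValueError("truncated segment body")
        yield marker, data[i:i + 2 + length]
        i += 2 + length


def markers(data: bytes) -> List[int]:
    """Marker list of a JPEG, useful for checking what a file carries before and after stripping."""
    return [marker for marker, _ in iter_segments(data)]


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with Exif/XMP, IPTC and comment segments removed; pixels are untouched."""
    return b"\xff\xd8" + b"".join(seg for m, seg in iter_segments(data) if m not in STRIP_MARKERS)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: a valid marker skeleton with placeholder Exif and comment
# segments and a few fake entropy-coded bytes. It is not a decodable photo.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00II*\x00" + b"\x00" * 20)
    + _segment(0xFE, b"taken at constructed-gps-location")
    + _segment(0xDB, b"\x00" + bytes(range(64)))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)


if __name__ == "__main__":
    # Usage: python strip_jpeg_metadata.py in.jpg out.jpg (file names are assumptions)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            cleaned = strip_metadata(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(cleaned)
    else:
        print(markers(SAMPLE_JPEG), "->", markers(strip_metadata(SAMPLE_JPEG)))
```

Two caveats a reader should know: the walker stops at the start of scan, so anything appended after the image data (some phones write a second trailer there) is copied unchanged, and stripping metadata does nothing about the reverse-image-search problem in the third item, which is about the pixels themselves.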

(Kate Bevan contributed to this report.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OARoaqn4PDw/

GDPR is just over a year away – and many firms are nowhere near ready

This is a critical year for those working to comply with the European Union’s (EU) General Data Protection Regulation (GDPR), which requires those doing business in the EU to more securely collect, store and use personal information by 2018.

Unfortunately, according to (ISC)2’s EMEA council, which covers issues concerning Europe, the Middle East and Africa, organizations aren’t doing too well, having accomplished precious little in the first year they had to get things in order.

In an advisory this weekend marking Data Privacy Day, the council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.

Those observations are based on the experiences of an international GDPR task force of (ISC)2 members tasked with implementing GDPR. The task force, which tracks and curates front-line experience with the compliance effort, mapped out the problems:

First observations from our group reveal that too many projects are falling at the first hurdle, with implementation teams unclear on or unable to secure business support or the budgets needed for compliance. Specialist knowledge is going into auditing and determining what is required, but it is being met with a lack of will or acceptance at a business unit level to move forward with projects that have been outlined. Progress that is being made tends to be linked to the roll out of new initiatives, leaving gaps in addressing existing systems and processes.

If business leaders can’t appreciate the requirements placed on them, the effort must shift to helping them be more clear about their role in the process and the resources (both people and financial) required, the council said. To that end, it mapped out a two-point action plan:

Ensure GDPR gains a priority ranking on the corporate and board-level risk register. The council said this is justified by both the impact of failing to comply and the likelihood of a breach in the current threat landscape:

The impact goes beyond the now well-cited maximum fine of 4% of worldwide turnover. Individuals have gained new rights to demand action and compensation for damages linked to a breach of their rights, while the definition of what is considered “personal data” includes many new forms of electronic data, IP addresses and the like, that can lead back to them.

Emphasize the scope of what is required. This is not a simple “audit and adjust” exercise, the council said, adding:

GDPR places greater emphasis on the documentation and existence of processes in place for the governance of personal data, and demands companies define how they will deal with user requests related to many new individual rights, the most cited of which is perhaps the right to remove their data from their systems.

The (ISC)² EAC GDPR Task Force published an overview of the basics that can be used as a tool to help everyone understand and communicate the scope of what is required.

Last month, Naked Security focused on things companies need to do in 2017 to get ready for GDPR. Those interviewed for the article pointed to a checklist published by Ireland’s Office of the Data Protection Commissioner. Below is a condensed breakdown of that list, which will hopefully clear up some of the questions the council believes are holding organizations back:

12 to-do items

The 11-page .pdf is loaded with actionable information. The document suggests companies be on top of the following by mid 2017:

    1. Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
    2. Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
    3. Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
    4. Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
    5. Review how access rights could change. Review and update procedures and plan how requests within new timescales will be handled.
    6. Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
    7. Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
    8. Process children’s data carefully. Organizations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
    9. Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
    10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
    11. Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
    12. Get educated on the internal organizations managing GDPR. The regulation includes a “one-stop-shop” provision to assist organizations operating in EU member states. Multinational organizations will be entitled to deal with one data protection authority, or Lead Supervisory Authority (LSA) as their single regulating body in the country where they are mainly established.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2_8gxChK914/