
281 Arrested in International BEC Takedown

Conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, the Department of Justice reports.

A coordinated law enforcement operation targeting business email compromise (BEC) has led to the arrest of 281 individuals around the world, including 74 in the United States, 167 in Nigeria, 18 in Turkey, and 15 in Ghana, the Department of Justice reported this week. Alleged fraudsters were also arrested in France, Italy, Japan, Kenya, Malaysia, and the United Kingdom.

BEC scams are sophisticated schemes typically designed to target employees with access to company finances or organizations that work with suppliers and regularly send wire transfers. The same people who drive BEC fraud also target individuals, such as real estate purchasers or the elderly, convincing them to send money to criminal-owned accounts by impersonating a key employee, breaking into a target’s email account, or launching a romance or lottery scam.

Many BEC scams are perpetrated by foreign nationals who are often members of transnational criminal organizations that originated in Nigeria and spread throughout the world. The DoJ has ramped up efforts to take down those targeting American citizens and businesses with BEC.

Operation reWired was a four-month effort by the US DoJ, Department of Homeland Security, Department of the Treasury, Postal Inspection Service, and Department of State. The operation resulted in the seizure of nearly $3.7 million, the DoJ reported this week. Law enforcement worked with domestic and international groups to complete this operation.

Starting in May 2019, officials went after hundreds of BEC scammers and executed over 214 domestic actions including arrests, money-mule warning letters, and asset seizures and repatriations amounting to nearly $3.7 million; however, it seems scammers were after greater monetary gain.

In addition to corporate and individual finances, fraudsters may target personally identifiable information (PII) or employee tax records so they can file fake returns or sell stolen data online. Such was the case here: In investigating this massive identity theft and tax fraud scheme, law enforcement discovered conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to generate more than $91 million in refunds.

“The investigation of these crimes crossed international borders,” said director Todd Brown of the US Department of State’s Diplomatic Security Service. “Today’s charges are another successful example of our commitment to working together with both foreign colleagues abroad as well as local, state, and federal law enforcement partners here at home in the pursuit of those who commit cyber-related financial crimes.”

Many of the cases targeted by Operation reWired involved international criminal organizations that reportedly defrauded businesses large and small; others allegedly targeted individual victims who transferred high volumes of money or sensitive data. BEC is a tremendous financial burden to the companies and people it affects, the FBI reports, and reported losses are growing.

In a disclosure published the same day as the Operation reWired announcement, the FBI reported a 100% increase in identified global exposed losses related to BEC between May 2018 and July 2019. Between June 2016 and July 2019, there were 166,349 domestic and international cases of BEC; these generated $26.2 billion in total exposed monetary losses.

This increase in the number of incidents is partly attributed to greater awareness and reporting of BEC scams, which have been reported in all 50 states and 177 countries. Fraudulent transfers have been sent to at least 140 countries, though most go to banks in China and Hong Kong. Still, the FBI points to an uptick in fraudulent transfers sent to the UK, Mexico, and Turkey. 

The FBI’s Internet Crime Complaint Center has seen an increase in the number of BEC complaints related to the diversion of payroll funds, indicating human resources or payroll departments are receiving spoofed emails asking for a change in direct deposit accounts.

Some businesses say they have received phishing emails prior to requests for direct deposit changes. Employees may receive similar emails with a fake login page for the email host, which captures their login credentials and gives attackers a way to access their personal information. With a legitimate username and password, a scammer can make a request appear legitimate.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/281-arrested-in-international-bec-takedown/d/d-id/1335781?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fed Kaspersky Ban Made Permanent by New Rules

A new set of regulations converts the government ban on using Kaspersky products from a temporary rule to one that’s permanent.

The Federal Acquisition Regulation Council has published a final, formal regulation that bars government agencies, departments, and bureaus from buying security software and services from Kaspersky Lab. This new rule replaces a temporary regulation that had instructed Federal purchasers on how they should act in abiding with terms of the 2018 National Defense Authorization Act.

The new regulation, spelled out in Sections 1634 (a) and (b) of the National Defense Authorization Act for Fiscal Year 2018, is a blanket prohibition that extends beyond the government itself; no contractor with a government practice is allowed to have Kaspersky software or services in any of its systems, either.

Kaspersky was hit with the prohibition in 2017 because of concerns that it could be serving as a “backdoor” attack surface for agents of Russia’s government. Kaspersky has protested that the regulation is unconstitutional because it targets a single company, not a set of behaviors.

For more, read here.


Article source: https://www.darkreading.com/operations/fed-kaspersky-ban-made-permanent-by-new-rules/d/d-id/1335782?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Proposed Browser Security Guidelines Would Mean More Work for IT Teams

CA/Browser Forum wants SSL certificates to expire after a year. Many businesses that rely on them aren’t equipped to cope.

For years, Secure Sockets Layer (SSL) certificates — a digital tool used to allow secure web connections between a web server and web browser — have been a baseline for a business’s digital trust. The padlock icon and https prefix that appear in the address bar are an easy way for website visitors to gauge whether the site they’re visiting is “trusted.”

Behind the scenes, SSL certificates, issued by certification authorities and approved/rejected by the big browser manufacturers, are updated and replaced every two years to ensure the certificates remain secure. This cycling is a process designed to ensure certificate authenticity and keep certificates current. SSL certificates are just one of a number of public and private certificates that IT teams manage on behalf of their business — across websites, devices, and software.

At the enterprise level, certificate management can be overwhelming. Highly skilled public key infrastructure (PKI) staff spend considerable time locating, revoking, and reissuing rolling certificates. For most businesses, this effort is time consuming, expensive, and managed manually with scarce resources, making certificate management prone to errors. Our research shows that 71% of businesses don’t even know how many certificates they have — leaving them ill-equipped to revoke and reissue at scale.

Founded in 2005, the CA/Browser Forum is a group of certification authorities and browser makers (such as Google, Safari, and Firefox) that work together to design processes that ultimately help make the Internet safer. In August, the Forum and its members announced a proposal to reduce the length of time that SSL/TLS certificates can be used to protect web servers. This has created considerable discussion about the benefits of shortened certificate lifetimes versus the additional management overhead required by users of these certificates to rotate them more frequently.

We know that many of the standards that govern IT, like those being recommended by the CA/Browser Forum, are often designed with good intentions; however, the operational effects can be considerable. If these new standards are adopted, organizations will be forced to rotate certificates every year rather than every two years (as is today’s practice), resulting in higher labor costs required to manage certificates. Certificate management continues to be a manual process for most businesses; a shortened lifespan means IT teams will have to invest twice the amount of time to manage rolling certificates, which produces at least a 2X outage and configuration misstep risk.

Per the proposal, the new standards would be effective March 2020, which doesn’t give businesses much time to pivot. Collectively, digitization means that most businesses today manage thousands of public and private certificates, across systems, software, and websites. Triple that estimate for larger enterprises. Manual management significantly raises the risks associated with outages and misconfigurations due to the implementation or replacement of expired certificates. The business and security risks produce greater likelihood of compromise, or a security event (such as the Equifax breach).

Regardless of the outcome around this proposal, IT teams should take the announcement as an opportunity to pause and evaluate their internal management processes to assess their crypto and certificate management capabilities across public and private certificates.

Leaders can start with four key areas to get ahead of future process changes and large-scale certification changes:

1. Run an inventory. Start by understanding your certificate landscape. Identify every certificate within the organization and use cryptographic parameters to understand where certs have been deployed and what assets they secure.

2. Develop a certificate life-cycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could affect compliance.

3. Adopt IT automation technology. Traditional manual certificate management processes aren’t equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement. (Note: Keyfactor is one of a number of companies that does this.)

4. Embrace crypto agility. Build a certificate inventory and life-cycle workflows to establish your crypto strategy and framework.
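As an added illustration of steps 1 and 2 (not code from the article or from Keyfactor): a Go program, standard library only, that assesses each certificate in an inventory against an assumed 365-day lifetime cap and a 30-day renewal lead time, then orders the fleet by renewal deadline. The certificates it inspects are constructed self-signed ones so it runs offline; `ParsePEMCertificate` is the loader shape a real inventory of on-disk PEM files would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// MaxLifetimeDays is the proposed one-year cap discussed above (assumed value for this example).
const MaxLifetimeDays = 365

// Actions returned by AssessCert, most urgent first.
const (
	ActionExpired  = "expired: replace immediately"
	ActionRenewNow = "inside renewal lead window: renew now"
	ActionReissue  = "lifetime exceeds cap: reissue with at most one year of validity"
	ActionOK       = "ok"
)

// CertReport is one row of the certificate inventory.
type CertReport struct {
	Subject      string
	NotBefore    time.Time
	NotAfter     time.Time
	LifetimeDays int       // NotAfter minus NotBefore
	DaysLeft     int       // NotAfter minus now (negative once expired)
	RenewBy      time.Time // NotAfter minus the lead time
	ExceedsCap   bool      // validity longer than MaxLifetimeDays
	Action       string
}

func days(d time.Duration) int { return int(d.Hours() / 24) }

// AssessCert classifies one parsed certificate relative to "now" and a renewal lead time.
func AssessCert(cert *x509.Certificate, now time.Time, leadDays int) CertReport {
	r := CertReport{
		Subject:      cert.Subject.CommonName,
		NotBefore:    cert.NotBefore,
		NotAfter:     cert.NotAfter,
		LifetimeDays: days(cert.NotAfter.Sub(cert.NotBefore)),
		DaysLeft:     days(cert.NotAfter.Sub(now)),
		RenewBy:      cert.NotAfter.AddDate(0, 0, -leadDays),
	}
	r.ExceedsCap = r.LifetimeDays > MaxLifetimeDays
	switch {
	case r.DaysLeft < 0:
		r.Action = ActionExpired
	case !now.Before(r.RenewBy):
		r.Action = ActionRenewNow
	case r.ExceedsCap:
		r.Action = ActionReissue
	default:
		r.Action = ActionOK
	}
	return r
}

// Inventory assesses every certificate and orders the fleet by renewal deadline, soonest first.
func Inventory(certs []*x509.Certificate, now time.Time, leadDays int) []CertReport {
	out := make([]CertReport, 0, len(certs))
	for _, c := range certs {
		out = append(out, AssessCert(c, now, leadDays))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].RenewBy.Before(out[j].RenewBy) })
	return out
}

// ParsePEMCertificate decodes the first CERTIFICATE block of a PEM file (real-inventory loader shape).
func ParsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NewSelfSigned builds a constructed test certificate so the example runs offline.
func NewSelfSigned(cn string, notBefore time.Time, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSampleFleet constructs a two-year, a one-year and a 90-day certificate (hypothetical hostnames).
func BuildSampleFleet(start time.Time) ([]*x509.Certificate, error) {
	var fleet []*x509.Certificate
	for _, c := range []struct {
		cn   string
		days int
	}{{"legacy.example.test", 730}, {"web.example.test", 365}, {"api.example.test", 90}} {
		cert, err := NewSelfSigned(c.cn, start, c.days)
		if err != nil {
			return nil, err
		}
		fleet = append(fleet, cert)
	}
	return fleet, nil
}

func main() {
	start := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	fleet, err := BuildSampleFleet(start)
	if err != nil {
		panic(err)
	}
	for _, r := range Inventory(fleet, start.AddDate(0, 0, 200), 30) {
		fmt.Printf("%-20s lifetime=%4dd left=%5dd renewBy=%s  %s\n",
			r.Subject, r.LifetimeDays, r.DaysLeft, r.RenewBy.Format("2006-01-02"), r.Action)
	}
}
```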

Standards changes like these are intended to improve overall security hygiene while hardening every point of the IT infrastructure. Ultimately these types of changes will continue to emerge to match evolving cyber-risk. IT leaders can prepare by ensuring the adoption of a crypto-agile strategy. That strategy includes the adoption of automation tools and proper certificate management that secures foundational infrastructure components, providing teams with a PKI “easy button” that helps them reduce and manage their risks.

Foundationally, the CA/Browser Forum standards open the door to a larger discussion around PKI and digital identities, providing IT leaders and budget owners incentive to invest in automation tools that lessen the burden on their IT teams and, more importantly, their business’s operational and security risk.


Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class …

Article source: https://www.darkreading.com/risk/compliance/proposed-browser-security-guidelines-would-mean-more-work-for-it-teams/a/d-id/1335727?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook says location data in iOS 13, Android 10 may be confusing

On Monday, Facebook gave users a heads-up about changes coming in Android and iOS updates and how they let you see and manage your location data, how apps track you, and how Facebook’s use of your location data fits into all of it.

The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app.

You can see why Facebook might want to get its location data story out there now, in front of Apple’s release of iOS 13, which is expected in just a few days, on 19 September. (Android 10 was already publicly released – at least for Pixel devices – on 3 September.)

Facebook’s app is, after all, one of the apps whose snail-slime trails of users’ location data iOS 13 is going to depict in maps.

From Facebook’s newsroom post:

If you are using iOS 13, you will begin to receive notifications about when an app is using your precise location in the background and how many times an app has accessed that information. The notification will also include a map of the location data an app has received and an explanation why the app uses that type of location information.

Apple announced the background location feature in June.

Craig Federighi, Apple’s senior vice president of software engineering, said at the time that sharing your location data with a third-party app can “really enable some useful experiences,” but that “we don’t expect to have that privilege used to track us.”

iOS 13 will show users a map of where apps have been tracking you when requesting permission

The notifications show a map of the specific location data a given app has tracked, displaying the snail-slime trails that we all leave behind in our daily travels and which so many apps are eager to sniff at for marketing purposes.

Or for other reasons, as well. Besides the map, the popups will also provide the app’s rationale for needing access to a user’s background location.

iOS 13 will also offer users the option to give apps access to location “just once,” instead of continuous background access or the constant access an app wants when in use. Previously, iPhone users were only given the options of providing that data when the app is in use, never, or always.

At Apple’s Worldwide Developers Conference 2019 in June, Federighi said that iOS 13 will also give users reports on what apps are up to if you do choose to grant them the ability to continually monitor your location in the background.

Android 10 might confuse you

Google’s Android 10 also ushered in a slew of privacy and security improvements designed to keep Android users a little safer. But some of the new options might confuse users, Facebook suggested.

As we reported last month, one of the significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog lets users choose whether apps can access location at all times, or only when running in the foreground.

Android 10 also addresses apps that snoop on location data using other means, including by looking at Wi-Fi access points or checking folders for location data left by other apps. Android 10 requires specific fine location permissions for apps accessing selected Wi-Fi, telephony, and Bluetooth functions. It also has a new feature called scoped storage, which restricts an app’s access to files on external storage, only giving it access to its specific directory and media types.

Facebook said in its post that previously, Android offered an on/off switch for controlling an app’s access to your device’s precise location information. Facebook noted that earlier in the year, it introduced the ability to block Facebook’s background location tracking on Android – a move it made days after a report that it uses location data to monitor interns and other people the company deemed to be a “credible threat.”

With Android 10, users will have the option to allow individual apps to access their precise location, either while they’re using the app or in the background. Facebook said that this could give rise to instances of your Facebook privacy settings being out of sync with your Android 10 setting:

We understand that this may be confusing if you’re already using Facebook’s background location setting, and this update may cause a few instances where the Android and Facebook location settings will be out of sync.

Facebook’s fix: it’s going to respect whatever users’ most restrictive settings are.

For example, if your device location setting is set to “all of the time,” but your Facebook background location setting is off, we won’t collect your precise location information when you’re not using the Facebook app.

Facebook says it’s also going to phase out the Facebook background location setting on Android 10, by reminding people to check their device’s location settings, “to make sure what they’ve chosen is right for them.”

You’re in the driver’s seat

Make no mistake: Facebook thinks it’s better with location data:

It powers features like check-ins and makes planning events easier. It helps improve ads and keep you and the Facebook community safe. Features like Find Wi-Fi and Nearby Friends use precise location even when you’re not using the app to make sure that alerts and tools are accurate and personalized for you.

Having said that, Facebook emphasizes that “privacy matters” and that how much we share is up to each of us users.

You’re in control of who sees your location on Facebook. You can control whether your device shares precise location information with Facebook via Location Services, a setting on your phone or tablet.

At any rate, Facebook says it’s still potentially going to be able to suss out our location by using things like check-ins, events and information about our internet connections. It’s bringing us new ways to control how and when we share our location data, it says, and that means new features to “help you explore the world around you,” including breaking local news alerts and a new map in the Events tab, to “help you find things to do with friends nearby.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6rvcy97aMoE/

Telegram fixes ‘unsend message’ bug that held on to your pictures

Imagine this: you’re at a party one Saturday night and, at 1 a.m. decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a litre of Smithwick’s finest from a beer bong.

Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Ruh-roh. That’s a quick way to sober up.

Luckily, you sent the photo using Telegram Messenger, and you remember that it lets you delete entire messages and the pictures they contain both from yours and the recipient’s phone. Sue was probably asleep, so you can quickly wipe the message and no one will be any the wiser.

Phew, no harm done. Except for one important fact: it turns out that ‘unsend’ feature didn’t work properly.

Telegram introduced its ‘unsend message‘ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw.

The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion.

Telegram’s unsend message function also works with messages sent to groups. That’s great for mistakes where you accidentally send a file to multiple participants, but unfortunately, the same bug exists there too. Mishra said:

Assume a case wherein you’re a part of a group with 200,000 members and you accidentally share a media file not meant to be shared in that particular group and proceed to delete, by checking “delete for all members” present in the group. You’re relying on a functionality that is broken since your file would still be present in storage for all users.


Mishra didn’t test the iOS or desktop versions of Telegram, but assumed it would work on other platforms. It’s a moot point for people that upgrade their Telegram app because the company fixed the bug in version 5.11. It also awarded him €2,500.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JlTC9zsAbJY/

LinkedIn can’t block public profile data scraping, court rules

An appeals court has told LinkedIn to back off – no more interfering with a third-party data-analytics startup’s use of the publicly available data of LinkedIn’s users.

The court’s decision, which affirmed that of a lower court, has been closely anticipated for what some legal scholars consider to be the case’s important constitutional and economic issues, as well as what critics believe could be a chilling effect on digital competition.

Constitutional scholar and Harvard law professor Laurence Tribe, for one, has weighed in on this issue to offer advice to the data-scraping startup in question, hiQ Labs.

At issue, Tribe has said, was that social media is the modern equivalent of the public square. He’s called LinkedIn’s attempts to stop hiQ from using its users’ publicly available data “a serious challenge to free expression in the modern world.”

Freedom of speech is not just about flag-burning. It’s about how you use information in the digital economy. Data is the new form of capital in creating products and services.

The decision was applauded for providing clarity around the scope of the nation’s major hacking law, the Computer Fraud and Abuse Act (CFAA). The Electronic Frontier Foundation (EFF), for one, said that it should come as a relief to researchers, journalists, and companies…

who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to.

The case

Back in 2016, hiQ, a San Francisco startup, was marketing two products, both of which depend on whatever data LinkedIn’s 500 million members have made public: Keeper, which identifies employees who might be ripe for being recruited away, and Skills Mapper, which summarizes an employee’s skills.

hiQ wasn’t hacking anything away. It was just grabbing the kind of stuff you or I could get on LinkedIn without having to log in. All you need is a browser and a search engine to find the data hiQ sucks up, digests, analyzes and sells to companies who want a heads-up when their pivotal employees might have one foot out the door or that are trying to figure out how their workforce needs to be bolstered or trained.

In 2016, LinkedIn decided to offer a similar service, at which point it sent hiQ and others in the sector cease and desist letters and started blocking the bots that were reading its pages.

LinkedIn’s case has two main arguments:

  1. hiQ is scraping data that belongs to LinkedIn and threatens its members’ privacy; and
  2. It does this with bot-scraping programs that have negative effects.

LinkedIn alleged that hiQ was violating the CFAA, as well as the Digital Millennium Copyright Act (DMCA). It also alleged that hiQ was conducting unfair business practices under California state law. In the letter to hiQ, LinkedIn noted that it had used technology to block the startup from accessing its data.

On Monday, a three-judge panel nixed LinkedIn’s claims about the alleged CFAA violation and told LinkedIn to stop blocking the scraping. The judges wrote that data scraping of publicly available information does not constitute a violation of the CFAA.

CFAA doesn’t apply to public data

The court found that the CFAA simply doesn’t apply to information that’s available to the general public, as is LinkedIn users’ data. The court pointed out that LinkedIn’s privacy policy clearly states that…

…’any information you put on your profile and any content you post on LinkedIn may be seen by others’ and instructs users not to ‘post or add personal data to your profile that you would not want to be public.’

From the get-go, the CFAA was enacted not to protect such publicly available data, but rather to prevent “intentional intrusion onto someone else’s computer – specifically, computer hacking,” the decision reads.

The three judges referenced a 1984 House Report on the CFAA that explicitly compared the conduct prohibited by section 1030 of the existing computer fraud law (the CFAA was enacted in 1986 as an amendment to that law) to forced entry. From that 1984 report:

It is noteworthy that section 1030 deals with an ‘unauthorized access’ concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering’.

The court pointed out that when the CFAA was first enacted, it only applied to certain categories of computers that had military, financial, or other sensitive data:

None of the computers to which the CFAA initially applied were accessible to the general public. Affirmative authorization of some kind was presumptively required.

In 1996, the law was extended to cover more computers. At that time, a Senate report said that the goal was to “increase protection for the privacy and confidentiality of computer information.”

Thus, California’s 9th Circuit reasons that “the prohibition on unauthorized access is properly understood to apply only to private information – information delineated as private through use of a permission requirement of some sort.”

But hiQ is only scraping information from public LinkedIn profiles. It’s the same data any member of the public is authorized to access.

LinkedIn argued that it could selectively revoke that authorization using a cease-and-desist letter, but the 9th Circuit wasn’t persuaded. The court said that ignoring a cease-and-desist letter isn’t the same as hacking into a private computer system.

Besides finding that hiQ hasn’t violated the CFAA, Monday’s ruling also upheld a lower court order that banned LinkedIn from interfering with hiQ’s scraping activities during the course of the litigation. As it is, if it can’t scrape LinkedIn data, hiQ doesn’t have anything to sell to its clients and will very likely go belly up before it has a chance to finish the case, the court recognized.

Next steps?

The EFF, which had filed an amicus brief along with the search engine DuckDuckGo and the Internet Archive, said that Monday’s decision is an “important step” in limiting use of the CFAA “to intimidate researchers with the legalese of cease and desist letters.”

But the CFAA could still be used by the likes of LinkedIn to stifle competition, EFF said, since the Ninth Circuit “sadly left the door open to other claims, such as trespass to chattels or even copyright infringement.”

This isn’t the end of the story, the EFF predicts. The CFAA is still full of muddy language, and the issues raised in this litigation could still wind their way on up to the Supreme Court:

Even with this ruling, the CFAA is subject to multiple conflicting interpretations across the federal circuits, making it likely that the Supreme Court will eventually be forced to resolve the meaning of key terms like ‘without authorization.’

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UVANipcvTu0/

Wikipedia fights off huge DDoS attack

Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it around 17:40 (UTC) on that day was far larger than normal and carried on its attack for almost three days.

The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.

The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm the company’s web servers with bogus HTTP traffic.

Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.

In fact, most of that flood would never have reached Wikipedia’s servers, instead being thrown away by upstream ISPs as a protective measure when it became obvious that a DDoS was underway.

DDoS takedowns

An attack this big is sometimes called a ‘takedown’ (not to be confused with legitimate takedowns connected to content), a relatively rare event intended to bring a well-known site’s operation to a halt for as long as possible.

Why Wikipedia? Most likely, because someone out there doesn’t like Wikipedia. As the site’s owners, Wikimedia, put it in a brief statement:

We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.

Less likely, a DDoS-for-hire outfit decided to use a famous site like Wikipedia as a look-what-we-can-do advert for their services at the considerable expense of revealing much of the botnet designed to host such attacks.

Given that the attack persisted into the weekend, it’s not surprising that Wikimedia called for help from Cloudflare, the zero-cost mitigation provider for sites that can claim to have a public purpose.

By Sunday, ThousandEyes noticed, Wikipedia’s servers were being ‘fronted’ entirely by Cloudflare, which deploys anti-DDoS technology to identify bad traffic and throw it away.

Interestingly, big DDoS takedowns have become somewhat less frequent these days, presumably because all sites that consider themselves targets employ mitigation companies to defend themselves.

But, at the very least, the Wikipedia attack is a warning that the people who carry out these attacks have not given up on trying.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b2MSnz2UW8w/

D-Link, Comba network gear leave passwords open for potentially whole world to see

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners’ passwords out in the open.

Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers.

For D-Link gear, two bugs were discovered in the firmware for the DSL-2875AL and DSL-2877AL wireless ADSL modem/routers. The first bug concerns a configuration file in the DSL-2875AL that contains the user password and does not require any authentication to view: you just have to be able to reach the web-based admin console, either on the local network or across the internet, depending on the device’s configuration.

“This file is available to anyone with access to the web-based management IP address and does not require any authentication,” Trustwave’s Karl Sigler said on Tuesday. “The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there.”

The second flaw is present in both the 2875AL and 2877AL models. It is less a “flaw” than a glaring security oversight: the source code for the router log-in page (again, accessible to anyone who can reach its built-in web UI server) contains the ISP username and password of the user in plain text. This can be pulled up simply by choosing the “view source” option in a browser window.

Fixes have been released for both models. Those with the 2877AL modem will want to get Firmware 1.00.20AU 20180327, while owners of the 2875AL should update to at least version 1.00.08AU 20161011.

The Register tried to get in touch with D-Link for comment on the matter, but was unable to get a response. Trustwave didn’t fare much better, saying that the bugs were only listed as patched after the researchers told D-Link they were going public with the findings, after waiting months for the router biz to get its act together.

“D-Link’s response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs,” Sigler explained.

“After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their RD group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.”

With Comba, three vulnerabilities were found within the AC2400 Wi-Fi Access Controller and AP2600-I Access Point. In the first flaw, present in the AC2400, the MD5-hashed password is stored in plaintext in a file anyone can reach by knowing the device’s IP address.

The AP2600-I, meanwhile, stores the MD5-hashed password both in the source of the log-in webpage and in a config file, both accessible to anyone who knows the router’s IP address.

The Register has yet to receive a response from Comba. Neither did Trustwave, and at the time of writing it appears no fix has been posted. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/11/dlink_comba_flaws/

Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS – hot on the heels of Firefox

Only days after Mozilla said it plans to make DNS-over-HTTPS (DoH) available by default gradually for Firefox users in the US, Google announced its intention to test DoH in Chrome 78, due for beta release in the next two weeks.

DoH wraps domain-name queries in a secure, encrypted HTTPS connection to a DNS server, rather than firing off requests using bog-standard plain-text insecure DNS, thereby keeping queries inaccessible to eavesdroppers. It’s one of several emerging internet protocols intended to close security and privacy gaps in online communications.

Google’s experiment will involve checking whether Chrome 78 users’ DNS provider is among six services selected for their readiness to test DoH – Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS and Quad9. And if so, Chrome will switch from standard DNS to DoH using the same service provider, at least for those lucky few in the experimental group.

Mozilla today announced its Firefox Private Network beta that routes your browser traffic through Cloudflare and out to the open internet via an encrypted channel. This VPN-like proxy service is supposed to hide or obfuscate your connections from snoops, though it means everything you do flows through Cloudflare.

Google is thus avoiding one of the concerns raised by Mozilla’s approach, namely forcing Firefox users to change their chosen DNS provider to Cloudflare. In so doing, the Chocolate Factory ensures that malware screening and parental filtering capabilities offered by DNS providers will continue to function, if possible under DoH.

“This experiment will be done in collaboration with DNS providers who already support DoH, with the goal of improving our mutual users’ security and privacy by upgrading them to the DoH version of their current DNS service,” explained Kenji Baheux, Chrome product manager, in a blog post. “With our approach, the DNS service used will not change, only the protocol will.”

Baheux says Google’s goal is to validate its DoH implementation in Chrome and to measure the protocol’s effect on performance.

The experiment will involve a small percentage of Chrome users across supported platforms except for Linux and iOS. And there will be a way to opt out: disabling the flag setting at chrome://flags/#dns-over-https. Most managed Chrome deployments for enterprise customers will be excluded from the test; Google plans to publish information about DoH for network admins on its Enterprise Blog shortly.

For those using Android 9 or greater who have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH and, if that fails, fall back to the DoT setting.

DoH and DoT are separate standards for encrypting DNS queries. DoH relies on TLS and HTTP/2 and uses the standard HTTPS port 443 for traffic; DoT relies on TCP as the connection protocol, in conjunction with TLS encryption and authentication on its own port, 853, making it more visible on a network level and easier to block.

In a Twitter post on Monday, Paul Vixie, CEO of Farsight Security and a contributor to the design of the DNS protocol, warned that DoH limits the autonomy of network administrators.

“DoT is not the same as DoH,” he wrote. “Both provide TLS-level privacy. But DoT can be blocked in network firewalls. DoH is ‘designed to prevent on-path interference in DNS operations’ (introduction, RFC 8484). DoT is a universal good. DoH will be a net harm no matter what good it may do.”

Earlier this year, he argued that DoH is part of a campaign by US tech companies to control the DNS resolution path, at the expense of those who would prefer to set their own rules for their own networks. “There’s been a war for control of the DNS resolution path, since at least the SiteFinder debacle and perhaps earlier,” he said. “This is the latest battle in that long war. Big American tech companies want your DNS traffic, any way they can get it.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/10/chrome_78_dnsoverhttps/

It’s 2019, and Windows PCs can be pwned via a shortcut file, a webpage, an evil RDP server…

Patch Tuesday Microsoft, Adobe, and SAP today delivered a load of security updates for this month’s Patch Tuesday.

80 bugs squashed in Redmond

It will be a busy day for admins and users of Windows PCs and servers, as Microsoft has released updates for a total of 80 CVE-listed bugs.

Among the more serious issues addressed this month are CVE-2019-1215 and CVE-2019-1214, a pair of elevation-of-privilege vulnerabilities that have been under active attack in the wild.

In both cases, experts say, miscreants are going after older machines. CVE-2019-1215 preys on Winsock, specifically ws2ifsl.sys, a service that has been targeted by malware since 2007, while the exploit for CVE-2019-1214 is largely looking to target Windows 7 boxes. These flaws can give malware on a machine admin-level access to hijack the whole box.

“This is a fine time to remind you that Windows 7 is less than six months from end of support, which means you won’t be getting updates for bugs like this one next February,” said Dustin Childs of the Zero Day Initiative.

“Patch your systems, then work on your upgrade strategy.”

Of the bugs classified by Microsoft as critical risks, four were for remote code execution vulnerabilities in Windows remote desktop. CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 all address remote code flaws that could be exploited by a malicious server to take over a victim’s PC after its client connects.

“An attacker would have no way of forcing a user to connect to the malicious server, they would need to trick the user into connecting via social engineering, DNS poisoning or using a Man in the Middle (MITM) technique,” Microsoft notes.

“An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.”

As is usually the case, the majority of this month’s critical patches address flaws in Microsoft’s browser scripting engines. The Chakra, VBScript, and IE scripting engines accounted for eight of the critical fixes. In each case, a specially crafted webpage could be used to remotely execute code on the target’s PC.

Companies running Azure DevOps Server and Team Foundation Server will want to patch CVE-2019-1306, a remote code execution bug triggered when the attacker uploads a poisoned file that is then indexed by the vulnerable server.

The .lnk format used for application shortcuts in Windows is the focal point of CVE-2019-1280. The bug would allow an attacker to get a malicious app to execute (with the rights of the current user) by hiding it behind a .lnk file on a removable drive or remote share.

CVE-2019-1235, an elevation of privilege flaw in Windows Text Service Framework, and CVE-2019-1294, a security bypass in Secure Boot, should also be a priority to patch, as both have been made public already but have yet to be exploited.

Two Flash fixes and an Application Manager patch from Adobe

Adobe had a relatively quiet Patch Tuesday this month, as just two updates were issued to address a total of three CVE-listed flaws.

For those still using Flash Player, the update brings fixes for CVE-2019-8070 and CVE-2019-8069, a pair of arbitrary code execution flaws stemming from use-after-free and same-origin method execution errors. Neither has been targeted in the wild thus far.

Adobe Application Manager (the installer tool used to unpack Adobe apps) also received an update to address CVE-2019-8076, an arbitrary code execution bug caused by insecure handling of libraries. No exploits have been reported in the wild, yet.

Lucky you, 13 more patches dropped by SAP

Not to be overlooked is the September patch bundle from enterprise giant SAP.

Among the 13 updates issued are two patches for HANA, one for SAP Business Client, and two updates for SAP Diagnostics Agent. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/10/patch_tuesday_abode_sap/