STE WILLIAMS

Today’s Resident Evil: Ransomware crooks think local, not global, prey on schools, towns, libraries, courts, cities…

Ransomware criminals have taken a particular shine to US city and state governments, infecting them with file-scrambling extortionware in the hope of quick payouts.

So says the security team at Barracuda Networks, who pored over a stack of its infection reports in the Land of the Free, and found a large majority of specifically targeted ransomware invasions were aimed at local government agencies.

“The team’s recent analysis of hundreds of attacks across a broad set of targets revealed that government organizations are the intended victims of nearly two-thirds of all ransomware attacks,” Barracuda CTO Fleming Shi explained on Wednesday.

“Local, county, and state governments have all been targets, including schools, libraries, courts, and other entities.”

The focus on government targets over corporate networks is likely a crime of opportunity, as private companies are usually somewhat more diligent on security and are more likely to be up to date on patching and anti-malware than poorly-funded government facilities.

In many cases, researchers found that smaller governments were preyed upon, likely because they in particular lack the funds and manpower to catch and prevent the spread of ransomware infections, and are unable to easily restore data after their files are scrambled. About 45 per cent of the 80 attacks Barracuda studied in depth took place against local governments in areas with fewer than 50,000 residents.

“Smaller towns are often more vulnerable because they lack the technology or resources to protect against ransomware attacks,” said Shi. “Nearly 16 percent of the municipalities attacked were cities with populations of more than 300,000 residents.”

Among those named in the report were the Florida towns of Lake City and Riviera Beach, which combined paid over $1.1m in ransom to get their data back from criminals, a practice the federal government discourages but some experts believe makes more sense for some companies and government agencies.

Part of the trend towards paying may be due to pressure from insurance companies, according to a separate report from ProPublica.


That article cites officials in Lake City who say that the decision to cough up the ransom demand was made after consultation with the city’s insurer, who pointed out that paying the demand would be cheaper than a data recovery effort that could exceed the city’s coverage limit.

With insurance companies looking to keep their costs down, the report reckons, more people are paying up and, as a result, criminals have an incentive to continue ransomware attacks.

“They’re going to look at their overall claim and dollar exposure and try to minimize their losses,” said Eric Nordman, a former director of the regulatory services division of the National Association of Insurance Commissioners, or NAIC, the organization of state insurance regulators. “If it’s more expeditious to pay the ransom and get the key to unlock it, then that’s what they’ll do.”

As a result, the criminals are now upping the amounts demanded in ransom because they know insurers will pay up. These incentives will ensure that ransomware remains a bugbear for some time to come. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/ransomware_government_attacks/

Come on, hackers, do your worst ‒ Facebook opens Portal gizmo to Pwn2Own exploit fest

Facebook is opening its Portal videoconferencing hardware to hackers for the first time at the upcoming Pwn2Own Tokyo competition.

The Social Network will be providing the headliner for the hacking contest, allowing contestants to demonstrate working exploits that can achieve either remote code execution or, barring that, local privilege escalation. Hacking teams from around the world will try their luck and could scoop a cash prize from Facebook of either $60,000 (for an RCE exploit) or $40,000 (for privilege escalation or non-invasive physical attacks), as well as the hardware itself.

Facebook’s Oculus subsidiary will also be taking part in the contest, offering up the Oculus Quest VR headset to the “Wearable” category. Like the Portal, winners must show working exploits for remote code execution, privilege escalation, or non-invasive physical attacks (you can touch, but can’t crack it open) on a fully-patched headset. Winners will get the unit and either $60,000 or $40,000, depending on the severity of the attack.

Both of the Facebook devices will be tested as part of the Pwn2Own Tokyo contest running on November 6th and 7th at the PacSec conference in Japan. In addition to the Facebook gear, contestants will get a chance to break into the Apple Watch, iPhone XS Max, Samsung Galaxy S10, Huawei P30, and home cameras from Amazon and Nest.

Other targets include routers (TP-Link and Netgear) and smart TVs from Sony and Samsung.


For the smartphones, in addition to getting into the phones via the web browser, contestants will be tasked with breaking into handsets over short-distance wireless (Wi-Fi, Bluetooth, USB), SMS message, or by pretending to be a base station.

Those who show working exploits (usually remote code execution, elevation of privilege, or sandbox escape, depending on the target) get the device and a cash payout, as well as points toward the overall “Master of Pwn” category, which has its own trophy and a Platinum-tier membership in the Trend Micro ZDI program as a reward.

“While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points,” ZDI notes.

“Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/pwn2own_facebook_portal/

Are US border cops secretly secreting GPS trackers on vehicles without a warrant? EFF lawyers want to know

The Electronic Frontier Foundation (EFF) has sued [PDF] the US Department of Homeland Security to find out more about a program where, it is claimed, officers secretly stick GPS trackers on vehicles they are suspicious of as they come through the border.

The EFF has made repeated Freedom of Information Act (FoIA) requests about the program’s policies but has been stonewalled, with Homeland Security’s responses claiming any information would contain “sensitive information” that could lead to “circumvention of the law.”

The foundation’s main concern is that Homeland Security is carrying out its secret tracking without a warrant, or even anything beyond a single officer’s suspicion. And it points to a recent US Supreme Court decision where it ruled that warrantless GPS tracking was unconstitutional under the Fourth Amendment.

Details of the program came to light last year when customs officers revealed in court filings that they had used GPS trackers without a warrant at the border. Since then the EFF has tried to find out what the policies and procedures are for deciding when a vehicle can be tagged. The relevant authorities have not been keen to go into any detail.

There’s another legal precedent too: a California court ruled that government officials’ use of GPS devices to track two suspected drug dealers without getting a warrant violated the Supreme Court decision, made in 2012, and was government misconduct.

Constitutional bending

The two men had a tracking device stuck on their truck on the US side of the Canadian border in Michigan and were then tailed to California where they were arrested. An ICE official had signed a declaration saying the approach was consistent with the Supreme Court decision; the California courts felt otherwise.


The EFF is making no bones about its frustration with border agents: “Once again, ICE and CBP prove themselves to be rogue agencies by conducting searches that violate the Fourth Amendment and ignore Supreme Court precedent,” said staff attorney Saira Hussain. “Let’s be clear: the Constitution still applies at the border.”

The EFF’s FoIA request and now the lawsuit are designed to figure out whether the border cops are still running similar programs even though they have clearly been ruled unconstitutional.

And in a related case, the EFF is still pushing to find out more about similar warrantless searches of people’s electronic devices at the border. That case is still wending its way through the courts, but the EFF claims it is so cut-and-dried that there’s no need for a trial and the court should simply rule that it is unconstitutional to conduct warrantless searches of electronic devices, given other recent Supreme Court decisions.

The border issue has come under the spotlight again this week after a Harvard freshman had his visa revoked and was deported after a customs officer found posts written by other people in his social media feed that they felt were anti-US. The student in question had been asked to provide access to their phone and laptop and had done so. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/28/eff_cmp_gps/

Fuzzing 101: Why Bug-Finders Still Love It After All These Years

Fuzzing is one of the basic tools in a researcher’s arsenal. Here are the things you should know about this security research foundational tool.


When you’re in the kitchen and throw pasta against the wall, it might stick so that you can tell whether it’s cooked. When you’re in computer security and you throw things against a target’s “wall,” they might do nothing… they might blow up the wall. Or they might land you in a different place entirely. That’s the allure — and the danger — of “fuzzing” as a research tool.

To understand what fuzzing is and why it’s so valuable, we go back 30 years to “An Empirical Study of the Reliability of UNIX Utilities,” a paper written by lead author Barton P. Miller, the “father of fuzzing.” In that paper, and in its 1995 follow-up “Fuzz Revisited,” Barton and his co-authors present the technique of throwing unanticipated input at utilities and programs to see what happens.

In the original paper, Barton wrote that the idea of fuzzing was born in line noise from a dial-up network connection. When random characters in the exchange caused a program to crash, it led researchers to wonder whether a tool generating random input strings could be valuable when looking at application security and reliability. As it turns out, it can be quite valuable — and the method can aid in discovering a host of vulnerabilities and errors.

What Can Fuzzing Discover?

The errors and vulnerabilities that fuzzing can discover tend to fall into four broad categories: invalid inputs, memory leaks, assertion failures, and incorrect results or connections. A separate area of fuzzing is used in credential stuffing attacks. Each can result in its own form of insecurity for the application or system owner.

Invalid Input

In almost every application that accepts user input, the program expects the input to be in a particular format. But what happens if, for example, a text string is entered into a date field? What happens if a series of emojis is entered into a name field? In both cases, type-checking functions should throw away the input and issue an error, but rushed developers don’t always include robust type-checking in their code. That’s when the vulnerabilities begin.

Memory Leaks

Memory leaks — when applications use memory for instructions and data, they’re supposed to clean up after themselves, releasing the memory to be used again and keeping everything within the nice, neat, logical boundaries that computers love. Unfortunately, some programmers don’t follow best practices and some programming languages thwart the best memory management efforts. Because of this, over time, memory becomes cluttered with stray data, information is stored where it shouldn’t be, and havoc ensues. Stuffing excessively large input into applications can speed up the process if good input-validation isn’t in place, and fuzzing can help figure out where those opportunities for mayhem reside.

Assertion Failure

Many applications assume that you’ve followed a logical path to get to a given point. That tends to mean that qualifications have been met and states set before you do what you’re doing now. But what if those states haven’t been set and those qualifications haven’t been met? If you’re still allowed to proceed, then an assertion failure has occurred — something the program was expecting hasn’t yet happened. Fuzzing is a great way to see if you can “skip the line” and get somewhere you shouldn’t be.

Unexpected Connections

Fuzzing can help answer the question, “What if, instead of my first name, I entered a SQL command here?” Or, “What if I entered a URL where the application was expecting something else?” In each of these cases, if anything but a discarded input and error message result, then a vulnerability has been discovered.

Credential Stuffing

Report after report shows that human beings tend to rely on a handful of common, easily typed passwords for online accounts. And organizations tend to use a handful of formats for generating email addresses for employees. Attackers (or pen testers) can then try all of the common password types with each possible email address — statistically, they’ll get at least a few successful logins for each organization. Of course, running through all of the permutations can take time, unless the attacker is using an automated tool for fuzzing credentials.

Fuzzing Tools

In order to truly explore each type of vulnerability, a researcher must try a variety of different possibilities for each targeted input field. It would take far too much time to do this manually, so a variety of different automated tools have been developed to make the process faster and easier.
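As an added illustration that is not part of the original article, the following Python shows the loop such tools automate: a mutation-based fuzzer driven against a small, constructed record parser with two defects planted in it. The parser, its format, the mutation operators and the seed input are inventions for this example, not any named tool. Clean rejections (ValueError) are counted as the parser doing its job; anything else that escapes is a finding of the kinds the categories above describe: an out-of-bounds read caused by an invalid length, and an assertion about program state that unchecked input can violate.

```python
import random


# Constructed record format used as the fuzz target:
#   byte 0      record type (1 or 2)
#   byte 1      name length
#   bytes 2..   name
#   next 2      big-endian 16-bit value
def parse_record(data: bytes) -> dict:
    """Parse one record. Raises ValueError for input it rejects cleanly.

    Two defects are planted on purpose so the fuzzer has something to find:
    an off-by-two bound check and a state assertion reachable from input."""
    if len(data) < 4:
        raise ValueError("record too short")
    rtype = data[0]
    if rtype not in (1, 2):
        raise ValueError("unknown record type")
    name_len = data[1]
    # BUG: the bound should be len(data) - 4 so that two value bytes always
    # follow the name. As written, a name running to the end of the buffer
    # passes, and the value read below walks off the end with an IndexError.
    if name_len > len(data) - 2:
        raise ValueError("name length exceeds buffer")
    name = bytes(data[2:2 + name_len])
    value = (data[2 + name_len] << 8) | data[3 + name_len]
    # BUG: "type-2 records carry a non-zero value" is asserted rather than
    # validated, so hostile input reaches it and trips an AssertionError.
    assert not (rtype == 2 and value == 0), "type-2 record with zero value"
    return {"type": rtype, "name": name, "value": value}


INTERESTING = [0, 1, 2, 0x7F, 0x80, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, random byte, boundary value, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        # boundary values, including ones relative to the current buffer
        # length, which is where length-prefixed formats tend to break
        i = rng.randrange(len(buf))
        buf[i] = rng.choice(INTERESTING + [len(buf) - 2, len(buf) - 1, len(buf)]) & 0xFF
    elif op == 3:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 10000, seed: int = 1) -> dict:
    """Mutation-based fuzzing loop.

    ValueError counts as a clean rejection; any other exception is a finding,
    recorded once per distinct (exception type, message) together with the
    input that reproduces it. Inputs the target accepts become new seeds."""
    rng = random.Random(seed)
    corpus = [seed_input]
    stats = {"accepted": 0, "rejected": 0, "crashes": {}}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            stats["rejected"] += 1
        except Exception as exc:  # the fuzzer wants every kind of crash
            stats["crashes"].setdefault((type(exc).__name__, str(exc)), candidate)
        else:
            stats["accepted"] += 1
            corpus.append(candidate)
    return stats


SEED = b"\x01\x03abc\x00\x00"  # constructed seed: type 1, name "abc", value 0

if __name__ == "__main__":
    result = fuzz(parse_record, SEED)
    print(f"accepted={result['accepted']} rejected={result['rejected']}")
    for (kind, msg), repro in result["crashes"].items():
        print(f"{kind}: {msg!r} reproduced by {repro!r}")
```

Run it and the crash table lists each distinct exception with the input that reproduces it. Changing the bound check to len(data) - 4 and turning the assertion into a validation that raises ValueError empties the table, which is the check to run after a fix. Real fuzzers add coverage feedback to decide which mutants to keep; this loop keeps every input the parser accepts, the simplest form of that idea.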

There are a number of free tools available for fuzzing. Among them are:

While not a simple fuzzing tool, Google OSS-fuzz is used by many researchers and can be a valuable tool for learning a complete research process around fuzzing. And it’s important to note that Barton has maintained a web page about fuzzing, including a link to download all the software, definitions, and targets in his original research, at the University of Wisconsin-Madison.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/fuzzing-101-why-bug-finders-still-love-it-after-all-these-years/b/d-id/1335672?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning

An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses.

The APT28 cyber-espionage group, often called “Fancy Bear” and linked to Russia, has stripped much of the malicious functionality from its initial infector, hiding it in a sea of benign code, according to an analysis published today by Cylance, a subsidiary of Blackberry.

The approach shows that the group has developed greater operational sophistication, says Josh Lemos, vice president of research and intelligence at Cylance (and no relation to the author). The authors of the implant appear to be trying to hide in plain sight by using well-known libraries, such as OpenSSL, and a widely used compiler, POCO C++, resulting in 99% of the more than 3 megabytes of code being classified as benign, according to Cylance’s analysis.

Those steps, taken along with other newly adopted tactics, suggest the group is trying a different approach to dodge evolving defenses, Lemos says.

“It would be odd for them to shift tactics without a reason,” he says. “That is what is giving us the belief that this is a response to a lot of players in the industry having shifted to static ML and even the heuristics engines and traditional AV scanners — those are going to have challenges keying in on malicious bits of this code.”

Attackers have used a variety of ways to dodge host-based defenses in the past, most often involving encrypting, or “packing,” parts of the file to prevent antivirus (AV) scanners from recognizing the malicious parts of the code. In addition, attackers have used domain generation algorithms (DGAs) to download code at a later date from hard-to-predict locations, defeating initial scans that look for malicious code, the report says.

Camouflaging malware as legitimate code is old hat for cybercriminals. Deception is a key part of their toolkits. Attempting to deceive machine-learning (ML) algorithms designed to spot malicious code features is more difficult.

“Machine learning is going to look at the static code and say, ‘Almost all of this is good code,'” Lemos says. “That may bias [the algorithm] toward labeling it ‘good’ in the machine-learning decision.”

APT28 has operated since at least 2007, according to an initial 2014 analysis by FireEye. The group has largely not focused on intellectual property theft, as some Chinese APT groups do, but instead steals government secrets, the company says in its report.

“Since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government,” the analysis states. “APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.”

The US Cyber Command (USCYBERCOM) submitted the sample for the implant in May to the VirusTotal scanning service, which is run by Google. The action is part of an initiative, which started in November 2018, where the agency issues a sample to VirusTotal and then sends a tweet directing analysts to the sample. The initiative essentially notifies the industry of significant threats and results in a great deal of crowdsourced research into the code.

Almost all of the malware submitted to VirusTotal came from Russian-linked operations, according to security experts. The notable exceptions: On July 3, the cybersecurity agency warned that a group — identified as Iranian by security firms — was using an Outlook vulnerability to exploit targets.

Cylance is the latest security firm to take a look at the tools used by the Russian cyber-espionage group, which is blamed for cyberattacks on the nation of Georgia prior to Russia’s 2008 invasion, and for compromising computers at the US Democratic National Committee to steal e-mails and other sensitive data prior to the 2016 presidential election.

In 2019, for example, security firm ESET published an analysis of the Zebrocy malware, one of the payloads of the APT28/Fancy Bear group, which had more than 30 commands that could be used for network and system reconnaissance. Unlike Cylance, ESET used active telemetry to gain insight into what the malware did once it was on a system.

While the latest techniques could cause problems for detection approaches based on machine-learning and heuristics, active approaches — such as watching for malicious behavior — are less likely to be fooled, Cylance’s Lemos says.

“Looking at code in multiple ways — that is very purposeful,” he says. “It does take a very blended approach for good defense these days.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/advanced-threats/fancy-bear-dons-plain-clothes-to-try-to-defeat-machine-learning/d/d-id/1335673?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TrickBot Comes to Cellular Carriers

A new malicious campaign seeks cell account PINs from victims.

Researchers have discovered that TrickBot, a credential-theft botnet operated by the Gold Blackburn threat group, has been modified to target mobile device users on Sprint, T-Mobile, and Verizon cellular networks.

The research, conducted by the Counter Threat Unit Research Team at SecureWorks, found that TrickBot is using its traditional techniques — a man-in-the-middle attack that captures a web session, routes it to a command-and-control server where code is injected to request user credentials, then sends the page to the victim — in requests to the websites run by the three cellular networks.

According to the report, the PIN requested by the malicious form indicates that the criminals are interested in perpetrating SIM-swap fraud.


Article source: https://www.darkreading.com/attacks-breaches/trickbot-comes-to-cellular-carriers/d/d-id/1335674?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Magecart Shops for Victims as E-Commerce Market Grows

In 2.5 hours of research, one security expert uncovered more than 80 actively compromised ecommerce websites.

Magecart, the e-commerce threat behind security breaches at Ticketmaster, British Airways, and other prominent targets, remains a top concern among researchers: In 2.5 hours, one security expert discovered more than 80 e-commerce sites actively under the control of Magecart groups.

For the report “In Plain Sight II: On the Trail of Magecart,” conducted by Aite Group and commissioned by Arxan Technologies, researchers explored the broad attack surface available to cybercriminals when e-commerce apps aren’t properly protected. The study, released today, analyzes the trail of servers compromised by Magecart groups, as well as the servers where attackers send data.

Magecart is an umbrella name given to different crime syndicates targeting payment websites, inserting malicious code, and lifting payment card data. It’s not a new threat, but it is growing alongside the popularity of more secure payment methods like Apple Pay, Android Pay, and contactless cards. Magecart groups monetize data via Dark Web markets and shipping scams.

Alissa Knight, senior cybersecurity analyst at Aite Group, discovered the cell of 80 actively compromised websites and found 100 more actively compromised sites in additional research, as part of this July study. Some of the targeted websites were victims of more than one group, she discovered. Aite Group and Arxan worked with federal law enforcement to alert the 80 victims of their findings, as well as the staging sites used to collect their stolen information. 

A lack of security controls can expose Web applications to formjacking, an increasingly popular type of attack in which Magecart groups inject e-commerce checkout forms with malicious code that sends shoppers’ credit card information to an external server under adversaries’ control. Unsecured sites make it easy for attackers to debug and read JavaScript or HTML5 in plain text.

Magecart groups can break into target systems in a number of ways, but formjacking is the most common, says Aaron Lint, chief scientist and vice president of research with Arxan. Other methods include exploiting the Web server or container to inject code, exploiting a coding bug in first-party or third-party code, and hijacking an open source library or third-party component.

“While 25% of the websites are reputable brands, the disturbing thing is how many medium-sized and smaller businesses are getting caught in Magecart’s web,” Lint continues. “Any website that conducts financial transactions or collects user credentials is a target.” Victims ranged from luxury fashion retailers to motorcycle manufacturers and children’s learning websites. These target companies were spotted across the United States, Canada, Europe, and Asia-Pacific.

The most common similarity in the victim websites Knight discovered is the use of e-commerce platform Magento. “All of the sites running Magento are running old versions that are vulnerable to an authenticated upload and remote code execution vulnerability that has published exploits available,” the report states. The most recent edition of Magento is version 2.1.7; however, many of the compromised websites were running versions 1.5, 1.7, or 1.9.

Arbitrary file upload, remote code execution, and cross-site request forgery all affect version 2.1.6 and below. These versions make it easier for adversaries to inject formjacking code. All of the victim websites lacked in-app protection, such as tamper detection and code obfuscation.

What You Can Do
The potential financial damage of Magecart continues to grow as e-commerce does. A separate pool of research estimates global e-commerce will rise 20.7% to reach $3.53 trillion. By 2021, it’s expected to approach $5 trillion. Lint anticipates the continued growth of the e-commerce market will drive the continued evolution of Magecart attacks.

If a target makes it difficult for cybercriminals to act, their attackers will move on. Researchers advise organizations to implement multiple layers of security so as to cause friction for adversaries, and to create a regular patch and vulnerability management policy for applications like Magento and Shopify to ensure they’re updated as new releases are made available.
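One concrete layer of the friction the researchers recommend is knowing exactly which scripts a checkout page serves. The following Python is an added example written for this digest, not code from the Aite Group report or from Arxan: it inventories the script tags of a page (external sources and SHA-256 hashes of inline bodies) and reports anything outside an allowlist of script hosts and a baseline of inline hashes, which is the kind of tamper detection that surfaces an injected formjacking script early. The hostnames, the baseline and the sample page are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def inline_hash(body: str) -> str:
    """SHA-256 of an inline script body, whitespace-trimmed, as stored in the baseline."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


class ScriptInventory(HTMLParser):
    """Collects every <script> on a page: external src values and hashes of inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []          # (hash, first 60 chars) so a finding is recognisable
        self._in_script = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._chunks = True, []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data, possibly in pieces
        if self._in_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._chunks).strip()
            if body:
                self.inline.append((inline_hash(body), body[:60]))


def audit_checkout_page(html: str, allowed_hosts: set, baseline_inline: set) -> list:
    """Return one finding per script that is outside the host allowlist or inline baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    findings = []
    for src in inv.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:   # relative src = first-party, left to FIM
            findings.append(f"unexpected external script host {host!r} ({src})")
    for digest, preview in inv.inline:
        if digest not in baseline_inline:
            findings.append(f"inline script not in baseline (sha256 {digest[:12]}...): {preview!r}")
    return findings


# Constructed allowlist and baseline for a hypothetical shop.
ALLOWED_HOSTS = {"shop.example.test", "cdn.example.test"}
BASELINE_INLINE = {inline_hash("window.checkoutConfig = {currency: 'USD', step: 'payment'};")}

# Constructed checkout page: three known scripts plus two the baseline has never seen.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example.test/lib/vendor.js"></script>
<script>
  window.checkoutConfig = {currency: 'USD', step: 'payment'};
</script>
<script src="https://static-metrics.invalid/m.js"></script>
<script>var _t = Date.now();</script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, BASELINE_INLINE):
        print(finding)
```

Relative src paths are treated as first-party and left to server-side file-integrity monitoring, because a compromised Magento install can serve the injected code from its own document root. The baseline should be regenerated from a known-clean deployment after each release, and a Content-Security-Policy whose script-src is limited to the same hosts makes the browser enforce the same allowlist at the point where a skimmer would otherwise run.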


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/magecart-shops-for-victims-as-e-commerce-market-grows/d/d-id/1335675?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Patches Second Account-Takeover Flaw in Instagram

The password-recovery mechanism once again puts users of the photo- and video-sharing platform at risk.

Facebook has closed a potentially serious security flaw in its Instagram photo- and video-sharing platform that would have let an attacker potentially take over any Instagram account by resetting its password.

The flaw is the second major issue the company has had to address in its password-recovery mechanism in the past two months. In both instances, India-based bug hunter Laxman Muthiyah reported the issue to Facebook and collected a bounty for it.  

Muthiyah’s research was prompted by a recent Facebook decision to increase payouts to researchers who discover and report account-takeover flaws and similar critical vulnerabilities in Facebook and several of its other platforms, including Instagram.

“Instagram forgot password endpoint is the first thing that came to my mind while looking for an account takeover vulnerability,” Muthiyah said in a blog last month describing the first of the two vulnerabilities he recently discovered.

Like most online services, Instagram allows users who have forgotten the password to their account to regain access via a password reset process. When a user submits a password change request from a mobile device, the person receives a six-digit code from Instagram that has to be entered in order for the password to be reset. The user has to enter the passcode within 10 minutes of receiving it or request another one.

With the first vulnerability, Muthiyah found an attacker could reset passwords to any Instagram account by triggering a password change request and then trying all one million possible combinations of the six-digit passcode until one of them worked.

The only hurdles Muthiyah discovered he had to get around were the 10-minute time limit and another Instagram control that blocked the number of tries a user could make after around 200 failed attempts.

He found that an attacker could bypass both by trying different passcodes from a large number of IPs at the same time. He figured that in a real scenario an attacker would need 5,000 IPs each making 200 requests to hack an account. “It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google,” Muthiyah wrote. He estimated the cost of carrying out such an attack would be in the range of $150.

Facebook quickly remedied the issue and paid Muthiyah $30,000 for reporting it to the company.

Second Vulnerability
But even after the fix, Muthiyah found he could still hijack Instagram accounts by exploiting another weakness in the password reset process.

In a blog this week, Muthiyah described the second vulnerability as involving a randomly generated device ID that is sent along with every password change request an Instagram user makes from his or her mobile device. The same device ID is then also used to verify the passcode.

Muthiyah said his research showed that one device ID could be used to request passcodes for different users. He found that by requesting passcodes of multiple users on the same device, he could linearly increase the probability of hacking accounts.

In total, there are one million possible combinations for a six-digit passcode. “If you request pass code of 100,000 users using same device ID, you can have 10 percent success rate since 100k codes are issued to the same device ID,” he wrote. “If we request pass codes for 1 million users, we would be able to hack all the one million accounts easily by incrementing the pass code one by one.”

Facebook paid Muthiyah $10,000 for reporting the latest bug, which it described as having to do with “insufficient protections on a recovery endpoint.” The weakness, now fixed, allowed an attacker to try numerous, valid, one-time passcodes to attempt password recovery, the company said.
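To make the difference between the weak and the fixed recovery endpoint concrete, here is an added Python model written for this digest; it is not Facebook's or Instagram's code and not the researcher's. With bind_to_user=False the store keys codes by device ID alone, which reproduces the property described above: every code issued to a device raises the success rate of a single guess, and a code requested for one account verifies inside another account's reset. With bind_to_user=True a code is tied to the (device, user) pair that requested it, is single-use, expires after ten minutes, and failed attempts are capped per device. The device name, user names and clock handling in the demo are placeholders; the six-digit code space, the ten-minute window and the 200-attempt cap are the figures given in the article.

```python
import hmac
import random

CODE_SPACE = 1_000_000          # six-digit numeric code
MAX_ATTEMPTS_PER_DEVICE = 200   # per-device lockout threshold from the article
CODE_TTL_SECONDS = 600          # ten-minute validity window


class RecoveryService:
    """Constructed model of a password-recovery code store and verifier."""

    def __init__(self, bind_to_user: bool, rng: random.Random, now: float = 0.0):
        self.bind_to_user = bind_to_user
        self.rng = rng
        self.now = now        # injectable clock so expiry can be demonstrated
        # bound:   (device, user) -> (code, expiry)
        # unbound: device -> {code: expiry}     (the weak design)
        self.codes = {}
        self.failures = {}    # device -> failed verification count

    def request_code(self, device_id: str, user_id: str) -> int:
        code = self.rng.randrange(CODE_SPACE)
        expiry = self.now + CODE_TTL_SECONDS
        if self.bind_to_user:
            self.codes[(device_id, user_id)] = (code, expiry)
        else:
            self.codes.setdefault(device_id, {})[code] = expiry
        return code  # really sent out of band; returned here so the demo can use it

    def verify(self, device_id: str, user_id: str, code: int) -> bool:
        if self.failures.get(device_id, 0) >= MAX_ATTEMPTS_PER_DEVICE:
            return False
        if self.bind_to_user:
            entry = self.codes.get((device_id, user_id))
            ok = (entry is not None and entry[1] > self.now
                  and hmac.compare_digest(f"{entry[0]:06d}", f"{code:06d}"))
            if ok:
                del self.codes[(device_id, user_id)]   # single use
        else:
            live = self.codes.get(device_id, {})
            ok = code in live and live[code] > self.now  # user_id is never consulted
            if ok:
                del live[code]
        if not ok:
            self.failures[device_id] = self.failures.get(device_id, 0) + 1
        return ok

    def guess_success_probability(self, device_id: str) -> float:
        """Chance that one guessed code verifies on this device, read off the store."""
        if self.bind_to_user:
            return 1 / CODE_SPACE  # exactly one live code per (device, user)
        live = [c for c, exp in self.codes.get(device_id, {}).items() if exp > self.now]
        return len(live) / CODE_SPACE  # grows with every code issued to the device


def cross_user_demo(bind_to_user: bool, other_users: int = 1000, seed: int = 7) -> dict:
    """Issue codes for many users from one device, then use alice's code in bob's reset."""
    svc = RecoveryService(bind_to_user, random.Random(seed))
    device = "device-constructed-001"
    for i in range(other_users):
        svc.request_code(device, f"user{i}")
    svc.request_code(device, "bob")
    code_for_alice = svc.request_code(device, "alice")
    return {
        "per_guess_probability": svc.guess_success_probability(device),
        "alice_code_resets_bob": svc.verify(device, "bob", code_for_alice),
    }


def lockout_and_expiry_demo(seed: int = 7) -> dict:
    """Hardened design only: a valid code is refused after the attempt cap and after the TTL."""
    svc = RecoveryService(True, random.Random(seed))
    code = svc.request_code("dev", "carol")
    for _ in range(MAX_ATTEMPTS_PER_DEVICE):
        svc.verify("dev", "carol", -1)          # -1 can never match a six-digit code
    locked = not svc.verify("dev", "carol", code)
    fresh = RecoveryService(True, random.Random(seed))
    code2 = fresh.request_code("dev", "dave")
    fresh.now += CODE_TTL_SECONDS + 1
    expired = not fresh.verify("dev", "dave", code2)
    return {"valid_code_rejected_after_lockout": locked, "code_rejected_after_ttl": expired}


if __name__ == "__main__":
    print("unbound:", cross_user_demo(False))
    print("bound:  ", cross_user_demo(True))
    print("limits: ", lockout_and_expiry_demo())
```

The guess_success_probability reading is what a reviewer should look for in a recovery design: it must stay at 1/CODE_SPACE however many codes are outstanding on a device. The attempt counter should also be kept per account as well as per device, so that a large number of devices or IPs cannot be pointed at one account, which was the first flaw described above.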

Eve Maler, vice president of innovation and emerging technology at ForgeRock, says the security researcher performed a white-hat function in disclosing the flaw to Facebook. “An attacker could have silently compromised untold numbers of accounts, misrepresented user content, spread misinformation, or demanded a hefty price for the return of the accounts,” Maler says.

The hack involved generating mobile device passcodes dynamically in response to a challenge by Instagram during a password reset. Such account recovery processes can be the most vulnerable part of user-involved identity management, she says.

“This process is often treated as if it were similar to routine login,” Maler says. In reality what needs to happen is identity proofing — or verifying that an identity credential is being issued to the correct individual, she said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/facebook-patches-second-account-takeover-flaw-in-instagram/d/d-id/1335676?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report: 53% of social media logins are fraudulent

More than half of social media logins are fraudulent, according to a new report.

Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.

Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.

Arkose looked at fraud across the internet, but with specific regard to social media, the fraudulent activity took a host of different forms, among them account hijackings, fraudulent account creation, and spam and abuse. It found that more than 75% of attacks on social media come from automated bots.

Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked as account registrations, the report found. Arkose says the account takeovers are carried out by attackers looking to harvest valuable personal data from the accounts of legitimate users.

We’ve often written about how these account takeovers play out and what the attackers are after. In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it had become tougher to push propaganda on the platform, and suggesting that fellow propagandists instead take over legitimate social media accounts: wolves pulling on sheepskins to escape Facebook’s notice, as it were.

Profit is another big motivator: we’ve seen valuable Instagram accounts held for ransom, and virtual loot worth real money motivating attackers to hijack 77,000 Steam accounts a month, for example.

Arkose CEO Kevin Gosschalk, from the press release:

The extremely high attack rate on social-media logins is indicative of the value placed on the data fraudsters extract from compromised social accounts. Because more than 50% of social media logins are fraud, we know that fraudsters are using large-scale bots to launch attacks on social-media platforms with the goal of disseminating spam, stealing information, spreading social propaganda and executing social-engineering campaigns targeting trusting consumers.

Using bots to launch the attacks makes economic sense, Arkose says. It saves crooks the money they’d otherwise have to spend on wages.

Arkose didn’t just look at social media logins. It analyzed over 1.2 billion real-time transactions, including account registrations, logins and payments from the financial services, e-commerce, travel, social media, gaming and entertainment industries, to paint a portrait of the evolving threat landscape.

Besides the bogus social media account logins, the analysis also found that overall, one in 10 transactions of any type is an attack, coming from a range of sources from automated bots to malicious humans.

Automated attacks made up the bulk of the traffic Arkose analyzed, ranging from large-scale account validation attacks, to bots blocking seats on an airline, to scripted attacks that scrape user data and inventory.

But sometimes attacks need humans to carry them out, and that’s where cheap labor comes in handy. Attacks relying on human labor are mostly – 59.3% – coming from China, the analysis found. That’s four times higher than human-driven attacks coming from the US, Russia, the Philippines, and Indonesia.

Here’s Vanita Pandey, vice president of strategy at Arkose Labs:

Sometimes fraudsters have to rely on humans to carry out attacks; these attacks cost more, but the value they can extract from the attack makes the investment worthwhile. Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labor and good economic incentives associated with online fraud.

Pandey said that the fraudsters are now gearing up for the peak scam time of the year: the holidays.

As we head into the holiday season, this is critical for the retail industry, which sees high volumes of seasonal and human driven fraud. Right now, fraudsters are actively preparing to launch large-scale attacks on retail vendors during the holidays by validating and testing stolen gift cards and identities compromised in recent breaches. The long-term solution to this problem is not rooted in applying new defenses – because fraud will continue to evolve – but rather to break the economics of the attack and eliminate a fraudster’s financial incentive.

For some examples of holiday scams that SophosLabs has caught in its spamtraps, plus some advice on how to avoid getting hooked, check out our advice on how to stay off the hook – useful at any time of the year.

Other data points from the report:

  • Most attacks are coming from the Philippines. The top originating countries for attacks are the US, Russia, the Philippines, UK and Indonesia. The Philippines is the single biggest attack originator for both automated and human-driven attacks with the US coming in at a distant second.
  • Most Chinese attacks (59.3%) are coming from humans. That’s more than four times higher than those coming from the US, Russia, the Philippines, and Indonesia.
  • Human attackers are going after tech companies. The technology industry is heavily targeted by “human click-farms and sweatshops,” the report found – as in, places that employ low-paid workers hired to make fraudulent transactions or create fake accounts. According to the report, 43% of all attacks on tech companies are human-driven and account registrations for tech companies are four times more likely to be attacks than logins. This isn’t surprising: in November 2018, for example, more than 100 Indian police swarmed 16 tech support scam call centers, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.
  • The travel industry is heavily targeted. Payment transactions in the travel industry are 10 times more likely to be attacked, Arkose found, especially from automated bots looking to block inventory, leading to denial of inventory attacks or a significant increase in ticket price. Almost 10% of all login attempts on travel sites are fraud, and 46% of all payment transactions for travel are fraud. Attackers try to make fraudulent purchases, conduct denial of inventory attacks or steal hard-earned customer loyalty points, which are as good as cash.

To protect yourself on social media from account hijackings and scams, start with our video, Five ways to stay secure on social media.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GlHMOtyrs8I/

Android 10 coming soon, with important privacy upgrades

It’s official: Android 10, the next version of the Android operating system, ships 3 September 2019. Well, it’s semi-official, at least.

Mobile site PhoneArena reports that Google’s customer support staff let the date slip to a reader during a text conversation. Expect the operating system, also known as Android Q, to hit Google’s Pixel phones first before rolling out to other models. It will include a range of privacy and security improvements that should keep Android users a little safer.

Privacy features

Some of the most important privacy upgrades are those that stop applications and advertisers learning more about your phone. Android 10 now transmits a randomised MAC address (the MAC address is a unique identifier for the network hardware in your phone) and also requires extra permissions to access the phone’s International Mobile Equipment Identity (IMEI) and serial numbers, both of which uniquely identify the device.

Google has also taken steps to protect information about how you interact with your contacts. When you grant an app access to your contacts, Android will no longer provide it with ‘affinity information’, which orders your contact data according to who you interact with most. Mark that one in the “wait, what? It did that?” file.

One of the other significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog will let users choose whether apps can access location at all times, or only when running in the foreground. Google is playing catch-up here, as iOS already does this.

What about those apps that snoop on location data using other means, such as looking at Wi-Fi access points or checking folders for location data that other apps have left? The new version of Android will require specific fine location permissions for apps accessing selected Wi-Fi, telephony, and Bluetooth functions. It also has a new feature called scoped storage, which restricts an app’s access to files on external storage, only giving it access to its specific directory and media types.

Google has obviously been listening to researchers who discovered that a phone’s sensors could implicitly reveal details about its user. Android Q will introduce a new version of its ACTIVITY_RECOGNITION permission for apps that look at physical activity, like step count.

Other privacy enhancements include restrictions on when apps can start in the background, and the OS will also stop apps from silently accessing the device’s screen.

Biometric authentication

Google is also rolling out several security enhancements to complement the privacy features in Android 10. The new version of the OS will feature better support for biometric authentication. It will include two modes, explicit and implicit, which developers can use to remove friction from the authentication process.

The idea is that you want to be very clear about authorising some things. You don’t just want Android scanning your face to get authorisation for a credit card transaction without asking you first, for example. So explicit mode makes you click a button to let the phone scan your face or iris, authenticating you for high-value actions like that.

Conversely, implicit mode is far more lax. It lets Android authenticate you for a task by scanning your face or iris without asking first. It’s designed for easily reversible things like auto-filling forms.

Encryption

One of the elements Google addresses in Android Q is encryption, and it does it in two ways. First, it provides better encrypted communication.

Android phones already encrypt data in transit over HTTPS using the Transport Layer Security (TLS) protocol. Google is moving to version 1.3 of that protocol, approved as a standard a year ago. TLS 1.3 connects the phone to its destination up to 40% faster, according to Google, because it uses a shorter handshake (the initial exchange of messages that sets up a communication session). It also encrypts more of that handshake and strips out some less secure cryptographic algorithms.

The second enhancement is in file encryption. Some Android phones already encrypt files stored on the device using AES, a tried-and-tested cipher that has been around for decades. However, not all of them do. AES encryption and decryption carry a computing overhead, and manufacturers using low-end processors in their phones often can’t manage AES, meaning that Google had to make an exemption for them.

Android 10 fixes this using Adiantum, an encryption system that Google introduced in February. Instead of using AES, Adiantum is based on a less demanding cipher called ChaCha12. It relies purely on ordinary CPU instructions, meaning that processors without built-in hardware acceleration for cryptography can use it. Because it needs far less computing power than AES on such hardware, it can be used in everything from low-powered phones to smartwatches and medical devices, the company says.
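ChaCha12 is the same cipher as ChaCha20 run for 12 rounds instead of 20, and its claim to suit low-end CPUs rests on using nothing but 32-bit addition, rotation and exclusive-or. The following is an added example, not Google’s or Android’s code, that implements the ChaCha block function in pure Python with the round count as a parameter so that both variants and the ARX structure are visible. It does not implement Adiantum itself, which wraps the stream cipher in a larger construction; the key and nonce values are the RFC 8439 test values, and the counter layout is the RFC 8439 one (32-bit counter, 96-bit nonce).

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """In-place ChaCha quarter round on words a, b, c, d of state s.

    Only add, rotate and xor on 32-bit words are used: no table lookups and
    no special instructions, which is why the cipher runs acceptably on
    processors that lack cryptographic acceleration."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha_block(key: bytes, counter: int, nonce: bytes, rounds: int = 20) -> bytes:
    """Produce one 64-byte keystream block.

    rounds=20 gives ChaCha20 as specified in RFC 8439; rounds=12 gives
    ChaCha12, the variant Adiantum builds on. Everything else is identical."""
    if len(key) != 32 or len(nonce) != 12 or rounds <= 0 or rounds % 2:
        raise ValueError("key must be 32 bytes, nonce 12 bytes, rounds a positive even number")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state += [counter & MASK32, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(rounds // 2):          # each iteration is a column round then a diagonal round
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    # Final feed-forward: add the initial state so the rounds cannot be undone.
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha_xor(key: bytes, counter: int, nonce: bytes, data: bytes, rounds: int = 20) -> bytes:
    """Encrypt or decrypt (the same operation) by xoring data with the keystream."""
    out = bytearray(data)
    for off in range(0, len(data), 64):
        ks = chacha_block(key, counter + off // 64, nonce, rounds)
        for i in range(min(64, len(data) - off)):
            out[off + i] ^= ks[i]
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))                             # RFC 8439 section 2.3.2 key
    nonce = bytes.fromhex("000000090000004a00000000")  # RFC 8439 section 2.3.2 nonce
    print("ChaCha20 block:", chacha_block(key, 1, nonce, 20).hex())
    print("ChaCha12 block:", chacha_block(key, 1, nonce, 12).hex())
```

The 20-round output can be checked against the block test vector in RFC 8439 section 2.3.2; the 12-round variant has no vector in that RFC, but the same code path shows that the only saving is eight fewer double-rounds per 64 bytes, which is where ChaCha12’s lower cost on weak CPUs comes from. The stream cipher alone is not a disk-encryption scheme; Adiantum adds the surrounding construction that makes it safe for fixed-size sectors.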

Bug-fixing

Android 10 also features a number of security enhancements to existing parts of the operating system. Google analyses data from its bug bounty program with each release to work out what to focus on. Last year, it found that most of the bugs were in its media and Bluetooth functions.

Some 80% of Android’s media bugs were in its software codecs. Codec stands for coder/decoder: a software component that either turns multimedia into a data stream or decodes that stream at the other end and turns it back into something viewable. Google has addressed the bugs by moving software codecs into their own separate sandbox, which constrains what they can do. That means they have no access to hardware device drivers, so attackers who compromise a codec can’t reach as much of your system through it.

Security and privacy enhancements are always a work in progress. These latest improvements to Android 10 / Q won’t be the last, but they show that Google is listening to cybersecurity researchers and responding. Android users with phones that support the new version should upgrade as soon as it becomes available.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WPdybx7qWVs/