STE WILLIAMS

New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep

The vulnerability, dubbed SWAPGS, is an undetectable threat to data security, similar in some respects to Spectre and Meltdown.

Bogdan Botezatu, director of threat research at BitDefender, leans across the table in a hotel lobby coffee shop to make his point. “When you’re a CISO, there is no single vulnerability you’re aware of that doesn’t keep you awake at night.” The new vulnerability his team of researchers found — the vulnerability they will reveal in a press conference this evening — is one that he says should definitely contribute to CISO insomnia.

The new vulnerability, dubbed SWAPGS by the BitDefender research team, is a speculative execution vulnerability that Botezatu says is similar in some respects to Spectre and Meltdown. “What we have done is to manipulate this instruction called SWAPGS in order to sample information from the realm of the operating system memory into the user space,” he explains.

SWAPGS is an instruction that swaps the contents of a particular register with the contents of a specific memory location. The instruction is defined as a privileged instruction that should be available only to system software, such as a hypervisor. One of the things that makes the instruction dangerous when exploited is that it can provide rapid access to certain data structures used by the operating system kernel.

When the instruction is manipulated, Botezatu says, “This can lead to all sorts of trouble like leaking out information about passwords, encryption, keys, tokens, authentication, cookies, and other sensitive information that goes through the processor.”

Like many of the other speculative execution exploits that have been found, SWAPGS doesn’t allow the attacker to manipulate the data being stored in the memory location — it only allows for the contents of that memory location to be monitored. “You just poke the memory, and run a time-based attack. If it’s something interesting, it’s fine. If not, you have just lost 20 seconds and you need to go back to square one,” Botezatu explains.

As with most of the other speculative execution attacks, Botezatu sees SWAPGS as something that could be a tool for patient nation-state actors, not finance-focused criminals. Criminal actors, he says, can simply launch repeated phishing attacks to get the information that might become available through SWAPGS.

Still, he points out, a speculative execution attack like SWAPGS is dangerous because it bypasses hardware-based protection and is undetectable by normal security packages. Furthermore, while BitDefender followed responsible disclosure and Microsoft has issued a Windows patch for the vulnerability, Botezatu says, “We know that in enterprises, patch adoption is not something that happens overnight. That can take anywhere from one to 180 days, if you’re lucky.”


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/new-speculative-execution-vulnerability-gives-cisos-a-new-reason-to-lose-sleep/d/d-id/1335462?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air

Black Hat It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices.

Specifically, the following two security holes, dubbed Qualpwn and found by Tencent’s Blade Team, can be leveraged one after the other to potentially take over a handheld:

  • CVE-2019-10540: This buffer-overflow flaw is present in Qualcomm’s Wi-Fi controller firmware. It can be exploited by broadcasting maliciously crafted packets of data over the air so that, when they are received by at-risk devices, arbitrary code included in the packets is executed by the controller.

    This injected code runs within the context of the Wi-Fi controller, and can subsequently take over the adjoining cellular broadband modem. Thus, CVE-2019-10540 could be exploited by nearby miscreants over the air to silently squirt spyware into your phone to snoop on its wireless communications.

    There is also, we spotted, a related CVE-2019-10539 buffer-overflow vulnerability in the Wi-Fi firmware that is not referenced by Tencent and not part of the QualPwn coupling.

  • CVE-2019-10538: This vulnerability can be exploited by malicious code running within the Wi-Fi controller to overwrite parts of the Linux kernel running the device’s main Android operating system, paving the way for a full device compromise.

    Essentially, CVE-2019-10538 lies in a Qualcomm Linux kernel component for Android. The Wi-Fi firmware is allowed to dictate the amount of data to be passed from the controller to the kernel, when the kernel should really check to make sure it isn’t being tricked into overwriting critical parts of its memory. Without these checks, a compromised controller can run roughshod over the core of the Android operating system.

Thus, it is possible for a miscreant to join a nearby wireless network, seek out a vulnerable Qualcomm-powered Android device on the same Wi-Fi network, and send malicious packets over the air to the victim to exploit CVE-2019-10540. Next, the hacker can either compromise the cellular modem and spy on it, and/or exploit CVE-2019-10538 to take over the whole operating system at the kernel level to snoop on the owner’s every activity and move.

Both bugs are confirmed by Tencent to exist in Google Pixel 2 and 3 devices, and anything using a Qualcomm Snapdragon 835 and 845. Meanwhile, Qualy, in its own advisory released on Monday, revealed many more of its chips – which are used in hundreds of millions of Android devices – are at risk, all the way up to its top-of-the-line Snapdragon 855. Basically, if your phone or tablet uses a recent Qualcomm chipset, it’s probably at risk.


The good news is that all the bugs have been patched by Qualcomm. CVE-2019-10538 lies within Qualy’s open-source Linux kernel driver, and is available from Google. CVE-2019-10539 and CVE-2019-10540 are patched in Qualcomm’s closed-source Wi-Fi controller firmware, which was distributed to device makers in June after Tencent privately alerted the chip designer in April.

Now for the bad news. When exactly these fixes will filter down to actual Android users is not clear: if you’re using a supported Google-branded device, you should be able to pick up the updates as part of this month’s security patch batch. If not, you’re at the mercy of your device maker, and possibly cellular operator, to test, approve, and distribute the updates to punters.

Full details on the bugs and how they can be exploited are not public, and no exploits have been spotted in the wild. There is more good news: there are also various security hurdles to clear, within the Linux kernel and the Wi-Fi firmware, such as stack cookies and non-executable data areas before exploitation is successful. In other words, it is non-trivial to exploit Qualpwn, but not impossible.

Tencent’s Peter Pi and NCC Group consultant Xiling Gong plan to describe the pair of programming blunders during talks at the Black Hat and DEF CON hacking conferences this week in Las Vegas.

But wait, there’s more

Also out this week from Google are more security fixes for various parts of Android. The worst can be exploited by maliciously crafted media messages to take over a device.

Also, as for devices with Broadcom-based Bluetooth electronics: it’s possible to pwn the gizmos over the air via malicious data packets, which seems pretty bad and worthy of a story on its own.

Here’s a swift summary of the bugs:

  • CVE-2019-2120 in Android runtime “could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions.”
  • CVE-2019-2121, CVE-2019-2122, and CVE-2019-2125 in Framework, with the “most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.”
  • CVE-2019-2126, CVE-2019-2128, CVE-2019-2127, and CVE-2019-2129 in Media Framework, with the “most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.”
  • CVE-2019-2130 to CVE-2019-2137 in System, with “most severe vulnerability in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.”
  • CVE-2019-11516 in Broadcom’s firmware that “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”

There are also a bunch of other Qualcomm bugs (CVE-2019-10492, CVE-2019-10509, CVE-2019-10510, CVE-2019-10499, CVE-2019-10489, and CVE-2019-2294) fixed in the patch batch, from secure boot holes to Bluetooth mishandling.

Again, if you’re using an officially supported Google-branded device, you should be getting these updates over the air soon if not already. If you’re not, then, well, look for updates soon from your manufacturer and/or cellular network provider, or hope they can be installed automatically via Google Play services if they are not too low level. ®

PS: Google is adding support for Arm’s memory-tagging security feature to Android.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/qualcomm_android_security_patches/

Add passwords to list of stuff CafePress made hash of storing, says infoseccer. 11m+ who used Facebook ‘n’ pals to sign in were lucky

Passwords were among the 23 million customer records siphoned from CafePress by hackers – and the site was using the less secure SHA-1 hashing algorithm to store half of its users’ credentials.

As El Reg and the rest of the security-focused media reported yesterday, CafePress had around 23 million customer records exfiltrated from its systems back in February.

That data theft came to light yesterday after Troy Hunt, operator of the Have I Been Pwned hack-tracking website, learned that the hack had taken place and that millions of peoples’ credentials were circulating on hacker forums.

Infosec researcher Jim Scott told The Register that he found the swiped info after rumours of it reached Troy Hunt’s ears in mid-July. The stolen data included email addresses, names, phone numbers, and physical addresses – and, as it now turns out, passwords, too.

Scott told The Register: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1, which is a very weak encryption method to use, especially in 2019 when better alternatives are available.”

Hunt, meanwhile, mused that he’d seen both “a heap of identical base64 encoded ‘passwords’” and then “some SHA-1 versions stored in hex then base64 encoded”, leading one infoseccer to speculate that a planned migration had been taking place, although CafePress has not commented on this, nor on the database heist at all.
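The mixed storage layouts Scott and Hunt describe, and the migration a site in that position would want, as an added example (not CafePress’s code; the sample records and the password are constructed): it classifies each stored value by layout and, on the next successful login, transparently upgrades a matching legacy record to salted PBKDF2-HMAC-SHA256.

```python
"""Triage legacy password storage formats and migrate them on login.

Added example, not from the article or from CafePress. It models the three
layouts the article describes: base64 of the plaintext password, base64 of a
raw (20-byte) SHA-1 digest, and base64 of the hex-encoded (40-char) SHA-1
digest. None of them is salted or slow, so any match is a candidate for
immediate re-hashing with a real password hash.
"""
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor used for upgraded records

# Constructed sample records, all for the constructed password "hunter2".
SAMPLE_RECORDS = {
    "alice": base64.b64encode(b"hunter2").decode("ascii"),
    "bob": base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode("ascii"),
    "carol": base64.b64encode(hashlib.sha1(b"hunter2").hexdigest().encode("ascii")).decode("ascii"),
}


def classify(stored: str) -> str:
    """Heuristic layout guess for breach triage / migration statistics.

    Returns 'plaintext-b64', 'sha1-raw-b64', 'sha1-hex-b64' or 'unknown'.
    A 20-byte plaintext would be mistaken for a raw digest; verify_legacy()
    below does not rely on this guess.
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if len(raw) == 20:
        return "sha1-raw-b64"
    if len(raw) == 40:
        try:
            bytes.fromhex(raw.decode("ascii"))
            return "sha1-hex-b64"
        except (UnicodeDecodeError, ValueError):
            pass
    try:
        raw.decode("utf-8")
        return "plaintext-b64"
    except UnicodeDecodeError:
        return "unknown"


def verify_legacy(password: str, stored: str) -> bool:
    """Check a password against any of the three legacy layouts."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False
    pw = password.encode("utf-8")
    digest = hashlib.sha1(pw).digest()
    candidates = (pw, digest, digest.hex().encode("ascii"))
    # compare_digest returns False (without raising) on length mismatch.
    return any(hmac.compare_digest(raw, c) for c in candidates)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as scheme$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_modern(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)


def login(password: str, stored: str) -> tuple:
    """Return (ok, stored_value_to_keep).

    Modern records are verified as-is. A legacy record that matches is
    re-hashed so the database converges on PBKDF2 without a bulk reset
    (the plaintext is only available at login time).
    """
    if stored.startswith("pbkdf2_sha256$"):
        return verify_modern(password, stored), stored
    if verify_legacy(password, stored):
        return True, hash_password(password)
    return False, stored
```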

As for people affected by CafePress, Scott offered some comfort to those who logged in via third-party providers.

“The remaining users who used CafePress through third-party applications, such as FaceBook or Amazon, had no compromised passwords,” he said, adding: “It is very disappointing and frustrating to see when companies are unable to protect their users’ information when the necessary approach for better protection is available. And when an incident like this occurs, it is often the user who has to pay the price for other people’s mistakes.”

He encouraged people to use multi-factor authentication, to which El Reg adds the standard advice to also use a password manager. If nothing else, it makes identifying and changing your passwords after a cyber-break-in just that little bit easier – but good ones will also allow the generation of unique and, hopefully, hard-to-guess login credentials. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/cafepress_hack_passwords_stolen/

There’s fraud, and then there’s backdoor routers, fenced logins, malware, and bribing AT&T staff seven figures to unlock 2m phones

AT&T staff were bribed $1m to slip the codes to unlock two million smartphones to a gang operating out of Pakistan, US prosecutors have claimed.

When those telco workers took too long to cough up the codes, the crew bought copies of the employees’ work login credentials and used them to go straight into the cellular giant’s systems and directly request the codes themselves, it is claimed. Specifically, we’re told, the crooks installed malware on AT&T’s computers that automated the process of generating and downloading the codes.

And when those AT&T staffers were caught and fired for leaking their usernames and passwords, the foreign gang paid someone to install wireless routers on the US giant’s internal network that gave them backdoor access to the telco’s systems to, again, silently and secretly obtain phone unlock codes, it is alleged.

These unlock codes can be used to free a handset from AT&T, allowing it to use a SIM and cellular plan from another network. And millions of these codes were snaffled by the Pakistan-based crime ring, with one AT&T worker pocketing as much as $400,000 for their efforts, according to Uncle Sam’s prosecutors. Those purloined unlock codes cost AT&T $5m a year in lost revenue, the telco claimed.

The suspected leader of the crew, 34-year-old Muhammad Fahd, has been extradited from Hong Kong to America, and will now face trial in the United States.

According to the Dept of Justice on Monday, the Pakistani national is charged [PDF] with conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.


Fahd was arrested by Hong Kong cops in February of this year. He is set to be tried in a federal district court in Seattle, Washington.

“This defendant thought he could safely run his bribery and hacking scheme from overseas, making millions of dollars while he induced young workers to choose greed over ethical conduct,” boasted US Attorney Brian Moran.

“Now he will be held accountable for the fraud and the lives he has derailed.”

Prosecutors allege that Fahd, his now-dead co-conspirator Ghulam Jiwnani, and other suspected gang members, contacted AT&T employees at a Washington state call center via telephone and Facebook messages, and bribed them over a period lasting from 2012 to 2017. As well as the bungs, Fahd and his crew in Pakistan would send the staffers the unique identification numbers – the IMEIs – of phones they wanted unlocked for resale, and got the necessary unlock codes in return, it is claimed.

When simply feeding greased employees the hardware ID numbers of phones was not enough, it is said that Fahd convinced the workers to hand over their workplace network credentials, allowing the crew to remotely log into AT&T systems, and install a software nasty that would automate the process of unlocking the desired phones.

On top of all that, the Department of Justice says, when some of the bribed employees were caught and fired – they have since pleaded guilty for their roles – Fahd’s team went so far as to get one AT&T staffer to hook up rogue Wi-Fi gateways in the company’s network that would grant the intruders backdoor access to the telco’s machines without the need for stolen credentials.

When it was all said and done, more than two million handsets were unlocked by criminals and the AT&T call center workers in Washington had pocketed more than one million dollars in bribes paid out in person or via wire transfer, it is alleged.

If convicted on all charges, Fahd could face up to 20 years in prison. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/06/att_unlock_fraud_hack_charges/

FBI Issues Relationship Fraud/Confidence Scheme Warning

Criminals are getting increasingly sophisticated in their efforts to commit fraud and recruit ‘money mules,’ according to the FBI.

The FBI has issued a warning on the growing sophistication of criminals creating false online personas to launch confidence schemes, commit romance fraud, and recruit “money mules,” or individuals tasked with carrying illegal sums or criminal money across borders or laundering money through bank accounts they open on behalf of others.

According to the FBI, the Internet Crime Complaint Center (IC3) saw reports of confidence/romance fraud grow from 15,000 to 18,000 from 2017 through 2018, while the amount of money lost to the criminals increased more than 70%, from roughly $211 million to more than $362 million.

In the warning, the FBI includes a list of best practices and warning signs. The best practices include performing reverse image searches on photos used in online profiles and heeding senses that things could be “not right,” while the warning signs include hearing claims that the meeting was “destiny” or “fate,” and receiving vague answers to specific questions.

Victims are urged to contact the IC3, the local FBI field office, or both.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/fbi-issues-relationship-fraud-confidence-scheme-warning/d/d-id/1335453?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When Perceived Cybersecurity Risk Outweighs Reality

Teams need to manage perceived risks so they can focus on fighting the real fires.

In January 2018, enterprise security teams around the world found themselves putting out a fire ignited by the discovery of the Meltdown and Spectre chip-based vulnerabilities. News stories ran daily and continued throughout the year as additional variants were found. None of the vulnerabilities were exploited in the wild, and patches became available. In the end, security teams that had dropped everything to respond to the vulnerabilities discovered there was more smoke than fire. Meet the newest threat facing enterprise security efforts: media-fueled hype.

I’m not suggesting that security teams should ignore news or vulnerabilities, especially those as far-reaching as Meltdown and Spectre. However, the level of attention given to these security flaws — which weren’t exploited — was unprecedented. While the threat existed, the perceived risk was out of proportion with reality and security teams were tasked with responding to perceived risk, rather than real risk. The repercussions? Wasted time and budget that would have been better spent on higher-risk issues. To gut-check our thinking, we interviewed a dozen CISOs, analysts, and other security professionals who deal with vulnerability management to get their thoughts.

The security professionals, who all remained anonymous, said the top-down response was disruptive. In some cases, executives were demanding systems be fixed in as little as 15 days, despite the fact that vendors hadn’t shipped patches yet. “There was a whole bunch of panic around that at first … and there was a whole lot of confusion” about what the risks were, said one interview participant. Security teams had to push back and educate executives or waste energy and cycles, diverting resources from other projects. For some, the vulnerability management programs were derailed as a result.

By comparison, the Apache Struts 2 remote code execution vulnerability that was disclosed and patched in August posed a more tangible risk but didn’t get quite the level of executive attention as Meltdown and Spectre. This could be because Struts 2 wasn’t as novel as the hardware vulnerabilities. It also could be partly due to what I call “vulnerability fatigue” following the hoopla around Meltdown and Spectre. With Apache Struts 2, however, the risk warranted the response, yet only a few organizations gave it a high level of executive attention.

After hearing about these issues from other CISOs, I walked away with two key takeaways:

  • Security teams should be prepared for top-down pressure that doesn’t align with their evaluation of the risk. The best way to deal with it is to gather information that can help quantify and assess the legitimate risk. Interview participants suggested convening groups of technical experts, such as Linux experts for open source threats and chip experts for hardware vulnerabilities. This can help teams determine the real impact of a vulnerability so they can respond appropriately. It also helps them build out stronger processes and coalitions with other business units for when similar threats arise in the future. “As long as you have a proactive approach by having a vulnerability management program, having your metrics and having repeatable processes to deal with these things, it becomes a non-fire drill event moving forward,” one participant said.
  • Effective communication is crucial for all stakeholders. Top executives rarely have the deep technical background necessary to fully understand the potential risk of a given vulnerability. This means CISOs and security teams must be armed with business context to translate the technical risk into business terms. This ensures the response is measured and appropriate based on real-world risk and not hype. Responding to high-profile vulnerabilities is an opportunity for security teams to build trust and show value.

Headline-grabbing vulnerabilities aren’t going away, and it’s clear they get the attention of the C-suite. The top-down response shouldn’t pose more problems for security teams than the vulnerabilities themselves do. Teams need to manage perceived risks so they can focus on fighting real fires and not be distracted by the emergency flares thrown their way.


Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company’s global security teams, working cross-functionally to reduce …

Article source: https://www.darkreading.com/vulnerabilities---threats/when-perceived-cybersecurity-risk-outweighs-reality/a/d-id/1335417?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers ransom bookseller’s exposed MongoDB database

Exposed MongoDB databases have become the easy money-maker ransomware criminals are busy filling their boots with.

In mid-July 2019, another database fell to the extortion hackers, this time containing 2.1 million records belonging to well-known Mexican publisher and bookseller, Librería Porrúa.

It’s not certain how many individual customers were affected, but purchase information included details of 1.2 million names, email addresses, shipping addresses and phone numbers, plus site information such as invoices and purchases, shopping cart IDs, activation codes and tokens, and hashed card details.

There were also 958,000 personal records revealing most of the above data fields plus dates of birth.

We know all this because this exposed MongoDB instance was discovered by security researcher Bob Diachenko on 15 July 2019, the day after it was first indexed by the Shodan search engine.

He explains how he immediately contacted the company with the bad news. Unfortunately, by 18 July, criminals had spotted and “wiped” the database, leaving a demand for 0.05 Bitcoins (around $500) to return it.

The next day, access to the now empty database was disabled by someone, presumably in response to the attack. As of 1 August, nobody from Librería Porrúa had contacted Diachenko regarding his discovery.

As with previous incidents involving exposed databases, the MongoDB instance was accessible by anyone without the need for authentication, with the added bonus that it could be reached using two different IP addresses.

As Diachenko points out, by the time criminals access a database of this kind, paying the ransom is beside the point – even if the attackers hand back the data, it might still have been copied and exposed elsewhere.

Public access mode

As previously discussed on Naked Security, one of the risks with MongoDB is that it’s easy to mess up, either by using an older version lacking remote access authentication, or a newer instance that has been poorly secured. Diachenko notes:

The public configuration makes it possible for cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.

It’s the recurring weakness that contributed to a huge campaign that compromised up to 27,000 MongoDB installations in 2017.

In 2018, in another severe incident, a database of 445 million records held by disaster recovery company Veeam was found in an exposed state by Diachenko.

In May this year, Diachenko discovered yet another MongoDB database containing the records of 275 million people in India.

How to protect yourself from ransomware

If you’re a MongoDB user make sure your data is backed up, that your database is patched and up to date and that you’ve read the security section of the MongoDB manual. Using authentication is essential. In addition:

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
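The misconfiguration Diachenko describes, and the authentication advice above, as an added checker (not MongoDB’s or Naked Security’s code): it parses the YAML-style mongod.conf that mongod reads and flags the two settings that together leave an instance open to anyone, beside a hardened configuration. Both config texts are constructed; the parser handles only the nested key/value subset of YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for the public-access pattern behind these breaches.

Added example, not from Naked Security or MongoDB. Two settings combine to
produce an instance anyone on the internet can administer: listening on
every interface (net.bindIp 0.0.0.0 / :: or net.bindIpAll) and leaving
access control off (security.authorization not 'enabled').
"""

WEAK_CONF = """\
# constructed example: what an exposed instance typically looks like
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed example: loopback and one private interface, auth required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_conf(text: str) -> dict:
    """Parse the indentation-nested 'key: value' subset of mongod.conf into a
    flat dict keyed by dotted path, e.g. {'net.bindIp': '0.0.0.0'}.
    Comments ('#') are stripped, so values containing '#' are not supported."""
    result, stack = {}, []  # stack holds (indent, key) for enclosing sections
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # dedent: leave the enclosing section(s)
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            result[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))  # section header, children follow
    return result


def audit(text: str) -> list:
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_conf(text)
    findings = []
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    # mongod 3.6+ binds to localhost when bindIp is absent; older releases
    # listened on all interfaces, so on those treat an absent key as exposed.
    bind_ips = [ip.strip() for ip in conf.get("net.bindIp", "127.0.0.1").split(",")]
    exposed = bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    no_auth = conf.get("security.authorization", "disabled").lower() != "enabled"
    if exposed:
        findings.append("net.bindIp/bindIpAll: listens on all interfaces")
    if no_auth:
        findings.append("security.authorization: access control disabled")
    if exposed and no_auth:
        findings.append(
            "CRITICAL: database reachable from the network with full admin "
            "rights and no credentials"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```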

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FcH0s9NIc4o/

GitHub ‘encourages’ hacking, says lawsuit following Capital One breach

GitHub has been named in a class action lawsuit because the hacker who allegedly stole data from more than 100 million Capital One users posted details about the theft onto the platform.

GitHub is a code hosting platform for software development version control that uses Git and which lets coders remotely collaborate on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.

The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.

The suit says that GitHub had an obligation under California law and industry standards to keep off or remove Social Security numbers (SSNs) and personal information from its site. It says that it should be easy to do, given that SSNs are all nine digits long, in the sequence of XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”

The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.

However, Capital One and GitHub spokespeople told news outlets that the data uploaded to GitHub by the hacker didn’t contain any personal information. ZDNet quoted the GitHub spokesperson:

The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.

Ex-Amazon systems engineer arrested

Last week, FBI agents arrested 33-year-old Paige A. Thompson, of Seattle – also known by her username “erratic” on social media platforms – for allegedly posting information on GitHub about stealing data from Capital One servers via a misconfigured firewall.

Last Monday, 29 July 2019, FBI agents executed a search warrant at Thompson’s home and seized electronic storage devices allegedly containing a copy of the leaked data.

The devices held nearly 30GB of Capital One credit application data from an unspecified rented cloud data server. Capital One said the breach affected about 100 million people in the US, 6 million in Canada, and any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019). The data included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income. Affected data for some customers also included credit scores, credit limits, balances, payment history, contact information, SSNs, and bank account numbers linked to credit cards.

The complaint didn’t identify the cloud-hosting provider from which the Capital One credit data was taken, but it does say that Thompson’s resume indicates that she worked as a systems engineer at the unnamed provider between 2015 and 2016.

Last Monday, the FBI alleged that Thompson, under the “erratic” nickname, talked about hacking Capital One and other companies in Twitter direct messages. She also used a public Meetup group, the FBI said, again using her “erratic” alias to invite others to join a Slack channel named “Netcrave Communications.”

Lawsuit says GitHub encourages “friendly hacking”

The 28-page lawsuit, filed on Thursday, asserts that GitHub “actively encourages (at least) friendly hacking.” The suit points to a GitHub repository named “Awesome Hacking” that lists resources for hacking, bug bounties, fuzzing, penetration testing, reverse engineering and more.

But as with other platforms that host links to user-provided content, such as the links collected by Awesome Hacking, GitHub staff and management aren’t associated with that repository. Rather, it’s owned by a GitHub user who identifies themselves as a security researcher and who claims to live in India.

Awesome Hacking is only one of thousands of GitHub repositories that host similar hacking and pen-testing materials, none of which are illegal. The lawsuit doesn’t acknowledge that GitHub users are responsible for posting content that abides by the platform’s rules, not GitHub itself.

Sabita Soneji, a lawyer for the plaintiffs, told Newsweek that GitHub has an obligation to filter posts and offer some monitoring for information posted on its platform.

Newsweek quoted a GitHub spokesperson’s response:

GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SJBRTxPFXi8/

Fake Dell support rep admits to talking US colleges out of $874,000

A charlatan who passed himself off as a Dell staffer working in equipment and services support has pleaded guilty to stealing nearly $750,000 from the University of California San Diego (UCSD).

The Justice Department (DOJ) announced on Thursday that Amil Hassan Raage has pleaded guilty to receiving the money as part of a spear-phishing scheme.

On 23 July 2018, UCSD received the spear-phishing email, which posed as a legitimate business communication coming from a for-real Dell email account. The email instructed UCSD to redirect the payments it owed Dell for equipment and services to Raage’s Wells Fargo bank account in Minnesota.

UCSD employees swallowed the hook and did as they were told.

Of course, that was no Dell communique. The email actually came from one of Raage’s criminal buddies in Kenya. Between 8 August and 12 September 2018, UCSD sent Raage 28 payments totaling $749,158 before it found out it had been conned and stopped the payments.

As soon as the money arrived, Raage would withdraw it as cash or transfer it to another account.

It wasn’t just UCSD, though. Raage and his gang did the same thing to another, unnamed university, this one in Pennsylvania. Again using a fake Dell account, they told the university staff to redirect their Dell payments to a bank account in Minnesota, again controlled by Raage.

During January 2018, the Pennsylvania university wired six payments totaling $123,643.77 to Raage’s bank account before the university was alerted to the fraud and stopped payments.

Raage actually skipped town after the bank froze the accounts he used in the UCSD theft. He fled to Kenya on 22 September 2018. That didn’t stop the FBI from tracking him down, though: the FBI’s Legal Attaché in Kenya worked with Kenyan law enforcement and the DOJ’s Office of International Affairs. Kenyan police arrested Raage on 7 May 2019, and extradited him back to the US on 23 May 2019, to face prosecution.

Raage pleaded guilty to conspiracy to commit wire fraud. The crime carries a maximum penalty of 20 years in prison, though maximum penalties are rarely handed out. He’s due to be sentenced by Judge Gonzalo Curiel in San Diego court on 11 October 2019.

US Attorney Robert Brewer said it doesn’t matter that the tools have changed; highway robbery is still highway robbery:

Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception.

Doesn’t matter if crooks flee to Kenya or Kentucky or Kalamazoo, said FBI Special Agent-In-Charge Scott Brunner: the law’s still going to track you down:

As exemplified by this outstanding result, criminals who operate in cyberspace falsely believe themselves to be beyond the reach of law enforcement, but they are sorely mistaken. Our agents will relentlessly pursue justice, aided by our foreign partners. Thank you to the Kenyan National Police and the Office of International Affairs for their invaluable assistance in bringing Mr. Raage before the bar of justice.

What to do if you get scammed?

If you – or your business or organization – have been scammed via email by this type of fraudster, the DOJ says it’s important to act fast. First, immediately contact your financial institution and get them to contact the financial institution to which they transferred your money.

The faster you act, the less time the crooks have to funnel your money into other accounts, and the better the chances are that you can claw back at least some of it. You might have heard of the North Carolina county that recently got fleeced for $2.5 million in a Business Email Compromise (BEC) scam? The county’s bank managed to freeze $776,518.40 of that: not exactly a happy ending, but better than losing the whole $2.5 million they initially transferred to fraudsters’ accounts.

After you call your bank, call the FBI at 1-800-CALL-FBI. Also, no matter how little or big the loss, file a complaint with the FBI’s Internet Crime Complaint Center (IC3). If you’re in the UK, you can report it to Action Fraud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vcTREDMg0FE/

NVIDIA patches high-severity bugs in Windows GPUs and SHIELD

NVIDIA has patched five bugs in its Windows GPU display driver, three of which could allow an attacker to execute code on the system. Users should patch now.

The bugs affect Windows versions of the display drivers for GeForce (gamer-class), Quadro (professional workstation-class), NVS (multi-display business graphics), and Tesla (high-performance computing) GPUs.

They could all lead to denial of service, but the three highest-severity flaws of the bunch are the ones that could also lead to local code execution on the target system. That means an attacker could theoretically take over a computer, although they’d need local user access to do so – they couldn’t exploit the flaws over a network.

The three code execution bugs would be ranked as high against the CVSS v3 severity scale. Bug CVE‑2019‑5683 in the user mode video driver’s trace logger fails to verify any hard links, meaning that an attacker could inject a link into the log file. This could also lead to privilege escalation. It gets a CVSS v3 score of 8.8.
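The hard-link problem described for the trace logger is a general one for any privileged component that writes to a log file at a path an unprivileged user can also reach. The snippet below is an added illustration, not NVIDIA's driver code and not a description of the actual flaw: a hypothetical `open_log_safely` helper opens the log without following symlinks and then inspects the descriptor it actually obtained, refusing to write if the file turns out to be a hard link to something else.

```python
import os
import stat
import tempfile

def open_log_safely(path: str):
    """Open `path` for appending, or return None if it looks planted.

    Hypothetical defensive check (not NVIDIA's code). O_NOFOLLOW makes the
    open fail on a symlink; fstat on the descriptor (not stat on the path)
    then rejects non-regular files and hard links (link count > 1), which
    avoids a check-then-open race. O_NOFOLLOW is POSIX-only; on platforms
    without it the symlink case is not covered by this helper.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:            # e.g. ELOOP: a symlink sits at the log path
        return None
    st = os.fstat(fd)          # inspect the file we really opened
    if not stat.S_ISREG(st.st_mode) or st.st_nlink > 1:
        os.close(fd)           # hard-linked to some other file: refuse
        return None
    return fd

def write_log_line(path: str, line: str) -> bool:
    """Append one line; False means the logger declined to write."""
    fd = open_log_safely(path)
    if fd is None:
        return False
    with os.fdopen(fd, "a") as f:
        f.write(line + "\n")
    return True

def demo() -> dict:
    """Constructed scenario: a clean log file, then a log path that is a
    hard link to another file the logger should never be writing into."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "trace.log")
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("sensitive\n")
        ok_clean = write_log_line(clean, "boot ok")
        linked = os.path.join(d, "trace2.log")
        os.link(victim, linked)   # simulate a planted hard link
        ok_linked = write_log_line(linked, "boot ok")
        with open(victim) as f:
            victim_contents = f.read()
        return {"clean": ok_clean, "linked": ok_linked, "victim": victim_contents}
```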

The other two high-severity bugs, CVE‑2019‑5684 and 5685, are out-of-bounds memory access flaws in the DirectX driver. They can be triggered by malicious versions of shaders, which produce shading textures on 3D objects, and share a 7.8 severity score.

The other two bugs are of medium severity on the CVSS v3 scale, and they are both flaws in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, which is a callback function that shares information with the user-mode display driver. CVE-2019-5686 uses an application programming interface (API) function that may deliver invalid data. CVE-2019-5687 allows default permissions to expose software to an attacker. That could result in unintended information disclosure, said the advisory.

SHIELD

At the same time, NVIDIA also published nine patches for its NVIDIA SHIELD TV media streamer, an Apple TV rival featuring movies and games. These included a critical (CVSS v3 9.3) bug (CVE‑2018‑6241) that could lead to arbitrary code execution, escalation of privileges, and denial of service.

The next six bugs in the SHIELD patch have CVSS v3 scores ranging between 8.8 and 7.7, equating to high severity. The bug with the highest score in this category, CVE‑2018‑6269, didn’t invite code execution, but it could lead to information disclosure, denial of service, escalation of privilege, or code injection errors, according to NVIDIA.

What to do?

Customers should install the GPU driver patches through NVIDIA’s driver downloads site. The company also noted that your computer hardware vendor may offer you Windows driver version 431.23, 425.85, or 412.39, which also contains the appropriate patch updates.

SHIELD users can install patches for their devices by selecting Settings > About > System Update.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZH4iPUoEUDc/