STE WILLIAMS

Dating app Jack’d fined $240K for leaving private photos up for a year

A $240,000 fine has been imposed on Online Buddies, the company behind gay/bi/trans/curious dating app Jack’d – for leaving users’ private, often nude, photos up for grabs for a year.

“Only you can see your private pictures until you unlock them for someone else,” Jack’d promised, even after a researcher found that that was far from true. In fact, anyone with a web browser who knew where to look could access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app.

The Office of New York Attorney General Letitia James on Friday announced the settlement, handed down for:

Failure to protect private photos of users of its ‘Jack’d’ dating application … and the nude images of approximately 1,900 users in the gay, bisexual, and transgender community.

From the announcement:

Although the company represented to users that it had security measures in place to safeguard users’ information, and that certain photos would be marked ‘private,’ the company failed to implement reasonable protections to keep those photos private, and continued to leave security vulnerabilities unfixed for a year after being alerted to the problem.

The Attorney General's office said in its release that Jack'd – a dating app that claims to have hundreds of thousands of active users worldwide and which markets itself as a tool to help men in the LGBTQIA+ community to hook up and date – "explicitly and implicitly" assures users that its private pictures feature can be used to exchange nude images securely and privately.

The app interface presents users with two screens when they upload selfies: one for photos designated as "public" and another for photos designated as "private." That private page shouldn't be viewable by anyone to whom the user hasn't granted access.

The app’s public photos screen displays a message stating, ‘[T]ake a selfie. Remember, no nudity allowed.’ However, when the user navigates to the private photos screen, the message about nudity being prohibited disappears, and the new message focuses on the user’s ability to limit who can see private pictures by specifically stating, ‘Only you can see your private pictures until you unlock them for someone else.’

In February 2019, researcher Oliver Hough finally went public after having told Online Buddies about the security bug a year prior.

Not only could anybody get at users’ photos, but the Jack’d app also neglected to have any limits in place: anyone could have downloaded the entire image database for whatever mischief they wanted to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or leads to harassment.

Given the sensitive nature of the photos that were exposed, publications including The Register chose to publish Hough's findings – without giving out many details – rather than leave users' content in danger while waiting for the Jack'd team to respond.

Photos were exposed for a year

The New York State Attorney General’s Office conducted an investigation that confirmed that senior management had been told about the vulnerability – in fact, two vulnerabilities – back in February 2018.

Its investigation found that Online Buddies had failed to secure user data, including intimate photos, that it stored using Amazon Web Services Simple Storage Service (S3). Management had also been told about a second vulnerability that was caused by the failure to secure the app’s interfaces to backend data.

The vulnerabilities could have exposed users’ personally identifiable information (PII), including location data, device ID, operating system version, last login date, and hashed password. Combined, they also left the door open to attackers getting at private photos, public photos (that may have included the user’s face), and other PII, including their location, device ID, and when they last used the app.

James's office said that the company knew how serious these vulnerabilities were, but that it was only after the press came knocking on its door that it acknowledged them. Jack'd fixed the problem the same day – 7 February 2019 – that Ars Technica reported on it.

It’s not just Jack’d

Unfortunately, spilling highly personal data is more or less par for the course with mobile apps, including the often extremely sensitive personal data collected by, and shared via, dating apps.

Besides Jack’d, Grindr is an example: as of September 2018, the premium gay dating app was still exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status, after five years of controversy over the app’s oversharing.

Another frightening example is that of Hzone, the dating site for HIV-positive people that was leaking sensitive user data in 2015.

Hzone showed the same lack of response after being notified as Online Buddies did: for days after being told about its leak, sensitive data was still exposed, including users' date of birth, religion, relationship status, country, email address, ethnicity, height, last login IP address, username, orientation, number of children, password hash, nicknames, political views and sexual life experiences, profile photos, and messages that often contained sensitive data about their diagnosis.

User beware

You always have to be careful about what sensitive data you share. You always need to bear in mind that data gets spilled. The type of data spilled by dating apps is of a particularly sensitive nature, though, which makes it all the more concerning when those who promise to protect it and keep it secure do nothing of the sort.

User, beware. While any app or online service can have a leak or breach, a failure to respond promptly to notification, combined with a failure to put in safeguards after learning of that data breach, is a very bad sign.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kPzp0OhMLMI/

Scary Granny zombie game slurps credentials, spawns phishing attack

Halloween came a little early for some Android users this year after a horror-themed computer game was found stealing their account credentials and displaying potentially malicious ads.

Researchers at mobile security company Wandera found the game, called Scary Granny ZOMBYE Mod: The Horror Game 2019, doing sneaky things behind the scenes. Upon installation, it tries to get the user to pay £18 (about $22) for the game, and then connects to an ad network that appears to spam the user’s device with commercials for other malicious games. Finally, it tries to phish the user’s Google account.

The game, apparently based on another highly successful Android game called Granny, releases a phishing attack against the target device, displaying a notification that asks the user to update their Google Security services. When the unwitting user agrees, it presents a fake login page to slurp their credentials.

For those who took the bait, the phishing code uses a browser built into the app to access the user's account and downloads their recovery email addresses and phone numbers, their cookies and tokens (which could give the attackers access to third-party apps) and their verification codes. Wandera explained:

We could see the user information including cookies and session identifier being gathered and shipped off to the attacker without the user knowing. This is a proof point that this attack goes beyond typical credential theft that usually happens via social engineering.

The researchers also discovered code that seemed to attempt the same phishing technique with Facebook credentials, although they didn’t see that part of the program in action.

Sneaky tactics

Google uses a malware detection system to run new apps on the Play Store in a sandbox to detect malicious activities. This app was devious, though, using a timing mechanism to control its dastardly actions. Only after a period of two days would its payload kick in.

The program also used obfuscation techniques to hide its phishing code, naming its malicious components to look like official software modules used in the Android OS.

There was one interesting slip-up on the developers’ part: The page misspells ‘Sign in’ as ‘Sing in’, which would hopefully have deterred some users from falling for it. Thank goodness for sloppy spelling, eh?

Still, that won’t save victims from the horrors to come, because phishing pages aren’t the only things that Scary Granny haunts Android users’ screens with. It also displays full-screen ads for games which the researchers believe are equally malicious. It does this even after the phone is rebooted, and even outside of the app. Perhaps the word ‘Zombye’ is apt: it seems difficult to kill the thing.

The developers’ underhand tactics earned the game over 50,000 installations and a four-star review. It became so popular in part because the game is actually very good. Wandera concluded:

The app actually works! The developers have clearly gone to a lot of effort to create a fully functioning game in which you, the main player, are in a house running away from zombies and trying to find extra life and weapons.

Which just goes to show that it’s difficult to detect a dodgy Android app.

Arm yourself against malicious apps

Go and download Sophos Mobile Security from the Play Store, which offers malware protection, web filtering and a password safe.

Then, we suggest that when downloading apps, stick to the Google Play Store (yes, bad things do sometimes turn up, but it’s generally safer than downloading games and apps from other corners of the internet); search Google for reports of malicious activity and bad reviews; and when it’s installed, check to ensure that the app doesn’t ask for inappropriate permissions.

No single measure can save you from all the threats you face, but a combination of tactics will dramatically reduce your chances of being infected. And of course, never root your phone or install from an alternative third-party store.

As far as this particular ‘ZOMBYE’ goes however, Google has now removed the game from the Play Store.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CGZGCaM_Lt4/

Facebook staff sarin for a bad day: Suspected chemical weapon parcel sent to Silicon Valley HQ

Staff were evacuated today at Facebook’s Silicon Valley headquarters after a package believed to contain the chemical weapon sarin was delivered to the antisocial network.

Buildings were cleared out at the Menlo Park campus after the parcel triggered sarin alarms: it set off equipment designed to inspect all incoming mail for toxins and other nasties.

“At 1100 PDT this morning, a package delivered to one of our mail rooms was deemed suspicious,” Facebook said in a statement to The Register.

“We evacuated four buildings and are conducting a thorough investigation in coordination with local authorities. Authorities have not yet identified the substance found. As of now, three of the evacuated buildings have been cleared for repopulation. The safety of our employees is our top priority and we will share additional information when it is available.”

While NBC Bay Area initially reported that two people were being observed for possible exposure to the deadly nerve agent, it is now understood that nobody has been harmed.

A false positive result from the machine has not been ruled out.

Firefighters, FBI, cops, and the National Guard are understood to have shown up after the alarm was raised.

Facebook has had no shortage of criticism and controversy in recent months for its handling of a number of incidents, ranging from its ties to Cambridge Analytica to its irresponsible handling of private user images and data, and for its policies regarding hate groups which were criticized by a civil rights lawyer just this past weekend.

But a chemical weapons attack would be something very new for Silicon Valley. Last year three people were shot after a deranged vegan bodybuilder tried to take revenge for being deplatformed but, to date, no-one has tried a chemical attack. Here's hoping it's a false positive and that things haven't escalated. ®

This is a developing story and will be updated as needed


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/facebook_sarin_scare/

Cop a load of this: 1TB of police body camera videos found lounging around public databases

In yet another example of absent security controls, troves of police body camera footage were left open to the world for anyone to siphon off, according to an infosec biz.

Jasun Tate, CEO of Black Alchemy Solutions Group, told The Register on Monday that he and his team had identified about a terabyte of officer body cam videos, stored in unprotected internet-facing databases, belonging to the Miami Police Department and to police in other US cities as well as places abroad. The operators of these databases – Tate suggests there are five service providers involved – work with various police departments. The footage apparently dates from 2018 to the present.

“Vendors that provide services to police departments are insecure,” said Tate, adding that he could not at present identify the specific vendors responsible for leaving the archive freely accessible to the public. Below is an example body-cam video from the internet-facing data silo Tate shared on Twitter.

Tate said he came across the files while doing online intelligence work for a client. While searching the internet, he said, his firm came across a dark-web hacker forum thread that pointed out the body cam material sitting exposed on the internet. Following the links led Tate to police video clips that had been stored insecurely in what he described as a few open MongoDB and MySQL databases.

For at least the past few days, the footage was publicly accessible, we’re told. Tate reckons the videos will have been copied from the databases by the hacker forum’s denizens, and potentially sold on by now.

According to Tate, the Miami Police Department was notified of the findings. A spokesperson for Miami PD said the department is still looking into these claims, and won’t comment until the review is completed.

Tate posted about his findings on Saturday via Twitter. The links to databases he provided to The Register as evidence of his findings now return errors, indicating the systems’ administrators have taken steps to remove the files from public view.

The incident echoes the hacking of video surveillance biz Perceptics in terms of the sensitivity of the exposed data. The Perceptics hack appears to be more severe because so much of its internal data was stolen and posted online. But that could change if it turns out that much of the once accessible Miami body cam footage was copied and posted on other servers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/miami_police_bodycams_leaked/

July is here – and so are the latest Android security fixes. Plenty of critical updates for all

Google today posted a fresh round of Android security fixes.

The July update addresses a total of 33 CVE-listed vulnerabilities, nine of them classified as critical risks.

At the basic 2019-07-01 level, a dozen bugs are addressed. Five of those would allow for remote code execution if exploited; three (CVE-2019-2106, CVE-2019-2107, CVE-2019-2100) in the Android media framework, while another (CVE-2019-2105) is in Android Library and the fifth (CVE-2019-2105) is found in the System. All would be triggered by opening a specially-crafted file.

Of the remaining CVEs, five (CVE-2019-2104 in Framework and CVE-2019-2116, CVE-2019-2117, CVE-2019-2118 and CVE-2019-2119 in System) are for information disclosure bugs and two (CVE-2019-2112, CVE-2019-2113) are elevation of privilege vulnerabilities.

The 01 level patches are the minimum required level for Android device makers and service providers. Those needing patches for additional components (such as for Qualcomm components) will get the 2019-07-05 patch bundle.

This month, the 05 level consists of fixes for 21 flaws, all in Qualcomm software. Those, in turn, are divided into two groups: eight CVE entries for open-source components and 13 entries for closed-source products where Qualcomm does not provide specific information on the nature of the flaw or the exact component.


Ten of the closed-source component CVEs were for issues rated as High security risks; generally this means things like elevation of privilege and information disclosure flaws. Another three were classified as critical, which usually means a remote code execution vulnerability that requires little to no user interaction to exploit.

Of the open source Qualcomm fixes, two (CVE-2019-2308 in DSP_Services and CVE-2019-2330 in Kernel) were classified as critical. The other six were labeled high severity and were found in WLAN Host (CVE-2019-2276, CVE-2019-2307), WLAN Driver (CVE-2019-2305), HLOS (CVE-2019-2278), and Audio (CVE-2019-2326, CVE-2019-2328).

Those using Google-branded devices, such as the supported Pixel phones, should be able to get the July updates shortly, while others will need to wait for their device maker or service provider to deliver the patches for their gear.

If available, admins will likely want to test and install the patches before July 9th, when things will get a bit busier thanks to Microsoft, Adobe, and SAP all delivering their monthly Patch Tuesday bundle of security fixes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/01/july_android_fixes/

New Warning on Ryuk Ransomware

Campaign throws in Emotet and Trickbot for good measure, according to the UK’s National Cyber Security Centre.

A new Ryuk campaign is spreading globally, according to a warning issued by the UK’s National Cyber Security Centre (NCSC).

Ryuk is ransomware known for its long “dwell time” — the time between initial infection and system damage — and for adjusting the amount of ransom demanded based on the victim’s perceived ability to pay.

The warning lists Emotet, a banking Trojan, and Trickbot, a browser-manipulation data skimmer, as components of the new campaign. According to the NCSC, a common sequence is initial infection by Emotet, followed by a Trickbot infection that carries obfuscation capabilities. If the victim’s system provides information that indicates the ability to pay a ransom, Ryuk is deployed.


Article source: https://www.darkreading.com/document.asp?doc_id=1335101&_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Thousands of Facebook Users Hit in Malware Distribution Campaign

‘Operation Tripoli’ is another reminder why users cannot trust every link they see on social media sites.

Social media platforms have become major malware distribution centers. Criminals are increasingly exploiting the trust many people have in the security of these venues to host and distribute a variety of malicious payloads on desktop and mobile systems, including those belonging to enterprise organizations.

The latest example is “Operation Tripoli,” a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada.

Researchers from Check Point Software uncovered the campaign recently when investigating a Facebook page impersonating Khalifa Haftar, commander of the Libyan National Army. The page, created in April, offered posts about airstrikes, terrorists being captured, and other content likely of interest to people in Libya.

With more than 11,000 followers, the page contained URLs for downloading files that were often described as documents containing evidence of countries like Qatar and Turkey conspiring against Libya, or containing photos of pilots captured when bombing Tripoli and other lures. Some URLs purported to be to sites where citizens could sign up for the army.

Facebook users on mobile and desktop devices who clicked on these links ended up downloading a variety of known remote administration tools used for spying and stealing data. Check Point’s investigation of the fake Khalifa Haftar Facebook page shows that the individual behind it had been distributing malicious links through more than 30 other Facebook pages since at least 2014. Some of the pages had tens and even hundreds of thousands of followers. One, for instance, had close to 140,000 followers.

All of the pages were Libya-related, and, in at least some instances, the threat actor appears to have gained access to them after the original owners had created and operated them for a while. As with many other campaigns these days, the malware associated with these pages was usually hosted on file-sharing services such as Dropbox, Google Drive, and Box.

In some instances, the threat actors behind Operation Tripoli compromised websites belonging to major companies and hosted malware on them. Among those compromised in this fashion were Libyana, a major mobile operator in the country, and at least one Israeli and Russian company, Check Point said.

One of Largest Malware Distribution Campaigns on Facebook
According to Check Point, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result. Facebook has since removed the fake Khalifa Haftar page and all other artifacts of Operation Tripoli after Check Point informed the social media giant of the activity.

Lotem Finkelstein, group manager of products at Check Point, says the attacker’s primary motive appears to have been stealing sensitive and personal data, including credentials to social networks and other online services.

However, the attacker’s activities also show a very strong interest in the political tensions in Libya. “It is quite obvious that politicians and governments entities were also a target,” Finkelstein says. “The attacker shared several times top-secret governmental documents and official documents of high-profile personnel in his fake Facebook account.”

The main takeaway from this report is that phishing and malware attacks are not limited to email platforms, and that social networks, like Facebook, are used to distribute them, he says. “Therefore, the public has to be more alert to the content it consumes in social media,” Finkelstein says.

Malware distributed via social media sites poses a major threat for businesses, as well. Research conducted by Bromium earlier this year showed that nearly 20% of organizations had been hit with malware from a social media site, while some 12% had experienced a breach from such malware. At the time Bromium conducted its study, four of the top five sites that were illegally distributing cryptocurrency mining software were hosted on a social media platform.

The vendor found criminals using malicious advertisements, applications, plug-ins, and URLs to distribute malware via social media sites. Bromium estimated that 1.3 billion users of social media had already had their information compromised in the past five years. More than 50% of stolen data available in underground markets last year was sourced from social media platforms, according to Bromium.

Jim Zuffoletti, CEO of social media security vendor SafeGuard Cyber, says the threat to companies via social media accounts indeed is real. “Detecting malicious content is a massive challenge when it comes to the social media platforms who face the dual responsibility of protecting their own infrastructure as well as their customer accounts,” Zuffoletti says. “We’ve now seen payloads delivered via shared links, files, and direct messages, which underscores that social media is an incredibly important vector for companies and governments.”

Notes Check Point's Finkelstein: "There are many attempts to use social networks to spread malware — it's just a natural development of the cyberthreat landscape. Most attempts, however, fail, thanks to the efforts the platforms invest in taking them down."


 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/document.asp?doc_id=1335104&_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attunity Data Leak Exposes Sensitive Files at Ford, TD Bank

Three unsecured Amazon S3 storage buckets compromised more than 1TB of data belonging to Attunity and its high-profile clients.

Data management firm Attunity exposed more than 1TB of sensitive data via three misconfigured Amazon S3 buckets, security firm UpGuard disclosed late last week. The mistake compromised Attunity’s internal corporate information as well as data of high-profile businesses, including Ford, TD Bank, and Netflix.

UpGuard researcher Chris Vickery found publicly accessible S3 storage buckets “attunity-it,” “attunity-patch,” and “attunity-support” on May 13, 2019. While the total amount of compromised data has not been confirmed, Vickery downloaded a sample of about 1TB, which included 750GB of compressed email backups, UpGuard reports.

“Attunity-it” held the bulk of sensitive data as well as the oldest files, which were uploaded in September 2014, though this doesn’t mean they have been publicly accessible since then. The newest files were uploaded days before the discovery. Attunity was notified of the exposure on May 16. Following complications related to time zone disparities and Attunity’s recent acquisition by business intelligence company Qlik, public access to the buckets was removed on May 17, 2019.

“Attunity was notified in mid May of an issue related to internal company data stored in AWS S3 buckets,” writes Qlik spokesperson Derek Lyons in a statement. “Attunity personnel responded quickly to ensure that the data was secured. Attunity customers deploy and operate the software directly in their own environments, and therefore Attunity doesn’t store or host sensitive data.”

While AWS S3 bucket leaks are fairly common, Attunity’s stands out for a few reasons. For starters, Vickery says, it wasn’t difficult to discover three of its publicly accessible repositories. He usually finds one, maybe two or three, for a single company with one search. These businesses likely have more exposed, but the buckets’ names may have terms he doesn’t explicitly search. When Vickery used “Attunity” as a term, the search yielded these results.

“Finding three so quickly for Attunity was a little out of the ordinary,” he says. This was “surprising” for a cloud migration and data integration business that counts 2,000 enterprises and half of the Fortune 100 among its clients. A file exposed among the buckets contained a client list with a number of organizations containing that description, he reports.

What Was Exposed?
Attunity’s S3 buckets included details of internal projects at Ford, software upgrade invoices for TD Bank, and information on technology it was configuring for TD Bank. Vickery found backups of Attunity employee OneDrive accounts, which spanned a range of data that people need to do their jobs: emails, system passwords, sales and marketing contact info, project specifications.

“What made it even more surprising was the amount of employee email content,” Vickery continues, adding that “you never know what’s going to be in an email archive.” Some of the exposed emails contained company account passwords written in plaintext, he points out.

Exposed files included documentation of Attunity's internal systems, documents describing how it would process customer data, and spreadsheets of employee information displaying full names, department, location, job title, date of hire, annual salary, and a range of other details. Adding to the risk, Vickery found that the employee ID numbers linked to Attunity's US employees use the same numbering scheme as Social Security numbers, suggesting the two may be the same. Researchers were able to confirm the Attunity employee IDs were valid SSNs; however, they were not able to verify that a given person's employee ID number was also their SSN.

“The amount of data that was present was pretty extensive,” says Vickery. “Whenever you have over a terabyte, that catches your attention.” UpGuard notified Attunity of its findings, as well as its own clients that were affected by the exposure.

Cutting Third-Party Risk
The exposure of login credentials, particularly administrative credentials, increases the potential reach of someone who accessed these buckets. UpGuard researchers don’t attempt to use credentials and cannot confirm the level of access provided by those exposed in the Attunity leak. Vickery says the question is what level of access Attunity has to client networks.

“Clients could be giving Attunity access that at some point is privileged, to a degree,” he explains. If this is the case, it’s hard to imagine a scenario in which the client wouldn’t be at risk.

System credentials could be found in several places across the Attunity data set, serving as a reminder of how such data should be stored within an organization. Credentials such as private keys were stored, and exposed, in directories for configuring their respective systems. If exposed credentials and data pose a risk to Attunity, they pose a risk to the data that Attunity processes.

Vickery advises companies with major enterprise clients to “never upload anything to a third-party cloud that’s not already encrypted.” Encrypted data stored in a misconfigured bucket isn’t as big a deal; even if a researcher or attacker finds it, they won’t be able to read it. The publicly accessible buckets Vickery found belonging to Attunity had information stored in plaintext.

When establishing contracts with third parties, he also suggests including “very clearly defined areas” where the data will be stored and managed, as well as URLs to the buckets where data will be backed up. One of the two parties owns or controls this “neutral storage zone,” he explains, but both will be able to verify whether the data is publicly accessible.
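Both the Jack'd exposure earlier on this page and the Attunity buckets here come down to the same S3 misconfiguration: a bucket policy or ACL that grants read access to everyone. The script below is an added example, not code from the article, UpGuard, Attunity or Online Buddies; it is the kind of check a client could run to "verify whether the data is publicly accessible" in the neutral storage zone Vickery describes. It evaluates a bucket's policy document, ACL and Public Access Block settings offline, so the policy and ACL documents, the role ARN with placeholder account id 111122223333, and the VPC endpoint id are all constructed samples. A real audit would fetch these with the AWS API (`get-bucket-policy`, `get-bucket-acl`, `get-public-access-block`) and feed them to the same functions.

```python
"""Added example, not from the article or from UpGuard, Attunity or Online
Buddies: flag S3 bucket policies and ACL grants that make objects readable
by anyone. All sample documents below are constructed for illustration."""
import json

# Grantee groups that mean "anyone" or "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Allow statements addressed to everyone. A Condition (VPC endpoint,
    source IP, ...) may still narrow access, so it is reported, not ignored."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            found.append({"sid": stmt.get("Sid", "<no Sid>"),
                          "actions": _as_list(stmt.get("Action", [])),
                          "conditioned": "Condition" in stmt})
    return found


def public_acl_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def assess_bucket(name, policy, acl, public_access_block):
    """Verdict for one bucket. Public Access Block with all four settings on
    overrides public policies and ACLs, which is the fix to apply first."""
    blocked = all(public_access_block.get(k, False) for k in BLOCK_SETTINGS)
    stmts = public_statements(policy)
    unconditioned = [s for s in stmts if not s["conditioned"]]
    grants = public_acl_grants(acl)
    return {"bucket": name,
            "public": not blocked and bool(unconditioned or grants),
            "public_statements": stmts,
            "public_acl_grants": len(grants),
            "public_access_block": blocked}


# Constructed samples. The weak policy is the shape that exposes every object
# to unauthenticated readers; the hardened one names a specific role
# (placeholder account id 111122223333) and adds a VPC-endpoint condition.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupWriter", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
NO_BLOCK = {k: False for k in BLOCK_SETTINGS}
FULL_BLOCK = {k: True for k in BLOCK_SETTINGS}

if __name__ == "__main__":
    for args in (("weak", WEAK_POLICY, WEAK_ACL, NO_BLOCK),
                 ("hardened", HARDENED_POLICY, PRIVATE_ACL, FULL_BLOCK)):
        print(json.dumps(assess_bucket(*args), indent=2))
```

The weak bucket is reported as public because an unconditioned `Principal: "*"` statement and an AllUsers ACL grant are present and nothing blocks them; the hardened bucket is not, because its only wildcard statement carries a VPC-endpoint condition and Public Access Block is fully enabled. Conditioned wildcard statements are still listed in the output, since whether a condition such as `aws:SourceVpce` actually narrows access is something an auditor should read rather than assume.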

As per Lyons’ statement, Qlik is still in the process of investigating this issue and has consulted outside security firms to conduct independent evaluations. At this point, findings indicate UpGuard, the security firm that alerted Qlik, is the only one to externally access the data.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/document.asp?doc_id=1335105&_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloud computing giant PCM hacked

A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.

California-based PCM provides a mixture of solutions including cloud services and hardware, and made over $2bn in revenues in 2018. According to a report by specialist cybersecurity journalist Brian Krebs, the company discovered the breach in mid-May. Sources told him that the attackers stole administrative credentials for Office 365 accounts, and that they were mostly interested in using stolen data to conduct gift card fraud.

The modus operandi in this case was similar to other attacks on large IT providers we’ve seen, in which the hacking group sends phishing emails to companies including retailers, employee reward programs, customer loyalty and recognition businesses, and other organizations dealing in gift cards.

After compromising a system, the group would use a custom version of a malware strain called Mimikatz, which collects usernames and passwords from memory.

Once the group has access to the infrastructure of companies that deal in gift cards, it would then use money transfer services, payment processing services, and clearing houses to monetize that information. The report added:

A possible theory for targeting could be that gift cards provide access to liquid assets outside of the traditional western financial system.

Krebs believes this group began its hacking campaign in 2016, focusing initially on retailers. The report added that it didn’t expand to target IT hosting companies like PCM until this year, suggesting:

Actors could be looking to target the third-party provider to compromise multiple organizations.

PCM confirmed to Naked Security that a “cyber incident” affected some customers, but that no consumers’ personal data was lost. PCM sent us the following statement concerning the breach:

PCM recently experienced a cyber incident impacting a limited number of its corporate customers. Based on thorough investigations conducted, no consumers’ personal information was accessed or acquired by an unauthorized party. As the company has previously stated, impact to its systems was limited, and the matter has been remediated. To the extent any corporate customer was potentially impacted by the incident, those customers were contacted and PCM worked with them to address any concerns they had.

Whether you’re a cloud provider, a hosting company, a small business or even just a home user with a laptop, breach prevention is always way better than cure – not least because after a breach, it’s really hard to be absolutely certain what happened.

The crooks know exactly what they stole, and can prove it if need be by leaking your data to the world. But you’re left trying to prove a negative by figuring out what they didn’t get.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M9lOBNb0Lm0/

ETERNALBLUE sextortion scam puts your password where your name should be

Thanks to Richard Cohen of SophosLabs for his help with this article.

Remember sextortion?

That’s the name for the cybercrime where crooks blast you with spam claiming to know something about your sex life or sexuality that you’d probably want to keep private if it were true…

…and then threaten to tell the world (or at least your colleagues, friends and family) all about it.

Unless you send them money right away, usually in the form of a cryptocurrency like Bitcoin, and usually within 48 hours.

It’s all a pack of lies, of course – the crooks blast out millions of these messages in the hope that the contents will be close enough to the truth that at least some victims will pay up.

Generally, the crooks say they have taken screenshots of you viewing porn, synchronised with a recording they made at the same time via your webcam.

But even if you never watch porn, or don’t have a webcam, or both, this sort of email can still be alarming because the crooks also claim to have total control of your computer, typically including:

  • Access to your passwords.
  • Access to what you type in, even if you go and change your passwords.
  • Access to your email and social media contact lists.

Also, to increase your fear, the crooks may offer “proof” that they’ve already stolen private data from you by including one or more snippets of personal information in the email.

The crooks often include your phone number or one of your passwords recovered from an existing data breach, or they pretend that they sent the email directly from your own account.


In the latest sextortion campaign we’ve seen, the crooks have another trick – they’re using your password (or what they think is your password) as your name in the TO: field of the email headers, so it shows up even when you are just previewing your email:

TO: pa55word [email protected]
FROM: madeupsender
SUBJECT: Security Alert. Your account was compromissed. Password must be changed.

Sometimes, the password is garbage; sometimes it’s a password for an old account that you changed long ago.

But often it really is a password you once used, which certainly lends a touch of credibility to the claims that follow:

Hi, dear user of [YOUR DOMAIN NAME]

We have installed one RAT software into you device 
For this moment your email account is hacked too.
I know your password for this account [YOUR USERNAME]: [YOUR PASSWORD]
Changed your password? You're doing great!

But my software recognizes every such action. I'm updating passwords!
I'm always one step ahead....

So... I have downloaded all confidential information from 
your system and I got some more evidence. The most interesting moment 
that I have discovered are videos records where you masturbating.

Intriguingly, the crooks behind this scam campaign include a bogus explanation of how they sneaked the RAT (short for Remote Access Trojan, a type of malware that does exactly what its name suggests) onto your system, saying:

I posted EternalBlue Exploit modification on porn site, and then
you installed my malicious code (trojan) on your operation system.
When you clicked the button Play on porn video, at that moment my
trojan was downloaded to your device.

ETERNALBLUE is a genuine attack vector, and it’s quite well-known because it was originally developed by (or at least obtained by) the US intelligence services and used for law enforcement and surveillance purposes.

But it was subsequently stolen from the US government, offered for sale and ultimately published on the internet for free so anyone with evil intentions could use it.

And they did – ETERNALBLUE was the primary trick used by the infamous WannaCry virus to jump around on and between networks.

The crooks finish by demanding that you pay $600 in Bitcoin within 48 hours:

For the moment, the software has harvrested all your contact 
information from social networks and email addresses. If you need to 
erase all of your collected data, send me $600 in BTC (crypto currency).
This is my Bitcoin wallet: 1XXXXXXXXXXXXXXXXXXXXXXXXXXX 
You have 48 hours after reading this letter.

The Bitcoin address mentioned in the email has received two payments worth approximately $550 each at current rates, but we have no idea whether the funds came from real victims who were frightened enough to pay, or from unrelated sources.

What to look for?

The subject lines and message bodies of spam and scam campaigns change all the time, so don’t rely on specific details when trying to figure out whether an email is genuine or not.

However, the samples we’ve seen of this particular scam have similar content in the message body itself, but the subject lines vary considerably, and include:

Your account was under attack! Change your access data!
Your account is being used by another person!
Your account has been hacked! You need to unlock.
The decision to suspend your account. Waiting for payment.
Security Notice. Someone have access to your system.
Security Alert. Your accounts was hacked by criminal group.
Security Alert. Your accounts was compromised. You need change password!
Security Alert. Your account was compromissed. Password must be changed.
High level of danger. Your account was under attack.
High danger. Your account was attacked.
Hackers know password from your account. Password must be changed now.
Frauders known your old passwords. Access data must be changed.
Caution! Attack hackers to your account!
Be sure to read this message! Your personal data is threatened!
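As an added example (not from the article or from SophosLabs), here is mail-filter logic that turns the two tells described above into checks: a leaked password sitting where the recipient's display name belongs in the TO: header, and the alarmist subject templates listed above, plus the crypto ransom and 48-hour deadline in the body. The message, the leaked-password list and the addresses are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message (not a real capture from the campaign); the
# scam puts a leaked password where the recipient's display name belongs.
SAMPLE_EMAIL = """\
To: pa55word <victim@example.com>
From: madeupsender <nobody@example.net>
Subject: Security Alert. Your account was compromissed. Password must be changed.

I know your password for this account victim: pa55word
send me $600 in BTC (crypto currency).
You have 48 hours after reading this letter.
"""

# Subject fragments distilled from the variants listed in the article.
SUBJECT_PATTERNS = [
    r"your accounts? (was|is|has been) (under attack|hacked|compromiss?ed|attacked)",
    r"(password|access data) must be changed",
    r"high (level of )?danger",
    r"hackers? know password",
]

# Passwords known to have appeared in earlier breaches of this organisation's users (constructed).
KNOWN_LEAKED = {"pa55word", "hunter2"}

def sextortion_indicators(raw):
    """Return the heuristics a message trips; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "").lower()
    body = msg.get_payload().lower()
    hits = []
    # 1. The To: display name is a known leaked password rather than a name.
    if display_name.lower() in KNOWN_LEAKED:
        hits.append("to-display-name-is-leaked-password")
    # 2. Failing that, a display name containing digits is unusual for a real name.
    elif re.search(r"\d", display_name):
        hits.append("to-display-name-looks-like-credential")
    # 3. The subject matches one of the campaign's alarm templates.
    if any(re.search(p, subject) for p in SUBJECT_PATTERNS):
        hits.append("alarmist-subject")
    # 4. The body pairs a cryptocurrency demand with a short deadline.
    if re.search(r"\b(btc|bitcoin)\b", body) and re.search(r"\b48 hours\b", body):
        hits.append("crypto-ransom-with-deadline")
    return hits
```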

What to do?

From a technical point of view, given the inclusion of a real password and the mention of a genuine security exploit, this scam certainly sounds possible, and even plausible, but it’s all a bunch of made-up nonsense.

So you can delete it without further ado.

Nevertheless, there are some useful security reminders mixed in with this story, namely:

  • Patch early, patch often. The ETERNALBLUE exploit was patched way back in March 2017, so no one should be able to attack you successfully with it any more.
  • Prefer two-factor authentication (2FA). We’re assuming you already pick proper passwords, for example by using a password manager to help, but the one-time login codes typically required for 2FA add another layer of difficulty for crooks.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cx_pLP2Sd3E/