STE WILLIAMS

G Suite’n’sour: Google resets passwords after storing some unhashed creds for months, years

Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords unhashed, albeit encrypted at rest.

Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed. Hashing is a standard industry practice that protects credentials by scrambling them with a one-way function, so that the original password cannot be recovered from the stored value.

Google was at pains to stress it was the enterprise non-consumer version of G Suite affected, and that the passwords were encrypted at rest on disk – though, we note, hashing them would have fully secured the sensitive info.

Before we get to the threat model part of this, there are essentially two security cockups at play here. The first involves a G Suite feature available from 2005 that allowed organizations’ admins to set their G Suite users’ passwords via the Google account admin console. That feature, designed for IT staff to help new colleagues set their passwords and log in, did not hash these passwords.

The second involves recording some user passwords in plaintext on disk, as they logged in, and keeping these unhashed credentials around for 14 days at a time, again encrypted at rest. This practice started in January this year, during attempts by Googlers to troubleshoot their login system, and has been stopped.

On the first issue, Suzanne Frey, Google veep of engineering and cloud trust, explained:

In our enterprise product, G Suite, we had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users. The intent was to help them with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery. The functionality to recover passwords this way no longer exists.

We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.

On the second issue, Frey continued:

In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.

Here are some examples of the email alerts sent today to G Suite admins:

Passwords are hashed so that if someone breaks into, say, Google’s servers, they can’t make off with people’s login credentials: they’ll be scrambled in such a way the miscreant can’t figure out the originals and use them to log into other websites where the passwords are reused. If a hacker gets into Google’s infrastructure, passwords hashed or not hashed, it’s potentially game over anyway: it’s possible they could access other sensitive info.

The passwords weren’t hashed in this G Suite case, reminding us of Facebook, but were apparently stored encrypted at rest, meaning a hacker should not, in theory, be able to access them. However, it may be possible that a rogue staffer, or a skilled intruder, could still access the logged passwords – they have to be decrypted at some stage by the ad giant’s backend software to be used. This is why it’s highly preferable to hash passwords, and then store them encrypted at rest, to be totally sure.
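The distinction the two paragraphs above draw, "encrypted at rest" versus "hashed and then encrypted at rest", is easy to see in code. The following is an added illustration and is not Google's code: it stores one constructed sample password both ways under the same at-rest key (libsodium secretbox, bcrypt via password_hash), then shows what anyone holding that key gets back in each case. The function names and the sample password are constructed for the example.

```php
<?php
// Added illustration (not Google's code): why "encrypted at rest" is not a
// substitute for hashing. Both records below are protected by the same
// at-rest key; only the hashed one stays useless to whoever can decrypt.

declare(strict_types=1);

const NONCE_LEN = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;

/** Encrypt $plaintext with the at-rest key; the random nonce is prepended. */
function encryptAtRest(string $plaintext, string $key): string
{
    $nonce = random_bytes(NONCE_LEN);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

/** Decrypt a record from encryptAtRest(). Backend code needs this; so can
 *  an insider or intruder who obtains the key. */
function decryptAtRest(string $record, string $key): string
{
    $nonce = substr($record, 0, NONCE_LEN);
    $box   = substr($record, NONCE_LEN);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('record tampered with or wrong key');
    }
    return $plain;
}

/** The weak pattern described in the article: the raw password is what
 *  goes into the encrypted store. */
function storePlaintextEncrypted(string $password, string $key): string
{
    return encryptAtRest($password, $key);
}

/** The recommended pattern: salted slow hash first, then encrypt the hash. */
function storeHashedEncrypted(string $password, string $key): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, salt included
    return encryptAtRest($hash, $key);
}

/** Login check against the hashed record: decrypt, then slow-compare. */
function verifyHashedEncrypted(string $candidate, string $record, string $key): bool
{
    return password_verify($candidate, decryptAtRest($record, $key));
}

// --- demo with a constructed key and a constructed sample password ---
$key      = sodium_crypto_secretbox_keygen();  // at-rest key, normally in a KMS/HSM
$password = 'correct horse battery staple';    // constructed sample, not real

$weak   = storePlaintextEncrypted($password, $key);
$strong = storeHashedEncrypted($password, $key);

// Whoever can decrypt the weak record gets the reusable password back...
echo "weak record decrypts to:   ", decryptAtRest($weak, $key), PHP_EOL;
// ...while the strong record yields only a salted bcrypt hash string.
echo "strong record decrypts to: ", decryptAtRest($strong, $key), PHP_EOL;

// Login still works against the hashed record; the password itself is never stored.
var_dump(verifyHashedEncrypted($password, $strong, $key));
var_dump(verifyHashedEncrypted('wrong password', $strong, $key));
```

The point of the demo is the second `echo`: with the hashed record, the decryption key alone buys an attacker nothing that can be replayed against other sites, which is exactly the protection the article says was missing. Requires PHP 7.2 or later for the sodium functions.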

In other words, it’s sloppy, dangerous, and embarrassing, though keep it all in perspective: to exploit this security blunder, an attacker would have to break into Google’s key networks, and obtain and exfiltrate the decrypted data, or subvert a staffer with enough seniority to decrypt the passwords, and in both cases, users would be severely screwed, anyway. Hashing would protect the account passwords from snooping, sure, but, er, there would be rather bigger problems to solve: bad people on the network with all sorts of servers and data to potentially leaf through… until they trip an intrusion detection system, of course.

From Wednesday, Google will begin changing passwords for affected accounts that have not already done so. So if you see things have changed, don’t panic. Just keep calm and carry on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/22/google_g_suite_password_reset/

49 Million Instagram Influencer Records Exposed in Open Database

An AWS-hosted database was configured with no username or password required for access to personal data.

How many Instagram influencers does it take to create a massive unplanned data release? At least 49 million, if the contents of a publicly exposed database are any indication.

In the latest data incident involving an AWS-hosted database misconfiguration, a database containing contact information for millions of Instagram influencers was found by researcher Anurag Sen, who discovered that the information required no username or password for access.

A TechCrunch reporter traced the database to Chtrbox, a Mumbai-based firm that pays Instagram users to post sponsored information. According to Instagram, scraping the service for the phone, email, mailing address, and other information contained in the database is against the platform’s terms of service. The company says it is in conversation with Chtrbox to determine how the information was gathered.

After being contacted by the reporter, the database was taken offline; Chtrbox has not commented on the database, its contents, or the incident.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/49-million-instagram-influencer-records-exposed-in-open-database/d/d-id/1334775?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Satan Ransomware Adds More Evil Tricks

The latest changes to the Satan ransomware framework demonstrate attackers are changing their operations while targeting victims more carefully.

The operators and developers behind a 2-year-old ransomware framework, dubbed Satan, continue to expand the codebase, adding exploits for the Spring Web application framework, the ElasticSearch search engine, and the ThinkPHP Web application framework popular in China, according to research from Fortinet.

The refinements demonstrate a trend in ransomware: The malware is becoming more sophisticated and operations against victims more targeted, according to the company. In its quarterly threat report, Fortinet points to multiple debilitating attacks on manufacturers, chemical companies, and engineering firms, stating that attackers are moving from “indiscriminate ransomware attacks to more targeted and potentially more lucrative campaigns.”

“We are seeing more methodical techniques,” says Anthony Giandomenico, a senior security researcher at Fortinet. “Some of the adversaries that are using ransomware — they are getting better at quickly incorporating new vulnerabilities that have recently been successfully exploited.”

The incorporation of three new exploits into the Satan ransomware framework highlights the continuing improvement in capabilities incorporated into the malicious software by operators and developers. Satan, which is the malware component of a ransomware-as-a-service offering on the Dark Web of the same name, had already included exploits for a variety of Web technologies, such as JBoss, Apache Struts, Web Logic, Tomcat, and the infamous EternalBlue exploit for Windows SMB services.

While the addition of three new exploits does not appreciably increase the threat level of the malware, it does show that the developers are actively improving the code and the service, Fortinet’s Giandomenico says.

“The ransomware-as-a-service is successful in that it is taking advantage of those vulnerabilities that have been exploited much faster,” he says.

Ransomware attacks garner a great deal of attention. The malware payload, which typically encrypts valuable data until a victim pays the ransom, both disrupts victims’ operations and causes obvious symptoms of an attack, such as displaying ransom notes on monitors. In the past five years, significant attacks have shown the danger of malware that makes data essentially unusable.

The 2014 attack on Sony Pictures had a wiper component that erased systems and forced the company to take weeks to clean its information-technology environment and recover business data. In 2017, two worms — WannaCry and NotPetya — spread through companies’ IT systems, disrupting operations for manufacturing giants such as pharmaceutical maker Merck, auto maker Nissan, and shipping conglomerate AB Maersk. Most recently, ransomware disrupted government systems and services in the city of Baltimore.

In January 2017, Satan made headlines as the first known ransomware-as-a-service offering — but not the first crimeware-as-a-service product — on the Dark Web. Subscribers can create tailored ransomware attacks, and the operators of the Satan service take a portion of any ransom paid.

The malware created by Satan also can spread on its own. Once Satan compromises a system, the malware attempts to execute its list of exploits against each IP address on the local network.

The attack can also be used against publicly accessible servers. The malware will reach out to one of the command-and-control (C2) servers, retrieve a Class C subnet to attack, and then enumerate every IP address on that network and attempt to spread.

While WannaCry and NotPetya raised fears that mass ransomware infections could hobble businesses and governments, attackers have seemingly gone in the opposite direction. By targeting specific companies, or at least manually taking over attacks against those companies, the ransomware operators can do the most damage and levy higher fees for recovery, Giandomenico says.

Ransomware is also becoming more of a capability of malware and a potential tool to use during attacks, he says.

“I would put money on the fact that we will see more targeted attacks that are using ransomware,” Giandomenico says. “It will be multistaged. They may do other things on the network first, and when they are finished, they will slap some ransomware in there to cover their tracks” or convert the compromise to cash.

With Satan, the attackers look ready to continue to target more applications with vulnerabilities. The current version of the malware platform scans for applications such as Drupal, Adobe, and XML-RPC, but does not yet have the exploits to compromise the applications. Instead, it reports their existence to the C2 servers.

“Most likely, its purpose is to gather statistics of application usage that can be targeted in future attacks,” Fortinet’s analysis stated. “The malware authors can easily update their spreader to implement an exploit against one of these applications if they observe that enough clients are using it.”


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/satan-ransomware-adds-more-evil-tricks/d/d-id/1334779?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Deep Packet Inspection a threat to net neutrality, say campaigners

Some of Europe’s biggest ISPs and mobile operators stand accused of using Deep Packet Inspection (DPI) technology to quietly undermine net neutrality rules and user privacy.

News of the troubling allegation first reached the public domain earlier this year in an analysis by German organisation epicenter.works. It claimed it had detected 186 products offered by providers that appeared to involve applying DPI to their customers’ traffic. Deep packet inspection filters network traffic by looking at the contents of data packets.

Naked Security’s Mark Stockley explains:

Traditional network filtering is like directing road traffic based on the type of vehicle. DPI is like looking at who’s driving and what’s in the trunk.

Now a group of academics and digital rights campaigners headed by European Digital Rights (EDRi) has sent EU authorities an open letter pointing out the implications of this. The EDRi letter states:

Several of these products by mobile operators with large market shares are confirmed to rely on DPI because their products offer providers of applications or services the option of identifying their traffic via criteria such as Domain names, SNI, URLs or DNS snooping.

EU regulation outlaws DPI for anything other than basic traffic management, but it seems that providers in many countries have found a grey area that allows them to bend – and increasingly bypass – those rules.

The frontline of this is something called ‘zero rating’ whereby mobile operators attract subscribers by offering free access to a specific application – a streaming service would be one example – without that counting towards their data allowance.

By its nature, this favours larger application providers, in effect busting the principle of net neutrality that says that all applications and services should be given equal prioritisation across networks.

DPI is the technology that makes this possible because:

DPI allows IAS providers to identify and distinguish traffic in their networks in order to identify traffic of specific applications or services for purposes such as billing them differently, throttling them, or prioritising them over other traffic.

DPI has Phorm

DPI is a technology that’s been around in business LAN/WAN networking for years and has plenty of legitimate uses, including simply looking at traffic at a packet level to make sure important applications are given higher levels of prioritisation.

ISPs can also use it to detect traffic they deem to be in breach of terms and conditions – such as that sent by a small number of users to torrent and file-sharing sites.

Inevitably, the technology is open to abuse, as appeared to be the case in the UK when a number of UK ISPs signed up with an ad targeting company called Phorm in 2008.

Its system worked by using DPI to scan user traffic and searches for keywords, and using this data to show users individualised ads. Worse, the platform had been used in trials without the privacy implications being explained to subscribers.

The storm that erupted around (and eventually killed) Phorm turned DPI into a technology with a bad reputation that has stuck ever since in some countries.

A decade on, mobile providers are the big players and, rather like early broadband networks, these operate according to rules that ruthlessly conserve, meter and prioritise data capacity.

It’s the basis on which they’re doing that which EDRi objects to. Its letter to the EU paints a picture of a slow slide towards DPI and with it the end of true net neutrality. At that point, it claims, user privacy will be in deep packet trouble.

Prevention v cure

One difference in today’s battles with DPI is the emergence of standards and technologies that allow users to fight back. These include widespread HTTPS and emerging standards that secure DNS traffic, such as DNS over HTTPS, and encrypted Server Name Indication (SNI).

Alternatively, VPNs are an even simpler way to prevent DPI monitoring because all traffic crossing the ISP’s network is encrypted. Arguably, that’s a kludge. Not all VPNs have a trustworthy reputation, and the ones that do tend to be expensive and far from seamless to set up. There’s also the possibility of DNS leaks.

If a newer generation of privacy-oriented VPNs such as Cloudflare’s proposed 1.1.1.1 Warp service don’t offer a way out for users, it’ll be down to the EU to tighten the rules. Mobile companies won’t go down without a fight because DPI has been built into their business models and can’t easily be ripped out.

DPI has the potential to turn into a decade-defining fight.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/e7nYEJM-XqE/

Old Threats Are New Again

They may look familiar to you, and that isn’t a coincidence. New threats are often just small twists on old ones.

Cyberattackers are often thought to be tech experts. Cyberattackers understand security vulnerabilities and loopholes that most people don’t understand. However, the reality of a cyberattacker is that most are not that specialized — they bypass security solutions through small adjustments to already well-known attacks. By simply leveraging an already established attack sample that is available on the Web, hackers can and do consistently and efficiently modify attacks in order to stay one step ahead of their targets’ security solutions. In fact, some malware strains have been designed to automatically modify themselves to avoid signature-based security offerings.

Even sandboxing security solutions — which involve opening suspect files in a controlled environment — are not deterring the ever-increasing rate of email attacks. Because sandboxing solutions have become popular among security practitioners, hackers have also developed sandbox-evasion techniques. Some of these techniques are quite straightforward, such as using the sleep mode to avoid scan detection. And some techniques involve more advanced tools such as sandbox presence detection, where malware runs “clean” code when a sandbox is detected.

In addition, most sandboxes run on machines with low processor counts, RAM, etc. This helps malware detect the difference between an actual computer and a sandbox. A lack of USB ports, small hard drives, no personal files, and no mail client can indicate a sandbox. Once the malware identifies the sandbox, specific techniques are then designed to evade detection. As a dynamic solution, sandboxes offer a way of effectively scanning a file to detect malware.

The bottom line is that as a general rule, today’s security solutions rely on past attack experiences to identify present-day threats and ultimately often come up short when it comes to heading off the next hacker attack. Here are a couple of examples of how attackers make minor adjustments in order to take advantage of their targets.

GandCrab Ransomware
GandCrab is a Trojan horse that encrypts files on a targeted computer and follows up with a demand for payment to decrypt them. GandCrab’s creators used phishing emails to transmit the ransomware and infect systems. These attackers have continued to evolve and adapt to avoid detection, bypass security solutions, and trick victims into mistakenly installing the ransomware on their systems.

Between the end of January and September 2018, GandCrab was updated five times. This agile approach has allowed its creators to stay one step ahead of security solutions and profit from the unsuspecting.

Emotet Malware
Recently, a new version of Emotet malware surfaced following a short period of inactivity. This marked the introduction of yet another iteration in a series of modifications that started back in 2014.

Emotet first emerged as an info-stealing Trojan aimed at financial credentials and proprietary data. Able to learn from experience, it has continually improved and increased in effectiveness and popularity. This most recent variant has developed a new capability allowing it to avoid detection by most security filters. In addition, Emotet is becoming stronger, more destructive, and costly to organizations and individual users.

Attackers are able to modify their techniques so quickly that it is impossible for organizations to pinpoint what they are going to do next. They shouldn’t try, either. What they should do is acknowledge that they need to stay vigilant and that these malicious actors, their viruses, and their profiteering must be fought constantly. Organizations must adapt and evolve themselves by taking a proactive approach, embracing and implementing security solutions that are attack-agnostic.

With this strategy, organizations can detect and block viruses, no matter what kind of virus or malware is embedded in them, even if it changes or strengthens over time. This kind of approach provides more comprehensive data security than currently available.


Liron Barak, CEO and Co-Founder of BitDam, has over 10 years of experience dealing with the most sophisticated cyber threats and exploitation techniques. Prior to founding BitDam, Liron served in Unit 8200 of the Israeli Intelligence Corps, where she managed teams of highly …

Article source: https://www.darkreading.com/perimeter/old-threats-are-new-again/a/d-id/1334731?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 Focuses on Security Culture with CLTRe Acquisition

The acquisition solidifies KnowBe4’s European presence and shows a focus on building and measuring security culture.

KnowBe4 today confirmed its acquisition of CLTRe, a Norwegian company that specializes in helping organizations build, assess, maintain, and measure a stronger cybersecurity culture.

CLTRe (pronounced “culture”), was founded in 2015 and is headquartered in Oslo, Norway. Its Security Culture Framework and CLTRe Toolkit were developed to help businesses collect evidence about their security culture and how it changes over time. Its platform aims to help drive security culture and awareness training programs with assessments, external and internal benchmarking, and reports and insights to demonstrate how culture improves over time.

The deal shows that KnowBe4, a platform for awareness training and simulated phishing, is taking a closer look at culture. A “Cybersecurity Culture Report” from ISACA and CMMI Institute found 95% of security respondents see a gap between current and desired security culture. With most malware delivered via email, it sees an opportunity to work with employees and lessen risk.

CLTRe will continue to operate as an independent subsidiary under KnowBe4 and service customers around the world. Its CLTRe Toolkit and Security Culture Framework will be made available to KnowBe4 customers later this year, and CLTRe clients will have access to KnowBe4’s platform for cybersecurity awareness training and simulated phishing.

Terms of the deal were not disclosed. CLTRe has generated a total of €50,000K in funding.

Read more details here.


Article source: https://www.darkreading.com/perimeter/knowbe4-focuses-on-security-culture-with-cltre-acquisition/d/d-id/1334773?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape

Attackers are getting further ahead, and entrenched corporate rules shoulder much of the blame.

In recent years, the cyber skills gap between attackers and defenders has widened. Corporate security teams — their hands tied by budget constraints, box-ticking exercises, internal politics, and outdated training — are struggling to catch up. More than half of organizations now consider the shortage of adequately trained cybersecurity professionals to be a major problem.

Attackers, on the other hand, have no such problem. Unfettered by corporate issues, they operate in the type of purist environment in which technical talent thrives. They “learn by doing” — continually coming up with creative ideas to solve a problem, rewarding curiosity and perseverance, and encouraging innovation. Because of this, they remain steadfastly in the lead. While many companies talk about a need to address the cyber skills gap, few are challenging existing norms. The security sector is good at tearing up rule books, so it’s about time this applied to skills development.

Deeply embedded legacy process lies at the heart of an organization’s cyber skills gap. For example, HR teams typically are involved in the hiring of cyber talent. Not that this is wrong, but while filtering candidates, an absence of specialized technical knowledge is often compensated for by an overreliance on formal accreditations and certifications.

Although certifications do have relevance and carry weight, they can also exclude genuine talent. They rely on the person having the time and resources to undertake them in the first place, discounting those who don’t have either or even possess the mindset to do structured courses in the first place. As many in the industry know, raw, unstructured talent often is the best.

To this point, skills gained through experience and creative thinking bring immeasurable depth to a security team. Much classroom-based training neglects this, using passive listen-and-learn methods that don’t always appeal to the personality types of high-performing cybersecurity talent. The most effective cybersecurity professionals want to learn on the job. Naturally inquisitive, they prefer to take things apart and find out how they operate. This is a self-learned skill and it is deeply personal, not something that can be dictated.

An organization’s internal people structures also stop the right skills getting to the right place. Rigid hierarchies enforced by subtle work politics still dominate security teams, meaning those responsible for specific areas are not always the best qualified but simply people with more time in the game. This is where such teams can learn from their foes. Attackers put more stock in the idea of a meritocracy. If someone is a better malware writer, they write malware — letting the expert social engineer worry about hooking people with a targeted phish.

Speed of response — the main issue that dominates any cybersecurity countermeasure — is also the single biggest problem for any organization when it comes to closing the skills gap. If security skills are ever expected to keep up with those of an attacker, they must be updated as regularly and often as attacks change. This is not happening in the majority of cases. Malware morphs continuously, domains are generated randomly, and Web app attacks are dynamic, yet training happens the third Thursday in the last month of the quarter.

This factor is widening the gap between attack and defense more than any other factor. Current training approaches mean that the skills learned are often out of date by the time the person leaves the classroom. Cyber skills training needs to be continuous to be relevant. You wouldn’t expect your technical defenses to operate on outdated threat intel, so why your human ones?

Here Are Some Steps to Cut Through the Red Tape

  • Look for demonstrable skills and experience rather than just formal qualifications.
  • Include a skills-based test as part of the recruitment process.
  • Ensure a cybersecurity professional — third party if necessary — is involved throughout the entire process.
  • Gamify training — story-driven wargames will allow teams and individuals to hone their skills in “real life” situations.
  • Base any training on real-time threat intelligence to assure greater preparedness.


James Hadley founded Immersive Labs in January 2017 after delivering GCHQ’s cyber summer school. It was during these sessions he realized that passive, classroom-based learning doesn’t suit the people, or pace, of cybersecurity. Not only did the content date quickly, its …

Article source: https://www.darkreading.com/careers-and-people/to-narrow-the-cyber-skills-gap-with-attackers-cut-the-red-tape/a/d-id/1334695?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WordPress plugin sees second serious security bug in six weeks

Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.

The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites.

WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another.

WordPress calls the admin_init hook whenever someone visits a WordPress site’s admin page, and developers can use it to call various functions at that point.

The problem is that admin_init doesn’t require authentication, meaning that anyone who visits the admin URL can cause it to run code. WP Live Chat’s admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user’s privileges.

An unauthenticated attacker could use this flaw to update a JavaScript option called wplc_custom_js. That option controls the content that the plugin displays whenever its live chat support window appears. An attacker can insert malicious JavaScript into multiple pages on a WordPress-powered website, the researchers explain.
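The pattern the three paragraphs above describe, a settings write hanging off admin_init with no privilege check, is shown below next to the form a plugin author would normally write. This is an added illustration, not the WP Live Chat Support plugin's own code: the option name wplc_custom_js comes from the article, while the callback names, the nonce action and the request field `custom_js` are constructed for the example. It uses only standard WordPress functions (add_action, update_option, current_user_can, check_admin_referer, wp_unslash).

```php
<?php
// Added illustration, not WP Live Chat Support's code. Option name from the
// article; function names, nonce action and the 'custom_js' field are constructed.

// --- The weak pattern the article describes: a settings update wired to
// admin_init with no capability or nonce check. admin_init also fires for
// requests to admin-ajax.php and admin-post.php, which do not require a
// login, so an anonymous request that reaches it can rewrite the option.
function example_vulnerable_settings_update() {
    if ( isset( $_POST['custom_js'] ) ) {
        update_option( 'wplc_custom_js', wp_unslash( $_POST['custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_vulnerable_settings_update' ); // left unregistered on purpose

// --- Hardened form: the same hook, but the write happens only for a user
// who holds the capability and only on a request carrying our own nonce.
function example_hardened_settings_update() {
    if ( ! isset( $_POST['custom_js'] ) ) {
        return;
    }

    // 1. Authorization: anonymous visitors and low-privilege users fail this
    //    check, so admin_init firing for them is harmless.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // 2. CSRF protection: the form must have been rendered by our settings
    //    page with wp_nonce_field( 'example_save_custom_js' ). On failure
    //    check_admin_referer() stops the request with a "link expired" page.
    check_admin_referer( 'example_save_custom_js' );

    // 3. The value is script that the plugin will emit into every page where the
    //    chat window appears, so steps 1 and 2 are the controls that matter;
    //    wp_unslash() only undoes WordPress's request-array slashing.
    update_option( 'wplc_custom_js', wp_unslash( $_POST['custom_js'] ) );
}
add_action( 'admin_init', 'example_hardened_settings_update' );
```

For review or detection purposes, the thing to look for in any plugin is the first shape: a call to update_option (or any other state change) reachable from admin_init, init or an admin-ajax handler with no current_user_can and no nonce check between the request and the write.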

This isn’t the first time that WP Live Chat has had to patch its plugin. Last year, its developers patched CVE-2018-12426, which was a bug allowing users to upload PHP scripts to the site and execute code remotely.

In April, Alert Logic found that the plugin was still vulnerable even after the patch. The developers introduced the flaw by writing their own file upload code rather than relying on WordPress’s built-in code, the researchers said.

WP Live Chat support fixed the JavaScript insertion bug in version 8.0.27 and the file upload bug in 8.0.29, released on 15 May 2017. Website owners should patch now, Sucuri says:

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

However, some users complained that they were unable to update. WP Live Chat’s page in the WordPress plugin directory says it is closed to new installations. In its support forum, user Tiiunder said:

I am not able to update the plugin anymore, which is necessary because of the vulnerability which occurred the last days.

I get the message: This plugin has been closed for new installations.

Others reported the same problem, with one complaining that the plugin was part of a WordPress theme they had bought.

We were unable to get a response from the company via several channels, but it urged people to update on Twitter last week. Its blog mentions that it recently merged the free and pro versions of the plugin and points to an installation guide.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ut5b6wFsORI/

Rats leave the sinking ship as hackers’ forum gets hacked

Prepare yourself for the warm glow of schadenfreude: OGUsers, a forum devoted to trading stolen Instagram, Twitter and other accounts, has apparently been hacked, its forum hard drives wiped, and its user database stolen and published on a rival hacking community site for any and all comers to download for free.

As Motherboard reported last year, OGUsers – called OGU by its members – is a forum popular among hackers who specialize in hijacking people’s accounts, particularly through SIM swapping.

Trading in desirable usernames

Launched in April 2017, the forum is a market for buying and selling “OG” usernames. That’s short for “original gangster” and refers to usernames that are considered desirable, whether it’s because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few.

According to Motherboard, OGUsers traded in hijacked social media accounts, as well as in PlayStation Network, Steam, Domino’s Pizza, and other online accounts.

The administrator of OGUsers, known as “Ace”, announced the attack in a post on the forum on 12 May 2019. According to security journalist Brian Krebs, Ace told forum members that an outage had been caused by hard drive failure that erased months’ worth of private forum posts and prestige points. Ace said they’ve restored a backup from January 2019.

But it has since emerged that the 12 May outage coincided with the theft of the forum’s user database and the erasure of its hard drives.

Four days after Ace’s post, the administrator of a rival hacking community, RaidForums, announced that they’d uploaded OGUsers’ database. RaidForums administrator Omnipotent also raised an eyebrow at OGUsers’ use of salted MD5 for password storage. (The eyebrow is warranted, though not because of MD5’s well-known collision weaknesses, which don’t matter here; what matters is that MD5 is fast. A salt defeats precomputed tables, but whoever holds the stolen table can still test billions of candidate passwords per second on a single GPU, which is why purpose-built password hashes such as bcrypt, scrypt and Argon2 are deliberately slow.) Come and get it, Omnipotent said:

On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.

Krebs got hold of the purloined list of OGUsers’ members. He said it appears to contain the usernames, email addresses, hashed passwords, private messages and IP addresses at the time of registration for around 113,000 users – although, he said, some users are likely using multiple aliases. Motherboard also checked out the database and found that it contained users’ emails and source code.

Motherboard verified the data by searching for two accounts registered by its reporters.
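Why “salted MD5” offers so little once the table is stolen, as an added PHP example that is not OGUsers’ code or any forum package’s code: the legacy md5(md5(salt) . md5(password)) construction used by some PHP forum software (that OGUsers stored hashes in exactly this form is an assumption, not something the article states), an offline dictionary attack against one leaked row, a guess-rate comparison with bcrypt, and the login-time migration a site should perform. All salts, hashes and wordlists are constructed for the example; it needs PHP 7.4 or later.

```php
<?php
/**
 * Added example (not OGUsers' or any forum package's code). Shows why a
 * stolen table of salted MD5 hashes is cheap to crack and how to migrate
 * it. The legacy form md5(md5(salt) . md5(password)) is one used by some PHP
 * forum software; that OGUsers used exactly it is an assumption.
 * All data below is constructed for the example.
 */

function legacy_salted_md5( string $password, string $salt ): string {
    return md5( md5( $salt ) . md5( $password ) );
}

// What the attacker does with a leaked row: the salt defeats precomputed
// tables but adds nothing to the cost of a guess, so a wordlist is replayed.
function crack_legacy_hash( string $hash, string $salt, array $wordlist ): ?string {
    foreach ( $wordlist as $guess ) {
        if ( hash_equals( $hash, legacy_salted_md5( $guess, $salt ) ) ) {
            return $guess;
        }
    }
    return null;
}

// Guesses per second for a hashing function on this machine (one core, plain
// PHP). A GPU cracker is orders of magnitude faster than this for MD5 and only
// modestly faster for bcrypt, which is the whole point of bcrypt.
function guess_rate( callable $hash_fn, int $iterations ): float {
    $start = hrtime( true );
    for ( $i = 0; $i < $iterations; $i++ ) {
        $hash_fn( 'candidate' . $i );
    }
    return $iterations / ( ( hrtime( true ) - $start ) / 1e9 );
}

// Login-time migration: verify against the legacy hash once, then replace it
// with bcrypt so the next theft yields slow hashes instead of fast ones.
// Returns the hash to store (new or unchanged), or null if the password was wrong.
function verify_and_upgrade( string $password, string $stored_hash, string $salt ): ?string {
    $options   = array( 'cost' => 12 );
    $is_legacy = ( strlen( $stored_hash ) === 32 && ctype_xdigit( $stored_hash ) );

    if ( $is_legacy ) {
        if ( ! hash_equals( $stored_hash, legacy_salted_md5( $password, $salt ) ) ) {
            return null;
        }
        // Correct password: re-store with a slow, self-salting hash.
        return password_hash( $password, PASSWORD_BCRYPT, $options );
    }

    if ( ! password_verify( $password, $stored_hash ) ) {
        return null;
    }
    // Already bcrypt: bump the cost transparently if policy has changed.
    return password_needs_rehash( $stored_hash, PASSWORD_BCRYPT, $options )
        ? password_hash( $password, PASSWORD_BCRYPT, $options )
        : $stored_hash;
}

/* ---------- Demo with constructed data --------------------------------- */

$salt     = 'k3Qz9a';
$leaked   = legacy_salted_md5( 'hunter2', $salt );
$wordlist = array( 'password', '123456', 'qwerty', 'letmein', 'hunter2' );

printf( "cracked    : %s\n", crack_legacy_hash( $leaked, $salt, $wordlist ) ?? '(none)' );
printf( "salted MD5 : %10.0f guesses/s\n",
    guess_rate( fn( $p ) => legacy_salted_md5( $p, $salt ), 200000 ) );
printf( "bcrypt(12) : %10.2f guesses/s\n",
    guess_rate( fn( $p ) => password_hash( $p, PASSWORD_BCRYPT, array( 'cost' => 12 ) ), 5 ) );

$upgraded = verify_and_upgrade( 'hunter2', $leaked, $salt );
printf( "upgraded to bcrypt: %s\n", ( $upgraded !== null && strncmp( $upgraded, '$2y$', 4 ) === 0 ) ? 'yes' : 'no' );
printf( "wrong password rejected: %s\n", verify_and_upgrade( 'letmein', $upgraded, $salt ) === null ? 'yes' : 'no' );
```

Run it with php on the command line. The absolute numbers depend on the machine, but the ratio is what matters: the MD5 variant manages hundreds of thousands of guesses per second in interpreted PHP alone, while bcrypt at cost 12 manages a few per second, and a GPU widens that gap by orders of magnitude for MD5 but not for bcrypt. The migration function is why a site never has to ask users to reset passwords to get rid of legacy hashes: each successful login replaces one row.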

Music from the tiniest violin

OGUsers’ members are, understandably, and to the delight of the universe’s karmic balance, freaked. Several threads on OGUsers have been filled with users worrying that they’ll be exposed due to the breach, while some claim that they’ve already received phishing emails, Krebs reports.

Some are furious at Ace, claiming he disabled users’ ability to remove their accounts. Krebs quoted one user who had this to say on the Discord chat:

Ace be like:

– not replace broken hard drives, causing the site to time warp back four months
– not secure website, causing user info to be leaked
– disable selfban so people can’t leave

Motherboard talked to one OGUsers member who said that the rats are leaving the sinking ship, worried about 1) getting hacked themselves and 2) a visit from the law:

It’s like a nuke dropped on the site. Some people only used OGU pms as their only contact, so if you were to look into it or an FBI agent there is a lot to find.

No, no, please don’t go, little ratties, Ace said in a post. OGUsers getting breached is just like any other site getting breached, they wrote, neglecting the part about how most of the users are presumably cybercrooks:

OGUsers has been online close to 3 years now and this is the first time any breach has occurred. I do understand everyone’s frustration and I am deeply sorry this has all happened recently. You must realize other sites such as Twitter, Facebook, Dropbox, Forums you have used in the past, and many more have been breached at least once. People are targeting the site 365 days a year. Again, I am deeply sorry this occurred and I will do my best to make sure it never happens again.

… yes, it’s exactly like Twitter or Facebook or Dropbox getting breached, with the teensy weensy exception of potential incarceration for the people whose personal information was exposed.

We’d wish you good luck as you scamper, little ratties, but hey, you know… karma and all that. We wish you no luck at all in escaping the long arm of the law, and the victims of your account hijackings no doubt share that attitude.

Still, we can’t be too tickled about crooks kicking each other’s shins off. Malware is a scourge that Sophos battles all the time, so we can’t applaud too loudly, even when, say, a Nigerian scammer infects himself.

And like we said when we reported about hackers hacking hackers – if hackers can be hacked, then so can you, if you aren’t careful.

So be careful!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h5Mud_fGpbo/

Amnesty sues maker of Pegasus, the spyware let in by WhatsApp zero day

Last week, Facebook’s WhatsApp whispered out a warning to update the mobile messaging app after learning that it had a vulnerability that really deserved to be shouted from the rooftops: a zero-day vulnerability that allowed hackers to silently install government spyware onto victims’ phones had been exploited in the wild.

The zero day meant that with just one call, spies could access your phone and plant spyware – specifically, the notorious Pegasus software.

Pegasus has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.

WhatsApp quickly patched the vulnerability.

Just as quickly, Amnesty International filed a lawsuit that seeks to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.

Last Monday, Amnesty announced that it’s taking the Israeli Ministry of Defense (MoD) to court to force it to revoke NSO Group’s export license.

Thirty members and supporters of Amnesty International Israel and others from the human rights community are alleging that NSO Group’s spyware has been used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.

Referencing the June 2018 spearphishing attack on an Amnesty staff member, Danna Ingleton, Deputy Director of Amnesty Tech, said in an affidavit that the attack was “the final straw.”

NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw.

The Israeli MoD has ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.

How Pegasus flies

As Ingleton described in the affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.

Alternatively, NSO Group has reportedly figured out how to infect a device without user interaction. As Motherboard has reported, all it takes is a phone call to a targeted device to grant the attacker full access to its contents, without the need for the victim to click on a rigged link.

Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections: end-to-end encryption protects messages in transit, not on a handset the spyware already controls, where it reads them after they have been decrypted for display. It also allows its operator to remotely operate the device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of the target’s location.

When Amnesty’s technology team analyzed the rigged link that had been sent via a WhatsApp message in the June 2018 spearphishing attack, they found that it was connected to a domain known to distribute and deploy NSO Group’s Pegasus spyware. Had the staff member clicked on the link – which they did not – they would have been taken to a site that would have attempted to install the spyware on their device.

In fact, the domain that hosted the link is part of a network of more than 600 suspicious domains used to trigger Pegasus infection, according to the affidavit.

Although the targeted Amnesty employee hadn’t clicked on the boobytrapped link, they were still horrified that they’d been targeted on the basis of their human rights work, in “clear violation of the right to freedom of opinion, freedom of expression, and the right to privacy, guaranteed under the International Covenant on Civil and Political Rights,” the affidavit said.

The fear is lingering: the employee has declined to have their name released in the aftermath. But he or she is only one of scores of targets: Citizen Lab has traced use of Pegasus spyware to 45 countries where its operators may have been using it in surveillance campaigns between August 2016 and August 2018.

Off-label use of government spyware?

NSO Group’s response to incidents of operators unlawfully using its software to persecute dissidents, activists and journalists has been consistent: it repeatedly points out that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. From the statement it put out after the June 2018 spearphishing attack on Amnesty:

NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.

In the lawsuit filed last week, Amnesty says that NSO Group has been ignoring the “foreseeable risk” that governments would misuse its spyware to unlawfully surveil human rights defenders.

There is no evidence that NSO Group refused to sell its products to those governments, ascertained that those governments had proper legal frameworks and oversight mechanisms for the use of spyware in place prior to any sale, or revoked access to its products after evidence emerged of their misuse.

NSO Group claims that its Business Ethics Committee reviews and approves all transactions and that it conducts investigations into allegations of misuse. Yet it hasn’t disclosed what factors it considers when choosing who to sell to, doesn’t disclose much of anything with regards to the results of its investigations into misuse, and has failed to demonstrate what, if anything, it’s done to mitigate the risks of misuse, the affidavit says.

At a minimum, NSO Group could review the human rights record of a prospective client country. It could also monitor use of products post-sale, Amnesty says.

Trampling on human rights

The legal action is being brought by Amnesty International as part of a joint project with New York University (NYU) School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic. Faculty Director Margaret Satterthwaite:

The targeting of human rights defenders for their work, using invasive digital surveillance tools, is not permissible under human rights law. Without stronger legal checks, the spyware industry enables governments to trample on the rights to privacy, freedom of opinion and expression.

The Israeli government needs to revoke NSO Group’s export license and stop it profiting from state-sponsored repression.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UBeqK0sI4bs/