STE WILLIAMS

78% of Consumers Say Online Companies Must Protect Their Info

Yet 68% agree they also must do more to protect their own information.

More than three-quarters of US consumers strongly agree that companies need to protect their information, a 16% increase over last year, according to a comprehensive study of online consumer behavior.

The research, conducted by IDology, also shows 71% of Americans say their decision to choose a financial institution would be positively affected if it uses better, more advanced identity verification methods. That’s a dramatic 27% increase over last year, when only 56% of Americans reported the same.

The “Second Annual Consumer Digital Identity Study” is based on 1,499 responses collected by an online survey from Jan. 29 to Feb. 11. Survey respondents are representative of the 225 million people who make up the US online population of 18 years old and older.

Christina Luttrell, IDology’s senior vice president of operations, adds that while consumers say companies need to protect their information, 68% strongly agree it’s also their own responsibility to protect their personal information.

Many consumers are taking action to protect themselves, she points out. Of those who were notified their data had been breached, 60% say they changed their account passwords, 38% had their card reissued, and 32% turned on two-factor authentication.

Consumers also expect more online, with 37% saying they have abandoned signing up for a new online account (via computer or mobile phone) because the process was too difficult or took too long. This was especially true among Gen Z respondents (51%) between the ages of 18 and 24.

“The younger folks want it fast, and they want it now,” Luttrell says. “And they don’t want to jump through hoops.”

Interestingly, asked whether they would use some of the new tools to sign into an online account, the majority (58%) of consumers say they prefer to enter their information manually, according to the report. However, 42% say they would auto-fill the information with a password manager, and 34% would be willing to snap a picture of an identity document, such as a driver’s license. Another 24% say they would be fine with a third-party pulling the added information from their mobile carriers, and 23% are OK with pulling identity information from their social media profiles.

Frank Dickson, a research vice president at IDC who focuses on identity management, adds that the old trade-off between security and ease of use has to change.

“The security industry has to make their products easy and secure,” Dickson says. “Companies have to invest, and it certainly takes extra work on the part of the provider. It’s a challenge, but it’s the responsibility of the provider to put in the extra effort and do it right.”


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/operations/identity-and-access-management/78--of-consumers-say-online-companies-must-protect-their-info/d/d-id/1334690?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Poorly Configured Server Exposes Most Panama Citizens’ Data

Compromised information includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.

An unprotected Elasticsearch server was found publicly exposing personally identifiable information belonging to nearly 90% of Panama citizens, a security researcher found last week.

Bob Diachenko, cyber threat intelligence director at Security Discovery, found the data sitting on a server where it was publicly available and visible in any browser. The database held 3.4 million records containing detailed information on Panamanian citizens, labeled “patients,” as well as 468,086 records labeled “test-patient.” He reports the exposed information appears to be valid.

Given Panama’s total population amounts to some 4.1 million people, he adds, the number of exposed records (including test-patient) would indicate compromise for 90% of citizens.

The compromised records contained the following: full names, birth dates, national ID numbers, medical insurance numbers, phone numbers, email and physical addresses, and other data. Diachenko alerted CERT Panama, which secured the database within 48 hours, he says. It’s unclear which business or government institution owns the poorly secured server.

Read more details here.


Article source: https://www.darkreading.com/cloud/poorly-configured-server-exposes-most-panama-citizens-data/d/d-id/1334691?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Break up Facebook, cofounder says: it’s an un-American monopoly

Mark’s power is unprecedented and un-American. It is time to break up Facebook.

That’s the gist of what Facebook co-founder Chris Hughes had to say in a lengthy op-ed published by the New York Times on Thursday. Of course, he was referring to Facebook CEO Mark Zuckerberg.

Well, he can probably kiss that friendship goodbye, Hughes said in an interview with CBS This Morning. The two were roommates while they attended Harvard and launched what would become the world’s most dominant social media platform. They’ve been friends ever since, even after Hughes left the company 10 years ago.

Great guy, perhaps a little power mad, and definitely in charge of a social media monopoly that’s strangling innovation in the cradle, Hughes said of Zuckerberg:

Mark is a good, kind person. But I’m angry that his focus on growth led him to sacrifice security and civility for clicks. I’m disappointed in myself and the early Facebook team for not thinking more about how the News Feed algorithm could change our culture, influence elections and empower nationalist leaders. And I’m worried that Mark has surrounded himself with a team that reinforces his beliefs instead of challenging them.

He has too much power.

The untouchable king of social media

Hughes’s editorial delves into how Zuckerberg – who controls 60% of the company’s voting shares – is, to quote a Vox headline, “essentially untouchable.”

Mark’s influence is staggering, far beyond that of anyone else in the private sector or in government. He controls three core communications platforms – Facebook, Instagram and WhatsApp – that billions of people use every day. Facebook’s board works more like an advisory committee than an overseer, because Mark controls around 60 percent of voting shares. Mark alone can decide how to configure Facebook’s algorithms to determine what people see in their News Feeds, what privacy settings they can use and even which messages get delivered. He sets the rules for how to distinguish violent and incendiary speech from the merely offensive, and he can choose to shut down a competitor by acquiring, blocking or copying it.

Hughes says this lack of checks on the head of a company that’s now worth about half a trillion dollars was evident in the aftermath of 2018 – what he calls Facebook’s “annus horribilis”, when Russian meddling in US discourse via social media came into focus and the Cambridge Analytica data debacle hatched.

Delete Facebook and go… where?

Disgusted users across the world launched a “Delete Facebook” movement. Fat lot of good it did them. Hughes referred to figures from the Pew Research Center that found that a quarter of users deleted their accounts from their phones during the year leading up to June 2018, but many did so only temporarily. And maybe some of them never left at all but thought they had, ignorant to the fact that Facebook has gobbled up social media rivals including WhatsApp and Instagram.

I heard more than one friend say, ‘I’m getting off Facebook altogether – thank God for Instagram,’ not realizing that Instagram was a Facebook subsidiary. In the end people did not leave the company’s platforms en masse. After all, where would they go?

Hughes thinks it’s time for the US to relearn how to bust monopolies, and Facebook is a good place to start. And no, we shouldn’t allow industries to self-regulate, he said:

We don’t expect calcified rules or voluntary commissions to work to regulate drug companies, health care companies, car manufacturers or credit card providers. Agencies oversee these industries to ensure that the private market works for the public good. In these cases, we all understand that government isn’t an external force meddling in an organic market; it’s what makes a dynamic and fair market possible in the first place. This should be just as true for social networking as it is for air travel or pharmaceuticals.

A $5 billion fine won’t solve this

The US Federal Trade Commission is now weighing whether to hold Zuckerberg and Facebook accountable for the string of privacy lapses, the Washington Post reported last month. In a statement, Facebook said they “hope to reach an appropriate and fair resolution.”

Even the $5 billion fine that the FTC is expected to impose won’t be enough to slow Facebook down, Hughes says. Rather, it’s apparently more like throwing fuel on a fire, given the spike in stock price that it sparked:

Last month, the day after the company predicted in an earnings call that it would need to pay up to $5 billion as a penalty for its negligence – a slap on the wrist – Facebook’s shares surged 7 percent, adding $30 billion to its value, six times the size of the fine.

Nor will Facebook’s offer to appoint some kind of privacy czar. The government “must hold Mark accountable,” Hughes said, rather than just being bowled over by the company’s success and made to look like doddering techno-illiterates:

After Mark’s congressional testimony last year, there should have been calls for him to truly reckon with his mistakes. Instead the legislators who questioned him were derided as too old and out of touch to understand how tech works. That’s the impression Mark wanted Americans to have, because it means little will change.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I0SarpJuX2Q/

Study finds Android smartphones riddled with suspect ‘bloatware’

One of the oft-discussed downsides of choosing an Android device is the phenomenon of pre-loaded “bloatware.”

Broadly speaking, these are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android itself.

Not all of this software is necessarily useless, and some vendors load less than others, but often it can’t be uninstalled, leaving users stuck with space-consuming software they might never use.

Worse still, according to a new study by researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US, which analysed crowdsourced data from 1,742 devices made by 214 vendors, bloatware can also create hidden security and privacy risks.

Their first discovery was the sheer amount and mysterious origins of the software shipping on Android devices, which totalled 424,584 firmware files, only 9% of which corresponded to app APKs found on Google Play.

That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers closely associated with smartphone makers.

What does all this software do?

Mostly social networking, advertising, and analytics, which included extensive tracking of users for commercial purposes, the researchers found.

A lot of it was obscure long-tail stuff but plenty of big brands appeared regularly, such as Spotify, Facebook, TripAdvisor, and AccuWeather.

Activities ranged from gathering location data to more invasive cases that resulted in the collection of phone call metadata, contacts and, of course, valuable behavioural data.

The analysis covered 144 countries, with the team also spotting a small number of known malicious apps.

Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior.

Android users understand that phone makers need to make a profit from the device. What’s less well understood is that the data users generate while using the device is also lucrative when scaled across millions of people. It’s not easy for Android users to fathom for themselves:

Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness.

And the sheer volume of pre-installed apps and privileges afforded to them increased the chances that some suffered from software flaws that might be exploited maliciously by third parties.

The researchers suggest reforms, including that phone makers be required to list the installed software, stating its developer and purpose and any data collection it is engaged in.

They also suggest reforming user consent – although that might not be easy to put into practice on a device with a dozen or more of these pre-installed apps, each one of which might require a separate agreement.

Perhaps, then, it would just be easier to allow users to uninstall all non-integral apps. This wouldn’t solve the bloatware problem (not all users would bother) but would at least give users some say in the matter.

Right now, buying an Android smartphone is like holding a party for a large number of guests you’ve never met and perhaps shouldn’t trust.

Listen to the podcast

In episode 26 of the Naked Security podcast, we looked into the annoying problem of bloatware on Android phones [01’54”]

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/j5R6uxxspik/

Two people indicted for massive Anthem health data breach

The US thinks it knows who’s behind the vast breach that siphoned off 78.8 million customer and employee records from US health insurer Anthem between 2014 and 2015.

On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China, that was behind not just the Anthem attack, but also attacks against three other US businesses.

The DOJ didn’t name the other businesses but did say they were data-rich. One was a technology business, one was in basic materials, and the third was in communications: all businesses that have to store and use large amounts of data – some of it confidential business information – on their networks and in their data warehouses.

The suspects are 32-year-old Fujie Wang – following the Chinese convention of putting a surname first, that would be Wang Fujie; he also used the Western nickname of “Dennis” – and a John Doe. Investigators haven’t yet figured out Doe’s real name, but the indictment said he goes by various online nicknames, as well as “Deniel Jack,” “Kim Young” and “Zhou Zhihong.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.

They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies. When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.

Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment.

Tiptoe through the tulips

They were in no rush, the indictment says. Sometimes, they’d allegedly wait months to take the next step, all the time quietly maintaining their access to the infected network.

Once the time was right, the hackers would allegedly sniff around for valuable personally identifiable information (PII) and confidential business information. In the case of Anthem, that information included names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment. In other words, a veritable toolkit for identity theft.

Then, the suspects and other hackers allegedly exfiltrated the data using encrypted archives, shuffling it through multiple computers as it wended its way on to its final destination: China. The indictment says they used Citrix ShareFile for data storage and transfer. Then, in an attempt to cover their tracks, they allegedly deleted the encrypted archives.

Wang is accused of having set up the servers, hosted in California and Arizona, that were used for the Anthem attack.

Biggest data breach settlement ever, most health records stolen

Mop-up was costly for Anthem: in 2017, the company agreed to pay $115 million to settle a class action lawsuit over the breach. It was the largest data breach settlement in history up until that date.

That’s only one of a few superlatives that adhered to the Anthem breach. It was the largest health insurance company in the US at the time, and it lost the most medical records, dwarfing that year’s next-biggest medical data breaches, with 11 million breached at Premera and 10 million from Excellus.

In the DOJ’s press release about the indictments, Assistant Attorney General Brian Benczkowski was quoted as saying that the hacking group’s brazenness, and the damage it caused, were unprecedented:

The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII. The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.

That doesn’t mean the US will have any luck getting Wang or Doe extradited. China would have to go along with it, and the likelihood of that is remote.

We’re still falling for spearphishing

The same year that the Anthem breach was discovered – 2015 – a survey of Black Hat attendees found that spearphishing was the top thing keeping security experts awake at night.

The majority of those polled (57%) reported that sophisticated, targeted attacks were their greatest concern. Yet only 26% reported that targeted attacks were among the top three spending priorities at their organizations, while only 20% said that targeted attacks were among the top three tasks where they were spending the most time.

Has anything changed in the years since? Hard to say without replicating that survey, but a quick look at just the incidents we’ve covered since then shows that spearphishing has been involved in many big ones, including (to name just a few):

We’ve also seen companies drained of hundreds of millions of dollars through whaling: the most targeted spearphishing attack out there. Those attacks are targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.

So yes, spearphishing is alive and well. It only takes one click to unleash a world of hurt, after all: it was only one employee, who clicked on one malicious link, in one malicious email, that let the hackers in to Anthem.

How to stay off the hook

You can never have too many tips when it comes to keeping your fingers off those phishy links.

In the past, we’ve served up tips on how to check that you’re not giving away information that can be used against you in a spearphishing attack.

We’ve also provided advice on how to protect your boss from getting whaled.

Stay cyber aware!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yVmuynl7CWo/

Baltimore hit with more ransomware, ChinaMobile gets the boot in the US, and another (mild) Systemd system-d’oh!

Roundup: Last week, a Symantec boss stepped down, a Chinese hacker was called out, and an AirBnB hidden camera creep was cuffed.

What else went on? See below.

Systemd, Linux, AMD and shoddy randomness

File this one under bad situations that probably don’t affect anyone.

It reemerged that some older generation AMD processors fail to generate random numbers in hardware after waking up from suspend, which has knock-on effects on Systemd on Linux.

The bug is down to the fact that the software stack relies on the CPU’s RDRAND instruction to generate random ID numbers, but this instruction fails to work properly, returning an error code, on older AMD chips after the machine wakes up from suspend. The end result is the computer can’t suspend again after waking up until the box is rebooted.

Fortunately, this flaw is extremely limited in scope. Those at risk include folks running certain versions of Linux, and the bug only shows up in generation 22 AMD chips (Ryzen is generation 23, for reference). So if you have a newer CPU, it will never show up. And in any case, developers are working on a fix.
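The failure mode described above, RDRAND reporting an error and the software stack not falling back to anything else, is one every consumer of hardware randomness has to handle. The following is an added example, not systemd’s code or anything from the page: a C routine that retries RDRAND while checking its carry flag (ten retries, per Intel’s published guidance), and falls back to the kernel’s getrandom() on Linux (/dev/urandom elsewhere) when the instruction keeps failing or is absent. The extra check that rejects all-zero or all-ones words is a defensive assumption added here, not something the page states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#if defined(__linux__)
#include <sys/random.h>   /* getrandom(2), glibc 2.25 and later */
#endif
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>        /* __get_cpuid(), bit_RDRND */
#define HAVE_RDRAND_ASM 1
#endif

/* Kernel-backed source used when the hardware instruction is unusable.
 * Returns 0 on success (value in *out), -1 on failure. */
int fallback_random_u64(uint64_t *out)
{
#if defined(__linux__)
    ssize_t n = getrandom(out, sizeof *out, 0);
    return (n == (ssize_t)sizeof *out) ? 0 : -1;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(out, 1, sizeof *out, f);
    fclose(f);
    return (n == sizeof *out) ? 0 : -1;
#endif
}

/* Hardware path. RDRAND sets the carry flag on success and clears it when the
 * on-chip DRNG had no data; the bug in the article is what happens when a
 * caller never checks that flag. Returns 1 on success, 0 when RDRAND is
 * unsupported, not built for x86-64, or failed on every retry. */
int rdrand_u64(uint64_t *out)
{
#ifdef HAVE_RDRAND_ASM
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    /* CPUID.1:ECX bit 30 advertises RDRAND; without it go straight to the fallback. */
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & bit_RDRND))
        return 0;
    for (int attempt = 0; attempt < 10; attempt++) {
        uint64_t v;
        unsigned char ok;
        __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(v), "=qm"(ok) : : "cc");
        if (!ok)
            continue;               /* CF clear: no data available yet, retry */
        /* Added defensive check (assumption, not from the page): a DRNG that
         * claims success but hands back a constant word is treated as broken. */
        if (v == 0 || v == UINT64_MAX)
            return 0;
        *out = v;
        return 1;
    }
#else
    (void)out;
#endif
    return 0;
}

/* What a robust stack does: try the hardware first, fall back to the kernel
 * when it reports failure. Returns 0 on success, -1 if no source worked. */
int secure_random_u64(uint64_t *out)
{
    if (rdrand_u64(out))
        return 0;
    return fallback_random_u64(out);
}

/* Returns 1 when two draws succeed and differ and the fallback also works;
 * two honest 64-bit draws never collide in practice. */
int random_self_test(void)
{
    uint64_t a = 0, b = 0, c = 0;
    if (secure_random_u64(&a) != 0 || secure_random_u64(&b) != 0)
        return 0;
    if (a == b)
        return 0;
    if (fallback_random_u64(&c) != 0)
        return 0;
    return 1;
}

int main(void)
{
    uint64_t v = 0;
    if (secure_random_u64(&v) != 0) {
        fputs("no usable random source\n", stderr);
        return 1;
    }
    printf("random u64: 0x%016llx (rdrand usable: %s)\n",
           (unsigned long long)v, rdrand_u64(&v) ? "yes" : "no");
    return random_self_test() ? 0 : 1;
}
```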

Leaky cloud DB exposes 275 million records in India

Last week, security consultant Bob Diachenko found an unsecured MongoDB database hosted in AWS that contained personal details of more than 275 million Indian citizens.

Diachenko, who has made a number of similar responsible disclosures – including another huge database breach last month – promptly notified the Indian CERT team, the national agency tasked with responding to major cyber security incidents.

Unfortunately, Indian CERT was dragging its feet, and a week later, the entire repository suddenly disappeared – in its stead, Diachenko found a calling card for hacker group Unistellar.

The message was simple: “Restore? Contact: [email protected]”

What this likely means is the database was discovered by Unistellar, who then attempted to extort the owner: Diachenko previously detailed a campaign of attacks against unsecured MongoDB databases, dubbed MongoLock.

What makes this story particularly interesting is the fact that the database had no apparent owner – suggesting it could have been a part of a large data harvesting operation, and the details were intended to be used in carrying out cyber crimes. So, no ransom then.

Diachenko found the unsecured MongoDB repository using Shodan, the original (and the best) search engine for Internet-connected devices. Shodan is a powerful port scanner, previously used to find traffic lights, security cameras, baby monitors, home heating systems as well as control systems for gas stations, power grids and even nuclear power plants.

Diachenko discovered a total of 275,265,298 records which included name, gender, email address, date of birth, salary, employment history and a few other personal details of Indian citizens.

Baltimore hit by ransomware (yet again)

No, this is not a repeat from 2018. The US city of Baltimore, Maryland is once again being hit with a malware infection.

This time, it’s a ransomware infection that has managed to shut down services at the City Council offices, board of elections, parks and rec, legislative reference office, and email for the police department.

No word yet on when services could be restored.

US Cert warns of Cisco controller flaws

The US-CERT has issued an alert to admins urging them to make sure copies of the Cisco Elastic Services Controller were up to date.

This after Cisco patched a critical flaw in the network management tool that could allow an attacker to target the REST API and bypass authentication protections. Versions 4.4 and earlier are vulnerable, though REST is not enabled by default, so most companies should be fine.

China Mobile blocked from the US

The Federal Communications Commission has once again taken action to keep a Chinese telco out of the US.

This time, it is China Mobile who was told no by the US comms watchdog. This after a review by the commission returned concerns that China Mobile was a little too close for comfort with Beijing, and may be pushed by the government to spy on network communications.

“Specifically, after an extensive review of the record in this proceeding, the Commission finds that due to several factors related to China Mobile USA’s ownership and control by the Chinese government, grant of the application would raise substantial and serious national security and law enforcement risks that cannot be addressed through a mitigation agreement between China Mobile and the federal government,” the FCC said.

Facebook suspends South Korean marketing firm

Stop us if you’ve heard this one before: Facebook is fessing up to allowing an unscrupulous marketing partner to play fast and loose with user data in an announcement released late in the afternoon West Coast time – just as it did with Cambridge Analytica.

Korea’s Rankwave is the culprit this time, as the Social Network says it wants to take the matter to court.

“Facebook was investigating Rankwave’s data practices in relation to its advertising and marketing services,” Facebook says.

“Rankwave failed to cooperate with our efforts to verify their compliance with our policies, which we require of all developers using our platform.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/13/security_roundup_100519/

Go on, Skippy, spill yer guts: 10.5 million+ Australians’ data was breached in past 3 months

The Office of the Australian Data Information Commissioner’s quarterly report has revealed that more than 10.5 million Ozzies – about 40 per cent of the lot of them – had their personal data slurped in one single incident in the first three months of 2019.

One specific incident affected “10 000 001 or more” individuals, while another single event hit between “250 000 and 500 000”. At least 10.5 million all told had their data slurped. The regulator has also issued its report for the first year of notification requirements, which showed three incidents that affected more than one million people.

Over the year from April 2018, the Data Information Commissioner (DIC) found human error was responsible for 35 per cent of all breaches, 60 per cent were blamed on malicious or criminal attack and five per cent on systems failure. Figures for the quarter were very similar with 131 breaches blamed on criminal hackers, 75 on human error and nine on systems failure.


The DIC added that 31 per cent of breaches were blamed on sending email to the wrong recipient, 16 per cent due to loss of paperwork or storage devices and 28 per cent blamed on accidental release or publication of data.

Of outsider incidents, 66 per cent involved cyber, 5 per cent were down to social engineering, 14 per cent theft of paperwork or storage devices and 15 per cent were blamed on insider or rogue employee actions.

Of those cyber attacks, 40 per cent were blamed on compromised or stolen credentials taken by an unknown method, 20 per cent on credentials stolen via phishing attacks, and 13 per cent on malware; ransomware and brute-force attacks contributed seven per cent each.

Private health providers made up 27 per cent of total notified breaches and 13 per cent came from the finance sector.

Total breaches were down to 215 in the quarter from 262 in the last quarter of 2018.

The OAIC does not typically name companies which have been breached, but some observers have pointed the finger at Marriott’s mega-breach – although The Reg notes that the massive personal data dump uncovered on Mega in early January could equally be suspected.

You can find the quarterly report here (PDF) and the numbers for the year here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/13/10m_ozzies_had_data_breached_in_last_three_months/

Baltimore hit with more ransomware, ChinaMobile gets the boot in the US, and another Systemd system-d’oh!

This week, a Symantec boss stepped down, a Chinese hacker was called out, and an AirBnB hidden camera creep was cuffed.

What else went on? See below.

Systemd shamed for shoddy randomness

File this one under bad situations that probably don’t affect anyone.

Researchers have found that some older generation AMD processors can have problems with Linux, thanks to a poorly-implemented random number generator.

The bug is down to misconfigured entropy components (aka random number generators) in the chips that can cause problems when the machines wake up from a sleep state. This occurs when the RDRAND call is used instead of the more common “getrandom()” command.

Fortunately, this flaw is extremely limited in scope. Those at risk include folks running certain versions of Linux, and the bug only shows up in Generation 22 AMD chips (Ryzen is generation 23, for reference). So if you have a newer CPU, it will never show up.

Leaky cloud DB exposes 275 million records in India

Last week, security consultant Bob Diachenko found an unsecured MongoDB database hosted in AWS that contained personal details of more than 275 million Indian citizens.

Diachenko, who has made a number of similar responsible disclosures – including another huge database breach last month – promptly notified the Indian CERT team, the national agency tasked with responding to major cyber security incidents.

Unfortunately, Indian CERT was dragging its feet, and a week later, the entire repository suddenly disappeared – in its stead, Diachenko found a calling card for hacker group Unistellar.

The message was simple: “Restore? Contact: [email protected]

What this likely means is the database was discovered by Unistellar, who then attempted to extort the owner: Diachenko previously detailed a campaign of attacks against unsecured MongoDB databases, dubbed MongoLock.

What makes this story particularly interesting is the fact that the database had no apparent owner – suggesting it could have been a part of a large data harvesting operation, and the details were intended to be used in carrying out cyber crimes. So, no ransom then.

Diachenko found the unsecured MongoDB repository using Shodan, the original (and the best) search engine for Internet-connected devices. Shodan is a powerful port scanner, previously used to find traffic lights, security cameras, baby monitors, home heating systems as well as control systems for gas stations, power grids and even nuclear power plants.

Diachenko discovered a total of 275,265,298 records which included name, gender, email address, date of birth, salary, employment history and a few other personal details of Indian citizens.

Baltimore hit by ransomware (yet again)

No, this is not a repeat from 2018. The city of Baltimore, Maryland is once again being hit with a malware infection.

This time, it’s a ransomware infection that has managed to shut down services at the City Council offices, board of elections, parks and rec, legislative reference office, and email for the police department.

No word yet on when services could be restored.

US-CERT warns of Cisco controller flaws

The US-CERT has issued an alert to admins urging them to make sure copies of the Cisco Elastic Services Controller were up to date.

This after Cisco patched a critical flaw in the network management tool that could allow an attacker to target the REST API and bypass authentication protections. Versions 4.4 and earlier are vulnerable, though REST is not enabled by default, so most companies should be fine.

China Mobile blocked from the US

The Federal Communications Commission has once again taken action to keep a Chinese telco out of the US.

This time, it is China Mobile who was told no by the US comms watchdog. This after a review by the commission returned concerns that China Mobile was a little too close for comfort with Beijing, and may be pushed by the government to spy on network communications.

“Specifically, after an extensive review of the record in this proceeding, the Commission finds that due to several factors related to China Mobile USA’s ownership and control by the Chinese government, grant of the application would raise substantial and serious national security and law enforcement risks that cannot be addressed through a mitigation agreement between China Mobile and the federal government,” the FCC said.

Facebook suspends South Korean marketing firm

Stop us if you’ve heard this one before: Facebook is fessing up to allowing an unscrupulous marketing partner to play fast and loose with user data in an announcement released late in the afternoon West Coast time – just as it did with Cambridge Analytica.

Korea’s Rankwave is the culprit this time, as the Social Network says it wants to take the matter to court.

“Facebook was investigating Rankwave’s data practices in relation to its advertising and marketing services,” Facebook says.

“Rankwave failed to cooperate with our efforts to verify their compliance with our policies, which we require of all developers using our platform.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/13/security_roundup_100519/

Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

A GPS tracker used by elderly people and young kids has a security hole that could allow others to track and secretly record their wearers.

The white-label product is manufactured in China and then rebadged and rebranded by a range of companies in the UK, US, Australia and elsewhere, including Pebbell 2, OwnFone and SureSafeGo. Over 10,000 people in the UK use the devices.

It has an in-built SIM card that is used to pinpoint the location of the user, as well as provide hands-free communications through a speaker and mic. As such, it is most commonly used by elderly people in case of a fall and on children whose parents want to be able to know where they are and contact them if necessary.

But researchers at Fidus Information Security discovered, and revealed on Friday, that the system has a dangerous flaw: you can send a text message to the SIM and force it to reset. From there, a remote attacker can cause the device to reveal its location, in real time, as well as secretly turn on the microphone.

The flaw also enables a third party to turn on and off all the key features of the products such as emergency contacts, fall detection, motion detection and a user-assigned PIN. In other words, a critical safety device can be completely disabled by anybody in the world through a text message.

The flaw was introduced in an update to the product: originally the portable fob communicated with a base station that was plugged into a phone line, an approach that provided no clear attack route. But in order to expand its range and usefulness, the SIM card was added so it was not reliant on a base station and would work over the mobile network.

The problem arises from the fact that the Chinese manufacturer built a PIN into the device so it would be locked to the telephone number programmed into the device. Which is fine, except the PIN was disabled by default and the PIN is currently not needed to reboot or reset the device.

And so it is possible to send a reset command to the device – if you know its SIM telephone number – and restore it to factory settings. At that point, the device is wide open and doesn’t need the PIN to make changes to the other functions. Which all amounts to remote access.

Random access memory

But how would you find out the device’s number? Well, the researchers got hold of one such device and its number and then ran a script where they sent messages to thousands of similar numbers to see if they hit anything.

They did. “Out of the 2,500 messages we sent, we got responses from 175 devices (7 per cent),” they wrote. “So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!”

The good news is that it is easy to fix, at least in new devices. You would simply add a unique code to each device and require it be used to reset the device. And you could limit the device to only receive calls or texts from a list of approved contacts.

But in the devices already on the market, the fix is not so easy: even by using the default PIN to lock it down, the ability to reset the device is still possible because it doesn’t require the PIN to be entered. The researchers say they have contacted the companies that use the device “to help them understand the risks posed by our findings” and say that they are “looking into and are actively recalling devices.” But they also note that some have not responded.
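To make the design point concrete, here is an added model of the fob's SMS command handling, written for this article and not taken from the tracker's firmware or from Fidus: the command names, the reset code and the sample senders are all hypothetical. The flawed handler accepts a reset from anyone and the reset wipes the only credential; the hardened handler applies the two fixes described above (a per-device reset code that a reset never clears, plus a sender allowlist).

```python
from dataclasses import dataclass, field


@dataclass
class Tracker:
    """State of one fob. pin=None models the article's 'PIN disabled by
    default'; reset_code is the per-device secret the researchers propose.
    All field values are hypothetical."""
    pin: str = None
    reset_code: str = None
    allowed_senders: set = field(default_factory=set)
    mic_on: bool = False
    fall_detection: bool = True


def apply_command(dev, cmd):
    """Effect of a non-reset command once it has been authorised
    (hypothetical command names)."""
    if cmd == "mic_on":
        dev.mic_on = True
    elif cmd == "fall_detection_off":
        dev.fall_detection = False
    return "ok"


def handle_flawed(dev, sender, cmd, pin=None):
    """The shipped behaviour as the article describes it: reset needs no
    PIN and wipes it, after which nothing needs the PIN. Any sender who
    knows the SIM number ends up in control."""
    if cmd == "reset":
        dev.pin, dev.mic_on, dev.fall_detection = None, False, True
        return "reset ok"
    if dev.pin is not None and pin != dev.pin:
        return "rejected"
    return apply_command(dev, cmd)


def handle_hardened(dev, sender, cmd, pin=None):
    """The proposed fixes: only allowlisted senders are heard, reset
    demands the per-device code (which a reset never clears), and the
    user PIN is mandatory for everything else."""
    if sender not in dev.allowed_senders:
        return "rejected"
    if cmd == "reset":
        if pin != dev.reset_code:
            return "rejected"
        dev.mic_on, dev.fall_detection = False, True  # pin and reset_code survive
        return "reset ok"
    if dev.pin is None or pin != dev.pin:
        return "rejected"
    return apply_command(dev, cmd)
```

The same two-message sequence (unauthenticated reset, then enable the microphone) succeeds against the flawed handler and is rejected twice by the hardened one.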

In short, poor design and the lack of a decent security audit prior to putting the updated product on the market has turned what is supposed to provide peace of mind into a potential stalking and listening nightmare. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/11/panic_alarms_hackable/

Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out

Cisco Talos researchers have uncovered an SQLite use-after-free vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device.

“An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0,” said Talos in a blog post describing the vuln, provisionally allocated CVE-2019-5018.

SQLite is an open-source project whose maintainers describe it as “the most used database engine in the world.”

SQLite implements SQL’s Window Functions, and Talos researcher Cory Duplantis found that the way SQLite handles the functions includes reusing a deleted partition.

As he noted: “After this partition is deleted, it is then reused in exprListAppendList, causing a use after free vulnerability, resulting in a denial of service. If an attacker can control this memory after the free, there is an opportunity to corrupt more data, potentially leading to code execution.”

Talos published a walkthrough, complete with examples of code highlighting precisely what the vuln is and how it exists. The fix is easy, up to a point: update your project or product to SQLite version 3.28, available on the SQLite website – and then roll out the fix to your end users.

Impact

Now, it sounds scary but the key thing here is that an attacker would have to execute carefully crafted SQL commands on the vulnerable engine to get code execution on the underlying host system.

Typically, users and miscreants aren’t allowed to run arbitrary SQL commands as that would mean they could potentially do far more damage, such as delete data or access information belonging to other users. If an attacker can inject or run their own SQL commands on a database, then it’s probably game over already for your application and data.

What this all really means is that if an application has an SQL injection security hole in it, it can be exploited in conjunction with this latest SQLite vulnerability to run arbitrary malicious code, such as malware, on the underlying computer or device. It would allow a hacker to jump from SQL injection to code execution.

Realistically, it requires the combination of an SQL injection flaw with this latest engine bug to do scary damage. So don’t panic, systems aren’t going to be pwned all over the world, but do patch if you can, because you don’t want potentially exploited vulnerabilities lingering in your kit.
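The two defensive checks that follow from the above, as an added example that is not Talos' or SQLite's code: confirm the SQLite library linked into your runtime is at or past the 3.28 release the article names, and keep caller-supplied values out of the SQL text so there is no injection hole for the engine bug to chain onto. The staff table and its rows are constructed sample data.

```python
import sqlite3

# Release the article names as carrying the fix for the window-function
# use-after-free (CVE-2019-5018); 3.26.0 is the version Talos tested.
FIXED_VERSION = (3, 28, 0)


def parse_version(text):
    """Turn '3.28.0' into (3, 28, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def sqlite_is_patched(version=None):
    """True when the SQLite library is at or past the fixed release.
    Defaults to the library linked into this Python interpreter."""
    if version is None:
        version = sqlite3.sqlite_version
    return parse_version(version) >= FIXED_VERSION


def make_demo_db():
    """Constructed sample data (not from the article) for the two lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [("alice", 50000), ("bob", 42000), ("carol", 61000)])
    return conn


def lookup_salary_unsafe(conn, name):
    """String formatting: caller-supplied text is parsed as SQL. This is
    the injection hole the article says an attacker needs before the
    engine bug becomes a code-execution problem."""
    query = f"SELECT salary FROM staff WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_salary_safe(conn, name):
    """Parameter binding: the value is handed to the engine separately and
    can never add clauses or window-function syntax to the statement."""
    query = "SELECT salary FROM staff WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    print("linked SQLite", sqlite3.sqlite_version, "patched:", sqlite_is_patched())
    db = make_demo_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_salary_unsafe(db, probe))  # every salary leaks
    print("safe:  ", lookup_salary_safe(db, probe))    # no such name: []
```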

History

Late last year, Tencent researchers spotted an SQLite vuln that could have been abused to inject malware into vulnerable systems, as we reported at the time. That one relied on memory corruption to create the conditions for arbitrary code execution, though the key vector was ordinary users being granted the privs to execute SQL commands.

Less recently, SQLite creator Dwayne Richard Hipp talked to El Reg about the project’s unabashedly Christian code of conduct. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/