STE WILLIAMS

HMRC’s database of Brits’ voiceprints has grown by 2 million since June – but campaign group Big Brother Watch has claimed success as 160,000 people turned the taxman’s requests down.

The Voice ID scheme, which requires taxpayers to say a key phrase that is recorded to create a digital signature, was introduced in January 2017. In the 18 months that followed, HMRC scooped up some 5.1 million people’s voiceprints this way.

Since then, another 2 million records have been collected, according to a Freedom of Information request from Big Brother Watch.

That is despite the group having challenged the lawfulness of the system in June 2018, arguing that users hadn’t been given enough information on the scheme, how to opt in or out, or details on when or how their data would be deleted.

Under the GDPR, there are certain demands on organisations that process biometric data. These require a person to give “explicit consent” that is “freely given, specific, informed and unambiguous”.

Off the back of the complaint, the Information Commissioner’s Office launched an investigation, and Big Brother Watch said the body would soon announce what action it will take.

Meanwhile, HMRC has rejigged the recording so it offers callers a clear way to opt out of the scheme – previously, as perm sec Jon Thompson admitted in September, it was not clear how users could do this.

Big Brother Watch said that this, and the publicity around the VoiceID scheme, has led to a “backlash” as people call on HMRC to delete their Voice IDs. FoI responses show 162,185 people have done so to date.

“It is a great success for us that HMRC has finally allowed taxpayers to delete their voiceprints and that so many thousands of people are reclaiming their rights by getting their Voice IDs deleted,” said the group’s director, Silkie Carlo.

“Now it is down to the ICO to take robust action and show that the government isn’t above the law. HMRC took millions of Voice IDs without taxpayers’ legal consent – the only satisfactory outcome is for those millions of Voice IDs to be deleted.”

An HMRC spokesman told The Register: “Our Voice ID system is very popular with millions of customers as it gives a quick route to access accounts by phone.

“All our data is stored securely and customers can opt out of Voice ID or delete their records any time they want. Seven million customers are using this system and only a very small percentage of customers have chosen to opt out.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/25/hmrc_voice_id_big_brother_watch/

Interview A senior EU cybersecurity official has said he is “optimistic” about information sharing between the UK and the political bloc continuing after Brexit.

In an interview with The Register, Steve Purser of the EU agency for Network and Information Security (ENISA) said that while it is “obvious” that the information-sharing relationship “will be changed… if the Brexit goes about”, he is keeping an open mind.

This could be seen as a contrast to the decidedly gloomy view being promoted today by a slack handful of retired defence and security bigwigs.

“ENISA and the [EU] Commission doesn’t just do things within our boundaries,” he said at France’s FIC2019 infosec shindig earlier this week. “My guess would be that [being] within the Union would give the best information sharing relationship. Having said that, we are looking for global approaches and we will make the best deal out of a bad situation.”

ENISA is a relatively small agency based on the Greek island of Crete. Employing 83 people at present, its ambition is to grow to “around 140” heads – and, presumably, expand its annual budget of just 11m euros. Following new EU cybersecurity directives in 2017, Purser told us, ENISA secured “a permanent mandate and [many] more responsibilites.”

“The most interesting thing about it from my point of view is that we get a very big new responsibility which is to set up an EU cybersecurity certification framework. This is a framework that will allow certifying authorities to certify everything from lightbulbs, toasters to atomic stations and submarines. And processes and services,” he added. This “voluntary” scheme would, in his vision, ultimately allow the general public to “understand and interpret” the security capabilities of consumer goods and “influence their purchasing decisions.”

A shop-of-shops

ENISA functions by “leveraging the expertise of the [EU] member states”, said Purser. Rather than doing all its own work in-house, it aims to bring together “a community of experts” to work on problems and exercises. Though this seems like a very limited role, when we put this to Purser he emphasised how “scalable” ENISA’s setup is:

“By working like this, the ownership of the solution is with the community. That’s a powerful model because it’s then their solution and not ENISA’s solution. We do not pretend to be those that can save the world but by working together [with the EU] member states, together we can do an extremely good job.”

Surely, El Reg asked, it’s not all as smooth as that, and the EU’s traditionally top-down approach doesn’t really gel with the realities of frontline infosec? Purser, bespectacled and slightly flush from the powerful heating in Lille’s Grand Palais conference centre, nodded. “When we started out, we did terribly.”

Referring to a 2010 exercise that was a “failure”, Purser said that “was the best possible thing that could have happened. Ever since then we’ve been doing exercises every two years and now have a very sophisticated setup. We have SOPs defined across borders… incidentally, they were used for Wannacry and Notpetya, so we had a better response than we would have done otherwise.”

In light of that failure, he said ENISA has three main objectives regarding incident response terms: identifying who to call; understanding that person’s “decision making powers and capabilities”; and exchanging, in a secure way, the right information to solve the problem.

“A lot of what ENISA does is bottom up,” he emphasised. “We get the experience on why some things worked well and others don’t, and we feed back into the policy loop.”

Don’t worry, be happy … oh, er, about that

In terms of what badness he sees coming our way this year, Purser was explicit: ENISA thinks black hats are getting more sophisticated and more geared towards hacking for profit rather than notoriety.

“We see, to a certain extent, a move towards hardware,” he said. “Spectre and Meltdown, the Rocker vuln, some evidence that things may be moving lower down in the stack to some extent.”

“Monetisation, for sure,” he continued. “People used to hack for reputation, now it’s about money. There are industrial level processes and quality systems supporting some attacks. We see people understanding the weaknesses of new technologies – but, of course, when new things come out like AI or robotics we can be ready for a whole new wave of attacks.”

Moreover, things are not going to get safer any time soon. Even new technologies bring their own unique set of threats with them, Purser agreed.

“Fundamental concepts are being threatened. For many years we assumed that safety and security were pretty much the same thing, whereas some things taught us that’s not necessarily true. The example I give is the Eurowings crash where the pilot used a security feature to crash the plane.* As we move into the world of cyberphysical systems, we cant assume they’re the same: we have to look very carefully at the two.” ®

Bootnote

* Andreas Lubitz, the Germanwings pilot who in 2015 murdered 150 people in cold blood as well as himself, waited until the aircraft captain briefly left the flight deck before locking the cockpit door shut and setting the autopilot to fly into the Alps. After the Twin Towers terrorist murders of 2001, all airliner cockpit doors were reinforced and made unopenable from the outside if locked.

Shortly after the Alps mass murder, Germanwings rebranded as Eurowings.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/25/enisa_steve_purser_interview/

Something for the Weekend, Sir? This place is a mess. No, worse than that: it’s a disaster area.

I hesitate to use the analogy “it looks like a bomb hit it” in this lively era of mischievous politics and religious fascism. Besides it’s not an appropriate description of the sight before my eyes. No, not bombs. Wild horses, perhaps. Possibly a tornado. Or most likely of all, one really determined dickhead.

I am witnessing the aftermath left behind by a previous visitor to the shared office kitchenette facilities.

When I arrived this morning, everything was pretty much as the cleaners had left it last night: mugs and glasses sparkling in the cupboard, steel sink and chrome taps twinkling with glinty health, Formica surfaces wiped and reflective. At 11:00am, I return for a hot water top-up only to discover a scene of utter bedlam.

About 100 mugs – stained on the outside as well as inside and mostly still half full of miserable brown liquid – are piled up around the work surfaces and in the sink. Pools of milk have been liberally poured around the kitchen, including on top of the microwave and dribbling down the sides of the green metal fire extinguisher. Something orange has been proficiently exploded inside the microwave, entirely obscuring the little window; even with the door closed, it smells of fish.

Mostly dry and unused teabags are littered everywhere in an arrangement which, while not unartistic, suggests no obvious purpose, including in the sink and even a couple inside the fridge. Twisted shreds of dry kitchen paper are heaped on the floor around the waste bin, and a couple more are deftly balanced on top around its edge; the bin itself is empty. As I walk with trepidation towards the kettle, granulated sugar crunches unpleasantly under foot.

The fact that I am a temporary contract visitor to client premises does not hide the fact that I am sharing this kitchenette with a mere dozen employees. It is impossible, as I crunch back out of the disaster zone, not to gaze across the few rows of desks and play a mental game of Find The Dickhead.

Golly, it makes me so cross. Grr. See? If you are feeling sympathetic anger, feel free to manage it with the help of a little light music as you read on.

Youtube Video

Then it hits me: how the heck did they create such wild disorder without being seen or heard in the act? Slip in, cause utter mayhem, slip out quietly. That’s actually quite a skill. Even hackers don’t escape unnoticed… or do they?

At the time, I was trying to detail the circumstances around the appearance of Collection #1, last week’s massive data breach in which 773 million email users exposed themselves on a hacking site. As its name suggests, it’s not a new security break-in but a big bunch of previous stolen lists gathered into one place for unrestricted use by the cyberspacernet’s official Naughty Community.

If you haven’t been following this story because it’s about data security and therefore the dullest thing in human existence, here’s the tl;dr. Go to Have I Been Pwned and type in your email addresses to see which of them are in the collection.

Reg readers almost certainly won’t need to panic when they inevitably see at least one of their addresses returned with “Oh no – pwned!” You will already have changed your ID credentials long ago. Most of this stuff comes from classic ID list hacks over the last eight years, including famous ones such as Adobe’s amateurish 2013 loss of 153 million poorly encrypted passwords, Dropbox’s 2012 breach of tens of millions of IDs, and LinkedIn’s loss of 164 million addresses and passwords which were apparently nabbed in 2012 but not exploited until 2016 and of course yet again last week.

For me, the amusing detail was in the work of now-celebrity security researcher, 1Password evangelist and founder of the Have I Been Pwned site Troy Hunt in condensing duplicates. From a total data dump of 2.6 billion email addresses, he brought this down to 772,904,991 unique ones. OK, that’s not exactly hilarious until Troy Hunt notes that these correspond with just 21,222,975 unique passwords.

Er… 21 million passwords for 773 million email addresses? Strictly speaking (if statistically idiotic, I realise) this could mean on average that your unique password is being shared by 35 other people. More likely, your devilishly cunning password is probably shared only by a handful of people who bothered to use uppercase, lowercase, numbers and special characters while also having coincidentally named their pet identically to yours. The other 772.9 million email addresses are all using the same password as each other.

In theory again, if there are on average 36 email addresses for every unique password in the exposed IDs, this suggests to me that hackers could find it 36 times easier to guess your password than guess your email address. Yes yes, I know, but even if you factor in the usual uppercase, lowercase, numbers and special characters, I reckon it works out even in the end.

And even so, a common theme across a lot of the lists in Collection #1 is not how bad our passwords are, but how ineffectively and incompetently big companies bother to secure them. If I choose to use the password passw0rd for a dozen logins, that’s a risk I take upon myself. But if my crap password turns up unsalted alongside my email address on a hacking site, that’s down to the original list manager failing to protect it, plunging me into a world of shit as a result of their cavalier attitude to data security, not mine.

Talking of a world of shit, I have just visited the Gentlemen’s toilet facilities at my aforementioned client’s offices.

Oh. My. God.

Since my initial visit upon arriving at work, it appears that the office toilets have played venue to a mass brawl between an American football team (both offence and defence), a monastery of whirling dervishes, a band of anarchistic freerunners and a drug-crazed troupe of uncharacteristically violent Morris dancers. While shitting.

I stagger back into the open-plan office in horror, gasping for breath, as someone somewhere leans onto the keys of a church organ. Gaping at my dozen temporary colleagues in horror, I am filled with marvel and revulsion in equal measure at such stealth. Which of you filthy bastards…? And how…? When…?

Grr. See? I’m getting angry again. Put the music back on and we’ll get through this.

Youtube Video

Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He claims not to suffer from OCD but insists it is arguably unnecessary to distribute 37 torn shreds of toilet paper artlessly across the cubicle before urinating directly onto the seat, the lid, the back wall and across the floor. As for the rest, he can only assume they were voiding their bowels with the aid of a power hose turned to the “fan” setting. @alidabbs

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/25/data_hackers_are_like_toilet_ninjas_this_is_not_a_clean_crime_you_know/

A strain of malware has been clocked using steganography to run malicious JavaScript on Macs via images in online banner ads, it was claimed this week.

A joint report from security shops Confiant and Malwarebytes drilled into the techniques used by VeryMal, a malvertising operation that spreads through poisoned ad images. What they found was that miscreants were avoiding security filters by hiding code in images using steganography.

That code, when executed in the browser, redirects the visitor to dodgy sites that try to trick people into installing Adobe Flash updates and similar fare that are actually adware, which secretly clicks on ads in the background to generate revenue for the campaign’s masterminds. We’ve seen this kind of thing before, against Windows PCs.

We’re told VerMal was active between January 11 and 13, on two top-tier ad exchanges used by a quarter of the top 100 publisher websites, targeting macOS and iOS users in the US. It was also doing the rounds in December, according to Confiant.

The upshot: as many as five million netizens a day shown maliciously crafted adverts, costing the industry $1.2m in just one day, it is alleged. That dollar value is the guesstimated impact of running these dodgy ads – from an increase in blockers and loss of trust in publishers to money paid out by advertisers and networks for fraudulent clicks.

“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Confiant security engineer Eliya Stein.

“The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

Beware Greeks bearing lists: Bank-raiding nasty Zeus smuggles attack orders in JPEGs

READ MORE

Stein said that in the case of VeryMal, the banner ad image containing the code is just a benign image: it is not dangerous on its own, and doesn’t exploit any vulnerabilities in the browser. However, encoded in the pixels of the image is malicious JavaScript code. Crucially, the ad is served to the browser along with a small piece of seemingly harmless JS that reads through the image’s pixels, extracts the malicious script from these bytes into a string, and then executes the string.

(Don’t forget that in this day and age, ads are fetched as a package of images and code, the latter of which lets the ad network know if the former was seen by an actual human. For instance, if a reader scrolls past an ad too fast, it isn’t reported as a successful impression by the bundled watchdog code. If the ad was fetched but not visibly rendered due to a blocker, the watchdog again snitches to the network.)

Security software scanning for malicious JS will not spot it smuggled into the ad image, and will likely let through the side-loaded extraction code. One solution to all of this, of course, is to block ad images and sidekick code from being fetched. (Just make sure you white-list the nice ads, like ours.)

Interestingly, the code checks to see if Apple fonts are present, and if so, it figures it’s running on a Mac and continues on. Non-Macs stop at this point. Here are the full extraction steps, according to the report:

* Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.)

* Grab the image located at: hxxp://s.ad-pixel.com/sscc.jpg

* Define a function that checks if a specific font family is supported in the browser.

* Check if Apple fonts are supported. If not, then do nothing.

* If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character.

* Add the newly extracted character to a string.

* Execute the code in the string.

“Much of the buzz around these types of attacks will have you believe that the image file alone is the threat and that we now have to fear the images that our browsers load during day to day web surfing, but this is a departure from the truth,” said Stein.

“Validating the integrity of individual image files served in ads makes little sense within the broader context of the execution of these payloads.

“Estimated all together, Confiant benchmarks the cost impact for just that Jan 11th peak alone to have been over $1.2 million. When you consider that this was just one of multiple hundreds attacks Confiant has caught and blocked over the past month alone, the scale of the issues facing the digital ad industry becomes clearer.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/24/mac_steganography_malware/

Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.

On Thursday, Dirk-jan Mollema, a security researcher with Fox-IT in the Netherlands, published proof-of-concept code and an explanation of the attack, which involves the interplay of three separate issues.

According to Mollema, the primary problem is that Exchange has high privileges by default in the Active Directory domain.

“The Exchange Windows Permissions group has WriteDacl access on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations,” he explains in his post.

This allows an attacker to synchronize the hashed passwords of the Active Directory users through a Domain Controller operation. Access to these hashed passwords allows the attacker to impersonate users and authenticate to any service using NTLM (a Microsoft authentication protocol) or Kerberos authentication within that domain.

Mollema wasn’t immediately available to discuss his work due to time zone differences and the need to involve a media handler.

The attack relies on two Python-based tools: privexchange.py and ntlmrelayx.py. It has been tested on Exchange 2013 (CU21) on Windows Server 2012 R2, relayed to (fully patched) Windows Server 2016 DC and Exchange 2016 (CU11) on Windows Server 2016, and relayed to a Server 2019 DC, again fully patched.

Using NTLM, Mollema says it’s possible to transfer automatic Windows authentication, which occurs upon connection to the attacker’s machine, to other machines on the network.

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

READ MORE

How then to get Exchange to authenticate the attacker? Mollema points to a ZDI researcher who found a way to obtain Exchange authentication using an arbitrary URL over HTTP through the Exchange PushSubscription API using a reflection attack.

If this technique is instead used to perform a relay attack against LDAP, taking advantage of Exchange’s high default privileges, it’s possible to for the attacker to obtain DCSync rights.

Mollema describes several potential mitigations for the attack in his post. These include: reducing Exchange privileges on the Domain object; enabling LDAP signing and channel binding; blocking Exchange servers from connecting to arbitrary ports; enabling Extended Protection for Authentication on Exchange endpoints in IIS; removing the registry key that allows relaying; and enforcing SMB signing.

In a statement emailed to The Register, Microsoft avoided commenting on the specific vulnerability described by Mollema, but the wording of its coy, content-free reply suggests the company may issue a fix in February.

“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible,” a Microsoft spokesperson said. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/25/microsoft_exchange_hashed_passwords/

Breach latest example of how misconfigurations, human errors undermine security in a big way, experts say.

Data on tens of thousands of loans and mortgages issued by Wells Fargo, CapitalOne, and several other financial institutions — some now defunct — was recently found leaked online in what appears to be a particularly egregious example of human error.

Independent security researcher Volodymyr “Bob” Diachenko discovered the data on January 10 in an Elasticsearch database that was openly accessible via the Internet and not protected even by a password. The database has since been removed.

Diachenko, in collaboration with TechCrunch, investigated the breach and identified the entity responsible for putting the database online as Ascension Data Analytics, a firm that provides a range of custom analytics services around loan data. Ascension is a vendor to companies that purchase mortgages and loans from banks.

TechCrunch, the first to report the breach along with Diachenko’s Security Discovery blog, quoted representatives from Citi and Wells Fargo as saying the banks had no direct connection with Ascension.

In total, the database that Diachenko found contained more than 24 million records amounting to some 51GB of data. Many of the documents contained the full names, addresses, social security numbers, credit history, loan amounts, repayment schedules, and other details typically associated with a home mortgage or other bank loan. Such information can be especially useful to criminals seeking to commit identify theft and other types of financial fraud.

The records were copies of handwritten notes and printed documents related to loans and mortgages that Ascension had converted into a computer-readable form via Optical Character Recognition (OCR).

Diachenko, who regularly uses public search engines like Shodan and Censys to search for exposed databases and report them back to the responsible organizations, says he found the Ascension data the same way.

“Despite my pretty busy pipeline of reports, it is not often when I find such a large amount of sensitive data collected in one place, without any password or login,” Diachenko says.

Most of the time, the exposure is the result of a human error rather than a technical or factory-level misconfiguration, he says. “On top of that, insecure databases have always been a common target for attackers, especially Elasticsearch instances.”

The TechCrunch report suggests that a New York-based company called OpticsML that works with Ascension was involved in the breach as well. But it is not entirely clear what the company’s role was in the incident. Neither Ascension nor Rocktop Partners — a firm that TechCrunch identified as the parent of Ascension — responded to a Dark Reading request for comment on the data breach. But in comments to TechCrunch, a Rocktop representative confirmed the breach and said it will notify all individuals impacted by the exposure.

Unintended Disclosures

Despite all the concern over cybercriminals and nation-state actors, a startlingly high proportion of data breaches, especially in the cloud, result from basic misconfigurations and human error. “The big takeaway is that this data exposure was totally avoidable,” says Praveen Kothari, CEO of CipherCloud.

Based on available data, the breach appears to have been the result of an internal administrative error. “In the final analysis, the cloud providers secure their infrastructure, but it is totally up to you to secure your data,” Kothari says.

Data maintained by the Privacy Rights Clearinghouse shows that 20% of all breaches in 2018 resulted from causes not involving hacking or criminal intent. In many cases, the breaches were the result of sensitive information accidentally being posted publicly, sent to the wrong party, mistakenly distributed via email or physical mail, and other similar mishandling. More data records – 54.7% – were exposed last year via such incidents than any other reason.

In a report last year, Symantec identified the three most common configuration mistakes that organizations make in the cloud as leaky storage buckets, vulnerabilities caused by open-source components, and accidentally leaving tokens, passwords and other secrets in publicly accessible repositories. In a 2018 study, Digital Shadows estimated some 1.5 billion files are exposed online as the result of misconfigured Amazon S3 buckets, FTP servers, network attached storage, and SMB file-sharing.

“Common configuration errors include failing to password-protect databases with sensitive data, failing to configure servers to limit access, and failing to encrypt sensitive data in general,” says Jonathan Deveaux, head of enterprise data protection at comforte AG.

Mistakes often result from a lack of knowledge about where sensitive data resides, he says. Negligent and careless insiders and a failure to recognize that security is everyone’s concern are other issues, he notes.

Colin Bastable, CEO of Lucy Security, says breaches such as the one involving Ascension are the manifestation of a training and attitude problem. “Who leaves such data without password protection? Someone who does not care,” he says.

Plenty of tools are available to protect data at all stages of the lifecycle, so technology is not an issue. “Fundamentally … management needs to fear the consequences of exposing personal data more than they crave the money from trading data,” Bastable says.

Partner Problems

The Ascension data breach is also another example of the exposure that companies can face from the security mistakes of partners, suppliers, vendors, and other third parties with whom they interact either directly, or even indirectly. In this case, even though Citi and Wells Fargo did not appear to have direct contact with Ascension for years, their customer data still got exposed.

Such incidents show why it is important for organizations to prioritize vendors based on business exposure and potential impact and then applying the right level of due diligence to those vendors, says Fred Kneip, CEO at CyberGRX.

“A lot of organizations don’t have a handle on which vendors pose them the greatest risk,” he says. 

Related Content:

• 49% of Cloud Databases Left Unencrypted
• Study Finds Petabytes of Sensitive Data Open to the Internet
• AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models
• 6 Serverless and Containerization Trends CISOs Should Track

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/database-of-24-million-mortgage-loan-records-left-exposed-online/d/d-id/1333730?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple