STE WILLIAMS

“Proceed with caution”: Microsoft browser says Mail Online is untrustworthy

As legislators and the public have bludgeoned them with complaints about how they’ve let fake news melt democracy, tech big boys such as Microsoft and Facebook have said hey, that ain’t our thing – we’ll get fact-checkers to take this slapping for us.

Bring it on, said one of those fact-checking services. The buck stops right here, said third-party startup NewsGuard… following it having glued an “untrustworthy” badge onto the Daily Mail’s journalism, which includes the Mail on Sunday and Mail Online.

As part of Microsoft’s attempt to stop the spread of malarkey, the company has preinstalled NewsGuard’s messages into its Microsoft Edge browser on Android and iOS. Thus, as of this week, Edge users are seeing messages saying that Mail Online rates a one out of five for credibility: “the same level as the Kremlin-backed RT news service,” as The Guardian reports.

The Daily Mail is a UK tabloid that’s second only to The Sun for daily newspaper readership. It, along with its online outlets, has been rated by NewsGuard as “generally fail[ing] to maintain basic standards of accuracy and accountability.”

According to The Guardian (which, according to PC Mag, NewsGuard has rated as trustworthy), Microsoft Edge users who visit Mail Online will now see a small shield icon in the URL bar at the top of the screen. It asserts that the website…

…generally fails to maintain basic standards of accuracy and accountability… [and] has been forced to pay damages in numerous high-profile cases.

Readers should tread with caution, NewsGuard says, given that…

…the site regularly publishes content that has damaged reputations, caused widespread alarm, or constituted harassment or invasion of privacy.

NewsGuard is also warning that the Daily Mail sites fail to “handle the difference between news and opinion responsibly” and fail to reveal “who’s in charge, including any possible conflicts of interest.”

The NewsGuard app is run by a group of veteran journalists, including co-CEOs Steven Brill – who founded The American Lawyer, Court TV, and the Yale Journalism Initiative – and Gordon Crovitz, who was a publisher of, and a columnist writing for, the Wall Street Journal.

It eschews algorithms, instead relying on a team of trained journalists and editors to review and rate websites based on journalistic criteria such as whether a site regularly publishes false content, reveals conflicts of interest, discloses financing, or publicly corrects reporting errors.

When a site fails to meet any of its nine criteria, NewsGuard emails and calls, to try to give it a chance to comment.

That’s what NewsGuard says it did with the Daily Mail. NewsGuard’s label states “fairly clearly” how many times it tried to contact Mail Online, Brill told the Guardian. However, that conversation was not to be, Brill said:

The analyst that wrote this writeup got someone on the phone who, as soon [as] he heard who she was and where she was calling from, hung up. We would love to hear if they have a complaint or if they change anything.

Don’t blame Microsoft for the rating, he said. This one’s on us, and we’re happy to answer for it:

They can blame us. And we’re happy to be blamed. Unlike the platforms, we’re happy to be accountable.

We want people to game our system. We are totally transparent. We are not an algorithm.

“The buck stops here” is NewsGuard’s business model: it’s licensed to tech companies that want to fight fake news but don’t want to be the ones responsible for separating the wheat from the chaff.

It’s already completed these “human-generated verdicts” on the top 2,000 news outlets in the US, Brill said, and is staffing up to do the same with the top 150 news sites in the UK. The plan is to publish those results in April.

A Mail Online spokesperson told the Guardian that they’re now talking to NewsGuard to rectify this “egregiously erroneous classification”:

We have only very recently become aware of the NewsGuard startup and are in discussions with them to have this egregiously erroneous classification resolved as soon as possible.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BAqjy0sLcUg/

Update now! Apple releases first 2019 iOS and macOS patches

Apple has issued its January security updates fixing a list of mostly shared CVE flaws affecting iOS and macOS with a smattering for Safari, watchOS, tvOS, and iCloud for Windows.

iOS v12.1.3

This latest version fixes a sizable list of CVEs for the iPhone 5s and later, and the iPad and iPod Touch 6th Generation. Almost all were reported to Apple by external researchers.

Among the interesting ones are CVE-2019-6200, a remote code execution (RCE) Bluetooth flaw, and CVE-2019-6224, another RCE an attacker might exploit through FaceTime.

Fixes for the WebKit browser engine make up another nine CVEs, including CVE-2019-6229 which might allow cross-site scripting through a malicious web page.

Kernel-level flaws account for six CVEs, all of which would allow an attacker able to sneak a malicious app past Apple to elevate privileges, break out of the sandbox, or execute malicious code.

The update should appear without intervention, or you can check manually via Settings > General > Software Update.

macOS v10.14.3 Mojave

This update, also known as Security Update 2019-001 for Sierra and High Sierra, includes most of the CVEs mentioned in the iOS v12.1.3 update, including those for Bluetooth, FaceTime, WebRTC, CoreAnimation, SQLite, IOKit, and those affecting the kernel.

Those specific to macOS Sierra/High Sierra are CVE-2018-4452, an RCE weakness affecting the Intel Graphics Driver, and CVE-2018-4467, a privilege-elevation issue affecting the OS’s hypervisor.

Affecting all versions is CVE-2019-6220, an out-of-bounds flaw in QuartzCore that could allow an attacker to read restricted memory.

Updating can be initiated through System Preferences > Software Update. If you haven’t ticked the box marked “Automatically keep my Mac up to date”, it might be a good idea to do that now.

Finally, an Apple update wouldn’t be complete without something for Safari, which gets CVE-2019-6228, fixing a cross-site scripting vulnerability with better URL validation in the browser’s Reader.

Updates are also available for iCloud for Windows (v7.10), watchOS (v5.1.3), and tvOS (v12.1.2).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2LToQ8xRk00/

How to stop a hacker home invasion! [VIDEO]

In this week’s Naked Security Live video, we investigate the story of a US family whose Nest security camera warned them of “incoming nuclear missiles” – cue 5 minutes of understandable panic!

We tell you how to avoid a similar cyberincident in your home:

(Watch directly on YouTube if the video won’t play here.)

PS. Like the shirt in the video? They’re available at: https://shop.sophos.com/

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TAd0G8vYI0E/

Supreme Court won’t consider case against defamatory reviews on Yelp

Is it defamatory to write a Yelp review claiming that a law firm is incompetent, negligent in following through on its contractual obligations, and deserves less than one star?

Maybe. Yelp says that it removes reviews it finds to be defamatory, since they violate its terms of service. But in this particular case, Yelp didn’t find the review – written by a client of Hassell Law Group who went by the username of Birdzeye B. – to be so.

Hence, Yelp refused to take down Birdzeye B.’s review, as San Francisco attorney Dawn Hassell had requested and as California’s Supreme Court had ordered it to do in July.

On Tuesday, the US Supreme Court’s docket showed that it had rejected an appeal of the case, which centers around the question of whether Yelp is culpable for removing defamatory reviews from its site.

The review is still up on Yelp, along with a far more scathing update from Birdzeye B., who turned out to be a woman identified as Ava Bird. The case was brought by Hassell not against Yelp, but against Bird.

Hassell’s law firm, which represents plaintiffs in accidents, job discrimination and other cases, had briefly represented Bird in an injury case in 2012 before withdrawing. Months later, Bird posted her one-star review on Yelp, calling the firm incompetent and advising others to seek representation elsewhere. Hassell brought Hassell v. Bird in an effort to get Yelp and Bird to take down the review and Bird’s subsequent update. The firm also sued Bird for libel, seeking damages and an order to remove the postings, but it didn’t sue Yelp.

In January 2014, after Bird failed to respond, a judge entered a default judgment that found the postings libelous and ordered her to pay more than $550,000 in damages for a decline in the firm’s Yelp rating and what Hassell described as a loss of business. The judge also ordered both Bird and Yelp to remove her reviews.

Yelp declined. It said that it voluntarily removes postings it deems defamatory, but that it didn’t find Bird’s ratings to be libelous.

At that point, the law firm of Charles Harder – a lawyer known for high-profile defamation lawsuits and a member of President Donald Trump’s legal team – took up the case, petitioning the Supreme Court to hear the complaint against Yelp. As the San Francisco Chronicle reports, the goal was to get the court to allow court orders to have “entirely unlawful” content removed.

Section 230 lives on … for now

At this point, what’s keeping such court orders from being enforced against sites such as Yelp is Section 230 of the Communications Decency Act (CDA), which states that websites aren’t liable for user-submitted content. The Supreme Court’s refusal on Tuesday to hear an appeal of the case lets stand that key legal protection for all websites.

But it might prove to be just a brief respite for Section 230, which has fended off a steady barrage of legal attacks for years. We’ve seen actions taken against Section 230-protected sites such as those dedicated to revenge porn, for one.

More recently, anti-Section 230 legal battles have been gaining momentum. In March 2018, we saw the passage of H.R. 1865, the Fight Online Sex Trafficking Act (FOSTA) bill, which makes online prostitution ads a federal crime and which amended Section 230.

In response to the overwhelming vote to pass the bill – it sailed through on a 97-2 vote, over the protests of free-speech advocates, constitutional law experts and sex trafficking victims – Craigslist shut down its personals section.

Back in 1995, when he was pushing the amendment that wound up being Section 230, Senator Ron Wyden warned that we were facing the prospect of an “army of censors” that would stifle the internet’s promise.

Nowadays, Wyden told The Verge, the danger is coming from the web platforms themselves, with a ceaseless stream of disturbing revelations such as Facebook playing loosey-goosey with user data, YouTube and its eye-poppingly inappropriate videos targeted at kids, bullying on Twitter, or virally spread rumors that lead to people getting lynched.

The early days of Section 230 were nothing compared to this, Wyden said:

Back then, I think there was an awareness of the fact that there might be significant privacy issues, but I don’t think anybody was talking about an Exxon-Valdez of privacy the way people talk about it today.

That’s leading to a slew of new challenges to Section 230, including…

  • A lawsuit that charges Grindr with turning a blind eye when an alleged stalker tormented his ex-lover by using the app to misguide 1,000 sex-hungry men into showing up on his doorstep and at his workplace.
  • Wisconsin’s Supreme Court has agreed to hear a case, Daniel v. Armslist, in which the firearm classified advertising site Armslist is being sued following a mass shooter having purchased a gun after responding to an ad on the site.

Yelp called the California Supreme Court’s decision last year a win for “those of us who value sharing one another’s opinions and experiences” on the internet, while SCOTUS’s more recent decision to not hear the appeal upholds the right to publish “entirely truthful consumer opinions.” Here’s what a Yelp spokesperson told The Verge:

We are happy to see the Supreme Court has ended Hassell’s efforts to sidestep the law to compel Yelp to remove online reviews. This takes away a tool that could have been easily abused by litigants to obtain easy removal of entirely truthful consumer opinions.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qmE-m3AZedI/

Bomb threat spam may stem from GoDaddy DNS weakness

A bomb threat spam campaign that hit North America last month may have been engineered using a flaw in GoDaddy’s domain management process, it was revealed this week.

The campaign saw attackers send out spam emails warning recipients that their places of work would be bombed unless they sent payments in bitcoin. Investigators linked its unknown perpetrator to a separate sextortion attack which falsely claimed to have compromising webcam images of victims and demanded blackmail payments in bitcoin.

Both of these spam campaigns came from domains hosted by Russian hosting company Reg.ru, but anti-spam researcher Ron Guilmette reportedly found that most of the domains used in the bomb threat campaign had been transferred from US hosting giant GoDaddy shortly before the attack began. Ars Technica suggests that the domains were hijacked using an attack technique that first surfaced in 2016.

DNS is short for Domain Name Service, and it’s effectively a phone book for the web. It’s the internet’s way of converting a URL such as www.example.com to the IP address for the computer that hosts its web pages.

Your computer finds a domain’s IP address by querying a name server that stores that information in a text record known as a zone file. Your computer knows what name server to query because the name server addresses are stored in top level domain (TLD) servers dotted around the internet. These TLD servers get the name server addresses from the registrar that originally registered the domain.

Hosting companies that offer managed DNS services update all of this information for you. You tell them which domain you want to control, and they provide the appropriate name server information. The problem is that many managed DNS services allow people to add domains to their accounts without checking to see if those people own the domains first.

Cybersecurity researcher Matthew Bryant first discovered this flaw in the domain setup process for hosting company Digital Ocean in 2016 before realising that it was a much wider problem affecting companies ranging from Amazon to Rackspace.

The problem occurs when the zone file for a domain disappears but the domain’s owner doesn’t update the name server information held by the registrar. This can happen because the domain’s owner doesn’t want to host a web site at the domain anymore, or because payments for the domain hosting lapse. Occasionally, as was the case with the hijacked domain virtualfirefox.com, the owner gains legitimate ownership of the domain to avoid someone cybersquatting it but doesn’t need to host anything at that domain.

This leaves a name server with no zone file, meaning that an attacker can populate it with their own. They can register a free account with the managed DNS/hosting company and ask for that domain to be included in their account. That lets them transfer the domain to their own hosting provider. As Bryant found, many managed DNS companies honour that request without first checking to see if someone else owns the domain.

This is a great attack vector for spammers, explained Bryant in his 2016 post, because it gives them legitimacy. Anti-spam software will often block mail from newly-registered domains or from domains with bad reputations, which makes it hard for spammers to deliver their mail. Using this attack, they can use email servers registered to the hijacked domains to send spam emails that originate from their own servers. The domains that they hijack will often have been registered for a long time and have good reputations, which makes it far more likely that their spam mail will get through.

Bryant said:

If an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.

This is what appears to have happened with the bomb threat spam sent last month, and with the sextortion campaign mentioned earlier. Guilmette’s research reportedly found that overall, GoDaddy left more than half a million domains vulnerable to hijacking.

The attackers appear to have cherrypicked sites owned by household names including Expedia, Mozilla and Yelp.

GoDaddy told Naked Security that it was fixing the problem associated with the hijacked domain names:

We have indeed made the fix to prevent malicious use of our DNS zone entries. Due to the sensitive nature of security, we are not disclosing exactly how we fixed it. Additionally, we are currently removing the domains names mentioned by the security researcher.

To prevent their sites being hijacked this way, though, the safest bet for domain owners is to ensure that they update their name server information when removing a zone file so that attackers can’t take control of their domain.
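The defensive check that follows from the article is an audit of your own delegations: for every domain, ask each name server the registrar lists whether it actually serves the zone, and flag the ones that answer as if no zone exists. The script below is an added example written for this page, not tooling from GoDaddy, Naked Security or Matthew Bryant. It builds a raw DNS SOA query, reads the reply header, and classifies each delegated server as “hosted” or “dangling”. The transport is pluggable; the domains, name server hostnames and canned replies are constructed so the example runs offline, and a production run would swap `fake_send` for a UDP socket to port 53.

```python
"""Dangling-delegation audit: flag domains whose delegated name servers
answer as if they host no zone.  Added example for this page (not GoDaddy's
or Bryant's code); transport is pluggable so it runs offline."""
import struct

# DNS header flag bits and response codes (RFC 1035).
FLAG_QR, FLAG_AA = 0x8000, 0x0400
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid, qtype=QTYPE_SOA):
    """Minimal non-recursive query (RD=0), as you'd send to an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(data):
    """Return (id, is_response, aa, rcode, qdcount, ancount) from a DNS message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return qid, bool(flags & FLAG_QR), bool(flags & FLAG_AA), flags & 0x000F, qd, an


def classify(aa, rcode, ancount):
    """Map an authoritative server's reply to a delegation state."""
    if rcode == 0 and aa and ancount > 0:
        return "hosted"       # the server has the zone and answered from it
    if rcode in (2, 5):
        return "dangling"     # SERVFAIL/REFUSED: delegated to, but no zone configured
    if rcode == 0 and not aa:
        return "dangling"     # server is up but not authoritative for this name
    return "unknown"


def audit(delegations, send):
    """delegations: {domain: [ns, ...]}; send(ns, query_bytes) -> reply bytes.
    Every delegated server is queried, since one stale NS is enough to matter."""
    report, qid = {}, 0x1234
    for domain, servers in delegations.items():
        report[domain] = {}
        for ns in servers:
            qid = (qid + 1) & 0xFFFF
            rid, is_resp, aa, rcode, _qd, an = parse_header(send(ns, build_query(domain, qid)))
            if not is_resp or rid != qid:
                report[domain][ns] = "unknown"   # no reply, or id mismatch
                continue
            report[domain][ns] = classify(aa, rcode, an)
    return report


def dangling_domains(report):
    """Domains with at least one delegated server that serves no zone for them."""
    return sorted(d for d, by_ns in report.items() if "dangling" in by_ns.values())


# ---- constructed offline transport standing in for UDP port 53 ----
def _fake_response(query, aa, rcode, ancount):
    """Echo the query id and question back with chosen flags; the audit only
    reads the header, so no resource records are needed (constructed data)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


CANNED = {  # hypothetical delegated servers and how they would answer
    "ns1.hosted-example.net": dict(aa=True, rcode=0, ancount=1),
    "ns2.hosted-example.net": dict(aa=True, rcode=0, ancount=1),
    "ns1.managed-dns.example": dict(aa=False, rcode=5, ancount=0),  # zone was deleted
    "ns2.managed-dns.example": dict(aa=False, rcode=5, ancount=0),
}


def fake_send(ns, query):
    return _fake_response(query, **CANNED[ns])


SAMPLE = {  # constructed delegations, not domains named in the article
    "intact.example": ["ns1.hosted-example.net", "ns2.hosted-example.net"],
    "forgotten.example": ["ns1.managed-dns.example", "ns2.managed-dns.example"],
}

if __name__ == "__main__":
    for d in dangling_domains(audit(SAMPLE, fake_send)):
        print(f"{d}: delegated to a server with no zone; update or remove its NS records")
```

Run this against the delegations your registrar actually holds, not against what your DNS provider shows, because the registrar copy is the one the TLD servers publish and the one that goes stale when a zone is deleted. A “dangling” result is the state the article warns about, and the fix is the one it gives: change or remove the NS records at the registrar when the zone goes away.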

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3wDUd_N9NZI/

Hadoop coop thrown for loop by malware snoop n’ scoop troop? Oh poop

Hadoop databases haven’t been getting much interest from hackers so far, compared to other data silos, but that’s changing, according to a new study.

Security shop Securonix reports that its research team has seen a sharp rise in attacks targeting vulnerabilities in Hadoop components such as Hadoop YARN, Redis, and ActiveMQ in recent months.

The team found that the cyber-assaults ranged from single forays to more complex attacks exploiting multiple vulnerabilities, from unauthenticated command vulnerabilities and remote command execution holes to remote file execution flaws.

What the attackers are looking to do in each case is get access to the software platform’s underlying Linux or Windows servers, which are then infected with malware. This software nasty generates cryptocurrency for the miscreants, injects a dose of ransomware, and/or raids the boxes for corporate secrets and personal data.

“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,” Securonix said in its report.

“In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.”

One nasty in particular that’s thrown at Hadoop installations is the Xbash botnet malware, a Swiss Army knife of cyber-woe. Bots scan blocks of IP addresses for open ports on services like Redis (along with the likes of MySQL, Oracle Database, and Elastic Search) in search of servers to pwn.

If Xbash hits a vulnerable server, and can infect it, it first wipes the host’s databases and then tries to collect a ransom payout by pretending the wiped data is only encrypted.

“Once the malware is successfully able to log into the database services (MYSQL, PostgreSQL, MongoDB, or phpMyAdmin) it deletes the existing databases stored on the server and creates a database with a ransom note specifying the amount and the bitcoin wallet.”

Another infection spotted in the wild was the more basic Moanacroner malware, a modified version of the Sustes nasty that runs silently on the host server to mine Monero for the attacker.

In both cases, the Securonix researchers say that admins can reduce the chance of infection by keeping up on patches (the observed attacks all targeted known and patched vulnerabilities) and reducing the attack surface by limiting which Hadoop services can be accessed remotely and, if possible, running services in protected modes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/24/hadoop_malware_attack/