STE WILLIAMS

Microsoft partner portal ‘exposes ‘every’ support request filed worldwide’ today

Exclusive Alarmed Microsoft support partners can currently view support tickets submitted from all over the world, in what appears to be a very wide-ranging blunder by the Redmond-based biz.

“At the moment in the Microsoft Partner Portal you can see every ticket title for every support request worldwide!” Stuart Crane of IT biz Everon told us this morning.

Another Microsoft partner, Warren Lloyd of Ilkley IT services, added: “You can’t see the contents of the ticket, but you can see the case number and title… So you can’t see any customer info, just the title of what’s been submitted.”

Another Microsoft small biz specialist contacted us to say “Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours”.

With no customer details being visible, it is unlikely this embarrassing SNAFU will get MS in trouble with data protection laws or watchdogs. However, the cockup will leave the American multinational with more than a few red faces.

Such a thing doesn’t appear to have happened before – at least, not that is recorded in El Reg’s extensive archives, brimming as they are with tales of TITSUPs and SNAFUs and general wail-inducing failures.

Microsoft said it would get back to us when we asked what had happened and why this happened. We’ll update this article when the company responds again. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/18/microsoft_partner_portal_support_request_data_visible/

8 Tips for Monitoring Cloud Security

Cloud security experts weigh in with the practices and tools they prefer to monitor and measure security metrics in the cloud.

When it comes to today’s cloud security practices, companies are in “reactive mode,” says Balaji Parimi, CEO of CloudKnox. They’re focused on protecting their cloud environments by using tools that provide visibility into anomalous activity and then responding to it, he explains.

“While there is some merit to these ‘reactive’ tools, companies must prioritize pre-emptive measures in order to prevent catastrophic scenarios,” Parimi says. He advises they evaluate tools that will help prevent, or at least minimize, risks linked to poorly provisioned identities.

Watching for overprovisioned or incorrectly provisioned identities is one of the ways companies can improve security monitoring in the cloud. Here, experts share their best practices for how to approach cloud security monitoring and what to watch for in their cloud environments.

Feel free to share your own in the comments.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/8-tips-for-monitoring-cloud-security/d/d-id/1333666?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft blue biz bug bounty bonanza beckons

There’s more money to be made from bug hunting in Microsoft code after Redmond announced its 10th active bug hunting reward scheme, the Azure DevOps Bounty Program.

Formerly known as Visual Studio Team Services, the new Azure DevOps Services provides developers with collaborative cloud coding and automation. The bug bounty program also covers on-premises products like Azure DevOps Server and Team Foundation Server.

In a blog post, Buck Hodges, director of engineering for Azure DevOps, said the program will complement existing security practices like code reviews, security scans and red team testing.

“Our Bounty program rewards independent security researchers who find flaws and report them to us responsibly,” he said. “We’ll publicly recognize the researchers who report these security issues, and for high-severity bugs we’ll present payments of up to $20,000.”

Bug bounty programs have been proliferating, according to HackerOne, a biz that runs such contests. In its 2018 Hacker-Powered Security Report, the firm said bug bounty programs jumped 38 per cent in North America, 37 per cent in Asia, 26 per cent in Europe, the Middle East, and Africa, and 143 per cent in Latin America.

Since the firm launched in 2012 through June 2018 – when HackerOne’s report was issued – organizations have paid hackers more than $31m in bounties, a third of that in the 12 months prior to the report’s publication.

That may sound like a substantial sum but security biz Trail of Bits recently cautioned that a few highly skilled researchers collect most of the money while the majority of bug hunters collect very little.

Find our bugs and earn ‘exposure bucks’

Sean Roesner, a UK-based security researcher, wrote recently about the problems facing bug hunters now that bounty programs have become more common and more exploitative, asking hackers to work for free before they can join VIP programs that pay.

Calling such bug bounty programs overhyped and unsustainable, he laments how crowded the space has become with would-be bounty hunters. “I don’t recommend anyone does this full time and bug bounties should only be treated as a side hobby in my opinion,” he said, echoing concerns raised by Trail of Bits.

At the same time, even if the median annual earnings figure for a bug bounty hunter isn’t very much ($34,255), a small number of skilled security researchers do rather well. Tommy DeVoss, a security expert based in Richmond, Virginia, estimates that he earned about $500,000 last year across the various platforms in which he participates.

“I love the bug bounty programs, and see tremendous value in them as we are helping to secure countless companies’ systems,” said DeVoss in an email to The Register.

“I just don’t agree with billion dollar companies running unpaid programs for the masses and private programs for small groups of people. It’s like saying their time is worth being compensated for, while the others aren’t.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/18/microsoft_blue_bug_bounty_bonanza_beckons/

Twitter. Android. Private tweets. Pick two… Account bug unlocked padlocked accounts

Twitter has fessed up to a flaw in its Android app that, for more than four years, was making twits’ private tweets public. The programming blunder has been fixed.

The 280-character social-experiment-gone-awry admitted on Thursday that a bug dating back to November 3, 2014 potentially changed users’ “Protect your Tweets” preference – which hides tweets from public view so they are only seen by followers – to publicly visible when a user’s email address or other account settings were changed.

This is particularly bad news for netizens who opted for protected tweets, because they typically padlock their feeds to avoid potential or real harassment, or consider the contents of their feeds to be sensitive or highly personal in nature.

Twitter wouldn’t say exactly how many of its twits had their protected tweets exposed to the world, but if you were running the Twitter for Android app, now is probably a good time to go back over your profile and check your privacy settings.

The Twitter iOS app and website were not affected by the bug, so Apple fans and desktop users can breathe a sigh of relief, at least.

“We’ve informed people we know were affected by this issue and have turned “Protect your Tweets” back on for them if it was disabled,” Twitter said. “We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted.”

Twitter has some experience handling this sort of problem. Back in September the site disclosed that a bug in one of its APIs would have accidentally given some developers the ability to read the protected tweets and DMs of some users.

More recently, a team of researchers from the US and Greece revealed that Twitter’s past geolocation settings (prior to turning the feature off by default in 2015) could be used years later to reliably track the activity of individuals and infer highly personal information.

Perhaps, at the end of the day, the best policy should be to never share anything with Twitter that you don’t want the whole world to know about. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/18/twitter_bug_protected_tweets/

Got a Drupal-powered website? You may want to get patching now…

Drupal has issued a pair of updates to address two security vulnerabilities in its online publishing platform. The vulns are a little esoteric, and will not affect most sites, but it’s good to patch just in case you later add functionality that can be exploited.

Both Drupal.org and US-CERT are advising admins to test and install the two Drupal core fixes, both concerning flaws that can be exploited to perform remote-code execution. As their bug ID numbers would suggest, the updates are the first fixes for Drupal core this year, and they were found by the company’s own security team.

The first update, 2019-001, addresses a PEAR Archive_Tar library vulnerability. The security hole, assigned CVE-2018-1000888, can be exploited by a malicious tar file to achieve remote code execution via a deserialization blunder when extracting the archive. Presumably if your website doesn’t handle tar archives, then you should be fine, though it’s best to install the fix anyway.

2019-001 updates the version of PEAR Archive_Tar used in Drupal core to a non-vulnerable build. Besides code execution, the flaw also makes it possible to delete data remotely.

The second fix, 2019-002, addresses a vulnerability in the way Drupal core handles phar:// URIs in file operations. A vulnerable script would have to pass a maliciously crafted string from a user to a file operation to trigger the bug and achieve remote code execution.

While the patch is considered critical, not every Drupal instance will be vulnerable to attack: most webapps won’t chuck user input into file calls without stripping out anything that looks like a protocol, such as phar://.

“Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability,” the advisory reads. “This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.”

In addition to updating the phar stream wrapper, Drupal is opting to bump the .phar extension to “dangerous” status, meaning all files uploaded with it will be converted to text to prevent them being accidentally executed.
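The two defences described above, refusing scheme-prefixed input before a file operation and making dangerous uploads inert, shown as an added example that is not Drupal's code or its patch. The function names, the extension list and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not Drupal's API or its patch.

/** Returns the lower-cased scheme if $path starts with one, else null. */
function path_scheme(string $path): ?string
{
    // Match on the colon alone so forms without "//" (PHP accepts
    // "data:" that way) are caught as well as "phar://", "PHAR://", etc.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $path, $m) === 1) {
        return strtolower($m[1]);
    }
    return null;
}

/**
 * Resolves a user-supplied name to a real file under $baseDir.
 * Throws InvalidArgumentException for anything that is not a plain path
 * inside that directory.
 */
function safe_user_path(string $userInput, string $baseDir): string
{
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        throw new InvalidArgumentException('empty name or NUL byte');
    }
    if (($scheme = path_scheme($userInput)) !== null) {
        throw new InvalidArgumentException("scheme '$scheme' not accepted");
    }
    $root = realpath($baseDir);
    if ($root === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // realpath() collapses "../" and symlinks, so the prefix test below
    // is made against the location the file operation would really touch.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $userInput);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path is outside the base directory');
    }
    return $resolved;
}

/**
 * Makes an uploaded file name inert by appending ".txt" when it carries an
 * extension from $dangerous anywhere in the name (so "x.phar.jpg" counts).
 * The extension list is illustrative, chosen for this example.
 */
function neutralise_upload_name(
    string $name,
    array $dangerous = ['phar', 'php', 'pl', 'py', 'cgi']
): string {
    $name = basename(str_replace('\\', '/', $name));
    $parts = array_map('strtolower', explode('.', $name));
    array_shift($parts); // drop the stem, keep every extension segment
    $hit = array_intersect($parts, $dangerous) !== [];
    $alreadyText = strtolower(substr($name, -4)) === '.txt';
    return ($hit && !$alreadyText) ? $name . '.txt' : $name;
}

// --- Demo on constructed inputs ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', 'constructed sample');

foreach (['report.txt', 'phar://report.txt', 'PHAR://report.txt', '../report.txt'] as $input) {
    try {
        safe_user_path($input, $base);
        echo "accept  $input\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $input  ({$e->getMessage()})\n";
    }
}
foreach (['avatar.png', 'tool.phar', 'Tool.PHAR', 'x.phar.jpg'] as $upload) {
    echo $upload, ' -> ', neutralise_upload_name($upload), "\n";
}

unlink($base . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($base);
```

Input validation of this kind narrows the exposure in custom code; it does not replace installing the core updates.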

Admins are being advised to double check that the update has been successfully installed, as there have been multiple reports that updates over the Drush shell have been failing due to errors. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/18/drupal_critical_patches/

Old bugs, new bugs, red bugs … yes, it’s Oracle mega-update day again

Oracle admins, here’s your first critical patch advisory for 2019, and it’s a doozy: a total of 284 vulnerabilities patched across Big Red’s product range, and 33 of them are rated “critical”.

We hope your support contracts are up-to-date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs.

Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components:

  • You might be familiar with CVE-2016-1000031 – it’s the Apache Commons FileUpload remote code execution (RCE) bug disclosed in November last year. OCA’s Diameter Signalling Router component inherited the bug, as did its Communications Services Gatekeeper. Other systems affected by this bug include its Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and four three Oracle Retail components.
  • Another 2016 bug, this time in Codehaus versions of Groovy (CVE-2016-6814) affected OCA Unified Inventory Management.
  • An Apache Log4j bug, CVE-2017-5645, was inherited by Oracle’s Converged Application Server – Service Controller, and the OCA Online Mediation Controller, Service Broker, and WebRTC Session Controller. It also popped up in a FLEXCUBE component in Oracle Financial Services Applications, Fusion’s GoldenGate app adapters and SOA Suite, and a Sun tape library component. This CVE has been problematic for Big Red before: last year, it was responsible for 21 entries in the January patch list, and in April it had to be squashed in its Fusion Middleware.
  • OCA’s Communications Policy Management Component suffered from CVE-2018-11776, an Apache Struts bug that last year was exploited to mine cryptocurrency.
  • CVE-2018-9206 exposed OCA’s Services Gatekeeper to arbitrary file upload. This bug also affected Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Oracle E-Business’ Performance Management component had an “easily exploitable” bug in CVE-2019-2453: an unauthenticated network attacker could create, delete, or modify critical data. There was a similar bug in the e-biz suite’s fulfillment system (CVE-2019-2489).

Are we there yet?

Sorry, no.

In CVE-2016-4000, Jython provided a vector for arbitrary code, and it’s used by Big Red’s Enterprise Manager platform, Banking Platform, and Utilities Network Management System.

Yet another Apache tool, Derby before version 10.12.1.1 used in the WebLogic server, suffered from CVE-2015-1832, a denial-of-service vulnerability.

Oracle Tuxedo used a version of the Spring framework vulnerable to CVE-2018-1275, an RCE bug that also affected the Sun Tape Library ACSLS component.

The company’s JD Edwards Enterprise Tools was vulnerable to CVE-2018-8013, a complete takeover enabled by a deserialisation bug in Apache Batik.

There were a couple more authorisation bypass bugs to deal with, one in MySQL (CVE-2018-10933, inherited from libssh), and Xstore Payment (CVE-2017-7658, in the Eclipse Jetty server).

Finally: in CVE-2015-8965, Rogue Wave JViews was patched against an RCE, and Oracle found that software in the Agile PLM component of its supply chain suite. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/18/new_oracle_bugs/

Microsoft Launches New Azure DevOps Bug Bounty Program

A new program will pay bounties of up to $20,000 for new critical bugs in the company’s Azure DevOps systems and services.

Microsoft has announced the launch of a new bug bounty program, this one aimed at Azure DevOps services and applications. The program will offer bounties of up to $20,000 for new bugs and vulnerabilities discovered in the company’s Azure DevOps online services and the latest release of Azure DevOps server.

According to the web page describing the program, eligible bugs include previously unreported vulnerabilities in one of the target services or products. The description of the bug must “include clear, concise, and reproducible steps, either in writing or in video format,” that “Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.”

The highest bounty will be paid for a high-quality report on a critical remote code execution vulnerability, according to the site.

For more, read here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities-and-threats/microsoft-launches-new-azure-devops-bug-bounty-program/d/d-id/1333678?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation

Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.

Facebook has closed hundreds of accounts and pages linked to Russia, due to “coordinated inauthentic behavior” or disinformation operations. 

Facebook’s head of cybersecurity policy, Nathaniel Gleicher, wrote in a blog today that the shuttered pages and accounts (on both Facebook and Instagram) represent two unrelated disinformation networks. One operation targeted Ukraine, and the other covered Central and Eastern Europe, the Baltics, Central Asia, and the Caucasus. 

US law enforcement tipped off Facebook to the network that focused on Ukraine, which spent $25,000 on Facebook ads last year. The network exhibited some “technical overlap with Russia-based activity we saw prior to the US midterm elections,” wrote Gleicher, and similar behavior to that of the Internet Research Agency, a Russian troll farm indicted by US Special Counsel Robert Mueller for interference in the 2016 US presidential election.

Facebook shut 107 groups, pages, and accounts (with about 180,000 total followers) and 41 Instagram accounts (55,000 followers) associated with this operation. 

The other network was a content amplification program for a Russian state-sponsored media organization.

As described by the Atlantic Council’s Digital Forensics Research Lab (DFRLab) in an extensive report:

The pages masqueraded as groups with special interests — ranging from food to support for authoritarian presidents — and amplified content from the Kremlin’s media agency, Rossiya Segodnya, especially that of its subordinate online news outlet Sputnik.

The nature of the activity varied. The Sputnik editors acknowledged that Sputnik ran certain pages in Latvia, but at the other end, “a sub-group of nine pages in Georgia was run by an account that appeared to be actively fraudulent” and purchased ads specifically to promote Rossiya Segodnya content, DFRLab wrote. “Most of the pages in the network were covert, in that they did not mention a connection to Rossiya Segodnya and also did not claim any other specific identity.”

According to Gleicher, Facebook has thus shut 75 accounts and closed 289 pages, representing 790,000 followers and $135,000 in advertising.

“The decision is clearly political. This is tantamount to censorship,” said Sputnik in a statement to the Associated Press.  

In a statement to Dark Reading, a Facebook representative said, “As Nathaniel mentioned in his post today, we’ve taken down these Pages and accounts based on their behavior, not the content they post. In these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”

For more, read here at AP, here at DFRLab, and here at Facebook. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/attacks-breaches/facebook-shuts-hundreds-of-russia-linked-pages-accounts-for-disinformation/d/d-id/1333674?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

773 Million Email Addresses, 21 Million Passwords For Sale on Hacker Forum

Data appears to be from multiple breaches over past few years, says researcher who discovered it.

A folder with over 12,000 files containing nearly 773 million email addresses and over 21 million unique passwords from numerous previous data breaches — some potentially dating back to 2008 — has been posted online in another massive leak of credential data.

Security researcher Troy Hunt discovered the 87 GB worth of data on cloud storage service Mega last week and has uploaded it to his Have I Been Pwned (HIBP) service, where individuals can verify if their email addresses are on the list. The leaked passwords, meanwhile, have been published on Pwned Passwords, a site that Hunt maintains to let people check whether their passwords have been exposed in data breaches.  

Some 140 million email addresses and about half of the just-leaked passwords are new, meaning the data has not been previously published on HIBP or the compromised passwords site. With the new data, Pwned Passwords now contains more than half-a-billion leaked passwords.

In a blog Thursday, Hunt described the folder he discovered on Mega as containing data from what appears to be over 2,000 previously breached and dehashed databases. The data appears to be from breaches between 2008 and 2015. But it is possible that at least some of the leaked data was not involved in a data breach at all, Hunt said.

It’s unclear who might have compiled the list of breached databases and put them in the file that was leaked on Mega. Attackers commonly use such datasets to carry out automated “credential stuffing” attacks where they try breaking into enterprise accounts using combinations of previously compromised email and password data.

The file on Mega has since been removed. But, according to Hunt, the data is currently being advertised for sale in a popular hacker forum. Hunt is calling the breach “Collection #1” after the name given to the root folder containing the files.

The Collection #1 breach is among the biggest involving passwords and email addresses. Other similarly massive compromises include one recently at Marriott International, in which 380 million records were exposed; multiple breaches at Yahoo, which ended up exposing all 3 billion of its user accounts; and one at Adult Friend Finder, which impacted 412 million accounts.

Such breaches keep highlighting the weakness of password-only account protection models and the need for strong authentication mechanisms. A new report from MarketsandMarkets shows concerns over data breaches and regulations are driving demand for multifactor authentication technologies. The market for such tools and services is projected to grow by over 15.5% annually over the next few years to top $12 billion by 2022, according to the analyst firm.

Bimal Gandhi, CEO at Uniken, says credential leaks pose a multifaceted threat for organizations. The fact that people often reuse passwords across personal and office accounts exposes organizations to attack even if their own sites and user credentials haven’t been compromised.

“An attacker can replay your customers’ known credentials from other sites against you on the reasonable chance that those credentials will also allow them access to your applications,” Gandhi says. Attackers have a broad array of methods to attack organizations via both the mobile and the browser using harvested credentials, he says.

Credential data is also invaluable for phishing, says Tim Erlin, vice president of product management and strategy at Tripwire. There has been a recent increase in the use of compromised credentials in email extortion attempts, he says.

The fact that at least some of the leaked credential data is old makes it relatively less of a threat to organizations that regularly change passwords. But the potential for misuse should not be underestimated, Erlin says. “People often change personal passwords far less frequently than corporate credentials, meaning that there may very well be valid data present,” he added.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/773-million-email-addresses-21-million-passwords-for-sale-on-hacker-forum/d/d-id/1333684?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Top GP: Medical app Your.MD’s data security wasn’t my remit

The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were “open to anyone who knows the URL”, emails seen by a London tribunal have revealed.

What’s the case about?

Your.MD was taken to the Employment Tribunal by former vice-president Randeep Sidhu, who claims he was unfairly dismissed from his £110,000 post after making legally protected disclosures about patient safety and information security.

Among other things, he is claiming the company sacked him because he blew the whistle on the state of its information security, which he alleges was so bad that anyone could have tampered with Your.MD’s medical advice databases to change the diagnoses issued by the app.

Emails read out to the Central London Employment Tribunal in Holborn this morning by former vice-president Randeep Sidhu’s barrister, Andrew Hochhauser QC, revealed:

  • Your.MD execs were aware that five key databases were “publicly available to the internet” in June 2017;
  • the firm had no way of validating, at the time, that business-critical microservices “still work[ed] to specification” following changes; and
  • data from Your.MD’s medical knowledge database, Alexandria, “can be downloaded worldwide, and modified, without even a password”.

In addition, a Facebook chatbot devised by Your.MD allegedly allowed its Facebook page admins direct access to customers’ health data.

The vulnerabilities, allegations about which were made in two emails sent by Your.MD Ltd chief product officer Sam Lowe on 12 June 2017, were “first priorities” to be fixed. Lowe also proposed organising an “independent 3rd party penetration test” to check for other vulnerabilities. Your.MD chief operating officer Alessandro Traverso replied in an immediate followup email that he agreed the situation was serious.

Top doc asked about data security

Lowe’s emails were read out during cross-examination of Professor Maureen Baker, a former chairwoman of the Royal College of GPs who is Your.MD’s chief medical officer (CMO) and also sits on the startup’s clinical advisory board. In addition to these posts, she is a visiting professor of general practice at the University of Sheffield.

Professor Baker responded to Hochhauser’s early line of questioning about data security by saying: “If I can expand. I’m really focused on the medical and professional aspects. I’m not – I didn’t have any discussions about the tech or the presentations and this hasn’t come up in the discussions I’ve had with the medical teams.”

Her Scottish lilt remaining level and clear in the well-heated hearing room, she added: “I’m talking here specifically about clinical safety. Clinical safety and data security are not the same thing… that’s not my remit.”

Sidhu, the claimant, had previously argued during his own cross-examination that the two were very closely connected.

Surely, asked Hochhauser, the Alexandria medical knowledge database being unsecured meant that “a malicious person could make the service misdiagnose dangerous conditions?”

“No,” replied Baker, “that’s incorrect on two levels.

“So firstly the app does not make a diagnosis. So it cannot misdiagnose. Secondly, the data referred to, steps, etc, none of that would affect the outcome of a consultation on Your.MD,” she added.

“What is being suggested,” intoned Hochhauser in a deep voice, “and it was looked at in Mr Lowe’s email, is that Alexandria could have incorrect information inserted into it because of the lack of security and that posed a problem… I realise you want to assist the company, but would you agree that is an unsatisfactory state of affairs?”

Stung, Baker responded: “Firstly, I have sworn an oath to tell the truth and I am answering your questions; it’s not about assisting the company. Secondly, I think you’re conflating things.”

She continued, pausing occasionally to gather her words. “So there’s one issue, which is alteration of the medical knowledge database. That’s an issue. If that happened that would be – there are possibilities for things to go wrong. I accept that. However, what I don’t accept is the health metrics bit leading to a problem for a user. In terms of a condition outcome.”

Facebook, chatbots and people’s medical histories

Back in 2017, Your.MD released a Facebook Chat-based bot where users could interact with it and ask it for advice on medical symptoms. Sidhu claimed that Your.MD implemented few privacy controls on who within the company could access customers’ information via Facebook.

In his witness statement, Sidhu asserted that “personally identifiable information was linked to highly sensitive personal information that could compromise the individual, such as abortions, sexual health and/or a pre-existing medical condition”. He claimed that “any admin” of Your.MD’s Facebook account “could use their personal Facebook profile to find their employer/boyfriend/parents/friends” and use the sensitive medical information “to threaten or blackmail the user”.

“Given your background, Professor Baker,” asked Hochhauser, “wouldn’t you agree that that is a highly unsatisfactory state of affairs?”

Baker said in response that while any abuses like that would be “deplorable and highly unsatisfactory”, systems involving medical records do require people to have access to them “in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system”.

The tribunal is due to conclude today. Judgement is expected to be handed down in a few weeks’ time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/17/your_md_medical_symptom_app_employment_tribunal/