STE WILLIAMS

Feds can’t force you to unlock your phone with finger or face, says judge

A Northern California federal judge ruled last week that police can’t force suspects to unlock their phones with their fingers, eyes or face, even with a warrant, because it amounts to the same type of self-incrimination as being forced to hand over your passcode.

If other courts apply her decision, it could set an important precedent in Fifth Amendment interpretation and the debate between compelling suspects to use “what they are” (i.e., forced use of their bodies) vs. “what they know” (i.e., forcing suspects to unlock their brains to get at their passcodes).

As Forbes reports, Judge Kandis Westmore ruled that compelled testimony is compelled testimony, regardless of whether it’s a passcode uttered aloud or a forced finger swipe. In this day and age, multiple forms of authentication unlock treasure troves of personal data, she wrote.

If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.

Judge Westmore wrote the decision in denial of a warrant to police who were investigating alleged extortion in Oakland, California. The suspects allegedly used Facebook Messenger to threaten a man with the release of an embarrassing video unless he coughed up money.

Police had two suspects, but they wanted the go-ahead to compel anybody located on the same premises to unlock their devices, be it with a finger/thumb, face or iris. Judge Westmore denied the request for a search warrant on Fourth and Fifth Amendment grounds.

She agreed that the officers had probable cause to search the suspects’ property, but not to unlock any and all devices or compel people to do so. That would be a fishing expedition, she said. The government can’t be permitted to search and seize people’s devices just because they happen to be present during a lawful search.

With regard to the Fifth Amendment, it protects against suspects being forced to be witnesses against themselves. In this particular case, Judge Westmore wrote, the issue is whether the use of a suspect’s biometrics to unlock their device(s) is considered “testimonial” under the Fifth Amendment.

Courts are trying to keep pace with technology

The challenge facing courts is that “technology is outpacing the law,” the judge wrote. She referred to a recent case in which the US Supreme Court told courts that they needed to adopt rules that “take account of more sophisticated systems that are already in use or in development.”

The case she referred to, Carpenter v. United States, had to do with a Radio Shack robbery and the privacy of the phone location data that got the robber convicted. In June 2018, the Supreme Court ruled it unlawful for law enforcement and federal agencies to access cellphone location records without a warrant.

The decision said that courts “have an obligation to safeguard constitutional rights and cannot permit those rights to be diminished merely due to the advancement of technology.”

In the past, using biometrics to unlock devices has been compared to compelled fingerprinting or DNA swabs. Judge Westmore wrote that it should more rightly be thought of as a shortcut for a passcode, given that they both secure a device owner’s content – “pragmatically rendering them functionally equivalent.”

Her decision could be significant for both digital privacy and the law around search and seizure of connected devices. However, there’s no guarantee that it won’t be challenged or overturned. As it is, that law has continued to evolve, and there’s been a patchwork of contradictory findings.

A little history of finger forcing

Ever since Apple introduced Touch ID, many privacy and legal experts have said that biometric information such as fingerprints is like our DNA samples or our voice imprints: it’s simply a part of us. It doesn’t reveal anything that we know, meaning that it doesn’t count as testimony against ourselves.

Therefore, the prevailing thinking has gone, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.

It’s similar to when police with a search warrant demand a key to a lockbox that contains incriminating evidence, the Supreme Court has suggested: turning over the key is just a physical act, not “testimony” about something we know.

Over the years, there have been numerous court cases where that line of thinking has supported forced biometrics unlocking as well as people’s rights not to be forced into giving up passcodes. Here are just a few of those:

The reasoning hasn’t always been applied that way, though. In 2016, a Philadelphia court said that a suspected child abuser would stay locked up indefinitely until he decrypted the drive that investigators thought contained abuse imagery, Fifth Amendment or no Fifth Amendment.

Similarly, there’s no guarantee that other courts will choose to apply this recent no-forced-biometrics ruling. We’ll be sure to keep an eye on how the courts continue to adapt in this age of connected devices, but for now, the safest thing to do if you care about your data privacy is likely the same as always: use a passcode instead of biometrics. The privacy of that approach is supported by a good deal of court rulings.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/27_NY3f3ODk/

Beware buying Fortnite’s V-Bucks, you could be funding organised crime

Crooks are laundering money through Fortnite’s in-game currency, known as V-Bucks, according to an investigation carried out by The Independent and cybersecurity firm Sixgill.

They’re using stolen credit cards to purchase V-Bucks, then selling the currency at a discount to players on the Dark Web and thereby cleaning the money.

Why do we keep hearing about yet more scams that revolve around Fortnite? Same reason that robbers rob banks: that’s where the money’s at.

Be they young, old, and/or dressed up in the skin of an anthropomorphic tomato, players worldwide flock to the free Fortnite Battle Royale, to the tune of what its maker, Epic Games, said was more than 125 million players across all platforms as of June 2018.

Before its release, we saw fraudsters exploit gamers’ keen anticipation to get invitations to the release, flogging their fictional “extra free invites!!!” as they looked for profit or for pumped-up Twitter followers/likes/retweets/comments.

Then we saw scammers seed the internet with fake Fortnite apps that never loaded the actual game and instead churned victims through the downloading of other apps that the fraudsters got paid to disseminate.

Then, within a year of its 2017 launch, we saw hijacked Fortnite accounts being hawked on Instagram: what Kotaku called a “booming industry”.

A Slovenian teenager told the BBC last month that he’d made £16,000 (around $20,000) in the previous seven months by selling stolen accounts.

The news about V-Bucks being used to launder money is anything but surprising, given that crooks are using Fortnite to make money in a mind-boggling variety of ways.

The credit card thieves have an eager market when it comes to selling discounted in-game currency. The game may be free to play, but there’s plenty of money to be made by selling in-game accessories like character outfits, weapons, skins for those weapons, and emotes (such as dances for their characters to perform).

The 1,000 virtual coins needed to buy all that colorful, virtual bling will set you back about $10. You can buy them from the official Fortnite store, as well as from some other vendors. There are ways to get free V-Bucks, but there are also plenty of scammers pretending to give them away, as Fortnite has warned users:

At these prices, you can see why players would wind up sniffing around for discounted coins in the dark corners of the web.

The investigation conducted by The Independent and Sixgill found that V-Bucks are being sold in bulk on the Dark Web, while smaller quantities are being advertised on the open web, on social media such as Instagram and Twitter. Sixgill analysts posed as interested buyers and uncovered coin sales being conducted worldwide – in Chinese, Russian, Spanish, Arabic and English.

It’s unclear how much profit is being made from such money laundering. Given that the vendors are accepting payment in bitcoin and bitcoin cash – both semi-anonymous currencies – it’s tough for law enforcement agencies to track.

Sixgill senior intelligence analyst Benjamin Preminger told The Independent that granted, erasing all the criminal activity centered around Fortnite is a tall order. But Epic Games could do a bit more to mitigate it, such as …

…monitoring the transfer of high-value goods in the game, identifying players with large stockpiles of V-Bucks, and sharing data with relevant law enforcement agencies.

As of Tuesday evening, Epic Games hadn’t responded to media outlets’ requests for comment.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0bOZXGKIto8/

Intel patches another security flaw in SGX technology

Intel last week released six advisories covering a range of products, the most interesting of which is a flaw discovered in the company’s Software Guard Extensions (SGX) built into all Intel processors since the company’s sixth-generation Skylake processors in 2015.

Discovered by independent researcher SaifAllah benMassaoud, the latest SGX vulnerability (CVE-2018-18098) is a weakness in the software layer that enables the SGX hardware, which could allow what Intel euphemistically describes as “escalation of privilege or information disclosure.”

SGX makes possible ‘secure enclaves’ that can be used for a variety of purposes, including Digital Rights Management (DRM). Essentially, an application can put whatever data it is working on into one of these so that no other application can access, compromise or copy it.

Intel offers few details as to how this flaw affects that integrity. However, benMassaoud told The Register that a simple batch script sent via email could be used to launch an attack exploiting the flaw:

Once the file is opened by the victim who uses the affected software, it will automatically download and execute malicious code from the attacker’s server to the vulnerable setup version of Intel SGX SDK and Platform Software on the victim’s machine.

There’s also a video that demonstrates the proof of concept.

This is the third issue found in SGX in less than a year, the most notable examples of which were the Foreshadow flaws that came to light last August.

That was more serious because it resulted from the way SGX is implemented in hardware rather than software, but for admins it’s still a new to-do sticky note.

The thing about technologies such as SGX from a patching point of view is that it is a software layer not everyone realises they have. Intel’s advisory lists the affected products as being:

  • Intel® SGX SDK for Windows before 2.2.100
  • Intel® SGX SDK for Linux before 2.4.100
  • Intel® SGX Platform Software for Windows before version 2.2.100
  • Intel® SGX Platform Software for Linux before version 2.4.100

That means that patching the flaw is something for developers and system makers rather than end users.

What to do?

If your computer dates from after 2015 and contains a Skylake processor (AMD and others not being affected), your system maker should issue an update in time. Admins can download the recommended patches through a patching system or directly with an Intel account.

But don’t forget to check Intel’s Security Center in case there are any new advisories that might need attention.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oJfzhs2IgRY/

Are you sure those WhatsApp messages are meant for you?

Senior Amazon technical expert Abby Fuller had a bit of a shock when she logged into WhatsApp using a new telephone number earlier this month. She found someone else’s messages waiting for her.

WhatsApp, which Facebook purchased for $19bn in 2014, advertises itself as a secure, reliable messaging app.

The service prides itself on not retaining messages on its servers once they have been delivered. Fuller was using a new telephone number on a new mobile device. Her SIM card was new, and she hadn’t restored any backed-up messages from anywhere. So what gives? How did messages meant for someone else get onto her phone?

WhatsApp ties user accounts to their phone numbers. The problem is that people don’t always keep their phone numbers forever. When someone stops using a number, by ending their smartphone contract for example, it goes back into a pool of numbers and under FCC rules it can be reassigned to someone else after 90 days.

WhatsApp is aware of this, and warns:

Before you stop using a particular phone number, you should migrate your WhatsApp account to the new number.

It even has a Change Number feature to help people switch their accounts from one number to another.

Perhaps the number’s previous owner didn’t do that, but even if they didn’t, the company has a failsafe. It monitors account inactivity and watches for accounts that are unused for 30 days. If someone then activates an account with that number on a different mobile device, WhatsApp removes all the old account data tied to that phone number, including the profile photo and the About section, it says.

Yet Fuller has had her number for longer than that:

One potential explanation is that WhatsApp relies not only on the original owner of the number changing their account but on all of their friends updating their address books too. It warns:

Whenever a friend gives up a phone number, you should make sure to delete the number from your phone’s address book. As it is common practice for mobile providers to recycle numbers, you may incorrectly identify an account in WhatsApp as your friend’s account, when in fact the account belongs to the new phone number’s owner.

WhatsApp exclusively uses phone numbers to identify accounts and we display the names you have saved in your address book for those contacts.

At least one Twitter user suggested that this might be the root cause:

Since 2016, WhatsApp has used end-to-end encryption, but it uses different encryption keys for each chat, which explains why the messages meant for the number’s previous owner showed up in plaintext on Fuller’s device.

Fuller has been fielding explanations from the Twitterverse about what may have happened all week, but as she points out, it’s WhatsApp’s job to ensure that it doesn’t happen:

My point is that this is not (or should not be) the correct behavior. No one should ever get someone else’s messages.

Creeped out by the whole affair, she quickly deleted the messages, but comments on her Tweets suggested that this is not an isolated event. Several users reported similar issues with WhatsApp:

We may never get to the bottom of what really happened with those errant messages, but it’s quite possible that there’s no easy way to solve the problem. The flaw probably lies in the design principle that ties a person’s identity to an ephemeral data point like a phone number. In 2019, surely there must be a better way to create long-lasting, unassailable identities for people?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h_rhhhbRSrg/

Microsoft sends a raft of Windows 10 patches out into the Windows Update ocean

Microsoft has released a second raft of fixes for Windows 10 following the monthly Patch Tuesday excitement last week. It has also issued some fixes for its latest Windows Insider build.

The latest tokens of affection from the gang at Redmond come in the form of KB4480976, KB4480967 and KB4480959, which cover the 1803, 1709 and 1703 releases of Windows 10 respectively.

The cursed October 2018 Update has yet to receive a second whacking with the patch stick. Microsoft is likely a little nervous about poking the thing too hard in case it bites again.

All three updates resolve an issue that cropped up during the 8 January fixing frenzy which left third-party applications having difficulty authenticating hotspots. The issue remains open for the October 2018 Update, with Microsoft only saying that a “solution will be available in late January”.

Also left open is an Access 97 issue, where Jet databases using the venerable file format fail to open if the database has column names greater than 32 characters. The workaround, according to Microsoft, is to either reduce those name lengths or upgrade the thing.

Understandable. Microsoft Access 97 came to the end of mainstream support almost exactly 15 years ago. However, as we discovered ourselves while researching another story, a distressing number of organisations still rely on databases using the technology.

While today’s updates haven’t dealt with the issue, Microsoft does reckon a fix will be inbound by “early February”. Presumably after it has dug out the ancient source to work out exactly what in Patch Tuesday made Jet and the Access 97 file format so poorly.

Known issues aside, the updates also deal with a slew of bugs, including Edge focus events and a problem that makes BitLocker Network Unlock fail on generation 2 virtual machines on an IPv4-only network.

Insider Patching Fun

Microsoft also flung out a patch for the current fast ring version of Windows 10 (aka 19H1) rather than simply issuing an entirely new build.

The OS, which is intended for Redmond’s army of volunteer Windows Insider testers, received tweaks fixing File Explorer getting a little too attached to USB drives and a GSOD (Green Screen of Death) habit the OS had developed over the last couple of flights.

Microsoft also fixed an issue where a password change could result in the next unlock hanging for Active Directory users, something that will make the preview OS a good deal easier to test for Enterprise customers.

It is those enterprises that Microsoft really wants to get onboard with the firm as the release of 19H1 creeps ever closer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/16/microsoft_patch_tuesday_2/

Epic’s Fortnite fail: Ancient UT2004 server used for login-stealing proof-of-concept

Crafty infosec bods exploited XSS vulns on dusty corners of Epic Games’ web infrastructure to steal Fortnite gamers’ login tokens and compromise their accounts – using a genuine Epic Games URL to phish their marks.

Infosec biz Check Point discovered the XSS vuln, which, when combined with a login redirect attack, had the potential to let a mischief-maker gain access to user accounts without having to trick targets into handing over usernames and passwords.

Check Point’s proof-of-concept even used a completely genuine *.epicgames.com URL as a phishing vector.

Researchers discovered that dusty corners of Epic’s web infrastructure were vulnerable to a combination of the XSS vuln and a SQL injection attack, allowing them to compromise Epic’s social media account single sign-on implementation.

They did all of this by exploiting an old Unreal Tournament 2004 server.

How?!

Epic’s online login process for Fortnite includes a URL string with the parameter “redirectedUrl”, bouncing the user around a couple of times before settling on account.epicgames.com. Check Point researchers found that they could successfully change that initial redirect URL to point to anything that included *.epicgames.com.

This was where the vulnerable UT2004 subdomain came in. The old stats site was vulnerable to a SQL injection attack, Check Point found, which allowed the miscreants to plant an XSS payload on the server.

Older readers will remember the classic Unreal Tournament line of PC-based first-person shoot-em-ups. For excellent reasons that include allowing upper-bracket millennials to relive their misspent youths, Epic – publisher of Unreal as well as Fortnite – kept some of the old UT2004 infrastructure online, including the multiplayer game stats server.

Unfortunately for Epic, Check Point discovered that the since-patched server (which is no longer publicly accessible) would execute certain SQL queries, though some locking-down had been done by Epic. Check Point planted its Javascript XSS payload on ut2004stats.epicgames.com, having written it to include three encoded JSON keys: “redirectUrl”, “client_id” and “prodectName”.
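As an added illustration (not Check Point’s or Epic’s code), here is the redirect validation at the heart of the chain above, in Python: a bare substring check, a parent-domain suffix check that trusts every subdomain, and a strict allowlist of exact hostnames. The allowlist entries and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts a login flow may redirect to. This is an
# assumption for the example, not Epic's configuration.
ALLOWED_REDIRECT_HOSTS = {"account.epicgames.com", "www.epicgames.com"}


def substring_check(url: str) -> bool:
    """Weakest form: accept any URL that merely contains the parent domain.
    Passes for every subdomain and for unrelated hosts that put the string
    in a path, query or fragment."""
    return "epicgames.com" in url


def parent_domain_check(url: str) -> bool:
    """Parse the URL and require the host to be the parent domain or one of
    its subdomains. Stops look-alike hosts, but still trusts every subdomain,
    which is the weakness the article describes: one forgotten server under
    the parent domain becomes a valid redirect target."""
    host = (urlparse(url).hostname or "").lower()
    return host == "epicgames.com" or host.endswith(".epicgames.com")


def allowlist_check(url: str) -> bool:
    """Hardened form: https only, no embedded credentials, and the host must
    be an exact member of a short allowlist rather than any subdomain."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_REDIRECT_HOSTS


def evaluate(url: str) -> dict:
    """Run all three checks so their verdicts can be compared side by side."""
    return {
        "substring": substring_check(url),
        "parent_domain": parent_domain_check(url),
        "allowlist": allowlist_check(url),
    }


# Constructed sample redirect targets; only the first should ever be accepted.
SAMPLE_REDIRECTS = [
    "https://account.epicgames.com/login",               # the intended target
    "https://ut2004stats.epicgames.com/stats",           # stale subdomain under the parent
    "https://attacker.example/?next=epicgames.com",      # parent domain only in the query
    "https://account.epicgames.com.attacker.example/",   # look-alike host
    "http://account.epicgames.com/login",                # right host, plaintext scheme
]

if __name__ == "__main__":
    for url in SAMPLE_REDIRECTS:
        print(f"{url:50} {evaluate(url)}")
```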

XSS + Javascript payload = bad news

Epic uses multiple SSO providers to let eager gamers log on with the social media account of their choice, including Facebook, PlayStationNetwork/PSN, Xbox Live, Nintendo and even Google+. The Javascript payload “could then make a request to any SSO provider”, as Check Point said, though it only tested Facebook.

Epic’s implementation of SSO was provider-agnostic; any of the named vendors would respond to a valid token request. One of the parameters in that request is named “state”. By rewriting one of the keys in the state parameter to point at their compromised ut2004stats.epicgames.com server, Check Point’s researchers could capture the generated SSO token and send that to Epic’s (legitimate) server to finish the login authentication process.

“In response, Epic Games’ server generates a response with no input validation and redirects the user to “ut2004stats.epicgames.com” with the XSS payload and the SSO token,” said Check Point in its writeup of the exploit.

From that point, it was straightforward to extract the token from the request and send it to an attack-controlled server for later exploitation.

As reported at great length on other news websites, the implications of this are that user accounts could be stolen by socially engineering users to click on a *.epicgames.com URL that would have passed muster as a genuine Epic Games-controlled site. All the attacker would have to do is hope the user logged in using a set of OAuth SSO creds.

Given that Fortnite is very popular amongst kids, that kind of social engineering would probably not be difficult – pinging a URL around via Fortnite in-game text chat promising free game credits (V-Bucks) is one method Check Point suggested.

Once in control of a compromised account, attackers could then read a user’s registered data from the account settings page, impersonate the user, start video chats with other gamers, and so on.

Epic has patched the vulns, according to Check Point, which disclosed them to the game publisher before going public. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/16/fortnite_security_vuln_token_theft/

Hijacking a PLC Using its Own Network Features

Researcher to show how attackers can exploit the built-in advanced connectivity functions in some Rockwell PLCs.

S4x19 — Miami — Programmable logic controllers (PLCs) long have been known to be easy marks for attack due to their blatant lack of built-in security, but a security researcher here this week will demonstrate how a hacker could commandeer some PLCs via their own advanced communications features.

Roee Stark, senior software engineer with ICS/SCADA network security monitoring firm Indegy, discovered that he could use two communication functions built into Rockwell Automation’s CompactLogix PLC line to wage network-borne attacks. Cybercriminals or nation-state actors could deploy these features as a way to stealthily infiltrate and control industrial processes and operations, or even reach into the target’s IT network infrastructure, he says.

Most PLC security research to date has focused on ways to hack into PLCs or rig them with malware, for example, to alter the industrial process or compromise the devices’ ladder logic, basically the programming language used to code PLCs. Researchers have built rootkits and worms for PLCs, for example.

But Stark’s PLC hacking research instead targets the connectivity of a PLC. The PLCs openly allow connections to the network, he says, a design that leaves them open to network-based attacks. “It’s much easier than changing the programming of a controller, or making [a device] explode.”

The first of the two features he coupled together to exploit the PLCs is the so-called complex path feature, which comes with Rockwell CompactLogix PLCs that use the Common Industrial Protocol (CIP), a communication architecture for industrial networks that integrates those operations with IT-based networks and the Internet. CIP runs on EtherNet/IP, ControlNet, and other popular industrial network protocols.

Complex path lets you create a CIP session between two PLCs that aren’t directly connected: “So if PLC A is connected to PLC B, [which is then] connected to PLC C, you can create a connection from PLC A to C” via a path through PLC B, Stark explains. The feature allows you to forward and transfer messages from one PLC to another.

The second feature is the so-called socket object, which lets the PLC send and receive TCP or UDP traffic.

“When combining these two capabilities, we can send and receive packets from a controller we have access to and all other controllers that are connected to it – regardless of the connection type,” Stark says.

An attacker with direct or remote access to the Rockwell PLC could abuse those features to collect data for reconnaissance purposes; to exfiltrate data; and to further attack the network using known security vulnerabilities, for example.

If an attacker can reach the PLC on the plant floor, either via the local network or the Internet, they can then spot the ControlNet connection and employ the complex path feature to reach other controllers in the plant, he explains. Once they reach the PLC, they can collect data via the socket interface using queries and running scans.

Stark doesn’t know for sure if these attacks could also work on other vendors’ PLCs since he hasn’t tested them. Even so, he notes, Rockwell’s CompactLogix series contains more advanced communications protocols and features than most PLCs. “As far as I know, these features are fairly unique to them,” he says of the PLC communications features.

Indegy did not disclose the research to Rockwell since it wasn’t a pure vulnerability disclosure, but rather a way to abuse the controller’s features, Stark says. “It’s not a vulnerability because you don’t bypass anything and you don’t exploit any control,” he says. “The programmatic flow is doing exactly what it is supposed to do” when you abuse it, he notes.

A Rockwell Automation spokesperson declined to comment on Indegy’s research when contacted by Dark Reading.

Missing Links

The Rockwell PLCs actually come with a logging feature that would be useful for catching such attacks, but logging is disabled by default in the devices, Stark found. “And turning it on again would not be trivial … you have to dig deep into the Web interface to find it,” he says.

Authentication would help thwart such an attack as well, but the PLCs don’t include such a feature, he says, and continuous network monitoring – a technology Indegy sells – could help spot any nefarious network activity using the legitimate PLC communications features in the Rockwell devices. Route whitelists also could prevent unauthorized PLC traffic.

Meanwhile, the focus on securing PLCs on the plant floor traditionally has been mostly on protecting them from malicious firmware updates, or from getting infected with malware. “They usually only take into account the execution flow,” Stark says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/hijacking-a-plc-using-its-own-network-features/d/d-id/1333660?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘It’s like they took a rug and covered it up’: Flight booking web app used by scores of airlines still vuln to attack – claim

Exclusive A security hole in a widely used airline reservation system remains open to exploit, allowing miscreants to edit strangers’ travel details online, The Register has learned. A fix to close the vulnerability was incomplete, and thus ineffective, it is claimed.

White hats at Safety Detective told us today the security flaw in Amadeus, the web-based reservation system used by nearly half of the world’s airlines, was only superficially patched after the glaring hole was privately reported by the team.

The vulnerability revolves around the way Amadeus and airlines identify travelers: each person is assigned a unique booking reference, which is a six-character alphanumeric string that retrieves their passenger name record (PNR). This record has all their personal details and their journeys. The system is used to manage passengers and flights, and to allow government security agencies to check the identity of travelers against lists of known baddies.

Bug-hunter Noam Rotem found an Amadeus web script, hosted by individual airlines, that accepts a booking reference in the URL, and if that reference is valid, it returns a page with the passenger’s name on it. Armed with a working reference and corresponding name, it’s possible to log into the airline’s online portal as that stranger, and access and edit the traveler’s reservation page and PNR details. That means miscreants can change passenger seat assignments, redirect frequent flyer points to another account, alter or view contact details, or even move or cancel flights.

Due to a lack of brute-force protection, bots could repeatedly hit the vulnerable page, running through as many booking references as possible, and making a note of those that cough up a person’s name. The reference and name combinations can then be used to access the reservation page, as described above.

Though Safety Detective reported the issue to Amadeus, and early media reports suggested the bug had been squashed, the infosec biz believes those claims were premature, and that the supposed fix for the flaw was only superficial.

Lipstick on a pig

Take for instance, the Israeli airline ELAL, which, like British Airways, Air France, and United Airlines, uses Amadeus for managing its reservations. Safety Detective bods noticed that while the vulnerable flight reservation page was patched to no longer visibly show a passenger’s name for a given booking reference…

ELAL page with PNR code scrubbed: a page that seemingly shows no passenger name

…the HTML source code still contains the person’s name in some embedded JSON, it is claimed:

ELAL source page showing PNR information: but the source code includes the name we need to access the reservation

Thus, according to the security biz, you can still supply a reference and get a potential name out of it, and the two together can be plugged into the airline’s online portal to carry out further mischief. There are still no brute-force protections in place, either, we’re told.

It seems ELAL is not alone, either. Safety Detective reckons the issue will still be present in all 144 airlines that use the system.

“It is like we told them ‘hey there is dirt on the floor, it’s not clean,’ and they took a rug and covered it up, and said, ‘now you don’t see it anymore’,” Safety Detective spokesperson John Brown told us. “Well, we can take the rug off (Ctrl+U in Chrome shows you the code) and see the issue didn’t go away just because you (very clumsily) hid it.

“In the brute-force attack, we guess a PNR code, get the flight details, and are then able to change them. Since there is no limitation to the number of attempts, we can guess a good number of valid flights. It’s all a matter of time, really. In the screenshot, we show they didn’t really fix it. They hid the information in the page, for example, the passenger’s name.”

Amadeus is urged to curb bot access with CAPTCHAs and rate limiting on lookups, and to introduce some kind of authentication, such as passwords or passphrases, rather than simply hiding passenger names.
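To make the “hidden, not fixed” point concrete, here is an added example, written for this page and not code from Safety Detective, Amadeus or ELAL: a mock lookup whose response scrubs the name from the visible markup but still ships it in embedded JSON, the one-line harvest that recovers it, an unthrottled enumeration loop of the kind Brown describes, and a hardened lookup that applies the countermeasures above (a second factor and a lockout; the CAPTCHA hook is left as a comment). All booking records, names, the `window.__state` variable and the client identifiers are constructed for the example.

```python
"""Added example, not code from Safety Detective, Amadeus or ELAL: a mock PNR
lookup that shows why scrubbing a name from the rendered page is not a fix,
and what a second factor plus lockout looks like. Records are constructed."""
import hmac
import html
import json
import re

# Constructed sample records keyed by booking reference (hypothetical PNRs).
BOOKINGS = {
    "ABC123": {"name": "JANE DOE", "flight": "LY001", "date": "2019-02-01"},
    "XYZ789": {"name": "JOHN ROE", "flight": "LY315", "date": "2019-02-03"},
}


def render_superficial_fix(pnr):
    """The 'rug over the dirt' fix: the name is gone from the visible markup,
    but the whole record is still serialised into a JSON blob for the
    front-end script (window.__state is an assumed variable name). Returns
    None for an unknown reference, which is exactly the oracle a brute-forcer
    needs."""
    rec = BOOKINGS.get(pnr)
    if rec is None:
        return None
    visible = f"<h1>Booking {html.escape(pnr)}</h1><p>Flight {rec['flight']}</p>"
    state = {"pnr": pnr, **rec}
    embedded = f"<script>window.__state = {json.dumps(state)};</script>"
    return visible + embedded


def harvest_name(page_source):
    """What Ctrl+U exposes: pull the passenger name back out of the embedded JSON."""
    m = re.search(r"window\.__state = (\{.*?\});</script>", page_source)
    return json.loads(m.group(1)).get("name") if m else None


def enumerate_references(lookup, candidates):
    """Brute force against an unthrottled lookup: every candidate that returns
    a page is a live booking, and the passenger name comes with it."""
    hits = []
    for pnr in candidates:
        page = lookup(pnr)
        if page is not None:
            hits.append((pnr, harvest_name(page)))
    return hits


class HardenedLookup:
    """Lookup that (a) demands a second factor the caller must also know,
    (b) locks a client out after MAX_FAILS wrong guesses, and (c) never
    echoes the passenger name. A real deployment would key the counter on
    more than a client id and serve a CAPTCHA once the counter trips."""

    MAX_FAILS = 5

    def __init__(self, bookings=BOOKINGS):
        self.bookings = bookings
        self.fails = {}  # client id -> failed attempts (constructed key)

    def lookup(self, client, pnr, surname):
        if self.fails.get(client, 0) >= self.MAX_FAILS:
            return {"error": "too many attempts"}
        rec = self.bookings.get(pnr)
        expected = rec["name"].split()[-1] if rec else ""
        # Wrong PNR and wrong surname give the same answer and the same counter
        # increment, so neither half of the credential can be guessed alone.
        ok = rec is not None and hmac.compare_digest(
            expected.encode(), surname.strip().upper().encode()
        )
        if not ok:
            self.fails[client] = self.fails.get(client, 0) + 1
            return {"error": "not found"}
        return {"flight": rec["flight"], "date": rec["date"]}


if __name__ == "__main__":
    page = render_superficial_fix("ABC123")
    print("name in visible markup?", "JANE DOE" in page.split("<script>")[0])  # False
    print("harvested from source:", harvest_name(page))  # JANE DOE
    print(enumerate_references(render_superficial_fix, ["AAA000", "ABC123", "XYZ789"]))
```

The hardened class fixes the two properties the article complains about: a reference alone no longer yields anything, and a client that keeps guessing is cut off after a handful of failures instead of being allowed to run the reference space. Hiding the name while leaving both of those properties in place, as the screenshots suggest was done, changes nothing for an attacker reading the page source.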

Fiddling while Rome burns

ELAL has been alerted to the purported weak fix. Meanwhile, Amadeus said it is investigating the matter.

“At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems,” a spokesperson insisted to The Register.

“We became alerted to an issue in one of our products and our technical teams took immediate action. We are working closely with our customers and we regret any disruption this situation may have caused.


“We work together with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale.

“Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration. We are conducting a thorough internal review and detailed investigation into the root cause and impact of this issue and will be working hand in hand with those customers affected.”

While researchers have been sounding the alarm on the security of booking references and PNRs, the industry seems reluctant to act. So, too, do regulators, with the EU fumbling a chance to shore up the system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/15/amadeus_security_hole/

EDGAR Wrong: Ukrainians hacked SEC, stole docs for inside trading, says Uncle Sam

A pair of Ukrainian hackers broke into America’s financial watchdog to swipe insider info for stock traders, it is claimed.

Oleksandr Ieremenko, 26, and Artem Radchenko, 27, were today charged by New Jersey prosecutors, who alleged the pair committed securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud.

Uncle Sam’s legal eagles claim that, in 2016, both men hacked into the US Securities and Exchange Commission (SEC) EDGAR system, which publicly traded companies use to file and store financial filings for government officials to inspect ahead of publication. The two then handed scooped-up information over to stock traders, who used the insider dirt to turn a quick buck on stocks they knew would soon rise or fall when the filings were made public.

“The defendants charged in the indictment announced today engaged in a sophisticated hacking and insider trading scheme to cheat the securities markets and the investing public,” said US Attorney Craig Carpenito.

“They targeted the Securities and Exchange Commission with a series of sophisticated and relentless cyber-attacks, stealing thousands of confidential EDGAR filings from the Commission’s servers and then trading on the inside information in those filings before it was known to the market, all at the expense of the average investor.”

The Department of Justice did not say when, if at all, the two Ukrainians, both from Kiev, will appear in a US court to face charges.

In just one case, the alleged crooks netted more than a quarter of a million dollars from the scam, according to prosecutors. Here’s their summary of that escapade:

Radchenko recruited to the scheme traders who were provided with the stolen test filings so they could profit by trading on the information before the investing public. Armed with the stolen information, the traders profited by executing various trades in brokerage accounts they controlled. In one instance, a test filing for “Public Company 1” was uploaded to the EDGAR servers at 3:32 p.m. (EDT) on May 19, 2016. Six minutes later, the defendants stole the test filing and uploaded a copy to the Lithuania server. Between 3:42 p.m. and 3:59 p.m., a conspirator purchased approximately $2.4 million worth of shares of Public Company 1. At 4:02 p.m., Public Company 1 released its second quarter earnings report and announced that it expected to deliver record earnings in 2016. Over the next day, the conspirator sold all the acquired shares in Public Company 1 for a profit of more than $270,000.

While Radchenko only looks likely to face the criminal charges, Ieremenko will also face a civil action as one of a group of nine people being sued by the SEC for allegedly trading on and profiting from stolen info.


The commission claims Ieremenko and his associates obtained at least 157 corporate earnings releases before they were made public and, as a result, were able to rack up around $4.1m in ill-gotten gains.

“International computer hacking schemes like the one we charged today pose an ever-present risk to organizations that possess valuable information,” said Stephanie Avakian, SEC enforcement division co-director.

“Today’s action shows the SEC’s commitment and ability to unravel these schemes and identify the perpetrators even when they operate from outside our borders.”

If the name Oleksandr Ieremenko and insider trading strike you with a sense of déjà vu, it is because this exact same fellow was allegedly behind a very similar scheme busted in 2015.

In that case, Ieremenko was said to have compromised a press-release wire service and used that info to pull off insider trades and illegally rack up profits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/15/ukrainians_sec_hacking_insider_trading_charges/

Report: Bots Add Volume to Account Takeover Attacks

Bots that can launch hundreds of attacks per second are making account takeover fraud more difficult to defend against.

Modern malicious botnets can do far more than launch huge DDoS attacks: According to a new report, criminals participating in account takeover activities are using botnets to launch more than 100 of these attacks every second.

The report, published by e-commerce fraud prevention company Forter, says that between 20% and 30% of all account takeover attacks are launched by organized fraud rings, and these organized groups are seeing greater success. More than 80% of all account takeover attacks are launched by fewer than 10% of the attackers targeting the site.

Organizations that offer more services on their web sites may increase customer loyalty, but they also increase their site’s attractiveness to criminals, says the report. Loyalty programs, for example, increase their risk of account takeover attacks by as much as 200%.

As for prevention, the report points out that a focus solely on the point of transaction may be misguided, since fraud actors may well have been watching a victim’s behavior for days or weeks.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities-and-threats/report-bots-add-volume-to-account-takeover-attacks/d/d-id/1333658?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple