STE WILLIAMS

It is with a heavy heart we must inform you, once again, folks are accidentally spilling thousands of sensitive pics, records onto the internet

Roundup Everything is insecure and everything is broken, exhibits A through Z:

Plastic surgery biz botches storage, leaks patient records

A software vendor specializing in record-keeping tools for plastic surgery clinics poorly secured a storage bucket hosted by Amazon Web Services containing hundreds of thousands of sensitive patient photos and records.

The team at vpnMentor discovered and reported a public-facing, insecure AWS S3 bucket belonging to NextMotion. The French software developer has since taken down the database, but the exposed records were, apparently, very intimate and accessible by anyone.

“The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software,” noted vpnMentor. “These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated.”

Iran accused of hacking vulnerable VPN, RDP servers

Infosec outfit ClearSky claims it has evidence of Iranian hackers, likely state backed, breaking into “dozens of companies around the world in the past three years” by exploiting “known vulnerabilities in systems with unpatched VPN and RDP services.” The miscreants target businesses that provide IT services to others, allowing the intruders to menace thousands of customers, we’re told.

Keep your external-facing remote-access systems up to date and patched, folks.

Photo app leaks people’s photos, info

PhotoSquared left 100,000 customer records on a public-facing, poorly secured Amazon Web Services S3 bucket, according to, once again, peeps at vpnMentor. The 94.7GB data silo was removed from view on Friday after it was alerted to the blunder at the end of January. The bucket contained pictures, including personal snaps, receipts, and shipping labels, for thousands of punters from 2016 to last month.

Israeli voting app spills citizen data

A botched app rollout by Israel’s Likud party leaked the personal information of more than six million citizens. According to Haaretz, the gaffe resulted in the exposure of 6,453,254 folks’ data, including addresses, names, genders, and social security numbers.

Malware infection menaces US children’s hospital

The Boston Children’s Hospital had to take one of its external networks offline this week following a ransomware outbreak that scrambled some patient records. Local news reports the infection hit an affiliate system that handled medical data.

“The Pediatric Physicians’ Organization at Children’s (PPOC) reported a large outage affecting more than 500 primary care doctors, nurse practitioners and physician assistants across the state,” says Boston 25 News. “The outage is only affecting offices that are affiliated with Boston Children’s Hospital.”

If there is any good news to be had here, it is that the attack appears to have been confined to that affiliate network, so the hospital's own clinical systems are not reported to have been touched, at least by this outbreak.

Ransomware cost tallied at an arbitrarily large number

Security house Emsisoft compiled a report guesstimating the cost of ransomware in countries around the world. Over the 2019 calendar year, it estimated some 24,770 samples of ransomware caused $1.3bn of damage in the US. For the UK, the number of incidents was placed at 4,999 with damages adding up to $277m (£212m).

These numbers are extrapolated from the number of ransomware samples submitted to an identification service, so take the above with an enormous pinch of salt.

Puerto Rican government phished for millions

The people of Puerto Rico really didn’t need to hear this, but its government fell victim to a massive phishing attack. The island said more than $2.6m in fraudulent payments were sent to crooks after someone in the US territory’s Industrial Development Office was convinced to re-route outgoing checks to a different account. The FBI has reportedly been called in to investigate the blunder.

Estee Lauder blushing after records leak

Cosmetics company Estee Lauder also saw millions of its internal documents spill onto the public internet this month, thanks to a poorly configured database. Jeremiah Fowler at Security Discovery said the misconfigured database had more than 440 million logs and records, including company emails. What’s worse, the logs also included specific information on some of the middleware systems the company used.

This is particularly bad as that information would be extremely useful to a miscreant who wanted to get a foothold in the company’s network and then spread to more secure systems at Estee Lauder. “There were millions of records pertaining to middleware that is used by the Estée Lauder company,” Fowler noted.

“In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/17/roundup_feb14_2020/

Martin and Dorothie Hellman on Love, Crypto & Saving the World

Martin Hellman, co-creator of the Diffie-Hellman key exchange, and his wife of 53 years, Dorothie, talk about the current state of cryptography and what making peace at home taught them about making peace on Earth.


Dozens of adoring, young Chinese university students (and not-so-young infosec professionals) surround Martin Hellman, posing for selfies that are surely destined for WeChat. The cryptographer and national security expert still revered for his work with Whitfield Diffie on the Diffie-Hellman key exchange — or Diffie-Hellman-Merkle, as he prefers to call it, in recognition of Ralph Merkle’s work — has just completed a presentation at the INSEC 2019 conference in Chengdu, China.

Also in attendance is Dorothie Hellman, who has witnessed such outbursts of celebrity many times before. Dorothie doesn’t need any help being glamorous, but her mystique is nevertheless enhanced by having been featured in Martin’s presentation on public key cryptography. (Instead of the crypto keys being swapped between the proverbial Bob, Alice, and Eve, Hellman’s presentation hustled keys between Marty, Whit, and Dorothie.) She herself was formerly a CPA at Touche Ross and the vice president of fundraising at the Beyond War Foundation.

Dorothie and Martin have been wedded for 53 years (and counting). But that partnership almost didn’t last. The couple recently self-published a book about their road back from the brink of separation, titled A New Map for Relationships: Creating True Love at Home and Peace on the Planet.

But this book is rather different than most books on marriage you’ll find in the self-help aisle.

A New Map is splashed with endorsements by scientists and security experts: a former US Secretary of Defense, the designer of the first microprocessor, the president of the Nuclear Age Peace Foundation, and a former ambassador to Afghanistan who called it “the most thoughtful, unique, and fascinating book I have ever read on personal and international diplomacy.”

The Hellmans explain the essence of the story in the foreword: “The experiments we carried out in our marriage allowed us to see how adversaries could eventually achieve a level of harmony that would seem impossible from their starting point. At the personal level, we reclaimed the true love that we felt when we first fell for one another. Extending what we learned in our marriage to the global level would result in something that, from today’s perspective, would look like world peace.”

So what got them to put their story on paper? “For 40 years the two of us have worked to try to save humanity from destroying itself,” says Martin Hellman in an interview with Dark Reading. “And yet there’s very little interest in that in the air. … What got us initially started was not wanting to save the world. It was wanting to save our marriage.”

Cold Times Abroad and at Home

Although the book was self-published in 2016, the research for it began in the 1980s. Martin had put cryptography and cybersecurity mostly aside to focus on international security. It was the thick of the Cold War. The threat of nuclear warfare was imminent. And the fracturing of the Hellmans’ marriage was just as heavy in the air.  

“Our relationship was very, very difficult at that time,” says Dorothie. “We weren’t communicating at all, and we were leading separate lives.”

“And you were ready to leave me, right?” says Martin.

“And I decided it just wasn’t what marriage was about,” says Dorothie.

“You contemplated leaving me?” repeats Martin.

“I was contemplating leaving,” she admits to me. “But I decided I wasn’t going to do that — that he was ‘the one.’ And I needed to figure out how to really make this marriage work. So that’s where it began.”

Chapter 1 may be a terribly familiar story. Dorothie was reading a map, Martin took the map from her “to help,” Dorothie stormed away, Martin awkwardly pretended that nothing at all had happened, and when Dorothie returned, she grabbed the map back and tore it into little pieces. Fortunately, they were able to see the comedy they were starring in, laughed at themselves, and put the map back together like a puzzle.

The lesson: Although they are very different people with different ways of thinking (opposites attract, after all), both of their methods are equally valid. In fact, their differences are a strength.

The Hellmans tell me they have not had an argument in 20 years.

Really.

Well, then, they must be grand compromisers, I say.

No. They’ve agreed to never make compromises with each other. Compromises always result in both parties feeling they’ve lost something.

(I briefly lose the capacity for speech.) How is this scientifically possible? You must have disagreements, surely?

“We disagree all the time!” says Martin. “Now, disagreements become opportunities to discover better solutions than either of us thought. … She thought she wanted X, I thought I wanted Y, which seemed totally incompatible, and then since we agreed that we weren’t going to compromise … we commit to not doing anything until we have a solution Z that we both really love.”

The book continues with other lessons they learned: For example, practice compassion and holistic thinking, realize that inconceivable does not mean impossible, get curious not furious, and realize deeply held beliefs may be mistaken.

“And the same things we learned to make our relationship right,” says Dorothie, “are the same things we need to learn internationally to make the world right.”

Time for a ‘Shift in Consciousness’

Dorothie recalls a conversation relating to that.

“We had a congressman sitting in our living room, and we were talking about shifts in attitude like this,” she says, “and what he said was, ‘I can’t get too far ahead of my people.’ And so what needs to happen is a shift in consciousness among people, so that our leaders aren’t fighting the territorial kind of attitude where somebody wins and somebody loses.”

“And,” adds Martin, “that they’re not seen as weak for doing that.”

In a recent Federation of American Scientists paper “Rethinking National Security,” Martin suggested that to truly address certain security issues, we need to adjust our mindset – and see that “national security” now depends on “global security.”

“We usually act as if national security makes sense in and of itself,” he wrote, “but nuclear weapons, other weapons of mass destruction technologies, cyber warfare, terrorism, and global environmental crises are making our national security increasingly dependent on all nations feeling more secure, including those we regard as adversaries.”

Martin cautioned against allowing a cyberarms race to proceed and follow the same pattern that the nuclear arms race did. Supporters of Hellman’s initiative to rethink national security include former members of the national security council, Ronald Reagan’s ambassador to Moscow, Nobel laureates in chemistry and physics, and one of Hellman’s own former adversaries: former Director of NSA, Adm. Bobby Inman. 

When Martin first met Inman in 1978, NSA thought Hellman was the “devil incarnate,” says Hellman, “and I thought of them largely the same way.”

Upon meeting, Inman said with a smile: ‘It’s nice to see you don’t have horns.’     

Martin replied: ‘Same here.’

Forty-one years later, Adm. Inman signed his statement of support to Hellman’s paper.

“We went from demonizing each other to becoming friends,” Martin says. “And that can happen.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/edge/theedge/martin-and-dorothie-hellman-on-love-crypto-and-saving-the-world-/b/d-id/1337067?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google burns down more than 500 private-data-stealing, ad-defrauding Chrome extensions installed by 1.7m netizens

Google has removed more than 500 Chrome extensions in response to a report from a security researcher, who found the browser plugins distributed through the Chrome Web Store facilitated ad fraud and data theft.

Using a free extension forensic analysis tool called CRXcavator, released last year by Cisco’s Duo Security, independent infosec bod Jamila Kaya spotted a set of similarly coded Chrome extensions “that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store,” said Kaya, and Jacob Rickerd, a security engineer at Duo, in a blog post this week.

We’re told “the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

For the past two years or so, Google has been scrambling to revise the way Chrome extensions work because the APIs available to extension developers can be abused. The ad biz decided to limit its extension platform technically rather than commit the considerable resources that would be necessary to thoroughly review the code of extensions submitted to the Chrome Web Store and prevent developer misbehavior.

Its security-focused platform revision, referred to as Manifest v3, is presently underway. But Chrome extensions developed under the more liberal regime, Manifest v2, are still being written and distributed. And the Chrome Web Store remains woefully understaffed.

Kaya found several extensions offering advertising as a service – with names like MapsTrek Promotions, FreeWeatherApp Promos, and CouponRockstar Offers – and discovered they were part of a network of browser plugins that shared similar code. Using CRXcavator, she identified about 70 related extensions and presented her findings to Google and we understand they were removed last year.

Google then created a code fingerprint that led the company to find more than 500 bad extensions and subsequently remove them. About 1.7m Chrome users had these extensions installed.


It’s not clear whether any of the victims recognized they were under attack. The malicious extensions appear to have been designed to operate unobtrusively and generate ad revenue by redirecting the victim’s browser to a series of host sites – almost all hosted on AWS, the researchers claim – that serve a series of ads, both legitimate and illegitimate.

Yet these ads – billed to advertisers with the scammers getting some portion of the proceeds unless detected – may never have been viewed by actual people.

“A large portion of these are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy,” explain Kaya and Rickerd.

“What differentiates it as malvertising and ad fraud rather than legitimate advertising is the large volume of ad content shown, the fact that the user does not see many if not the majority of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing.”

“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said a Google spokesperson in an email, offering The Register a statement identical to the one the company provided in Duo Security’s blog post.

“We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”

Google’s spokesperson ignored other questions from The Register about whether law enforcement was notified, and whether the company has any further information about the individual or group behind the malicious extensions.

A spokesperson for Duo Security said it took two months from the time that Kaya identified the dubious extensions to the time when Google was notified, but declined to identify when specifically this occurred and referred further questions to Google.

Kaya and Rickerd provide few details about the person or group behind the malvertising campaign. It appears the responsible party has been active since at least January 2019 and may have been active further back based on domain registration dates in 2017. Certain code patterns point back further still to 2010.

One of the domain registration records cited contains an individual’s name, but the security researchers take no position about whether this individual is a real person actually associated with any of the registered domains supporting this malvertising operation.

The two researchers speculate that the malvertising plugins avoided detection by changing the names of their JavaScript functions but not the underlying code – which, if true, suggests Google’s security scanning for extensions, at least up to this point, hasn’t been particularly sophisticated. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/14/500_chrome_extensions_removed/

Roses are red, IBM is Big Blue. It’s out of RSA Conference after coronavirus review: IBMers will not attend infosec event over ‘health concerns’

Updated IBM has pulled out of annual security shindig RSA Conference, due to be held in San Francisco at the end of this month, to avoid its staff catching the Wuhan novel coronavirus that’s spreading worldwide.

“The health of IBMers continues to be our primary concern as we monitor upcoming events and travel relative to Novel Coronavirus (COVID-19),” Big Blue told The Register in a statement in the past hour.

“As a result, we are cancelling our participation in this year’s RSA taking place February 24 – 28 in San Francisco.”

This is the first major exhibitor to pull out of the show, one of the largest of its kind in the world with an estimated 45,000 attendees. The novel coronavirus has so far, according to official numbers from Beijing, infected more than 64,400 people, and killed at least 1,300, including three people outside of China.

RSA Conference organizers earlier said nine companies based in the Middle Kingdom – the epicenter of the deadly virus – were planning to attend the event, though six had dropped out due to travel restrictions put in place by the Chinese government to contain the bio-nasty. Meanwhile, 83 per cent of attendees are based in the United States, we’re told, meaning most people attending won’t be from areas severely hit by the virus.


Nevertheless, this has got to be a major blow for the infosec bash’s bosses, coming about a week before the doors open.

IBM is a platinum sponsor of the RSA Conference, and now other suppliers will be taking the long US weekend to consider whether they are going to turn up, too. It’s feared events with thousands of people arriving from around the globe, such as RSA Conference, may put attendees at risk, and hasten the epidemic’s spread.

This week saw the cancellation of MWC Barcelona, again to minimize the spread of the coronavirus. LG had pulled out of the conference, triggering a domino effect that led to a flood of big-name exhibitors refusing to attend. Cisco also cancelled its Live conference in Melbourne, Australia, over virus fears, and Black Hat Asia and DEF CON Asia have both been put on hold.

Among other events pulling the plug over the coronavirus, Facebook has just cancelled its annual global marketing confab in San Francisco.

The RSA Conference organizers had no comment at time of going to press. ®

Updated to add

“We learned today that IBM has made the decision to no longer participate in RSA Conference 2020 as a Platinum Sponsor,” the organizers said today. “We understand and respect their decision. RSA Conference is still planning to proceed as scheduled.”


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/14/ibm_rsa_cancel/

Palm Beach Elections Office Hit with Ransomware Pre-2016 Election

Palm Beach County’s elections supervisor does not believe the attack is linked to Russian hacking attempts targeting Florida.

A ransomware attack struck Florida’s Palm Beach County Elections Office weeks ahead of the 2016 US presidential election, the Palm Beach Post reported this week.

The incident took place more than three years ago, when Susan Bucher was elections supervisor, but is now coming to light after current elections supervisor Wendy Sartory Link was informed of it. Link was speaking with temporary IT director Ed Sacerio when he mentioned a security incident took place in 2016. As Sacerio described the attack, it was noticed when a colleague saw files disappearing and Word files and Excel spreadsheets being encrypted.

Sacerio does not believe the ransomware affected any voter data or election results. The office’s former IT director “kept his team at a distance” when handling the incident, he says.

After she learned of the 2016 attack, Link called the state, the FBI, and Department of Homeland Security, none of which had known about it. The Palm Beach elections office has now received guidance from Florida’s Cyber Navigator program, as well as attention from DHS. Link said she does not think the ransomware attack related to reports of Russian attackers targeting Florida counties.




Article source: https://www.darkreading.com/attacks-breaches/palm-beach-elections-office-hit-with-ransomware-pre-2016-election/d/d-id/1337064?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing Campaign Targets Mobile Banking Users

Consumers in dozens of countries were targeted, Lookout says.

A recent phishing campaign involving the use of SMS messages to lure potential victims into disclosing their bank-account access credentials is the latest evidence of growing attacker interest in users of mobile apps.

Lookout, which tracked the threat, said on Friday that it affected mobile users in dozens of countries, including the US. Among those targeted were customers of Chase, HSBC, TD, Scotiabank, and CIBC. The campaign appears to have started in June 2019 but is currently offline.

The mobile security vendor said it detected at least 4,000 unique IP addresses belonging to mobile users who appear to have fallen for the scam. Lookout said it is not sure how the victims were impacted financially because of a lack of visibility into how the attackers might have actually used the compromised credentials. 

But campaigns like these are a clear warning for mobile users, says Apurva Kumar, staff security intelligence engineer at Lookout. “Mobile phishing is on the rise,” Kumar says. “The attack was entirely mobile-focused, from delivering messages via SMS to rendering the phishing sites as mobile banking logins.”

For bad actors, mobile phishing is an attractive attack vector because it is often easier to obfuscate details of a scam on the mobile form factor, she says. With the increased use of multifactor authentication for signing into many apps, consumers have grown accustomed to banks communicating with them via SMS and therefore are less likely to scrutinize the messages as carefully as they should. 

Mobile devices are also attractive targets because of the amount of sensitive data they hold, Kumar says. “Many end users are still unaware that mobile phishing exists or is even a risk, even though they may be wary of email phishing attacks,” she says.

Malicious mobile apps posing as legitimate apps are another growing problem for consumers, especially for those using Android devices. In a recent report, Upstream said it had identified some 98,000 malicious Android apps and some 43 million infected Android smartphones and tablets in 2019. In most cases, the malicious mobile apps were being used to perpetrate ad fraud on a massive and global scale. And troublingly, Upstream found that 32% of the most active malicious apps it blocked last year were available through Google’s official mobile app store.

Spray-and-Pray Attack

According to Lookout, the SMS messages used in the recent phishing campaign led recipients to pages that spoofed the login pages of various banks, in an effort to capture credentials and other sensitive information, such as answers to the security questions used to verify a user’s identity.

The threat actors used an automated off-the-shelf SMS tool to create unique phishing messages for customers of different banks and then sent the message out in mass volume. Lookout said it identified over 200 phishing pages imitating bank login pages that were used in the campaign.

“This is a phishing-by-the-numbers attack, blasting out as many messages as possible in an effort to get even a 1% response,” Kumar says. It was a mass sending of untargeted text messages to mobile users with hopes of convincing a small percent of the recipients to enter their credentials, she notes.

Lookout hasn’t been able to identify the threat actor behind the campaign, but there’s nothing to suggest it was necessarily a sophisticated group considering it was launched from an off-the-shelf phishing kit. “It could be literally anyone, anywhere, which represents the risk from these kits being sold on the web,” Kumar says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/mobile/phishing-campaign-targets-mobile-banking-users/d/d-id/1337066?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bluetooth bugs – researchers find 10 “Sweyntooth” security holes

A trio of researchers from Singapore just published a paper detailing a number of security holes they discovered in Bluetooth chips from several different vendors.

The good news is that they disclosed the holes responsibly back in 2019 and waited 90 days – a sort-of industry standard period popularised by Google’s Project Zero team – before releasing the paper.

The bad news is that not all of the affected devices have received patches yet, and even for chips where the vendor has provided new firmware, it’s hard to be sure:

  • Which products out in the market use those chips.
  • Which products that could have been patched have actually received updates.
  • Which products might be affected but don’t support patching at all.

The researchers name seven different Bluetooth chip manufacturers as having buggy chips, though they insist that their list is “By no means […] exhaustive in terms of being affected.”

We assume they’re saying that out of a sense of fairness to the vendors they did name, which just happen to be the major Bluetooth chip makers whose chips appeared in the products they tried.

In other words, they’re not claiming that they tested a long list of chips and found all the other vendors to be safer, or suggesting that by avoiding the named vendors you’ll immediately be more secure.

The researchers also say that they were quickly able to find about 480 different products using the affected Bluetooth chips they’d identified, including fitness trackers, digital locks, remotely controllable plugs and more.

This family of bugs has been dubbed Sweyntooth. (The -W- should be pronounced as a -V- in English.) We’re usually a bit cynical about BWAINs – bugs with an impressive name, as we call them – that go in for dedicated websites, logos and so on for PR purposes. But we did smile at this name – Bluetooth itself is named after Harald Bluetooth, a Danish ruler from the 10th century. Harald was deposed and driven into exile by his own son, Sweyn Forkbeard. Incidentally, Sweyn was the first Danish king of England, and the father of Cnut, who famously proved to his unbelieving followers that he was not omnipotent by showing them that there were forces that even a king could not control, no matter how hard he tried. (Cnut used the tide to prove his point.)

How bad is it?

Fortunately, most of the Sweyntooth bugs aren’t too serious, and all of them require the attacker to be within Bluetooth Low Energy (BLE) range.

Nine of the ten bugs can so far only be exploited to force an affected device either to reboot or to hang; only one can potentially be abused by crooks to access your device without needing you to let them pair with it first.

Because it’s the most serious, we’ll start with the pairing bypass bug, assigned CVE-2019-19194 and denoted in the researchers’ paper as 6.10 because it’s explained in the tenth section of part 6 of the document.

(Only one vendor’s Bluetooth chip was found vulnerable to this attack – if you are worried, please check the paper for suggestions on what sort of products under which brand names might be affected.)

According to the researchers, the firmware in the affected chip fails to handle the Bluetooth pairing process properly.

In theory, an app that wants to connect to a device is supposed to go through pairing first.

Typically, this can’t be completed without the owner of the device taking a voluntary step, such as pressing a button or acknowledging a prompt, so that you can’t easily pair with a device without some sort of consent.

During the pairing process, a cryptographic dance is done by both sides to agree on a 16-byte LTK, short for “long-term key”.

Each side remembers the LTK associated with the other device, and with that LTK they can connect securely in future.

But to avoid using the LTK itself on every future occasion they connect, they use an SK, short for “session key”, computed from the LTK.

Different every time

To ensure that the SK is different every time, the two devices connecting first agree on 16 random bytes called the “session key diversifier”, or SKD.

It doesn’t matter if an eavesdropper gets the SKD, because it’s converted to the session key independently at each end, using the algorithm:

       SK = aesencrypt(SKD,LTK)   /* Encrypt the 16-byte SKD with the */
                                  /* 16-byte LTK using the AES cipher */

So, to get the right SK, you need to know not only the random data, which can be considered public, but also the LTK, which you can only acquire privately during the original by-consent pairing process.

No pairing, no LTK; no LTK, no session key; no session key, no connection.

But the researchers found they could trick the buggy chip firmware into short-circuiting the pairing process.

They sent a request to start pairing, and waited for the other end to say, “Go ahead”.

But then they skipped straight to making a session connection, without pairing at all, and without getting an LTK.

The other end ought to say, “No! I don’t know you and I don’t have an LTK for you, so go away until you have completed the pairing process.”

Instead, the buggy firmware went ahead with the connection process anyway and calculated the session key like this:

       SK = aesencrypt(SKD,'0000...0000')   /* Encrypt the 16-byte SKD with */
                                            /* 16 bytes' worth of zeros     */

In other words, by simply pretending to pair but never actually doing so, you effectively “autopair” with a known LTK consisting of all zeros.

Because you “know” the LTK, you can calculate SK, and with SK, you can complete your connection without ever going through the pairing process.
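To make the failure concrete, here is an added example in Go (it is not code from this article or from the Sweyntooth researchers) that plays out both sides of the exchange using the standard library’s AES. It derives SK = AES-128 under the LTK of the 16-byte SKD, with the SKD built from the two 8-byte halves the BLE link layer actually exchanges (SKDm from the central, SKDs from the peripheral). The type and function names (peripheral, handleEncReq, attackerConnects) are invented for the illustration: in strict mode the peripheral refuses encryption setup when it holds no LTK for the peer, in buggy mode it falls through to an all-zero key exactly as described above, and the attacker that never paired simply guesses zeros.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

// sessionKey is the derivation from the text: SK = AES-128(key = LTK, plaintext = SKD),
// where SKD is the 16-byte diversifier formed from the two 8-byte halves contributed
// by the central (SKDm) and the peripheral (SKDs) during encryption setup.
func sessionKey(ltk, skdm, skds []byte) ([]byte, error) {
	if len(ltk) != 16 || len(skdm) != 8 || len(skds) != 8 {
		return nil, errors.New("LTK must be 16 bytes and each SKD half 8 bytes")
	}
	block, err := aes.NewCipher(ltk)
	if err != nil {
		return nil, err
	}
	sk := make([]byte, 16)
	block.Encrypt(sk, append(append([]byte{}, skdm...), skds...))
	return sk, nil
}

// peripheral models the link-layer state a BLE device keeps for one remote peer
// (hypothetical type for this illustration).
type peripheral struct {
	ltk    []byte // nil until a consented pairing has completed
	strict bool   // true: correct behaviour; false: the firmware bug described above
}

// handleEncReq is the peripheral's reaction to LL_ENC_REQ (which carries SKDm).
// It returns its SKDs and the session key it will use, or an error if it refuses.
func (p *peripheral) handleEncReq(skdm []byte) (skds, sk []byte, err error) {
	skds = make([]byte, 8)
	if _, err = rand.Read(skds); err != nil {
		return nil, nil, err
	}
	if p.ltk == nil {
		if p.strict {
			// Correct: no LTK for this peer, so reject and stay unencrypted.
			return nil, nil, errors.New("no LTK for peer: pairing required")
		}
		// BUG: unset key material is used as though it were a real LTK.
		p.ltk = make([]byte, 16)
	}
	sk, err = sessionKey(p.ltk, skdm, skds)
	return skds, sk, err
}

// attackerConnects plays the central that skips pairing: it sends LL_ENC_REQ,
// guesses that the LTK is all zeros, and reports whether the guess matches
// the session key the peripheral actually computed.
func attackerConnects(p *peripheral) (bool, error) {
	skdm := make([]byte, 8)
	if _, err := rand.Read(skdm); err != nil {
		return false, err
	}
	skds, deviceSK, err := p.handleEncReq(skdm)
	if err != nil {
		return false, err // encryption setup refused: the attack fails
	}
	guessSK, err := sessionKey(make([]byte, 16), skdm, skds)
	if err != nil {
		return false, err
	}
	return bytes.Equal(guessSK, deviceSK), nil
}

func main() {
	for _, p := range []*peripheral{{strict: false}, {strict: true}} {
		ok, err := attackerConnects(p)
		fmt.Printf("strict=%v: attacker shares session key=%v err=%v\n", p.strict, ok, err)
	}
}
```

The SKD halves are public, so the only thing standing between the attacker and a working session key is the LTK; once the firmware substitutes zeros for a key it never negotiated, the “secret” half of the derivation is gone and the unpaired central ends up with the same SK as the device.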

The other nine bugs

The other bugs are somewhat milder – at the moment, all the researchers have been able to do with them is reboot or freeze a device.

Most of the bugs are buffer overflows, meaning that the vulnerable device can be sent N bytes of data that it then tries to store into M bytes of memory, where M < N.

There isn’t a lot of spare memory in a Bluetooth Low Energy chip, so the chances are that if you write past the end of the memory block reserved for storing, say, a device name, you’ll stray straight into whatever important data happens to come next in memory, say, the number of seconds to wait for the network to settle after an error.

You don’t have to know what data you’re overwriting – what matters is that you’re messing something up that might later be important, and by trial and error you can probably find a data pattern that will crash or lock the device.

In the example above, imagine that your buffer overflow ends up corrupting a memory area that usually says, “Wait 0x0001 seconds after an error” so that it now says, “Wait 0x4141 seconds after an error”.

We chose 0x4141 because it just happens to be the hexadecimal bytes you get from the two ASCII characters AA. Bug hunters often use the text AAA...AAA in varying lengths in the early stages of probing for buffer overflows – it’s handy to type in, and it’s easy to recognise in mangled data because of the 0x4141...4141 pattern in hexadecimal.

Well, 0x4141 seconds is 16,705 seconds in decimal notation, which is close to five hours, so the next error will tie up the device for all that time instead of just one second – essentially a Denial of Service (DoS) attack.
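As an added illustration (not from the article or the researchers’ paper), the following Go program models a ten-byte slice of chip RAM laid out the way the text assumes: an 8-byte name buffer immediately followed by a little-endian 16-bit “seconds to wait after an error” field. The layout, the field names and the two store routines are invented for the example; storeNameUnchecked trusts the sender’s length and copies byte for byte, storeNameChecked does the bounds check that keeps the timeout field intact.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout of a small region of chip RAM: an 8-byte device-name buffer
// immediately followed by a little-endian 16-bit "seconds to wait after an error".
const (
	nameOff    = 0
	nameLen    = 8
	timeoutOff = nameOff + nameLen
	ramSize    = timeoutOff + 2
)

type chipRAM [ramSize]byte

// newRAM returns the region with the sane default from the text: wait 0x0001 seconds.
func newRAM() *chipRAM {
	var r chipRAM
	binary.LittleEndian.PutUint16(r[timeoutOff:], 0x0001)
	return &r
}

func (r *chipRAM) errorWaitSeconds() uint16 {
	return binary.LittleEndian.Uint16(r[timeoutOff:])
}

// storeNameUnchecked copies the packet's name field trusting the sender's length:
// anything past nameLen bytes lands on the timeout field that follows it.
func (r *chipRAM) storeNameUnchecked(name []byte) {
	for i, b := range name {
		if nameOff+i >= ramSize {
			break // only the edge of our modelled RAM stops it; a real chip keeps going
		}
		r[nameOff+i] = b
	}
}

// storeNameChecked rejects anything that does not fit the buffer, leaving RAM untouched.
func (r *chipRAM) storeNameChecked(name []byte) error {
	if len(name) > nameLen {
		return errors.New("name too long: rejecting packet")
	}
	copy(r[nameOff:nameOff+nameLen], name)
	return nil
}

func main() {
	probe := []byte("AAAAAAAAAA") // the classic 0x41 pattern, two bytes longer than the buffer

	bad := newRAM()
	bad.storeNameUnchecked(probe)
	fmt.Printf("unchecked: wait = 0x%04x (%d s)\n", bad.errorWaitSeconds(), bad.errorWaitSeconds())

	good := newRAM()
	err := good.storeNameChecked(probe)
	fmt.Printf("checked:   wait = 0x%04x, err = %v\n", good.errorWaitSeconds(), err)
}
```

The two trailing “A”s land on the timeout field, which then reads 0x4141 (16,705 seconds); the checked version refuses the packet and leaves the one-second default alone.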

Some of the bugs were astonishingly simple to trigger: CVE-2019-19192, for example, just required the researchers to send an innocent, well-formed packet to the other end, and then to send exactly the same packet again immediately.

The other end would freeze up and the device had to be rebooted before it would work again – an instant DoS.

What to do

The connecting-without-pairing bug is the most serious, for obvious reasons.

The authors don’t give any advice themselves, but we suspect that some devices – assuming they are vulnerable – may offer a workaround by setting them into “undiscoverable” mode, if they have such an option.

Devices that are undiscoverable aren’t closed to authorised connections, but they don’t advertise themselves for the pairing process.

Therefore, if your device can be made to ignore pairing requests altogether, we suspect that the pre-conditions for CVE-2019-19194 can’t be met and therefore the attack won’t be possible.

NB. We don’t have a vulnerable device to test this, which is why we’re saying we suspect this will help.

As for the bugs that could crash or freeze your devices: make a habit of checking up on your devices regularly if you rely on them being up and running.

Some devices reboot themselves automatically after a crash or an error; others may fail into a state you didn’t want (the researchers found a power plug that could be crashed so that it turned itself off and stayed off, presumably for electrical safety).

And the researchers were able to crash one device that couldn’t easily be rebooted because it didn’t have a power button, so they had to remove and replace the battery to get it to restart.

You implicitly check that the fridge is still working every time you go in it – did the interior light come on? Is the lettuce looking limp?

So, make a habit of doing the same sort of checks on your Internet of Things (IoT) devices – it only takes a moment and will help you spot all sorts of problems, including fading batteries, misconfigured settings… and devices that have crashed unexpectedly.

Oh – and get any available patches, assuming the manufacturer of your device provides them!

By the way, whether you think you’re vulnerable to Sweyntooth or not, get those patches anyway, because it never pays to be behind in cybersecurity.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RPIddP3q73U/

AT&T insists it’s not blocking Tutanota after secure email biz cries foul, cites loss of net neutrality as cause

Encrypted email service Tutanota on Thursday accused US mega-telco AT&T of blocking its service in some parts of America, and cited the service interruption, ongoing for more than two weeks, as evidence for the need for net neutrality.

“Starting on January 25th 2020, we have had constant complaints from AT&T mobile users who were unable to access their encrypted Tutanota mailbox,” company co-founder Matthias Pfau wrote in a blog post on Thursday. “While AT&T seemed willing to fix this when we reached out to them, the issue is still not solved and reports from users keep coming in.”

Pfau said Tutanota, because it’s based in Germany, has been unable to conduct its own network tests, but added that customers have confirmed being blocked on AT&T mobile connections in Chicago.

“No ISP should have the right to block or throttle access to any website,” said Pfau. “We hope that AT&T will lift this regional block soon.”

However, it may be premature to link the lingering application-specific outage to as-yet-unproven network favoritism.

AT&T insists it isn’t blocking Tutanota, at least not deliberately, and claims it’s trying to address the issue.

“We are aware that some of our customers have reported trouble accessing Tutanota email service,” an AT&T spokesperson said in an email to The Register. “We are working with them to resolve this as quickly as possible.”

AT&T’s spokesperson declined to provide further details about the cause of the service problems.

Net neutrality refers to the notion that network traffic should be carried by network providers on a non-discriminatory basis. This was the basis for internet data traffic pretty much since its inception, but telcos increasingly disliked the practice.

In 2015, America’s comms watchdog – the FCC – enacted formal rules enforcing net neutrality to settle the matter once and for all. Then the Republican Party won the next election, and the new FCC, led by chairman and ex-telco executive Ajit Pai, voted in December 2017 to repeal net neutrality rules. While that decision remains the subject of legal wrangling, there’s ample evidence that network providers sometimes play favorites.

Computer science researchers from Northeastern University and University of Massachusetts Amherst published a study last year showing that almost all wireless carriers throttle selected video streaming services. AT&T, for example, was found to have limited bandwidth to Netflix and YouTube about 70 per cent of the time, but didn’t do so for Amazon Prime Video.

And in 2018, Sprint was found to be throttling traffic to Microsoft Skype, which competes with its own VoIP service.

Even so, Tutanota’s decision to ring the net neutrality alarm bell without presenting evidence of deliberate network meddling makes this more a matter of support escalation than of malice. As Pfau acknowledges in his post, “we are reaching out publicly in the hope of getting the attention of the right people at AT&T.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/14/att_tutanota_block/

Austrian foreign ministry: ‘State actor’ hack on government IT systems is over

Austria’s foreign ministry has said a weeks-long cyber attack from a “state actor” against its systems has ended – amid local reports that pin the blame on a Russian hacking crew and its initial four-byte payload.

The attack, which was announced to burghers of the state on 4 January, was aimed at the ministry’s IT infrastructure, according to local reports.

Foreign minister Alexander Schallenberg said the attack had been ended, adding: “We managed to clean up our IT systems.” He claimed that “no damage to the IT equipment could be detected”.

The ministry said in a statement: “According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”

It is unclear whether the attack itself ended yesterday or whether yesterday marked the end of the cleanup and repair period.

Local newspaper Der Standard said that despite news reports blaming usual suspects – Russia and China – local Russian ambassador Dmitri Ljubinski demanded a retraction and apology. The newspaper said: “For example, the Kronen Zeitung headlined on Tuesday with the claim that a trail leads to Moscow – without further substantiating this.”

A local radio station, the Österreichischer Rundfunk (ORF, state broadcaster Austrian Radio), reported in mid-January that the attack bore the hallmarks of Russia’s Turla Group. Citing information from its own sources, the broadcaster described the attack in detail:

Like all previously known malware modules that are assigned to Turla, Topinambour is a pure spy tool. The individual elements of the malware are – as is usual – only put together in the target network, but the sophistication of Turla lies in the “how”. The entire suite consists of short command chains for .NET or PowerShell and uses – wherever possible – legitimate Windows elements such as cmd.exe that are present on the attacked machine anyway.

ORF reported that a command-line module was used by the attackers to send a four-byte TCP request to an external server. That downloads the malware dropper, which in turn places Turla’s trojan. Deployed as a so-called fileless attack, the malware’s operators were, so ORF said, able to revisit freshly disinfected servers with subtly altered strains, reacting to countermeasures on the fly. A Google-translated version of its article, which reads well in English, is available here.

“Strings of the command-line interface PowerShell or the counterpart of the .NET programming suite from Microsoft are always buzzing around in this network,” said ORF, highlighting that Austria’s foreign ministry maintains around 100 diplomatic missions worldwide.

Turla Group, like every other malware operator out there on the internet, has about two-dozen trade names depending on which infosec company is blogging about it at a given moment. It is variously known as Venomous Bear, Group 88, Uroburos, Iron Hunter, and so on. It was last seen on El Reg when British and American spies blamed the hacking crew for masquerading as Iranians to launch attacks on Middle Eastern governments.

Last summer the United Nations HQ in Austrian capital Vienna was hacked. Incredibly, officials covered it up in the hope nobody would notice. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/14/austria_foreign_ministry_hack_turla_group_allegs/

The 5 Love Languages of Cybersecurity

When it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

When most people, including the majority of us in the industry, think about cybersecurity, “lovable” isn’t the first word that comes to mind. Cybersecurity has a “dark arts” reputation that conjures up images of shadowy hackers in hoodies slouched behind their laptops, out of sight from the rest of the organization except when it’s time to serve up stern warnings to scare folks into staying safe online.

Of course, much of that is by design. Cybersecurity isn’t an industry built on approachability; it’s known for building digital barriers to protect networks, data, and devices. But leading with FUD (fear, uncertainty, and doubt) won’t get you far with key constituents at your company. In my experience, when it comes to building buy-in from the business, all cybersecurity needs is love — especially when it comes to communication.

That’s where love languages — the five ways people express and experience love — comes in. The idea is that effective communication with loved ones means ditching a “me-first” mindset, so we understand their needs and act accordingly. The same is true for security. We can’t have a “cybersecurity-first, business-second” mindset. We have to right-size security to each facet of the business so that we understand how each one operates, and how we can best support them. On Valentine’s Day, I thought I’d share how these five love languages apply to cybersecurity and the teams we interact with.

The Love Language of Touch: Engineers
Let’s be clear. Your engineers — whether they’re in product development, DevOps, or in your data center — aren’t looking for a handshake or a hug. But they do want to feel like you’re helping with the heavy lifting as they build code, instead of slowing them down. They’re not here to educate you on engineering. Security needs to care about the code down to its core. The more technical context you can provide, even the lowest-level details about an exploit, the more confident engineers will feel as they build. It’s not enough for security to show up and say, “We have a SQL injection here. Fix it.” We need to explain the risk and offer enough details to solve it.

The Love Language of Quality Time: Legal Team
Besides security, no one quite appreciates and understands risk quite like your legal team. They have deep knowledge of the foundational principles of risk and how they translate to liability. So they want to sit down and solve problems with a team that not only translates the technical side but also understands and appreciates the value of compliance. They want a trusted adviser who can spend the time with them to home in on what the risks really are, how likely they are to happen, and frame them up in terms of controls. Say, for example, you want to run a bug bounty program. Cybersecurity should be prepared to discuss how it’s safeguarding data, and the processes put in place to make it a safe and secure testing ground.

The Love Language of Acts of Service: Marketing and BizDev
These teams care deeply about the impact cybersecurity has on customer experience, especially when friction is introduced into the product because of security controls. For cybersecurity, the why is important here, but so is the how — as in, how is this going to affect the people who use our product? Let’s say a security team wants to introduce a captcha. They need to explain why doing so will keep customers secure, but also how to go about it in an uncomplicated way so the customer doesn’t have to jump through more hoops than necessary.

The Love Language of Giving and Receiving Gifts: C-Suite
Your top leadership is most interested in the top risks the company faces. Cybersecurity’s job is to prioritize those risks by contextualizing them within the business, and then determine when the company needs to take action. The gifts you give the C-suite are a map and GPS. The map is an understanding of the geography of risks; the GPS is a recommendation of what path to take. If the C-suite, for instance, asks about where it should allocate engineering resources, cybersecurity can’t answer as an entity unto itself. It needs to put business needs first so leadership understands the trade-offs of each scenario and arrives at the best decision possible.

The Love Language of Words of Affirmation: Board Members
This isn’t about telling the board what they want to hear or sugarcoating the truth. It means providing them with context and information that enables them to give sound advice and hold the company accountable to the decisions it makes. Speaking to the board means educating them on trends and patterns to develop informed opinions. If you’re a CISO presenting enterprise risk to the board, do more than explain what you’re working on. Talk about how you plan to address issues and how long it will take.

The universal language of cybersecurity is why but how you communicate that why varies with each group with whom cybersecurity engages. Cybersecurity can’t just hide behind its hoodies or expect people to comply with its policies just because it says so. It needs to share the love and meet people where they are, in a way they understand, to build buy-in and gain trust.

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy …

Article source: https://www.darkreading.com/operations/the-5-love-languages-of-cybersecurity--/a/d-id/1337034?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple