STE WILLIAMS

It’s 2019, and from Beijing to Blighty folk are still worried about slurp-happy apps

China’s Internet Society chapter has warned local internet app-makers to tone down their collection of personal information.

Last week, the society convened an expert panel with the country’s Information and Communication Administration (part of the Ministry of Industry and Information Technology) to present the results of its analysis of apps popular in China.

What it found will be familiar to anybody who has watched apps in any country: 18 of the most popular apps the society tested collected excessive user information, and in nine cases, that seemed to be taking place without user consent.

Some of those swept up users’ text message archives, their address books, location data, and recordings.

The Internet Society of China report (in Chinese) noted that the revelation led to “heated discussions and comments” between panel members. However, the panel was able to come to the consensus that even if there are still “irregularities”, everybody is at least trying to behave better: “All relevant internet companies have made active efforts to strengthen the protection of users’ personal information.”

The society’s deputy secretary-general, Song Maoen, said the organisation will put together further resources to help its members “carry out self-discipline work on personal information protection, in order to safeguard the legitimate rights and interests of users”.

Among the problematic apps were QQ Music and Kuwo Music, both part of the Tencent Music stable that in December raised over a billion dollars in an IPO, and the Baidu mobile assistant, which was collecting user information without permission.

The news comes hard on the heels of Privacy International raising fresh concerns about app malfeasance outside the Great Firewall.

The London-based privacy advocates said app developers were failing to manage their use of the Facebook SDK, and as a result, apps were frequently sending information sufficient to profile users back to Zuckerberg’s ad farm – even if the individual wasn’t a Facebook user.

It claimed 61 per cent of the apps it tested sent information to Facebook as soon as the app was opened, along with the user’s Google advertising ID. The apps someone routinely uses, Privacy International pointed out, can be enough to create a broad profile of their lifestyle and interests.

Some apps went further, sending detailed information about how users interact with their apps to Facebook – like the Kayak travel booking app, which passed over users’ search and bookings info.

Facebook told Privacy International that since June 2018 it had revised how the SDK’s report-home defaults were configured. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/03/from_beijing_to_blighty_app_privacy_worries_lead_us_into_2019/

Google-whisperers beat reCaptcha voice challenge with 90% success rate

University of Maryland researchers have given Google a “welcome to 2019” gift by breaking its latest reCaptcha audio challenge.

The work is a follow-up to an attack published in April 2017 by the university’s Kevin Bock, Daven Patel, George Hughey and Dave Levin, again attacking the audio challenges. Since then, Google has updated the code, and the boffins have updated their attack.

The audio challenge was created to solve reCaptcha’s accessibility problem – someone using a screen reader can’t see where to “tick the box” to prove they aren’t a robot.

The 2017 attack, documented here, downloaded and segmented the audio captcha, sent the segments on to multiple online speech-to-text services, checked the responses for homophones, applied a weighted vote to those responses, and uploaded the answer to reCaptcha.

They claimed better than 85 per cent accuracy for that attack, and when Google fixed reCaptcha’s audio challenge, the group set to work attacking the replacement. They demonstrated that the fixes made reCaptcha less secure, told Google in June 2018 (with a six-month disclosure deadline), and on Monday published unCaptcha2.

The group said: “Thanks to the changes to the audio challenge, [parsing] ReCaptcha is easier than ever before. The code now only needs to make a single request to a free, publicly available speech to text API to achieve around 90 per cent accuracy over all captchas.”

The GitHub post notes that unCaptcha2 no longer needs to use multiple speech-to-text engines, and the fragmentation approach used in the first version has also been abandoned.

The boffins added that Google cleared them to release the code. “The Recaptcha team is aware of this attack vector, and have confirmed they are OK with us releasing this code, despite its current success rate.”

They added: “While unCaptcha2 is tuned for Google’s Demo site, it can be changed to work for any such site – the logic for defeating ReCaptcha will be the same.”

Researchers wanting to check out unCaptcha2 for themselves will need their own API keys from the relevant services (speech-to-text engines from wit.ai, Bing, IBM and Google).

Since Google has had six months’ notice, the boffins noted that unCaptcha2 could stop working at any time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/03/recaptcha_voice_challenge/

Detailed: How Russian government’s Fancy Bear UEFI rootkit sneaks onto Windows PCs

ESET eggheads have shed more light on the Unified Extensible Firmware Interface (UEFI) rootkit being used by the Kremlin’s Fancy Bear hacking crew.

Dubbed Lojax, the software nasty embeds itself within the motherboard firmware of infected Windows PCs so that it runs as soon as the machine is powered up or reset, ideally letting it spy on the user and evade detection by the operating system or any antivirus tools. The firmware executes at the lowest levels, underneath OS kernels and apps, with full system access.

While ESET blew the whistle on Lojax with a disclosure back in September, the nitty-gritty of how the malware operates was withheld until the annual Computer Chaos Club conference at the end of December, where researcher Frederic Vachon described in a presentation how the UEFI-based rootkit is able to hide in modern firmware. ESET was able to get its hands on a copy of Lojax when one of its customers’ computers picked up the cyber-nasty.

In short, Lojax – a modified version of the legitimate Lojack anti-theft software – starts out as a poisoned application delivered via spear phishing emails that, when run by hoodwinked victims, unpacks and runs code that hijacks a vulnerable driver, which is loaded by the UEFI firmware during startup, to install the rootkit in flash memory.

UEFI has a mechanism called DXE that locates and runs device drivers needed to get a machine going, before the OS is booted. Lojax tampers with one of the loaded drivers so that it flips the switch on the firmware’s write protection, disabling the safeguard and allowing the chips’ contents to be overwritten. At that point, the malware can inject its rootkit into the firmware so that it is run following a subsequent power or reset cycle.

So, the driver is fiddled with so that it unlocks the firmware during next boot, then Lojax alters the flash chip contents to inject its rootkit, and then on next boot, the spyware is up and running. This is because the firmware is expected to maintain its own security.

“The chipset exposes write protection mechanisms that need to be properly protected by the firmware,” he explained. “Because there is no such thing as BIOS write protection by default, it is the job of the firmware to do that.”

In order to turn off the firmware’s write protection, Lojax exploits a known race-condition in Intel’s flash memory controllers by repeatedly enabling BIOS updates and attempting to write to flash memory before the motherboard software steps in and automatically disables updates.

Once that is done, Lojax is able to write the full rootkit on to the UEFI firmware, which ensures the malware is installed and run during the operating system startup, making it nearly impossible to remove by anything short of a complete reflash of the board’s SPI memory.

Fortunately, Vachon notes, vendors themselves can protect against the attack by fixing and patching the driver vulnerabilities, and/or enabling Secure Boot. This will cause the Lojax malware to automatically abort installation attempts. Secure Boot cryptographically ensures the firmware contents aren’t altered. Also, not opening emailed applications as a system administrator helps a lot: the rootkit installer requires sysadmin access. However, it could exploit privilege escalation holes to gain admin control, so the real solution is enabling Secure Boot in the BIOS settings and setting a password or other lock to prevent any changes.

“The tool only works if the platform is misconfigured,” he explained. “If firmware vendors would have done their job correctly here, this tool would have failed at flashing the firmware, it’s a great example of how [important] firmware security is.” ®
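
A defender-side check for the misconfiguration Vachon describes, as an added example (not ESET's code and not part of the original article): it classifies Intel BIOS_CNTL register readings collected from a fleet. The bit names BIOSWE, BLE and SMM_BWP come from Intel chipset datasheets rather than from the article, and the host names and register values are constructed.

```python
"""Triage BIOS_CNTL readings for the flash write-protection state.

Added example. Bit positions follow Intel PCH datasheets; how the readings
are collected (driver, vendor tool) is outside the scope of this sketch.
"""
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: flash writes currently permitted
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only while the CPU is in SMM

SEVERITY = {"unprotected": 2, "race-prone": 1, "protected": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    value: int
    verdict: str
    reason: str


def assess(host, value):
    """Classify one BIOS_CNTL reading; bits other than the three above are ignored."""
    if not value & BLE:
        state = "is already set" if value & BIOSWE else "can be set at will"
        return Finding(host, value, "unprotected",
                       f"BLE clear: setting BIOSWE is not trapped by firmware (BIOSWE {state})")
    if not value & SMM_BWP:
        # The state the article describes: firmware re-locks only after the
        # fact, so a write can land before updates are disabled again.
        return Finding(host, value, "race-prone",
                       "BLE set but SMM_BWP clear: re-lock happens after BIOSWE is set")
    return Finding(host, value, "protected",
                   "BLE and SMM_BWP set: flash writes restricted to SMM")


def parse_inventory(text):
    """Parse '<host> <hex value>' lines; return (readings, rejected line numbers)."""
    readings, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            if len(parts) != 2:
                raise ValueError("expected '<host> <value>'")
            value = int(parts[1], 16)
            if not 0 <= value <= 0xFF:
                raise ValueError("BIOS_CNTL low byte out of range")
        except ValueError:
            rejected.append(lineno)
            continue
        readings.append((parts[0], value))
    return readings, rejected


def triage(text):
    """Return findings sorted worst-first, plus the line numbers that failed to parse."""
    readings, rejected = parse_inventory(text)
    findings = [assess(host, value) for host, value in readings]
    findings.sort(key=lambda f: (-SEVERITY[f.verdict], f.host))
    return findings, rejected


# Constructed inventory for the demo; not real measurements.
SAMPLE = """\
# host      BIOS_CNTL (hex)
ws-001      0x2a
ws-002      0x0a
ws-003      0x08
ws-004      0x09
ws-005      zz
"""

if __name__ == "__main__":
    findings, rejected = triage(SAMPLE)
    for f in findings:
        print(f"{f.host}  0x{f.value:02x}  {f.verdict:<11}  {f.reason}")
    if rejected:
        print("unparseable lines:", rejected)
```

Hosts reported as unprotected or race-prone are the ones that need a firmware update from the vendor, in line with the advice above.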

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/02/lojax_uefi_rootkit/

Hacker cyber-gang: Give us cyber-cash for cyber-cache of 18,000 stolen Sept 11th insurance docs

The hackers who claim to have breached a British insurer last year say their cache of pilfered files includes confidential documents on the September 11 terrorist attacks.

The Dark Overlord group claims a collection of 18,000 files, lifted from British insurance company Hiscox, includes insurance claims that Lloyd’s of London and Silverstein Properties handled in the aftermath of the 2001 attacks that killed 2,977 innocent people and 19 terrorists during the destruction of both towers at New York City’s World Trade Center and the attack on the Pentagon. Silverstein owns the World Trade Center complex.

“What we’ll be releasing is the truth. The truth about one of the most recognisable incidents in recent history and one which is shrouded in mystery with little transparency and not many answers,” the hacker group said.

“What we’re offering to the world is the truth, exclusively from us, one of the planets premier hacking organisations dedicated to breaching leading targets and acquiring the most scandalous materials that we may use in our systematic extortion campaigns.”

The Dark Overlord group has previously claimed to have hacked Netflix (an allegation that was denied by Netflix) and a UK plastic surgery clinic.

Hiscox has confirmed at least some of Dark Overlord’s boasts about obtaining the insurance files are true, acknowledging that documents related to 9/11 insurance cases were swiped during an April 2018 cyber-raid on a law firm Hiscox worked with.

“The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident,” Hiscox said on Monday.

“One of the cases the law firm handled for Hiscox and other insurers related to subrogation litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach. Once Hiscox was made aware of the law firm’s data breach, it took action and informed policyholders as required. We will continue to work with law enforcement in both the UK and US on this matter.”

Silverstein Properties, meanwhile, was unfazed by the claim.

“We are aware of claims of alleged security breaches at firms involved in the five-year insurance litigation following the attacks of 9/11, and are conducting an internal investigation based on these claims. To date, we have found no evidence to support a security breach at our company,” a spokesperson told The Register.

“We have spent the last 17 years fulfilling our obligation to deliver a magnificent and fully rebuilt World Trade Center. We will not be distracted by 9/11 conspiracy theories.”

Lloyd’s of London did not return a request for comment.

Dark Overlord says the pilfered files will be offered up to anyone and everyone willing to pay for them in Bitcoin, while the companies named in the cache can cough up some BTC to get specific items removed from the doc dump.

“The good news for you is that we’ll be selling these documents for a limited time,” the group said. “If you’re a terrorist organisation such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you’re welcome to purchase our trove of documents.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/03/911_insurance_claim_hack/

US-CERT Offers Tips for Securing Internet-Connected Holiday Gifts

Key steps to making those home Internet of Things devices just a bit safer.

The Department of Homeland Security’s US-CERT has welcomed the new year with advice to those who received Internet-connected devices as holiday gifts.

In a US-CERT alert issued Dec. 28, the National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), provided consumers with several security steps to take with their new Internet of Things devices.

Consumers should create strong passwords for their devices, and then carefully evaluate all security settings. Make sure that software and firmware are fully patched and up to date, and remember that the Internet is a big (virtual) place that’s not always friendly, so connections should be made with care, according to the US-CERT alert.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/us-cert-offers-tips-for-securing-internet-connected-holiday-gifts/d/d-id/1333573?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data on 997 North Korean Defectors Targeted in Hack

Nearly 1,000 North Koreans who defected to South Korea had personal data compromised by an unknown attacker.

A cyberattack by an unknown actor compromised personal information belonging to 997 North Koreans who defected to South Korea, Reuters reports.

The South Korean Unification Ministry disclosed the incident after hackers broke into the database of the Hana center, one of 25 institutes the ministry runs to help defectors with jobs, medical support, and other assistance they need to build their lives in South Korea. Actors reportedly added malware to emails sent from an internal address to infect a ministry machine.

The attack compromised names, birthdates, and addresses of nearly 1,000 people who defected from North Korea to South Korea. Officials did not say whether North Korea was responsible. Defectors affected in the attack are being notified, the ministry says.

Read more details here.

Article source: https://www.darkreading.com/perimeter/data-on-997-north-korean-defectors-targeted-in-hack/d/d-id/1333574?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AI in Security Carries as Many Questions as Answers

Companies are adopting machine intelligence even though there are still issues and questions regarding its performance, a new report on AI use in cybersecurity shows.

Nearly three-quarters of all organizations have implemented security projects that have some level of intelligence built in. And the more security alerts a company sees in a day, the more likely it is to look to machine intelligence in order to deal with the flood.

Those are just two of the conclusions reached in a new white paper, “The State of AI in Cybersecurity: The Benefits, Limitations and Evolving Questions,” published today by Osterman Research. The report, based on more than 400 surveys of organizations with more than 1,000 employees, asked questions about the use of AI and the results of that use.

“AI is certainly, thanks to very strong marketing, winning the hearts and minds, not of the practitioners but of the broader executive suite,” says Ramon Peypoch, chief product officer of ProtectWise, which sponsored the Osterman research. “They’re being taken with the idea of allowing teams to do more and be more productive.”

While companies are definitely employing machine intelligence in security, the perception of its value is not universally positive. According to the report, 60% of organizations employing AI think that AI makes investigations of alerts faster. The same proportion report that AI improves the efficiency of their security staff.

The more an organization employs machine intelligence, the more positive its perception of the technique’s effectiveness. In companies that have deployed machine intelligence in 10% or less of their security applications, 49% see it speeding their research of alerts. In those companies employing machine intelligence in more than 10% of their security, that number rises to 69%.

Still, machine intelligence isn’t perceived as perfect. Some 60% of responding organizations say that it doesn’t deal with zero-day or advanced threats, and roughly half complain that it generates too many false positives. These issues are due at least partially, say some experts, to the difficulty in properly training machine learning engines.

“You have very few machine learning professionals that can handle and clarify and gain meaning from the data,” says Heather Lawrence, a researcher at the Nebraska Applied Research Institute. She points out that machine learning professionals are rarely experienced in cybersecurity, while cybersecurity experts tend to have no real data science experience. The disconnect slows improvement and wide, effective deployment. “You still need somebody who can understand the data going in and the data going out. It hasn’t yet been automated to a point where you can remove the professional to actually get meaning from the data,” Lawrence explains.

Peypoch looks at data in the report and sees future progress that is almost inevitable. “AI is one tool for driving efficiencies. It can make your limited staff more effective, but it’s not going to replace human staff anytime soon,” he says. “AI is an approach, a journey for most organizations deploying it, and I think we’re at an early point of deployment, of maturity and sophistication.”

Searching for a ready metaphor for the current state of adoption, Peypoch turns to sports. “I don’t think we’re even in the first inning; the teams are still on the field warming up prior to the game starting.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/network-and-perimeter-security/ai-in-security-carries-as-many-questions-as-answers/d/d-id/1333571?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyberattack Halts Publication for US Newspapers

A virus disrupted print and delivery for the Chicago Tribune, Los Angeles Times, Baltimore Sun, and other US publications this weekend.

Several major US newspapers are kicking off 2019 responding to a cyberattack that caused print and delivery problems for publications owned by Tribune Publishing, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times.

Few details are known so far about the attack, which hit printing plants in Los Angeles and various Tribune Publishing papers across the country, the Associated Press reports. The incident caused delays for some publications; others were forced to cut certain portions of content.

“This issue has affected the timeliness and in some cases the completeness of our printed newspapers,” said Tribune Publishing spokeswoman Marisa Kollias in a statement to the AP. For example, the Chicago Tribune ran Sunday, December 30, without classifieds or paid death notices. Some papers were forced to cut content and distribute Saturday papers on Sunday instead.

In Los Angeles, the attack prevented timely delivery for the Los Angeles Times, San Diego Union Tribune, and other newspapers to certain recipients. Both the Los Angeles Times and San Diego Union Tribune were sold to Dr. Patrick Soon-Shiong in 2018; however, the New York Times reports the two publications still use their old parent company’s printing networks.

The attack only affected printed papers, Kollias noted. Websites and mobile applications for the affected publications were not targeted by this attack.

According to a Los Angeles Times report, several people with knowledge of the attack say it appears to be “Ryuk” ransomware. An individual from the company who did not have permission to comment publicly said corrupted files had the “.ryk” extension.

Ryuk targeted several enterprises in August 2018, encrypting hundreds of machines, storage, and data centers in each. Its technical capabilities are “relatively low,” Check Point Research reports, but some businesses paid big ransoms to get their files back. Analysts linked this particular Ryuk campaign, and some of its inner workings, to the Hermes ransomware — a form of malware frequently connected to the North Korean APT Lazarus Group, they explain.

Unlike common ransomware, Check Point previously said Ryuk is exclusively used for tailored attacks. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,” researchers write in a report on Ryuk.

Tribune Publishing has not issued a formal statement describing the threat found on its network. However, if Ryuk was the malware used here, Tribune wouldn’t be the only company facing this threat. On January 2, KrebsOnSecurity reported Data Resolution, a cloud hosting provider, was bringing its systems back online after Ryuk ransomware hit on December 24, 2018.

The report states Ryuk was the same malware strain that targeted US newspapers. Following the incident, Data Resolution shared an update with affected users to say attackers compromised a login account to infect servers with Ryuk ransomware. The company, which has about 30,000 business customers around the world, says there is no sign data was stolen.

The Washington Post reports Tribune is still investigating the malware, which affected a part of its back-office systems, Kollias said in a statement. Tribune has also reported the attack to the FBI, the Chicago Tribune says. So far, Kollias said to the Chicago Tribune, there is no evidence indicating customer credit card data or personally identifiable information had been affected.

For those keeping an eye on the Tribune attack, there remain more questions than answers. We still know little about who may be behind the incident, whether they may be linked to foreign governments, what their motivations are, or how, exactly, they successfully broke in.

Tribune Publishing declined to comment for this article.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/perimeter/cyberattack-halts-publication-for-us-newspapers/d/d-id/1333575?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak

New court document shows law enforcement suspected possible involvement of Harold Martin in Shadow Brokers’ release of classified NSA hacking tools.

A new court opinion, first reported on by Politico, shows that Harold Martin, a former NSA contractor whom some have previously speculated was the individual behind the leaks of some highly classified NSA hacking tools in 2016, was indeed a prime suspect in the case.

Martin was arrested in August 2016 after law enforcement agents raided his home near Baltimore, Maryland, and discovered nearly 50 terabytes of government data, including documents marked “Secret” and “Top Secret,” in his possession.

His arrest came just days after an outfit calling itself the Shadow Brokers publicly released several highly-classified NSA offensive hacking tools and exploits and offered to sell more stolen tools via auction to any interested parties. Up to now, the government has not said if the documents in Martin’s possession at the time of his arrest included the NSA hacking tools. Neither has law enforcement explicitly identified Martin as being involved in the Shadow Brokers leak.

A federal grand jury last February indicted Martin on 20 counts of willfully retaining national defense information. His trial is scheduled to start June 2017. 

Martin initially admitted to taking government documents from the workplace and bringing them home without authorization. He later filed a motion seeking to suppress certain evidence gathered from his home as well as his own statements to FBI agents.

Court Filings

In a 19-page opinion, the US District Court for the District of Maryland recently denied Martin’s bid to suppress the evidence from his home as well as cell-site location information collected from his mobile service provider. However, the court upheld Martin’s motion to suppress his statements to the FBI on the grounds that they were obtained without a Miranda warning.

The latest court document does not shed much new light on Martin’s involvement in the Shadow Brokers leak, but it does make clear that the raid on his house, and the subsequent arrest, happened because law enforcement at least suspected his involvement in the matter.

The court’s document shows that the August 2016 raid on Martin’s home was prompted by some Twitter messages that Martin posted suggesting he had knowledge about the NSA hacking tools. The Twitter messages were posted shortly before the Shadow Brokers publicly leaked the first set of tools and announced their intention to auction off the rest.

The FBI used that fact to justify its request for a warrant to collect information associated with Martin’s Twitter account and for a separate warrant to search Martin’s residence, person, and vehicles. In making a case for the search warrants, the government also showed that Martin, in his role as an NSA contractor, had had access to the hacking tools that the Shadow Brokers had put up for sale.

“In this case, there was a substantial basis for the Magistrate’s finding of probable cause to issue the search warrant for information associated with the Defendant’s Twitter account,” District Judge Richard Bennett wrote in explaining his decision to deny Martin’s motion to suppress evidence. The fact that Martin posted his messages just hours before the Shadow Brokers made the tools publicly available, combined with his access to the documents, also made the warrant justifiable, the judge said.

“Thus although the Defendant’s Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant’s messages provide a substantial basis for the Magistrate’s conclusion that there was a ‘fair probability’ that evidence would be found in Martin’s possession,” he said.

Insider Threat

Martin’s illegal activities are believed to have begun in 1996 and continued through his arrest in 2016. Over that period he misappropriated literally millions of pages of government data and stored them at home in various formats. Previous court documents have described him as an individual who had the security clearance to work on highly classified projects that gave him access to sensitive documents and government secrets. Prosecutors have noted how Martin, as a trusted insider, was able to easily bypass the many expensive controls that the NSA and other government agencies he worked for had implemented to protect data.

The tools and exploits that the Shadow Brokers leaked back in 2016 continue to be widely used even today. The leaked exploits included zero-day exploits and exploits that target vulnerabilities in a wide range of firewalls and other network products.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/ex-nsa-contractor-was-a-suspect-in-shadow-brokers-leak/d/d-id/1333576?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Train for the fight against cybercrime at SANS London 2019

Promo As new and ever more inventive threats keep crowding over the IT horizon, the security professional is under constant pressure to stay ahead of the cybercriminals.

Prepare to meet whatever the attackers throw at you at SANS London 2019 from 11-16 March, where you can choose between 10 intensive training courses, tailored to suit all levels from novice to seasoned expert.

All provide the chance of gaining valuable GIAC certification and arm attendees with defensive and offensive skills that can be put into practice immediately.

These are the courses on offer.

  • Introduction to cyber security

    Students with no prior cybersecurity experience can jump-start their education with this basic five-day course covering terminology, networks, security policies, incident response, passwords and cryptography.
  • Security essentials bootcamp style

    Would you be able to find compromised systems on your network? Do you know if each security device is configured correctly? Are proper security metrics set up and communicated to your executives?
  • Hacker tools, techniques, exploits and incident handling

    Follow a step-by-step response to computer incidents and learn about legal issues such as employee monitoring, working with law enforcement and handling evidence.
  • Continuous monitoring and security operations

    It is no longer enough to rely on perimeter security. Once attackers can find a way into an organisation they will be able to achieve their nefarious goals. Find out how to detect anomalies that indicate criminal behaviour so you can nip intrusions in the bud.
  • Mobile device security and ethical hacking

    Mobile devices are often an organisation’s biggest security worry. Learn about the strengths and weaknesses in Apple iOS and Android devices and how to communicate risks to key stakeholders.
  • Advanced Web app penetration testing, ethical hacking and exploitation techniques

    Modern web applications are increasingly sophisticated and complex. Learn about new web frameworks and backends, dig deep into practical cryptography, and examine new protocols such as HTTP/2 and WebSockets.
  • Advanced penetration testing, exploit writing and ethical hacking

    Aimed at those who already have penetration testing training and experience. Walk through dozens of real-world attacks and consolidate your knowledge with hands-on lab work.
  • Advanced digital forensics, incident response and threat hunting

    Determined adversaries can get past monitoring tools so it’s important to catch intrusions in progress rather than after attackers have done their worst. Study the art of recognising criminal behaviours to identify data breaches.
  • Advanced memory forensics and threat detection

    This course on Windows memory forensics for incident response investigators uses the most effective freeware and open-source tools to examine RAM content to reveal the story of what happened on a system.
  • Secure DevOps and cloud application security

    How to build and deliver secure software using DevOps and Amazon Web Services using popular open-source tools such as GitLab, Puppet, Jenkins, Vault, Grafana, and Docker.

More information and registration details here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/02/sans_london_2019/