STE WILLIAMS

Text CAPTCHAs easily beaten by neural networks

As CAPTCHA-haters know to their frequent irritation, rumours of the imminent death of the text-based Completely Automated Public Turing test to tell Computers and Humans Apart tend to be exaggerated.

On the contrary, despite being battered by proof-of-concept attacks and more sophisticated replacements (Google’s reCAPTCHA version 2 for instance), incarnations of text CAPTCHAs made up of jumbled letters and numbers can still be found surprisingly frequently across the internet.

But perhaps text CAPTCHAs have finally met their match thanks to a group of researchers from Northwest University and Peking University in China, and Lancaster University in the UK.

Their idea, as outlined in Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach, is to attack this type of CAPTCHA using a recent development called the Generative Adversarial Network (GAN).

This is a type of neural network with two parts: a generative network that synthesises lots of examples of the target (here, text CAPTCHAs), and a discriminative network that tries to tell that synthetic output apart from real-world examples.

The two are trained against each other, so the generator gradually produces more convincing fakes while the discriminator gets better at spotting them.

When the discriminator can no longer tell the synthetic CAPTCHAs from real ones, the synthetic set is used to train a ‘solver’, which is then refined against a small number of CAPTCHAs taken from the real target system.

Does it work?

Although GANs have been pitted against image-based CAPTCHAs in the past, this is apparently the first time they have been pitted against text equivalents with good results.

In total, the researchers tested their system against 11 text CAPTCHAs used by big internet companies, achieving alarmingly good results.

The easiest to beat were Sohu (92%), eBay (86.6%), JD.com (86%), Wikipedia (78%), and Microsoft (69.6%), while at the other extreme was Google (3%).

Comparing their results against 22 CAPTCHA schemes that have been attacked in other studies, the researchers’ system out-performed rivals by a significant margin.

Most impressive of all is the ease with which the researchers were able to do all this using only 500 genuine CAPTCHAs to refine the solver instead of the millions previously needed.

It also did its work at a rate of 0.05 seconds per CAPTCHA from a humble desktop computer and GPU.

Lancaster University’s Dr Zheng Wang:

We show for the first time that an adversary can quickly launch an attack on a new text-based captcha scheme with very low effort. This is scary because it means that this first security defence of many websites is no longer reliable.

Google, for one, has put a lot of effort into new types of CAPTCHA (reCAPTCHA, as it calls its technology), culminating more recently in the challenge’s complete disappearance in favour of a system that scores a user’s (or bot’s) interaction with a website in a more general way to sift friend from foe.

That makes life harder for neural net AI because there are no text or images to attack. But it surely won’t be long before researchers start trying to figure out how to simulate humans to beat these systems too.

CAPTCHA’s days might be numbered, but like the academics with their GANs, cybercriminals are unlikely to give up that easily.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qYGe42N3lMI/

Google+ to power down early after second security hole found

Google has disclosed the second security hole in its Google+ social network in three months. This one exposed private information from 100 times as many users as the first, and has prompted the company to hasten the service’s demise.

The bug stemmed from the Google+ People: get application programming interface, which enables developers to retrieve someone’s Google profile. It returns information including their name, profile URL, photo, birthday, gender, relationship status and a short biography. Other items revealed include information about the organization that they are a member of and the places that they have lived. There’s a full list in the description of the API.

Developers were able to access this information even if it was set to private, the company revealed in a blog post. The flaw also gave them access to other private data that had been shared with the user by other Google+ members.
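The fault described is a field-level authorisation miss: the API applied no check of the requester’s relationship to the profile owner before returning fields the owner had marked private. The Python below is an added illustration of that check, not Google’s code; the profile, the visibility labels and the user names are constructed for the example.

```python
"""Field-level visibility filtering for a profile API (added example, not Google's code).

The bug shape: return every field regardless of its visibility setting.
The fix: filter by the *requester's* relationship to the profile owner,
never by the owner's own view of their profile.
"""
from dataclasses import dataclass, field

# Visibility levels, most to least restrictive (assumed names).
PRIVATE, FRIENDS, PUBLIC = "private", "friends", "public"


@dataclass
class Profile:
    user_id: str
    fields: dict             # field name -> value
    visibility: dict         # field name -> PRIVATE | FRIENDS | PUBLIC
    friends: set = field(default_factory=set)


def visible_fields_buggy(profile: Profile, requester: str) -> dict:
    """Returns everything: the shape of the bug, kept only for comparison."""
    return dict(profile.fields)


def visible_fields(profile: Profile, requester: str) -> dict:
    """Return only the fields `requester` is allowed to see.

    The caller is a third-party app acting on behalf of `requester`, so
    the decision is made from the requester's side of the relationship.
    Unknown fields default to PRIVATE (default-deny).
    """
    out = {}
    is_owner = requester == profile.user_id
    is_friend = requester in profile.friends
    for name, value in profile.fields.items():
        level = profile.visibility.get(name, PRIVATE)
        if level == PUBLIC:
            out[name] = value
        elif level == FRIENDS and (is_owner or is_friend):
            out[name] = value
        elif level == PRIVATE and is_owner:
            out[name] = value
    return out


# Constructed sample profile (not real data).
ALICE = Profile(
    user_id="alice",
    fields={"displayName": "Alice", "birthday": "1990-01-01",
            "relationshipStatus": "single", "aboutMe": "Hi"},
    visibility={"displayName": PUBLIC, "birthday": PRIVATE,
                "relationshipStatus": FRIENDS, "aboutMe": PUBLIC},
    friends={"bob"},
)

if __name__ == "__main__":
    print("stranger, buggy API:", visible_fields_buggy(ALICE, "mallory"))
    print("stranger, fixed API:", visible_fields(ALICE, "mallory"))
    print("friend,   fixed API:", visible_fields(ALICE, "bob"))
```

The point worth keeping from this: the filter runs on every read path, including the one an OAuth-authorised third-party app uses, because an app holding a user’s token sees exactly what that user may see and nothing more.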

Google had already announced that it was going to shutter the service in August 2019 following a “root-and-branch review” of third-party developer access to Google account data that turned up the first bug.

That bug was very similar to this latest one. It also stemmed from a vulnerability in one of Google’s People APIs, and it also shared information that Google+ users had made private. Google fixed that bug, which affected 500,000 users, in March but didn’t reveal it until seven months later. The delay drew criticism for the company, which is eager to publish others’ software flaws under the strict disclosure rules in its Project Zero initiative.

Google moved faster this time. It introduced the new bug, which impacted approximately 52.5 million users, in a November software update, and it fixed it within a week, meaning that the disclosure period would have been at most five weeks or so.

The company was also quick to downplay the significance of the bug. It said:

The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.

No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.

Nevertheless, the bug seems to have strengthened Google’s resolve to drive a stake through the heart of its social media network. The company has decided to kill it off more quickly. It will shut down all Google+ APIs in the next 90 days and move forward the sunsetting of the consumer Google+ service to April 2019.

If a service could slouch, Google+ would be doing so right now. It’s a humiliating end for a platform that never reached its full potential, faced with red-hot competition from Facebook.

How could a company with so many brainiac developers introduce what looks like an almost identical flaw twice in a row?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YCqyR43JnYI/

Ticketmaster tells customer it’s not at fault for site’s Magecart malware pwnage

Ticketmaster is telling its customers that it wasn’t to blame for the infection of its site by a strain of the Magecart card-stealing malware – despite embedding third-party JavaScript into its payments page.

In a letter to Reg reader Mark, lawyers for the controversy-struck event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”.

They were referring to the June 2018 infection of its UK website with the Magecart payment credential-stealing malware. At the time, Ticketmaster publicly blamed “a customer support product hosted by Inbenta Technologies” for the infection. Inbenta chief exec Jordi Torras immediately hit back, telling us in June: “Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat.”

Our reader, who was travelling in the US when the Ticketmaster breach happened, found out that one of his bank cards was being used for unauthorised transactions in Belgium. After asking his bank to block it, Mark found that a second card had been blocked by Visa because of an “identity breach”.

He told El Reg: “It’s only the cards linked to my Ticketmaster account and used for purchases with them that were breached. I use the others for online and in-person purchases in various countries with no issues,” adding that cards he had used with Amazon and Paypal were not compromised.

When he demanded compensation from Ticketmaster, lawyers from the Paul Hastings law firm wrote back to Mark (who showed us their letter) claiming that the ticket site was “currently undertaking an extensive investigation into the Potential Security Incident, and, in particular, its cause and the impact, if any, on customers and the privacy and security of their payment and other personal information”.

They added that the breach “arose as a result of certain third party software infected with malicious code being served directly on our client’s customers from third party servers; there was no security breach of our client’s own servers and systems”.

Ticketmaster failed to respond to multiple attempts by The Register to seek comment.

If all is as described by both Ticketmaster and Inbenta – noting that the former has not made public any details about precisely where the offending JS component was embedded – it is difficult to see how Ticketmaster could say it is not responsible for the breach while keeping a straight face.

In a statement on its website, Inbenta said: “Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

The breach was plugged back in June, according to Inbenta, though details of transactions made between February and June were potentially exposed.

The summer Magecart outbreak was part of what seemed to infosec researchers to be a sustained and widespread campaign. Magecart’s operators had switched from trying to directly infect individual websites to targeting and compromising widely used third-party webpage elements. BA and Sotheby’s Home were also infected.

The malware’s typical approach involves compromising a third-party webpage element – typically JavaScript – that target sites already load, so that the injected code reads customers’ payment card details as they are typed into the form and beams them back to a server controlled by criminals, ready for later misuse. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/12/ticketmaster_denies_fault_website_magecart_infection/

It’s December of 2018 and, to hell with it, just patch your stuff

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.

In-the-wild worries from Microsoft

The December patch bundle from Microsoft addresses a total of 39 vulnerabilities, including one that is publicly known and another that is being targeted in the wild.

The bug currently being exploited is CVE-2018-8611, an elevation of privilege flaw in the Windows kernel. Researchers with Kaspersky Lab said the flaw, which allows for code to run in kernel mode, is being used in tandem with other vulnerabilities to install malware.

Meanwhile, a denial of service flaw in the .NET Framework, CVE-2018-8517, has been publicly disclosed but has not been targeted in the wild yet. In addition, the .NET Framework is also the culprit in CVE-2018-8540, a remote code execution bug.

Dustin Childs of the Trend Micro Zero Day Initiative notes that enterprises should pay special attention to CVE-2018-8626, a heap overflow flaw in Windows DNS Server that would allow an attacker to run code as the LocalSystem Account.

“Exploiting this vulnerability is as easy as sending a specially crafted request to an affected DNS server. Since DNS servers are designed to handle requests, there’s no other real defense beyond applying the patch,” Childs explained.

“If you’re running DNS servers in your enterprise, definitely prioritize this one.”

As usual, the Edge and Internet Explorer browsers were popular targets for bug-hunters. Chakra, the scripting engine for Edge, received fixes for five different remote code execution bugs, while Internet Explorer was subject to two remote code flaw fixes, one (CVE-2018-8631) for a memory corruption bug, and another (CVE-2018-8619) in VBScript.

Office users and admins will want to be sure they install the patches for information disclosure (CVE-2018-8627) and remote code execution (CVE-2018-8636) in Excel as well as a remote code execution bug in PowerPoint (CVE-2018-8628) and a cross-site-scripting flaw in Office SharePoint (CVE-2018-8650).

Generous Adobe gives out 87 Reader and Acrobat fixes

Adobe is closing out the year with a massive load of fixes for its two PDF apps.

The Windows and Mac versions of both Reader and Acrobat will be getting fixes for 87 different CVE-listed vulnerabilities.

Of those 87 flaws, 36 would potentially be exploited for code execution, 48 would allow information disclosure, and three could be exploited for elevation of privilege.

SAP joins the fun with 17 of its own patches

Enterprise giant SAP, meanwhile, has also delivered a fresh crop of bug fixes.

According to security firm Onapsis, admins should pay particular attention to CVE-2018-2505, a cross-site scripting bug in Hybris Commerce storefronts, and CVE-2018-2475, a missing authorization check in Customizing Tools (a component of S/4HANA and NetWeaver ABAP) that could potentially be used in a man-in-the-middle attack.

SAP also issued a fix for 23 vulnerabilities in the Chromium components of Business Client and patches for CVE-2018-2503 and CVE-2018-2492, a missing default authorization and a bad XML validation check in NetWeaver AS Java. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/12/december_patch_tuesday/

25% of NHS trusts have zilch, zip, zero staff who are versed in security

A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people.


On average, trusts employ one qualified security professional for every 2,582 employees, according to Freedom of Information requests submitted by penetration testing firm Redscan.

Trusts were asked about their cyber, information and data security spending and training, with 159 responding to at least one question.

Redscan found that nearly one in four – 24 of the 108 trusts that answered this question – had no employees with security qualifications.

However, several of the NHS trusts were reported to have said they had staffers in the process of gaining relevant security qualifications.

This might suggest they recognise the importance of training, or that they struggled to recruit people with the qualifications – or perhaps that they were aware of how the numbers would look amid concerns about NHS security.

Most prominent among these is the 2017 WannaCry malware outbreak – which hit one in three English NHS Trusts and cost the National Health Service £92m, but this is far from the only cyber attack NHS systems face. Meanwhile, there are reports about small-scale data breaches that still affect patients, and about clunky tech in need of updating.

Redscan also asked about training for data security and information governance in the past 12 months, finding that trusts spent an average of £5,356 on data security training, with figures ranging from £238 to £78,000.

This broad variation wasn’t related to the size of the trust: mid-sized groups with 3,000 to 4,000 employees spent between £500 and £33,000.


Redscan added that “a significant proportion” had spent nothing on specialist training – but a lot of in-house training does not cost the trusts anything, and they can also rely on free tools from NHS Digital.

This includes free information governance training, which NHS Digital recommends that 95 per cent of all staff should have passed every 12 months.

The FoI found that only 12 per cent of trusts had met this target, but most were not far off, having trained between 80 and 95 per cent of their staff. A quarter said fewer than 80 per cent had completed the training.

However, Mark Nicholls, Redscan director of cybersecurity, said that information governance training was just one part in the information and security picture.

“People remain the weakest link in the cyber security chain,” he said. “Despite IG training raising awareness of security risks and common pitfalls, you can never fully mitigate the risks of employees making mistakes or falling for social engineering scams.”

More broadly, Nicholls said that, despite getting some extra cash from government for cybersecurity in the aftermath of WannaCry, NHS trusts are still under extreme financial pressure.

This will not only make it harder for the NHS to recruit staff as they struggle to compete with “the private sector’s bumper wages”, but also put pressure elsewhere in the system.

“No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/11/nhs_data_security_training_foi/

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

Updated A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.

The 96-page report (PDF) from the House Committee on Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.

“Equifax, however, failed to implement an adequate security program to protect this sensitive data,” the report reads.

“As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable.”

The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had left its intrusion detection system blind to encrypted traffic for 19 months, and the Apache Struts patch that went uninstalled for two months.
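An expired certificate on a traffic-inspection device is a monitoring gap rather than a cryptography problem, and it is cheap to catch before it opens a 19-month hole. The stdlib-only Python below is an added example, not Equifax’s tooling: the certificate dicts mirror the layout returned by ssl.SSLSocket.getpeercert() but are constructed so the check runs offline, and the dates and the 30-day warning threshold are illustrative.

```python
"""Certificate-expiry check for TLS inspection appliances (added example).

In production the input would be getpeercert() from each device that
decrypts traffic for the IDS; here the dicts are constructed.
"""
import ssl
import time

WARN_DAYS = 30  # assumed alerting threshold


def days_until_expiry(cert: dict, now: float = None) -> float:
    """Days until the cert's notAfter; negative means already expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400


def classify(cert: dict, now: float = None) -> str:
    """Bucket a cert as EXPIRED, EXPIRING (inside WARN_DAYS) or OK."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < WARN_DAYS:
        return "EXPIRING"
    return "OK"


def report(certs: dict, now: float = None) -> dict:
    """Map device name -> status for every cert in the inventory."""
    return {name: classify(cert, now) for name, cert in certs.items()}


# Constructed certificates in getpeercert() layout (hypothetical hosts).
INVENTORY = {
    "ssl-visibility-1": {"subject": ((("commonName", "sslv1.corp.example"),),),
                         "notAfter": "Jan 31 23:59:59 2016 GMT"},
    "ssl-visibility-2": {"subject": ((("commonName", "sslv2.corp.example"),),),
                         "notAfter": "Aug 15 23:59:59 2017 GMT"},
    "web-frontend":     {"subject": ((("commonName", "www.corp.example"),),),
                         "notAfter": "Dec 31 23:59:59 2030 GMT"},
}

if __name__ == "__main__":
    # Evaluate as of a fixed date so the output is reproducible.
    as_of = ssl.cert_time_to_seconds("Jul 29 00:00:00 2017 GMT")
    for device, status in report(INVENTORY, as_of).items():
        print(f"{device:18} {status:9} ({days_until_expiry(INVENTORY[device], as_of):8.1f} days)")
```

The useful habit is to run this against the inspection and monitoring tier specifically, not just the public web estate: a customer-facing cert that expires produces browser warnings within minutes, whereas a dead cert on a passive decryption box produces nothing at all.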

The report states that Equifax’s IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software.
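That scanning failure is easy to reproduce and easy to avoid. The Python below is an added example, not Equifax’s tooling: it builds a throwaway directory tree with a patched Struts jar at the root and an unpatched one nested several levels down, then shows that a top-level listing misses it while a recursive walk finds it. The fixed-version thresholds (2.3.32 for the 2.3 line, 2.5.10.1 for 2.5, the March 2017 Struts fixes) are assumed for the example; substitute the versions from whatever advisory you are checking against.

```python
"""Top-level vs. recursive scan for vulnerable struts2-core jars (added example).

The tree is constructed in a temp directory so the scan runs anywhere.
"""
import os
import re
import tempfile

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Assumed first-fixed versions per release line (adjust per advisory).
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version is below the fixed release for its line.

    An unknown release line is flagged rather than passed silently.
    """
    parsed = parse_version(version)
    line = ".".join(str(p) for p in parsed[:2])
    fixed = FIXED.get(line)
    return True if fixed is None else parsed < fixed


def scan(root: str, recursive: bool) -> list:
    """Return paths of vulnerable struts2-core jars under root."""
    if recursive:
        walker = os.walk(root)
    else:
        # The mistake the report describes: only the top level is examined.
        walker = [(root, [], os.listdir(root))]
    hits = []
    for dirpath, _dirs, files in walker:
        for name in files:
            match = JAR_RE.match(name)
            if match and is_vulnerable(match.group(1)):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed layout: patched jar at the root, unpatched one nested."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    nested = os.path.join(root, "apps", "acis", "WEB-INF", "lib")
    os.makedirs(nested)
    for path in (os.path.join(root, "struts2-core-2.3.32.jar"),
                 os.path.join(nested, "struts2-core-2.3.31.jar"),
                 os.path.join(nested, "commons-lang3-3.4.jar")):
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("top-level only:", scan(root, recursive=False))
    print("recursive:     ", scan(root, recursive=True))
```

Filename matching is only a first pass; a jar renamed or shaded into a fat application archive will not match, so a thorough inventory also opens each archive and reads the Struts version from its manifest or pom.properties.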

Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.

While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.

Lousy IT security by design

“In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks,” the committee found.

“In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”

What’s more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in their software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a “zero out of ten.”


A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.

“Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases,” the report noted.

“As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.”

After the pwning of its servers was revealed Equifax blamed its woes on an IT staffer who hadn’t installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax’s failings than this one scapegoat.

To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®

Updated to add

Equifax sent the following statement to The Register

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” the company said.

“During the few hours we were given to conduct a preliminary review before they released it yesterday, we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident.”

The credit biz has yet to identify what in the report is inaccurate.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/11/equifax_megaleak_report/

Facebook fined $11m for misleading users about how data will be used

Italy’s competition regulator announced on Friday that it’s fining Facebook €10m (USD $11m, £8.9m) for laying it on thick when it comes to the service being “free” to users but keeping quiet about how the company’s making money off their data.

The fines come out of an investigation the Italian Competition Authority (ICA) wrapped up on 29 November. Opened last April, it looked into alleged violations of the Consumer Code by Facebook Ireland Ltd. and its parent company, Facebook Inc.

Here’s what the ICA had to say about it:

Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise (i.e., to register in the social network and to continue using it). The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect “consumer” users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.

Four Consumer Code violations

Facebook violated four of the Consumer Code articles, the ICA concluded: by misleading consumers into “registering without adequately and immediately informing them during the creation of the account that the data they provide will be used for commercial purposes,” it’s violated articles 21 and 22.

The ICA also found that Facebook has violated articles 24 and 25 with “aggressive” business practices, as it “exerts undue influence on registered consumers,” it said.

Those users are hurt by Facebook’s failure to give them “express and prior consent,” leading to transmission of their data “unconsciously and automatically” to third-party websites and apps for commercial purposes, and vice versa.

The undue influence is caused by the pre-selection by Facebook of the broadest consent to data sharing. When users decide to limit their consent, they are faced with significant restrictions on the use of the social network and third-party websites/apps, which induce users to maintain the pre-selected choice.

Specifically, Facebook pre-selects the “Active Platform” function, which pre-sets the users’ ability to access websites and external apps using their accounts, thus enabling transmission of their data without users’ express consent, the ICA said.

Facebook regularly uses “opt-out” instead of “opt-in” in other data-sharing scenarios, the ICA said, including “whenever users access third-party websites/apps, including games, using their Facebook accounts.”

In this case also, users can in fact only deselect the pre-setting operated by Facebook, without being able to make a free, informed choice.

Besides the fines, the ICA has ordered Facebook to publish an apology on its site and on its app.

Facebook said in a statement that it’s thinking it over:

We are reviewing the Authority’s decision and hope to work with them to resolve their concerns. This year we made our terms and policies clearer to help people understand how we use data and how our business works. We also made our privacy settings easier to find and use, and we’re continuing to improve them. You own and control your personal information on Facebook.

This is the second fine that regulators have slapped on Facebook since the Cambridge Analytica data-sharing scandal, and it’s highly unlikely that it will be the last. In October, the UK’s data protection watchdog, the UK’s Information Commissioner’s Office (ICO), fined the company £500k (about $640k).

The Guardian reports that other regulators have been expressing interest in Facebook’s practices: Ireland, California, and the US Federal Trade Commission.

The Irish Data Protection Commission has opened a formal investigation into a data breach that Facebook discovered in September and which affected nearly 50m accounts. The Irish investigation could result in a fine of up to $1.63bn.

The Irish penalty probably won’t turn out all that stiff: the Guardian quoted Rowenna Fielding, a senior data protection lead at Protecture, who noted that the amount was “a ceiling, not a stipulation”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YJvXMqB2c_8/

Teen SWATter who had 400 schools evacuated lands 3 years in jail

Incorrigible SWATter George Duke-Cohan, a British teenager from a village near Watford, just north of London, has now been sentenced to three years in prison, according to the UK’s National Crime Agency (NCA).

In September, Duke-Cohan – at 19, the most outspoken member of a distributed denial of service (DDoS) gang – pleaded guilty to making bomb threats to thousands of schools and to a United Airlines flight between the UK and San Francisco while it was in mid-air.

The teenager sent bomb threats that resulted in 400 UK schools being evacuated in March. He was arrested just days later.

While still under investigation in April, Duke-Cohan sent a mass email to schools in the UK and the US claiming that there were pipe bombs planted on their grounds.

Then on 9 August, his hacking group – “Apophis Squad” – claimed on Twitter that flight UAL 949 had been grounded due to their actions.

Later that month, he, or somebody else in Apophis Squad, was still gleefully rubbing their hands over the prospect of more threats when schools reopened.

The NCA says that its investigators, working with the FBI, determined that Duke-Cohan had made the bomb threat to the transatlantic flight by calling San Francisco Airport and FBI police.

In one of the calls, Duke-Cohan pretended to be a worried father whose daughter contacted him from the flight to tell him it was being hijacked by gunmen, one of whom had a bomb.

When the plane touched down in San Francisco, it was placed in a quarantined area of the airport and subjected to an intense security search. The NCA says that all 295 passengers had to remain on board, resulting in disruption to their journeys and financial loss to the airline.

And, undoubtedly, a good amount of fear.

In the US and other countries, hoax bomb threats fall under the genre of crime called SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams. It’s the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

Convicted SWATters such as Tyler Barriss will tell you that their intention isn’t to have anybody shot or killed. It is, rather, to shock or cause alarm. It doesn’t matter what Barriss’s “intention” was – it won’t buy back the life of 28-year-old Andrew Finch, whom police shot to death when responding to Barriss’s hoax call.

Fortunately, no deaths resulted from Duke-Cohan’s juvenile pranks. But that’s not to his credit: it was just roll-of-the-dice luck.

Duke-Cohan was arrested by NCA officers for the third time at his home in Watford on 31 August.

“Perverted fun”

The BBC reports that Duke-Cohan’s lawyer had said that psychology experts had described Duke-Cohan as very immature, but that prosecutors said that he craved attention from his social media followers.

While imposing his sentence, Judge Richard Foster said that the young man knew full well what he was doing:

You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow.

You were playing a game for your own perverted sense of fun in full knowledge of the consequences.

The scale of what you did was enormous.

According to the BBC, Marc Horsfall, senior investigating officer with the NCA, said Duke-Cohan had few real friends and spent “a great deal of his time online”. During his arrest, when asked if he needed to bring any medications with him, Duke-Cohan mentioned that he takes Vitamin D since he doesn’t go outside much.

Duke-Cohan doesn’t have any previous convictions. However, the former IT student had been expelled from West Herts College for issuing a bomb threat.

The NCA said that police were in the process of organizing a community resolution order for his actions when “events overtook them” two months later.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lJyWEiiAbZk/

Dark web goldmine busted by Europol

What’s the safest way for a criminal to buy counterfeit banknotes?

Curiously, it’s not necessarily from the dark web, as 235 people now “detained” by police have just discovered.

According to Europol, between 19 November and 3 December police forces in 13 countries searched 300 properties, uncovering caches of drugs, guns and knives, along with computer wallets containing Bitcoins and the hardware needed to mine currency.

About 180 of the searches were in Germany, with 28 in France, and 20 in Italy. Others took place in Croatia, Cyprus, Finland, Ireland, the Netherlands, Portugal, Spain, Switzerland, and the UK.

To prove the adage that you never know what you’ll find until you look, German police even stumbled upon two facilities for growing marijuana, one cannabis plantation and a second counterfeit euro print shop.

The entire bust stemmed from the arrest in Austria in June 2018 of a single unnamed individual whom police discovered had been counterfeiting 10-, 20-, and 50-euro banknotes.

These days, simply stopping a criminal is becoming a small part of this kind of arrest operation – more important is finding out who that individual was doing business with, increasingly through the dark web.

On this occasion, Austrian police were able to analyse the counterfeiter’s transactions, leading them to the bigger prize – hundreds of criminal associates believed to have bought 10,000 fake currency notes.

Said Europol’s deputy executive director of operations, Wil van Gemert:

This joint effort highlights that complete anonymity on the internet and the Darknet doesn’t exist. When you engage in illegal activity online, be prepared to have police knocking on your door sooner or later.

Multi-headed enemy

The direct impact of these arrests on the illegal activity of the dark web as a whole may be minimal. It must still feel like police are battling a hydra.

However, this latest action illustrates how the dark web’s strength of quick and easy connectivity can also be its undoing when one participant is compromised.

A fortnight ago, in the latest instalment of its long-running In Our Sites (IOS) operation, Europol announced that it had disrupted several networks selling counterfeit goods in the last year, seizing 20,520 domains. However, it’s made similarly impressive statements after each of the previous campaigns and still the workload increases each year.

Europol has also had some success against phishing botnets, as its 2016 downing of the Avalanche crime group showed.

Meanwhile, US authorities have been just as aggressive, arresting several alleged dark web drug traffickers in August’s Operation Darkness Falls.

These might dent rather than damage dark net criminality but at least they show that for all its mystery, the people who use it for ill-gotten gain are real human beings, living in houses on ordinary streets.

Dark or not, no web is invulnerable.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mIYc9o63Eng/

Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws

A recently patched set of flaws in Samsung’s mobile account site left users open to account theft.

Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.

Moskowsky told The Register that the vulnerabilities were due to the way the Samsung.com account page handled security questions. When the user forgets their password, they can answer the security question to reset it.

Normally, the Samsung.com web application would check the Referer header on these requests to make sure they came from its own pages, since the browser attaches the user’s session cookie to a request regardless of which site submitted it.

In this case, however, those checks were not properly applied, so a page on any site a logged-in user visited could issue requests to the account service on that user’s behalf. This would let the attacker snoop on user profiles, change information (such as user name), or even disable two-factor authentication and steal accounts by changing passwords.

“Due to the vulnerabilities it was possible to hack any account on account.samsung.com if the user goes to my page,” Moskowsky explained.

“The hacker could get access to all the Samsung user services, private user information, to the cloud.”

In one proof of concept, the researcher showed how an attack site could use the CSRF flaw to change the target’s Samsung.com security question to one of the attacker’s choosing. Armed with the new security question and its answer, the attacker would then use the “reset password” function to steal the target’s Samsung account.
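The weakness described in the two passages above, reconstructed as an added example in plain Node.js. This is not Samsung’s code or the researcher’s proof of concept: the endpoint path, parameter names, cookie names and token scheme are assumptions for illustration. It puts a state-changing handler that trusts only the session cookie beside one that compares the request’s parsed origin against an allowlist and requires a per-session synchronizer token, and it shows why a substring match on the Referer header is not a real check.

```javascript
// Added example (not Samsung's code): a toy "change security question" endpoint
// showing why trusting the session cookie alone is open to CSRF, and how an
// origin allowlist plus a synchronizer token close it. Hostnames, paths and
// parameter names are assumptions.

const ACCOUNT_ORIGIN = 'https://account.samsung.com';
const ALLOWED_ORIGINS = new Set([ACCOUNT_ORIGIN]);

// Minimal account store standing in for the real service (constructed data).
function makeAccount() {
  return {
    secretQuestion: 'Name of first pet?',
    secretAnswer: 'rex',
    sessions: new Set(['sess-victim']),                 // valid session cookies
    csrfTokens: new Map([['sess-victim', 'tok-7f3a']]), // per-session token
  };
}

// A request as the server sees it. The browser attaches the victim's session
// cookie to a top-level POST no matter which page submitted the form, so the
// cookie says nothing about which site sent the request.
function makeRequest({ origin, referer, body = {}, cookie = 'sess-victim' }) {
  const headers = {};
  if (origin !== undefined) headers.origin = origin;
  if (referer !== undefined) headers.referer = referer;
  return { headers, cookies: { session: cookie }, body };
}

// Vulnerable: authenticates the cookie and nothing else.
function vulnerableChangeQuestion(account, req) {
  if (!account.sessions.has(req.cookies.session)) return { status: 401 };
  account.secretQuestion = req.body.question;
  account.secretAnswer = req.body.answer;
  return { status: 200 };
}

// A common but broken Referer check: substring matching lets a lookalike host
// such as account.samsung.com.evil.example pass.
function naiveRefererOk(req) {
  const ref = req.headers.referer;
  return typeof ref === 'string' && ref.includes('account.samsung.com');
}

// Correct source check: parse the header and compare the whole origin with an
// allowlist. Origin is preferred (browsers send it on cross-site POSTs), Referer
// is the fallback, and with neither header present the check fails closed.
function sourceOriginOk(req) {
  const src = req.headers.origin || req.headers.referer;
  if (typeof src !== 'string') return false;
  let parsed;
  try { parsed = new URL(src); } catch (e) { return false; }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Hardened: cookie + origin allowlist + synchronizer token bound to the session.
function hardenedChangeQuestion(account, req) {
  if (!account.sessions.has(req.cookies.session)) return { status: 401 };
  if (!sourceOriginOk(req)) return { status: 403, reason: 'bad origin' };
  if (req.body.csrf !== account.csrfTokens.get(req.cookies.session)) {
    return { status: 403, reason: 'bad csrf token' };
  }
  account.secretQuestion = req.body.question;
  account.secretAnswer = req.body.answer;
  return { status: 200 };
}

// What the attacker's lure page does (constructed): an auto-submitting form.
// Once question and answer are the attacker's, the normal "reset password"
// flow finishes the takeover.
const ATTACK_FORM = `<form id="f" method="POST" action="${ACCOUNT_ORIGIN}/security-question">
  <input name="question" value="Attacker's question">
  <input name="answer" value="attacker-knows-this">
</form><script>document.getElementById('f').submit()</script>`;

// The cross-site POST produced by that form, as the account server receives it.
function forgedRequest() {
  return makeRequest({
    origin: 'https://evil.example',
    referer: 'https://evil.example/lure',
    body: { question: "Attacker's question", answer: 'attacker-knows-this' },
  });
}

function runScenario() {
  const out = {};
  const a1 = makeAccount();
  out.vulnerable = vulnerableChangeQuestion(a1, forgedRequest()).status;
  out.vulnerableAnswer = a1.secretAnswer; // now attacker-controlled

  // Referer-only request from a lookalike host: substring check passes, parsed check does not.
  const lookalike = makeRequest({ referer: 'https://account.samsung.com.evil.example/' });
  out.naivePassesLookalike = naiveRefererOk(lookalike);
  out.strictRejectsLookalike = !sourceOriginOk(lookalike);

  const a2 = makeAccount();
  out.hardenedForged = hardenedChangeQuestion(a2, forgedRequest()).status;
  out.hardenedAnswer = a2.secretAnswer; // unchanged

  // Legitimate same-origin submission carrying the session's token.
  const legit = makeRequest({
    origin: ACCOUNT_ORIGIN,
    body: { question: "Mother's maiden name?", answer: 'smith', csrf: 'tok-7f3a' },
  });
  out.hardenedLegit = hardenedChangeQuestion(a2, legit).status;
  out.legitAnswer = a2.secretAnswer;
  return out;
}

console.log(runScenario());
```

The token check matters as much as the origin check: a Referrer-Policy or a privacy extension can strip the Referer header, and a server that treats a missing header as acceptable is back to trusting the cookie alone. Marking the session cookie `SameSite=Lax` or `Strict` adds a further layer, since the browser then withholds it from cross-site POSTs in the first place.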

It turned out the situation was even worse than the researcher initially thought. Believing there were only two CSRF vulnerabilities on the site, Moskowsky went to report the issue directly to Samsung – something that was also done through the Samsung.com website. While reporting the issue, he noticed a third bug, the one that would allow him to forcibly change security questions and answers.

“I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page,” Moskowsky explained.

“This page didn’t look like a similar page on account.samsung.com. There was an additional ‘secret question’ field on it.”

In total, three bugs were found and were rated medium, high, and critical, respectively. Moskowsky earned himself a payout of $13,300 for the find, a nice payout, but well short of the $20,000 he pocketed for spotting a major bug in Steam back in October.

Samsung did not respond to a request for comment on the matter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/10/samsung_patches_accountstealing_hole/