STE WILLIAMS

Yet another mega-leak: 100 million Quora accounts compromised by system invaders

Someone’s taken a wander through the systems of question-and-answer website Quora, pilfering account details of 100 million users.

The organisation announced on Monday this week: “On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”

It said it has “taken steps to contain the incident”.

Breached data includes account information, public content and actions (such as comments, upvotes and actions), and non-public actions (answer requests, downvotes, and direct messages, the latter used by only “a small percentage” of users).

The account data involved included user IDs, email addresses, and (it’s good to report, for once – El Reg) fully encrypted passwords. Quora’s post said it will log out all affected users, and push a password reset.


For everyone else, there’s this advice: “While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”

The breached data also included “data imported from linked networks,” if a user had given permission for that to be done from their account.

The post doesn’t stipulate what information might come from linked accounts, but it’s explained in the privacy policy. If you’ve used Google or Facebook to log in, or you’ve connected your Quora account with Facebook, Twitter, or LinkedIn, “we receive certain profile and account information about you from the Linked Network.”

So it looks to The Register there’s a risk that someone using their real name on Quora, but not on Twitter, could be doxxed as part of this leak.

Quora believes it’s “identified the root cause and taken steps to address the issue”, an outside organisation is assisting, and law enforcement has been notified. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/04/100_million_quora_passwords/

Czech yourself, Russia! Prague says its foreign ministry was hacked for more than a year

The Czech Republic says that Russian government hackers were intercepting and snooping on communications for one of its agencies for more than a year.

An annual report from the Czech Security Information Service (BIS) covering the 2017 calendar year disclosed how, in the early months of the year, it uncovered a massive network breach at the office of the Ministry of Foreign Affairs (MFA).

According to the BIS report (PDF), published on Monday this week, the attackers were able to covertly sit on the network from 2016 to 2017, and gather massive amounts of correspondence from the highest levels of the ministry.

“The MFA electronic communication system had been compromised at least since the beginning of 2016 when the attackers accessed more than 150 mailboxes of the MFA staff and copied emails, including attachments,” the report reads.

“They thus obtained data that may be used for future attacks, as well as a list of potential targets in virtually all the important state institutions. The attackers focused mostly on mailboxes of top ministry representatives. They accessed their mailboxes in a repeated, long-term and irregular manner.”

The attack was one of two operations targeting the MFA, with the second being a brute-force attack on email logins that occurred in December of 2016. The BIS did not say whether that attack found much success.


The report goes on to name Russia’s FSB and GRU agencies as the people behind the attack, with the BIS saying there was “clear” evidence the Russians were responsible for both attacks.

“Most likely, those two incidents were not interrelated,” the report claims.

“All the findings make it clear that it was the Turla cyberespionage campaign, originating from the FSB, a Russian intelligence service, and APT28/Sofacy, which is credited to the Russian military intelligence, the GRU.”

This isn’t the first time the FSB has been accused of doing Moscow’s cyber-espionage dirty work. The intelligence agency was said to have been a key player in the massive Yahoo data breach and the bugging of an NSA programmer’s home machine via Kaspersky Antivirus. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/03/czech_russia_hacking/

Container code cluster-fact: There’s a hole in Kubernetes that lets miscreants cause havoc

The keepers of Kubernetes, the rather popular software container orchestration system, have pushed out three new releases that patch a critical flaw.

In a post to the Kubernetes announcement list on Monday, Google senior staff engineer Jordan Liggitt says Kubernetes versions v1.10.11, v1.11.5, and v1.12.3 have been made available to fix CVE-2018-1002105, a privilege escalation vulnerability.

The code error in the open source project has been designated severity 9.8 out of 10 because it can be executed remotely, the attack is not complex and no user interaction or special privileges are required.

According to Liggitt, a malicious user could use the Kubernetes API server to connect to a backend server to send arbitrary requests, authenticated by the API server’s TLS credentials.

The API server is the main management entity in Kubernetes. It talks to the distributed storage controller etcd and to kubelets, the agents overseeing each node in a cluster of software containers.

The bug was spotted by Darren Shepherd, chief architect and co-founder at Rancher Labs.

Red Hat OpenShift, an enterprise-oriented container platform, has introduced patches for all product variants.

“This is a big deal,” said Ashesh Badani, veep and general manager of OpenShift at Red Hat, in a blog post. “Not only can [miscreants] steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

There are two primary attack vectors. Using the first, an individual possessing the Pod exec/attach/portforward privileges granted to a normal user by default can become a cluster-admin, thereby gaining access to any container in the Pod and potentially any information therein.

The second method lets an unauthenticated user access the API to create unapproved services, which could be used to inject malicious code.

“Any unauthenticated user with access to a Kubernetes environment can hit the discovery endpoint which proxies the aggregated API server (not the kube-apiserver),” explained Christopher Robinson, manager of product security assurance at Red Hat, in an email to The Register.

“Crafting a message to the API so that an upgrade fails can leave the connection alive and allows re-use with arbitrary headers, and then allows cluster-admin level access to that aggregated API server. This could be used against the service-catalog that would allow for the creation of arbitrary service instances.”

The vulnerability is particularly troubling because any unauthorized requests cannot be easily detected. According to Liggitt, they do not show up in the Kubernetes API server audit logs or server log. Malicious requests are visible in kubelet or aggregated API server logs, but there’s nothing that distinguishes them from authorized and proxied requests via the Kubernetes API server. ®
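Because the article notes that abusive requests are not distinguishable in the logs, the practical response is to confirm the fix is deployed and to know which roles hold the pod exec/attach/portforward subresources mentioned above. The following is an added example, not code from the Kubernetes project or the advisory: it takes the server version string (as printed by `kubectl version`) and a list of Role/ClusterRole objects in the JSON shape the API returns, and reports whether the version predates the fixed releases named above and which roles grant those subresources. The assumptions are that releases newer than the three listed already carry the fix and that minor versions older than 1.10, for which the article lists no fixed release, should be treated as unpatched; the sample roles are constructed.

```python
import re
from typing import Dict, List, Tuple

# First patched patch-level per minor line, from the fixed releases named in the article.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.11.4' / '1.11.4' into (major, minor, patch); pre-release suffixes are ignored."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True when the server version carries the CVE-2018-1002105 fix.
    Assumptions (not stated in the article): 1.13 and later ship with the fix;
    minors older than 1.10 have no fixed release listed and are reported unpatched."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return major > 1
    if minor > 12:
        return True
    fixed = FIXED_PATCH.get(minor)
    return fixed is not None and patch >= fixed


# Subresources singled out in the article: they are served by proxying to the kubelet.
PROXY_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}


def grants_pod_proxy_access(rule: dict) -> bool:
    """A rule is flagged when it names one of the subresources (or a wildcard) in the core
    API group with a verb that lets the holder open the stream (POST = create, or GET for
    websocket clients)."""
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    in_core_group = "" in api_groups or "*" in api_groups
    names_subresource = "*" in resources or bool(resources & PROXY_SUBRESOURCES)
    usable_verb = bool(verbs & {"*", "create", "get"})
    return in_core_group and names_subresource and usable_verb


def find_risky_roles(roles: List[dict]) -> Dict[str, List[dict]]:
    """Map role name -> offending rules for Role/ClusterRole objects as the API returns them."""
    findings: Dict[str, List[dict]] = {}
    for role in roles:
        risky = [rule for rule in role.get("rules", []) if grants_pod_proxy_access(rule)]
        if risky:
            findings[role["metadata"]["name"]] = risky
    return findings


# Constructed sample (not dumped from any real cluster), shaped like
# the items of `kubectl get clusterroles -o json`.
SAMPLE_ROLES = [
    {"metadata": {"name": "edit"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/portforward"],
                "verbs": ["create", "get"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]


if __name__ == "__main__":
    for version in ("v1.11.4", "v1.11.5", "v1.12.3"):
        print(version, "patched" if is_patched(version) else "UNPATCHED")
    for name, rules in find_risky_roles(SAMPLE_ROLES).items():
        print(f"{name}: {len(rules)} rule(s) grant pod exec/attach/portforward")
```

The role audit tells you who could take the first path described above; it does not close the second, unauthenticated path, which only the upgrade addresses.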

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/03/kubernetes_flaw_cve_2018_1002105/

Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

Citrix says there is no reason to panic after it asked customers to reset their passwords on its Sharefile service.

The file-dropping service rang in the new month with the announcement that it would begin regularly requiring users to change out their passwords. That new policy will begin this week, as all users are being asked to reset.

According to Citrix, there’s no specific data breach or incident behind the move, but rather an intent to get out ahead of hackers who are farming leaked passwords from other breaches and trying them with Sharefile.

“There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts,” Citrix said in announcing the new policy.

“In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures.”

While Citrix posted the new policy on its status page over the weekend, many customers did not get the news and, when greeted Monday with a reset request, were rightly concerned that something was not right.

“My organisation is a Citrix Sharefile user and we had all our users’ accounts locked and a password reset issued,” writes one Reg reader. “There was no warning that this was happening.”

Another Reg reader notes that the presentation and rollout of the new policy by Citrix is not doing it any favors.

“Multiple users here thinking they were locked out as no message on the login screen,” our tipster explains. “Email looks very spammy which is poor.”

Users in the Reddit r/sysadmin community were similarly confused as to why the reset was spun out with so little warning and explanation to administrators who would now have to deal with concerned clients and end-users.


Citrix did not say how frequently users will be required to change their passwords going forward; a spokesperson would only tell El Reg the resets would be “regularly scheduled” and “based on our assessment of the evolving threat landscape.”

If past findings are any indication, though, the company would be wise to use the forced resets sparingly. Back in 2016 the FTC found that users who are required to regularly change their passwords tend to choose poor passwords that end up negating the potential benefits of regular resets.

“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” said FTC chief technologist Lorrie Cranor.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/04/password_change_for_sharefile/


‘Influence Agents’ Used Twitter to Sway 2018 Midterms

About 25% of political support in Arizona and Florida was generated by influence agents using Twitter as a platform, research shows.

Influence agents were responsible for roughly 25% of political support spread via Twitter for candidates in the Arizona and Florida midterm elections, researchers report.

A new body of research by Morpheus Cybersecurity and APCO Worldwide, entitled “Impact of Influence Operations Targeting Midterm Elections,” explores the effects of disinformation campaigns. The researchers analyzed hundreds of thousands of retweets from thousands of accounts, looking for non-organic behavior – for example, high numbers of daily tweets sustained over a long time frame.

The researchers’ goal was to include all types of influence agents and explore the myriad ways in which bots and humans effectively swayed politicians and journalists with disinformation. 

Influence agents span a broad range of actors, including fully automated bots, semi-automated bots partially operated by humans, people who leverage software to generate traffic, political volunteers working together, and paid influencers employed by a central organization. Actors helped candidates appear to be more popular and generate organic support they didn’t have.

The first phase of this study (June 2018 to August 2018) found an average of 27% of support for each political candidate in Arizona and 24% for each candidate in Florida appeared to come from non-organic accounts. Those numbers remained consistent in phase 2 (September 2018), when 26% of support for Arizona candidates and 28% of support for Florida candidates came from non-organic accounts.

Phase 3 consisted of collecting proof of influence. Researchers analyzed thousands of conversations between influence agents and politicians, journalists, and thought leaders. Their findings included a candidate agreeing with statements provided by influence agents, another engaging in a QA session with an influence agent, and a journalist discussing his work with an influence agent who was continually threatening him.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/influence-agents-used-twitter-to-sway-2018-midterms/d/d-id/1333386?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First Lawsuits Filed in Starwood Hotels’ Breach

Class-action suits have been filed on behalf of guests and shareholders, with more expected.

Legal fallout from the massive Starwood Hotels reservation breach reported last week has begun, with class-action suits filed on behalf of both guests and investors.

On Friday, Murphy, Falcon & Murphy, with co-counsel Morgan & Morgan, filed a class-action suit against Marriott International on behalf of the 500 million guests whose personal information was part of the breach. According to a statement announcing the suit, “Marriott failed to ensure the integrity of its servers and to properly safeguard consumers’ highly sensitive and confidential information.”

The next day, Dec. 1, Rosen Law Firm announced that it had filed a class-action suit on behalf of those who purchased Marriott International shares from Nov. 9, 2016, through the day prior to the suit’s filing date. The suit claims that Marriott International made misleading statements to shareholders by not finding and disclosing the breach prior to the purchase of Starwood Hotels.

At least one additional lawsuit on behalf of guests has been filed, and more lawsuits on behalf of both guests and shareholders are anticipated.



Article source: https://www.darkreading.com/attacks-breaches/first-lawsuits-filed-in-starwood-hotels-breach/d/d-id/1333387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Router attack exploits UPnP and NSA malware to target PCs

Researchers have found evidence that the UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.

To recap, UPnProxy is the name Akamai gave to an attack against a wide range of routers running vulnerable Universal Plug and Play (UPnP) implementations. The attack is estimated to have infected 65,000 routers from a possible target list of 3.5 million.

UPnP has long been a fat target for cybercriminals, with UPnProxy exploiting its flawed potency to turn routers into proxy servers as a way of hiding phishing, DDoS, spam, and click fraud traffic behind legitimate IP addresses.

Akamai’s latest research from early November suggests the attackers behind UPnProxy then had a light bulb moment – why not use UPnP’s port mapping to go after vulnerable computers on the LAN side of the router?

UPnProxy had evolved to do this by using the infamous EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits to target machines running Windows SMB and Linux Samba clients on ports 145 and 449.

EternalSilence

Dubbing the new attack ‘EternalSilence’, the company has detected signs of this port mapping injection on at least 45,000 routers from a population of 277,000 still vulnerable to UPnProxy.

However, after totting up the number of IPs connected to these routers, Akamai estimates that the number of exposed computers could be as high as 1.7 million.

The final victim count would depend on how many of those computers were vulnerable to the exploits.

In theory, most computers should have been patched, but lower priority ones in businesses may not have been – on the assumption that they were not exposed to the internet because of the router’s Network Address Translation (NAT).

Writes Akamai’s Chad Seaman:

The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits.

It’s worth recalling that EternalBlue (stolen from the NSA) was first used to devastating effect during 2017’s WannaCry and NotPetya attacks, so these are not run-of-the-mill threats.

Who might be affected?

Akamai’s UPnProxy research estimated the number of router models running vulnerable UPnP to be 400 from 73 different companies. That said, the actual number of infected routers was still relatively small.

The likelihood of falling prey to UPnProxy and/or EternalSilence depends on the following factors:

So what should you do? The first step is to turn off UPnP before updating to the latest firmware version (or buying a new router) and making sure Windows or Linux patches addressing EternalBlue/EternalRed have been applied.

If a router is suspected of being infected (and that’s very difficult for a non-expert to tell) it gets more complicated because simply turning UPnP off won’t clear existing NAT injections.

In those cases, Akamai recommends resetting the router to its factory state and initiating an update to the latest firmware version.

Checking for computers compromised by EternalSilence is trickier:

Administrators looking to try and gain an edge can scan themselves and see if they’re exposed to these vulnerabilities, including scanning their UPnP NAT table to look for oddities.
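Akamai's advice above to inspect the UPnP NAT table for oddities can be made concrete. The example below is added here and is not Akamai's tooling: it takes port-mapping entries in the shape of the fields the IGD `GetGenericPortMappingEntry` action returns (fetching them from the router is left to whatever UPnP client you already use) and flags the two patterns the article describes, a mapping whose internal client is not on the LAN at all (the router being used as a proxy) and a mapping that forwards an external port onto an SMB port of a LAN host. The LAN prefix and the sample entries are constructed; the SMB port numbers are the standard 139 and 445 and are an assumption of this check, not a value from the article.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Standard SMB/NetBIOS session ports (well-known values, assumed for this check).
SMB_PORTS: Set[int] = {139, 445}


def audit_port_mappings(entries: Iterable[Dict[str, str]], lan_network: str,
                        risky_ports: Set[int] = SMB_PORTS) -> List[dict]:
    """Return the entries that look like UPnProxy/EternalSilence injections, with reasons.

    A legitimate mapping created by a LAN device points at an address inside the LAN and
    at an application port; the two injected patterns break one of those expectations."""
    lan = ipaddress.ip_network(lan_network)
    findings = []
    for entry in entries:
        reasons = []
        client = ipaddress.ip_address(entry["NewInternalClient"])
        if client not in lan:
            reasons.append("internal client is outside the LAN: router is forwarding to a remote host")
        if int(entry["NewInternalPort"]) in risky_ports:
            reasons.append(f"forwards external port {entry['NewExternalPort']} onto SMB port "
                           f"{entry['NewInternalPort']} of a LAN host")
        if reasons:
            findings.append({"entry": entry, "reasons": reasons})
    return findings


# Constructed sample table (not captured from a real router); addresses are from the
# 192.168.1.0/24 example LAN and the 203.0.113.0/24 documentation range.
SAMPLE_MAPPINGS = [
    {"NewRemoteHost": "", "NewExternalPort": "3074", "NewProtocol": "UDP",
     "NewInternalPort": "3074", "NewInternalClient": "192.168.1.20", "NewEnabled": "1",
     "NewPortMappingDescription": "game console (benign)"},
    {"NewRemoteHost": "", "NewExternalPort": "8080", "NewProtocol": "TCP",
     "NewInternalPort": "80", "NewInternalClient": "203.0.113.7", "NewEnabled": "1",
     "NewPortMappingDescription": "constructed proxy-style entry"},
    {"NewRemoteHost": "", "NewExternalPort": "47890", "NewProtocol": "TCP",
     "NewInternalPort": "445", "NewInternalClient": "192.168.1.35", "NewEnabled": "1",
     "NewPortMappingDescription": "constructed SMB-forwarding entry"},
]


if __name__ == "__main__":
    for finding in audit_port_mappings(SAMPLE_MAPPINGS, "192.168.1.0/24"):
        print(finding["entry"]["NewPortMappingDescription"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Any hit is a reason to follow the factory-reset and firmware-update advice above rather than just deleting the mapping, since the article notes that turning UPnP off does not clear injections already present.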

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vmkeb8EyiHE/

Printers pulled into 9100 port attack spew PewDiePie propaganda

A battle for who owns the YouTube crown for top channel has been waged over the past few months between fans of Swedish video game commentary celebrity Felix “PewDiePie” Kjellberg and of the Bollywood label T-Series.

This is getting serious: It’s one thing when a fan launches a PewDiePie “Bro Army,” structured to recruit members’ friends and family in order to keep PewDiePie at the top, replete with “Privates” and “Corporals.”

But now, the printers are in on it. As The Verge reports, somebody hacked printers worldwide to print pro-PewDiePie propaganda.

Here are some Tweets showing the messages the printers were forced to spit out:

The printers were indeed hacked, but it’s not the vlogger who’s behind it. Rather, responsibility has been claimed by somebody who says they were doing it after 1) getting bored playing Destiny 2 for four straight hours and then 2) screwing around with Shodan to see what mischief they could get up to.

Here’s the tale, told by @HackerGiraffe:

As we’ve reported in the past, the security of networked office printers is pretty squishy.

For example, in February 2017, German researchers reported that they’d found several ways to exploit access to networked printers through RAW printing on port 9100.

Popularized by HP’s JetDirect in the 1990s, port 9100 was configured for remote maintenance by admins, although it can also be used to print. Other examples of direct access include the Internet Printing Protocol on port 631 and the old Unix Line Printer Daemon (LPD) on port 515.

After they learned about those three printing protocols, TheHackerGiraffe says they searched for the protocols on Shodan: the search engine for exposed devices and databases. The port 9100 vulnerability is found on hundreds of thousands of printers worldwide, leading the hacker to hit the Shodan jackpot:

From there, TheHackerGiraffe decided to print a message in support of “our dear overlord @pewdiepie himself!”

The hacker claims that they used a tool called PRET – the Printer Exploitation Toolkit – that, according to its GitHub page, allows attackers to “captur[e] or manipulat[e] print jobs, [to access] the printer’s file system and memory or even caus[e] physical damage to the device.”

The hacker said the stunt wasn’t meant maliciously. Rather, it was done to bring people’s attention to printers’ vulnerability:

As of Friday, The Verge was looking for proof that TheHackerGiraffe was behind the attack. The news outlet quoted the hacker, who said that first off, the attack could have done serious damage. Second, they’d pulled it off in a mere half hour, start to finish:

People underestimate how easy a malicious hacker could have used a vulnerability like this to cause major havoc. Hackers could have stolen files, installed malware, caused physical damage to the printers and even use the printer as a foothold into the inner network.

The most horrifying part is: I never considered hacking printers before, the whole learning, downloading and scripting process took no more than 30 minutes.

TheHackerGiraffe certainly wasn’t the first to discover the vulnerability, and they weren’t the first to hack thousands of printers to get the point across. In February 2017, a hacker called Stackoverflowin caused 150,000 printers worldwide to cough up this message:

Stackoverflowin has returned to his glory, your printer is part of a botnet, the god has returned, everyone likes a meme, fix your bulls***… For the love of God, please close this port, skid.

Over the next 24 hours, tweaks of that same message spewed out of printers made by manufacturers including HP, Brother, Dell, Canon, Samsung, Epson, Lexmark, Oki and Ricoh.

Is your printer potentially a pro-PewDiePie platform?

As we said with regards to the “please close this port, for the love of God” attack, every printer is different. Here are some ways to button up some of the vulnerable ones:

  • The affected printers in the 2017 attack were all networked models, potentially including wireless models.
  • Printers with built-in management can be vulnerable if they can be accessed remotely, so make sure to change the default password.
  • Make sure your firewall is properly configured.
  • Don’t leave your printer switched on if you’re not using it.
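Whether the firewall point in the list above actually holds for a given printer is easy to verify from the right vantage point. The following is an added example, not code from the article or from PRET: it checks whether the three printing services named above (port 9100 raw, 631 IPP, 515 LPD) accept a TCP connection on a host. Run against your own printers from outside the network boundary that is supposed to block them, a reported open port means the firewall rule is not doing its job; on the LAN itself, 9100 or 631 being open is normal. The printer address in the usage line is a placeholder, and the self-test uses a throwaway local listener so the block runs offline.

```python
import socket
from typing import Dict, List, Tuple

# The three direct-printing services discussed in the article.
PRINT_PORTS: Dict[int, str] = {9100: "RAW/JetDirect", 631: "IPP", 515: "LPD"}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, unreachable, or bad address
        return False


def check_print_ports(host: str, ports: Dict[int, str] = PRINT_PORTS,
                      timeout: float = 1.0) -> Dict[int, bool]:
    """Map each printing port to whether it is reachable on the host."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_services(host: str, ports: Dict[int, str] = PRINT_PORTS,
                     timeout: float = 1.0) -> List[str]:
    """Names of the printing services reachable on the host, for a one-line report."""
    reachable = check_print_ports(host, ports, timeout)
    return sorted(ports[port] for port, is_open in reachable.items() if is_open)


def demo_with_local_listener() -> Tuple[bool, bool]:
    """Offline self-check: a local listener on an ephemeral port must be reported open,
    and the same port must be reported closed once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = check_print_ports("127.0.0.1", {port: "test"})[port]
    finally:
        listener.close()
    after_close = check_print_ports("127.0.0.1", {port: "test"})[port]
    return while_listening, after_close


if __name__ == "__main__":
    print("self-check (open, closed):", demo_with_local_listener())
    printer = "192.0.2.10"  # placeholder address; substitute your printer's address
    print(f"{printer}: reachable services = {exposed_services(printer, timeout=0.5) or 'none'}")
```

Note that a closed report only says a TCP handshake did not complete from where you ran it; it says nothing about the web management interface or default credentials, which the list above addresses separately.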

Printers aren’t just passive boxes. If they’re hooked to the network, they can be put to work shilling for whatever favorite cause a bored gamer who plays around with Shodan decides on. Worse still, they can be damaged.

Don’t let your office workhorse become collateral damage in the Bollywood-PewDiePie dance-off… or any other weirdness the internet coughs up!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u5Nte_b7Cmg/