STE WILLIAMS

Wayback Machine ‘unarchives’ spying website

Who is archiving the web, and what happens when people ask for information to be ‘un-archived’?

The internet found out recently, when a company with a questionable marketing history reportedly asked the world’s best-known web archive to eradicate its information.

The Wayback Machine, which is run by the non-profit Internet Archive, has been quietly archiving as much of the web as it can to create a permanent record of our fast-moving, volatile digital landscape.

The archive’s preservation of online data has proven valuable on several occasions. In 2014, Ukrainian separatist leader Igor Girkin bragged on social media about downing a Ukrainian military cargo plane. After that plane was revealed as Malaysia Airlines Flight 17, the post was deleted, but the Wayback Machine still had the original message.

Clearly, archiving information has its benefits. So what happens when someone doesn’t want information about them to stick around?

This issue came up recently when Thailand-based FlexiSpy reportedly asked the Internet Archive to delete its webpages from the Wayback Machine. FlexiSpy, which sells software for monitoring phones and desktop computers, used to market its software as a tool to spy on cheating spouses. As Motherboard points out, another archive still maintains images of the company’s site from several years ago.

Search the Wayback Machine’s archive for FlexiSpy, however, and it reports that the URL has been excluded. Does that mean it complied with the request?

The Internet Archive did not respond to requests about its policy. However, its terms and conditions say that if asked by an author or publisher, it “may remove that portion of the Collections without notice.” Its FAQ says that site owners can “send an email request for us to review”.

Traditionally, the Archive has based its approach to exclusion requests on a policy created by UC Berkeley (archived version here). Under this policy, archivists should provide a ‘self-service’ approach that site owners can use to remove their materials using robots.txt files.

Robots.txt files are instructions left on sites for crawlers, telling them what they should not look at. Under the policy, a site owner could simply add one of these files at the top level of their site with a specific instruction for the Internet Archive, and then submit their site using a form.
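Whether a robots.txt actually says what you think it says to a given crawler is easy to check before you submit anything. The following is an added example, not from the original article and not the Internet Archive’s own tooling: it parses a constructed robots.txt with Python’s standard-library robotparser and reports what each named crawler is allowed to fetch. It assumes the Archive’s crawler identifies itself as ia_archiver, the user-agent token its exclusion instructions have historically named; confirm the current token with the Archive before relying on it.

```python
import urllib.robotparser

# Constructed robots.txt, not taken from any real site. It tells the Archive's
# crawler to stay out entirely and gives every other crawler the usual single
# restricted directory. "ia_archiver" is assumed to be the token the Wayback
# Machine honours; check the Archive's current instructions before relying on it.
SAMPLE_ROBOTS_TXT = """\
User-agent: ia_archiver
Disallow: /

User-agent: *
Disallow: /private/
"""


def load_robots(text, site="https://example.com"):
    """Parse robots.txt text as if it had been fetched from site/robots.txt."""
    rp = urllib.robotparser.RobotFileParser()
    rp.set_url(site + "/robots.txt")
    rp.parse(text.splitlines())
    return rp


def excluded_for(rp, agent, url):
    """True if the file tells `agent` not to fetch `url`."""
    return not rp.can_fetch(agent, url)


def exclusion_report(text, agents, urls):
    """{agent: {url: excluded?}} so you can eyeball what each crawler may take."""
    rp = load_robots(text)
    return {agent: {url: excluded_for(rp, agent, url) for url in urls} for agent in agents}


if __name__ == "__main__":
    report = exclusion_report(
        SAMPLE_ROBOTS_TXT,
        ["ia_archiver", "Googlebot"],
        ["https://example.com/", "https://example.com/private/notes"],
    )
    for agent, rows in report.items():
        for url, excluded in rows.items():
            print(f"{agent:12} {url:40} {'excluded' if excluded else 'allowed'}")
```

Note that robotparser matches the user-agent token case-insensitively and falls back to the `*` group when no named group applies, which is also how most real crawlers behave; a rule that only names the wrong token therefore blocks nobody.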

That policy had significant implications for the Archive. In 2006, it settled with a firm called Healthcare Advocates, which was in the middle of a trademark dispute with a similarly-named company. Healthcare Advocates had added a robots.txt file to its site to stop crawlers spidering it. Under the Archive’s policy at the time, this should have triggered the site’s complete deletion from the Wayback Machine, but it didn’t.

Since then, the Archive’s policy on crawling has relaxed. In December 2016 it began ignoring robots.txt files on government sites, and then in April 2017 announced that it was “looking to do this more broadly”. However, the ability to request a deletion via email remains, as it always has done.

FlexiSpy’s request isn’t the first that the Archive has received. There are many others, and some have resulted in legal cases. In 2007, it settled with activist Suzanne Shell, who had demanded that it take down records of her family rights site after alleging copyright infringement. Internet Archive said at the time:

Internet Archive has no interest in including materials in the Wayback Machine of persons who do not wish to have their Web content archived.

Nevertheless, the Archive doesn’t appear ready to roll over at every request. Nor does it seem to have completely removed robots.txt-based removals.

MSNBC host Joy Ann Reid has recently been the subject of controversy after Wayback Machine searches unearthed homophobic comments on her blog. She has said that someone hacked the Wayback Machine, which is an unsubstantiated claim that the Archive denies. The interesting part is that the Archive refused an emailed request from her lawyers to delete the offending posts, due to:

Reid’s being a journalist (a very high-profile one, at that) and the journalistic nature of the blog archives.

So, the Archive won’t always follow takedown requests. However, its automated robots.txt file policy apparently still does. Its decision to explore ignoring robots.txt files more widely clearly hasn’t kicked in yet, because someone put a robots.txt file on Reid’s live blog, and the automated removal process played out – the blogs are no longer visible. Perhaps that highlights the need for a more manual process?

A broader question is: Does honouring takedown requests, manually or automatically, affect the Archive’s value?

In an age of fake news, shrinking government trustworthiness and changing official narratives, scientists have already had to rush to preserve information in the face of political change. Without a reliable archive, how can we be sure that we are fixing statements in time and holding people to account?

The Archive is a small non-profit with around $17.5m in revenues, and yet it is currently our best hope for documenting the internet’s ephemera and making it permanent. However, without substantially more funding, it will have to pick its legal battles wisely.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DTG0N7b1FCI/

Are your Android apps sending unencrypted data?

Have you ever wanted to know what your phone is up to?

Good, then this article is for you.

Phones are locked down so you don’t have to worry about what’s going on under the hood. That’s great if you want a device that Just Works, and it’s the exact opposite if you’re the kind of person that worries about what it might be up to – like me.

Fortunately, if you have a bit of time and some technical skills, there are some simple ways to see what your apps are up to.

One of the things I worry about is oversharing – apps sending out more data than they need to, or transmitting data in insecure ways – such as using unencrypted HTTP requests instead of HTTPS.

My concerns led me to do some network analysis on popular Android apps, following the methodology set out in the OWASP Mobile Security Testing Guide.

I’ll tell you what I did, what I discovered and how you can do it too.

Oversharing apps

I looked at the charts of the most popular apps on Google Play, picked a few at random, installed them and then monitored their traffic to see what they were sharing.

I tested fourteen popular apps:

  • Four of them sent data unencrypted, making them easy to spy on over public Wi-Fi.
  • One app shared email addresses and authentication tokens in plain text.
  • Another shared my ZIP code, Android version and battery charge (a potential fingerprint).

I was shocked at how easy it was to discover such basic security blunders, and shared what I found with the apps’ developers.

There are millions of apps on Google Play, and millions more on other markets – far too many for me to test on my own. That’s where you come in – here’s how I did it, so you can do it too.

A simple way to spy on your phone

This basic setup will get you up and running, looking for one thing: apps that use HTTP instead of HTTPS. It won’t catch everything your apps are doing, but it’s a very good place to start.

To see what my Android phone was up to, I installed Fiddler on a Windows computer that was on the same Wi-Fi network as a Nexus 5 phone running Android 6.0.1.

Fiddler is a freely downloadable web debugging proxy that lets you capture and view the traffic going into and out of your Android device (other proxy applications are available, such as Burp Suite and Charles).

Windows setup

Install Fiddler on your Windows machine. Open it, and go to Tools > Options > Connections.

The Connections tab shows you which port Fiddler is listening on (port 8888 by default). If you want to use a different port, change it and write it down; you’ll need it later. Make sure Allow remote computers to connect is ticked, otherwise Fiddler will only accept connections from the Windows machine itself and your phone will never get through.

Next, we need to find out the Windows machine’s IP address.

Open a command prompt and type ipconfig. Your IP address is listed as IPv4 Address under whichever network adapter your computer is using to connect to your Wi-Fi network (for obvious reasons, your Windows and Android devices will need to be on the same network).

Android setup

With Fiddler set up on Windows, you now need to point your Android device at it as a proxy so that its traffic is routed through it. Here’s how (the exact wording varies a little between Android versions; this is Android 6):

  1. Open Settings.
  2. Open Wi-Fi.
  3. Long-press the Wi-Fi network your Windows machine is on and choose Modify network.
  4. Tick Advanced options.
  5. Change the proxy configuration from None to Manual.
  6. Set the proxy hostname to your Windows machine’s IP address.
  7. Set the proxy port to whichever port Fiddler is listening on.

Fiddler is now set up to capture traffic from your Android device. (Remember to set the proxy back to None when you’re finished: while the phone points at a machine that isn’t running Fiddler, it has no web access on that network.)

Analysis

Fiddler is now set up as a man-in-the-middle (MitM) proxy, so we’re going to open our apps and watch their traffic passing through it to see if they’re using HTTP and potentially sharing more than they should. (We haven’t installed Fiddler’s root certificate on the phone, so HTTPS connections appear only as CONNECT tunnels to a hostname and their contents stay encrypted; that’s fine for this exercise, because we’re only hunting for apps that use HTTP at all.)

(A handy feature of Fiddler is that you can double click on a packet that you want to inspect and it will automatically identify what it thinks is the most important information in that packet.)

So what should you look for?

  • Images: Like the recent issues with Tinder, my tests showed that some apps encrypt all of their traffic apart from images.
  • JSON data: One of the apps I tested sent a JSON file (a data structure in plain text) that contained a username, email address and authentication details.
  • URLs: You’ll be surprised at what you can see in a URL sometimes. I saw my IP Address, Android version, phone make and model, ZIP code, geo-coordinates, battery charge – all in one URL!

The list goes on, of course, and if you have any suggestions on things to look out for based on what you find, please leave them in the comments below.
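Once you have more than a handful of captured sessions, the three checks above are worth automating. Here is an added example in Python; it is not part of the original article and not a Fiddler script. It takes a list of captured requests (constructed here as plain dicts with url, headers and body, roughly what you would pull out of a HAR or SAZ export) and flags plaintext HTTP, images fetched over HTTP, device or user identifiers in the query string, and credential-looking keys in JSON bodies. The hostnames under example-app.test and the key lists are assumptions for the demo.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys that identify the device or user when sent in the clear
# (assumed set for the demo; extend it with whatever your own captures show).
SENSITIVE_PARAMS = {
    "email", "zip", "zipcode", "lat", "lon", "lng", "battery",
    "android_version", "os_version", "device", "model", "imei", "token",
}
# JSON keys that look like credentials or session material.
CREDENTIAL_KEY = re.compile(r"pass(word)?|token|auth|secret|session|api_?key", re.I)
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")


def _walk_json(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk_json(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk_json(value, f"{path}[{i}]")
    else:
        yield path, obj


def _header(req, name):
    """Case-insensitive header lookup on the captured request."""
    return next((v for k, v in req.get("headers", {}).items() if k.lower() == name.lower()), "")


def triage_request(req):
    """Findings for one captured request as (kind, host, detail) tuples.
    HTTPS requests yield nothing: a Wi-Fi eavesdropper cannot read them."""
    findings = []
    parts = urlsplit(req["url"])
    if parts.scheme != "http":
        return findings
    host = parts.hostname
    findings.append(("plaintext-http", host, parts.path))
    if parts.path.lower().endswith(IMAGE_EXTENSIONS):
        findings.append(("image-over-http", host, parts.path))
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SENSITIVE_PARAMS:
            findings.append(("sensitive-url-param", host, f"{key}={values[0]}"))
    body = req.get("body", "")
    if body and "json" in _header(req, "Content-Type").lower():
        try:
            doc = json.loads(body)
        except ValueError:
            return findings
        for path, _ in _walk_json(doc):
            leaf = path.rsplit(".", 1)[-1]
            if CREDENTIAL_KEY.search(leaf) or "email" in leaf.lower():
                findings.append(("credential-in-json", host, path))
    return findings


def triage(captures):
    """Run triage_request over a whole capture and flatten the findings."""
    return [f for req in captures for f in triage_request(req)]


# Constructed captures in the spirit of the three cases above (not real apps).
SAMPLE_CAPTURES = [
    {"url": "https://api.example-app.test/v1/feed", "headers": {}, "body": ""},
    {"url": "http://cdn.example-app.test/avatars/u123.jpg", "headers": {}, "body": ""},
    {"url": "http://t.example-app.test/ping?zip=94103&battery=87&android_version=6.0.1",
     "headers": {}, "body": ""},
    {"url": "http://auth.example-app.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"user": {"email": "alice@example.test"}, "auth_token": "0123abcd"})},
]

if __name__ == "__main__":
    for kind, host, detail in triage(SAMPLE_CAPTURES):
        print(f"{kind:20} {host:24} {detail}")
```

The HTTPS request produces no findings on purpose; if you later install the proxy’s root certificate on the phone and decrypt TLS, drop the scheme check and the same key-spotting logic applies to everything.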

A word to app developers: If you’re an Android or iPhone app developer and you’ve yet to implement SSL/TLS in your apps… get on with it!

You can pay a few dollars for a server certificate from your hosting company, or get one for free from Let’s Encrypt. Information about what to do in your app to support SSL/TLS can be found on the Android Developer’s Security with HTTPS and SSL pages. On Android 7.0 and later you can also forbid cleartext traffic outright with a Network Security Config (cleartextTrafficPermitted="false"), and from Android 9 cleartext is blocked by default unless the app opts back in.

A word to would-be hackers: Eric S. Raymond famously put it as “given enough eyeballs, all bugs are shallow” (Linus’s Law). It’s not entirely true, but it helps, and I think the more people that hold their Android and iPhone apps to account, the more chance we have of finding misbehaving apps and improving the overall standard.

If you decide to start looking more closely at what your apps are doing, I’d love to hear about what you find, either in the comments below or via our tips email address, [email protected].

But remember: If you do find something, please practice responsible disclosure.

Going to Infosec Europe 2018?

I’ll be talking about this very subject on the Sophos stand (F160) at Infosec in London next week, with a presentation titled “Hacking Android: How to find out which apps are spying on you”. I’ll be presenting at 15:00 on Tuesday 5th June and 14:00 on Wednesday 6th June.

Please stop by and say hi if you’ll be at the event. If you haven’t done so already, you can register for Infosec Europe here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a6Hkk9olt0s/

Ex-staffer of UK.gov dept bags payout after boss blabbed medical info to colleagues

A Manchester man has won his case against former employer the Department for Work and Pensions, after a superior shared “highly private” medical information with his colleagues.

Aftab Marchant, who worked in the DWP’s Stockport office, has reportedly received a substantial payout in the case – for which he was claiming damages of £50,000.

According to the Manchester Evening News, the department has paid out in the case, and given the manager an informal warning.

Marchant said that he told his superior about a long-term illness he had, along with the “embarrassing” side effects of the treatment, and asked this to be kept strictly confidential.

However, the superior sent an email about it to a colleague, with 10 others copied in.

Marchant said he found out about the breach – which happened in February 2016 – after returning to work following a period of annual leave, when a colleague asked about his illness.

The former staffer told the MEN that he had depression and was “very paranoid” about being a subject of workplace gossip, and later decided to take his employer to court for distress and personal injury as a result of a breach of data protection and privacy laws.

His lawyer, Nick McAleenan of JMW Solicitors, told the MEN: “After what has been an incredibly distressing time for our client, it is positive to see the DWP acknowledge that this was an absolutely unacceptable disclosure of private information, with a healthy sum of money paid to our client as a result.”

The DWP said that it didn’t comment on individual cases. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/29/exdwp_staffer_bags_payout_after_boss_blabbed_medical_info_to_colleagues/

An Industry In Transition: Key Tech Trends In 2018

What’s This?

By Shehzad Merchant, Chief Technology Officer, Gigamon

It’s the time of the year where everyone makes predictions for the following year. But rather than focus on predictions, I’d like to zero in on long-term trends that will have a broad, far-reaching impact. So without further ado, here are three of them:

1. The Pendulum Of Cybersecurity Will Shift From Confidentiality To Integrity And Availability

The risk rhetoric around cyber breaches will shift from one aimed at confidentiality to one increasingly focused on integrity and availability. Typically, when we talk about breaches, more often than not we’re talking about compromised company data or customer information. Many of the recent large breaches in the news reflect this. Cyberattacks that seek to compromise confidential or personal information are fundamentally attacks on the confidentiality of information. However, as we look toward the world of connected devices, breaches in that world will affect the functioning of those devices.

In other words, cyber breaches in the world of connected things or the internet of things (IoT) will impact either the availability of devices or the integrity or functioning of those devices. And this is a much more serious threat than what we are used to today. Cyber breaches that affect the integrity or availability of devices can be life-threatening, and consequently, the risk, cost and threat levels associated with such breaches will far outweigh anything that we are seeing today. An example that comes to mind is medical equipment vital to a patient’s survival such as a respirator or insulin pump. While we as an industry are perhaps reaching the point of breach fatigue, I think the bigger set of issues lie ahead of us. 

2. Rise Of Machine Learning

The use of machine learning (ML) will increasingly proliferate across all aspects of cybersecurity. With recent advances in technology, the use of ML is no longer something mystical, futuristic or confined to the academics. Rather, ML is fast becoming mainstream, with open-source and commercial offerings targeted toward cyber defense. Massive compute and storage capacity at affordable prices and infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings are making ML-based solutions easier and more affordable to deploy.

More significant, however, is that ML algorithms, both supervised and unsupervised, and the toolkits around them are rapidly advancing in capability and maturity, particularly in the finance sector. Even the ability to throw massively parallel graphics processing unit (GPU) systems at ML-based computation is now becoming mainstream with the availability of user-friendly toolkits, APIs and third-party integrations. With these advances, threat intelligence researchers, technology companies, academic institutions and infosec teams will all increasingly attempt to apply ML-based solutions as a way to fingerprint bad actor activity, build more accurate baselines of normal behavior and surface anomalies against them. Key to the success of this is access to relevant and targeted training data for supervised and unsupervised ML. Here, too, the content-rich network traffic data and metadata, which hitherto were harder to come by, are now becoming easily available. This is one promising and long-term trend that can significantly advance cyber defense.

3. Blockchain To The Forefront

Any discussion of long-term trends would be incomplete without blockchain. I am referring to the underlying technology behind Bitcoin — not the cryptocurrency itself. The distributed ledger mechanism of blockchain is very amenable to solving many of the broader problems we face today. While smart contracts seem to be the buzz today around blockchain, the real power lies in harnessing it for fundamental and discontinuous shifts in how we think about trust and the role of centralized trusted authorities. These include governments, banks, clearinghouses, credit verification agencies, etc. Our long-standing reliance on central authorities has created both monopolies and choke points that cybercriminals have been able to target with massive impact.

For example, take the case of the Equifax breach that revealed a record number of user identities. Rather than having a handful of central authorities that control the data of hundreds of millions of users, we should consider models with each user’s credit history protected as part of a blockchain with access rights controlled by the user as needed, such as for credit verification. Leveraging blockchain in this way would fundamentally change how we think about credit reporting, privacy and the ability to access that information for credit history verification.

There are other challenges that will arise, of course, and blockchain itself will need to evolve. However, the overarching point is blockchain has the potential to create discontinuities that can change and reshape the very notion of the role of centralized authorities, governments and banks and their involvement in terms of how we conduct business in our day-to-day lives. There is still a long way to go with it, but it’s certainly a very interesting trend to keep an eye on.

From a swing of the cybersecurity pendulum to the increasing ubiquity of machine learning and more, 2018 is likely to be one for the books. How do you foresee the cyber landscape changing in the coming year?

As previously seen on Forbes in An Industry In Transition: Key Tech Trends In 2018.

Shehzad Merchant serves as Chief Technology Officer of Gigamon, bringing over 20 years of experience in the high-tech industry. Prior to joining Gigamon, Shehzad served as the CTO at Extreme Networks, and is the author of several networking and communications patents.

Article source: https://www.darkreading.com/partner-perspectives/gigamon/an-industry-in-transition-key-tech-trends-in-2018/a/d-id/1331890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ISP popped router ports, saving customers the trouble of making themselves hackable

Singaporean broadband users were left vulnerable to attackers after their ISP opened remote access ports on their modems and forgot to close them.

The discovery was made by NewSky Security researcher Ankit Anubhav, who used Shodan to scan for SingTel routers open on port 10,000 – the default Network Data Management Protocol TCP/UDP port.

Anubhav said the scan yielded 975 devices that had port 10,000 open with no protection, as a result of a fault-finding exercise gone wrong (that number is only those found on the scan).

When NewSky alerted Singapore’s CERT, and that body took the issue to SingTel, Anubhav said the root cause was that SingTel enabled port 10,000 to troubleshoot a problem with the SingTel-branded routers (the “Wi-Fi Gigabit Router” is supplied by Arcadyan).

The carrier neglected to close the port once the issues were resolved, leaving the customers vulnerable.

The NewSky post quotes SingCERT’s Douglas Mun as saying: “Port forwarding was enabled by their customer service staff to troubleshoot Wi-Fi issues for their customers and was not disabled when the issues were resolved. ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed.”

Mun added that the ISP had since closed the ports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/29/singtel_left_home_router_ports_open/

Softbank’s ‘Pepper’ robot is a security joke

Softbank’s popular anthropomorphic robot, Pepper, has myriad security holes according to research published by Scandinavian researchers earlier this month.

The ‘bot allows unauthenticated root-level access, runs a Meltdown/Spectre-vulnerable processor, can be administered over unencrypted HTTP and has a default root password.

The researchers, Örebro University’s Alberto Giaretta working with Michele De Donno and Nicola Dragoni of the Technical University of Denmark, decided that while there have been various one-off stunt-hacks of the robot, they weren’t aware of any systematic assessment of Pepper’s security.

Their research found that “it is a breeze to remotely turn it into a ‘cyber and physical weapon’, exposing malicious behaviours”.

A sorry list of vulns

The Meltdown/Spectre exposure was trivially identified, since all they needed was the uname -a terminal command to read off the kernel version and CPU architecture. (That only tells you the platform is in the affected class; on a current Linux kernel the authoritative per-issue answer is in /sys/devices/system/cpu/vulnerabilities/.)

A bit of Ettercap and Wireshark work revealed that the admin page is unsecured, which leaves naked the user/password pair of the only user account offered, called nao.

The robot almost implemented some kind of security by limiting SSH access to nao rather than permitting root SSH access, but since the root account’s password is root (unchangeable and documented in the user manual), a superuser command from nao's terminal gives the attacker full privileges.

There’s also no “log off” function in the admin panel.

“As a side note, we strongly believe that, in 2018, selling products so easily vulnerable to these kinds of attacks is not tolerable anymore”, the researchers observed.

The researchers also found the bot is susceptible to a brute-force attack.

This would most likely succeed, because Softbank’s engineers haven’t provided any protections against an attacker hammering Pepper with unlimited password attempts: “no countermeasures to brute-force attacks have been deployed with Pepper, which is once again an intolerable and disappointing finding”.
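For contrast, here is what the missing countermeasure looks like in its minimal form. This is an added example, not code from the researchers or from Softbank: a password check with a per-source failure counter and a temporary lockout, run against a small constructed wordlist in both the unguarded (as found) and guarded forms. The account name nao matches the one in the text; the password, wordlist, source address, salt and thresholds are invented for the demo, and the PBKDF2 iteration count is kept low so it runs quickly.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 5         # failed attempts one source gets before it is locked out
LOCKOUT_SECONDS = 300    # how long that source stays locked
KDF_ITERATIONS = 10_000  # deliberately low for the demo; use far more in production


def make_record(password, salt=b"demo-salt-not-for-production"):
    """Store a salted PBKDF2 hash, never the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def verify_unguarded(records, user, password):
    """The as-found behaviour: every attempt is checked, as many as you like."""
    rec = records.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    """Hardened form: per-source failure counter plus a temporary lockout.
    `clock` is injectable so the lockout window can be tested without sleeping."""

    def __init__(self, records, clock=time.monotonic):
        self._records = records
        self._clock = clock
        self._failures = {}       # source -> consecutive failed attempts
        self._locked_until = {}   # source -> clock value at which the lockout ends

    def is_locked(self, source):
        return self._locked_until.get(source, 0.0) > self._clock()

    def attempt(self, source, user, password):
        """Return 'ok', 'denied' or 'locked'. A locked source is refused before the
        password is even checked, so a correct guess is useless until the window ends."""
        if self.is_locked(source):
            return "locked"
        if verify_unguarded(self._records, user, password):
            self._failures.pop(source, None)
            return "ok"
        count = self._failures.get(source, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(source, None)
            self._locked_until[source] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        self._failures[source] = count
        return "denied"


def brute_force(try_password, wordlist):
    """Run a wordlist through a login function; return (cracked_password, outcomes)."""
    outcomes = []
    for guess in wordlist:
        result = try_password(guess)
        outcomes.append(result)
        if result == "ok":
            return guess, outcomes
    return None, outcomes


# Constructed demo data: one account whose password sits late in a tiny wordlist.
RECORDS = {"nao": make_record("hunter2")}
WORDLIST = ["root", "nao", "password", "123456", "admin", "pepper", "hunter2"]


def demo_unguarded():
    """Without countermeasures the wordlist walks straight through to the password."""
    return brute_force(lambda p: "ok" if verify_unguarded(RECORDS, "nao", p) else "denied", WORDLIST)


def demo_guarded(clock=time.monotonic):
    """With the guard, the fifth failure locks the source and the right guess is refused."""
    guard = LoginGuard(RECORDS, clock=clock)
    return guard, brute_force(lambda p: guard.attempt("10.0.0.9", "nao", p), WORDLIST)


if __name__ == "__main__":
    print("unguarded:", demo_unguarded())
    print("guarded:  ", demo_guarded()[1])
```

Keying the lockout on the source rather than the account stops one attacker from locking legitimate users out; a real deployment would combine both and log the lockouts, but the shape above is the whole of what the researchers found absent.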

The researchers’ next victim was an application on Pepper called ‘Simple Animated Messages’ (SAM), which lets users “design a simple choreography that makes Pepper move, say something through a text-to-speech service, and show a picture on its on-board tablet”.

By now you can guess what’s coming: “the application performs no control over the file extension. As a matter of fact, we were able to upload images, text files which extensions have been modified to images, and even plain text files without performing extension editing”.

They decided not to build a proof-of-concept, but believe this would be easy for an attacker to exploit.
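What the upload check should have done is easy to state: decide by what the bytes are, not by what the client called the file. The following is an added example, not the SAM application’s code and not from the paper: it puts the extension-only check beside a content check that requires a real image signature, a size cap, and agreement between signature and extension. The sample uploads (a bare PNG header and a text payload renamed to .png) are constructed for the demo.

```python
# (kind, leading bytes, extensions that legitimately carry that kind)
IMAGE_SIGNATURES = (
    ("png",  b"\x89PNG\r\n\x1a\n", {"png"}),
    ("jpeg", b"\xff\xd8\xff",      {"jpg", "jpeg"}),
    ("gif",  b"GIF87a",            {"gif"}),
    ("gif",  b"GIF89a",            {"gif"}),
)
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def sniff_image(data):
    """Return (kind, allowed_extensions) from the leading bytes, or None if not an image."""
    for kind, sig, exts in IMAGE_SIGNATURES:
        if data.startswith(sig):
            return kind, exts
    return None


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def accept_by_extension(filename, data):
    """The weak check: trusts the name the client chose and never looks at the data."""
    return extension_of(filename) in {"png", "jpg", "jpeg", "gif"}


def accept_by_content(filename, data):
    """The hardened check: size cap, genuine image signature, extension must agree."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False
    sniffed = sniff_image(data)
    if sniffed is None:
        return False
    _, allowed_exts = sniffed
    return extension_of(filename) in allowed_exts


# Constructed uploads: a genuine PNG header, and a text payload under various names.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
TEXT_PAYLOAD = b"say('I am not a picture')\n"
SAMPLE_UPLOADS = [
    ("logo.png", PNG_HEADER),
    ("renamed.png", TEXT_PAYLOAD),
    ("notes.txt", TEXT_PAYLOAD),
    ("mislabelled.jpg", PNG_HEADER),
]


def review(uploads, check):
    """Apply one acceptance rule to every (filename, bytes) pair."""
    return {name: check(name, data) for name, data in uploads}


if __name__ == "__main__":
    print("by extension:", review(SAMPLE_UPLOADS, accept_by_extension))
    print("by content:  ", review(SAMPLE_UPLOADS, accept_by_content))
```

A signature check only proves the file starts like an image; a valid image can still carry hostile content, so the stored file should also be served with a fixed Content-Type from outside any path the robot executes or renders as code.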

Then there’s the Pepper API, which exposes its capabilities through languages like Python, C++, and Java, provides access to all sensors, cameras, microphones, and moving parts, and is “astonishingly insecure”.

“Pepper exposes a service on port 9559 which accepts TCP messages and reacts accordingly. As long as the messages comply to the API, by-design, Pepper accepts packets from whoever sends them” – and without authentication.

An attacker able to communicate with Pepper over TCP could use the cameras and microphones to spy on people and conversations; could remotely interact with people (for example, to trick them into providing personal information); use Pepper as an attack robot; or send the shutdown or factory reset commands.

At least Furby dolls needed hardware hacks to make them swear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/29/softbank_pepper_robot_multiple_basic_security_flaws/

FBI to World+Dog: Please, try turning it off and turning it back on

The FBI has reminded the world it wants us to reboot our routers to try and help it identify VPNFilter-affected routers.

It first asked for reboots last Wednesday, May 23, in the Department of Justice VPNFilter media release, but on Friday added a stand-alone public service announcement emphasising its “IT Crowd” strategy.

Last week, Cisco Talos researchers announced the malware had infected around 500,000 home and small office routers and NAS devices. The company listed routers from Linksys, MikroTik, Netgear, and TP-Link, and QNAP storage systems, as targets of VPNFilter.

Talos noted that the malware was trying to target machines in Ukraine, and the FBI attributed the attacks to the group known as “Sofacy” or “Fancy Bear”.

On Thursday, the FBI revealed it had seized a domain associated with the campaign, giving it the chance to drop malware traffic into a sinkhole.

The FBI said it would gather the IP addresses of infected devices, and pass those to the Shadowserver Foundation to disseminate among ISPs and non-US CERTs.

As we noted last Thursday, a reboot only removes part of the infection: the persistent first stage survives it, and the device will go straight back to contacting command-and-control servers to fetch the later stages again.

As at May 25, the date of the public service announcement, the FBI still said the infection vector was unknown.

Vendor responses to VPNFilter so far include:

  • Netgear said users should install the latest firmware for their devices, change the default admin password, and turn off remote management;
  • MikroTik said the March 2017 version of its operating system disables the malware, and provided instructions about securing its devices;
  • QNAP said suitable firmware has existed since last year, and reminded users to change the default admin password; and
  • TP-Link said VPNFilter only affected its TL-R600VPN router, and linked users to firmware and security instructions.

As we noted in last week’s security roundup, SecureList has analysed VPNFilter’s C&C mechanism. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/28/fbi_vpnfilter_hunt/

Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!

If you’re a Naked Security reader, you’ve probably heard of Ghostery.

Even if you don’t use it yourself, you’re likely to have seen it mentioned, almost certainly positively, in comments by other readers.

In its own voice, “Ghostery is a browser extension that helps you to manage website trackers for a cleaner, faster, safer experience.”

Ghostery’s German owner, Cliqz – itself part-owned by Mozilla – makes a Firefox-based browser called (you may have guessed this already) Cliqz, “the no-compromise browser” that “gives you relevant search results and does not leak your private data.”

You therefore probably wouldn’t expect Ghostery, of all people, to be carried away by the recent GDPR messaging frenzy sweeping Europe.

We’re assuming that our American friends felt the fringe of the GDPR email storm, but here in the EU (the UK is a member state for the time being) the flood has turned into a veritable deluge in recent days.

Companies that collected our email addresses sometime in the past, but had never thought to ask if we minded being on their mailing lists, even though GDPR has been law for more than two years already, used the last few days before the start of GDPR enforcement to beg, bludge or badger us into making things official.

Their emails typically didn’t put it like that, of course: they warned us that if we weren’t careful, we’d inadvertently sacrifice the inestimable value of being on their list, so we’d be well-advised to act at once – with one particularly desperate company offering us no less than a FREE CAT VIDEO for signing up.

Of course, on Friday 25 May 2018, when GDPR enforcement officially started, we were looking forward to the end of all this consent-at-the-last-minute nonsense…

…while simultaneously wondering just how much self-congratulatory-and-smugly-compliant stuff we’d now start getting instead, this time from companies that had acquired our consent before the cutoff, and couldn’t wait to show us the innumerable benefits of having stayed on their list.

Ghostery’s gaffe

Anyway – fear not, we’ve got ourselves back on track in this article now – Ghostery was one of the companies that decided to send its subscribers a “Happy GDPR Day” email on Friday.

We mean that quite literally, by the way, as you can see from the subject line below:

Fighting talk, to be sure, although we suspect someone at Ghostery is regretting the highlighted words in the text above:

We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.

In fact, we suspect that someone is not only regretting those words, but also worrying just how fiery their first meeting on Monday morning is going to be.

Unfortunately for whoever pressed [Send] on this one, privacy-protecting proselytisers Ghostery ended up delivering the message to all of its security-sensitive subscribers on Friday…

…in batches of 500, with all 500 email addresses in the To: field every time.

In other words, each of the recipients of the “Happy GDPR Day” message explaining just how much Ghostery values their privacy and security, and how many steps it has taken to reinforce them …

…could see the other 499 people on their section of the mailing list, making the email look a bit like this:

In words we have probably all uttered at some time or another, “That was NOT supposed to happen!”

What to do?

As the Naked Security reader who sent us a copy of the errant email wryly remarked, “Well, this is embarrassing.”

What advice do we have for anyone wanting to avoid the same problem?

All we can think of is, “Don’t do that.”
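A slightly longer answer, as an added example that is not Ghostery’s code: keep subscriber addresses out of the visible headers by construction, and refuse to send any batch in which one of them appears there anyway. The Python below builds batches of 500 with the recipients carried only in the SMTP envelope (what you would pass as to_addrs to smtplib.SMTP.send_message) beside the leaky variant that stuffs them into To:, plus the pre-send gate that tells them apart. The 1,200-address subscriber list and the sender and list addresses are constructed at a reserved test domain.

```python
from email.message import EmailMessage

BATCH_SIZE = 500


def build_batches(recipients, sender, subject, body, list_address):
    """Yield (envelope_recipients, message) per batch. Subscriber addresses live only
    in the envelope list; the visible To: header carries the list's own address."""
    for start in range(0, len(recipients), BATCH_SIZE):
        batch = recipients[start:start + BATCH_SIZE]
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = list_address
        msg["Subject"] = subject
        msg.set_content(body)
        yield batch, msg


def build_batches_leaky(recipients, sender, subject, body):
    """The failure described above: the whole batch goes into the To: header."""
    for start in range(0, len(recipients), BATCH_SIZE):
        batch = recipients[start:start + BATCH_SIZE]
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = ", ".join(batch)
        msg["Subject"] = subject
        msg.set_content(body)
        yield batch, msg


def leaks_recipients(msg, envelope):
    """Pre-send gate: True if any envelope recipient is visible in To: or Cc:."""
    visible = " ".join(str(msg[h]) for h in ("To", "Cc") if msg[h] is not None).lower()
    return any(addr.lower() in visible for addr in envelope)


# Constructed subscriber list at a reserved test domain; no real addresses.
SUBSCRIBERS = [f"user{i:04d}@example.test" for i in range(1200)]


def send_all(batches, transport):
    """Hand each batch to `transport(envelope, msg)` only if it passes the gate.
    Returns the number of batches sent."""
    sent = 0
    for envelope, msg in batches:
        if leaks_recipients(msg, envelope):
            raise ValueError("recipient addresses visible in headers; refusing to send")
        transport(envelope, msg)
        sent += 1
    return sent
```

In production `transport` would be `lambda env, msg: smtp.send_message(msg, to_addrs=env)`; the gate is cheap enough to leave in permanently rather than only in tests.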

By the way, if you’re the boss with the job of roasting the person who clicked [Send] come Monday, please take into account that they’ve had the whole weekend to sweat about the blunder…

…but if you’re the person who clicked [Send], you might want to use the weekend to go shopping for a flameproof jacket and a pair of heat-resistant trousers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BOB8hJ5RHIg/

Starbucks site slurped, Z-Wave locks clocked, mad Mac Monero mining malware and much more

Roundup While this week was dominated by news of a new Spectre variant, the VPNFilter botnet, and TalkTalk’s bad routers, plenty of other stories popped up.

Here are a handful of security happenings that you may have missed.

Wireless Z-Wave smart-locks, home IoT devices menaced

Wireless gadgets that use the Z-Wave radio protocol, such as home smart locks, can potentially be hijacked over the air by nearby miscreants, according to infosec biz Pen Test Partners.

Z-Wave’s original security class, S0, is used when a device, such as a lightbulb or lock, is included (paired) with a controller, such as a home IoT hub. S0’s weakness, documented in 2013, is that the network key is handed to the new device encrypted under a well-known all-zero temporary key, so anyone sniffing the radio at inclusion time can recover it. Today’s Z-Wave-compatible devices therefore use a stronger class called S2, which establishes the key with an authenticated Diffie-Hellman exchange.

However, Pen Test Partners said this week it has found a way to force the pairing down from S2 to S0, which would expose more than 100 million Z-Wave-compatible things to potential attack. The window is narrow but real: if you can get within radio range of a gizmo while it is in pairing mode, such as during its initial setup, you can potentially push it down to S0, capture the network key, and then commandeer it.

A video demonstrating the flaw was embedded in the original article.

Z-Wave overseers Silicon Labs said devices already paired cannot be forced down to S0 from S2, adding: “We are updating the specification to ensure that any user will not only get a warning during a downgrade to S0 but will have to acknowledge the warning and accept it to continue inclusion.”

Starbucks brews double-whip grande mocha pwnage

Researcher Martin Bajanik discovered a cross-site scripting bug on the Starbucks UK website. The now-patched bug would have allowed an attacker to inject malicious JavaScript into the browsers of people visiting the cafe chain’s online store, though Bajanik says an actual exploit would have been hard to pull off.

“The underlying issue was a simple HTML injection with extremely low, even none, security impact. Due to existing code, however, I was able to achieve arbitrary JavaScript execution under certain, fairly obscure, circumstances,” Bajanik told The Register.

“Exploitation would have been rather unlikely as the attack could only work if the potential victims had followed a malicious link created by the attacker (it was reflected XSS).”

Elsewhere, researcher Ryan Stevenson banked a $1,000 bounty after discovering in April a T-Mobile US staff server that looked up customers’ names, addresses and account numbers from their cellphone numbers, and that had been left unsecured and open to anyone who could find it. It has since been fixed.

If you’ve found any security vulnerabilities, and want to share details, please do let us know or chat to us anonymously on Ricochet at ricochet:qk724lftsymjcwlq

IRS warns beancounters over phishing scams

US tax officials are sounding an alert over a wave of spear phishing attacks targeting professional accountants.

The campaigns go after the high-value targets in tax scams: the professionals who handle dozens of personal and corporate tax filings, and so hold the data needed to file fraudulent returns in their clients’ names.

“Cybercriminals specifically targeted tax professionals in Iowa, Illinois, New Jersey and North Carolina. The IRS also received reports about a Canadian accounting association,” the IRS explained.

“The awkwardly worded phishing email states: ‘We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server’.”

Needless to say, accountants and the IT staff and admins who work with them should be on the lookout for this scam.

Comcast site spaffs Wi-Fi keys

US cable giant Comcast has confirmed reports that its Xfinity home site was leaking some customer information including Wi-Fi passwords. The bug, spotted in the customer portal, would have allowed an attacker with an account number to obtain the person’s home address, Wi-Fi network name, and password.

“There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed,” Comcast told The Register.

“We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
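The T-Mobile and Comcast items above share one bug class: a page that takes an identifier that is not a secret (a phone number, an account number) and hands back someone else’s record without checking who is asking. As an added example, not code from either company or from this article, here is that pattern in miniature with made-up records, next to a version that authenticates, authorises against the caller’s own accounts and masks the Wi-Fi key by default, and a scraper that shows what each version gives away.

```python
"""Added example (not Comcast's or T-Mobile's code): a record lookup keyed by
a guessable identifier, with and without checking who is asking. Records,
account numbers and session handling are all made up for the illustration."""
from dataclasses import dataclass

# Constructed sample data: account numbers are sequential and widely shared
# (bills, support calls), so treating them as a credential is the problem.
ACCOUNTS = {
    "100200300": {"customer": "alice", "address": "1 Example Street",
                  "ssid": "HOME-1A2B", "wifi_password": "correct horse"},
    "100200301": {"customer": "bob", "address": "2 Example Street",
                  "ssid": "HOME-3C4D", "wifi_password": "battery staple"},
}


@dataclass(frozen=True)
class Session:
    """What a logged-in user is allowed to manage (assumed shape)."""
    customer: str
    accounts: frozenset


class Forbidden(Exception):
    pass


def lookup_vulnerable(account_number):
    """The bug class in both stories: no authentication, no ownership check.
    Anyone who knows or enumerates an identifier gets the full record."""
    return ACCOUNTS.get(account_number)


def lookup_hardened(session, account_number, reveal_wifi_password=False):
    """Authenticate, then authorise against the caller's own accounts, and
    return the Wi-Fi key masked unless explicitly asked for (in a real portal,
    put that reveal behind a step-up such as re-entering the password)."""
    if session is None:
        raise Forbidden("authentication required")
    # One response for 'not yours' and 'does not exist', so the endpoint
    # cannot be used to enumerate which account numbers are live.
    if account_number not in session.accounts or account_number not in ACCOUNTS:
        raise Forbidden("no such account for this login")
    view = dict(ACCOUNTS[account_number])
    if not reveal_wifi_password:
        view["wifi_password"] = "********"
    return view


def harvest(lookup, candidates):
    """What a scraper walking a range of identifiers collects from lookup."""
    got = {}
    for ident in candidates:
        try:
            record = lookup(ident)
        except Forbidden:
            continue
        if record is not None:
            got[ident] = record
    return got


CANDIDATES = [str(n) for n in range(100200295, 100200305)]   # a guessed range

if __name__ == "__main__":
    alice = Session("alice", frozenset({"100200300"}))
    print("open endpoint:", len(harvest(lookup_vulnerable, CANDIDATES)), "records")
    print("as alice:", len(harvest(lambda a: lookup_hardened(alice, a), CANDIDATES)))
    print("unauthenticated:", len(harvest(lambda a: lookup_hardened(None, a), CANDIDATES)))
```

Two details carry most of the value: the ownership check uses the session’s own account list rather than anything supplied in the request, and “not yours” and “does not exist” produce the same response, so the hardened endpoint cannot be turned into an account-number oracle even by a logged-in attacker.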

I wish I knew how to quit you Eugene

Weeks after supposedly banning all Kaspersky Lab software from government systems, the US Department of Homeland Security is said to still be running the security vendor’s code on many of its computers. The problem is that a number of routers, firewalls, and other equipment embed Kaspersky products as part of their own security features, we’re told.

“It’s messy, and it’s going to take way longer than a year,” one official was quoted as saying. “Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”

D-Link routers leave the back door open

Stop us if you’ve heard this one before: a home router vendor has left serious security vulnerabilities wide open in its devices.

This time it’s D-Link, which has shipped a bug-riddled firmware containing no fewer than four serious remotely exploitable vulnerabilities, including data disclosure and remote code execution.

According to Kaspersky Lab, the affected routers are largely concentrated among a few ISPs in Russia, but may also be in use by customers in other parts of the world.

“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords,” says the security vendor.

“The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).”

Mac Monero malware menaces millions

Lest you thought rogue coin miners were only a problem for the Windows world (and we have no idea why you would think that), here is a new piece of Mac malware that turns your beloved Apple computer into a coin-generating machine for hackers.

Malwarebytes has an analysis of a piece of malware spotted by a number of Mac users that hijacks CPU time to run XMRig, a legitimate open-source Monero-mining tool. The firm isn’t sure how the malware is being installed, but it’s likely nothing more sophisticated than a dodgy download site.

Fortunately, all this malware seems to do is waste your CPU cycles.

“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating,” Malwarebytes explains.

Russia breaks up malware bank heist

Earlier this week, Russian security firm Group-IB announced the arrest of a 32-year-old man it believes was part of a gang behind a massive Android malware operation.

According to the group’s release, the unnamed man had used a set of Android malware packages to lift the bank account credentials of people in Russia and send them to a command server. From there, withdrawals were made from the accounts, with the same malware infections intercepting SMS notifications on the victims’ phones.

The Group-IB statement indicates the man had been acting as part of a larger operation.

“The investigation by authorities identified a member of the criminal group, who was responsible for transferring money from user accounts to attacker’s cards, a 32 year old unemployed Russian national who had previous convictions connected to arms trafficking,” Group-IB said.

“During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/prosecution continues.”

What time is it? Xenotime

Security company Dragos says it has found what it thinks is “easily the most dangerous threat activity publicly known” in an industrial-control-system threat group it tracks as “Xenotime”.

The group, according to Dragos, is highly sophisticated and works its way through both Windows systems and industrial controllers. Its ultimate target appears to be safety instrumented systems, the controllers whose whole job is to shut a plant down safely when something goes wrong. Were an intrusion to succeed, Dragos warns, it could cause serious physical danger.

Fortunately, it looks like at least one major attack by the group has already failed.

“The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly,” Dragos said.

“As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Now there’s a happy note to enjoy the long weekend on. Stay safe, people. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/26/info_security_roundup/
