STE WILLIAMS

Facebook fires engineer accused of stalking women

Over the weekend, Jackie Stokes, a cybersecurity consultant, tweeted about having received copies of a text conversation on the dating app Tinder that allegedly depicted a current Facebook engineer bragging about using their privileged access to stalk women online:

On Monday, Stokes followed up with a screen capture of the conversation, saying that she “really, really” hoped that she was wrong about it…

…and on Tuesday, Facebook fired the engineer.

Alex Stamos, Chief Security Officer at Facebook, sent a statement to NBC News, saying that Facebook is investigating the allegations “as a matter of urgency.”

Employees who abuse Facebook restrictions about what they’re entitled to do with their access will be fired, he said:

It’s important that people’s information is kept secure and private when they use Facebook. It’s why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs – for example to fix bugs, manage customer support issues or respond to valid legal requests. Employees who abuse these controls will be fired.

NBC News uses a male pronoun in its report, so we’ll follow suit, though I didn’t see Stokes use a gender-specific pronoun in her tweet stream. She went on to say that she’d cross-referenced the engineer’s online profiles to determine that he was likely currently employed by Facebook. She also said that she herself wasn’t one of his targets.

Stokes told NBC News that she was pleased that an investigation was conducted and “an appropriate action taken to improve the trust users need to have in social media platforms to live their lives fully and enjoyably online.” Stokes:

Everyone deserves to feel safe, even on the internet.

Stokes’s original tweet had pondered what she should do about uncovering the alleged stalking. On Tuesday, Stokes sent thanks to all the Facebook employees who reached out to offer help, and to Stamos for his swift actions:

On Tuesday, during F8 – Facebook’s annual developer conference – CEO Mark Zuckerberg unveiled, ironically enough, dating features to layer over its main mobile app.

The engineer isn’t the first to face allegations of abusing access to people’s personal information. Back in 2013, a new National Security Agency (NSA) agent allegedly spent his first day on the job snooping on his ex-girlfriend.

The agency has a bit of experience with employees who spy on former, current or future love interests – known, romantically enough, as “lovints” in NSA speak. At the time, NSA inspector general Dr. George Ellard detailed 12 investigations into such “intentional and willful misuse” of spying tools by civilian and military NSA employees. Here are a few:

  • 2004: A civilian employee based overseas, upon returning to the US, checked out a foreign phone number she found in her husband’s mobile phone because she suspected her husband had been cheating. She managed to eavesdrop on her husband’s phone communications.
  • 1998 to 2003: In a case of serial snoopery, one civilian employee based overseas snooped on the telephones of nine foreign women over the course of five years. The tip-off came from another NSA employee who suspected the subject – an NSA civilian employee who was also her lover – of listening to her phone calls.
  • 2011: A subject ran her foreign-national boyfriend’s phone number through the system and came up with some material, which she reviewed. She said that she was in the habit of entering foreign national phone numbers of people she met in social settings to ensure she wasn’t “talking to ‘shady characters’”.

If the Facebook engineer did in fact pull an NSA with his own lovints, it could similarly be the tip of the iceberg. We all know, all too well, that Facebook’s got an uncomfortably deep reservoir of personal information about its billion users. As of December 2017, Facebook employed 25,105 people.

Since Stokes broke the story, several more people have come forward and told similar stories to Motherboard, anonymously:

One former Facebook worker said when they joined the company multiple people had been terminated for abusing access to user data, including for stalking exes.

Another former Facebook employee said that they know of three cases where people were fired because they mishandled data, one of which included stalking.

In this case at least, it seems that Stamos has been true to his word: “Employees who abuse these controls will be fired.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Es6e154vPdY/

Oracle Access Manager is a terrible doorman: Get patching this bug

A security vulnerability in Oracle Access Manager leaves the network authentication tool leaning more toward “access” than “manager.”

The flaw, classified as CVE-2018-2879, can be exploited by a remote attacker to bypass an Oracle Access Manager (OAM) authentication screen and, in the process, take over the account of any user or administrator on a vulnerable system.

Designed to manage remote connections to cloud and mobile apps via a single sign-on page, with multi-factor authentication, OAM is offered by Oracle as a part of the security and administration tools for its middleware and PaaS platforms.

According to researcher Wolfgang Ettlinger of SEC Consult Vulnerability Lab, a miscreant can exploit a flaw in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in as someone else. Specifically, a padding oracle attack can, ultimately, disclose an account’s authorization cookie.

An attacker able to properly game the OAM flaw would then be able to create and execute a script that generates valid login keys for any desired user, including administration accounts. From there, the attacker is able to simply write their own login credentials and take complete control over OAM.
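The padding-oracle weakness described above, as an added illustration that is not Oracle’s or SEC Consult’s code and assumes nothing about OAM’s real cookie format: a toy 16-byte Feistel block cipher (built from HMAC-SHA256 rounds so the example runs on the standard library) in CBC mode, once with the vulnerable pattern, where a padding failure gets its own answer, and once with encrypt-then-MAC and a single failure answer. The `probe_for_padding_oracle` helper is the kind of self-test a defender can point at their own endpoint to confirm whether tampered ciphertexts get distinguishable replies.

```python
import hashlib
import hmac

BLOCK = 16  # block size of the toy cipher, in bytes

def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half-block, truncated to 8 bytes
    return hmac.new(key + bytes([r]), half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = _pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def _cbc_raw_decrypt(key: bytes, data: bytes) -> bytes:
    prev, out = data[:BLOCK], b""
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(_block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def leaky_decrypt(key: bytes, data: bytes) -> str:
    """Vulnerable pattern: a padding failure gets its own answer, so whoever can
    submit tampered ciphertext learns one bit about the plaintext per query."""
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        return "malformed"
    try:
        plaintext = _unpad(_cbc_raw_decrypt(key, data))
    except ValueError:
        return "bad padding"  # the distinguishable answer that forms the oracle
    return "ok" if plaintext.startswith(b"session=") else "bad cookie"

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the whole ciphertext."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def hardened_decrypt(enc_key: bytes, mac_key: bytes, data: bytes) -> str:
    """Fixed pattern: constant-time MAC check before unpadding, one failure answer."""
    ct, tag = data[:-32], data[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if len(ct) % BLOCK or len(ct) < 2 * BLOCK or not hmac.compare_digest(tag, expected):
        return "rejected"
    try:
        plaintext = _unpad(_cbc_raw_decrypt(enc_key, ct))
    except ValueError:
        return "rejected"
    return "ok" if plaintext.startswith(b"session=") else "rejected"

def probe_for_padding_oracle(respond, message: bytes, pos: int) -> bool:
    """Defensive self-test for an endpoint: resubmit `message` with byte `pos`
    set to every other value and report whether the answers differ."""
    answers = set()
    for guess in range(256):
        if guess != message[pos]:
            answers.add(respond(message[:pos] + bytes([guess]) + message[pos + 1:]))
    return len(answers) > 1
```

Run against the leaky endpoint the probe reports distinguishable answers (“bad padding” versus “bad cookie”); against the hardened one every tampered message is simply “rejected”.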

“An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts,” Ettlinger explains.

“This security vulnerability completely breaks the main functionality of the OAM product.”

Fortunately, there is already a solution in place. Ettlinger said his company contacted Oracle about the flaw and the enterprise software giant was able to slip a fix for the vulnerability into its April security updates.

As Oracle’s patch is the only known way to address the flaw, it is recommended that administrators make sure they have that update applied. Versions 11.1.2.3.0 and 12.2.1.3.0 and earlier are still vulnerable. Even so, Ettlinger notes, the fact that this flaw was present at all is not a very good sign.

“Since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security,” Ettlinger notes.

“Given the central position in an organization’s security infrastructure, we recommend Oracle’s customers either conduct a full audit of the component or request the results of such audits from Oracle.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/03/oracle_access_manager_vulnerability/

Quit WebEx now if you want to live! (Bad bugs, not killer slideware)

It’s time for Cisco’s Midweek Misery, netadmins, with four critical vulns to patch and a slew of others to look over if you have time.

WebEx has two nasties, CVE-2018-0112 and CVE-2018-0264.

CVE-2018-0112 is a remote code execution (RCE) vulnerability in two clients (the WebEx Business Suite client and WebEx Meetings), and the WebEx Meetings Server.

It’s an input validation slip-up that means an attacker can share a malicious Flash file (extension .swf) within WebEx and execute code on a victim’s machine. If you can’t patch with a new version, Cisco’s advisory links to WebEx removal instructions.

The other bug, CVE-2018-0264, is in WebEx Network Recording Player for Advanced Recording Format (ARF), and is also an RCE vulnerability. Again, it’s exploited with a malicious file – this time, the ARF format that records meetings – and if the victim is persuaded to click the link, they’re pwned.

The Cisco Secure Access Control System has a message validation vulnerability (CVE-2018-0253) that leads to, you guessed it, RCE. Its Action Message Format (AMF) protocol can let a malicious message containing attack code through, letting an attacker execute arbitrary commands on the ACS device.

In the final critical vulnerability this week, CVE-2018-0258, the Cisco Prime File Upload servlet has a path traversal bug.

An attacker can upload files to any directory of a vulnerable device, and then execute those files.

Cisco also disclosed five vulnerabilities rated “High”, in its wireless LAN controllers (here and here), Meeting Server (not the WebEx server), two in various Aironet products (here and here), and one in IOS, IOS XE, and IOS XR. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/03/cisco_patches_may_2/

Scammers use Google Maps to skirt link-shortener crackdown

Scam sites have been abusing a little-known feature on Google Maps to redirect users to dodgy websites.

This according to security company Sophos, who says a number of shady pages are being peddled to users via obfuscated Maps links.

According to Sophos, scammers are using the Maps API as a de facto link-shortening service, hiding their pages as redirects within Maps links.

The reason for this is Google’s recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages.


“Of course Google doesn’t stand for iffy links,” Sophos says, “so spammy Goo.gl URLs are almost as easy to report as they are to create.”

Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow.

The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps there’s no reporting structure in place to get the scammers shut down and the scammers don’t have to use a Google-owned interface or API to do it.

This isn’t the first time Google’s URL-managers have been found to be open for abuse. In 2016, researchers disclosed that flaws in Goo.gl, among other link-shorteners, could be exploited to track users and harvest personal information. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/01/google_maps_url/

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin

LoJack for Laptops, a software tool designed to rat on computer thieves, appears to be serving a double purpose – by seemingly working with a Russian state-sponsored hacking team.

The application allows administrators to remotely lock and locate, and remove files from, stolen personal computers. It’s primarily aimed at corporate IT types who want to protect stuff that gets nicked, but anyone can use it, and it is installed by default on various notebooks.

Just recently, several LoJack executables were found to be unexpectedly communicating with servers that are suspected to be under the control of Fancy Bear, a hacking group associated with Russia’s GRU military intelligence agency.

In a report published on Tuesday, security researchers at Netscout’s Arbor Networks said they have found five LoJack agents (rpcnetp.exe) that point to four suspicious command-and-control domains, three of which have been associated with Fancy Bear in the past. It is feared someone has secretly backdoored certain copies of LoJack so that it acts as remote-controlled spyware for the Kremlin.

“Our analysis has revealed a small number of modified agents,” said Hardik Modi, director of Arbor’s Security Engineering Response Team (ASERT), in an email to The Register. “This is consistent with a targeted operation. We’re cooperating with numerous parties on this matter.”


The finding is troubling because LoJack’s software, in its anti-theft capacity, is designed to operate discreetly and to remain on systems where it has been installed even after hard drive replacement and system re-imaging.

The low-level access enjoyed by security applications, and the high-level of trust afforded to them, make programs like LoJack appealing targets for subversion.

ASERT observes that many anti-virus vendors mark LoJack executables as “not-a-virus” or “Risk Tool” rather than flagging them as potential malware. Russian state-backed hackers allegedly used Kaspersky Lab’s security software for similar ends.

Though designed to protect laptops from theft, LoJack implements only minimal security to safeguard its own data.

“The LoJack agent protects the hardcoded [command-and-control] URL using a single byte XOR key; however, according to researchers it blindly trusts the configuration content,” the report says. “Once an attacker properly modifies this value then the double-agent is ready to go.”

This weakness was raised in security research presented at the Black Hat conference in 2014.

At the time, researchers Vitaliy Kamlyuk, Sergey Belov and Anibal Sacco said that it would be easy to alter the registry configuration block, where the command-and-control URL is stored, to make the software communicate with a malicious domain.
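Because a single-byte XOR is reversible by trying all 256 keys, a defender can recover the command-and-control URL from an agent’s configuration block and compare its host against the expected vendor domain. The following is an added check, not Absolute’s, ASERT’s or the 2014 researchers’ code; the config-block layout in `build_blob` and the host names are constructed for the example, since the page does not document the real format.

```python
import re
from urllib.parse import urlparse

# A URL as it appears once correctly de-obfuscated: scheme, host, optional port,
# optional printable-ASCII path. The match stops at NUL or any non-printable byte.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both obfuscates and recovers."""
    return bytes(b ^ key for b in data)


def recover_urls(blob: bytes):
    """Try all 256 keys and return (key, url) for every decoding that contains a URL.
    Key 0 covers a configuration that was never obfuscated at all."""
    found = []
    for key in range(256):
        for m in URL_RE.finditer(xor_bytes(blob, key)):
            found.append((key, m.group().decode("ascii")))
    return found


def check_config(blob: bytes, allowed_hosts):
    """Integrity verdict for an agent config block: 'clean' if every recovered
    URL points at an allowed host, 'suspicious' with the offending (key, url)
    pairs otherwise, 'no-url' if nothing decodes to a URL under any key."""
    urls = recover_urls(blob)
    if not urls:
        return "no-url", []
    bad = [(k, u) for k, u in urls if urlparse(u).hostname not in allowed_hosts]
    return ("suspicious" if bad else "clean"), bad


def build_blob(url: bytes, key: int) -> bytes:
    """Constructed stand-in for a config block (layout assumed, not LoJack's real
    format): filler, the NUL-terminated URL, filler, all XORed with one key."""
    filler = b"\x00" * 8
    return xor_bytes(filler + url + b"\x00" + filler, key)
```

The same routine can be pointed at a dumped registry configuration block from a live agent; a decoded host outside the allow-list is the signal the report describes.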

ASERT said while it wasn’t sure about the initial attack vector, Fancy Bear in the past has used phishing messages to deliver malware.

In a statement emailed to The Register, a spokesperson for Absolute Software said the company was aware of the Arbor Networks report.

“We have spoken to Arbor regarding the claims in this report and are investigating this matter internally,” a company spokesperson said. “At this time, we do not believe that this has impacted any customers or partners, but are taking every precaution to ensure any concerns are promptly addressed.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/02/lojack_fancy_bear_allegation/

Ransomware Attacks Jumped 400% Worldwide in 2017

WannaCry led the pack all year, new F-Secure report says.

WannaCry helped boost the volume of ransomware attacks in 2017 dramatically, representing 90% of all ransomware detection reports. Overall, ransomware attacks increased by 400% from 2016, new data from F-Secure shows.

The number of new ransomware variants also spiked by 62%, with 343, and aside from WannaCry, Locky, Mole, Cerber, and CryptoLocker were the most commonly used ransomware families. But according to F-Secure, the overall use of ransomware declined in the second half of 2017. 

“The last couple of years saw cybercriminals developing lots of new kinds of ransomware, but that activity tapered off after last summer. So it looks like the ransomware gold rush mentality is over, but we already see hard core extortionists continuing to use ransomware, particularly against organizations because WannaCry showed everyone how vulnerable companies are,” says F-Secure Security Advisor Sean Sullivan. Cryptomining also took hold, he says.

Read more here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/privacy/ransomware-attacks-jumped-400--worldwide-in-2017/d/d-id/1331701?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Survey Shows Sensitive Data Goes Astray in Email

Many employees have trouble controlling the release of sensitive information in email.

Nearly half (45%) of employees have accidentally included banking information in email sent to an unintended recipient outside the organization, a new study found.

The Clearswift survey of 600 senior business decision makers and 1,200 employees across the UK, US, Germany, and Australia, shows that more than a quarter of users have been on the receiving end of mis-addressed sensitive information, indicating that the flow of poorly managed private information goes in both directions.

Upon receiving unintended information, 31% of employees say that they would read the email, with 12% admitting they would scroll through to read the entire email chain. Once read, only 27% would delete the email from their inboxes.

Only 45% of employees were familiar with any formal process or course of action for receiving an email from someone in another company in which they were not the intended recipient. Add that to the 22% who admitted that there is no formal process in place at all for such situations, and you have an environment in which an enormous opportunity exists for sensitive information to end up (and stay) in the wrong hands.

Read more here.


Article source: https://www.darkreading.com/application-security/survey-shows-sensitive-data-goes-astray-in-email/d/d-id/1331700?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Volkswagen and Audi car infotainment systems hacked remotely

It may have escaped the notice of prospective buyers, but cars have recently become a bit of a target for security researchers.

The latest example of this challenge sport has arrived from researchers at Dutch pen-testers Computest, who decided to see what security woes they could uncover in two 2015 models, the Volkswagen Golf GTE and an Audi A3 Sportback e-tron, both made by Volkswagen Audi Group (VAG).

True to their hunch, with a bit of hunting they eventually found a way into both cars through an insecure software service exposed by the Wi-Fi interface used by the car’s Harman In-Vehicle Infotainment (IVI) system.

Having burrowed in via Wi-Fi, the researchers had a platform from which to hunt for further vulnerable components elsewhere in the car. After some effort they found a path to the IVI’s Controller Area Network (CAN) bus.

This meant that:

Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history.

And:

There is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.

The car uses a different, high-speed CAN bus for vehicle-critical communication such as steering, door unlocking, park assist, and – yes – braking.

That high-speed CAN bus is precisely one component away from the compromised IVI CAN bus: the two are separated by a CAN bus gateway that acts as a firewall between the two.

It’s here that the researchers stopped.

…we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law.

…the current attack vector poses no direct threat to driver safety. However, if an exploitable vulnerability in the gateway were to be found, the impact would significantly increase.

So, the researchers stopped themselves from attempting to bridge the gap to the cars’ most critical systems having removed most, but not all, of the barriers between it and the outside world.

The researchers reported their findings to VAG, which seems to have taken the issue seriously enough to invite them to come to its HQ in Germany to explain them.

The company later said it had patched the flaws that allowed access, although of course that would only fix new cars made from the point that firmware image became available.

Standing back, the research is telling us the car industry isn’t so different from many of the other sectors adding products to the internet of things (IoT).

First, there is not usually an over-the-air updating mechanism. The only way to fix a serious problem is to ask every car owner to visit the dealer for a service update, a hugely expensive and time-consuming task.

Then there’s the question of how well tested these systems are against hacking in the first place – the fact two pen testers were able to get inside the infotainment system suggests that all is not as it might be on that score. The same applies to the lack of any agreed system through which car makers tell owners about potential security issues in vehicle software.

The biggest weakness of all is simply that few car makers seem to have any responsible disclosure process for researchers to tell them about problems.

Note the researchers, ominously:

Ethical hackers should not be threatened but encouraged to disclose findings to the manufacturer.

This is a blind spot that it’s within the wit of car makers to fix, perhaps through the kind of managed bug bounty programme used routinely by big software companies.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yaS4GgrZ8ns/

Medical devices vulnerable to KRACK Wi-Fi attacks

Medical devices from Becton, Dickinson and Company (BD) that rely on Wi-Fi networks encrypted by Wi-Fi Protected Access II (WPA2) encryption are vulnerable to the KRACK Wi-Fi attacks, the company said in a security advisory.

The advisory is an update of one first issued when KRACK appeared in October 2017.

BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as a computer, phone, Wi-Fi base stations, and other gear, even if the data is encrypted.

BD is far from the only healthcare devices maker, or device maker in any industry, with vulnerable products. But with BD and other medical device makers, that means devices used to monitor and treat patients, including, for example, anesthesia systems.

The security bulletin provides a list of vulnerable devices, including medical supply and management systems such as the BD Alaris Gateway Workstation, Pyxis Anesthesia ES, Anesthesia System 4000, MedStation ES, and Parx handheld, among others.

KRACK isn’t just one bug. It’s a collection of similar bugs, called the KRACK Attacks, that were discovered in October 2017, triggering breathless, apocalyptic warnings about the end of Wi-Fi as we know it.

In the event, the world did what it normally ends up doing in the face of whatever this month’s cyberapocalypse is: it patched what it could and moved on.

KRACK – which stands for Key Reinstallation Attack – works by exploiting a flaw in WPA and WPA2 protocol encryption, which these days covers most wireless access points where encryption has been turned on.

BD said that as far as medical devices go, nobody’s yet reported a successful malicious exploit of the vulnerability. The company said that a successful attack would in fact be tough to pull off, given that it would have to come from nearby and would take some skill:

KRACK can be exploited from an adjacent network. The attack complexity is high as it requires proximity to an affected Wi-Fi access point and significant technical skills.

Be that as it may, an attack would require no privileges, nor any direct user interaction. If the vulnerability were to be successfully exploited, BD said that attackers could change patient records and/or steal data, as well as inflict “major IT disruptions.”

To avoid that grim outcome, healthcare facilities’ IT departments and the vendors on which BD depends are going to have to take action, it said.

What action? Patch what you can and move on of course.

The company says it’s implemented third-party vendor patches through its routine patching process and gave a list of vulnerable products that have already been patched. It’s currently contacting more vendors to schedule more patches.

What spooked people about KRACK was its scale – the bugs affected the Wi-Fi encryption used to secure most of the world’s wireless networks and countless devices and systems that use WPA were vulnerable.

Fortunately, and as you might expect, patches were forthcoming: Apple was fast out of the gate with a patch to keep (some) iPhone users from being exploited, as we reported in early November 2017… Ditto for Aruba, Cisco and Intel, among others.

In December, Apple also threw the security blanket around iOS 11.2, which meant KRACK patches for the devices that were left out in the cold the first time around.

BD recommends that users of its products also take these steps to reduce the risk of KRACK attacks:

  • Make sure your Wi-Fi access points have the latest recommended updates.
  • Use physical controls to prevent attackers getting in range of affected Wi-Fi devices.
  • Back up data and implement appropriate disaster recovery procedures.

The rest of us can use KRACK as a reminder that no matter what this month’s cyberapocalypse is, defence in depth is the best strategy. With that in mind, the advice our own Paul Ducklin put forward when the KRACKs first appeared is worth another look:

  • Apply KRACK patches for your clients (and access points) as soon as they are available.
  • Treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
  • Use HTTPS wherever websites allow it so your web browsing is encrypted.
  • Consider using a VPN, so that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M6-pJ4S48RY/

What’s so special about the SamSam ransomware? [VIDEO]

Last week, SophosLabs published a technical paper about ransomware called SamSam that has been setting a new trend in how ransomware attacks unfold.

The SamSam criminals are targeting fewer victims, but aiming for much greater disruption each time an attack succeeds – so the crooks end up with a bigger hold over you, and can set about squeezing you for a bigger payment.

The typical SamSam recovery price seems to be an eye-watering $45,000 – we don’t know how the bad guys hit on that number, but we’ve guessed it’s to get the price as high as they dare without asking for so much that the payment needs a board meeting to get company approval.

We went on Facebook Live to give you advice on what to do:



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z1x1SWvAEOk/