STE WILLIAMS

How a QR code can fool iOS 11’s Camera app into opening evil.com rather than nice.co.uk

A security researcher based in Germany has identified a flaw in the way Apple’s iOS 11 handles QR codes in its Camera app.

Last year, with the launch of iOS 11, Apple gave its Camera app the ability to automatically recognize QR codes.

Over the weekend, Roman Mueller found that this feature has a bug that can be used to direct people to unexpected websites.

The first step involves creating a QR code from a URL, such as this one:

https://[email protected]:[email protected]/

If you then open the Camera app under iOS 11.2.6 (the most recent release) and point the device’s camera at the QR code made from that URL, it will immediately recognize the presence of a QR code, parse the embedded URL, and ask whether you want to open “facebook.com” in Safari.

A QR code that confuses Apple iOS 11.2.6

The problem is that the app will open a different website – “infosec.rm-it.de” – in Apple’s Safari browser. Hence, the potential for misuse.

Imagine someone popping codes on posters on public transit, banks, shops, cafes, and so on, that pretend to lead to a legit website, but really go to password-collecting fake sites, or malicious pages that attempt to download and run malware.

“The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does,” said Mueller in his post. “…This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.”

Technically, the example URL is problematic because the backslash character, while valid, is considered “unwise,” according to past RFCs. The recommendation is that it should be escaped or percent-encoded, which is to say represented using the characters “%5C” in place of “\”.

But El Reg created a QR code from a percent-encoded URL and got the same results.

The issue lies elsewhere, in the way Apple’s software handles the initial “@” character. It’s not clear exactly where this bug lies – because the relevant Apple code isn’t open source – but the notification display mechanism and Safari handle the URL string in a different way.

The notification system picks up the first domain in the string, “facebook.com,” while Safari detects the second.

The problem goes away if you drop the leading “@” character from the URL and create the QR code from this revised URL:

https://xxxfacebook.com:[email protected]/
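The two-parser discrepancy described above can be reproduced with a standards-following URL parser next to a naive “first thing that looks like a domain” heuristic. The following is an added example, not code from the article or from Mueller’s post, and the domains `good.example` and `evil.example` are constructed placeholders; the naive heuristic is an assumption about how a notification display might behave, not a description of Apple’s code. Python’s `urllib.parse.urlsplit` treats everything before the last “@” in the authority as userinfo, which is the behaviour browsers follow, so its `hostname` is the host that would actually be opened.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample URLs with placeholder domains (not the researcher's test URL).
SAMPLES = [
    "https://good.example:443@evil.example/",       # userinfo that looks like a host
    "https://good.example%5C@evil.example/login",   # percent-encoded variant
    "https://evil.example/path",                    # ordinary URL, no userinfo
]

# Hypothetical display heuristic: first host-looking token after the scheme.
_FIRST_HOST_LIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)


def naive_displayed_host(url: str) -> Optional[str]:
    """What a naive notification might show: the first domain-like token."""
    rest = url.split("://", 1)[-1]
    match = _FIRST_HOST_LIKE.search(rest)
    return match.group(0).lower() if match else None


def actual_host(url: str) -> Optional[str]:
    """What a standards-following parser connects to.

    urlsplit() takes everything before the last '@' of the authority as
    userinfo, so the host is whatever follows that '@'.
    """
    return urlsplit(url).hostname


def check_url(url: str) -> dict:
    """Compare displayed vs. actual host and flag userinfo in the authority."""
    parts = urlsplit(url)
    displayed = naive_displayed_host(url)
    actual = actual_host(url)
    return {
        "url": url,
        "displayed_host": displayed,
        "actual_host": actual,
        "has_userinfo": "@" in parts.netloc,
        "mismatch": displayed != actual,
    }


def safe_to_open(url: str) -> bool:
    """Defensive rule for a QR/URL handler: do not silently open a URL whose
    authority carries userinfo or whose displayed host is not the real host."""
    result = check_url(url)
    return not (result["has_userinfo"] or result["mismatch"])


if __name__ == "__main__":
    for sample in SAMPLES:
        r = check_url(sample)
        print(f"{sample}\n  shown: {r['displayed_host']}  opens: {r['actual_host']}"
              f"  safe to open: {safe_to_open(sample)}")
```

The useful defensive takeaway is the last function: a scanner or link handler should derive the host it shows the user from the same parser that will open the link, and should treat any “@” in the authority as a reason to show the full URL rather than a bare hostname.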

According to Mueller, this issue was reported to the Apple security team on December 23, 2017 and as of Monday remained unfixed.

The security risks posed by QR codes have been known for years. But the problem with the way Apple’s Camera app handles QR codes offers a reminder that opening a website when the URL is not evident isn’t a great idea.

Apple did not immediately respond to a request for comment. The release of iOS 11.3 is expected shortly, possibly on Tuesday, March 27 in conjunction with Apple’s scheduled educational announcement. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/apple_ios_camera_app_qr_codes/

Cash-machine-draining €1bn cybercrime kingpin suspect cuffed by plod

European cyber-cops have felt the collar of a bloke suspected of running a network of crims that used malware to pinch €1bn (£874.8m, $1.24bn) from cash machines and other banking systems.

The crew developed the software nasty Anunak, later updated to Carbanak, as well as cyber-weapons based on Cobalt Strike’s penetration testing toolkit. The gang lobbed this malicious code at more than 100 financial institutions around the globe from 2013 until 2016, we’re told.

The crooks are said to have kicked off their activities with the Anunak malware in 2013, which was sent in spear-phishing emails to bank employees to infect their Windows PCs when opened. Once compromised, the zombie machines were used to access the bank’s internal network and hijack ATMs.

These compromised cash machines then spat out notes at a predetermined time and location, presumably into the nondescript holdall of a gang member. Other activities of the gang included hijacking global electronic payment networks to shuffle money out of infected institutions and into the accounts of criminals.

Because it wouldn’t be a financial crime story without them, cryptocurrencies played a part in the money-laundering process: prepaid cards linked to online alt-coin wallets were used to buy flash motors and nice houses, effectively shifting the criminals’ cyber-loot, the plod claim.

The Anunak malware evolved into a nastier version known as Carbanak, which was used until 2016. The rogue programmers from then on used the Cobalt Strike penetration testing software to create tailored nasties.

On Monday, Europol made much of the international cooperation that led to the arrest in Alicante, Spain, giving credit to the FBI, police forces from Romania, Belarus, and Taiwan, and private infosec outfits, as well as its own officers.

The Register has asked Europol to comment on how much of the €1bn has been recovered. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/cybercrime_arrest_in_spain/

GCHQ’s infosec crew plans to ‘scale up’ Web Check to improve uk.gov site security

Efforts to improve the UK.gov’s secure server setup are being ramped up through an expansion of a scheme from the National Cyber Security Centre, the infosec folk at British crypto and intel agency GCHQ.

The web certificate set-up and encryption offered by UK government and agency websites can sometimes fall below best practice, as recent issues with the Driver and Vehicle Licensing Agency (DVLA) illustrate. Almost all central government websites have started to follow best practice and website security – while there’s still plenty of room for improvement – normally achieves at least a passing grade. The picture with local government websites is far less rosy, with examples of serious web security fails in Birmingham, Wigan and elsewhere thick on the ground.

The improvement of UK government website security over the last year can be chalked up to the National Cyber Security Centre’s Web Check service, according to the UK government’s lead cyber-security agency.

Web Check tests websites for security issues before reporting the findings in audits back to owners alongside advice on how to fix any problems identified. The service – available to all public sector organisations – uncovered 6,000 different issues across almost 8,000 different sites, including 2,178 certificate related issues, according to stats from the NCSC.

More than 4,000 such advisories have been produced since April 2017, leading to most issues being fixed within two days of being reported.

The NCSC said it wanted to “encourage all gov.uk domains to benefit from the easy-to-implement Web Check service”.

Dr Ian Levy, NCSC technical director, said: “We identified that resource strapped public sector organisations sometimes had security problems on their web properties so we built Web Check, a free service for public sector to help identify the most common issues and provide remediation advice.

“The plan for the coming year is to scale the service to the vast majority of public sector sites,” he added.

Independent security expert Paul Moore questioned whether the current patchy security picture can be blamed on a lack of resources.

“The lack of subsequent necessary checks *could* be blamed on a lack of resources, but the implementation failures demonstrate a lack of technical understanding which no amount of funding would resolve,” Moore told El Reg. “It appears that unless NCSC carried out their (excellent) work, the majority of the .gov portfolio would be festooned with security errors.”

Web Check users can also create a “watch list” of website URLs they manage. The service involves running a growing set of non-intrusive scans before reporting findings back to subscribers. Users can share URLs and findings with colleagues as well as annotating findings for their own future reference.

Web Check is part of Active Cyber Defence, launched last year as part of the National Cyber Security Strategy, a more comprehensive scheme that ultimately aims to thwart commodity cyber attacks.

Moore noted that although Web Check looks at the security headers of audited sites it doesn’t report on this metric back to site owners, possibly because security headers are a more complex metric than Qualys SSLLabs-style digital certificate setup and configuration checks. He described this approach as “disheartening”.
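The security-header check Moore refers to is easy to script for a site owner who wants that feedback regardless of what Web Check reports. The following is an added example, not part of the article and not NCSC’s or Web Check’s code; the header sets for `weak.example` and `strong.example` are constructed, and the list of required headers and the one-year HSTS threshold are assumptions reflecting common guidance rather than anything the article specifies.

```python
from typing import Dict, List

# Constructed sample response headers for two hypothetical sites.
SITE_HEADERS = {
    "weak.example": {
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=300",
    },
    "strong.example": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
}

# Assumed baseline: headers every audited site should send.
REQUIRED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
]
MIN_HSTS_MAX_AGE = 31536000  # one year, an assumed threshold


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one site's response headers (empty = clean)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in REQUIRED:
        if name.lower() not in present:
            findings.append(f"missing {name}")
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age < MIN_HSTS_MAX_AGE:
            findings.append(f"weak Strict-Transport-Security max-age={age} (< {MIN_HSTS_MAX_AGE})")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings


if __name__ == "__main__":
    for site, headers in SITE_HEADERS.items():
        print(site, audit_headers(headers) or "no findings")
```

In practice the header dictionary would come from a live HTTPS response; the audit function is kept separate from any network code so it can be run against captured headers or unit-tested offline.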

“Without the NCSC, the services which we all rely on would be substantially weaker and in some cases, completely unfit for purpose,” Moore said. “….There’s clearly much more work to do.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/ncsc_web_check_sitrep/

Hurrah! TLS 1.3 is here. Now to implement it and put it into software

The ink has dried, so to speak, on TLS 1.3, so it’s time for work developing software to implement the standard to begin in earnest.

As we reported last week, now that the protocol’s received the necessary consensus in the IETF, implementation “will require people to put in some effort to make it all work properly.”

Vulture South talked to one of the people involved in that implementation, Mauritian developer Loganaden Velvindron, who said the biggest change he’s seen since the Singapore IETF 100 last October is that developers no longer seem so wary of the protocol.

“What was interesting to me is that finally, open source developers are no longer saying ‘wait and see’ about TLS 1.3,” said Velvindron, who participated in the TLS 1.3 hackathon for IETF 101 in London*.

Velvindron said the hackathon’s work to build TLS 1.3 into OpenSSL was the gathering’s most important contribution, since that will have the most upstream impacts.

The OpenSSL architecture helped: it “abstracts a lot of the low-level changes [behind] the API,” he said.

His team had a bunch of other projects ready to go by the end of the hackathon: the ubiquitous wget command-line HTTP retrieval library, the Nagios-plugins set of network system monitoring packages, the Git and Mercurial version control libraries, the Eclipse Paho machine-to-machine library, and the Monit process/file monitor.

Along the way, Velvindron said, the team discovered a misconstruction in how servers construct the CLIENT HELLO that other app maintainers should watch out for.

Some applications “don’t work with 1.3 because … the CLIENT HELLO is not constructed correctly, it causes handshake failures”, he said.

Also, Velvindron told us, while the signed-off TLS 1.3 included a resolution to the “middlebox controversy”, it could take a while for that to be implemented in the field.

Middleboxes – chiefly enterprise-edge traffic inspectors and packet filters – were one of the points of contention that helped delay TLS 1.3 for four years.

The IETF decided that systems like OpenSSL should ship with “middlebox compatibility” enabled by default. In this mode, the TLS 1.3 connection looks like TLS 1.2, Velvindron said.

“Assuming that the middlebox implements TLS 1.2 correctly, then the session goes through … it looks like TLS 1.2, but it’s using TLS 1.3.”

That means that some of the worst aspects of TLS 1.2 – for example, that hackers could trick the system into reverting to an old and insecure ciphersuite – are plugged without customers having to undertake a large-scale upgrade to existing systems.

If there’s anything wrong with how the middlebox implements TLS 1.2, the connection will break and users will get a warning, and Velvindron said some middleboxes will probably need a firmware upgrade.

What’s next: DNS privacy

TLS 1.3 implementation is a long way from finished, but with the project well begun, the group behind it is branching out.

One project that’s caught their eye is the IETF’s work on DNS privacy, making sure that encrypted DNS sessions don’t leak information.

“You still need RFC 7830, DNS padding”, Velvindron told Vulture South.

That’s because even the size of an encrypted message can “leak information about the message,” he explained, “and that can make it easier for snoopers to get an idea of the kind of message going through.”

Padding under RFC 7830 makes sure the packet aligns to a particular block size.
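The mechanism is an EDNS(0) option (option code 12, “Padding”) carried in the OPT pseudo-RR, with enough zero bytes to bring the whole message up to a multiple of the chosen block size. The following is an added example, not code from the article, from hackers.mu or from any DNS project; the 128-byte block size is an assumed value for queries, and the query builder is deliberately minimal (one question, no compression). It shows that two queries for names of different lengths end up the same size on the wire once padded, which is the leak the padding closes.

```python
import struct

PADDING_OPTION_CODE = 12   # EDNS(0) "Padding" option (RFC 7830)
OPT_RR_FIXED_LEN = 11      # root name(1) + type(2) + class(2) + ttl(4) + rdlen(2)
OPTION_HEADER_LEN = 4      # option-code(2) + option-length(2)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question, no EDNS yet."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def padding_length(msg_len: int, block: int) -> int:
    """Zero bytes needed so that msg + OPT RR (carrying the option) hits a block boundary."""
    overhead = OPT_RR_FIXED_LEN + OPTION_HEADER_LEN
    return (block - (msg_len + overhead) % block) % block


def add_padding(msg: bytes, block: int = 128, udp_payload: int = 1232) -> bytes:
    """Append an OPT pseudo-RR with a Padding option; result length % block == 0."""
    if len(msg) < 12:
        raise ValueError("not a DNS message")
    pad = padding_length(len(msg), block)
    option = struct.pack("!HH", PADDING_OPTION_CODE, pad) + b"\x00" * pad
    opt_rr = (
        b"\x00"                                            # root name
        + struct.pack("!HHIH", 41, udp_payload, 0, len(option))  # type OPT, payload size, ext-rcode/version/flags, RDLEN
        + option
    )
    # ARCOUNT lives at header bytes 10..11; the OPT RR goes in the additional section.
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + opt_rr


def arcount(msg: bytes) -> int:
    """Read the additional-record count from a DNS header."""
    return struct.unpack("!H", msg[10:12])[0]


if __name__ == "__main__":
    for qname in ("example.com", "a-much-longer-hostname.example.org"):
        raw = build_query(qname)
        padded = add_padding(raw)
        print(f"{qname}: {len(raw)} bytes unpadded, {len(padded)} bytes padded")
```

Padding only helps when the transport is encrypted (DNS over TLS or HTTPS); on plain UDP it just makes the packets bigger. The block size is a policy choice: larger blocks hide more about the name length at the cost of bandwidth.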

One thing that emerged during IETF 101 is that DNS is becoming unwieldy: according to Velvindron, noted PowerDNS developer Bert Hubert asked in a presentation: “How many features can we add to this protocol before it breaks?”

Since there are 185 DNS-related RFCs, things could already be starting to creak, which is why Hubert has created the “DNS Camel” (code at GitHub), which is crawling IETF archives for DNS-related documents (the tabulation is here).

“Very few people understand all those features, they’re a very small group in the IETF”, Velvindron told Vulture South.

A result is a growing concern that developers tend to work in isolation: “We don’t test a feature with other DNS features to make sure it interpolates correctly.”

There was a consensus, he said, that this needs to change – that developers need to test their DNS features against others.

As part of that, the meeting discussed the need to bring ISPs on board, to explain which features they’re using, so developers know what’s important to test against. ®

*Other hackathon participants and hackers.mu members were Muzaffar Auhammud, Pirabarlen Cheenaramen, Nitin Mutkawoa, Codarren Velvindron, Yasir Auleear, Rahul Golam, Nigel Yong Sao Yong and Yash Paupiah.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/

Political ad campaign biz AggregateIQ exposes tools, DB logins online

AggregateIQ – a Canadian political advertising firm that played a role in the 2016 US election and the UK’s “Vote Leave” Brexit campaign – left its applications and database credentials publicly accessible, security firm Upguard said on Monday.

There’s no evidence that the exposed code or data was taken. Nor is there evidence it wasn’t. It was simply left accessible to the public for an unspecified period of time.

In a phone interview with The Register, Chris Vickery, Upguard’s director of cyber risk research, said AggregateIQ had installed a custom version of the open source GitLab software version control and collaboration system.

“For whatever reason, they configured it to allow registration of new accounts by the public,” he said.

About a week ago, on March 20, Vickery found the code repo, hosted on a GitLab subdomain of AggregateIQ.com, gitlab.aggregateiq.com.

Accessing the URL allowed him to register simply by providing an email address. After that, he was able to see the firm’s tools and data.

Calling in the Feds, although they may already know

Vickery said he informed federal authorities of his findings but declined to name the specific agency, per the agency’s request. He also said he informed AggregateIQ, and the biz shut down access 11 minutes later.

Upguard suggests the material found – apparently used to support US Senator Ted Cruz’s failed 2016 presidential campaign – raises questions about the firm’s alleged ties to Cambridge Analytica, which received $5.8 million for services rendered from the Cruz campaign.

Cambridge Analytica, a UK-based data analytics firm, stands at the center of the current Facebook privacy scandal, a consequence of the biz obtaining about 50 million Facebook profiles from a researcher who took advantage of the social media site’s former policy of letting app devs gather info on app users and all of their friends.

AggregateIQ has been linked to Cambridge Analytica in press reports; Cambridge Analytica CEO Alexander Nix (currently suspended after undercover video of him discussing his company’s tactics) has acknowledged using AggregateIQ in the past to develop software applications.

A Guardian/Observer report from May 2017 alleges that Wylie, the whistleblower who helped bring the Facebook data scandal to the fore, brought AggregateIQ and Cambridge Analytica together.

The report asserts that at one point, AggregateIQ’s address and phone number were the same as the address and phone listed for SCL Canada on Cambridge Analytica’s website.

On Saturday, AggregateIQ issued a statement to distance itself from Cambridge Analytica and its parent company SCL and to assert that it has never knowingly been involved in illegal activity.

“AggregateIQ has never been and is not a part of Cambridge Analytica or SCL,” the Canadian company said. “Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ.”

Vickery expressed skepticism about AggregateIQ’s disavowal of ties to Cambridge Analytica.

“I find it hard to believe that there would be such a non-relationship as they describe,” he said. “I’ve seen compelling evidence to the contrary.”

The clue’s in the code

Upguard says it discovered “a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads.”

The security biz also said it found various credentials, keys, hashes, usernames, and passwords to access AggregateIQ accounts, which would allow hackers who obtained the information to compromise accounts. Vickery clarified that the databases were not directly exposed.

“These are the tools used to interact with the data,” he said. “These aren’t the databases themselves.”

The credentials to access the databases through these tools were available but he said he did not use them – using someone else’s credentials to login without authorization carries a potential legal risk.

But, said Vickery, there’s mention of the Republican National Committee and a significant data store. Upguard’s post contains a screenshot of an application described as the Database of Truth that combines RNC data with state voter files, consumer data, third party data providers, and other sources of information. In theory, that database could contain information on millions of US voters.

Vickery said he is considering further posts about his findings but has yet to determine the details.

Asked whether it is aware of Upguard’s findings, a spokesperson for the Office of the Privacy Commissioner of Canada sent in the following statement:

“What we can tell you at this point is that we have been in contact with our provincial counterpart in British Columbia, which has been examining matters related to AggregateIQ and our discussions with them are ongoing. We don’t have further information to share at this time.” ®

PS: Cambridge Analytica has been accused of breaking US election laws in complaints filed to the US Federal Election Commission and Department of Justice.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/26/political_data_left_exposed/

Facebook Adds Machine Learning to Fraud Fight

Machine learning tools will assist trained human reviewers who Facebook says block millions of fake accounts at the time of registration every day.

In the giant news shadow created by Cambridge Analytica, it can be easy to forget that basic financial fraud conducted through Facebook victimizes thousands of people every year. Today, Facebook announced that it is enlisting machine learning tools to help battle the criminals.

The new tools will be largely tasked with fighting fake accounts used to commit fraud. While there are a number of techniques being used to identify fraudulent accounts, in a blog post Facebook wrote that the company looks for “instances where people are reaching out to others far beyond their typical network of connections, or in unusually large volumes, along with other behavior patterns.”

Facebook’s fight against fraud comes against a backdrop of concern about how the social media company treats customers and their data as a general matter. In a statement released today, Tom Pahl, acting director of the Federal Trade Commission’s Bureau of Consumer Protection, says in part, “… the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Machine learning tools will assist trained human reviewers who, Facebook says, block millions of fake accounts at the time of registration every day. In addition, Facebook provides users with a guide to spotting scams and fraud.

For more, read here and here.

Article source: https://www.darkreading.com/endpoint/privacy/facebook-adds-machine-learning-to-fraud-fight/d/d-id/1331367?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Leader of Cybercrime APT Behind $1.2 Billion in Bank Heists Arrested

The Carbanak group has caused more financial losses to financial institutions than any other cybercrime group since it surfaced in 2013.

In a big victory for international law enforcement, Spanish police have arrested the alleged leader of Carbanak, a cybercrime group believed responsible for stealing over $1.2 billion from more than 100 banks in 40 countries.

The question now is whether the arrest will completely stop the group — one of the most financially destructive ever — or merely disrupt its operations in the short term.

“Much like traditional organized crime, the serpent has many heads so when one is caught even at the upper echelon, there are many more eager and willing to take that person’s place,” says Brian Hussey, vice president of cyber detection and response at Trustwave.

He predicts a short pause in the group’s day-to-day operations, but not much more. “A billion-dollar hacking operation is just too lucrative to be completely reliant on a single person.” 

Europol announced the arrest of the alleged Carbanak ringleader on March 26 but did not identify the individual or the circumstances leading to the arrest. An Associated Press report quoting Spanish authorities described the individual as Ukrainian and identified only as Denis K. Three accomplices said to be from Ukraine and Russia have also been arrested in connection with the Carbanak group’s activities, the AP report noted.

In the statement, Europol described the arrests as stemming from a massive international effort involving the FBI, Europol’s European Cybercrime Centre (EC3), law enforcement in Romania, Belarus and Taiwan, and several private companies.

Also key was the role of the European Banking Federation (EBF), which for the first time actively cooperated with Europol on a specific investigation. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of EC3 said in the statement.

The Carbanak group first surfaced in August 2013 and was initially associated with Anunak, a malware campaign that targeted mostly Russian banks and payment systems. The group began testing and later using Carbanak malware a short time later, and by the end of 2014 had infiltrated over 100 financial institutions and caused nearly $1 billion in cumulative losses.  

Security vendor Kaspersky Labs was the first to warn publicly about the Carbanak group in a February 2015 report. The report described the group’s modus operandi as involving the use of phishing emails to install the Carbanak backdoor on systems belonging to targeted individuals at banks. The group then has used the malware to log keystrokes, spy on the institution’s operations in other ways, and to move laterally through the compromised network to find specific systems of interest. In some instances, the threat actors have used infected computers to actually record videos of people working at their computers as part of the information-gathering process.

Cashing Out

The group has used multiple methods to steal money. One tactic is to infect servers controlling a bank’s ATM systems and instructing the machines to dispense cash at specific locations and specific times so mules can collect the money without having to interact with the ATMs at all.

In other instances, Carbanak gang members have used the SWIFT financial services network to transfer money out of victim banks and into accounts held by the criminals. The Carbanak group has on several occasions also modified bank databases to create fake accounts and to inflate balances in existing accounts, and then transferred the money in these accounts to mules around the world.

After the Kaspersky Lab report, the group switched from using Carbanak malware to using the Cobalt Strike penetration-testing tool to launch even more devastating attacks. According to Europol, banks that the Carbanak group has targeted with Cobalt have suffered losses averaging $12.5 million.

“Carbanak is the most successful APT group in terms of stolen money,” says Sergey Golovanov, principal security researcher at Kaspersky Lab’s global research and analysis team.  One reason has been its ability to copy the tactics, techniques and procedures of state-sponsored attackers such as the use of spear-phishing, hidden persistence, and months of data exfiltration.

From a malware standpoint, there is little to separate the Carbanak group from other advanced persistent threat groups. What does set it apart is its connections with criminals worldwide, Golovanov says. These connections have been critical to the group’s ability to understand the language of documents and systems installed in target financial institutions around the world and to steal money from them.

“The law enforcement action against Carbanak showcases the idea of [the] inevitability of punishment,” Golovanov says. “We understand that the arrest of one man will not solve all cases reported to the police, but this is a step towards catching others.”

He predicts that a lot of the people associated with the Carbanak group will go offline for a while following the arrests. “Some of them will never become active again, because of the fear of being arrested.”

Ilia Kolochenko, CEO of High-Tech Bridge, is less optimistic. It is quite likely the arrests will not lead to more arrests because many cybercriminals are good at covering their identities even from each other, he says. “It’s difficult to estimate, but [it is] unlikely such arrests will make substantial improvements [from] a long term perspective,” Kolochenko says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/leader-of-cybercrime-apt-behind-$12-billion-in-bank-heists-arrested-/d/d-id/1331371?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Ransomware Attacks Endpoint Defenses

AVCrypt tries to disable anti-malware software before it can be detected and removed.

A newly discovered ransomware variant attempts to remove any anti-malware protection in place on a victim’s computer before it begins its nefarious work.

A group of researchers that includes Lawrence Abrams (of bleepingcomputer.com), MalwareHunterTeam, and Michael Gillespie discovered the malware and reported it in a post on BleepingComputer. The malware, which the group of analysts and researchers is calling AVCrypt, first tries to identify and remove a number of Windows services that are required for two specific anti-virus packages, Windows Defender and Malwarebytes, to operate successfully.

Abrams said in his post that AVCrypt seems at best incomplete because of major missing pieces. While it does contact a command and control server and encrypt files, it doesn’t actually include any ransom instructions or provisions for decryption.

In a Twitter conversation about the ransomware, several participants point out that other types of malware have been able to disable particular antivirus packages, but that this is new behavior for ransomware. It’s also noted that AVCrypt specifically targets Malwarebytes and Windows Defender. Defender is the default antivirus package from Microsoft that’s typically activated if the user decides not to install other AV software.

MalwareHunterTeam also pointed out in the Twitter exchange that AVCrypt will abort a shutdown sequence command in an attempt to prevent the user from staying safe by “pulling the plug” on a machine. The combination of behaviors could make a number of the standard processes for an emergency recovery unworkable.

While the specific ransomware variant discussed in the article is new, there are significant similarities to other malware code seen previously. In a Twitter discussion with Michael Gillespie, Microsoft’s Windows Defender Security Intelligence tweeted, “#WindowsDefenderAV blocked this #ransomware at the onset using proactive cloud-based protection. We’re seeing very limited instances of this ransomware, it does look like it’s in development. We detect this new threat as Ransom:Win32/Pactelung.A.”

It seems that the curtain has been pulled back on a very new, very immature ransomware variant before it could be released into the wild in its finished form. The delivery mechanisms for AVCrypt appear to be the standard methods seen in other ransomware, including malicious spam, drive-by URLs, and pirated software. For now, it appears that stringent applications of existing protection should protect organizations against AVCrypt.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/new-ransomware-attacks-endpoint-defenses/d/d-id/1331372?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Craigslist personals, some subreddits yanked after passage of FOSTA

Craigslist shut down its personals section on Friday in response to the passage of H.R. 1865, the Fight Online Sex Trafficking Act (FOSTA) bill, in both houses of Congress on Wednesday.

Ditto for some related subreddits. Both moves have likely been taken to avoid lawsuits in the wake of the government gutting the law that protects online sites and services from responsibility for content posted by users.

Reddit announced on Wednesday that it would ban subreddits having to do with certain transactions, including “paid services involving physical sexual contact.”

For its part, Craigslist posted this statement on Friday:

US Congress just passed HR 1865, “FOSTA”, seeking to subject websites to criminal and civil liability when third parties (users) misuse online personals unlawfully.

Any tool or service can be misused. We can’t take such risk without jeopardizing all our other services, so we are regretfully taking craigslist personals offline. Hopefully we can bring them back some day.

To the millions of spouses, partners, and couples who met through craigslist, we wish you every happiness!

Happiness? There’s a long list of people who are not happy with this bill, which makes online prostitution ads a federal crime and amends Section 230 of the Communications Decency Act (CDA). Section 230 states that websites are immune from legal responsibility for content submitted by others.

Here’s an extremely truncated list of who’s against this bill:

Constitutional law experts, including the Department of Justice (DOJ). In passing the bill, Congress ignored the DOJ’s warning that it was so poorly drafted that it would actually make it more difficult to prosecute sex traffickers. The DOJ also called into question whether the bill would pass Constitutional muster.

Notre Dame law instructor Alex F. Levy said in a guest post on Eric Goldman’s Technology & Marketing Law Blog that the bill will likely run into trouble in the courts, given that it affects constitutionally protected speech. Critics note that the bill flattens all the differences between, for example, sites that sell trafficked victims and sites devoted to support for the victims who’ve escaped their captors, as well as failing to differentiate between consensual and non-consensual sex work.

Unlike the [Campus Sexual Violence Elimination Act, or SAVE Act], which prohibits the knowing advertisement of trafficked sexual services, this statute implicates constitutionally protected speech.

The Electronic Frontier Foundation (EFF) said FOSTA is “a bill that silences online speech by forcing internet platforms to censor their users.” The EFF noted that this amendment to Section 230 is particularly worrying because…

[It’s] the most important law protecting free speech online. Section 230 protects online platforms from liability for some types of speech by their users. Without Section 230, the internet would look very different… in absence of Section 230 protections, noncommercial platforms like Wikipedia and the Internet Archive likely wouldn’t have been founded given the high level of legal risk involved with hosting third-party content.

Sex workers.

From Alana Massey, writing at Allure:

These bills* target websites that are widely and inaccurately believed to be hubs of trafficking activity when it is precisely those websites that enable people in the sex trades to do their work safely and independently, at the same time as they make it easier for authorities to find and investigate possible trafficking cases.

*Plural bills, since the Senate passed a version of FOSTA that incorporated the earlier Stop Enabling Sex Traffickers Act (SESTA, S. 1693).

Massey says that the bill will criminalize the very websites where she found “the generous communities and actionable advice I needed to get out of and avoid exploitative sex work situations.”

Though the bill is meant to target sites hosting sex work advertisements, it covers online forums where sex workers can tip each other off about dangerous clients, find emergency housing, get recommendations for service providers who are sex worker-friendly, and even enjoy an occasional meme. These are often on the same websites where advertisements are hosted.

Before you say, ‘Just get rid of the ads, then,’ know that online ads themselves are one of the greatest tools for protecting yourself as a sex worker: They make it possible to screen clients, arrange safe indoor working conditions, and establish a communication record with clients that street-based work doesn’t provide.

On the lawmaker side, those against the bill are scant:

Only two senators. Sen. Ron Wyden (D-Oregon), from the Senate floor on Wednesday, as quoted by Reason:

In the absence of Section 230, the internet as we know it would shrivel… Civic organizations protecting their right to free speech could be [ruined] by their more powerful political opponents [and] there would be an enormous chilling effect on speech in America.

Wyden said that’s why big, established online players like Facebook supported the bill: “Because it would pull up the ladder in the tech world” and keep out new companies that can’t afford to get in.

The only other senator to join Wyden in his “No” vote was Rand Paul (R-Kentucky).

So why?

With all these opponents voicing clear-eyed reasons about why the bill isn’t the way to achieve what it sets out to do, why did it sail through with a 97-2 vote?

This tweet, from Senator Dianne Feinstein, sums it up:

The passage of SESTA/FOSTA, now awaiting President Trump’s signature – he’s applauded the bill as “an important step forward” – was hailed by some anti-sex-trafficking groups and law enforcement as an important tool to fight online prostitution of teenagers.

It’s easy to see where the impulse to gut Section 230 comes from. Young women who’ve been prostituted on Backpage – an online classifieds site – have been blocked when trying to sue the website, with courts specifically citing Section 230 as protecting such sites from liability.

Section 230 is (or was, depending on how the president’s signature goes) a strong legal shield to protect websites from being held liable for what others do online, but the majority of Americans disagree with the premise. According to a 2017 report from the Pew Research Center, 79% believe that online companies and platforms should be held responsible for users’ behavior or content.

That’s borne out by a star-studded public service announcement in which comedian Amy Schumer calls Section 230 a “stupid loophole.”

Note that while some anti-sex-trafficking groups applauded SESTA/FOSTA, there were notable exceptions. As Massey noted, the nation’s largest network of anti-trafficking organizations, The Freedom Network, all but begged legislators not to mess with Section 230. To do so will lead to harm to those it seeks to help, it said.

From an open letter (PDF) The Freedom Network posted to lawmakers:

Internet sites provide a digital footprint that law enforcement can use to investigate trafficking into the sex trade, and to locate trafficking victims. When websites are shut down, the sex trade is pushed underground and sex trafficking victims are forced into even more dangerous circumstances. Street-based sex workers report significantly higher levels of victimization, including physical and sexual violence. This means that trafficking victims face even more violence, are less likely to be identified, with less evidence of their victimization.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ymFlyrYaOts/

Shodan and passwords sitting in a tree, S-H-O-W-I-N-G!

If an application offers authentication security, it’s always a good idea to turn it on if on isn’t the default setting.

Too often, however, this cardinal rule is ignored or overlooked. The latest example of this has been discovered by researcher Giovanni Collazo, who decided to take a closer look at the etcd (“et-cee-dee”) clustering credential distribution store popular in Kubernetes datacentres.

What he uncovered with almost no effort is a security void with large numbers of etcd servers exposing a range of sensitive credentials to anyone with the nous to run a search on Shodan.

All told, Collazo reports finding 2,284 etcd servers reachable on the internet, which he queried using a simple script designed to see what he could shake down.

When he stopped the query at 750MB of collected data, he’d gathered credentials from 1,485 of these servers, including 8,781 passwords, 650 Amazon AWS access keys, 23 unidentified secret keys, and 8 private API/certificate keys.

Collazo observed:

I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part.

Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data or perform a ransomware attacks. [sic]

Which is ironic because what piqued his curiosity in the first place was the similarity of etcd in its default state to the weakness that led to the January 2017 ransom attack on 27,000 MongoDB database servers.

As with MongoDB at that time, etcd’s authentication is not turned on by default, a consequence of needing to maintain backwards compatibility with older versions that were completely open.

Bad Packets researcher Troy Mursch confirmed Collazo’s discovery, publishing a MySQL password he was able to retrieve during a separate test. (The password was “1234.”)

Collazo recommends that Kubernetes/etcd admins who haven’t done so already should read up on its authentication settings as soon as possible.

It would also be a good idea, where possible, to remove servers from open internet access, he said.
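An added example, not from the article or the etcd project: a small audit of an etcd server command line that flags the out-of-the-box shape Collazo’s search turned up (a plaintext client listener on every interface) and passes a hardened one. The flag names are assumed to be etcd v3’s documented server flags; both command lines are constructed samples.

```python
"""Audit an etcd command line for the default-open exposure described above.
Added example, not from the article or the etcd project. Assumptions: the
flag names are etcd v3's documented server flags (--listen-client-urls,
--client-cert-auth, --trusted-ca-file, --cert-file, --key-file); the two
command lines at the bottom are constructed samples."""
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_flags(cmdline):
    """Map '--name=value', '--name value' and bare '--name' forms to a dict."""
    args = shlex.split(cmdline)[1:]            # drop the 'etcd' binary itself
    flags, i = {}, 0
    while i < len(args):
        if not args[i].startswith("--"):       # skip positional arguments
            i += 1
            continue
        name, sep, value = args[i][2:].partition("=")
        if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
            value, i = args[i + 1], i + 1      # '--name value' form
        elif not sep:
            value = "true"                     # bare boolean flag
        flags[name] = value
        i += 1
    return flags

def audit_etcd(cmdline):
    """Return findings for the client-facing listener; [] means nothing found.
    etcd's role-based auth (enabled at runtime with etcdctl) is not visible
    on the command line, so this covers only transport security and exposure."""
    flags = parse_flags(cmdline)
    findings = []
    # With the flag absent, etcd listens on plaintext loopback only.
    for url in flags.get("listen-client-urls", "http://localhost:2379").split(","):
        url = url.strip()
        parts = urlsplit(url)
        exposed = (parts.hostname or "") not in LOOPBACK   # 0.0.0.0, :: or a real address
        if not exposed:
            continue
        if parts.scheme != "https":
            findings.append(f"{url}: plaintext client listener on a non-loopback address")
        elif flags.get("client-cert-auth") != "true" or "trusted-ca-file" not in flags:
            findings.append(f"{url}: TLS without client certificate verification")
    return findings

# Constructed sample: the shape a Shodan search for open etcd would find.
OPEN_CMD = "etcd --name node1 --listen-client-urls http://0.0.0.0:2379"
# Constructed sample: TLS on the client port with mutual authentication required.
HARDENED_CMD = ("etcd --name node1 --listen-client-urls https://10.0.0.5:2379 "
                "--cert-file /etc/etcd/server.crt --key-file /etc/etcd/server.key "
                "--client-cert-auth --trusted-ca-file /etc/etcd/ca.crt")

if __name__ == "__main__":
    for label, cmd in (("open", OPEN_CMD), ("hardened", HARDENED_CMD)):
        print(label, audit_etcd(cmd) or "no findings")
```

Even a clean result here only means the listener itself is protected; role-based authentication still has to be enabled separately, and a host firewall or private network should keep the port off the open internet regardless.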

Perhaps there’s an assumption that nobody would be interested in this relatively obscure but important infrastructure, or if they were, that they wouldn’t find it easy to target specific vulnerable servers.

This idea needs to be put out to grass. If a server is unsecured, it is a near certainty that someone will come for it eventually.

Anyone who uses etcd should double check its security settings before they receive a visit.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UQX1NhoJnVg/