STE WILLIAMS

Microsoft Report: Cybersecurity’s Top 3 Threats Intertwine

Botnets, ransomware, and simple attack methods dominate the threat landscape and build on each other to drive effectiveness.

Cybercrime is a business, and hackers are looking for cheap strategies to maximize impact and minimize cost. Simple attack methods are one of three key themes permeating version 23 of the Microsoft Security Intelligence Report, which was released today.

This edition of the biannual report spans enterprise and consumer cloud services, drawing on the 400 billion emails, 450 billion authentications, 18+ billion webpage scans, and 1.2 billion device scans that Microsoft processes each month. The three key topics are botnets, hacker tactics, and ransomware.

Interestingly, researchers point out, these three areas overlap with one another. Ransomware (along with Trojans and backdoors) was a common form of malware distributed by the Gamarue botnet, which Microsoft helped take down in 2017. Ransomware also arrives in weaponized documents attached to phishing emails, a simple and effective form of cyberattack.

Here, we dig into each of the threats Microsoft prioritized:

Bringing Down Botnets
Microsoft’s Digital Crimes Unit (DCU) has been taking down botnets since the Conficker botnet disruption in 2008. In November 2017, it coordinated the takedown of the Gamarue botnet (also known as Andromeda), the culmination of an effort that started in December 2015.

The DCU, Windows Defender Security Intelligence teams, and ESET teamed up to analyze the botnet, researching more than 44,000 malware samples. That analysis mapped 1,214 command-and-control domains and IP addresses, 464 distinct botnets, and more than 80 associated malware families.

Its primary purpose was to distribute several prevalent forms of malware. Since 2011, Gamarue had evolved through five versions, delivering both Petya and Cerber ransomware, the Kasidet malware, the Lethic spambot, and the information-stealing malware Ursnif, Carberp, and Fareit. Like many bots, it was sold as a crime kit on the cyber underground.

The disruption redirected Gamarue-infected devices to a sinkhole; so far, infected devices from 23 million IP addresses have connected to it. The sinkhole data shows a 30% decrease in Gamarue victims around the world, but businesses should still be on guard: in January and February 2018, 26 million infected devices were still checking in.

“No harm will come to them because they’re no longer part of the criminal infrastructure, but they’re still connected,” says Johnnie Konstantas, senior director of Microsoft’s Enterprise Cybersecurity Group.

“There’s money to be made in the renting and leasing of botnets themselves,” says Konstantas. While all of Gamarue’s command-and-control servers are disconnected, “you still have a lot of infected devices out there.”

Easy, Effective Cyberattacks
It’s tough to evade increasingly capable security tools, so hackers are turning to an easier and cheaper method: tricking people. They commonly use social engineering, legitimate software features, and poorly secured cloud applications to dupe users into falling for attacks.

Office 365 Advanced Threat Protection found phishing was the top threat vector for Office 365-based threats in the second half of 2017, accounting for 53% of attacks. An attacker can spam a thousand people with a phishing campaign; only one needs to click for it to be effective. Three-quarters of phishing emails contain malicious links, Konstantas points out.

“Phishing emails are becoming a lot more sophisticated,” she says. “They’ve gone from offers that are ridiculous and too good to be true, to ones that are highly targeted.”

In brand phishing schemes, for example, an attacker disguises the email to come from a popular company (Apple, Amazon, and Dropbox are common) to convince a target to click a malicious link. More advanced phishing emails factor in users’ personal information to feign legitimacy. User impersonation techniques were low in volume but high in severity, Microsoft reports.
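Two of the tells described above can be checked mechanically before a message reaches a user: a well-known brand in the display name while the actual address sits on an unrelated domain, and a look-alike address stuffed into the display name itself (the part most mail clients show). The following Python is an added example, not code from the report or from Microsoft; the brand-to-domain map and the From: headers are constructed for the demonstration.

```python
import email.utils
import re

# Assumed brand-to-domain map for illustration only; a real deployment would
# carry the organisation's own list of protected brands and their domains.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "dropbox": {"dropbox.com"},
}


def address_domain(addr):
    """Domain part of an addr-spec, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def in_domain(dom, legit):
    """True when dom is legit or a subdomain of it."""
    return dom == legit or dom.endswith("." + legit)


def brand_impersonation(from_header):
    """Return why a From: header looks like brand impersonation, or None.

    Tell 1: the display name looks like an email address on a different
            domain than the real addr-spec (e.g. "billing@dropbox.com" <x@evil>).
    Tell 2: the display name carries a protected brand but the address is
            not on one of that brand's domains.
    """
    name, addr = email.utils.parseaddr(from_header)
    dom = address_domain(addr)
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if embedded and embedded.group(1).lower() != dom:
        return "display name shows %s but address is on %s" % (
            embedded.group(0), dom or "?")
    low = name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b%s\b" % brand, low) and not any(
                in_domain(dom, d) for d in domains):
            return "display name claims %s but address is on %s" % (
                brand, dom or "?")
    return None


# Constructed sample From: headers (not real messages).
SAMPLES = [
    "Apple Support <no-reply@apple-id-verify.example>",   # brand, wrong domain
    "Apple <noreply@email.apple.com>",                    # brand, own subdomain
    "Amazon.com <order-update@amazon.com>",               # brand, own domain
    '"billing@dropbox.com" <share@mailer.example>',       # address in display name
    "Alice Example <alice@example.org>",                  # no brand claimed
]


def flagged(headers=SAMPLES):
    """Per-header verdicts, True when the header looks like impersonation."""
    return [brand_impersonation(h) is not None for h in headers]


if __name__ == "__main__":
    for h in SAMPLES:
        print("%-50s %s" % (h, brand_impersonation(h) or "ok"))
```

The subdomain allowance (`email.apple.com`) matters: legitimate transactional mail is often sent from a brand's subdomain, so an exact-match rule would drown the analyst in false positives.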

Researchers surveyed more than 30 cloud applications and found that 79% of SaaS storage apps and 86% of SaaS collaboration apps do not encrypt data both at rest and in transit, leaving information exposed. Weak encryption could let an attacker compromise data after infecting an app; a lack of web security controls could let them execute application-layer attacks.

“You want encryption of data at rest and encryption of data in motion,” Konstantas notes. If an employee is using corporate data in an unsecured cloud app, “that is vulnerable because it’s not encrypted, and it’s in the clear and potentially accessible in an unwarranted way.”

From October through November 2017, attackers abused Microsoft Windows Dynamic Data Exchange (DDE), a legacy interprocess-communication mechanism that Office applications use to exchange data with other programs. A DDE field embedded in a document can launch another program once the user accepts a couple of innocuous-looking prompts, with no macros and no memory-corruption exploit involved. A new form of Locky ransomware was delivered this way, an instance of attackers abusing a legitimate software feature.
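Because the DDE trick lives in a field code inside the document's XML, it can be spotted on the mail gateway before Word ever opens the file. The following Python scanner is an added example, not code from the report or from Microsoft; it builds a minimal .docx in memory (a constructed stand-in, not a real sample) and looks for DDE/DDEAUTO field codes. Field codes are joined per paragraph because attackers split the keyword across several `w:instrText` runs to evade naive string matching.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(xml_bytes):
    """Yield every field code found in one WordprocessingML part.

    Complex fields spread their code over several w:instrText runs inside a
    paragraph, so the runs are concatenated per paragraph; simple fields keep
    the whole code in the w:instr attribute of w:fldSimple.
    """
    root = ET.fromstring(xml_bytes)
    for para in root.iter(W + "p"):
        runs = [t.text or "" for t in para.iter(W + "instrText")]
        if runs:
            yield "".join(runs)
        for fld in para.iter(W + "fldSimple"):
            yield fld.get(W + "instr", "")


def scan_docx(blob):
    """Return [(part name, normalised field code)] for DDE fields in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            # document body, headers and footers all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits


def build_docx(body_xml):
    """Constructed minimal .docx: only the parts this demo needs."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
           % (W[1:-1], body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder, not parsed
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Benign: a plain DATE field.
BENIGN = build_docx('<w:p><w:fldSimple w:instr=" DATE \\* MERGEFORMAT "/></w:p>')

# Malicious (constructed): DDEAUTO split across two runs, launching cmd.exe.
MALICIOUS = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DD</w:instrText></w:r>'
    r'<w:r><w:instrText>EAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')


if __name__ == "__main__":
    print("benign   :", scan_docx(BENIGN))
    print("malicious:", scan_docx(MALICIOUS))
```

The same walk over `word/*.xml` also covers headers and footers, which is where some samples hid the field; a scanner that only reads `word/document.xml` misses them.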

Raking in Ransom
Ransomware was everywhere in 2017 — in the Gamarue botnet, in phishing emails, in large-scale global attacks. The damage kicked off with WannaCry, which was soon followed by Petya/NotPetya and BadRabbit. Asia was hit with the most ransomware attacks, Microsoft says. The most common families were Win32/WannaCrypt, Win32/LockScreen, and Win32/Cerber.

“These are particularly insidious,” says Konstantas. “What was also interesting about ransomware was, you had different types with different intents.”

WannaCry, for example, was about collecting money. Petya/NotPetya was not: the "installation key" it showed victims was random data that the attackers could not map back to a decryption key, so victims' data was effectively destroyed. It was less about making money than it was about disrupting governments.

Petya had a few different propagation mechanisms built in, she continues. The vulnerabilities existed a month before the outbreak happened, highlighting the importance of system updates. Konstantas also emphasizes the importance of backups for critical systems and data.

“You never really want to pay the ransom, and in some cases, like NotPetya, the data is destroyed anyway,” she points out.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/microsoft-report-cybersecuritys-top-3-threats-intertwine/d/d-id/1331290?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft patches RDP vulnerability. Update now!

As part of its monthly Update Tuesday, Microsoft announced this week that it has released a preliminary fix for a vulnerability rated Important and present in all supported versions of Windows (basically any client or server version of Windows from 2008 onward).

The flaw affects the Credential Security Support Provider (CredSSP) protocol, which Windows' Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) use to authenticate users and delegate their credentials to the remote host.

The vulnerability, CVE-2018-0886, could allow remote code execution via a man-in-the-middle attack from a physical or Wi-Fi vantage point, in which the attacker intercepts session data, including the user's credentials, during the CredSSP authentication exchange and uses it against the target.

Although Microsoft says the bug has not yet been exploited, it could cause serious damage if left unpatched.

RDP is widely used in enterprise environments and an attacker who successfully exploits this bug could use it to gain a foothold from which to pivot and escalate. It’s also popular with small businesses who outsource their IT administration and, needless to say, an attacker with an admin account has all the aces.

Security researchers at Preempt say they discovered and disclosed this vulnerability to Microsoft last August, and Microsoft has been working since then to create the patch released this week.

Now it’s out there, it’s a race against time to make sure you aren’t an easy target for an attacker who wants to try and kick the tires on this vulnerability. Obviously, patch as soon as possible.

Windows RDP as a tempting attack vector

If you’ve ever worked in an office and run into issues with your Windows-based computer, there’s a decent chance that your IT administrator helped you from afar using RDP.

It’s been around in some form or another since Windows XP and allows an administrator to control another person’s machine, usually so they can fix issues directly and quickly. (Given that many IT staff aren’t located in the same country as the people they are trying to help, RDP is certainly a lot faster than waiting for tech help to show up at your desk.)

RDP works directly via the user interface, allowing a remote user to interact with a target computer as if they were sitting at the keyboard right in front of it.

And that’s what makes it such an appealing target for attackers.

With an RDP session, an attacker can run privilege escalation exploits and then attempt to disable protective measures, install hacking tools, attack other machines on the same network, shut down key systems like backups or SQL databases and, of course, run malware.

Attacks like this allow hackers to take their time, discover the lay of the land and even try out different types of ransomware until they find one that works.

For more information on RDP attacks, and how to harden yourself against them, read our recent article about how ransomware-spreading hackers sneak in through RDP.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/V3TR_0gREVs/

Former Equifax exec charged with stock dumping before breach disclosure

A former Equifax CIO has been charged with insider trading leading up to the 2017 breach.

The US Securities and Exchange Commission on Wednesday charged Jun Ying, former CIO of an Equifax business unit that was called on for breach remediation and next in line to be the company’s global CIO, with using confidential information to conclude that it wasn’t just Equifax customers who’d suffered a serious breach.

Rather, as the SEC’s complaint describes, Ying correctly surmised that it was Equifax itself that had sprung an enormous leak, writing this in a text message:

On the phone with [global CIO]. Sounds bad. We may be the one breached. . . . Starting to put 2 and 2 together.

Putting 2 and 2 together led to a lot more than 4, the SEC alleges: it led to Ying avoiding the loss of a good chunk of the proceeds he made from unloading what would soon become less valuable stock.

That oil leak of a breach spread out to affect 145.5 million Americans, 15.2 million Brits, and some 100,000 Canadians: victims whose personal data, including taxpayer IDs, home addresses, driver's license details (issuing state and issue or expiration dates), and more, were exposed.

Equifax’s subsequent investigation continues apace, uncovering yet more victims: Equifax came across another 2.4 million Americans who were affected, the data monger disclosed earlier this month.

The SEC alleges that before any of this became public, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, he would have lost more than $117,000 if he’d waited until after the public disclosure of the breach to sell his stocks.

The SEC’s announcement quoted Richard R. Best, Director of the SEC’s Atlanta Regional Office:

As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public. Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.

Ying is also facing parallel criminal charges from the US Attorney's Office for the Northern District of Georgia.

The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.

Will Ying be the only Equifax exec to face stock-dumping charges? As it is, three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach but before it was disclosed.

Equifax has said that those three hadn’t been informed of the breach before they sold their stock. Still, plenty of people have smelled plenty more than just one rat. It could turn out that Ying is just the first to face the music.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5XqgjnKOvBQ/

Anti-anti-virus service provider tied to huge hacks cops plea

A Russian coder who ran and franchised an anti-anti-virus service has pled guilty to one charge of conspiracy and one charge of aiding and abetting computer intrusion. The service let crooks check against dozens of brands of antivirus software to see if their malware would be detected and helped a range of malware slip through to bring about massive hacks.

Jurijs Martisevs was arrested on a trip to Latvia last April. Also arrested was fellow countryman Ruslans Bondars, who’s accused of running the service along with Martisevs and a third, unnamed, alleged co-conspirator in Virginia.

Martisevs was extradited to the US – a move that Russia claimed was tantamount to kidnapping. Bondars is still awaiting trial.

Martisevs’ service was designed to keep new malware out of the hands of anti-virus makers: unlike legitimate multi-engine scanning services, it did not share submitted files or detection results with the vendors, keeping them in the dark about new threats. The service had quite the palate: malware submitted to it included, among other types, crypters meant to hide malware from anti-virus programs, remote-access Trojans (RATs), keyloggers, and malware tool kits to create customized malicious files.

Beyond running the service for themselves, the operators franchised it, marketing it under different names and in different languages. Martisevs was the customer support contact for customers who wanted to franchise or resell the service. He sent them along to Bondars, who allegedly provided technical support.

Bondars also allegedly provided application programming interfaces (APIs) so that the service could be integrated directly into the malware kits the conspirators designed and sold. One such was the notorious Citadel toolkit, with which crooks initiated wire transfers out of victims’ bank accounts.

According to court documents, Martisevs and Bondars set up the anti-anti-virus service at least as early as 2009 and ran it until May 2017. Malware developers would submit samples, determine if they would be detected by the anti-virus programs used by their intended victims – companies and institutions – and then rinse and repeat. They’d tweak the malware to come up with new hash values, then resubmit it to see if the new version would then slip past anti-virus signatures.

According to Martisevs’ plea deal, the service enabled the creation of malware that was used in hundreds of thousands of attacks.

The victims weren’t named, but one major breach mentioned in court documents took place in 2013 and targeted the payment processing systems of a “major retail store located in the United States.” That sounds an awful lot like the huge Target breach of 2013.

The hackers submitted variations of their credit card stealing code to the service four times over the course of two weeks before finally deploying the malware on Black Friday weekend. The Target breach ultimately netted thieves some 100 million credit and debit cards. It also cost the retailer a $39 million settlement with banks and credit card firms, and $10 million paid out to consumers in a class action lawsuit.

Martisevs is looking at up to five years in prison on the conspiracy charge, a fine of $250,000, and three years of supervised release. The aiding and abetting charge is the more serious one: it has a maximum of 10 years in prison (though maximum penalties are rarely handed out), as well as the fines and supervised release.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rXtJYRLwVvw/

Firefox makes it easy to banish push notifications

The latest version of Firefox, version 59, contains a setting designed to let users control the bane of intrusive push notification requests.

In the unlikely event Firefox users have forgotten, these are the small dialogue boxes that pop up on many websites offering users three options: “always receive notifications”, “always block notifications” or “not now”.

(In Chrome, the same request is made as “Allow” or “Block”.)

There’s nothing wrong with these requests per se – they can be extremely useful when using webmail or social media – the problem is the sheer number that multiplied after Firefox version 44 embedded the W3C’s Push API two years ago.

The ability to control them was quietly buried in Firefox’s about:config panel at some point, but it can now be turned on by ticking the box marked “Block new requests asking to allow notifications”, accessed through Tools > Options > Permissions.

Once enabled, the only way to allow a push notification from a site is to allowlist it manually while bearing in mind the warning that “blocking notifications may break some website features.”

So much for notifications but what about the long-running struggle against intrusive in-page pop-ups?

The best example of this are marketing pop-ups that ask users whether they want to “subscribe to xyz’s newsletter”, which usually activate after users have been on a web page for a few minutes, and must be manually closed.

All browsers offer basic pop-up control, which in Firefox is enabled by ticking the box marked “Block pop-up windows” under Options > Permissions.

Unfortunately, this only controls pop ups that open automatically. Publishers game this system by waiting for the user to interact with the page, which makes it difficult for the pop-up blocking system to work out whether pop-ups were activated intentionally or not.

Or, to put it less politely, browser pop-up blocking works quite well except for all the important occasions when it doesn’t.

Mozilla hasn’t given up on finding a global solution to this problem and wants users to submit examples of these ads to help the company with pop-up blocking 2.0.

Mozilla’s Ehsan Akhgari:

Are you tired of seeing in-page popups like this? We’re experimenting with a popup blocker to dismiss them automatically, and we’re curating a dataset for it.

It’s not clear when this feature might turn up in Firefox, but when it does it’s a certainty publishers will look for new ways to get around it.

Two final security tweaks: as promised some weeks back, Firefox 59 also now plugs leaky referrers (aka cross-site tracking) in Private Browsing Mode, and from Firefox 62 onwards websites won’t be able to access the legacy APIs for proximity and ambient light unless you turn them on.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jo8XHHS0GQk/

YouTube conspiracy videos to get links to Wikipedia and other sources

Were the US moon landings faked? Did director Stanley Kubrick rig the astronauts up with theatrical wires in a movie studio and bounce them up and down to simulate low gravity?

We’re not going there. We’re not going to the moon, and we’re not going to try to talk anybody out of their belief that visual flashes in videos betray the wires. But YouTube is – at least, it’s getting ready to put a bit more context around such content.

Reuters reported on Tuesday that YouTube – a unit of Google’s Alphabet – is planning to slap excerpts from Wikipedia and other websites onto pages containing videos about hoaxes and conspiracy theories, such as the ones relating to moon landings.

YouTube CEO Susan Wojcicki delivered the news at the South by Southwest Conference (SXSW) in Austin, Texas, on Tuesday. She displayed a mock-up of the new feature, which will be called information cues.

Wojcicki said that the videos slated to get this treatment won’t go away. They’ll just be accompanied by additional sources:

People can still watch the videos but then they actually have access to additional information, can click off and go and see that.

The information cues won’t appear on all controversial videos. Engadget reports that at least at first, the cues – including a text box linking to a third-party source such as Wikipedia – will only appear around videos regarding conspiracies that have “significant debate.”

Here’s a statement sent out by a YouTube spokesperson:

We’re always exploring new ways to battle misinformation on YouTube. At SXSW, we announced plans to show additional information cues, including a text box linking to third-party sources around widely accepted events, like the moon landing. These features will be rolling out in the coming months, but beyond that we don’t have any additional information to share at this time.

This is only one approach out of many that major content platforms such as Google and Facebook have presented, all in response to lawmakers and media advocacy groups asking for their help to battle hoaxes and fake news.

Google did something similar in April, putting Fact Check tags, gleaned from a fact-checking community of 115 organizations, on some of its search and news results in order to add additional information.

Both Facebook and Google have tried pushing down potentially fake content in their news rankings. Facebook has also tried sticking disputed flags onto what some of us call fake news and what others call the stories that mainstream news outlets with hidden agendas want to suffocate. It subsequently mothballed the tags after admitting they hadn’t done squat to stop the spread of fake news.

As Engadget points out, YouTube not only hosts and displays videos that push extreme conspiracies. Its algorithm also suggests related videos and thereby can push the craziest content to the top of rankings, furthering its spread and giving creators incentive to churn out similar content.

A case in point was a video that accused Parkland High School shooting survivors of having been coached to play the part of “crisis actors” – a video that top-trended last month.

Will the information cues lessen such algorithm-boosted dissemination? It would be nice to think so, but a similar approach didn’t work very well for Facebook. Recent research has shown that people relish fake news. It’s so much more colorful than the plain old humdrum truth.

Good luck turning that around, YouTube.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y_5-xMUfBPQ/

MailChimp ‘working’ to stop hackers flinging malware-laced spam from accounts

Email newsletter distribution service MailChimp has promised to act on the abuse of accounts to send (frequently) malware-tainted spam.

Security experts have been complaining with increasing frustration that the problem has been going on for months. MailChimp is widely used for sending newsletters, bulletins and in some cases invoices and order confirmations.

Tainted messages sent through the MailChimp network are a particular problem because they will pass authentication checks. In addition, email providers routinely whitelist MailChimp. Taken together this means that any dodgy messages sent through the service are much more likely to reach recipients’ inboxes than might otherwise be the case.
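“Pass authentication checks” is worth unpacking. SPF and DKIM vouch for the domain that handed the message over, and for mail relayed through a bulk sender that is not necessarily the domain the recipient sees in From:. A DMARC-style alignment check closes that gap: a pass only counts when the authenticated domain is the From: domain or a subdomain of it. The following Python is an added example, not code from the article or from MailChimp; the Authentication-Results values and the sender domains are constructed samples.

```python
import email.utils
import re

# One spf=/dkim= clause of an Authentication-Results value (RFC 8601 shape,
# as a receiving MTA writes it), with the authenticated domain if present.
CLAUSE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?",
    re.IGNORECASE)


def parse_auth_results(header):
    """Yield (method, result, domain) for each spf=/dkim= clause."""
    for clause in header.split(";")[1:]:          # [0] is the authserv-id
        m = CLAUSE.search(clause)
        if m:
            # smtp.mailfrom may be a full address; keep only the domain
            dom = (m.group(3) or "").rsplit("@", 1)[-1].lower()
            yield m.group(1).lower(), m.group(2).lower(), dom


def aligned(from_header, auth_results):
    """DMARC-style relaxed alignment: some passing SPF or DKIM domain must be
    the From: domain or a subdomain of it. A pass for an unrelated domain,
    however genuine, says nothing about who is shown in From:."""
    _, addr = email.utils.parseaddr(from_header)
    from_dom = addr.rsplit("@", 1)[-1].lower()
    return any(
        result == "pass" and dom and (dom == from_dom or dom.endswith("." + from_dom))
        for _, result, dom in parse_auth_results(auth_results))


# Constructed samples; no real message or bulk-sender domain is reproduced.
LEGIT = (
    "Newsletter <news@example.org>",
    "mx.example.net; spf=pass (sender IP is 192.0.2.10) "
    "smtp.mailfrom=bounce.example.org; "
    "dkim=pass header.d=example.org header.i=@example.org")

# A hijacked account sending as a brand it does not own: SPF and DKIM both
# pass, but for the bulk sender's domains, not for apple.com.
ABUSED = (
    "Apple Support <support@apple.com>",
    "mx.example.net; spf=pass smtp.mailfrom=mail.bulksender.example; "
    "dkim=pass header.d=bulksender.example")


if __name__ == "__main__":
    for label, (frm, ar) in (("legit", LEGIT), ("abused", ABUSED)):
        print("%-7s aligned=%s" % (label, aligned(frm, ar)))
```

Whitelisting a relay's IP range or DKIM domain short-circuits exactly this check, which is why the blanket MailChimp allow-lists the article mentions turn a passing signature into a free pass.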

Crooks are hacking into MailChimp accounts to send fake invoices and malware-tainted emails, as illustrated in a blog post by UK security blog My Online Security. In one case, Red Bull Records’ MailChimp account was breached, and its subscriber database abused to send Apple-themed phishing emails.

“It is unclear how spammers managed to gain access to MailChimp’s systems; possibilities range from a vulnerable third-party plug-in that integrates into MailChimp, to a vulnerability in MailChimp itself, or customer credentials being stolen through a phishing attack,” said Martijn Grooten, editor of industry journal Virus Bulletin and sometime security researcher, in a blog post.

UK-based infosec guru Kevin Beaumont complains that the MailChimp network has been used to deliver the Gootkit banking malware for four months since December 2017.

“If @MailChimp can’t get Gootkit delivery under control by April, I’m going to advise businesses block all MailChimp email delivery, and provide instructions around how to do this in practice,” Beaumont said in a Twitter update.

In response to queries from El Reg, MailChimp acknowledged the problem and said that unspecified security initiatives would address it. In the meantime, users should lock down their accounts by applying two-factor authentication, it advised.

We are taking it very seriously that our platform is being used in this way. While we can’t comment on specific security initiatives, we can tell you that a team is working full time to investigate and address the issue as quickly as possible.

We are also working to educate impacted users around two-factor authentication and other account security measures. We expect to see an improvement soon.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/mailchimp_malware_spam/

Researchers slap SAP CRM with vuln combo for massive damage

A pair of recently patched security vulnerabilities in SAP NetWeaver Application Server Java* could have been combined to hack customer relationship management (CRM) systems.

When exploited together, the directory traversal and log injection flaws lead to information disclosure, privilege escalation and full SAP CRM system compromise. Both bugs were resolved by updates last month.

The security issues carry CVSS v3 base scores of 6.3 and 7.7 respectively, but their combined impact was much more severe, according to enterprise application security specialists ERPScan, the consultancy that uncovered the vulnerabilities.

The results of a scan by the firm released yesterday suggest that more than 500 SAP CRM systems were unpatched against the flaws and accessible via the internet.

The researchers shared details of the bugs and how they can be exploited with SAP prior to the development of patches.

  • An attacker uses the directory traversal vuln to read encrypted admin credentials from a system config file
  • They decrypt this password and log into the SAP CRM portal
  • Then the attacker uses a second directory traversal vulnerability to change the SAP log file path to the web application root path
  • Finally, using a specially crafted request, they inject malicious code into the log file and call it anonymously from a remote web server
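The chain turns on two controls the application was missing: path containment (steps 1 and 3) and log sanitisation (step 4). The following Python is an added example and is not ERPScan’s or SAP’s code; the directory layout, file names, credential file and log format are constructed stand-ins, not SAP’s real ones. It shows the vulnerable file read beside its hardened form, the same containment check reused for the log path, and a log-record sanitiser.

```python
import os
import re
import tempfile

# Constructed layout for the demo (assumption: not SAP's real structure).
ROOT = tempfile.mkdtemp(prefix="crm-demo-")
WEBROOT = os.path.join(ROOT, "webroot")   # what the app server serves
CONFDIR = os.path.join(ROOT, "config")    # where encrypted admin credentials live
LOGDIR = os.path.join(ROOT, "logs")       # where the log file is meant to stay
for d in (WEBROOT, CONFDIR, LOGDIR):
    os.makedirs(d)
with open(os.path.join(CONFDIR, "admin.properties"), "w") as f:
    f.write("admin.user=Administrator\nadmin.password=ENC(Y29uc3RydWN0ZWQ=)\n")
with open(os.path.join(WEBROOT, "index.html"), "w") as f:
    f.write("<html>ok</html>\n")


def read_under_vulnerable(base, user_path):
    """Step 1 of the chain: the request path is joined and opened as-is, so
    '../config/admin.properties' walks straight out of the web root."""
    with open(os.path.join(base, user_path)) as f:
        return f.read()


def safe_join(base, user_path):
    """Hardened: resolve symlinks and '..' first, then require the result to
    stay under base. Checking the string for '..' is not enough; symlinks and
    encoded separators bypass that, a resolved-path comparison does not."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError("path escapes %s: %r" % (base, user_path))
    return target


def read_under_hardened(base, user_path):
    with open(safe_join(base, user_path)) as f:
        return f.read()


def is_contained(base, user_path):
    """True when user_path stays under base after resolution."""
    try:
        safe_join(base, user_path)
        return True
    except PermissionError:
        return False


def set_log_path(user_path):
    """Step 3 defence: the log file may be renamed, but never moved out of
    LOGDIR, so it can never land in the served tree."""
    return safe_join(LOGDIR, user_path)


CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_record(*fields):
    """Step 4 defence: CR/LF and other control characters in request-controlled
    fields are neutralised, so one request writes exactly one flat record and
    cannot smuggle a second line or script text into the file."""
    return " ".join(CONTROL.sub("?", str(v)) for v in fields) + "\n"


if __name__ == "__main__":
    print(read_under_vulnerable(WEBROOT, "../config/admin.properties"))
    print("contained:", is_contained(WEBROOT, "../config/admin.properties"))
    print(log_record("GET", "/crm/x\r\n<%= injected %>", 200), end="")
```

Sanitising the record is defence in depth; what actually breaks step 4 is that `set_log_path` refuses any location under the web root, so even an unsanitised record is never reachable by URL.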

ERPScan’s researchers found a bug in SAP NetWeaver AS Java as far back as February 2016 but SAP was initially unable to replicate the problem. It was then wrongly classified as a duplicate of a previously reported issue, delaying the German software maker’s normally efficient remediation process.

In response to queries from El Reg, SAP confirmed that it had patched both issues last month and urged customers to apply its updates, if they hadn’t done so already. It thanked the ERPScan team for flagging up the faults.

SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed using security notes 2547431 and 2565622. Both security notes were released as part of February patch day. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.

CRM systems typically store business-critical data (such as clients’ personal information, prices, contact points), making any breach both costly and a threat to a victim’s reputation.

Details of the vulnerabilities were unveiled during a presentation by ERPScan yesterday at the Troopers security conference, an annual event with a special track focused on SAP Security. During the talk, SAP BUGS: The Phantom Security, researchers explained how hackers might be able to remotely read any file on unpatched SAP CRM without authentication.


Vahagn Vardanyan, senior security researcher of ERPScan, warned: “The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM.”

ERPScan has put together a micro-site featuring details of the vulnerabilities and an overview of the attack process.

Bootnote

* SAP NetWeaver AS Java is an application platform that forms part of SAP CRM.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/sap_crm_vulnerabilities/

(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity

While the average US security salary is $122,000, the average salary for people of color is $115,000, with men identifying as minorities making $6,000 more than minority women.

Minority cybersecurity professionals in the US hold higher academic degrees than their Caucasian counterparts, yet make less money and hold fewer managerial and leadership positions.

Such is the state of diversity in the industry today, according to a first-ever study of the topic by the (ISC)2. Minority representation is actually slightly higher in cybersecurity – 26% – than in the US workforce overall, which is 21%. But disparity in salaries and management roles for underrepresented groups remains a common theme, even for an industry that faces a shortfall of some 1.8 million unfilled security positions worldwide by 2020, according to data from Frost & Sullivan.

While the average US cybersecurity professional earns a salary of $122,000, the average salary for people of color is $115,000, the study shows. Men identifying as minorities make more than women on average: $121,000, versus $115,000 for women of color; Caucasian women make $6,000 more than women of color.

The average Caucasian male earns $124,000 on average, and most of those professionals had received a raise in the past year while their minority counterparts had not, according to the study.

Less than a quarter of minority cybersecurity professionals hold job titles of director and above, which is 7% under the overall US job average and below the number of Caucasian cybersecurity pros with such management-level titles (30%). Of those minorities in leadership roles, 62% hold Master’s degrees or higher, while just half of Caucasian cybersecurity pros do.

This disparity in salary and education reflects the hurdles and challenges minority groups and women face in the cybersecurity field: they often “educate up” to boost their resumes. “I hear from a lot of members … What happens when you get an underrepresented group – gender or ethnic – they tend to feel that they have it that much harder to maybe break, or break into that glass ceiling,” so they pursue higher educational degrees, says David Shearer, CEO of (ISC)2. “They take nothing to chance.”

Of the 9,500 US respondents in the (ISC)2 study, 9% identify as African American or black; 4% as Hispanic; 8% as Asian; 1% as American Indian, Alaskan Native/Native Hawaiian/Pacific Islander, while 4% classified their ethnicity as “other.” And 17% of minority cybersecurity professionals are female, which is higher than the overall representation of women in the industry, 14%. The study was based in part on data from (ISC)2’s larger Global Information Security Workforce Study (GISWS).

International Consortium of Minority Cybersecurity Professionals (ICMCP) president Aric Perminter, whose organization co-authored the “Innovation Through Inclusion: The Multicultural Cybersecurity Workforce report” with (ISC)2, says the disparity data reflects several issues minorities face today. Some aren’t provided the support to navigate their career paths toward senior positions, he says. “That can stem from what college or university they went to,” Perminter says, noting that if it’s not the “right schools” that offer them that access and preparation, they may face challenges.

The other issue, he says, “is unconscious bias that exists despite the different [diversity] programs that companies have stood up to fight” against that bias, which can influence a minority professional’s career advancement options.

The report points to a recent McKinsey & Co. study of 180 publicly traded companies that found diversity in leadership can help the bottom line. “The findings were startlingly consistent: for companies ranking in the top quartile of executive-board diversity, Returns on Equity were 53 percent higher, on average, than they were for those in the bottom quartile. At the same time, Earnings Before Tax and Interest margins at the most diverse companies were 14 percent higher, on average, than those of the least diverse companies,” the McKinsey study said.

Diversity advocates point to the cultural benefits of an organization with professionals from various ethnicities, backgrounds, and experiences.

Even so, discrimination still haunts many organizations. Some 32% of minorities say they have experienced discrimination at work, a number that Perminter says is likely higher for professionals not in leadership positions. The survey did not poll the types of discrimination those workers experienced.

“We … have to continue to raise awareness through reports like this. People may have hiring biases subconsciously they are not even aware of,” (ISC)2’s Shearer says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/careers-and-people/(isc)2-report-glaring-disparity-in-diversity-for-us-cybersecurity-/d/d-id/1331281?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Voice-Operated Devices, Enterprise Security & the ‘Big Truck’ Attack

The problem with having smart speakers and digital assistants in the workplace is akin to having a secure computer inside your office while its wireless keyboard is left outside for everyone to use.

Let’s welcome the new members of the cybersecurity threat landscape, ladies and gentlemen, a big round of applause for … sensors! As you undoubtedly know, the Internet of Things (IoT) is enabled by sensors, allowing smart devices to respond to their environment by registering voices, movements, temperature changes, smells, and more.

Sensors also introduce new cybersecurity challenges, not the least of which stem from voice-operated devices, smart speakers, and digital assistants such as Amazon Echo with its accompanying Alexa Voice Service (nicknamed “Alexa”). Though most voice-operated devices are considered primarily to be consumer products, they eventually will reach the corporate world (if they have not already), where they will present unique challenges when connected to corporate networks holding sensitive data.

The “Big Truck” Attack
Imagine the following scenario: Take a big truck. (Yes, an actual physical truck.) Load it with huge speakers. Set the volume to maximum. Drive around New York, Berlin, London, or any other big city. Play a recording with various dangerous voice commands for Alexa (or any other voice-activated device). Sit back and watch the world burn.

Since you can use Alexa to do many things such as write emails, access data, and operate other smart devices, the ability to control it remotely could potentially cause data leakages, disruption of processes, and data integrity problems.

The Vocal Perimeter
By this point, I assume that you have guessed one of my two main points. Up until now, restricting access to sensitive systems by using physical means was, more or less, an easy job. Our offices have walls, locks, and security guards. With voice-operated sensors, it is not always possible to limit access through traditional security measures. Think of it as having a secure computer inside your office and its wireless keyboard outside for everyone to use.

I experienced this phenomenon firsthand when I gave a television interview about Alexa and privacy some time ago. After the interview, several people called me and told me that each time I said “Alexa” on TV, their devices entered the “listening” mode. That was an “aha moment” for me. My ability to control people’s smart devices through the TV amazed me. After a while, it started happening to others as well. You might also have heard about the “dollhouse case” or the Burger King ad (which plays after a YouTube ad).

What Doesn’t Work?
Biometric authentication, for one, doesn’t solve the problem. In theory, Alexa could learn to identify authorized people’s voices and listen only to the commands they give. But while this seems like a possible solution, the opposite is actually true. To begin with, there is an inherent trade-off between usability and security. Implementing such a system means that users would have to go through an onboarding process to teach Alexa, or any other voice-enabled device, how they sound. Compared to the status quo, where Alexa works out of the box, we are talking about a serious degradation in user comfort.

Biometric identification also means false rejections: if your voice sounds different because you are sick, sleepy, or eating, Alexa will probably not accept you as an authorized user. And this is not all — there are systems available (like this example of Adobe VoCo) that, given a sample of a person saying one thing, can generate a new sample of that person’s voice saying another thing.

Haven’t We Solved this Problem?
Yes, we faced similar challenges with Wi-Fi networks in the corporate world. While these networks are also not limited by physical walls, the use of encryption and passwords proved to be a straightforward solution, separating approved from unapproved users.

It is true that we could force password usage with voice-operated devices (“Alexa, password 1337, please turn off the lights.”) But … in the cybersecurity domain, saying the password out loud is not considered to be the most secure method of authentication. Another possible solution would be changing the activation word for voice-operated devices: instead of calling Alexa “Alexa,” you would choose a unique name. This would dramatically reduce an attacker’s ability to execute the Big Truck Attack. But you would be forced to say the new name out loud every time you operate a device, preventing it from becoming a strong security measure.

While for some “home users” this risk might be acceptable, it will not pass muster on the corporate side. Worse, in many cases, it would be extremely dangerous to connect voice-operated devices (as well as other types of sensor-operated devices) to sensitive networks — and one should refrain from doing so.

Mission Not Impossible
One possible solution is taking a multidevice approach. In this scenario, several devices would be able to identify approved users simultaneously, dramatically improving security. For example, when Alexa hears a user speak, she would “ask” their smartwatch for identification confirmation. The smartwatch, being able to “hear” the user through the voice vibrations inside their body, would match Alexa’s received command with the one it just heard. If both match, this can be considered a two-step authentication.

A similar scenario can be achieved with video cameras, matching face and mouth movements to the commands Alexa hears. The camera could tell Alexa, “Yes, I know this guy. He is cool.” Still, in any case, we are facing a complicated situation that requires extensive research. Voice identification may solve some of the issues for home users, but it is still far from being suitable for highly sensitive corporate networks.


Menny Barzilay is co-founder and CEO of FortyTwo Global, Cyber Security Professional Services (Israel) and partner and co-founder of FortyTwo RD Labs (India). Additionally, he is the CTO of the Interdisciplinary Cyber Research Center at the Tel-Aviv University and the …

Article source: https://www.darkreading.com/endpoint/voice-operated-devices-enterprise-security-and-the-big-truck-attack--/a/d-id/1331261?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple