This week we travel from tiny bugs through alarming language to outer space. Yep, that’s right, we end back in orbit.
And yes, in between you get articles like “How to make 10 grand in 10 minutes”, the death of the Flash Player (again) and how to run malware from your new Windows Defender command line executable.
Whether you laugh, or cry, there’s something in here just for you!
Read the article or download the podcast.
Cryptobugs Found in Numerous Google Play Store Apps
Academics from Columbia University developed a custom tool, CRYLOGGER, that analyzes Android applications for unsafe use of cryptographic code according to 26 basic cryptography rules. Those rules include avoiding the use of: broken hash functions, bad passwords, reusing passwords multiple times, HTTP URL connections or a “badly-derived” key for encryption.
The research team—comprised of Luca Piccolboni, Giuseppe Di Guglielmo, Luca P. Carloni and Simha Sethumadhavan the unleashed it on 1,780 of the most popular apps in the Play Store from 33 different categories. The team’s analysis found that hundreds of them are breaking at least one if not several—up to 18 in some cases–of these basic rules.
The top 23 rules broken were: Don’t use an unsafe pseudorandom number generator; don’t use broken hash function; and don’t use the operation mode Cipher block chaining (CBC).
“We hope that application developers will adopt it to check their applications as well as the third-party libraries that they use,” researchers wrote in their paper about their work, which will be presented next year in May 2021 at the IEEE Symposium on Security and Privacy.
The Columbia team also made their tool available on GitHub. They said they chose to dynamically analyze code—that is: while it’s being executed—for several reasons: "Though static analysis has its benefits, it can create false positives or negatives or miss some of the crypto mistakes found in code as it’s loading dynamically. Most of the recent research efforts focused on static approaches, while little has been done to bring dynamic approaches to the same level of completeness and effectiveness.”
How to make 10 grand in 10 minutes or… how a little bug in Google Maps allowed XSS Attacks
Zohar Shachar, head of application security at Wix.com, reported the flaw to Google on April 23 and was issued a $5,000 reward soon after. Google publicly disclosed the issue, declaring it “fixed” on June 7. Minutes after Shachar was notified of the patch and bounty payment award, he said he found a bypass for the Google Maps fix. That earned him another $5,000.
“Something in the boredom of this particular moment led me to overcome my initial mindset of ‘this is Google, they know how to fix an XSS’, and actually try and validate the fix. Within 10 minutes of that, I had a bypass in hand, and a few days later a double bounty in my account,” wrote Shachar in blog post Sunday breaking down the flaws for the first time publicly.
The initial vulnerability stemmed from a Google Maps function that allows users to create their own map, said Shachar. After building the map, users can export it in several formats. One of those formats is Keyhole Markup Language (KML), an XML-like format for expressing geographic annotation and visualization within 2D maps.
When the map was exported as KML, Shachar found the server response contained a CDATA tag. CDATA tags indicate that a certain portion of the document is general character data (rather than non-character data) and makes sure that the code wouldn’t be rendered by the browser. However, he found that by adding special characters, the CDATA tag can be easily “closed.”
“Specifically, by adding ‘]]>’ at the beginning of your payload (I.e. as the beginning of the ‘map name’), you can escape from the CDATA and add arbitrary XML content (which will be rendered as XML) – leading immediately to XSS,” said Shachar.
To exploit this flaw, an attacker could create a new empty map, rename it using these special characters and add an XSS payload for SVG. SVG (or Scalable Vector Graphics) is an XML-based vector image format. Then, they need to set permissions for the map to “public,” allowing everyone to access it, export it as KML and copy the download link. They can then send the download link to their victim. Once the target is persuaded to click on the link (via social engineering) the XSS attack is launched.
After Shachar reported the bug, Google said it was fixed. However, Shachar then discovered a way to bypass the patch. That’s because in order to fix the flaw, Google appeared to have added an additional CDATA tag – meaning an attacker could merely add two CDATA closing tags, said Shachar.
“I was genuinely surprised the bypass was so simple. I reported it so quickly (literally 10 minutes between checking my mailbox and reporting a bypass)!
Now you know what to do.
For US consumers hit by a security breach, you may find a little more useful information on the newly launched breachclarity(dot)com site. Enter the name of the organization that was breached (try Equifax for example) and they will provide a breakdown of the risks on the left, and on the right hand side, information as to how to protect yourself.
As always, it’s another group trying to sell you something offering a premium service that will do the work you could do, for you. But, as a learning tool, it’s a great way to ensure that you have the protections you should in place.
US: 2020 elections ransomware threat.
According to NTT Ltd.’s global threat report for September, ransomware could be deployed and lay in wait to be activated on election day, or once voting machines are activated, and could pose a significant threat to voting processes and procedures, potentially bringing voting operations to a halt.
“Election threats from ransomware, or from other types of cyber-attacks, do not come solely from foreign governments,” the report said. “A cyber or physical attack on the election infrastructure, whether election systems or processes are interconnected or not, could potentially lead to overall election system dysfunction, errors in vote count, delays in voting results and erroneous election reporting."
Think of it. The coming US elections could be the biggest lure yet for an aspiring hacker to bolster their reputation: DDoS, Malware, voter PII breach, you name it. So what are NTT’s words of advice? Keep those machines patched and updated and train and then have all staff on high alert for the inevitable attack.
"Use Alarming language!" The FBI underplayed its Democratic National Convention warning in 2016—but says it won’t again.
Andy Greenberg for Wired: On April 28, 2016, an IT tech staffer for the Democratic National Committee named Yared Tamene made a sickening discovery: A notorious Russian hacker group known as Fancy Bear had penetrated a Democratic National Convention (DNC) server “at the heart of the network,” as he would later tell the US Senate Select Committee on Intelligence. By this point the intruders already had the ability, he said, to delete, alter, or steal data from the network at will. And somehow this breach had come as a terrible surprise—despite an FBI agent’s warning to Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.
The FBI agent’s warnings had “never used alarming language,” Tamene would tell the Senate committee, and never reached higher than the DNC’s IT director, who dismissed them after a cursory search of the network for signs of foul play. That miscommunication would result in the success of the Kremlin-sponsored hack-and-leak operation that would ultimately contribute to the election of Donald Trump.
Now the FBI has developed a so-called “emergency lead notification” process that bypasses the bureau’s usual internal consultations and immediately notifies a cybersecurity-focused agent in a field office who can warn a victim, hopefully before the hackers deliver their ransomware payload. “We’re leaning forward in terms of notifying victims as soon as possible and skipping the intermediary steps.”
Perhaps they should add: “And we’re using very alarming language!”
Why You Should Stop Sending Photos On Apple iMessage
Zak Doffman: Our smartphones leak our personal information—we all know this. There’s a multi-multi-billion-dollar marketing industry tracking where we go, who we visit and what we buy. Facebook’s warning that a change in Apple’s iOS 14 would slash advertising revenue tells you just how welcome a change this will be for iPhone users when it eventually comes. Location data is at the heart of this—our sneaky little smartphones know exactly where we are and, given a chance, they’ll happily share with the world.
We now capture and share so many photos, both on social media and to our contacts by our messengers. Occasionally it might be useful to share the time and place those photos were taken, but usually not. Social media apps strip this metadata when they upload and compress your photos—downloading the images will not betray private information. But if you email or SMS your photos, then EXIF (Exchangeable Image File) metadata is also sent.
SMS and its RCS upgrade have weak security given their lack of end-to-end encryption and fragmented architectures. Lots of us use other messengers: The two most popular ones—the highly-secure WhatsApp and less-secure Facebook Messenger, both strip EXIF data when you send images. Unsurprisingly, Telegram and Signal do the same. But what about Apple’s end-to-end encrypted iMessage? Unfortunately, it’s actually not as secure as others.
But…there is a way to protect your location data within iMessage, however it’s a little clunky.
- In the primary photo app, you have a share option.
- You can select one or multiple photos and then have the “options” to remove all photo data or just location data.
- You can then share the photo(s) using any messenger or social media platforms.
This is far from ideal—most users are within iMessage when they choose to share a photo, and click through to attach the images they want to send, with no option to strip data before sending.
The problem with using the iOS photo app share tool to exclude location data is that “the change is not persisted—the location toggle is always switched on by default. If the user switches it off and shares a photo and then tries to share another photo, the user must tap on options and perform the tedious task of toggling that switch off again. This has to be done every time the user shares a photo.”
As for the option to share photos directly from iMessage, “the user gets a minimalistic view of their photos. This method does not show any warning if a photo has location info in it. It also doesn’t provide an option to remove location info from the photo. In other words, the user picks a photo and sends it to a contact without knowing that the photo has location information in its EXIF properties."
If your photo is forwarded and shared repeatedly, all that location data stays with it. Because there have been no updates in iMessage for the upcoming iOS 14 the word is to share photos via Signal or WhatsApp for the time being.
Is Microsoft Defender Antivirus Now A Windows 10 Security Risk?
Using the new -DownloadFile command-line argument, as a local user, Bleeping Computer reporters were able to use Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download the same WastedLocker ransomware sample as used against Garmin in the recent high-profile attack.
But hold on… to download a file in the first place requires access to a local user account, be that admin or a limited-user one. The malicious file can’t be downloaded to another users’ folder or to those directories the attacker had no write privileges for.
Which means that privilege escalation doesn’t appear possible here. Long exhale for all Windows users…
Digital Point Webmaster Forum Database exposes the data of 800K Users.
San Diego, California based, Digital Point calls itself the “largest webmaster community in the world,” bringing together freelancers, marketers, coders, and other creative professionals.
On the first of July 2020 the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak. According to the team, names, email addresses, internal user ID numbers, internal records and user post details were made publicly available in the open database.
The long, long, long awaited end to the Flash Player??
Microsoft and Adobe first announced the end of Flash back in July 2017, along with partners Apple, Facebook, Google, and Mozilla. While it led the charge with in-browser games and media experiences back in its heyday, over time the plug-in has become susceptible to a variety of security issues, making it a target for cyberattacks.
More secure browser technology has been made available in the meantime with the arrival of HTML5, which is capable of delivering more modern web-browsing experiences while offering better performance and tighter security for end users.
“In keeping with this plan, Microsoft is ending support for Adobe Flash Player on Microsoft Edge (both the new Microsoft Edge and Microsoft Edge Legacy) and Internet Explorer 11 at the end of 2020.”
OK then…
US Federal systems must be covered by vulnerability-disclosure policies by March 2021
The U.S. government’s cybersecurity agency CISA has issued a mandate that requires federal agencies to implement vulnerability-disclosure policies (VDPs) by March 2021. The main purpose of vulnerability-disclosure policies is to ensure that required information, other than confidential business information, is disclosed to the public and shared with relevant parties in a timely, accurate, complete, understandable, convenient and affordable manner.
"Today we issued a directive that requires federal civilian agencies in the executive branch to publish a #vulnerability disclosure policy. This will ensure people know how to report a problem if they find one. To centralize part of this effort, CISA will offer a vulnerability disclosure platform service next spring. We expect this will ease operations at agencies, diminish their reporting burden under this directive, and enhance discoverability for vulnerability reporters.”
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 2, 2020.
UK: London Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages
Last year the Charing Cross Gender Identity Clinic sent out mass emails to people using the CC function instead of the BCC function, mistakenly revealing the names and email addresses of close to 2000 people on its email list.
This year they could be looking at damages of up to UK£30K+ per person with legal firms still offering to represent those affected.
CL: BancoEstado, one of Chile’s three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend.
“Our branches will not be operational and will remain closed today,” the bank said in a
Details about the attack suggest the bank’s internal network was infected with the REvil (Sodinokibi) ransomware.
Probably through a Word document a backdoor was installed which was used to access the bank’s network and install ransomware.
Thankfully, the bank had a segregated network in place so the bank’s website, banking portal, mobile apps, and ATMs were all untouched.
Now we wait to see if BancoEstados data turns up on the REvil Ransomware leak site.
AU: Service NSW reveals 738GB of customer data was stolen during email breach
Aimee Chanthadavong: Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts.
Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, which compromised of 3.8 million documents, was stolen from the email accounts.
"The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.
"Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
“We are sorry that customers’ information was taken in this way.”
Last week, it was revealed information on thousands of New South Wales driver’s license-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open.
Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver’s licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.
UK: Newcastle University hit by cyber attack
"Our teams are working with a number of agencies to address the current issues and are taking further measures to secure the IT estate.
The nature of the problem means this will be an ongoing situation for some time and it will take several weeks to address.
Please be aware:
- Many IT services are not operating and will remain that way for the duration.
- IT services that are operating may need to be taken down without notice.
- Colleagues may lose access to their IT accounts without notice and they may not be re-enabled quickly.
- NUIT may need access to any IT system you keep or use.
- We may need to remove PCs, servers or other devices if we find out they are impacted, in order to carry out detail investigations"
Both the Information commissioner’s Office and the Police have been notified in what appears to be a ransomware attack.
Update 2020 090 08 The DoppelPaymer ransomware gang have now claimed responsibility for a digital security incident that affected Newcastle University’s network and systems.
US: Critical Infrastructure and Cyber-Physical Security
Tara Seals: As 5G accelerates the integration of Internet of Things (IoT) devices onto and into systems and previously non-integrated networks the responsibilities of CEOs are increased, especially in areas where life and death systems are incorporated.
These convergences are mainly found in critical infrastructure and clinical healthcare environments for now, but will become more widely deployed with the expansion of 5G, and as innovations in the world of smart buildings, smart cities, connected cars and autonomous vehicles, and telehealth/remote surgery continue to roll out, the Gartner noted.
In these environments, “incidents can quickly lead to physical harm to people, destruction of property or environmental disasters,” according to the firm. “Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security focus and spending currently aligning to these assets.”
Gartner also predicted that the financial impact of CPS attacks resulting in fatal casualties will reach more than $50 billion by 2023. This encompasses the costs for organizations in terms of compensation for loss-of-life, litigation, insurance, regulatory fines and reputation loss.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner, in a media statement. “In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
“Keep an eye out for any regulation that might come into force as a result of the first cyber-physical casualty,” Thielemann added.
Global: Money from bank hacks rarely gets laundered through cryptocurrencies.
Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks; the SWIFT financial organization said in a report last week.
“Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods,” said SWIFT, the organization that runs the SWIFT inter-bank messaging system used by almost all banks across the world to wire funds across borders.
These traditional methods include the use of money mules, front companies, cash businesses, and investments back into other forms of crime, such as drug trade or human trafficking. SWIFT said that incidents where hackers laundered money via cryptocurrencies have been very rare.
Space: White House publishes a cyber-security rulebook for space systems
The White House has published today a new directive detailing a list of recommendations and best practices for protecting space systems from cyber-threats and cyber-attacks.
The new rules, detailed in Space Policy Directive-5 (SPD-5), are meant to establish a cybersecurity baseline for all space-bound craft, systems, networks, and communications channels built and operated by US government agencies and commercial space entities.
According to SPD-5, many threats could be mitigated through a set of best practices, already well-established, and applied in other industry sectors.
“Effective and validated authentication or encryption” should also be used for protecting command, control, and telemetry functions from unauthorized entry.
The same command, control, and telemetry functions — used by ground operators to control spacecraft — should also come with protections against communications jamming and spoofing, US government officials said.
This implies using signal strength monitoring programs, secured transmitters and receivers, authentication, or “effective, validated, and tested encryption.”
And since we’re talking about spacecraft, where size and weight matters, cybersecurity systems and measures should also be designed not to impair missions by affecting space vehicle size, weight, mission duration, or other technical mission requirements.