Hostingu Czechia od firmy ZONER unikly přihlašovací údaje zákazníků
22.11.2017 Lupa.cz Incidenty
Brněnský hosting Czechia.com, který patří pod firmu ZONER, oznámil únik dat svých zákazníků. Šlo o přihlašovací údaje k e-mailovým schránkám a webhostingovým službám. Jak velké části klientů se problém týkal, firma zatím nezveřejnila. Únik se týká i slovenské hostingovky Slovaknet, která také patří pod ZONER. Případ vyšetřuje policie.

Podle vyjádření firmy únik zřejmě souvisí s pokusem zaměstnance jednoho ze zákazníků o průnik na backend hostingu:

Koncem roku 2013 jsme zjistili podezřelou aktivitu na dedikovaném serveru jednoho z našich zákazníků. Na základě provedené analýzy jsme konstatovali pokus o útok na náš backend zaměstnancem daného zákazníka, ale neměli jsme žádné indicie nebo důkazy o tom, že by se udál závažný bezpečnostní incident a došlo k ukradení jakýchkoliv dat. … V letošním roce jsme zjistili, že bezpečnostní incident související s podezřelou aktivitou na zákaznickém serveru znamenal únik dat (v podobě, která neumožňuje jejich přímé zneužití). Okamžitě jsme Policii ČR podali trestní oznámení a bylo zahájeno vyšetřování. Současně Policie ČR učinila opatření vedoucí k ochraně zcizených dat a zamezila dalšímu přístupu k nim.

V uniklých datech podle firmy nebyly žádné osobní údaje a uniklá hesla byla zahashována algoritmem SHA-1. Podle firmy to znamená, že je nejde jednoduše prolomit, což je ale přinejmenším hodně optimistické tvrzení (o relativní snadnosti prolamování zahashovaných hesel podrobněji čtěte v Jak jsem crackoval hesla z úniku Mall.cz bezpečnostního experta Michala Špačka).

„Nezaznamenali jsme masové pokusy o zneužití uniklých dat,“ tvrdí ZONER. Údaje ze seznamu uniklých dat podle firmy momentálně stále používá asi 7 % zákaznických účtů. Firma podle svých slov dotyčné zákazníky kontaktuje a pomáhá jim údaje změnit.

Firmě jsme poslali řadu doplňujících dotazů, do textu je doplníme, jakmile dostaneme odpovědi.

Uber tajil masivní únik 57 milionů záznamů. Hackerům zaplatil za mlčení
22.11.2017 Živě.cz Incidenty
Bývalý šéf Uberu chtěl ututlat závažný únik dat. Bál se poškození pověsti Uberu a zabezpečení jeho služeb. Nyní se případ provalil. Před rokem hackeři ze serverů Uberu odcizili údaje o 57 milionech zákazníků a o 600 tisících řidičů Uberu.Vnik do databáze byl možný kvůli chybě administrátorů, kteří přístupové údaje omylem zveřejnili na GitHubuBývalé vedení dvěma hackerům zaplatilo 100 tisíc dolarů za mlčenlivost a smazání získaných dat. Nový šéf Uberu Dara Khosrowshahi útok oznámil. Omluvil se a ujistil zákazníky i řidiče, že podle analýz nedošlo k žádnému zneužití uniklých dat.
Společnost Uber, která provozuje stejnojmennou platformu pro sdílení jízd, se stala v roce 2016 terčem kybernetických útočníků. Ze serverů odcizili údaje o 57 milionech zákazníků a o 600 tisících řidičů Uberu. Předchozí výkonný ředitel však celý incident utajil a informace vyplavaly na povrch až nyní. Upozornil na to CNet.

Nový šéf Uberu Dara Khosrowshahi včera vydal prohlášení, ve kterém uvedl, že firma zaznamenala neoprávněný vstup do systému v listopadu 2016. Podle výsledků vyšetřování začaly útoky už o měsíc dříve.

Hackeři za tento čas stihli získat databázi obsahující 57 milionů záznamů o zákaznících, mezi nimiž figurují jména, e-mailové adresy a telefonní čísla. Kromě toho uniklo i 600 tisíc čísel řidičských průkazů patřících řidičům ze Spojených států.

Ostatní informace, jakými jsou například historie polohy, čísla platebních karet a bankovních účtů, data narození či čísla sociálního zabezpečení, prý zločinci nezískali.

Přístupové údaje na GitHubu
Khosrowshahi navíc přiblížil i to, jak k útokům došlo. Podle jeho slov nebyla zneužita žádná bezpečnostní slabina v podnikovém systému, ani v infrastruktuře. Problémem bylo pravděpodobně selhání jednotlivce, který neúmyslně uložil administrátorská data do cloudové služby třetí strany.

Bezpečnostní společnost Sophos byla konkrétnější a na svém webu uvedla , že vývojáři Uberu vložili na GitHub spolu se zdrojovými kódy i přístupové pověření k serverům. Hackeři to zřejmě zjistili, a tak využili příležitosti. Server byl spuštěn v cloudové službě Amazon Web Services (AWS), na kterém se nacházely databáze s osobními údaji.

Útočníci si vydělali
Podobný typ úniku uživatelských dat není v současnosti ničím neobvyklým. Tento se však liší v tom, jak se tehdejší vedení Uberu k bezpečnostnímu incidentu postavilo. Útok se snažilo utajit a dvojici hackerů zaplatili 100 tisíc amerických dolarů za to, že odcizenou databázi odstraní. Firma následně sepsala s útočníky dohodu o utajení a celý incident byl zamaskovaný jako součást programu Bug Bounty (vyplácení odměn za nalezení chyb).

V souvislosti s uvedenou kauzou bylo propuštěno i několik zaměstnanců, kteří na ní měli největší podíl. Konkrétně má jít o ředitele počítačové bezpečnosti, jeho zástupce a právníka.

Uber ujišťuje všechny uživatele a řidičů, že aktuálně neexistuje žádný důkaz o zneužití uniklých dat. Přesto byli řidiči zapojeni do programu, který je má ochránit před úvěrovými podvody a před odcizením identity.

After Getting Hacked, Uber Paid Hackers $100,000 to Keep Data Breach Secret
22.11.2017 thehackernews Incindent

Uber is in headlines once again—this time for concealing last year's data breach that exposed personal data of 57 million customers and drivers.
On Tuesday, Uber announced that the company suffered a massive data breach in October 2016 that exposed names, e-mail addresses and phone numbers of 57 million Uber riders and drivers along with driver license numbers of around 600,000 drivers.
However, instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data in exchange for keeping the incident secret and deleting the information, according to a report published by Bloomberg.
Uber said none of its own systems were breached, rather two individuals outside the company inappropriately accessed and downloaded 57 million Uber riders' and drivers' data that was stored on a third-party cloud-based service.
The cyberattack exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.
However, the company said other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.
Uber Hid 57 Million User Data Breach For Over a Year
According to Bloomberg report, former Uber CEO Travis Kalanick learned of the cyber attack in November 2016, when the company was negotiating with the Federal Trade Commission (FTC) on a privacy settlement.
So, the company chose to pay the two hackers $100,000 to delete the stolen information and keep quiet about the incident and finally agreed to the FTC settlement three months ago, without admitting any wrongdoing.
Uber Technologies Inc. only told the FTC about the October 2016 data incident on Tuesday, when the breach was made public by Bloomberg.
However, this secret payment eventually cost Uber security executives their jobs for handling the incident.
Now Uber CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the attack quiet.
"None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Uber is notifying regulatory authorities and offering affected drivers free credit monitoring and identity theft protection.
The company also says that it is monitoring the affected accounts for fraudulent activity and that riders do not need to take any action against this incident. It's likely that Uber will be forcing its customers to reset their passwords for its app.

ProtonMail Launches Encrypted Contacts Manager
22.11.2017 securityweek  Safety
Swiss-based encrypted email services provider ProtonMail announced on Tuesday the launch of a new tool designed to help users securely manage their contacts.

According to the vendor, the new ProtonMail contacts manager has been in development for more than a year and it adds powerful functionality for managing the address book.

What makes ProtonMail Contacts highly secure is the fact that it uses zero-access encryption. This means contact information is encrypted and it can only be decrypted by the user – not even ProtonMail can access the data.

The company says the new encrypted contacts manager is ideal for journalists and other individuals for whom it’s critical that contact information is protected.

ProtonMail noted that the new feature secures phone numbers, physical addresses and other information added by the user, but it does not use zero-access encryption for email addresses as it would break email filtering functionality and it wouldn’t represent a significant privacy improvement considering that the service needs to know the recipient’s email address in order to deliver messages.

On the other hand, the new ProtonMail Contacts tool does provide some protection for email addresses by using digital signatures to verify their integrity. The digital signatures mechanism, which provides a cryptographic guarantee that contact data hasn’t been tampered with, covers all the information stored in the address book, not only email addresses. If the application detects an invalid signature, it displays an error message to alert the user.

“This is a big security benefit for many reasons,” ProtonMail said in a blog post. “For example, if an attacker wanted to intercept the communications between you and a sensitive contact, one way to do it could be to secretly change the email address or phone number you have saved for that contact, such as changing john.smith(at)protonmail.com to john.snnith(at)protonmail.com, which might escape your notice.”

The new contacts manager relies on new private and public key pairs for each account. The private key is generated based on the user’s password and it’s stored on the client side, preventing ProtonMail from gaining access to the encryption key. The same key pair is used both for encrypting contact information and digital signing.

The new contacts manager is currently only available for the web version of ProtonMail, but it will soon be added to the iOS and Android apps as well. Future versions of the tool will also allow users to store keys created for sending PGP-encrypted messages, ProtonMail said.

The source code for ProtonMail’s web client, including the contacts manager, is available on GitHub.

ProtonMail Contacts – ProtonMail launches world’s first encrypted contacts manager
22.11.2017 securityaffairs Safety

ProtonMail launched ProtonMail Contacts, the world’s first contact manager with both zero-access encryption and digital signature verification.
ProtonMail is announcing today the launch of the world’s first encrypted contacts manager that also features digital signature verification. Starting immediately, the new contacts manager is available to all of ProtonMail’s 5 million users around the world.
The development and launch of this feature was driven by the feedback that the company received from many of its users in the investigative journalism space. “Last year, we had the unique opportunity to meet with many of our users in the field at the Second Asian Investigative Journalism Conference in Kathmandu, Nepal, and one message that we heard over and over again was the need for better ways to protect sources,” says ProtonMail co-founder Dr. Andy Yen, “the new encrypted contacts manager today is the result of over one year of research and development into how we can best meet the needs of the thousands of activists, journalists, and dissidents who rely on ProtonMail to protect their privacy.“
In addition to protecting sensitive contact details with zero-access encryption (meaning that ProtonMail itself cannot decrypt the data, and cannot reveal the private contact details to third parties), ProtonMail’s new contact manager also utilizes digital signatures to verify the integrity of contacts data. This provides a cryptographic guarantee that nobody (not even ProtonMail), has tampered with the contacts data.
“Combining encryption with digital signatures provides powerful protection that guarantees not only the privacy, but also the authenticity of the contacts saved in ProtonMail, and reduces the need to trust ProtonMail, as even we cannot access or change this information without your knowledge,” says Dr. Yen. In line with standard company practice, the software behind ProtonMail’s encrypted contacts manager is fully open source.

-> For more details about ProtonMail’s encrypted contacts manager, please refer to our launch blog post here: https://protonmail.com/blog/encrypted-contacts-manager/
-> The link to this press release can be found here: https://protonmail.com/blog/contacts-press-release/
-> ProtonMail’s media kit can be found here: https://protonmail.com/media-kit/

U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack
22.11.2017 securityaffairs BigBrothers

US Department of Justice charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones’ HBO Hack, he also worked with the Iranian Military.
The United States charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones‘ HBO Hack. On Tuesday, the man was charged with stealing scripts and plot summaries for ‘Games of Thrones’.

The Manhattan US attorney Joon Kim said Mesri is “had previously hacked computer systems for the Iranian military”. The man threatened to release stolen data, unless HBO paid a $6 million ransom in Bitcoin.

“Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.” said U.S. Attorney Joon H. Kim. “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come.”

Behzad Mesri, who is still at large, is an Iran-based hacker who also goes online with the moniker Skote Vahshat.

Mesri faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.

The DoJ accused the man of being the mastermind behind the cyber attacks against HBO from May to August, he stole scripts and plot summaries for then unaired episodes of the “Game of Thrones” series, and multiple other shows.

Mersi compromised multiple user accounts belonging to HBO employees and other authorized users, in this way he accessed the company servers and stole confidential and proprietary information.

“Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.” states the press release published by the US Department of Justice.

“Through the course of the intrusions into HBO’s systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce;” (b) scripts and plot summaries for unaired programming, including but not limited to episodes of “Game of Thrones;”(c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”).”

According to the US prosecutors, Mesri previously conducted computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.

Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.

“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.

“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”

More Industrial Products at Risk of KRACK Attacks
22.11.2017 securityweek  Attack
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.

The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs.

The vulnerabilities impact many products, including devices designed for use in industrial environments. The first industrial solutions providers to warn customers about the KRACK attack were Cisco, Rockwell Automation and Sierra Wireless.

Cisco said the flaws affect some industrial routers and access points, for which the company has released updates. Rockwell and Sierra Wireless have also identified impacted products and provided patches and mitigations.KRACK affects industrial products

Other industrial solutions providers have come forward in the past weeks to admit that their products are affected.

Siemens said the KRACK vulnerabilities affect some of its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS products. The company is working on releasing updates that will address the security holes and, in the meantime, it has provided some mitigations.

Swiss-based ABB informed customers that TropOS broadband mesh routers and bridges running Mesh OS 8.5.2 or prior are also vulnerable to KRACK attacks. ABB has yet to release patches, but it did provide workarounds and mitigations.

German industrial automation firm Phoenix Contact also confirmed that three of the KRACK flaws affect some of its BL2, FL, ITC, RAD, TPC and VMT products. The company said the impact is limited for some of its products, and pointed out that in many cases the attacker would have to be inside the plant in order to conduct an attack.

Phoenix is working on patching the vulnerabilities in affected products. The vendor has advised customers using devices running Windows to install the security updates provided by Microsoft.

Lantronix informed customers that several of its wireless connectivity solutions are impacted by KRACK, including PremierWave ethernet-to-WiFi gateways, WiPort wireless ethernet bridges, MatchPort programmable embedded device servers, xPico embedded IoT WiFi modules, SGX IoT device gateways, and WiBox wireless device servers.

The company has released a patch for PremierWave 2050. For the other products, fixes are expected to become available by the end of the year.

Some Johnson Controls products may also be vulnerable to KRACK attacks. The company’s product security and incident response team (PSIRT) is currently assessing the impact of these flaws.

Kaspersky Lab’s ICS-CERT team pointed out that while KRACK attacks can be launched against industrial control systems (ICS) -- for example, some PLCs use Wi-Fi for remote management -- the biggest risk is to network communication devices, smartphones and tablets used by engineers and operators for remote access to ICS.

“In most cases KRACK attacks present virtually no risk to those large industrial and critical infrastructure systems that do not use 802.11 technologies. Today, such systems constitute an absolute majority,” explained Ekaterina Rudina, senior system analyst in Kaspersky’s ICS-CERT team. “Even in cases where these technologies may be used, physical restrictions on access to the controlled zone (e.g., a specific manufacturing unit) would prevent an attack from being carried out.”

“The main risk zone still encompasses those industrial sectors the security of which is given a lower priority than that of critical infrastructure systems and where using wireless technologies to upgrade systems or meet industrial network maintenance needs has become necessary but where compliance with the ‘best practices’ supported by major vendors is not possible because the changes required are too complicated or too costly,” Rudina added.

Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016
22.11.2017 securityaffairs Incindent

Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 and paid hackers to delete stolen records.
Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into the company database and accessed the personal data of 57 million of its users, the bad news is that the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the Uber development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.” states Bloomberg.

In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” reads a CEO’s statement.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”

The situation is more unbelievable, rather than to notify the data breach to customers and law enforcement as is required by the California’s data security breach notification law, the Uber’s chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed. It is a good way to hide the payment, Uber is running a bug bounty program to encourage white hat hackers to responsibly disclose vulnerabilities affecting its services.

“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” reported The New York Times“

“The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.”

As a result of the new board investigation Sullivan and one of his lieutenants were ousted.

The CEO explained that such kind of thing will not happen again in the future because Uber put the customers’ security and trust as the pillar of its business.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” added Khosrowshahi.

The CEO added that forensics experts haven’t found evidence that data were downloaded, anyway the company is monitoring the affected account for fraudulent activities.

Below the list of actions the company has taken in response to the incident:

I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
We are individually notifying the drivers whose driver’s license numbers were downloaded.
We are providing these drivers with free credit monitoring and identity theft protection.
We are notifying regulatory authorities.
While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
The New York Attorney General Eric Schneiderman has also launched an investigation into Uber data breach.

This isn’t the first time the company has experienced security breaches, it suffered the first data breach in May 2014, but the event was discovered on February 2015.

In the attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised.

At the time, the giant announced a data breach that resulted in unauthorized access to the driver partner license numbers of roughly 50,000 of its drivers.

In June 2016, security experts from the Integrity firm have found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of security 14 issues, four of which cannot be disclosed.

Uber má problém: útočníci mu ukradli data uživatelů a firma to zkusila zatajit
22.11.2017 Lupa.cz Kriminalita
První špatná zpráva zní, že se útočníci koncem roku 2016 dostali k datům 57 milionů zákazníků a řidičů dopravní firmy Uber. Je tu ale druhá, ještě mnohem horší novina: Uber se tento incident pokusil před zákazníky i regulačními úřady skrýt a nikoho o to neinformoval. Za mlčení dokonce útočníkům zaplatila 100 tisíc dolarů.

Uber teď únik potvrdil na svém blogu. „Postiženy byly účty cestujících po celém světě. Konkrétně nám unikla jména, e-mailové adresy a čísla na mobil. Naši externí forenzní experti nezjistili, že by došlo taky k úniku záznamů o poloze, čísel platebních karet, čísel bankovních účtů, čísel sociálního zabezpečení nebo dat narozen,“ informuje dnes.

Nedávno jmenovaná nová ředitelka Uberu Dara Khosrowshahi k tomu dodává, že za únikem stojí dva lidé, kteří v roce 2016 získali přístup k databázi uložené v cloudovém úložišti třetí strany, které Uber používá. Útočníci se tak dostali mimo jiné ke jménům a číslům řidičských průkazů asi 600 tisíc řidičů Uberu v USA. A také ke kontaktním údajům zmíněných 57 milionů uživatelů.

Jak to konkrétně proběhlo? Podle agentury Bloomberg se dva lidé dostali na soukromou stránku Uberu na GitHubu, kterou používají vývojáři Uberu (firma neupřesnila, jak k ní získlai přístup, GitHub prý nicméně vylučuje, že by došlo k narušení jeho bezpečnosti).

Na GitHubu dva útočníci získali přihlašovací údaje do cloudové služby Amazonu, kterou firma používala. A v cloudu pak našli zmíněnou databázi s informacemi o uživatelích a řidičích. Podle Uberu pak měli firmě poslat e-mail, ve kterém žádali peníze. Uber se pak s nimi domluvil, že ukradená data smažou, a za to že budou o incidentu mlčet, jim zaplatil 100 tisíc dolarů.

Hackeři ukradli Uberu data 57 miliónů zákazníků a řidičů

22.11.2017 Novinky/Bezpečnost Kriminalita
Hackeři loni v říjnu ukradli alternativní taxislužbě Uber data 50 miliónů zákazníků a sedmi miliónů řidičů. V úterý místního času (v noci na středu SELČ) to oznámil šéf Uberu Dara Khosrowshahi s tím, že se to dozvěděl teprve nedávno. Incident přitom společnost rok tajila a hackerům zaplatila 100 000 dolarů (asi 2,2 miliónu korun), aby data vymazali a o útoku mlčeli, napsala agentura Bloomberg.
„Nic z toho se nemělo stát a já to nebudu omlouvat,” uvedl Khosrowshahi, který se generálním ředitelem Uberu stal letos v září. „Měníme způsob našeho podnikání,” dodal.

Ukradená data zahrnují jména zákazníků, jejich adresy, mobilní telefony a e-mailové adresy. V případě řidičů útočníci získali i jejich řidičské průkazy a další informace. Uber nicméně ujišťuje, že neunikla čísla platebních a kreditních karet, bankovních účtů, data narození, místa jízdy nebo čísla sociálních pojistek.

Khosrowshahi uvedl, že podle zjištění firmy se k datům uloženým na cloudových serverech jiné společnosti využívaných Uberem dostali dva útočníci. Ti podle něj nepronikli do firemního systému a datové infrastruktury Uberu.

Společnost ihned podnikla bezpečnostní opatření, útočníky identifikovala a získala od nich ujištění, že ukradená data byla zničena, uvedl Khosrowshahi.

Jaké triky zkoušejí počítačoví piráti před Vánocemi

22.11.2017 Novinky/Bezpečnost Kriminalita
Nejdůležitějším obdobím v roce jsou pro kybernetické zločince Vánoce. Před samotnými svátky jde totiž často obezřetnost stranou a lidé jsou schopni se nachytat i na nejrůznější phishingové podvody, kterých by si za jiných okolností všimli.
Viry se maskují
Internetem kolují aktuálně desetitisíce nejrůznějších virů. Ty dokážou odposlouchávat uživatele na dálku, monitorovat jeho práci, ale klidně i šikovně obejít ověřovací mechanismy v internetovém bankovnictví.

Takové nezvané návštěvníky bylo možné v počítači ještě před pár lety rozeznat, protože první škodlivé programy byly naprogramovány tak, aby mazaly data, nebo dokonce zablokovaly celý operační systém.

Moderní viry se ale snaží zůstat co nejdéle v anonymitě a potají otevírají zadní vrátka pro kybernetického útočníka.

Odhalit takové smetí pomáhají programy, z nichž každý se specializuje na něco jiného. Některé si dovedou poradit s trojskými koni či spywarem, další zase detekují takzvané keyloggery (programy zaznamenávající stisk kláves).

Cena takovýchto aplikací se zpravidla pohybuje od 500 do několika tisíc korun. Vedle toho ale existují také bezplatné alternativy, které nejčastěji firmy nabízejí pouze k vyzkoušení a zaplatit chtějí až za pokročilejší verzi. Ale i proto, aby v nich mohly zobrazovat reklamu a tím vydělávat peníze.

Výsledky testů bezplatných a placených aplikací se různí, v některých dokonce zdarma dostupné aplikace vyhrávají nad placenými.

Na PC by měl být nainstalován vždy jen jeden bezpečnostní program svého druhu. Dva antiviry na disku dokážou udělat pěknou neplechu. Totéž platí také o firewallech i antispywarech.

Dnes 10:09

Scénáře phishingových útoků jsou si velmi podobné. Podvodníci lákají na předvánoční půjčky či na slevy elektroniky a šperků – od uživatelů se snaží vylákat hotovost, stejně jako jejich citlivé údaje, které pak na černém trhu velkou cenu.

Velké oblibě se mezi kyberzločinci těší také slevové kupóny. Na podvodných stránkách se často objevuje možnost bezplatného získání kupónu, pokud se uživatel zaregistruje. Místo skutečné slevy ale lidé v podobných případech pouze riskují zneužití svých osobních údajů.

E-mailová schránka bude smazána
Počítačoví piráti se snaží zaskočit uživatele novým trikem. Internetem se začala šířit podvodná zpráva, ve které kyberzločinci uživatelům vyhrožují, že jejich e-mailová schránka bude smazána. E-mail je psán anglicky, ale distribuován již byl podle informací Novinek také mezi české uživatele.

Na první pohled se může zdát, že tato zpráva byla automaticky vygenerována kancelářským balíkem Microsoft Office. Právě na to ale počítačoví piráti sázejí – že se uživatelé leknou loga amerického softwarového gigantu a na trik jim skočí.

Ukázka podvodného e-mailu

FOTO: Novinky

Ve zprávě se totiž píše, že heslo k e-mailovému účtu uživatele bylo kompromitováno. A proto bude celá e-mailová schránka smazána. Jedinou možností, jak tomu zabránit, je údajně ověřit poštovní schránku pomocí přiloženého odkazu.

Jde ale samozřejmě o klasickou phishingovou zprávu, počítačoví piráti totiž doslova loví důvěřivé uživatele na udičku jako ryby. Prostřednictvím podvodného odkazu se z nich snaží vylákat skutečné přihlašovací údaje k jejich e-mailové schránce.

Ty mají totiž na černém trhu doslova cenu zlata. Na e-maily jednotlivých uživatelů jsou totiž velmi často napojeny další internetové služby – například nejrůznější sociál ní sítě, ale v některých případech klidně i bankovní účty.

Trojský kůň změní PIN a zašifruje data
Na chytré telefony s operačním systémem Android cílí trojský kůň zvaný DoubleLocker, před kterým varovala antivirová společnost Eset. Ta upozornila, že tento nezvaný návštěvník dokáže změnit na mobilním zařízení přístupový PIN kód a navíc ještě zašifrovat uložená data. Za jejich zpřístupnění pak požaduje výkupné.

DoubleLocker se tedy na napadeném zařízení chová úplně stejně jako vyděračské viry, které jsou označovány souhrnným názvem ransomware.

„DoubleLocker zneužívá služby Android Accessibility, což je oblíbený trik mezi kybernetickými zločinci.

Trojský kůň změní PIN a zašifruje data.

FOTO: Mario Anzuoni, Reuters

Jakmile je podvodná aplikace spuštěna, zažádá si o aktivaci služby zpřístupnění, která se v tomto případě vydává za aplikaci Google Play Service,“ přiblížili bezpečnostní experti útok škodlivého kódu.

Problém nastane ve chvíli, kdy uživatel na svém zařízení potvrdí aktivaci této služby. Útočník tak totiž získá administrátorská práva k zařízení, tedy jinými slovy může s napadeným přístrojem dělat na dálku prakticky cokoliv.

Podle bezpečnostních expertů se tento malware šíří především v Evropě a Turecku. Konkrétně byl jeho výskyt zaznamenán v Polsku a Německu, ojediněle pak v Bělorusku a Estonsku. Uživatele v České republice zatím nenapadl.

Bankovní účty pod palbou počítačových pirátů
Počítačoví piráti neustále hledají cesty, jak se dostat na cizí bankovní účty. Tentokrát to zkoušejí přes zasílání zabezpečené zprávy uživatelům. Samozřejmě jde ale o podvod. Před novým typem útoku varovala Česká spořitelna.

Phishingový útok, při kterém počítačoví piráti doslova loví důvěřivé uživatele na udičku jako ryby, cílí právě na klienty spořitelny. Jeho cílem je vylákat přihlašovací údaje k internetovému bankovnictví, tedy ke službě Servis 24.

Podvodné bankovnictví imitující službu Servis24.

FOTO: Česká spořitelna

„Vy máte nové zprávy on-line. Chcete-li zobrazit svou zabezpečenou zprávu, přihlaste se do služby Internetového bankovnictví,“ tvrdí podvodníci vydávající se za bankéře v e-mailu, který v posledních dnech koluje českým internetem.

Pozornější uživatelé si na první pohled mohou všimnout, že zpráva je psaná s chybami a některá slova jsou dokonce špatně vyskloňovaná. Odkaz v e-mailu navíc nevede na oficiální stránky služby Servis 24, nýbrž na podvodný web, což je patrné z adresního řádku.

Po přihlášení kyberzločinci důvěřivcům tvrdí, že je potřeba aktualizovat kontaktní informace – právě to měla být ona důležitá zpráva. Pokud to důvěřivci skutečně udělají, jsou již jen krůček od vybílení bankovního účtu. Se znalostí telefonního čísla je totiž pro podvodníky hračkou vylákat od lidí potvrzovací SMS zprávu, pomocí které mohou například provádět peněžní transakce. V ohrožení jsou přitom i jedinci, kteří nemají na bankovním účtu příliš mnoho financí. Útočníci mohou touto cestou sjednat bez vědomí majitele klidně i půjčku. A tyto peníze následně vyberou.

Chytré spotřebiče mohou napadnout hackeři
Trouby, lednice, pračky, klimatizace, ale například také inteligentní vysavače – všechna tato zařízení se dnes dají připojit na dálku ke smartphonu. Bezpečnostní společnost Check Point však nyní objevila závažnou zranitelnost v chytrých domácích spotřebičích od LG, které mohou snadno zneužít počítačoví piráti. Spotřebiče jednoduše ovládnou na dálku.

Bezpečnostní chybu obsahovala obslužná mobilní aplikace LG SmartThinQ.

FOTO: archív výrobce

Chyba se týká obslužné aplikace LG SmartThinQ, kterou k ovládání svých chytrých spotřebičů používají milióny lidí z různých koutů světa. „Zranitelnost v této mobilní a cloudové aplikaci umožnila výzkumnému týmu společnosti Check Point přihlásit se vzdáleně do cloudové aplikace SmartThinQ, převzít kontrolu nad uživatelským účtem LG a získat kontrolu nad vysavačem a jeho integrovanou videokamerou,“ uvedl Oded Vanunu, ředitel výzkumu produktových zranitelností ve společnosti Check Point.

„Jakmile dojde k převzetí kontroly nad konkrétním účtem LG, jakékoli LG zařízení propojené s daným účtem může být ovládáno útočníky – včetně robotických vysavačů, ledniček, trub, praček, sušiček a klimatizací,“ zdůraznil Vanunu. Zranitelnost HomeHack umožňuje útočníkům například špehovat domácnost uživatelů prostřednictvím videokamery v robotickém vysavači. Útočníci mohou také ovládat jakékoliv zařízení LG SmartThinQ, například vypínat a zapínat myčky na nádobí, pračky atd.

V současnosti je již k dispozici aktualizace, která bezpečnostní chybu aplikace LG SmartThinQ opravuje. V ohrožení jsou nicméně stále uživatelé, kteří používají starší verzi aplikace od LG. Bezpečná je podle zástupců výrobce verze 1.9.20 a novější.

Uber Hacked: Information of 57 Million Users Accessed in Covered-Up Breach
22.11.2017 securityweek  CyberCrime

Uber Covered Up Massive Hack in 2016 for More Than a Year

Uber said Tuesday that hackers accessed the personal data of 57 million of its users in a breach that had been covered up by the company for more than a year.

Stolen information included the names, email addresses and mobile phone numbers of customers around the world, while the names and driver’s license numbers of roughly 600,000 of its drivers in the United States were accessed.

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber CEO Dara Khosrowshahi, wrote in a blog post Tuesday, adding that the incident did not breach Uber’s corporate systems or infrastructure.

According to a report from Bloomberg, attackers obtained credentials from a private GitHub site used by Uber’s software developers, which were used to access data stored on an Amazon Web Services (AWS) account.

Uber reportedly paid $100,000 to the hackers as a ransom payment in order to limit fallout from the breach. The company did not provide any details on such payment, but said “we subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”

Uber said that two employees “who led the response to the incident" are no longer with the company. While the company did not provide names, some reports indicate that Chief Security Officer Joe Sullivan has been let go. Uber hired Sullivan, Facebook's former security chief, as its first ever Chief Security Officer in April 2015.

SecurityWeek has contacted Uber for comment on the ransom payment and Sullivan’s rumored departure.

“Today’s incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as like Amazon AWS, are secured with SSH keys that are often outside the control of security teams,” Kevin Bocek, chief security strategist for Venafi, told SecurityWeek. “Unfortunately, we frequently seen SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls malicious actors can abuse these keys while flying under the radar of most other security controls,” Bocek added.

“The Uber breach is staggering not so much in its magnitude, but more so in the extensive efforts the company seems to have made in concealing the breach in violation of their customers’ trust and perhaps laws that require disclosure,” John Gunn, Chief Marketing Officer at Vasco Data Security, told SecurityWeek.

Uber does run a bug bounty program to encourage security researchers to responsibly disclose vulnerabilities found in across its services.

In June 2016, Researchers from Portugal-based security consulting and audit firm Integrity identified more than a dozen vulnerabilities in Uber websites and services, including issues that could have been exploited to access driver and passenger information.

In 2015, Uber disclosed two security incidents: one where an unauthorized party gained access to the driver’s license numbers of roughly 50,000 drivers, and a software bug that exposed the personal details of hundreds of U.S. drivers.

Has Everyone Really Been Hacked?
22.11.2017 securityweek  Hacking
There is little doubt that fear sells security products, hikes law enforcements agency (LEA) budgets and sells newspapers. Both the security industry and government agencies benefit from sensational headlines; leaving people wondering what the real truth may be. So when UK newspaper The Times ran a headline, 'Everyone has been hacked, say police', it leaves the question, is this just more scaremongering or a true reflection on the state of security?

To my knowledge and belief, I have not been hacked (yet) -- so the headline is patently untrue. But I (and indeed everyone) am frequently targeted; I'm fairly certain I have dozens of unclicked malicious links and files in my mail system. Here's the first method of scaremongering: security vendors, LEAs and parts of the media will often claim, 'millions of users hit by new malware'. The truth is most likely that millions of users have been targeted or can potentially be affected, not that millions of users have been infected.

The Times headline is very clear: everyone has been hacked. But this is not what the police actually said. According to The Times' own report, "Virtually everyone in the country is likely to have had their personal data hacked and placed for sale on the dark web, police have said."

This is bad enough, but it is not the same as being personally hacked. What the police (in this case Peter Goodman, the National Police Chiefs' Council lead for cybercrime and the Chief Constable for Derbyshire) is saying is that everybody will have had some personal data taken by cybercriminals via third party breaches (such as Yahoo, LinkedIn, TalkTalk and more recently Equifax). Whether the amount of personal data stolen in this way is more or less than the personal data we willingly give to Google, Microsoft and Facebook is a separate -- but equally valid -- question.

Nor do we know what personal data has been stolen -- some personal data is clearly more valuable to cybercriminals (and dangerous to us) than other personal data. However, we should never dismiss any data loss as being unimportant. Cybercriminals, and especially state-affiliated criminals, have as much ability to use big data correlation and analysis as the big security vendors and government agencies. Little bits of data from different sources can be matched together to form a surprisingly detailed picture of us.

The question then remains, how accurate is the police view that we have all been affected by third-party data loss?

Chris Morales, head of security analytics at Vectra, comments, "Anyone who has performed any online transaction has personal data on the internet. Even worse, personal information exists in locations people are not even aware of or have any control over.

Equifax impacted more than 145 million consumers. Of those, around 700,000 were believed to be in the UK. That is just one recent breach.

Based on data reported from breachlevelindex.com [a site sponsored by Gemalto], there have been 9,198,580,293 data records lost or stolen since 2013. That's more data records than people in the world. For the UK specifically, they report a number of 137,516,163 records stolen since 2013, double the population. Therefore, it is a reasonable assumption to make that everyone has been hacked and some more than once." (Notice that Morales accepts the Times' use of the term 'hacked'.)

Chris Roberts, chief security architect at Acalvio, takes a similar stance. "Healthcare has lost between 600 and 700 million records since we started counting," he told SecurityWeek. "That's almost twice the population of the United States. Between all the various high visibility breaches and government losses, it's arguable that everyone's data is already out there. Finally, the quantity of credit cards that are breached on an annual basis would arguably demonstrate that almost everyone has had financial breaches."

Ilia Kolochenko, disagrees with the headline, but agrees with the content. "Digitization has become an inalienable part of our everyday lives," he told SecurityWeek. "Even people who have never used a PC or a smartphone have their personal data stored and processed somewhere. Cybercrime is skyrocketing, and the vast majority of digital systems have been breached. However, I think that it's technically incorrect to say that every person was hacked, as our common notion of "hack" implies at least some motive and targeting. Otherwise, we can reasonable say that every person in the world has been hacked many times over."

He has concerns over the headline, but has no issue with the content. "In the matter of general awareness, such announcements are beneficial, as many people still seriously underestimate the growing hydra of cybercrime. Hopefully, the government will finally allocate additional resources that are necessary to fight cybercrime on national and international levels. Right now, law enforcement is seriously under-equipped with technology, qualified personnel and financial resources to prevent, investigate and prosecute digital crime."

The general consensus is that (apart from the headline), the views of Peter Goodman do not represent scaremongering. Stephen Burke, founder and CEO of Cyber Risk Aware adds a rider: "There is a high percentage of people that have been affected by cybercrime -- however, it would be unfair to say that everyone has been a victim. It's possible they could be by virtue of the data that is readily available online and the data that they give out via social media and to companies who handle billing. If this were the case, then there would be too much data for hackers to handle."

Nevertheless, statistics suggest that everyone, from corporate manager to stay-at-home mum and her kids, have had personal data stolen by cybercriminals. Goodman has his own solution: "Mr Goodman said that providing lifetime security for digital devices should be mandatory," says the Times.

That's a big, and frankly unrealistic ask. "We have learned prevention is never going to be enough and at some point it is realistic to assume a breach will occur," said Morales. "At that point, we must be better prepared to detect and respond to the breaches that do happen and that can cause the most damage. The goal should be to reduce the impact of those breaches."

The implication is clear. Just as business is exhorted to plan its response to an inevitable breach, individuals need to plan a response to the seemingly inevitable misuse of their stolen personal data.

macOS Malware Spread Via Fake Symantec Blog
22.11.2017 securityweek  Apple
A newly observed variant of the macOS-targeting Proton malware is spreading through a blog spoofing that of legitimate security company Symantec.

The actor behind this threat created symantecblog[dot]com, a good imitation of the real Symantec blog, and even mirrored content from the original. On this blog, a post about a new version of CoinThief, a piece of malware from 2014, promotes an application called “Symantec Malware Detector,” while in fact distributing OSX.Proton instead.

The domain’s registration information appears to be legitimate, with the same name and address as those used by Symantec, but the email address shows that something is off. Furthermore, the certificate used for the site is a legitimate SSL certificate issued by Comodo and not by Symantec’s own certificate authority.

Links to the fake blog have been spreading on Twitter via both fake and legitimate accounts, Malwarebytes reports. It is possible that the actor behind this campaign used stolen passwords to access legitimate accounts and promote their malicious post. However, it is also possible that people were tricked into promoting the link.

When first run, the Symantec Malware Detector application displays a very simple window, using the Symantec logo, claiming to require authorization to perform a system check. Should the potential victim close the window at this point, the malware won’t be installed, the researchers say.

Should the user agree to run the check, the admin password is requested, a step that results in the malware stealing the password. Next, the app displays a progress bar claiming to be scanning the computer, but Proton is installed in the background.

The Symantec Malware Detector application is nothing more than a malware dropper, and all users who have downloaded it are advised to delete it and attempt to disinfect their systems.

The malware immediately starts gathering user information, such as the admin password and other personally-identifying information (PII), and saves all data to a hidden file. Keychain files, browser auto-fill data, 1Password vaults, and GPG passwords are also harvested.

The Proton executable is dropped in the .random directory and is kept running by the com.apple.xpcd.plist launch agent. The stolen data is stored in the .cachedir folder.

“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” the security researchers explain.

Proton has been designed to steal login credentials and affected users are advised to take emergency actions post-infection. They should consider all of their online passwords as compromised and change all of them, while also setting up a different password for each site and storing all of them in a password manager. The master password should not be stored in the keychain or anywhere else on the computer. Enabling two-factor authentication should also minimize the impact.

This incident, the researchers note, shows the danger of fake news being used to spread malware. Due to the increased prevalence of adware for macOS, many users are looking to download malware removal tools, and cybercriminals are attempting to take advantage of that.

“Proton has been circulating for quite some time after its initial appearance in March. It has previously been distributed via a compromise of the Handbrake application and a similar compromise of a couple Eltima Software applications. It is highly likely that Proton will continue to circulate, and similar incidents will continue to occur,” Malwarebytes concludes.

Code Execution Flaw Found in HP Enterprise Printers
22.11.2017 securityweek  Vulnerebility
Researchers have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. The vendor claims to have already developed a patch that will be made available to customers sometime this week.

Back in 2015, HP announced the launch of new enterprise-grade LaserJet printers fitted with security features designed to block malicious actors from breaching a company’s network. Roughly one year later, the company also announced several security improvements to its Managed Print Services.

The tech giant claims it provides “the world’s most secure printing” and a recent marketing campaign run by the company shows how printers from other vendors can allow hackers to cause significant damage to an organization.

Researchers at FoxGlove Security wanted to put HP’s claims to the test so they acquired an HP PageWide Enterprise 586dn multi-functional printer (MFP), currently sold for $2,000, and an HP LaserJet Enterprise M553n printer, which costs roughly $500.HP Printer

The experts started testing the devices using PRET (PRinter Exploitation Toolkit), a tool developed by researchers from Ruhr-Universität Bochum in Germany. When PRET was introduced, its creators claimed to have used it to find vulnerabilities in 20 printers and MFPs from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocer.

FoxGlove used PRET to find a path traversal flaw that allowed them to access the content of any print job, including PIN-protected jobs. PRET also helped it discover vulnerabilities that can be exploited to manipulate the content of print jobs, and reset devices to factory settings and implicitly remove the admin password.

However, the researchers’ goal was to find a vulnerability that could be exploited for remote code execution (RCE). In order to achieve this, they extracted the printer operating system and firmware and reverse engineered them. HP has implemented some mechanisms to prevent tampering with the system, but the experts managed to bypass them and gain access to files.

They then analyzed firmware updates and HP Software Solutions, which use the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that needs to have a valid signature.

They failed to upload a malicious firmware to the device due to the signature validation mechanism, but they have proposed some possible attack vectors in case others want to continue the research. On the other hand, they did crack signature validation for Solutions files and they managed to upload a malicious DLL and execute arbitrary code.

FoxGlove Security has made available the source code of the tools used during the research, including proof-of-concept (PoC) malware.

The code execution vulnerability was reported to HP on August 21 and the company has promised to release a patch this week.