Frost Bank announced it has suffered a data breach that exposed check images
21.3.2018 securityaffairs  Incindent
On Friday, Frost Bank announced that it has suffered a data breach that exposed check images, crooks could use them to forge checks.
Frost Bank announced on Friday that it has suffered a data breach that exposed check images.

The bank is a subsidiary of Cullen/Frost Bankers, Inc., its staff discovered an unauthorized access to its systems containing images of checks.

Attackers compromised a third-party lockbox software program, in this way they were able to access the images of checks stored electronically in the database.

“In March 2018, Frost detected unauthorized access into a third-party lockbox software program that allowed unauthorized users to view and copy images of checks stored electronically in the image archive.” reads the security advisory published by the company.

“The identified incident did not impact other Frost systems. We have stopped the unauthorized access, and have reported the incident to and are cooperating with law-enforcement authorities.”

The lockbox services are normally used by customers to send payments to a central post office box, once the bank will receive the payments it will credit them to a business’s account.

According to Frost Bank, its systems weren’t impacted by the security breach.

The bad news is that crooks once obtained the images could use them to forge checks.

“Information from the accessed images can be used to forge checks.” continues the advisory.

According to Frost Bank, the unauthorized access was limited to one software program serving about 470 commercial customers who use the electronic lockbox,

The company confirmed it stopped the identified unauthorized access once discovered the breach.

Law enforcement is investigating the case, while Frost Bank hired an unnamed cybersecurity firm to investigate the security breach,

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.

Uber Self-Driving Car struck and killed a woman in Tempe, Arizona
21.3.2018 securityaffairs IT
An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona. The incident raises questions about the safety and security of this kind of vehicles.
This is a sad page of the book of technology evolution, an Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona.

The news was confirmed by the company, this is the first incident of this type.

Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident.

— Uber Comms (@Uber_Comms) March 19, 2018

According to the media, the accident occurred while the car, a Volvo XC90 SUV, was in the self-driving mode.

“Tempe police are investigating a deadly crash involving a self-driving Uber vehicle overnight. The Uber vehicle was reportedly headed northbound when a woman walking outside of the crosswalk was struck.” states the TV station ABC15.

“Tempe Police says the vehicle was in autonomous mode at the time of the crash and the vehicle operator, 44-year-old Rafaela Vasquez, was also behind the wheel. No passengers were in the vehicle at the time. “

The victim Elaine Herzberg (49), the Uber self-driving car has struck the woman while she was crossing the street outside of a crosswalk.

The woman was transported to the hospital where she has died.

Source USA Today

The company immediately suspended its service, all the self-driving cars in the US will be halted, below the message sent by the Uber CEO.

Some incredibly sad news out of Arizona. We’re thinking of the victim’s family as we work with local law enforcement to understand what happened. https://t.co/cwTCVJjEuz

— dara khosrowshahi (@dkhos) March 19, 2018

Uber launched the self-driving program in 2015, its vehicles since then are circulating in many US cities, including Phoenix, Pittsburgh, San Francisco, and Toronto.

The tests in Tempe, Arizona started in February 2017.

The National Transportation Safety Board announced an investigation and sent a team to the place of the accident.

NTSB sending team to investigate Uber crash in Tempe, Arizona. More to come.

— NTSB_Newsroom (@NTSB_Newsroom) March 19, 2018

The company suspended its self-driving program and withdrew all autonomous cars from US roads.

Even if this is an accident, we cannot forget the aspect safety and security when dealing with automotive. Are we really ready to make a self-driving car on the road?

When such kind of vehicle will crowd our cities the risks will be high and the cybersecurity aspects will be crucial.

Supreme Court in Russia ruled Telegram must provide FSB encryption keys
21.3.2018 securityaffairs BigBrothers
A Supreme Court in Russia ruled Telegram must provide the FSB with encryption keys to access users’ messaging data to avoid being blocked.
Bad news for Telegram, a Supreme Court in Russia ruled the company must provide the FSB with encryption keys to access users’ messaging data. If Telegram will refuse to comply the request the authorities will block the service in Russia.

Media watchdog Roskomnadzor asked Telegram to share technical details to access electronic messages shared through the instant messaging app.

Roskomnadzor requested to “provide the FSB with the necessary information to decode electronic messages received, transmitted, or being sent” within 15 days.

In June, Roskomnadzor, the Russian Government threatened to ban the popular instant messaging app because the company refused to be compliant with the country’s new data protection laws. In July, the company agreed to register with Russia authorities to avoid the local ban, but it did not share user data.

Telegram appealed against the ruling, but the Supreme Court rejected the request of the company.

Telegram founder Pavel Durov labeled the FSB request as “technically impossible to carry out” and unconstitutional, then he left Russia in September 2017 in response to the request of the FSB.

In July, Russia’s Duma approved the bill to prohibit tools used to surf outlawed websites

Russian authorities requested private firms operating in the country to provide the FSB with information on user activities, all the data related to Russian users must be stored in local servers according to anti-terror legislation that passed in 2016.

Expedia-owned travel website Orbitz says 880,000 payment cards hit in data breach
21.3.2018 securityaffairs  Incindent
Orbitz, the travel website owned by Expedia announced on Tuesday that it has suffered a security breach that affected hundreds of thousands of users.
Orbitz.com has millions of users, it was acquired by Expedia in 2015 for $1.6 billion.

Orbitz confirmed that attackers gained access to a legacy platform between October 1 and December 22, 2017, and stole personal and financial data belonging to consumers and business partners.

The exposed data includes full name, date of birth, gender, phone number, email address, physical and billing address, and payment card data. According to Orbitz, the security breach affected roughly 880,000 payment cards.

There is no evidence that the current Orbitz.com website is affected, passport and travel itinerary information were not exposed in the incident.

The company discovered the breach on March 1 following an internal investigation, Orbitz hired security experts to investigate the issue and identify the flaws exploited by hackers.

The company also notified the incident to the law enforcement that is investigating the case too.

According to the investigators, the hackers may have accessed personal information of customers that made certain purchases between January 1 and June 22, 2016.

Attackers may have obtained information on Orbitz partners who made purchases between January 1, 2016, and December 22, 2017.

“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” reads the statement issued by the company.

“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,”

Customers can contact the firm by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting the website orbitz.allclearid.com.

Expedia’s shares fell as much as 1.9 percent to $108.99.

This is the last incident in order of time that affected the travel sector, other companies that suffered security breaches are the hotel chain InterContinental Hotels Group Plc and Hyatt Hotels Corp in 2017.

Windows Remote Assistance flaw could be exploited to steal sensitive files
21.3.2018 securityaffairs  Exploit
A critical flaw in the Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.
A critical vulnerability in Microsoft’s Windows Remote Assistance (Quick Assist) feature affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7. The flaw could be exploited by a remote attacker to steal sensitive files on the targeted machine.
Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.

The Windows Remote Assistance feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.
Trend Micro Zero Day Initiative researchers Nabeel Ahmed discovered an information disclosure vulnerability in Windows Remote Assistance tracked as CVE-2018-0878. An attacker can trigger the flaw to obtain information to further compromise the victim’s system.
Microsoft fixed the vulnerability this month with the patch Tuesday, the issue resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The CVE-2018-0878 vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Nabeel has also released online technical details and a proof-of-concept exploit code for the vulnerability.

The attacker can use the “Out-of-Band Data Retrieval” attack technique to exploit this vulnerability that resides in MSXML3 parser. The attacker offers the victim access to his computer via Windows Remote Assistance.

To set up a Windows Remote Assistance connection the attacker can:

Invite someone to help him;
Respond to someone who needs help.
When you invite someone to help you, an invitation file is generated (i.e. ‘invitation.msrcincident’) which contains XML data used for authentication.

In the following table are reported the parameters included in the request.

The expert started using the MSXML3 to parse the XML data and discovered it does not properly validate the content. This means that an attacker can send a specially crafted Remote Assistance invitation file containing a malicious code to the victim that instructs the target computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. A attacker could then steal text files from known locations on the victim’s machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim.” reads the security advisory published by Microsoft.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

The expert warns of mass scale phishing attacks that leverage on .msrcincident invitation files that could potentially result in loss of sensitive information.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem.” Ahmed concluded.
“Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information. An attacker could target specific log/config files containing username/passwords. ,” Ahmed warns.

The expert developed a tool to automate XXE exfiltration of multiple files by brute-forcing certain directory locations, the software is available on GitHub.

Don’t waste time, install the latest update for Windows Remote Assistance as soon as possible.

A flaw in Ledger Crypto Wallets could allow to drain your cryptocurrency accounts. Fix it!
21.3.2018 securityaffairs  Vulnerebility
Saleem Rashid, a 15-year-old researcher from the UK, has discovered a severe vulnerability in cryptocurrency hardware wallets made by the Ledger company.
Hardware wallets enable transactions via a connection to a USB port on the user’s machine, but they don’t share the private key with the host machine impossible malware to harvest the keys.

Saleem Rashid has found a way to retrieve the private keys from Ledger devices once obtained a physical access to the device.

The researchers discovered that a reseller of Ledger’s devices could update the devices with malware designed to steal the private key and drain the user’s cryptocurrency accounts when the user will use it.

Giving a close look at the Ledger’s hardware device, Saleem Rashid discovered that they include a secure processor chip and a non-secure microcontroller chip. The nonsecure chip is used for different non-security tacks such as displaying text on the display. The problem ties the fact that the two chips exchange data and an attacker could compromise the insecure microcontroller on the Ledger devices to run malicious code in stealth mode.

Even is Ledger devices implement a way to protect the integrity of the code running on them, the expert developed a proof-of-concept code to bypass it and run malicious code on the products.

The PoC code was published along with the official announcement from Ledger about the availability of a new firmware update that addresses the vulnerability.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid told to the popular cyber security expert Brian Krebs. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Rashid published a research paper on the flaw and a video PoC of the attack against a Nano-S device, one of the most popular hardware wallets sold by the company.

“This attack would require the user to update the MCU firmware on an infected computer. This could be achieved by displaying an error message that asks the user to reconnect the device with the le/ button held down (to enter the MCU bootloader). Then the malware can update the MCU with malicious code, allowing the malware to take control of the trusted display and confirmation buttons on the device.” wrote the researcher.
This attack becomes incredibly lucrative if used when a legitimate firmware update is released, as was the case two weeks ago.”

“As you can tell from the video above, it is trivial to perform a supply chain attack that modifies the generated recovery seed. Since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the device.” continues the expert.

The Ledger MCU exploit relies on the fact that the process for generating a backup code for a user’s private key leverages on a random number generator that can be forced to work in a predictable way and producing non-random results.

Curiously, when Rashid first reported his findings to Ledger, the company dismissed them.

“the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe.” reads the security advisory published by the French company.

“Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.”

Rashid pointed out that Ledger doesn’t include anti-tampering protection to avoid that an attacker could physically open a device, but the company replied that such kind of measures is very easy to counterfeit.

In this case, let me suggest buying the devices directly from the official vendor and not from third-party partners and update them with the last firmware release.

F-Secure Looks to Address Cyber Security Risks in Aviation Industry
19.3.2018 securityweek Safety

Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.

It also has one major difference -- the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers -- and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline.

Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences -- such as the latest in internet-connected in-flight entertainment systems -- has added a new cyber risk.

Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft -- high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft -- medium impact, medium likelihood); and passengers (systems with direct passenger interaction -- low impact, high likelihood).

The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland's F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and -- most importantly to F-Secure -- reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.

"Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past," said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. "Because these off-the-shelf technologies weren't necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it's an industry where those details make a big difference."

The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.

The primary problem is not unknown to the security industry -- the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection). "A key protection measure is separating systems into different 'trust domains'," explains F-Secure's head of Hardware Security Andrea Barisani, "and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks."

Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. "It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation," Barisani told SecurityWeek. "Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification."

Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. "In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft," explained Teso. "Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems."

F-Secure is keen not to promote its new service with the 'fear factor'. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation's brand reputation, and the threat of a cyber hijack taking over an aircraft in flight, is, suggests Teso, more likely in the movies than in reality.

But that doesn't mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, "F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it's part of Aviation, our services have it covered."