Researchers found misconfigured Jenkins servers leaking sensitive data
21.1.2018 securityaffairs Security

Security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.
The researchers clarify that he did not exploit any vulnerabilities to gain access to Jenkins servers, he simply analyzed open ones.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

The researcher used the Shodan search engine to find Jenkins servers accessible online, he discovered roughly 25,000 instances. The analysis of approximately half of them revealed that 10-20% were misconfigured, then the researchers manually analyzed each of them and notified affected vendors.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Tunç also found some Jenkins servers that implemented SAML/OAuth authentication system linked to Github or Bitbucket, unfortunately, they allowed any GitHub or Bitbucket account to log in rather than legitimate owners.

“Misconfigured in this context means any one of the following:

Wide open to the internet with either guest or administrative permissions by default – guest can be just as catastrophic and damaging as having admin rights
The web application was behind a log-in prompt but allowed ‘self-registration’ which granted guest or admin rights
The web application was behind a SAML/OAuth log-in linked to Github or Bitbucket but was misconfigured to allow anyGithub/Bitbucket account to log-in to Jenkins rather than being locked down to the organisation’s user pool
” wrote the expert in a blog post.

Tunç reported that almost all of the misconfigured instances he analyzed also leaked sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

The researcher also found Google had exposed sensitive tokens on their Jenkins instance, the company promptly solved the problem after being informed via its bug bounty program.

Other instances discovered by the experts that belong to major organizations are:

London’s government-funded transport body Transport for London;
Supermarkets Sainsbury’s and Tesco;
A company who manufacturers toys for children;
Credit checking company ClearScore;
Newspaper publisher News UK;
educational publisher Pearson, and newspaper publisher News UK.
“It’s 2018 and most organisations don’t have the most basic of responsible disclosure processes in place. Surprisingly (or not) big names fall foul of this problem too.” concluded the researcher.

“If you work in InfoSec or are responsible for the security of your infrastructure, now’s a good time to methodically crawl through your infrastructure to ensure you’re not unknowingly exposing sensitive interfaces to the internet. It only takes one misconfigured instance to destroy your business.”

OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers
21.1.2018 securityaffairs Incindent

OnePlus confirmed that a security breach affected its online payment system, hackers stole credit card information belonging to up to 40,000 customers.
OnePlus confirmed that a security breach affected its online payment system, a few days ago many customers of the Chinese smartphone manufacturer claimed to have been the victim of fraudulent credit card transactions after making purchases on the company web store.

OnePlus has finally confirmed that its online payment system was breached, following several complaints of from its customers who made purchases on the company’s official website.

Dozens of cases were reported through the and on , the circumstance that credit cards had been compromised after customers bought a smartphone or some accessories from the OnePlus official website suggests it was compromised by attackers.

On January 19, the company released a statement to admit the theft of credit card information belonging to up to 40,000 customers. The hacker stole the credit card information between mid-November 2017 and January 11, 2018 by injecting a malicious script into the payment page code.

The script was used by attackers to sniff out credit card information while it was being entered by the users purchasing on the web store.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.” reads the statement.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”

OnePlus is still investigating the breach to determine how the hackers have injected the malicious script into its servers.

The script was used to sniff out full credit card information, including card numbers, expiry dates, and security codes, directly from a customer’s browser window.

OnePlus said that it has quarantined the infected server and enhanced the security of its systems.

Clients that used their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the security breach.

As a precaution, the company is temporarily disabling credit card payments at , clients can still pay using PayPal. The company said it is currently exploring alternative secure payment options with our service providers.

OnePlus is notifying all possibly affected OnePlus customers via an email.

“We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” continues the statement.

Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief
20.1.2018 securityaffairs BigBrothers

British teenager Kane Gamble (15), leader of the ‘Crackas With Attitude’ hacking group gained access to intel operations in Afghanistan and Iran by posing as the CIA chief.
Do you remember “Crackas With Attitude”?

You remember for sure the Crackas With Attitude, a hacking crew that claimed clamorous actions in support of the Palestine cause.

The notorious group is responsible for clamorous attacks against US intelligence officials, the list of targeted victims is long and includes James Clapper, the Director of National Intelligence under President Obama’s administration and the deputy director of the FBI Jeh Johnson, CIA director John Brennan.

Cracka is also responsible for the disclosure of personal information of 31,000 government agents, including data of FBI agents, Department of Homeland Security (DHS) officers and DoJ employees.

Cracka used the account “@DotGovz” on Twitter to publish online the sensitive data.

The Cracka with Attitude team always expressed its support to Palestine, they hacked US Government entities due to its support to the Israeli politics.

The group was lead by a British teenager, Kane Gamble, that was 15-years-old at the time of the hack of CIA director.

According to prosecutors, Kane Gamble accessed secret data related to intelligence operations in Afghanistan and Iran by pretending to be head of CIA.

“He accessed some extremely sensitive accounts referring to, among other things, military operations and intelligence operations in Afghanistan and Iran.” said John Lloyd-Jones QC prosecutor.

Gamble was arrested in February 2016, in October 2017, Kane Gamble pleaded guilty to ten charges related to the attempted intrusions occurred between late 2015 and early 2016.

Two other members of Crackas With Attitude team, Andrew Otto Boggs and Justin Gray Liverman, were arrested by FBI in September 2016 and had already been sentenced to five years in federal prison.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

“It all started by me getting more and more annoyed at how corrupt and cold-blooded the US Government is so I decided to do something about it.” Gamble told a journalist.

“The court heard Gamble “felt particularly strongly” about US-backed Israeli violence against Palestinians, the shooting of black people by US police, racist violence by the KKK and the bombing of civilians in Iraq and Syria.” reported The Sun.

Gamble’s advocate sustained that Gamble he is on the autism spectrum at the time of his offending had the mental development of a teenager.

“Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.” reported The Telegraph.

“He has no friends to speak off and is closest to his mother Ann, a cleaner who reportedly won a £1.6million lottery jackpot in 1997 but “lost all the money on doomed property deals”.

William Harbage QC said that after his arrest he told doctors “it was kind of easy” and that he had little consequences of his actions “in his bedroom on the internet thousands of miles away”. “

The teenager is waiting for the final sentence.