

Four npm packages found opening shells and collecting info on Linux, Windows systems
18.10.20 
Security  Securityaffairs

On Thursday, npm staff removed four JavaScript packages from the npm portal after they were found to contain malicious code. npm is the largest package repository for any programming language.

The four packages, which had a combined total of about a thousand downloads, are:

plutov-slack-client
nodetest199
nodetest1010
npmpubman
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” the advisory continues.

The researcher Ax Sharma, who analyzed the packages, found that plutov-slack-client, nodetest1010, and nodetest199 share identical code.

Experts warn that systems running applications that imported one of these packages should be considered potentially compromised, because the three JavaScript libraries opened shells on the computers running them, giving the attacker remote command execution.

A web shell is a code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution.

npmpubman, unlike the other three, collects user data from environment variables and uploads the gathered information to a remote host.
The malicious code works on both Windows and Unix-like operating systems, including Linux, FreeBSD and OpenBSD.

One of the packages was uploaded to the npm portal in May, the remaining ones in September 2018.

“It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.” reported Bleeping Computer.

“In a real-world scenario, npmpubman could be used as a part of an attacker’s reconnaissance efforts to collect information about a system, whereas the other packages establish a direct connection between the attacker’s and the victim’s computers.”

In August, the npm security team removed the JavaScript library “fallguys” from the npm portal because it contained malicious code that stole sensitive files from infected users’ browsers and Discord application.


A Self-Service Password Reset Project Can Be A Quick Win For IT
12.10.20 
Security  Thehackernews
Since the beginning of this year, organizations' IT staff have faced numerous challenges and an increased workload as a result of the global pandemic and shift to a mainly remote workforce.

Supporting end-users that are now working from home has introduced new challenges in troubleshooting since it isn't as simple as visiting an end user's desk to resolve issues as they arise.

One support issue common to both on-premises and remote end-users is password resets and other account-related activities. These include accounts that are locked out, passwords that have expired, and password changes.

Implementing a self-service password reset (SSPR) solution can be a quick win for IT staff who are now supporting both on-premises and remote workers and taking care of other normal daily tasks.

Let's look at why SSPR solutions can lead to quick results in lowering the overall support burden on IT staff.

Increased Strain On IT Staff
The global pandemic this year has been challenging for just about everyone. Most have seen adjustments, cutbacks, increased duties, and other changes resulting from the impact of Covid-19. Earlier this year, as the global pandemic unfolded, IT staff were tasked with providing remote access to resources almost overnight. This led to many tense days as IT staff struggled to make this technically possible for every remote employee.

After the initial provisioning of a remote work solution, IT has been responsible for supporting end-users who are now reliant on home Internet connectivity and, in some cases, even on personal devices to connect to corporate resources. Like many others, IT departments may also have been subject to downsizing due to business downturns associated with the pandemic. All of these factors have led to tremendous workloads on IT staff, among others.

Two priorities emerge to help IT support staff keep up with the increased workload:

Minimizing high-volume calls to the IT service desk
Projects that improve efficiency quickly

Implementing a self-service password reset (SSPR) solution can achieve both objectives. Adopting an SSPR solution helps to minimize the overall number of calls to the IT service desk. Additionally, IT will see a quick time to value for an SSPR solution, which is easy to implement and starts yielding results almost immediately.

How Much Do Account-related Activities Cost Your Business?
According to analyst firms Gartner and Forrester Research, between 20% and 50% of help desk calls are related to password resets, and a single password reset call can cost about $70. To put those numbers in context, if your service desk triages 500 calls a month, potentially 250 of those calls are password related, accounting for $17,500 in support costs per month.

Implementing a self-service password reset (SSPR) solution could essentially eliminate the 250 calls in the example and save the organization tens of thousands per month while freeing up IT staff to triage other issues in the environment. Another cost-saving that is not accounted for is end-user productivity, which is a bit harder to quantify.

What is a Self-Service Password Reset (SSPR) Solution?
A self-service password reset solution provides a way for end-users to resolve their account issues, including password resets, account unlocks, and password changes in an automated way, without the need to interact with the service desk.

With SSPR, end-users enroll in the system and provide information that can later be used to verify their identity when the need arises to unlock their account or reset their password. Common SSPR identity verification methods include security questions and one-time passcodes delivered over text or email. Security questions are the weakest of these: their answers are often guessable or discoverable from public records and social media, so a solution that can reuse existing MFA factors is preferable.

For example, users enroll in the system with answers to predetermined questions or with their mobile number or email address. Before being able to perform account-related actions, users have to identify themselves using the enrolled verification method to ensure that they are who they say they are. The workflow is fully automated without IT staff interaction and allows end-users to get a resolution to their issue almost immediately.

Full-featured SSPR solutions generally provide the following benefits to your organization:

Fast implementation – They are easy to implement and generally provide a small footprint from an infrastructure perspective.
Measurable cost savings – Statistically speaking, SSPR solutions could potentially cut service desk calls by up to 50%. With the high cost of password resets, this can amount to tremendous savings in time and effort from service desk professionals. This has a trickle-down effect of allowing more time allocation for other issues.
Higher quality experience – End users no longer have to wait for service desk technicians to work through the queue and triage their password issue. Account-related activities and password resets can be resolved immediately with the self-service process made possible by the SSPR solution. This is easily accomplished via an intuitive web-based interface.
Increased security – IT service desk user verification is often non-existent or highly insecure, and SSPR fills this gap by verifying that users are who they say they are before a password reset is performed. The reverse also holds: the reset path is only as strong as the enrolled verification factors, and a weak factor turns SSPR into an account-takeover route.

Not All SSPR Solutions Are Created Equal
Implementing an effective SSPR solution can certainly result in a quick win for IT departments that are already stretched thin due to the COVID-19 pandemic. However, not all SSPR solutions are created equal. A large part of the success of an SSPR implementation depends on the features and functionality of the solution itself.

Some essential features you should look for include:

Enrollment specific features – pre-enrollment, admin enrollment, and forced enrollment options.
Usability – ability to access and utilize the solution easily from multiple entry points (login screen, Internet, apps, etc.)
Ability to use existing MFA tools – supports the forms of authentication users already rely on to access other applications at work.

For an SSPR solution to truly succeed and lead to a quick win for IT, you need 100% of users enrolled. As such, the solution needs to either remove the enrollment step from end-users or make enrollment mandatory while keeping it simple to use and access.

Specops uReset is an example of a fully-featured and secure SSPR solution that can ensure 100% user enrollment and usage. Request a free trial today.


Researchers found alleged sensitive documents of NATO and Turkey
11.10.20 
Security  Securityaffairs

Security experts from Cyble found alleged sensitive documents of NATO and Turkey. Is it a case of cyber hacktivism or cyber espionage?
Researchers from the US-based firm Cyble recently came across a post by an unknown threat actor operating under the moniker Spectre123, who allegedly leaked sensitive documents of NATO and Havelsan (a Turkish military/defence manufacturer).

Cyble analyzed the leaked sensitive documents and reported that they include Statement of Work files, proposals, contracts, 3d designs, resumes, excel sheets containing raw materials information, and financial statements.

It is unclear whether the threat actor acted for cyber espionage purposes or hacktivism. The content of the message advertising the leak suggests the work of hacktivists, but a nation-state actor cannot be excluded.

“Based on the message body of the leak, the cyber attack indicates hacktivism, but last year, around May 23, 2019, UK warned NATO allies of hacking activities of Russia -> Link. Also, in September 2020, it was reported that Russian hackers targeted government agencies in NATO member countries, and nations who cooperate with NATO -> Link.” reads the post published by Cyble. “These events ensue an unsatisfying narrative – Is it really hacktivism or cyber espionage?”

The availability of sensitive documents like the ones discovered by the experts could allow threat actors to gather intelligence on potential targets and use the leaked information to carry out spear-phishing campaigns.

Cyble researchers are still investigating the data leak and will provide updates on the story.


'Five Eyes' Alliance Demands Ways to Access Encrypted Apps
11.10.20 
Security  Securityweek

The "Five Eyes" intelligence alliance demanded Sunday that tech companies insert "backdoors" in encrypted apps to allow law enforcement agencies the access they say they need to police online criminality.

The top justice officials of the United States, Britain, Australia, Canada and New Zealand said in a statement that the growth of end-to-end encrypted apps that make official oversight impossible -- like Signal, Telegram, Facebook Messenger and WhatsApp -- "pose significant challenges to public safety."

"There is increasing consensus across governments and international institutions that action must be taken," they said.

"While encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online."

They called on tech companies to "embed the safety of the public in system designs," providing access to law enforcement "in a readable and usable format."

It was the strongest call yet for programmers to include "backdoor" access to encrypted communications programs.

India and Japan, which cooperate in intelligence with the Five Eyes group, added their names to the statement.

Law enforcement globally has complained of the difficulty encrypted communications poses to criminal investigations.

But end-to-end encryption also offers protection to all sorts of activities from business to political dissent.

Pro-privacy advocates say encoding the means for law enforcement to access a user's communications can endanger democracy activists and empower dictatorial governments.

Pressure has built in recent years in the US and Europe to force the makers of encryption apps to provide access to law enforcement.

According to the Electronic Frontier Foundation, which advocates for privacy on the internet, European countries have moved closer to regulating such apps.

In an article last week, the EFF said that recently leaked European Union documents indicate a plan to bring anti-encryption laws forcing backdoor access before the European Parliament "within the next year."

It would be "a drastically invasive step," EFF said.

The Five Eyes statement says that its proposal would require safeguards and oversight so that authorities cannot take advantage of their access without cause.

They justified the need based on the prevalence of child sexual abuse material on the internet.

In the United States, most prominent cases in which law enforcement said it was stymied by encrypted devices and communications have been related to violent extremism.


Stuck in Your 'Smart' Chastity Device? Use a Screwdriver, Manufacturer Says
9.10.20 
Security  Securityweek

The maker of a 'smart' male chastity device has recommended using a screwdriver to break them open after warnings they can be locked remotely by hackers.

Chinese firm Qiui, whose Bluetooth-controlled Cellmate device can only be unlocked via an app, issued a video called "When nothing else works", showing the screwdriver fix.

It follows a warning from researchers that the Cellmate, which clamps a metal ring around the genitals, is vulnerable to hackers who could lock them en masse, potentially trapping thousands of users.

Company founder and CEO Jake Guo said it was "simply not true" that users could get stuck in the Cellmate, which is marketed both for anti-cheating and submission sex play.

"In case you cannot contact our customer support, the second option is to break open the Cellmate cap with a screwdriver or similar, as demonstrated in the video on our website," he said in a statement sent to AFP.

"This will allow you to remove the pin lock and device."

Guo added: "Compared to Cellmate, wearing a traditional chastity cage –- often made of steel -– with a classic padlock is much riskier.

"If you lose the key, you actually would need a grinder or bolt-cutter to remove the cage."


Alex Lomas of Pen Test Partners, which released the research report, questioned the screwdriver manoeuvre, wondering whether the required angle was possible while wearing a Cellmate.

"Also, it's a bit close for comfort!" he wrote on Twitter. "Have you tried this for real?"

His colleague Ken Munro told the BBC: "The forceful use of a screwdriver in close proximity to a very sensitive area of the anatomy seems very unwise."

- Internet of things -

PTP also found other security flaws in the Cellmate -- listed for $189 on Qiui's website -- that could expose user information such as names, phone numbers, birthdays and location data.

Smart sex toys and devices are among the wave of new "internet of things" products and appliances introduced in recent years that are online and capable of being operated remotely.

Their connectivity has also made them vulnerable to security breaches and privacy violations.

To guard against hacks, Guo advised Cellmate users to remove the Qiui app on their phones and replace it with an updated version.

"Every modern device can potentially be hacked nowadays," he said.

"When a possible security leak with a game console, PC, smart phone or social media app is discovered and reported, people don't seem to have the tendency to stop using them."


Google Readies Redesigned Security Alerts for Google Accounts
8.10.20 
Security  Securityweek

Google this week revealed that it’s working on redesigning the security alerts for Google accounts and that it will make them available directly in the applications users are logged into.

The company has already built numerous protections into Google accounts and other Google products, with Safe Browsing delivering protection for over 4 billion devices, Gmail blocking in excess of 100 million daily phishing attempts, and Google Play Protect scanning more than 100 billion apps per day.

However, the company plans to continue investing in such protections, and keeping users notified of suspicious activity on their Google accounts is one of the areas to receive improvements.

Since 2015, notifications regarding critical issues in Google accounts have been delivered to Android devices, and Google says that an increasing number of users have been engaging with these alerts within one hour of receiving them.

“Soon we’ll be introducing a redesigned critical alert and a new way of delivering it. When we detect a serious Google Account security issue, we’ll automatically display an alert within the Google app you’re using and help you address it—no need to check email or your phone’s alerts,” Google says.

The company claims that the new alerts are resistant to spoofing, and that the warnings will be rolled out to a limited set of users in the coming weeks, with more users receiving them early next year.

In the coming weeks, Google will also introduce for Google Assistant on home devices a ‘Guest mode,’ where interactions won’t be saved to the user’s account. The Guest mode can be easily turned on or off, and users also have the possibility to delete any interaction with the Assistant using voice commands only.

Google is also rolling out new security and privacy protections for Google Workspace, along with updated password protections in Chrome. Furthermore, the company is advancing its implementation of a Privacy Sandbox in the browser, in an attempt to further improve user privacy online.

“To make it easier to control your privacy, you'll soon be able to directly edit your Location History data in Timeline by adding or editing places you’ve visited with just a few taps, and because Search is the starting point for so many questions, starting today we’ll display your personal security and privacy settings when you ask things like ‘Is my Google Account secure?’,” the company says.

Android 11, which started arriving on devices last month, includes security and privacy improvements as well, including on-device training of word-prediction and other AI models so that the data never leaves the device.


Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables
8.10.20 
Security  Threatpost

Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users.

Google’s latest version of its browser, Chrome 86, is now being rolled out with 35 security fixes – including a critical bug – and a feature that checks if users have any compromised passwords.

As of Tuesday, Chrome 86 is being promoted to the stable channel for Windows, Mac and Linux and will roll out over the coming days. The versions of the browser for Android and iOS were also released Tuesday, and will become available on Google Play and the App Store this week.


Included in the newest browser version is a fix for a critical flaw (CVE-2020-15967) in Chrome’s payments component. The flaw, reported by Man Yue Mo of GitHub Security Lab, is a use-after-free vulnerability. Use after free is a memory-corruption flaw in which a program keeps using a pointer to memory after that memory has been freed. The impact ranges from crashing the program to, when an attacker can control what is reallocated in the freed region, execution of arbitrary code.

Use-after-free bugs have plagued Google Chrome in the past year. In fact, all seven high-severity vulnerabilities fixed by Google in Chrome 86 were use-after-free flaws – ranging from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components (WebRTC is a protocol for rich-media web communication).

Further details of the bugs are not yet available, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s Tuesday post.

Password Check
The Android and iOS versions of Chrome 86 also come with a new security feature, which sends a copy of users’ usernames and passwords using a “special form of encryption.” That lets Google check them against a list of credentials known to be compromised.

“Passwords are often the first line of defense for our digital lives,” Abdel Karim Mardini, senior product manager with Chrome, said in a Tuesday post. “Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.”

At the back end, when Google detects a username and password exposed by a data breach, it stores a strongly hashed and encrypted copy of the data. When a Chrome user then logs into a website, the feature sends a strongly hashed and encrypted version of the entered username and password to Google; because of how the data is encrypted, Google never derives the plaintext username or password from the copy it receives, it said.

Google then returns the encrypted database entries of “unsafe” credentials that share the same anonymous hash prefix as the submitted credential, and the final comparison is completed on the device, ensuring, it said, that the username and password are not revealed at any point in the process.

Google rolled out an iteration of this feature in 2019, when it unveiled the Password Checkup Chrome extension, to alert Chrome browser users of weak or compromised passwords. The company has now embedded this functionality directly into Chrome for Android and iOS for better ease of use. It has also added support for “/.well-known/change-password” URLs, letting Chrome take users directly to the right “change password” form after they’ve been alerted that their password has been compromised.

“We notify you when you have compromised passwords on websites, but it can be time-consuming to go find the relevant form to change your password,” said Mardini.

Password reuse remains a staple problem in the security industry and has led to a slew of attacks, most notably credential stuffing. A Google study released in August 2019, based on data collected by the Password Checkup Chrome extension, found that 1.5 percent of the website logins examined (some 316,000) used credentials that had already been exposed in a breach.

Google’s password checkup feature joins other similar services including Have I Been Pwned and Mozilla’s Firefox Monitor in fighting against stolen password problems.

Other Features
Chrome 86 also comes with a slew of other security features, including Safety Check on iOS and Android. This feature is used to check for compromised passwords, tell users if Safe Browsing is enabled and whether the version of Chrome being run is updated with the latest security protections.

Chrome 86 also includes mixed-form warnings on desktop and Android that warn users before they submit a form which posts over plain HTTP from a page loaded over HTTPS. And the browser will now block, or warn on, some insecure downloads initiated by secure pages.

“Currently, this change affects commonly abused file types, but eventually secure pages will only be able to initiate secure downloads of any type,” according to Google.


Internet Engineering Task Force Proposes Standard for Network Time Security
2.10.20 
Security  Securityweek

IETF Publishes New Proposal to Add Security to Network Timing

The Internet Engineering Task Force (IETF) has published RFC8915, its proposed standard for network time security (NTS). It has been five years in the making and is designed to remedy the issues and vulnerabilities that exist in the current network time protocol (NTP).

Accurately synchronized time between different computers over packet-switched, variable-latency data networks is essential. This becomes even more critical in the age of the fourth industrial revolution, where the accurate timing and sequence of different processes is vital. Since its launch in 1985, NTP has served this purpose well. However, over the last 35 years it has become apparent that various vulnerabilities and issues in NTP demonstrate that it requires an increased level of security. NTS is designed to provide that security.

The existing issues affecting basic NTP include DDoS amplification, packet manipulation, and replay attacks, the last two carried out by man-in-the-middle (MiTM) attackers who can forge messages and falsify the time.

The primary remedy is the introduction of asymmetric cryptography for the initial server authentication, which defeats MiTM attacks on that step. Because asymmetric operations are slower than symmetric ones, the key-establishment step is itself a more attractive DDoS target. NTS limits the damage by running key establishment on a separate NTS-KE service: as RFC8915 notes, "a successful DDoS attack on an NTS-KE server separated from the NTP service it supports will not affect NTP users that have already performed initial authentication, AEAD key extraction, and cookie exchange."

The proposed standard also warns that NTS does not fully protect against attacks from on-path adversaries. "In addition to dropping packets and attacks... an on-path attacker can send spoofed Kiss-o'-Death replies, which are not authenticated, in response to NTP requests."

However, NTS does largely prevent the use of some NTP implementations in DDoS amplification attacks. "Certain nonstandard and/or deprecated features of the Network Time Protocol enable clients to send a request to a server that causes the server to send a response much larger than the request," notes the standard. NTS avoids contributing to this problem by ensuring that NTS-related extension fields included in server responses are the same size as the fields sent by the client.

This is not a hundred-percent accurate statement since RFC7822 requires that extensions be padded and aligned to four-octet boundaries -- meaning that response size may in some cases exceed request by up to three octets. But as the IETF comments, "This is sufficiently inconsequential that we have declined to address it."

"The publication of RFC8915 is an important moment both for the development of NTS and for security on the Internet in general," comments Lars Michael Jogback, the CEO of Netnod. Netnod is a Swedish firm that provides NTP, NTS and Precision Time Protocol (PTP) services. "Netnod is proud to have been at the forefront of developing the NTS standard and implementations. We will continue to focus on services such as NTS to make the Internet as secure and robust as possible for everyone."


Voatz Under Fire From Infosec Community Over Its Views on Security Research
16.9.20 
Security  Securityweek

Representatives of the infosec community have signed an open letter in response to an amicus brief that mobile elections platform developer Voatz filed with the U.S. Supreme Court in the case of Nathan Van Buren.

Van Buren is a former police officer who was charged under the Computer Fraud and Abuse Act (CFAA) after he was bribed to search for confidential information in a police database. While prosecutors say he violated the CFAA by exceeding authorized access, his defense claims he did not exceed authorized access since he had been given the credentials to access that database. The court’s decision in this case could have far-reaching implications, including for security research.

Security researchers may violate a product’s terms of use when searching for vulnerabilities, since companies often ban analysis of their products in those terms. If that were considered “exceeding authorized access” under the CFAA, vendors could more easily take legal action against researchers looking for vulnerabilities in their products.

In the amicus brief it filed, Voatz suggests that only authorized security research should be considered lawful, but not independent security research, even if in good faith. The company opposes an effort to narrow the meaning of the CFAA, which was enacted in 1986, to allow for unauthorized independent research.

“Rather, the necessary research and testing can be performed by authorized parties. These include private consulting firms and participants in organized ‘bug bounty’ programs,” Voatz’s amicus brief reads.

In response to the filing, representatives of the infosec community, including people involved in global coordinated vulnerability disclosure programs, bug bounties, and election security, say that Voatz’s brief “fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure.”

They also add that “the broad interpretation of the CFAA threatens security research activities at a national level,” reiterating their support for the petitioner in the case, Van Buren.

An amicus brief was also filed in the case of Van Buren by the EFF.

Security research, the open letter notes, has implications in almost all aspects of life, including systems that humans heavily rely on, such as medical devices and automobiles, and going all the way to industrial and election systems.

“It is clear security research has tangibly improved the safety and security of systems we depend upon. It is not a given that this vital security work will continue. A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research,” the letter reads.

Furthermore, it underlines the benefits of coordinated vulnerability disclosure, which has become a widely adopted practice that encourages researchers to hunt for and safely report vulnerabilities to vendors. Organizations are increasingly expected to provide researchers with a channel for reporting security issues, and federal agencies are now required to adopt these practices under a recent Cybersecurity and Infrastructure Security Agency (CISA) directive.

“Vulnerability disclosure policies and bug bounties help mitigate, but do not solve, the broader chilling effects of the law toward security research,” the letter reads, explaining that, despite claiming to offer safe harbor to security researchers reporting vulnerabilities, organizations may still take legal action against them.

The letter also points out that, “under a broad interpretation of the CFAA, a failure to comply with any component of a vulnerability disclosure policy would itself constitute a contractual violation, and hence a CFAA violation, even if the policy specifically authorizes testing,” and that any research that also involves a company’s vendors or third-party services might not benefit from the protection.

From this perspective, the letter notes, Voatz acts in bad faith, especially since the company hasn’t followed rules established by its own policies and took action against a student, although their actions were considered authorized under Voatz’s safe harbor policies. The company later updated the policy to disallow the student’s activity.

“There is great irony in the fact that Voatz’s own interactions with researchers highlight the need for CFAA reform; Voatz’s actions demonstrate how firms are not necessarily incentivized to behave well. A firm acting in bad faith should not subject a good-faith researcher to legal action,” the letter reads.

The signatories of the letter explain how Voatz failed to act in “good faith” towards researchers in the past, which in March of this year led HackerOne to remove the company from its bug bounty platform. Voatz even disputed MIT research that identified vulnerabilities disclosed in collaboration with CISA, further demonstrating its hostility toward security researchers, the letter says.

“To companies like Voatz, coordinated vulnerability disclosure is a mechanism that shields the company from public scrutiny by allowing it to control the process of security research. The fact that the MIT researchers discovered vulnerabilities that reflect poorly on Voatz’s security only underscores the need for public scrutiny — what is simply a hassle to Voatz is a crucial warning flare to the public,” the letter reads.

The letter’s signatories also reaffirmed their support of efforts at strengthened security research, noting that security researchers perform work that is vital to the public interest.

“We must not let Voatz’s distorted arguments overshadow many recent advancements in this space,” the letter reads.

The signatories also point out that CISA has released guidance for election administrators to implement vulnerability disclosure policies, and that six major voting vendors have already committed to launching such policies.

“A broad interpretation of the CFAA risks undoing many of these positive advancements. Voatz’s actions threatening good-faith security research are indicative of what may come should the Court decide that a breach of contractual terms constitutes a criminal CFAA violation. We cannot afford to lose the benefits of security research on our digital and physical safety, and our democracy as a whole. Thus, we urge the Court to adopt a narrow interpretation of the CFAA in support of the petitioner,” the letter reads.


Oracle Announces Availability of Cloud Guard, Maximum Security Zones
15.9.20 
Security  Securityweek

Oracle on Monday announced the general availability of its Cloud Guard and Maximum Security Zones cloud security tools.

Cloud Guard and Maximum Security Zones were among the new security services unveiled by Oracle in September 2019. Offered to Oracle Cloud customers at no extra cost, they help automate threat response and reduce risk.

Oracle Cloud Guard, now available in all commercial regions, is designed to continuously monitor activities and configurations in an effort to identify and address potential threats. The tool directly integrates with Oracle Cloud Infrastructure Services and it relies on three components: targets, which define which resources should be examined; detectors, which identify issues and alert users; and responders, which automatically take action when a problem is detected (e.g. suspend users, stop instances).

Oracle Maximum Security Zones is designed to help organizations deploy cloud workloads securely and prevent misconfiguration errors by enforcing security best practices. According to Oracle, the service “extends IaaS access management to restrict insecure actions or configurations using a new policy definition that applies to designated cloud compartments.”

Maximum Security Zones includes policies for infrastructure services such as Networking, Object Storage, File Storage, Encryption and DBaaS.

One of the companies that has been using Oracle Cloud Guard is consulting giant Accenture.

“Accelerating the path to value is our key focus area, and Oracle technology and Oracle Cloud is a key factor to deliver on that. We were immediately impressed with Oracle Cloud Guard – the set-up, ease of use, and immediate results about potential misconfigurations,” said Chris Pasternak, managing director at Accenture. “We appreciate the fact that this capability is available at no cost above the Oracle Cloud Infrastructure investment. It further solidifies the conversations I have with my clients about how Oracle builds Oracle Cloud with security in mind first; Oracle Cloud Guard is a great example of how Oracle continues that heritage.”

Natural ingredients maker Darling Ingredients has also tested Cloud Guard, as well as Maximum Security Zones.

“We recently turned on Oracle Cloud Guard, and we've been looking at Oracle Maximum Security Zones to see how we're doing as we deploy the Oracle E-Business Suite production instance into Oracle Cloud Infrastructure,” said Tom Morgan, threat intelligence lead, Cyber Security Group, Darling Ingredients. “What I like about Oracle Cloud Guard is the fact that it is continuously running and available to a wider group of people, which provides a continuous improvement process in our security posture. It's also included with Oracle Cloud Infrastructure, which is a really good value.”


Epic Manchego gang uses Excel docs that avoid detection
8.9.20 
Security  Securityaffairs

A recently discovered cybercrime gang, tracked as Epic Manchego, is using a new technique to create weaponized Excel files that are able to bypass security checks.
Security experts from NVISO Labs recently spotted the activity of a new malware gang, tracked as Epic Manchego, that has been targeting companies across the world with phishing emails since June. The phishing messages carry weaponized Excel documents that are able to bypass security checks and that had low detection rates.

The trick used by the Epic Manchego gang consists of generating the documents with a .NET library called EPPlus instead of with the standard Microsoft Office software.

The EPPlus library is widely adopted; many organizations and development teams integrate it into their applications to add functions such as “Export as Excel” or “Save as spreadsheet.”

The library can generate files in multiple spreadsheet formats and also supports Excel 2019. NVISO researchers observed the Epic Manchego crew using the EPPlus library to generate spreadsheet files in the Office Open XML (OOXML) format.

The OOXML files generated by Epic Manchego lack the section of compiled VBA code that is specific to Excel documents produced by Microsoft’s proprietary Office software.

Some antivirus solutions specifically analyze this section to look for malicious VBA code in Excel documents. Its absence makes the Excel files generated by the Epic Manchego gang hard to detect.

The Epic Manchego threat actors stored their malicious code in a custom VBA code format, which was also password-protected to hinder analysis by researchers.

“At first, we thought they were created with Excel, and were then VBA purged. But closer examination leads us to believe that these documents are created with a .NET library that creates Office Open XML (OOXML) spreadsheets.” reads the analysis published by NVISO. “As stated in our VBA Purging blog post, Office documents can also lack compiled VBA code when they are created with tools that are totally independent from Microsoft Office. EPPlus is such a tool.”
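The practical consequence for defenders is that the compiled-VBA section is an unreliable signal: a spreadsheet carries macros whenever the package contains a VBA project part, however it was generated. The following triage script is an added example, not NVISO's or EPPlus's code; it uses only the Python standard library, treats the OOXML file as the ZIP package it is, and reports the VBA project part, its OLE header, the declared content type and the producer string from docProps/app.xml. The sample packages it builds are constructed placeholders, not real documents.

```python
"""Added example: triage an OOXML spreadsheet for a VBA project regardless of p-code."""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound-file header of vbaProject.bin
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
EP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"


def triage_ooxml(blob):
    """Return triage facts for an OOXML package given as raw bytes."""
    result = {"is_ooxml": False, "vba_project": False, "ole_magic_ok": False,
              "vba_content_type": False, "producer": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    names = set(zf.namelist())
    result["is_ooxml"] = "[Content_Types].xml" in names
    if not result["is_ooxml"]:
        return result
    # 1. The macro container is xl/vbaProject.bin. Its presence alone means macros,
    #    whether or not the compiled p-code some scanners key on is inside it.
    if "xl/vbaProject.bin" in names:
        result["vba_project"] = True
        result["ole_magic_ok"] = zf.read("xl/vbaProject.bin").startswith(OLE_MAGIC)
    # 2. The package must declare the part's content type for Excel to load it.
    types = ET.fromstring(zf.read("[Content_Types].xml"))
    result["vba_content_type"] = any(
        o.get("ContentType") == VBA_CONTENT_TYPE for o in types.iter(CT_NS + "Override"))
    # 3. Producer hint: docProps/app.xml names the application that wrote the file.
    if "docProps/app.xml" in names:
        app = ET.fromstring(zf.read("docProps/app.xml")).find(EP_NS + "Application")
        result["producer"] = app.text if app is not None else None
    return result


def verdict(blob):
    """Route any spreadsheet carrying a VBA project to macro (source) analysis."""
    facts = triage_ooxml(blob)
    return "macro-enabled: analyze VBA source" if facts["vba_project"] else "no VBA project"


# --- constructed sample packages (placeholder contents, no real macros) -----------
def build_sample(with_macros, producer="constructed-generator"):
    """Build a minimal OOXML-like ZIP; the producer string is a constructed value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = ('<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>'
                    % VBA_CONTENT_TYPE) if with_macros else ""
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/>%s</Types>' % override)
        zf.writestr("docProps/app.xml",
                    '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
                    '2006/extended-properties"><Application>%s</Application></Properties>' % producer)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Header-only stand-in for the OLE compound file that holds the VBA project.
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample(flag)
        print(verdict(sample), triage_ooxml(sample))
```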

Experts pointed out that the spreadsheet files created with the EPPlus library worked like any other Excel document.

Upon opening the Excel files, the embedded malicious script is executed once the victim clicks the “Enable editing” button. The macros then download and install the malicious payload, a data stealer, on the victim’s system.

Experts observed the attackers delivering well-known infostealer trojans, like Azorult, AgentTesla, Formbook, Matiex, and njRat.

The use of this specific trick was a hallmark of Epic Manchego’s attacks and made them easy for the NVISO experts to spot; the researchers discovered more than 200 malicious Excel files associated with this threat actor.

According to the researchers, the first attack dates back to June 22, 2020.

Since the first attack, experts have detected more than 200 malicious documents over a period of two months. The cybercrime gang has increased its activity in recent weeks; on some days the researchers spotted more than 10 new malicious documents.

“NVISO assesses with medium confidence that this campaign is delivered by a single threat actor based on the limited number of documents uploaded to services such as VirusTotal, and the similarities in payload delivery throughout this campaign,” concludes the analysis.


Google Announces Confidential GKE Nodes, General Availability of Confidential VMs
8.9.20 
Security  Securityweek

Google on Tuesday announced an expansion of its Confidential Computing portfolio, with the general availability of Confidential VMs and the addition of Confidential GKE (Google Kubernetes Engine) Nodes.

Introduced in July in beta, Confidential VMs were the first product in the Google Cloud Confidential Computing portfolio, and Google is making them available to all Google Cloud customers in the coming weeks. The product will include all of the features that were introduced during the beta stage.

Confidential GKE Nodes, the second product in Google’s Confidential Computing portfolio, will arrive in beta when GKE 1.18 is released and should provide organizations with more options for confidential workloads when looking to use Kubernetes clusters with GKE.

Built using the same technology foundation as Confidential VMs, Confidential GKE Nodes help organizations keep data encrypted in memory using a dedicated key that is node-specific. The AMD EPYC processor generates and manages the key, Google explains.

The new product will provide organizations with the ability to configure a GKE cluster so that only node pools that have Confidential VM capabilities are deployed. Thus, the use of Confidential VMs is automatically enforced for all worker nodes on clusters that use Confidential GKE Nodes.

According to Google, hardware memory encryption that uses AMD EPYC processors’ Secure Encrypted Virtualization feature is employed by Confidential GKE Nodes, so that all workloads on these nodes are encrypted when in use.

Confidential VMs too leverage memory encryption to isolate workloads and tenants, offering an easy-to-use option to ensure that the memory of workloads in Google Compute Engine is protected.

According to Google, Confidential VMs also provide high performance, even for demanding computational tasks, and ensure that VM memory remains encrypted (using a per-VM key that the secure processor within AMD EPYC chips generates and manages).

New capabilities that the Internet giant is introducing for Confidential VMs include audit reports for compliance (with detailed logs on the integrity of the firmware responsible for key generation), new policy controls for confidential computing resources, integration with other enforcement mechanisms, and the ability to share secrets securely with Confidential VMs.

Organizations can now define specific access privileges for Confidential VMs, through the IAM Org Policy, and can disable non-confidential VMs within the project. Moreover, they can combine Shared VPCs, policy constraints, and firewall rules, so that only interaction between Confidential VMs is allowed, or to define a perimeter of GCP resources for the VMs.

Now, Confidential VMs ensure that sharing of secrets is done securely, through the virtual Trusted Platform Module (vTPM). Furthermore, the go-tpm open source library allows organizations to use APIs to bind secrets to the vTPM of the Confidential VM.


Google Increases Bug Bounty Payouts for Abuse Risk Flaws
3.9.20 
Security  Securityweek

Google this week increased the reward amounts paid to researchers for reporting abuse risk as part of its bug bounty program.

Google added product abuse risks to its Vulnerability Reward Program (VRP) two years ago and says that more than 750 such issues have been identified since.

The amount for high severity issues was increased by 166% from $5,000 to $13,337. Furthermore, Google announced that security researchers who submit reports on security flaws with medium to high impact and probability may receive up to $5,000 for their discoveries.

The company is willing to pay up to $1,337 for low impact flaws with high probability.

“Starting today the new rewards take effect. Any reports that were submitted before September 1, 2020 will be rewarded based on the previous rewards table,” the company says.

The Internet giant notes that the final reward amount that a researcher will be awarded for their findings “remains at the discretion of the reward panel.” Both the severity of the issue and the number of impacted users are taken into consideration when evaluating the impact of an abuse risk.

Google also said that it is considering expanding the scope of Vulnerability Research Grants to support research aimed at the prevention of abuse risks, but that specific details on the matter will be shared at a later date.

“Identification of new product abuse risks remains the primary goal of the program. Reports that qualify for a reward are those that will result in changes to the product code, as opposed to removal of individual pieces of abusive content,” the search company explains.

Google points out that, while the nature of product abuse is changing in line with advances in technology, it is mainly interested in research aimed at protecting users’ privacy and ensuring the integrity of Google’s technologies, in addition to preventing financial fraud or other types of harm.


Tor launches Tor Project Membership Program to financially support its work
2.9.20 
Security  Securityaffairs

The Tor Project announced the launch of the Tor Project Membership Program to financially support the work of the organization.
The Tor Project launched the Tor Project Membership Program to financially support its work.

The move aims to diversify the funding in the organization’s budget and to increase unrestricted funds for the software development of Tor and other tools.
The Tor Project Membership Program also aims to reinforce partnerships with private organizations that want to support the work of the nonprofit.

“Today we are officially launching the Tor Project Membership Program, a new way for nonprofit and private sector organizations to financially support our work.” reads the announcement. “We decided to create a program inspired by what Tor is based on, community. Our goal is to build a supportive relationship between our nonprofit and private sector organizations that use our technology or want to support our mission.”

The five founding members are Avast, DuckDuckGo, Insurgo, Mullvad VPN, and Team Cymru.
The Tor Project Membership Program is very important for drastically reducing the turnaround period (six to twelve months) from submission of a proposal to receipt of a contract and start of work.

Thanks to the membership program, the organization will be able to adopt a more agile development process.

“Because we are a software development organization, relying only on grant funding, forces us into a development model that is slow and archaic. We can never execute solutions immediately in an agile way or experiment quickly with possible paths.” continues the announcement. “We want to change that so we can respond to issues and start projects faster. And we can do that by increasing the number and amount of unrestricted contributions to the Tor Project.”

The Tor software is essential for anyone who wants to avoid censorship, including activists, journalists, and civil rights organizations.
Several third-party projects, such as GlobaLeaks, SecureDrop, the Brave browser, and OnionShare, include integrated support for the Tor network in their solutions.

“Any membership level contribution means that your organization will have access to Onion Advisors and our special webinars. The only thing that differentiates the tiers is the public promotion of your membership. Each tier will come with varying opportunities to share your organization’s commitment to online privacy with our hundreds of thousands of followers and dedicated community.” concludes the announcement.

Companies interested in becoming a member can reach out to the organization by email at giving@torproject.org.


Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today

1.9.20  Security  Thehackernews

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months (825 days).
In a move that's meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their creation date.
The lifespan of SSL/TLS certificates has shrunk significantly over the last decade. In 2011, the Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities and vendors of browser software, imposed a limit of five years, bringing down the certificate validity period from 8-10 years.
Subsequently, in 2015, it was cut to three years, and in 2018 to two years.
Although the proposal to reduce certificate lifetimes to one year was shot down in a ballot last September, the measure has been overwhelmingly supported by the browser makers such as Apple, Google, Microsoft, Mozilla, and Opera.
Then in February this year, Apple became the first company to announce that it intends to reject new TLS certificates issued on or after September 1 that have a validity of more than 398 days. Since then, both Google and Mozilla have followed suit to enforce similar 398-day limits.
Certificates issued before the enforcement date won't be impacted, nor will those issued by user-added or administrator-added root certificate authorities (CAs).
"Connections to TLS servers violating these new requirements will fail," Apple explained in a support document. "This might cause network and app failures and prevent websites from loading."
For its part, Google intends to reject certificates that violate the validity clause with the error "ERR_CERT_VALIDITY_TOO_LONG" and treat them as misissued.
Additionally, some SSL certificate providers, such as DigiCert and Sectigo, have already stopped issuing certificates with a two-year validity.
To avoid unintended consequences, Apple recommends that certificates be issued with a maximum validity of 397 days.
Why Shorten Certificate Lifespans?
Capping certificate lifetimes improves website security because it reduces the window in which compromised or bogus certificates can be exploited to mount phishing and malware attacks.
That's not all. Mobile versions of Chrome and Firefox do not proactively check for certificate status due to performance constraints, causing websites with revoked certificates to load without giving any warning to the user.
For developers and site owners, the change is a good time to implement certificate automation using tools such as Let's Encrypt and EFF's Certbot, which offer an easy way to set up, issue, renew, and replace SSL certificates without manual intervention.
"Expired certificates continue to be a massive problem, costing companies millions of dollars due to outages every year," said Chris Hickman, the chief security officer at Keyfactor. "On top of that, more frequent expired certificate warnings may result in web visitors becoming more comfortable bypassing the security warnings and error messages."
"However, certificate subscribers frequently forget how or when to replace certificates, causing service outages from unexpected expiration [...] leaving them ill-equipped to manage these new shorter life certificates at scale."
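To make the new rule concrete, here is an added example (not from the article, Apple's or Chrome's code) of a stdlib-only Python checker that pulls notBefore/notAfter out of a DER-encoded certificate and applies the 398-day cap to certificates issued on or after September 1, 2020. It assumes the RFC 5280 / CA/Browser Forum convention that the validity period runs from notBefore through notAfter inclusive (one reason a 397-day target is the safe choice), and the stub_certificate helper only builds a constructed, unsigned stand-in certificate for testing.

```python
"""Added example: check a DER certificate's validity period against the 398-day cap."""
import datetime as dt

UTC = dt.timezone.utc
MAX_DAYS = 398                                     # cap enforced by Apple, Google, Mozilla
ENFORCEMENT = dt.datetime(2020, 9, 1, tzinfo=UTC)  # applies to certs issued on/after this date


def _tlv(data, pos):
    """Parse one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = val.decode("ascii")
    if tag == 0x17:                                # YYMMDDHHMMSSZ; RFC 5280: 50-99 means 19xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def validity_period(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    tag, cert, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(_children(cert))[1]                 # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = list(_children(fields[3][1]))
    return _parse_time(*not_before), _parse_time(*not_after)


def check_lifetime(cert_der, max_days=MAX_DAYS):
    """Apply the 398-day rule; return the verdict and the measured lifetime in days."""
    not_before, not_after = validity_period(cert_der)
    # Validity is inclusive of both endpoints, so measure notAfter - notBefore + 1 second.
    days = (not_after - not_before + dt.timedelta(seconds=1)) / dt.timedelta(days=1)
    if not_before < ENFORCEMENT:
        return {"ok": True, "days": days, "reason": "issued before enforcement date"}
    if days > max_days:
        return {"ok": False, "days": days, "reason": "ERR_CERT_VALIDITY_TOO_LONG"}
    return {"ok": True, "days": days, "reason": "within cap"}


# --- constructed test fixture: an unsigned stand-in certificate -------------------
def _der(tag, payload):
    """Encode one DER element with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def stub_certificate(issued_iso, span_days):
    """Build a structurally valid Certificate (dummy names, key and signature) whose
    validity starts at issued_iso (e.g. "2020-09-01") and lasts span_days. Test-only."""
    not_before = dt.datetime.fromisoformat(issued_iso).replace(tzinfo=UTC)
    not_after = not_before + dt.timedelta(days=span_days)

    def utc_time(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())

    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    rsa_key = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")))
                   + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))       # version v3
                     + _der(0x02, b"\x01")                  # serialNumber
                     + sha256_rsa                           # signature algorithm
                     + _der(0x30, b"")                      # issuer (empty Name)
                     + _der(0x30, utc_time(not_before) + utc_time(not_after))
                     + _der(0x30, b"")                      # subject (empty Name)
                     + rsa_key)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    for span in (825, 398, 397):
        print(span, check_lifetime(stub_certificate("2020-09-01", span)))
```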


ZDI Shares "Crazy" Stories on 15-Year Anniversary
21.8.20 
Security  Securityweek

Trend Micro’s Zero Day Initiative (ZDI) this week celebrated its 15-year anniversary and the company has shared some “crazy” and “odd” stories with SecurityWeek.


Since its launch in 2005, ZDI, which describes itself as the world’s largest vendor-agnostic bug bounty program, says it has reported more than 7,500 vulnerabilities to vendors and it has paid out more than $25 million to over 10,000 researchers.

ZDI is also the organizer of the Pwn2Own hacking competitions, where white hat hackers have earned tens or hundreds of thousands of dollars for demonstrating sophisticated exploits targeting smartphones, IoT devices, operating systems, popular software, industrial control systems, and even cars.

Here are the interesting stories from the past 15 years that ZDI has shared with SecurityWeek:

Shutting down government operations:

Back in 2015, we received a submission that demonstrated how to bypass the LNK patch meant to fix a bug used by Stuxnet in 2010. We definitely purchased the bug, and Microsoft patched it quickly. After the Shadow Brokers leak, it came to light that one of the tools was called “EZCheese” – a tool that exploited the LNK patch from 2010. After our submission, the agency (allegedly) developed a different tool called “Brutal Kangaroo” for the same purpose. That’s just one example. Bugs we’ve purchased also helped disrupt the Black Energy APT and were referenced often in the Hacking Team data breach from 2015.

Nearly setting the hotel on fire in Amsterdam:

At Mobile Pwn2Own in 2012, we somehow forgot that European electricity is at a higher voltage than U.S. electricity. We had an adapter nearly go up in smoke. We felt a little better about that situation when one of our researchers made the same mistake with a Tesla head unit prior to Pwn2Own in 2019. Fortunately, that just required a new power supply and not a new head unit. To his credit, he bounced back strong and was one half of the duo that won the Tesla Model 3 with a compromise of the infotainment system.

Dropping 0-day on our “parents”:

The ZDI must remain independent of our parent company. This is true to the extent that when we purchase bugs in our parent company’s products, they are subject to the same disclosure timelines. In the past, this has led to multiple instances of the ZDI dropping a 0-day on our parent company’s software. To say these were awkward calls with executives is putting it mildly. However, it does demonstrate to the researcher community that we hold everyone to the same standard.

Winning the Microsoft Bounty:

Our research earned $125,000 from Microsoft for submitting a bypass for defensive measures Microsoft had implemented in their browser. The submission took only a couple of weeks to complete. Our research was unique to the point that we earned a patent on the technique. Even though they paid out, a part of that research ended up being disclosed as a 0-day. All of the money was donated to charities focused on STEM education.

Challenges in Running Pwn2Own:

Once, due to a miscommunication with the conference organizers, we didn’t have laptops. We ended up running around Vancouver looking for identical HP laptops we could use for the contest. One of the biggest challenges is making sure we have all of the latest patches for the devices in the contest. Vendors often patch immediately before the contest, which means we’re up late at night to ensure everything is up to date. This can also be complicated by updates that are only available in certain regions. It’s tough on contestants as well. There have been multiple times where someone lands in Vancouver on a Monday with a working exploit only to have it fail on the Wednesday after Patch Tuesday.

Exceptional eccentricities:

Every program that does vulnerability disclosure receives their fair share of submissions that don’t meet the bar for various reasons. Sometimes the bug is already public. Sometimes it’s a legitimate bug in a product we’re not interested in. Sometimes it just isn’t a real bug. This can lead to some interesting exchanges with those who are convinced their “bug” could set the Internet on fire. In rare cases, we’ve had to deal with people who send in long, rambling conspiracy theories about how their neighbors and every 3-letter agency is out to get them. Still, all things considered, we have a much lower rejection rate than most agencies doing vulnerability disclosure.


Threat Report Portugal: Q2 2020

15.8.20  Security  Securityaffairs

The Threat Report Portugal: Q2 2020 compiles data collected on the malicious campaigns that occurred from April to June, Q2, of 2020.
The Portuguese Abuse Open Feed 0xSI_f33d is an open sharing database with the ability to collect indicators from multiple sources, developed and maintained by Segurança-Informática. This feed is based on automatic searches and also has a strong contribution from the community. This makes it a reliable, trustworthy and continuously updated source, focused on the threats targeting Portuguese citizens.

The Threat Report Portugal: Q2 2020 compiles data collected on the malicious campaigns that occurred from April to June, Q2, of 2020. The campaigns were classified as either phishing or malware. In addition, the report highlights the threats, trends, and key takeaways of threats observed and reported into 0xSI_f33d. This report provides intelligence and indicators of compromise (IOCs) that organizations can use to fight current attacks, anticipate emerging threats, and manage security awareness in a better way.

Phishing and Malware Q2 2020
The results depicted in Figure 1 show that phishing campaigns (84.5%) were more prevalent than malware (15.5%) during Q2 2020.

Observing the threats by category from January to June, it is possible to verify that there was an increasing number of phishing campaigns during March, April, and June, and this is a strong indicator related to the COVID-19 pandemic situation.

From Figure 2, January presented a total of 15 phishing campaigns, 29 in February and 46 during March. 196 campaigns were registered during April, 262 in April, and 204 in June. It is crucial to monitor this growth indicator to predict the trend for the next months.

On the other hand, May and June were the months in which malware was most prominent, with the Mirai botnet and the infamous Lampion Trojan in play. This piece of malware was first identified at the end of December 2019, using email templates impersonating the Portuguese Government Finance & Tax authority and Energias de Portugal (EDP) with the goal of collecting banking details from victims’ devices. Other banking trojans were also identified and analyzed during Q2, including TroyStealer and Grandoreiro, which has now expanded to Portugal.

Malware by Numbers
Overall, the Lampion Trojan was one of the most prevalent threats affecting Portuguese citizens during Q2 2020. Other banking trojan variants and families affecting users of different banks in Portugal were also observed. These kinds of malware originate in Brazil, and the attacks are disseminated via phishing campaigns. Criminals are also using smishing to enlarge the scope and impact a larger group of victims.

In research conducted by Segurança-Informática, where the whole phishing chain was described, it was possible to validate that the Android banking trojans used Android WebViews to remotely load the phishing landing page. Those landing pages were the same ones used in the current phishing waves, confirming that the threat group is the same.

Indeed, the same threat, with the same modus operandi, is seen across different banking organizations.

Also, the well-known malware first described by ESET, Grandoreiro, was expanded to affect Portuguese citizens during Q2. Details about this threat can be accessed here.

Threats by Sector
Regarding the affected sectors (Figure 5), Banking was the most affected, with both phishing and malware campaigns hitting Portuguese citizens during Q2 2020. Retail and Financing were the next most affected sectors this season.

Threat campaigns during Q3 will be published daily to 0xSI_f33d, along with additional incidents and investigations that are being documented and published on Segurança-Informática.

The infographic containing the report can be downloaded from here in printable format: PDF or PNG.