Information On 48 Million People Leaked Through Massive File

File this one away under self-inflicted wounds.  It has recently come to light that a company called LocalBlox left a massive data file exposed on a cloud storage server.  The file was more than a terabyte in size and contained detailed psychometric profiles of more than 48 million people.

LocalBlox describes itself as a combination personal and business data search service, but most of its revenue comes from psychometric profiles built by mining data from a wide range of publicly available sources (social media, public records, and the like).  On the company’s website, it describes itself as “the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale.”

According to the UpGuard Cyber Risk Team, which found the exposure, LocalBlox co-founder Ashfaq Rahman confirmed that the file had been placed in a misconfigured cloud storage bucket.  The misconfiguration made the file publicly readable: anyone who found the bucket could download it without credentials.  The file included names, dates of birth, and physical addresses culled from sources including Twitter, LinkedIn, Facebook, Zillow (a popular real estate site), and more.
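The page does not say which cloud service held the file, but the check a practitioner would want is the same on any of them: does the bucket's access control list or bucket policy grant access to everyone?  The following is an added example, not code from UpGuard or LocalBlox; it assumes Amazon S3 and works on dictionaries in the shape boto3 returns from get_bucket_acl() and from json.loads() of get_bucket_policy()["Policy"].  The sample ACL and policy are constructed here, and the bucket name and IDs in them are placeholders.

```python
# Added example: flag public access on an S3 bucket from its ACL and bucket policy.
# Assumes Amazon S3 (the page does not name the service). Input dicts are in the
# shapes boto3 returns; the sample documents below are constructed placeholders.
import json

# The two group grantees that mean "everyone" (AuthenticatedUsers = any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee URI, permission) for every ACL grant to an all-users group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (Sid, kind) for Allow statements with a wildcard principal.

    kind is "unconditional" when nothing restricts who matches, and
    "conditional" when a Condition block is present; the latter can still be
    public (e.g. a condition on a header anyone can send) and needs review.
    """
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        kind = "conditional" if st.get("Condition") else "unconditional"
        found.append((st.get("Sid", "<no Sid>"), kind))
    return found


def audit_bucket(acl, policy):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for uri, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid, kind in policy_public_statements(policy):
        findings.append(f"policy statement {sid!r} allows a wildcard principal ({kind})")
    return findings


# Constructed sample: the owner has full control, but a second grant opens READ
# (list + download) to AllUsers, and the policy adds unauthenticated GetObject.
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid-example"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid-example"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}
  ]
}""")

# Same owner, no public grant: what a correctly locked-down bucket looks like.
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", line)
```

The conditional statement is reported separately rather than ignored on purpose: a Condition narrows who matches, but only a human (or a full policy evaluator) can say whether it narrows it enough.  On AWS itself the authoritative answers come from the bucket's policy status (get_bucket_policy_status) and the account's Block Public Access settings; a script like this is for sweeping many buckets quickly and for catching the ACL grant that a policy check alone would miss.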

UpGuard researchers had this to say about the incident:

“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent.  This combination of information begins to build a three-dimensional picture of every individual affected–who they are, what they talk about, what they like, even what they do for a living–in essence, a blueprint from which to create targeted persuasive content, like advertising or political campaigning.  If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft, to fraud, to ammunition for social engineering scams such as phishing.

The data gathered on these people connected their identity and online behaviors and activity, all in the context of targeted marketing, (i.e., how best to persuade them).  Your psychographic data can be used to influence you.  It is what makes exposures of this nature so dangerous, and also what drives not only the business model of LocalBlox, but of the entire analytics industry.”

Terrifying indeed.

Another Vulnerability Found In Intel CPUs

More bad news for Intel. Yet another security flaw has been identified in the processors the company makes.  This one (tracked as CVE-2018-3665 and known as “Lazy FP State Restore”) is so newly discovered that the full technical details have yet to be released.  Here’s what we know so far, from a recent Intel announcement:

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch…Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other process through a speculative execution side channel that infers their value.”

In simpler terms: when a process is switched out, the operating system can either save and restore its floating-point and SIMD registers immediately (“eager”) or defer the restore until the next process actually touches those registers (“lazy”).  In lazy mode the registers briefly still hold the previous process’s values, and a speculative execution side channel lets the current process read them.  Because AES-NI and other cryptographic code keeps key material in exactly those registers, an attacker could use this to recover partial cryptographic keys used by other programs on the same machine.

While related to the Spectre and Meltdown flaws disclosed earlier this year, this one differs from them in two ways.  First, it is narrower in scope and scale.  Exploiting it requires code already running on the target machine and a fairly exotic attack, which puts it beyond the reach of most attackers; the realistic worry is shared hardware, where an untrusted process or guest sits on the same CPU as something handling keys.

Also, where Spectre and Meltdown affected dozens of processor families going back more than a decade, Lazy FP State Restore only affects Intel Core processors from Sandy Bridge (2011) onward.

The other key difference is where the fix lives.  The side channel itself is in the processor’s speculative execution, but it is only exposed when the operating system chooses lazy restore, so the remedy is a software change: the kernel or hypervisor saves and restores FPU state eagerly on every context switch.  That is good news for businesses of all shapes and sizes, because the fix arrives as an ordinary OS update rather than microcode or firmware, and it is quick and relatively painless to install.  Some platforms already have it: Linux kernels from 4.9 onward use eager restore unconditionally and are not affected.

Unfortunately, since the initial discovery of Spectre and Meltdown, a number of variants of those flaws have emerged, and now this new one.  It is unlikely to be the last of its kind, so if you run Intel equipment, brace yourself.  There’s likely more to come.  In the meantime, look for a CVE-2018-3665 advisory from your OS and hypervisor vendors and confirm that the kernels you run use eager restore.

WiFi Sync on iOS Vulnerable To TrustJacking

Owners of Apple devices have a new attack vector to worry about, called “Trustjacking.”  Symantec researchers recently described a pair of scenarios that abuse the Wi-Fi syncing feature of iOS devices.  Both also take advantage of the trust users place in their own computers and accessories, and both end with an attacker holding lasting remote access to the device.

The flaw is a consequence of the way iTunes Wi-Fi Sync is designed.  When an iOS device is plugged into a computer and the user taps “Trust,” that computer is authorized to talk to the device.  From the computer side, iTunes can then turn on Wi-Fi Sync without any further prompt on the phone, and from that point the computer can reach the device over the local wireless network as if it were still plugged in: pulling a full backup, installing or removing apps, and, through Apple’s developer tooling, watching what is on the screen.  That is the opening that could let an attacker take complete control over the device.

The first scenario targets the victim’s own computer.  Part one is the trust relationship that already exists between a user’s iPhone and the laptop they sync it with, which carries over to Wi-Fi even after the cable is unplugged.  Part two requires a bit of social engineering: the attacker tricks the user into clicking a malicious link that installs malware on that laptop, and the malware then uses the existing trust to enable Wi-Fi Sync and help itself to the phone.

The second scenario targets users who are traveling.  An attacker sets up, or takes control of, a free airport charging station that is really a computer.  To charge, the user plugs in and, when prompted, taps “Trust.”  As soon as that happens, the attacker’s machine connects through iTunes, enables Wi-Fi Sync, and can keep working on the phone for as long as the two share a network.

In both cases, even after the victim unplugs from the computer or charging station, the attacker retains remote access to the device and to most (if not all) of the user’s private information.  One caveat: Wi-Fi Sync only works while the phone and the trusted computer are on the same Wi-Fi network, so in the airport scenario the attacker’s window is the time the victim spends on that network, unless the attacker used that window to put something on the phone that keeps it reachable.

Unlike other recently discovered vulnerabilities in Apple products, this one distinguishes itself by giving the attacker persistent access, which makes it a dangerous vulnerability indeed.  The trust never expires on its own; it lasts until the user revokes it, which on iOS is done with Settings > General > Reset > Reset Location & Privacy (this forgets every trusted computer, so expect to be prompted again for each one).  Two habits blunt the attack: never tap “Trust” on a computer or charger you do not control (a charge-only cable or USB data blocker removes the question entirely), and set a password on encrypted iTunes backups so a backup pulled this way is not readable.

Google Cracking Down On 3rd Party Browser Extension Installs

Malicious code can wind up on your PC or phone by any number of roads.  Companies do their best to guard the digital passes, but invariably, things get missed and the hackers find a way in.  It’s a constant battle, and sadly, one that the good guys are losing.

Recently Google stepped up its efforts, this time by targeting the way third-party websites install Chrome browser extensions.  By the end of the year, the only way to install an extension will be from its listing on the Chrome Web Store; “inline installation,” where any website can pop up the install dialog for an extension from its own pages, is going away.

James Wagner, Google’s Product Manager for the Extensions Platform, had this to say on the topic:

“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly – and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites.”

It’s a thorny problem, but industry experts broadly agree that Google is taking the right approach here.  Inline installation was switched off for newly published extensions in June; beginning in September, Google plans to disable it for all existing extensions as well.  A site that triggers an inline install will instead send the user to the extension’s Chrome Web Store page, where they’ll have the option to install it straight from the source.

Then, in December 2018, the company will remove the inline install API from Chrome 71, which should solve the problem decisively.

Of course, hackers being hackers will no doubt find a way around that (deceptive extensions can still be listed on the store, and users can still be talked into installing them), but kudos to Google for taking decisive action here.  While browser extensions aren’t the largest attack vector, they’re troublesome enough that Google’s attention is most welcome.

It should be noted that one of the indirect benefits of Google’s plan is that every install now passes through the Web Store listing, with its user ratings, install counts, and review history.  They’re highly visible there, so anyone who’s considering installing something has a good, “at-a-glance” way of telling whether the extension is legitimate or a scam.  That’s information they wouldn’t have seen had the extension been installed inline.  Ratings can be gamed, though, so treat the permissions the extension asks for as the more important signal.

Again, kudos to Google!

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav of Check Point has disclosed a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs to steal Windows credentials in the form of NTLM authentication hashes (the hashed challenge/response Windows sends when it signs in to a file server, which an attacker can crack offline or relay to another server).  Unfortunately, no action other than simply opening the PDF is required for the hacker to obtain the hash.

Baharav used the same methodology attackers have used in the past, which amounts to making an application issue an SMB request from inside a document.  In a PDF this is done with a GoToE or GoToR action whose /F entry names a remote file on an attacker-controlled SMB server by its UNC path (\\server\share\file).  When the reader tries to open that file, Windows automatically authenticates to the server and hands over the NTLM hash.  Attackers have already run this trick from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft Outlook.  Using a PDF to run it is what’s new.

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent.  Adobe did, but their response was not encouraging: they announced no plans to address the issue in the reader itself, deferring instead to Windows OS-level mitigations (Microsoft Security Advisory ADV170014).

Microsoft released that advisory to give administrators a way to turn off automatic NTLM single sign-on to servers outside the enterprise network, which is what makes the leak possible in the first place.  This is a workable mitigation, but it has problems.

For starters, it’s not really a patch; it’s the modification of a specific registry key plus a network isolation policy that an administrator has to roll out.  Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines.  People who have older systems are simply left without it.

Be on the alert, then: PDFs can now be used to steal credentials, every reader should be assumed affected until its vendor says otherwise, and no reader-side fix is coming for older systems.  The practical defenses sit at the network and OS layers: block outbound SMB (TCP 445) at the perimeter so the reader’s connection never reaches the attacker, apply ADV170014 where you can, and treat any unexpected outbound SMB connection from a user workstation as something to investigate.

Majority Of Web Apps Found To Have Security Vulnerabilities 

How many web applications do you use every day, from your phone or anywhere else?  Probably a ton.  Here’s something you likely didn’t know.  Based on the latest research from Positive Technologies, nearly half of the web applications they tested (48 percent) were vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

  • 44 percent of the vulnerable applications put users’ personal data at risk
  • 70 percent could leak sensitive information
  • 96 percent contain flaws that would let an attacker use the application to attack its users (cross-site scripting being the classic example)
  • Of those, one in six (17 percent) has a flaw severe enough to give an attacker complete control over the application, and from there the server it runs on

Most of these flaws (some 65 percent) are the result of simple coding errors; improper configuration of web servers is the most common of the remaining causes.

There is one bright spot in the otherwise dismal report, though.  The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Eoin Keary, the CEO of Edgescan, had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline.  Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm builds such applications, pay special attention to this report and review your code base at the earliest opportunity, and include an inventory of the third-party components it pulls in, since those are a common source of the flaws counted here.  Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees use several at-risk applications from the devices they connect to your network.

New Trick Lets Hackers Bypass Office 365 Email Security

What’s old is new again.

Hackers have recently begun re-deploying an old trick, dubbed ‘ZeroFont’, to get around Microsoft’s security filters and deliver phishing and spam emails to Office 365 mailboxes.  The gimmick?  Zero-point fonts.

As anyone with even a passing familiarity with Office 365 knows, when you draft a document you can change the font size to suit your tastes and preferences.  What few people realize is that in an HTML email you can set text to a zero-point size with a single inline style declaration (font-size: 0px on the element’s style attribute).

Of course, such a move has no practical application in everyday usage, because no one can read zero-point text.  Attackers, however, make cunning use of it.  Office 365’s filters do not treat zero-point text as hidden; they read every character, visible or not.  So an attacker can break up the words a filter is looking for (“Office 365,” “password,” “verify”) with invisible junk: the filter sees gibberish and finds nothing to flag, while the recipient’s mail client hides the junk and shows the intended words.  Since nothing matches, the message isn’t marked as malicious and sails right through.

By itself, the zero-point trick is useful to an attacker but not inherently deadly; it hides words, not payloads.  Unfortunately, it can be combined with other obfuscation tricks, like Punycode domains, Unicode look-alike characters, or hexadecimal-encoded URLs, to disguise a malicious link inside what appears to be a totally innocent email.

It gets better (or worse, depending on your point of view).  Just last month, researchers at a company called Avanan found that it was possible to use the HTML <base> tag in an email: put the attacker’s domain in the <base href> and only a harmless-looking relative path in the link itself.  The security filters inspect the link as written, not the full address the mail client assembles from the two halves, and blithely wave it through.
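Both tricks come down to a gap between what a text filter reads and what the mail client renders.  The following is an added example, not Avanan’s code: it parses an HTML message twice over, once as a naive filter sees it (every text node) and once as the recipient sees it (zero-size text dropped), records the hidden fragments, and resolves each link the way a client would, against the <base href>.  The message is constructed here and phish.example is a placeholder domain.

```python
# Added example (not Avanan's code): show what a text filter sees versus what the
# recipient sees in an HTML email that uses zero-size text and a <base href>.
# The sample message is constructed; phish.example is a placeholder domain.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# font-size of exactly zero, with or without a unit: font-size:0px, font-size: 0;
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"base", "br", "img", "meta", "link", "input", "hr", "area", "col", "source", "wbr"}


class EmailInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base = None          # href of a <base> tag, if any
        self.raw = []             # every text node: what a text-matching filter sees
        self.visible = []         # text nodes outside zero-size elements
        self.hidden = []          # text nodes inside zero-size elements
        self.links = []           # (href as written, href as the client resolves it)
        self._open = []           # stack of (tag, is_zero_size) for open elements
        self._zero_depth = 0      # how many enclosing elements are zero-size

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]
        if tag == "a" and a.get("href") is not None:
            href = a["href"]
            self.links.append((href, urljoin(self.base, href) if self.base else href))
        if tag in VOID_TAGS:
            return                # never closed, so never pushed on the stack
        zero = bool(ZERO_FONT.search(a.get("style") or ""))
        self._open.append((tag, zero))
        self._zero_depth += zero

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, closing anything left unclosed above it.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                self._zero_depth -= sum(z for _, z in self._open[i:])
                del self._open[i:]
                return

    def handle_data(self, data):
        self.raw.append(data)
        (self.hidden if self._zero_depth else self.visible).append(data)


def _squash(parts):
    """Join text nodes and collapse whitespace the way a rendered paragraph would."""
    return " ".join("".join(parts).split())


def inspect_email(html):
    """Return what the filter sees, what the user sees, the hidden text, and the links."""
    p = EmailInspector()
    p.feed(html)
    p.close()
    return {
        "filter_sees": _squash(p.raw),
        "user_sees": _squash(p.visible),
        "hidden": [h for h in p.hidden if h.strip()],
        "links": p.links,
    }


# Constructed phishing message: "Office" and "password" are split by zero-size junk
# so a keyword filter never sees them, and the link is split across <base> and
# <a href> so a scanner that reads only the anchor sees a harmless relative path.
SAMPLE_EMAIL = """<html><head><base href="http://phish.example/"></head><body>
<p>Your Off<span style="font-size:0px">xyz</span>ice 365 pass<span style="font-size: 0;">qq</span>word expires today.</p>
<p><a href="account/verify">Sign in to keep your account</a></p>
</body></html>"""

if __name__ == "__main__":
    for key, value in inspect_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The defensive lesson is in the two views: a filter should score the user-visible text (and flag the presence of hidden text at all), and it should resolve links exactly as a client does, base element included, before checking them against a reputation list.  Real mail clients hide text in more ways than font-size: 0 (display: none, matching foreground and background colors, off-screen positioning), so a production implementation has to cover those too.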

Again, it should be noted that these tricks aren’t new.  They’ve been around for years, fell out of favor in preference for newer techniques, and now are being recycled.  Apparently, they’re so old that they skate right past modern security flags and filters.

Expect updates soon to catch these types of things, but in the short run, just be aware that these attacks are not only possible, but trivial to execute: each needs nothing more than a few lines of hand-written HTML.

Apple Will Officially No Longer Sell Routers

After nearly two decades in the business, Apple is officially going to stop selling routers.  The writing has been on the wall for a while now, since the company’s “AirPort” family of products hasn’t received a significant update in more than five years.

When Apple first introduced its AirPort product line, wireless computing was still something of a rarity, and Apple’s offerings were ahead of their time.  In the years between then and now though, the market has changed significantly.  Unfortunately, Apple’s product line never really changed with it.

These days the competition is fierce with industry giants like Google and Linksys both offering great options for power users. With the rise of mesh networks, the AirPort product line has fallen increasingly behind the times.

The company announced that it would sell its existing AirPort product inventory and support its current user base for the time being, but after that, it would quietly fade away.  The company has simply moved on and has redirected its efforts toward other initiatives.

In looking at the broader market, it’s not a huge blow.  Of course, if you own and use an AirPort product, now is the time to begin casting about for alternatives.  The clock is ticking, and once Apple sheds its existing inventory, we can expect an end-of-support date from them.  After that, any AirPort products still in operation will stop receiving firmware fixes, and every flaw found in them from then on stays open.

Even so, given how ubiquitous wireless networking is these days, and how many powerful options are out there, finding a replacement for your AirPort product shouldn’t present too much of a challenge.  Just make sure your IT staff knows that the end is nigh, so they can get a replacement in place before the clock runs out.

Study Shows People Prefer Alternatives Over Passwords

File this one away under “confirming things we already knew.”  A recent study conducted jointly by Blink and Trusona confirmed that people just don’t like passwords very much.

Their study tracked the login behavior of 148 participants over a three-week period.  Without knowing the true purpose of the study, participants were asked to log into a gift idea generation website at least three times a week.

They were given the option of a “classic” (password-based) login, or an “easy” login option, which utilized alternative forms of authentication.

The results should surprise no one, but here are some of the statistics collected during the course of the experiment:

  • 84 percent of participants utilized the easy login at least once
  • 47 percent of participants utilized the classic login at least once
  • Those who used the easy login had successful logins 78 percent of the time
  • Those who used the classic login had successful logins 56 percent of the time

Per Robert Capps, a VP for NuData Security,

“This report shows that consumers are ready to move beyond passwords and usernames to more secure authentication methodologies.  Using a multilayered authentication framework that combined behavioral analytics with biometrics allows companies to verify users accurately without adding unnecessary friction and detect any unauthorized activity before it enters the environment.

Multilayered solutions that include these technologies analyze hundreds of data points throughout a session and create an evolving profile of a user across the session.  Passive biometrics and behavioral analytics are technologies that can provide this level of monitoring without adding friction to legitimate users, thus creating more convenient experiences for users.”

Clearly, users don’t like passwords.  Multilayered behavioral and biometric products of the kind Mr. Capps describes do exist (NuData sells one), but they are far from universal, and the standards and support needed for a password-free login across the sites and apps people use every day are still in varying stages of development.  We’re still a ways off from a password-free, hyper-secure login paradigm.  That day is no doubt coming though, and not a moment too soon.

Use Caution Traveling, Hackers Now Have Keys To Hotel Rooms

Score one for the good guys, but with hesitation. Unfortunately, in today’s fast-moving digital world, even a victory doesn’t mean the end of a problem.

Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about an attack they discovered against the Vision electronic lock system sold under Assa Abloy’s VingCard brand and used in hotel chains around the world.

This particular system is deployed in more than 42,000 properties around the world.  So in terms of scope and scale, this flaw impacts literally millions of doors.

The security flaw is about as bad as it gets, too.  The duo found a way to turn an old, expired RFID key card from a target hotel into a master key that opens any Vision door in the building; these are contactless RFID cards, not magnetic stripes, and the attack only needs a read of the old card.  Although the software they used to create the master key card is proprietary and has not been released, any hacker worth his salt with a couple hundred dollars to spare for off-the-shelf RFID equipment could reproduce the hack on their own, if given time.

Fortunately, long before the pair announced their discovery, they contacted Assa Abloy privately and have been working with the company’s R&D department to develop a fix for the security flaw.  That fix is now available, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.

Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix doesn’t mean that everyone will promptly install it.  The update has to be installed property by property, on the lock system at each hotel, so the roll-out will take time and some properties will lag.  The risk is therefore still very real.  If you’re a frequent traveler, take extra precautions: use the deadbolt and latch while you’re in the room, and don’t leave your valuables in plain sight.  They may be more vulnerable than you realize.