[…]

computer scientists at Tel Aviv University in Israel say they have discovered a way to bypass a large percentage of facial recognition systems by basically faking your face. The team calls this method the “master face” (like a “master key,” harhar), which uses artificial intelligence technologies to create a facial template—one that can consistently juke and unlock identity verification systems.

“Our results imply that face-based authentication is extremely vulnerable, even if there is no information on the target identity,” researchers write in their study. “In order to provide a more secure solution for face recognition systems, anti-spoofing methods are usually applied. Our method might be combined with additional existing methods to bypass such defenses,” they add.

According to the study, the vulnerability being exploited here is the fact that facial recognition systems use broad sets of markers to identify specific individuals. By creating facial templates that match many of those markers, a sort of omni-face can be created that is capable of fooling a high percentage of security systems. In essence, the attack is successful because it generates “faces that are similar to a large portion of the population.”

This face-of-all-faces is created by inputting a specific algorithm into the StyleGAN, a widely used “generative model” of artificial intelligence tech that creates digital images of human faces that aren’t real. The team tested their face imprint on a large, open-source repository of 13,000 facial images operated by the University of Massachusetts and claim that it could unlock “more than 20% of the identities” within the database. Other tests showed even higher rates of success.

Furthermore, the researchers write that the face construct could hypothetically be paired with deepfake technologies, which will “animate” it, thus fooling “liveness detection methods” that are designed to assess whether a subject is living or not.

Source: Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech

Analysis of tracking data from Automatic Identification System broadcasts reveals vessel locations have been simulated for a number of ships, including military vessels. This false information could compromise vessel safety, decrease confidence in a crucial collision avoidance system and potentially spark international conflict.

Over the years, data analysts working with Global Fishing Watch and SkyTruth have noticed a number of ship tracks coming up in impossible locations—in transit over Antarctica, circling in the Utah desert and elsewhere—and we have questioned whether these false positions resulted from faulty Automatic Identification System (AIS) transmitters, deliberate misuse of those transmitters, or from intentional third party interference. AIS is the international system of vessel radio broadcasts used to identify vessel locations and help prevent collisions at sea. We have learned how to interpret anomalies in AIS data and, even when the ship coordinates were wrong, we never had reason to doubt that these vessels were on the water broadcasting AIS. In most cases, we are also able to identify the true position of the vessel.

[…]

I first noticed these false AIS tracks in groups of sailboats which appeared hundreds of miles out in the Atlantic Ocean even though shore-based AIS antennas appeared to receive their positions. Since a typical range for a terrestrial antenna is at most about 60 miles, I knew something was wrong with these positions. When I searched for more information on the identities of these vessels I found that they were featured on a website running simulated sailing races. Whoever was setting up the races not only simulated realistic AIS positions for each of the participants, but then fed these made up positions into a public AIS site — sites like AISHub receive ship positions from contributors — so that the sailboat positions appeared on these sites alongside real vessel traffic.

[…]

Our recent investigation into a second group of false AIS tracks has shown that these concerns were very much warranted. I was alerted to this case when an article in Dagens Nyheter, a Swedish news outlet, was shared with me. Nine Swedish Navy vessels appeared on AIS as if out on maneuvers. In the news story, the Swedish Navy confirmed that these positions were false and mentioned additional false positions in the Baltic Sea, specifically near the Russian enclave of Kaliningrad.

[…]

I was able to take advantage of the full complexity of AIS communication to identify a pattern specific to the false simulated AIS positions. From there, I wrote an automated computer query of our global AIS database to identify other vessels with this same pattern of AIS broadcast.

The results were alarming. Nearly a hundred U.S. and European naval vessels had track segments with the same AIS pattern as the false tracks of the Swedish navy ships near Karlskrona. Over the past few months I dug into this data using all available sources to confirm vessel locations and identities. I confirmed false AIS positions for 15 navy vessels from seven countries, with many more vessels suspected of having fabricated positions.

[…]

Naval vessels are frequently photographed, and it’s possible to get a sequence of port visits based on photos uploaded to sites like warshipcam.com. This documented series of port visits can then be compared to the AIS track to confirm that an MMSI corresponds to a particular vessel.

[…]

Two sources of open satellite imagery work very well for matching to AIS, Sentinel-1 (S1) synthetic aperture radar (SAR) and Sentinel-2 (S2) optical imagery from the European Space Agency (ESA). S1 SAR is acquired with very high frequency over Europe — any given location is imaged approximately every other day and has the advantage of penetrating clouds

[…]

I matched S1 and S2 imagery to tracks of 15 naval vessels with AIS patterns sharing characteristics identified in the false positions of the Swedish vessels near Karlskrona. These 15 examples, which I was able to confirm with comparison to imagery, represent just a fraction of the nearly 100 naval vessels with suspected false AIS tracks identified by my algorithm between August 27, 2020 and July 15, 2021.

[…]

I describe two examples below.

U.S. survey vessel USNS Bruce C. Heezen transiting into Baltic Sea, September 2020

AIS data shows this vessel transiting through the North Sea and entering the Baltic Sea between September 17 through 23, 2020. However, the positions broadcast on those dates match the false AIS pattern, and I have additional evidence that this AIS track did not show the actual location of the vessel.

[…]

British Aircraft carrier HMS Queen Elizabeth on the Irish coast with accompanying flotilla of British, Dutch, and Belgian warships, September 2020

AIS from September 17, 2020, shows a surprising international naval flotilla accompanying the British aircraft carrier HMS Queen Elizabeth about 20 miles out from the coast of Ireland. In addition to the 283-meter Queen Elizabeth, AIS shows the British HMS Duncan (152 meters) and HMS Albion (176 meters) as well as the Dutch HNLMS Rotterdam (163 meters), the HNLMS Johan de Witt (176 meters) and the Belgian BNS Leopold I (122 meters). This flotilla of massive warships should have made quite a striking picture on Sentinel-2 satellite imagery. However, the image coinciding with the AIS transit dates, seen below, shows none of the six naval vessels. Furthermore, several publicly posted photos and news articles show that these vessels were in port elsewhere at the time.

[…]

It’s unclear how the false positions get combined with real data from terrestrial AIS antennas, though one can hypothesize that they could be produced by an AIS simulator program similar to that used to produce the tracks in the simulated sailing races. While I initially thought the false data might be entering the data feed from a single terrestrial AIS station, it appears that false AIS positions were reported at a number of different terrestrial stations.

Some of these terrestrial stations appear to be picking up AIS positions when vessels are too far away. For example, a suspected false position near Kiel, Germany was picked up by a receiver in Gdynia, Poland more than 300 miles away and outside of normal terrestrial antenna range. However in other cases, false positions were picked up by nearby receivers. Further information linking individual AIS positions to particular receiving antennas could allow us to understand more about where the positions are coming from.

Possible motives for data falsification

It’s clear that considerable care was taken to produce plausible tracks. For example, false AIS segments mostly appear only in those locations where naval vessels would be expected to broadcast AIS (near port and in other congested areas). Confirmed and suspected false AIS segments show incursions by 11 North Atlantic Treaty Organization (NATO) and NATO allied warships into Russian territorial waters near Kaliningrad and Murmansk as well as within the disputed territorial waters around Crimea in the Black Sea. Suspected false tracks from June 2021 also show two Russian warships entering the territorial waters of Ukraine and Poland. Other false AIS tracks are more subtle

[…]

A recent incident in the Black Sea shows how uncomfortably close we are to a scenario where a false AIS track is used to show an aggressive action by a naval vessel that did not really occur. From June 18 to 19, 2021, the British destroyer HMS Defender and Dutch frigate HNLMS Evertsen could be seen at dock in Odessa, Ukraine. However, on those same dates, AIS showed the vessels leaving port and going to a naval base in Sevastopol in Russian-occupied Crimea.

[…]

Although this attempt at disinformation was easily refuted by witnesses and a live webcam in Odessa, a far more delicate situation unfolded a few days later when the HMS Defender really did leave Odessa and transit through Russian claimed waters. The HMS Defender broadcast AIS during the transit past Crimea that showed the vessel entering disputed territorial waters that extend 12 nautical miles from shore. The vessel entered only about 1.8 nautical miles inside territorial waters and maintained a normal transit course under “innocent passage.” Russian forces claim to have responded with warning shots and dropping live bombs in the path of the vessel. The HMS Defender proceeded normally, exiting the waters around Crimea and continuing to Georgia.

[…]

Fortunately, these false tracks could be readily identified with the same systematic data analysis tools which have made it possible to pull increasingly detailed information from the global AIS dataset to inform researchers about activity at sea.

The openness and accessibility of AIS has made possible innovative uses of the data. But this accessibility also makes the system vulnerable to manipulation which, if not detected, could support false narratives about vessel movements that cause confusion and potentially could even spark an international incident.

Ultimately, AIS is a critical collision-avoidance system relied upon by thousands of mariners, and while these manipulations don’t directly compromise on-the-water collision avoidance, they may compromise trust in the AIS system

[….]

Source: Systematic data analysis reveals false vessel tracks – SkyTruth

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines.

If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights.

The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.

According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations.

“This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user,” according to SentinelOne’s analysis, released on Tuesday. “Essentially, this allows attackers to overrun the buffer used by the driver.”

Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm.

The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup.

“Thus, in effect, this driver gets installed and loaded without even asking or notifying the user,” explained the researchers. “Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected.”

[…]

 

Source: 16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines | Threatpost

The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network.

Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. The end result is an authentication certificate that grants the attacker domain-controller-level access to services, allowing them to commandeer the entire domain.

“PetitPotam takes advantage of servers,” said Microsoft, “where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.”

Lionel published a proof-of-concept exploit, available from the above link, and Microsoft responded by burying the bad news in an advisory released on Friday. The Windows giant described PetitPotam as “a classic NTLM relay attack,” and noted that such attacks have a long, long history.

Which does make us wonder: why does the problem linger on?

Microsoft’s preferred mitigation is for administrators to simply disable NTLM authentication, although doing so could break any number of services and applications that depend on it. A variety of alternatives are also on offer, “listed in order of more secure to less secure.”

Great.

[…]

Windows Server 2008 and up are affected, according to Microsoft’s advisory, and, other than suggesting customers take NTLM mitigations, a fix for MS-EFSRPC does not appear to be incoming.

[…]

Source: You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick • The Register

Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data.

Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND—which is short for the boolean operator “NOT AND“—stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.

Reset but not wiped

NAND is usually organized in planes, blocks, and pages. This design allows for a limited number of erase cycles, usually in the neighborhood of between 10,000 to 100,000 times per block. To extend the life of the chip, blocks storing deleted data are often invalidated rather than wiped. True deletions usually happen only when most of the pages in a block are invalidated. This process is known as wear-leveling.

Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn’t. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners’ Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process.

The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory.

“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. “We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset.”

[…]

If a device has not been reset (as in 61% of the cases), then it’s pretty simple: you remove the rubber on the bottom, remove 4 screws, remove the body, unscrew the PCB, remove a shielding and attach your needles. You can dump the device then in less than 5 minutes with a standard eMMC/SD Card reader. After you got everything, you reassemble the device (technically, you don’t need to reassemble it as it will work as is) and you create your own fake Wi-Fi access point. And you can chat with Alexa directly after that.

If the device has been reset, it gets more tricky and will involve some soldering. You will at least get the Wi-Fi credentials and potentially the position of the Wi-Fi using the MAC address. In some rare cases, you might be able to connect it to the Amazon cloud and the previous owner’s account. But that depends on the circumstances of the reset.

[…]

Source: Thinking about selling your Echo Dot—or any IoT device? Read this first | Ars Technica

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers.

Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file.

[…]

Analysis of WD’s firmware suggests code meant to prevent the issue had been commented out, preventing it from running, by WD itself, and an authentication type was not added to component_config.php which results in the drives not asking for authentication before performing the factory reset.

The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability, with venerable tech site Ars Technica speculating that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another’s botnet.

Source: Another Exploit Hits WD My Book Live Owners | Tom’s Hardware

So is it possible that the authentication code was commented out?!

Things are not looking good for LinkedIn right now. Just two months after a jaw-dropping 500 million profiles from the networking site were put up for sale on a popular hacker forum, a new posting with 700 million LinkedIn records has appeared.

The seller, “GOD User” TomLiner, stated they were in possession of the 700 million records on June 22 2021, and included a sample of 1 million records on RaidForums to prove their claims. Our researchers have viewed the sample and can confirm that the damning records include information such as full names, gender, email addresses, phone numbers, and industry information.

We reached out to LinkedIn for verification and received this official statement from Leonna Spilman:

“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

[…]

Is the data the same as from the previous LinkedIn leak?

According to a statement from LinkedIn, the previous data leak contained an “aggregation of data from a number of websites and companies” as well “publicly viewable member profile data.” However, it was not technically a breach since no private information was stolen.

This time around, it seems as though the records are, once again, a cumulation of data from previous leaks. However, this could still include information from both public and private profiles. We employ a strict policy of not supporting sellers of stolen data and, therefore, have not purchased the leaked list to verify all of the records.

Source: Exclusive: 700 Million LinkedIn Records Leaked June 2021 | Safety First

It was a closed source backdoored system. This goes to show that weakening encryption for political reasons and trusting software that can’t be audited independently is a Bad Idea ™

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper.

The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case.

Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, “from a source.” They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

When trying to reverse-engineer the algorithm, the researchers wrote that (to simplify), they tried to design a similar encryption algorithm using a random number generator often used in cryptography and never came close to creating an encryption scheme as weak as the one actually used: “In a million tries we never even got close to such a weak instance,” they wrote. “This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.”

Researchers dubbed the attack “divide-and-conquer,” and said it was “rather straightforward.” In short, the attack allows someone who can intercept cellphone data traffic to recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the oldest algorithm developed in 1998, is that it provides only 40-bit security. That’s what allows an attacker to get the key and decrypt all traffic, according to the researchers.

“To meet political requirements, millions of users were apparently poorly protected while surfing for years.”

A spokesperson for the organization that designed the GEA-1 algorithm, the European Telecommunications Standards Institute (ETSI), admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption.

[…]

Raddum and his colleagues found that GEA-1’s successor, GEA-2 did not contain the same weakness. In fact, the ETSI spokesperson said that when they introduced GEA-2 the export controls had been eased. Still, the researchers were able to decrypt traffic protected by GEA-2 as well with a more technical attack, and concluded that GEA-2 “does not offer a high enough security level for today’s standards,” as they wrote in their paper. 

[…]

Source: Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet.

The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi and authorized dealers in the U.S. and Canada, left the customer data spanning 2014 to 2019 unprotected over a two-year window between August 2019 and May 2021.

The data, which Volkswagen said was gathered for sales and marketing, contained personal information about customers and prospective buyers, including their name, postal and email addresses, and phone number.

But more than 90,000 customers across the U.S. and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver’s license numbers, but that a “small” number of records also included a customer’s date of birth and Social Security numbers.

Volkswagen would not name the vendor, when asked. “We have also informed the appropriate authorities, including law enforcement and regulators, and are working with external cybersecurity experts and the vendor to assess and respond to this situation,” said a spokesperson, via a crisis communications firm.

It’s the latest security incident involving driver license numbers in recent months. Insurance giants Metromile and Geico admitted earlier this year that their quote forms had been abused by scammers trying to obtain driver license numbers. Several other car insurance companies have also reported similar incidents involving the theft of driver license numbers. Geico said it was likely an effort by scammers to file and cash fraudulent unemployment benefits in another person’s name.

[…]

Source: Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details | TechCrunch

Indonesia’s government has admitted to leaks of personal data from the agency that runs its national health insurance scheme

On May 20th Kominfo, Indonesia’s Ministry of Communication and Information Technology, acknowledged it was aware of a post on notorious stolen-data-mart Raidforums offering to sell a million records leaked from the Badan Penyelenggara Jaminan Sosial (BPJS), an agency that runs national health insurance scheme Jaminan Kesehatan Nasional (JKN).

The Ministry said it had found leaked data and that the leak was not “massive”.

By May 21st, the Ministry stated it had identified an entity trying to sell the data and found the data itself on three sites – bayfiles.com, mega.nz, and anonfiles.com. The Ministry claimed only the last-named site had not responded to takedown requests, and that it hosted only around 100,000 records.

Later on the 21st a new announcement raised the number of stolen records to a million, said the fields matched those used by the BPJS, and said further investigation is needed to understand the nature of the data and extent of the breach.

[…]

Source: Indonesia’s national health insurance scheme leaks at least a million citizens’ records • The Register

[…]

Check Point Research (CPR) recently discovered that in the last few months, many application developers put their data and users’ data at risk. By not following best practices when configuring and integrating 3^rd party cloud services into applications, millions of users’ private data was exposed. In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.

In this research, CPR outlines how the misuse of real-time database, notification managers, and storage exposed over 100 million users’ personal data (email, passwords, names, etc.) and left corporate resources vulnerable to malicious actors.

[…]

 

Source: Mobile app developers’ misconfiguration of third party services leave personal data of over 100 million exposed – Check Point Research

An NHS Digital-run vaccine-booking website exposed just how many vaccines individual people had received – and did so with no authentication, according to the Guardian.

The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or two vaccination doses, the newspaper reported on Thursday.

All you need, it says, are the date of birth and postcode of the person whose vaccination status you wanted to check up on.

[…]

Vaccination status is set to become a political hot potato as the UK restarts its economy following the 2020 COVID-19 shutdown. Government policy is to enforce vaccine passports, initially as a means of deterring overseas travel but rumours persist that they will be required for domestic activities. To that end, the ruling Conservatives’ insincere promise in December that vaccine passports wouldn’t become reality at all has prompted a 350,000 strong Parliamentary petition against them.

Carelessness around health data in general has been a feature of the current government’s tech-driven approach to tackling COVID-19. Such repeated incidents have a habit of lodging themselves in the public’s consciousness, making it harder to gain consent for genuine health-boosting measures based on handing data over to public sector bodies.

Source: NHS Digital booking website had unexpected side effect: It leaked people’s jab status • The Register

Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets’ networks as a legitimate pentesting exercise.

Now, the UK’s National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers through to VMware virtualization kit – and the well-known Pulse Secure VPN flaw, among others.

“In one example identified by the NCSC, the actor had searched for authentication credentials in mailboxes, including passwords and PKI keys,” warned the GCHQ offshoot today.

Roughly equivalent to MI6 mixed with GCHQ, the SVR is Russia’s foreign intelligence service and is known to infosec pros as APT29. A couple of weeks ago, Britain and the US joined forces to out the SVR’s Tactics, Techniques and Procedures (TTPs), giving the world’s infosec defenders a chance to look out for the state-backed hackers’ fingerprints on their networked infrastructure.

[…]

They include:

• A severe hole in Pulse Secure’s Zero Trust Remote Access VPN software;
• An arbitrary code execution vuln in F5 BIG-IP app delivery controllers;
• An exploitable flaw in the Cisco RV320 WAN router (live code for the exploit exists in the wild);
• A critical vuln in Citrix (Netscaler) ADC load-balancers (publicly disclosed, ironically, by now-US-sanctioned Positive Technologies);
• A critical RCE vuln in VMware’s HTML5 client for its vSphere hybrid cloud suite; and
• An exploitable hole in Oracle’s WebLogic Server permitting remote code execution

On top of all that the SVR is also posing as legitimate red-team pentesters: looking for easy camouflage, the spies hopped onto GitHub and downloaded the free open-source Sliver red-teaming platform, in what the NCSC described as “an attempt to maintain their accesses.”

There are more vulns being abused by the Russians and the full NCSC advisory on what these are can be read on the NCSC website. The advisory includes YARA and Snort rules.

[…]

Source: Russian cyber-spies changed tactics after the UK and US outed their techniques – so here’s a list of those changes • The Register

[…]

Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)

But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.

Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.

But that deadline came and went, the bug wasn’t fixed and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.

TechCrunch contacted Peloton after the deadline lapsed to ask why the vulnerability report had been ignored, and Peloton confirmed yesterday that it had fixed the vulnerability. (TechCrunch held this story until the bug was fixed in order to prevent misuse.)

[…]

Masters has since put up a blog post explaining the vulnerabilities in more detail.

Munro, who founded Pen Test Partners, told TechCrunch: “Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.”

But questions remain for Peloton. When asked repeatedly, the company declined to say why it had not responded to Masters’ vulnerability report. It’s also not known if anyone maliciously exploited the vulnerabilities, such as mass-scraping account data.

[…]

Source: Peloton’s leaky API let anyone grab riders’ private account data | TechCrunch

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.

[…]

Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

Demirkapi’s Experian credit score lookup tool.

KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.

“Too many consumer finance company accounts,” the API concluded about my friend’s score.

[…]

Source: Experian API Exposed Credit Scores of Most Americans – Krebs on Security

Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.

[…]

Drilling down to the nitty-gritty: Microsoft’s Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), provided by real-time operating systems, standard C libraries, and software development kits all aimed at embedded electronics: that’s Internet-of-Things (IoT) devices, industrial control systems, and so-called operational technology (OT).

The team found a programming blunder common among much of the software: integer overflows during heap memory allocation. This occurs when an attacker is able to, usually via malicious data inputs, trick application code into making a very large memory allocation for a buffer to hold further incoming information.

The trouble is that a vulnerable memory allocator could take that large size – eg, 0xffffffff on a 32-bit embedded system – and add something like 8 to it because the requested memory block needs eight bytes of metadata to describe it. The size then overflows to 7 and the allocator finds space in memory that’s seven bytes in size for the requested buffer.

The allocator returns a pointer to that small space to the application, which assumes the allocation succeeded for the huge request, and then copies way more than seven bytes of data into the buffer from the attacker. This causes the application to overwrite the memory allocation metadata, structures, and contents. Now the attacker who sent over the data can take full control of the system by overwriting function pointers or altering other values.

The allocations should fail due to the large sizes, but the integer overflow allows them to partially succeed and in a way that’s exploitable. To pull this off, an attacker would need to be able to feed data to the application – either as a file or network traffic or whatever – that causes it to allocate a huge block of heap memory. It would be nice if application code trapped oversize allocations, but in any case, Microsoft found OS and library-level code let it all sail through, too, due to the overflows.

[…]

For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets.”

What is affected? Good question. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has a summary here.

[…]

its advisory here

Source: BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw • The Register

Online shoppen en de rekening naar iemand anders sturen, blijkt kinderlijk eenvoudig met Afterpay. Dat constateert de Consumentenbond, die de beveiliging van de achterafbetaaldienst heeft onderzocht.

Honderden consumenten kregen spookfacturen van Afterpay en Klarna, betaaldiensten waarmee consumenten online aankopen pas na ontvangst hoeven te betalen. De bedragen varieren van enkele tientjes tot honderden euro’s.

Met een simpele truc bestelt de oplichter online op naam en adres van een ander. Vervolgens laat hij het pakket naar een ander afleveradres sturen, het zijne. Als Afterpay na een maand nog geen betaling heeft ontvangen, stuurt het een herinnering naar het opgegeven factuuradres.

Het bedrijf zegt dat het zijn fraudebestrijding op orde heeft. Consumenten die een onterechte rekening kregen kunnen aangifte doen bij de politie.

‘Het slachtoffer moet zijn onschuld bewijzen, terwijl het lek bij Afterpay zit,’ zegt de Consumentenbond. ‘Ook vragen een aangifte aan te leveren is niet in de haak. Afterpay vraagt zo persoonsgegevens af te staan, die notabene al een keer zijn misbruikt. We hebben de Autoriteit Persoonsgegevens hierover geïnformeerd, want we betwijfelen of dit volgens de regels is.’

Source: ‘Bestelfraude via Afterpay kinderlijk eenvoudig’ – Emerce

The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a “pilot” project to conduct security research.

“Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life” was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC “discreetly announced to the world’s computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military,” the Post said.

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world’s largest announcer of IP addresses in the IPv4 global routing table.

[…]

Brett Goldstein, the DDS’s director, said in a statement that his unit had authorized a “pilot effort” publicizing the IP space owned by the Pentagon.

“This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space,” Goldstein said. “Additionally, this pilot may identify potential vulnerabilities.”

Goldstein described the project as one of the Defense Department’s “many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.”

[…]

The Washington Post and Associated Press weren’t able to dig up many details about Global Resource Systems. “The company did not return phone calls or emails from The Associated Press. It has no web presence, though it has the domain grscorp.com,” an AP story yesterday said. “Its name doesn’t appear on the directory of its Plantation, Florida, domicile, and a receptionist drew a blank when an AP reporter asked for a company representative at the office earlier this month. She found its name on a tenant list and suggested trying email. Records show the company has not obtained a business license in Plantation.” The AP apparently wasn’t able to track down people associated with the company.

The AP said that the Pentagon “has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September.” Global Resource Systems’ name “is identical to that of a firm that independent Internet fraud researcher Ron Guilmette says was sending out email spam using the very same Internet routing identifier,” the AP continued. “It shut down more than a decade ago. All that differs is the type of company. This one’s a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale.”

The AP did find out that the Defense Department still owns the IP addresses, saying that “a Defense Department spokesman, Russell Goemaere, told the AP on Saturday that none of the newly announced space has been sold.”

[…]

Madory’s conclusion was that the new statement from the Defense Department “answers some questions,” but “much remains a mystery.” It isn’t clear why the Defense Department didn’t simply announce the address space itself instead of using an obscure outside entity, and it’s unclear why the project came “to life in the final moments of the previous administration,” he wrote.

But something good might come out of it, Madory added: “We likely won’t get all of the answers anytime soon, but we can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. Maybe they could come to a NANOG conference and present about the troves of erroneous traffic being sent their way.”

Source: Pentagon explains odd transfer of 175 million IP addresses to obscure company | Ars Technica

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

[…]

They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer.

UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to adb backup on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form.

When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal. This enables Physical Analyzer to display the Signal data that was extracted from an unlocked device in the Cellebrite user’s physical possession.

One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

[…]

we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.

As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied.

The exploits

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.

[…]

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice,

[…]

We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time.

Source: Signal >> Blog >> Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

Nice – so installing Signal on your phone means there is a real possibility that you will get a Cellebrite breaking file on your phone. If they tap you, they will unknowingly break the Cellebrite unit permanently.

Two file-scrambling nasties, Qlocker and eCh0raix, are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the information.

In response, QNAP said on Thursday users should do the following to avoid falling victim:

• Install the latest software updates for the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps on their QNAP NAS gear to close off vulnerabilities that can be exploited by ransomware to infect devices.
• Install the latest Malware Remover tool from QNAP, and run a malware scan. The manufacturer said it has “released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack.”
• Change the network port of the web-based user interface away from the default of 8080, presumably to mitigate future attacks. We’ll assume for now that vulnerable devices are being found and attacked by miscreants scanning the internet for public-facing QNAP products – we’ve asked the manufacturer to comment on this.
• Make sure they use strong, unique passwords that can’t easily be brute-forced or guessed.
• If possible, follow the 3-2-1 rule on backups: have at least three good recent copies of your documents stored on at least two types of media, at least one of which is off-site. That means if your files are scrambled, you have a good chance of restoring them from a backup untouched by the malware, thus avoiding having to cough up the demand, if you make sure the software nasty can’t alter said backups.

Source: If you have a QNAP NAS, stop what you’re doing right now and install latest updates. Do it before Qlocker gets you • The Register

Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate.

The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that a he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. As of publication, the flaws discovered in the Operations Center have been addressed while the status of the myjohndeere.com flaws is not known.

[…]

the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain.

Despite creating millions of lines of software to run its sophisticated agricultural machinery, Deere has not registered so much as a single vulnerability with the Government’s CVE database, which tracks software flaws.

[…]

“Unlike many industries, there is extreme seasonality in the way John Deere’s implements are used,” Jahn told Security Ledger. “We can easily imagine timed interference with planting or harvest that could be devastating. And it wouldn’t have to persist for very long at the right time of year or during a natural disaster – a compound event.”

[…]

Source: Deere John: Researcher Warns Ag Giant’s Site Provides a Map to Customers, Equipment | The Security Ledger

Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers from Technische Universitat Darmstadt in Germany are warning that you might be sharing way more than just a file.

According to the researchers, it’s possible for strangers to discover the phone number and email of any nearby AirDrop user. All a bad actor needs is a device with wifi and to be physically close by. They can then simply open up the AirDrop sharing pane on an iOS or macOS device. If you have the feature enabled, it doesn’t even require you to initiate or engage with any sharing to be at risk, according to their findings.

The problem is rooted in AirDrop’s “Contacts Only” option. The researchers say that in order to suss out whether an AirDrop user is in your contacts, it uses a “mutual authentication mechanism” to cross-reference that user’s phone number and email with another’s contacts list. Now, Apple isn’t just doing that willy nilly. It does use encryption for this exchange. The problem is that the hash Apple uses is apparently easily cracked using “simple techniques such as brute-force attacks.” It is not clear from the research what level of computing power would be necessary to brute-force the hashes Apple uses.

[…]

Source: Apple AirDrop Security Flaw Exposes iPhone Numbers, Emails: Researchers

[…]

WhatsApp representatives told Forbes that the easiest way to protect yourself against this kind of an attack is to make sure you’ve associated an email address with your two-step verification process so the attacker won’t be able to spoof your identity. You can do that right now by pulling up WhatsApp, loading its Settings, tapping on Two-Step Verification, and inputting your email address (or checking to make sure you’ve already done so).

This isn’t going to block the attack per se, but it’ll make it a lot easier for WhatsApp’s customer service team to help you out should you find yourself in a “prevented from authenticating my account” feedback loop—which is what will happen if an attacker reaches out to WhatsApp posing as you, claiming that your account has been hacked and that WhatsApp should deactivate it. (You’ll then “receive” codes to revert the mistaken de-registration, only you won’t be able to input them because of the previous trick, which will have temporarily banned you for entering too many incorrect 2FA codes.)

[…]

Source: How to Keep Attackers From Locking You Out of WhatsApp

A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.

A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

[…]

This is not the first time that a huge number of Facebook users’ phone numbers have been found exposed online. The vulnerability that was uncovered in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.

Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.

[…]

 

Source: Stolen Data of 533 Million Facebook Users Leaked Online

Yes, this is one of the risks of centralised databases