Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

[…]

They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer.

UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to adb backup on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form.

When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal. This enables Physical Analyzer to display the Signal data that was extracted from an unlocked device in the Cellebrite user’s physical possession.

One way to think about Cellebrite’s products is that if someone is physically holding your unlocked device in their hands, they could open whatever apps they would like and take screenshots of everything in them to save and go over later. Cellebrite essentially automates that process for someone holding your device in their hands.

[…]

we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.

As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied.

The exploits

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.

[…]

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice,

[…]

We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time.

Source: Signal >> Blog >> Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

Nice – so installing Signal on your phone means there is a real possibility that you will get a Cellebrite breaking file on your phone. If they tap you, they will unknowingly break the Cellebrite unit permanently.

Two file-scrambling nasties, Qlocker and eCh0raix, are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the information.

In response, QNAP said on Thursday users should do the following to avoid falling victim:

• Install the latest software updates for the Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps on their QNAP NAS gear to close off vulnerabilities that can be exploited by ransomware to infect devices.
• Install the latest Malware Remover tool from QNAP, and run a malware scan. The manufacturer said it has “released an updated version of Malware Remover for operating systems such as QTS and QuTS hero to address the ransomware attack.”
• Change the network port of the web-based user interface away from the default of 8080, presumably to mitigate future attacks. We’ll assume for now that vulnerable devices are being found and attacked by miscreants scanning the internet for public-facing QNAP products – we’ve asked the manufacturer to comment on this.
• Make sure they use strong, unique passwords that can’t easily be brute-forced or guessed.
• If possible, follow the 3-2-1 rule on backups: have at least three good recent copies of your documents stored on at least two types of media, at least one of which is off-site. That means if your files are scrambled, you have a good chance of restoring them from a backup untouched by the malware, thus avoiding having to cough up the demand, if you make sure the software nasty can’t alter said backups.

Source: If you have a QNAP NAS, stop what you’re doing right now and install latest updates. Do it before Qlocker gets you • The Register

Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate.

The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that a he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. As of publication, the flaws discovered in the Operations Center have been addressed while the status of the myjohndeere.com flaws is not known.

[…]

the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain.

Despite creating millions of lines of software to run its sophisticated agricultural machinery, Deere has not registered so much as a single vulnerability with the Government’s CVE database, which tracks software flaws.

[…]

“Unlike many industries, there is extreme seasonality in the way John Deere’s implements are used,” Jahn told Security Ledger. “We can easily imagine timed interference with planting or harvest that could be devastating. And it wouldn’t have to persist for very long at the right time of year or during a natural disaster – a compound event.”

[…]

Source: Deere John: Researcher Warns Ag Giant’s Site Provides a Map to Customers, Equipment | The Security Ledger

Apple’s AirDrop feature is a convenient way to share files between the company’s devices, but security researchers from Technische Universitat Darmstadt in Germany are warning that you might be sharing way more than just a file.

According to the researchers, it’s possible for strangers to discover the phone number and email of any nearby AirDrop user. All a bad actor needs is a device with wifi and to be physically close by. They can then simply open up the AirDrop sharing pane on an iOS or macOS device. If you have the feature enabled, it doesn’t even require you to initiate or engage with any sharing to be at risk, according to their findings.

The problem is rooted in AirDrop’s “Contacts Only” option. The researchers say that in order to suss out whether an AirDrop user is in your contacts, it uses a “mutual authentication mechanism” to cross-reference that user’s phone number and email with another’s contacts list. Now, Apple isn’t just doing that willy nilly. It does use encryption for this exchange. The problem is that the hash Apple uses is apparently easily cracked using “simple techniques such as brute-force attacks.” It is not clear from the research what level of computing power would be necessary to brute-force the hashes Apple uses.

[…]

Source: Apple AirDrop Security Flaw Exposes iPhone Numbers, Emails: Researchers

[…]

WhatsApp representatives told Forbes that the easiest way to protect yourself against this kind of an attack is to make sure you’ve associated an email address with your two-step verification process so the attacker won’t be able to spoof your identity. You can do that right now by pulling up WhatsApp, loading its Settings, tapping on Two-Step Verification, and inputting your email address (or checking to make sure you’ve already done so).

This isn’t going to block the attack per se, but it’ll make it a lot easier for WhatsApp’s customer service team to help you out should you find yourself in a “prevented from authenticating my account” feedback loop—which is what will happen if an attacker reaches out to WhatsApp posing as you, claiming that your account has been hacked and that WhatsApp should deactivate it. (You’ll then “receive” codes to revert the mistaken de-registration, only you won’t be able to input them because of the previous trick, which will have temporarily banned you for entering too many incorrect 2FA codes.)

[…]

Source: How to Keep Attackers From Locking You Out of WhatsApp

A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.

A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

[…]

This is not the first time that a huge number of Facebook users’ phone numbers have been found exposed online. The vulnerability that was uncovered in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.

Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.

[…]

 

Source: Stolen Data of 533 Million Facebook Users Leaked Online

Yes, this is one of the risks of centralised databases

News that Ubiquiti’s cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.”

That announcement continued, “We have no indication that there has been unauthorized activity with respect to any user’s account,” but also recommended customers change their passwords because if their records had been accessed, hashed and salted passwords, email addresses, and even physical addresses and phone numbers could be at risk.

An update on Wednesday this week stated an investigation by outside experts “identified no evidence that customer information was accessed, or even targeted,” however.

Crucially, the update also revealed that someone “unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials.” The update does not suggest the extortion attempt was fanciful.

Ubiquiti has not said when the external experts decided customer data was untouched. Which leaves the company in the interesting position of perhaps knowing its core IP has leaked, and not disclosing that, while also knowing that customer data is safe and not disclosing that, either.

The update contains another scary nugget in this sentence: “Please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.”

But the January 11 notification makes no mention of “the security of our products.”

The update on Wednesday was published two days after Krebs On Security reported that it has seen a letter from a whistleblower to the European Data Protection Supervisor that alleges Ubiquiti has not told the whole truth about the incident.

Krebs said the letter described the attack on Ubiquiti as “catastrophically worse than reported.”

“The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” the letter reportedly claimed, adding that Ubiquiti’s legal team “silenced and overruled efforts to decisively protect customers.”

The whistleblower separately claimed that whoever was able to break into Ubiquiti’s Amazon-hosted servers, they could have swiped cryptographic secrets for customers’ single sign-on cookies and remote device access, internal source code, and signing keys – far more than the Wi-Fi box maker disclosed in January. The intruder, it is said, obtained a Ubiquiti IT worker’s privileged credentials, got root access to the business’s AWS systems, and thus had a potential free run of its cloud-hosted storage and databases.

Backdoors were apparently stashed in the servers, too, and, as Ubiquiti acknowledged this week, a ransom was demanded to keep quiet about the break-in.

[…]

The update ends with another call for customers to refresh their passwords and enable two-factor authentication. The Register fancies some readers may also consider refreshing their Wi-Fi supplier. ®

PS: It’s not been a great week for Ubiquiti: it just promised to remove house ads it added to the web-based user interface of its UniFi gear.

Source: Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges • The Register

Security has never been one of their strong points so this is not really surprising…

OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers.

[…]

On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-server vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

“Anyway, sounds like you can crash most OpenSSL servers on the Internet today,” he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server.

“An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client,” maintainers wrote in an advisory. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.”

The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.

Certificate verification bypass

OpenSSL also fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren’t digitally signed by a browser-trusted certificate authority. The vulnerability, tracked as CVE-2021-3450, involves the interplay between a X509_V_FLAG_X509_STRICT flag found in the code and several parameters.

Thursday’s advisory explained:

If a “purpose” has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named “purpose” values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

[…]

Source: OpenSSL fixes high-severity flaw that allows hackers to crash servers | Ars Technica

[…]

Working from home, whether as a permanent option or as part of hybrid models, may become standard, and so the corporate world needs to consider how best to keep their networks protected whilst also catering to a remote workforce.

To this end, Cloudflare has contributed a new zero-trust solution for browser sessions. On Tuesday, the web security firm launched Cloudflare Browser Isolation, software that creates a “gap” between browsers and end-user devices in the interests of safety.

Instead of employees launching local browser sessions to access work-related resources or collaborative tools, the service runs the original, requested web page in the cloud and streams a replica to the end-user.

Cloudflare says that tapping into the firm’s global network to run browser sessions circumvents the usual speed downgrades and potential lag caused by typical, pixel-based streaming.

As there is no direct browser link, this can mitigate the risk of exploits, phishing, and cyberattacks. In addition, Cloudflare automatically blocks high-risk websites based on existing threat intelligence.

The solution has now been made available through Cloudflare for Teams.

[…]

Source: Cloudflare debuts zero-trust browsing service for remote enterprise workforce | ZDNet

Data of visitors to Diergaarde Blijdorp, Apenheul, Dierenpark Amersfoort and dozens of other theme parks are on the street. Ticket seller Ticketcounter is also extorted for 3 tons.

An employee accidentally posted data online where they didn’t have to. As a result, the data could be found there for months (from 5 August 2020 to 22 February 2021). The data is then offered for sale on the dark web.

This mainly concerns data of people who have purchased day tickets via the website.

Source: Groot datalek bij Ticketcounter, ook hack bij InHolland – Emerce

It turns out they kept all this data they shouldn’t have.

The database contained the data of 1.5 million people who had purchased a ticket through Ticketcounter. These include their names, email addresses, telephone numbers, dates of birth and address details. If people with iDEAL have paid for their entrance ticket, their bank account number (IBAN) has also fallen into the wrong hands.

Source: Datalek Ticketcounter treft ook bezoekers musea en attracties

Why did they keep all this data? And why wasn’t it encrypted?

It was leaked when someone made a backup which a) wasn’t encrypted and b) was placed somewhere stunningly easy to find. Now they are being extorted to the tune of 7 BTC which they are not planning to give.

Ticketcounter makes it sound like they are some kind of victim in this but their security practices are abysmal and hopefully they will be fined a serious amount.

A serious flaw in Zoom’s Keybase secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted.

Source: Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted | The Security Ledger

[…]

Here in France, we’ve just experienced the country’s biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn’t even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it.

Up to 60 fields of personal data per patient are now blowing around in the internet winds. Full name, address, email, mobile phone number, date of birth, social security number, blood group, prescribing doctor, reason for consultation (such as “pregnancy”, “brain tumour”, “deaf”, “HIV positive”) and so on – it’s all there, detailed across 491,840 lines of plain text.

Data journalism couldn’t be easier, and indeed the newspaper hacks have been on the beat, contacting the doctors listed in the file and phoning up some of the patients on their mobile numbers to ask how they feel about the data breach. The doctors knew nothing about it, and of course the patients whose personal info had been stolen – including Hervé Morin, ex-Minister of Defence, as it turns out – hadn’t the faintest idea.

According to an investigation by daily newspaper Libération, warning signs that something was afoot were first reported on 12 February in a blog by Damien Bancal at security outfit Zataz. Some dark web spivs began discussing in Turkish-language channels on Telegram about how to sell some medical records stolen from a French hospital. Some of them then tried independently to put the data on the market and got into an argument that spilled over into Russian-language channels.

One of them, it seems, got pissed off and decided to take revenge by posting an extract of the data publicly. This was rapidly spread around Telegram’s other lesser spivlet channels and soon afterwards ended up being shared on conventional social media.

A closer look at the file reveals that it didn’t come from a hospital after all. It turns out the various dates on the patient records refer not to doctors’ appointments but to when patients had to submit a test specimen: in other words, the data is likely to have been stolen from French bio-medical laboratories conducting the specimen analysis.

Further probing by Libé revealed that the hack may relate to data stored using a system called Mega-Bus from Medasys, a company since absorbed into Dedalus France. Dating back to 2009, Mega-Bus hasn’t been updated and laboratories have been abandoning it for other solutions over the last couple of years. No patient records entered into these newer systems can be found in the stolen file, only pre-upgrade stuff entered into Mega-Bus, apparently.

[…]

Source: Half a million stolen French medical records, drowned in feeble excuses • The Register

Whether you’re looking to make a change in your password management just because, or you’re a LastPass user annoyed with the service’s recent changes to its free tier, switching to the much-loved (and free) Bitwarden service is a good choice. Bitwarden is now the best free password manager for most people—since it works across all of your devices to add convenience and security to your logins—and setting it up is quick and easy.

To get started, head to Bitwarden’s site and create an account. It’s free to do, and all you need to worry about is giving yourself a solid master password. Make it a good one, and one that you don’t use anywhere else, because it’ll be one of the gatekeepers for all of your other passwords that you’ll store on the service. Once you’ve created your account and logged in, make sure you verify your email address using the option in the upper-right corner.

[…]

Source: Why You Should Switch From LastPass to Bitward’s Password Manager

As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the U.S., French authorities have implied that Russia is probably involved.According to ANSSI, a sophisticated hacker group has successfully penetrated the Centreon Systems products, a French IT firm specializing in network and system monitoring that is used by many French government agencies, as well as some of the nation’s biggest companies (Air France, among others). Centreon’s client page shows that it partners with the French Department of Justice, Ecole Polytechnique, and regional public agencies, as well as some of the nation’s largest agri-food production firms.Illustration for article titled France Just Suffered a SolarWinds-Style CyberattackThe SolarWinds Hack Just Keeps Getting More WildNow the Chinese are involved. That’s one of the newest allegations to emerge in the SolarWinds…Read moreWhile ANSSI did not officially attribute the hack to any organization, the agency says the techniques used bear similarities to those of the Russian military hacker group “Sandworm” (also known as Unit 74455). The intrusion campaign, which dates back at least to 2017, allowed the hackers to breach the systems of a number of French organizations, though ANSSI has declined to name the victims or say how many were affected.

Source: France Just Suffered A Very ‘Solar Winds’-Like Cyberattack

Now that Apple has officially begun the transition to Apple Silicon, so has malware.

Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Macs.) Meanwhile, a new report from Wired also quotes other security researchers as finding other, distinct instances of native M1 malware from Wardle’s findings.

The GoSearch22 malware was signed with an Apple developer ID on Nov. 23,  2020—not long after the first M1 laptops were first unveiled. Having a developer ID means a user downloading the malware wouldn’t trigger Gatekeeper on macOS, which notifies users when an application they’re about to download may not be safe. Developers can take the extra step of submitting apps to Apple to be notarized for extra confirmation. However, Wardle notes in his writeup that it’s unclear whether Apple ever notarized the code, as the certificate for GoSearch22 has since been revoked. Unfortunately, he also writes that since this malware was detected in the wild, regardless of whether Apple notarized it, “macOS users were infected.”

[…]

Source: The M1 Malware Has Arrived

Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website. The data leak exposed both living and deceased Brazilians’ medical records to possible unauthorized access. The incident was the second reported by Brazilian publication Estadão and among several others recently affecting South America’s largest nation’s healthcare system.

Sistema Único de Saúde data leak exposed patients’ medical records

For more than six months, personal data belonging to anyone registered with Sistema Único de Saúde (SUS), Brazil’s national health system, could be viewed.

The data leak exposed people’s full names, addresses, phone numbers, and full medical records of Brazilians that signed up for the government’s public-funded healthcare system.

Approximately 32 million medical records belonged to deceased Brazilians, given that the country’s population was 211 million in 2019.

The database login credentials were encoded using Base64 encoding, which could be easily decoded. Anybody could have viewed the website’s source code and the database credentials using the F12 keyboard shortcut or the “View Source Code” option from the browser’s menu.

Subsequently, the exposed database logins could have allowed anybody access to Brazilians’ medical records.

Just last month, Estadão also reported another data leak exposing more than 16 million Brazilian COVID-19 patients’ medical records. The breach occurred after an employee uploaded on GitHub a spreadsheet containing usernames, passwords, and the E-SUS-VE system access keys.

Source: Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months – CPO Magazine

German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.”As Motherboard points out, Strehle started building the project after reading a research paper from the University of Illinois at Chicago that describes the technique. The basic gist of the method starts with the fact that favicon’s get cached in your browser the first time you visit a website. When you return to the site, the browser checks to see if the favicon has been stored in its own special home on your machine that’s called the F-Cache. If the data is out of date or missing, the browser requests data from the website’s servers. Strehle explained what happens next in a write up on his website: A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.

Source: Researchers Say Favicons Can Track You Across the Web

Do you have an iPhone or iPad? You should update your device right now to iOS 14.4. No, not later today or after lunch or whatever. Update now.Why is it so crucial to update your iOS software as soon as possible? As TechCrunch first reported, Apple is reporting three security vulnerabilities that “may have been actively exploited” by hackers.We don’t have any real details yet, but Apple rarely has to admit such stunning vulnerabilities. The researchers who reported the security flaws have been granted anonymity by Apple.As Apple explains: Kernel Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited. Description: A race condition was addressed with improved locking. CVE-2021-1782: an anonymous researcher WebKit Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Description: A logic issue was addressed with improved restrictions. CVE-2021-1871: an anonymous researcher CVE-2021-1870: an anonymous researcher

Source: Update Your iPhone and iPad Right Now

Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system.

Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems. It is designed to give selected, trusted users administrative control when needed.

The bug (CVE-2021-3156) found by Qualys, though, allows any local user to gain root-level access on a vulnerable host in its default configuration. Qualys is disclosing its findings in a coordinated release with operating systems vendors, and has bestowed the errant code with the memorable name of the mythical mischief-maker Baron Samedi.

The following versions of sudo are affected: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Qualys developed exploits for several Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), and the security biz believes other distributions are vulnerable, too.

Ubuntu and Red Hat have already published patches, and your distro may have as well, so get to it.

In their write-up, Qualys researchers explain, “set_cmnd() is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the ‘user_args’ buffer were not included in its size.”

[…]

The bug was introduced in July 2011 (commit 8255ed69) and has persisted unfixed until now.

[…]

Source: Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges • The Register

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.

The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.

The ads consisted of photos of computer screens listing data of one or more Dutch citizens.

The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the DDG’s contact-tracing systems.

Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person.

Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person’s BSN identifier (Dutch social security number).

Two men arrested in Amsterdam within a day

In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint.

Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said.

According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.

Source: Dutch COVID-19 patient data sold on the criminal underground | ZDNet

It turns out you can buy searched subsets of the information, eg people from Amsterdam or search by name.

Millions of people – basically everyone who’d ever had a corona test – were affected.

Original sauce: Illegale handel in privégegevens miljoenen Nederlanders uit coronasystemen GGD (RTL news)

It also turns out that the GGD was warned repeatedly of their poor security measures over the years and nothing was done about it. Andre Rouwvoet, the boss of the GGD was also warned and says it’s one of those things that couldn’t be helped. This is simply not true. The most obvious questions are:

1. Why wasn’t the data deleted after no longer being relevant (it’s kept  for traceability of other people exposed and so loses relevance after 10 – 14 days)
2. Why could helpdesk people access all of this huge database?
3. Why wasn’t there a system op alarms in place to shout out when people were bulk exporting data?

The JSOF research labs are reporting 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions.

The DNS protocol has a history of vulnerabilities dating back to the famous 2008 Kaminsky attack. Nevertheless, a large part of the Internet still relies on DNS as a source of integrity, in the same way it has for over a decade, and is therefore exposed to attacks that can endanger the integrity of parts of the web.

DNSpooq

The Dnspooq vulnerabilities include DNS cache poisoning vulnerabilities as well as a potential Remote code execution and others. The list of devices using dnsmasq is long and varied. According to our internet-based research, prominent users of dnsmasq seem to include Cisco routers, Android phones, Aruba devices, Technicolor, and Red-Hat, as well as Siemens, Ubiquiti networks, Comcast, and others listed below. Depending on how they use dnsmasq, devices may be more or less affected, or not affected at all.

[…]

The DNSpooq vulnerability set divides into 2 types of vulnerabilities:

1. DNS cache poisoning attacks, similar to the Kaminsky attack, but different in some aspects.
2. Buffer overflow vulnerabilities that could lead to remote code execution.

[…]

The DNSpooq cache poisoning vulnerabilities are labeled:
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685

[…]

These [buffer overflow] vulnerabilities are labeled:
CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681

[…]

Source: DNSPOOQ – JSOF

WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. This was first discovered in 2019, and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to be cropping up again, is user profiles showing up through search results. People’s phone numbers and profile pictures could be surfaced through a simple a Google search, because of the issue.

By allowing the indexing of group chat invites, WhatsApp is making several private groups available across the Web as their links can be accessed by anyone using a simple search query on Google — although we are not sharing the exact details, this was verified by Gadgets 360. Someone who finds these links can join the groups and would also be able to see the participants and their phone numbers alongside the posts being shared within those groups.

Update: WhatsApp replied to say, “Since March 2020, WhatsApp has included the ‘noindex’ tag on all deep link pages which, according to Google, will exclude them from indexing.” Gadgets 360 was able to confirm that the search results are no longer visible on Google anymore; however, WhatsApp’s statement did not mention this fix. The full statement is at the end of this story. Rajshekhar Rajaharia, who informed about the indexing issue, commented on the statement given by WhatsApp and said, “Adding the ‘noindex’ tag is not a proper solution as links surface again on search results in a a few months. Big tech companies like WhatsApp should look for a proper solution if they really care users’ privacy.”

Source: WhatsApp Private Groups Were Accessible Again to Anyone Searching on Google | Technology News

Private groups on WhatsApp are usually only accessible by those who have been sent an invite link by a moderator. However, these links were indexed by Google, making them discoverable by everyone. The same issue was exposed in February last year.

Following the latest privacy breach, WhatsApp said it has resolved the problem with Google.

“Since March 2020, WhatsApp has included the “noindex” tag on all deep link pages which, according to Google, will exclude them from indexing. We have given our feedback to Google to not index these chats,” the Facebook-owned messaging app said in a statement.

WhatsApp also warned users not to post group chat invite links on publicly accessible websites.

Source: WhatsApp private group chat links appear in Google search again

Cybersecurity researcher Rajshekhar Rajaharia tweeted that WhatsApp Web users’ data was being indexed on Google again, pointing out that this was the third time the issue had occurred.

When information is indexed, it can be found in a search engine and made public. As such, companies generally take measures to prevent private data from being indexed.

15 Jan 2021, If you are using @WhatsApp Web, your Mobile Number and Messages are being index by @Google again. Don’t know why WhatsApp is still not monitoring their website and google. This is 3rd time.#Infosec #Privacy #infosecurity #GDPR #Whatsapp #Privacy #Policy #Google pic.twitter.com/D6o1emxDgv

— Rajshekhar Rajaharia (@rajaharia) January 15,2021

He had pointed out a similar issue earlier on Jan 11, where users’ profiles and invitations to join group chats were exposed on Google, which enabled strangers to potentially find users’ phone numbers or even join chats.

[…]

In regards to the latest leak, Rajshekhar noted that WhatsApp was using a “Robots.txt” file and a “disallow all” setting, to instruct Google not to index anything.

Though a Robots.txt, or robots exclusion protocol, is generally used to instruct web crawlers (which index pages) to stay away, Google was still indexing WhatsApp user data.

Rajshekhar explained why this was still occurring: Google requires page owners not to use Robots.txt when using the “noindex” tag, as stated in its search indexing help page.

This is because the features clash, with Google unable to detect the “noindex” tag if it was being stopped by Robot.txt.

Source: WhatsApp users’ phone numbers and chats exposed on Google