The Linkielist

Linking ideas with the world

European police hacked encrypted phones used by thousands of criminals

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 million (about $67 million) and confiscate 77 firearms and two tonnes of Class A and B drugs, the National Crime Agency (NCA) reported. According to Vice, police also made arrests in France, the Netherlands, Norway and Sweden.

Encrochat promised highly secure phones that, as Vice explains, were essentially modified Android devices. The company installed its own encrypted messaging platform, removed the GPS, camera and microphone functions and offered features like the ability to wipe the device with a PIN. The phones could make VOIP calls and send texts, but they did little else. They ran two operating systems, one of which appeared normal to evade suspicion. Encrochat used a subscription model, which cost thousands of dollars per year, and users seemed to think that it was foolproof.

Law enforcement agencies began collecting data from Encrochat on April 1st. According to the BBC, the encryption code was likely cracked in early March. It’s not clear exactly how officials hacked the platform, which is now shut down.

Source: European police hacked encrypted phones used by thousands of criminals | Engadget

Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.

Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take control of a computer running Bitdefender’s antivirus package. The bug, privately reported in April, was patched in May.

[…]

It’s important to note that Bitdefender said the bug was within its Chromium-based “secure browser” SafePay, which is supposed to protect online payments from hackers and is part of its Total Security 2020 suite. Meanwhile, Palant said the vulnerability was within a component called Online Protection within that suite, meaning it could be exploited by any website opened in any browser on any computer running Bitdefender’s vulnerable antivirus package.

[…]

When the antivirus suite wanted to flag up suspicious or broken HTTPS certificates, which are sometimes a sign shenanigans may be afoot, Bitdefender’s code generated a custom error page that appeared as though it came from the requested website. It would do this by modifying the server response.

It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible

There was nothing to stop a web server with a bad certificate from requesting the contents of Bitdefender’s custom error page, though, because as far as your browser is concerned, the error page came from the web server anyway.

Thus, a malicious web server could serve a page with a good certificate, and cause a new window to open with a page from the same domain and server albeit with an invalid certificate. Bitdefender’s code would jump in, and replace the second webpage with a custom error page. The first page with the good certificate could then use XMLHttpRequest to fetch the contents of the error page, which your browser would hand over.

That error page contained the Bitdefender installation’s session tokens, which could be used to send system commands to the security software suite on the user’s PC to execute. Palant’s proof-of-concept exploit worked against a Windows host, allowing a malicious page to install, say, spyware or ransomware on a victim’s computer.

“The URL in the browser’s address bar doesn’t change,” Palant explained. “So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out.”

Source: Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution • The Register

Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor.

Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the full list of Netgear SOHO products said to be at-risk, see the afore-linked page.

Exploit code, developed by infosec outfit Grimm, is available on GitHub for all the models said to be vulnerable: if successful, it opens a telnet daemon on port 8888. Technical details are available here.

The bugs lie in the web-based control panel of the Linux-powered equipment. It can be hijacked by sending it specially crafted data, bypassing the password protection, via the local network, or the internet if it is exposed to the world, or by tricking a victim into opening a webpage that automatically connects to the device on the LAN. Once exploited, the device can be commanded to open a backdoor, change its DNS and DHCP settings to redirect users to phishing websites, and so on.

How we got to this situation is an interesting tale. In January, Trend Micro’s Zero-Day Initiative (ZDI) privately contacted Netgear on behalf of a security researcher, called d4rkn3ss, at the Vietnamese government’s national telecoms provider. The egghead had found a way into R6700 routers via a classic buffer overflow attack, and Netgear was informed of the weakness.

ZDI and Netgear eventually agreed on a deadline of June 15 to release any necessary security updates: on that day, ZDI would go public with details of the flaw. At the end of May, Netgear asked for an extension to the end of June. ZDI rejected the request, and on Monday, emitted its advisory.

“This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Netgear R6700 routers,” ZDI explained. “Authentication is not required to exploit this vulnerability.

“The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.”

Speaking to The Register, ZDI senior manager of vulnerability analysis Abdul-Aziz Hariri said: “Since authentication is not required to reach this bug, anyone who can connect to the local network of the router would be capable of exploiting this vulnerability. Since it’s remote code execution, you can completely take over the router.

“In most scenarios, the attacker would be able to possibly upload a custom backdoor software and establish persistence or launch further attacks, like man-in-the-middle attacks.”

While ZDI waited for Netgear to release its patches, Grimm privately reported to Netgear in May it had found the same security hole in a bunch of the manufacturer’s products. When ZDI went public, so did Grimm: publishing an in-depth advisory showing how to exploit the holes, and released full, working proof-of-concept exploit code.

Three days later, Netgear released the aforementioned hot-fixes for two of the models. “We have already provided hot fixes for the R7000 and the R6700. The rest are forthcoming,” the router-maker told The Register on Thursday.

The Grimm team noted that Netgear’s firmware lacked basic protections, such as ASLR for its programs, which makes the bugs in the equipment easy to exploit.

Source: Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public • The Register

And this is why responsible disclosure is a good idea.

Massive spying on users of Google’s Chrome shows new security weakness

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.

Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.

[…]

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.

“Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.

If someone used the browser to surf the web on a home computer, it would connect to a series of websites and transmit information, the researchers found. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.
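As an added defender-side example (not code from the Reuters report or from Awake's research), the following script audits Chrome extension manifests for the capabilities an extension needs in order to collect browsing history and page data across sites: a content script or host permission covering every site, or one of the browsing-activity APIs. The two manifests are constructed samples, not real extensions.

```python
"""Flag Chrome extension manifests that ask for the access a browsing-data
stealer needs. Added example, not code from the Reuters story or Awake's
research; both manifests below are constructed samples, not real extensions."""
import json

# Permissions that expose browsing activity or page contents across sites.
OBSERVE_PERMISSIONS = {"history", "tabs", "webRequest", "webNavigation", "cookies"}


def is_broad_host(pattern):
    """True for match patterns covering every site: <all_urls>, *://*/*, https://*/* ..."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return scheme in ("*", "http", "https") and host == "*"


def host_patterns(manifest):
    """Collect every host pattern from MV2 'permissions', MV3 'host_permissions'
    and content_scripts 'matches'."""
    patterns = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.add(p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return findings for one manifest (dict or JSON text)."""
    if isinstance(manifest, str):
        manifest = json.loads(manifest)
    declared = {p for key in ("permissions", "optional_permissions")
                for p in manifest.get(key, []) if isinstance(p, str)}
    broad = sorted(p for p in host_patterns(manifest) if is_broad_host(p))
    observe = sorted(declared & OBSERVE_PERMISSIONS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": broad,
        "observe_permissions": observe,
        # Either a content script on every site or a browsing-activity API is
        # enough to collect history and page data for exfiltration.
        "observes_browsing": bool(broad) or bool(observe),
    }


# Constructed sample: a "file converter" that wants every site plus webRequest.
CONVERTER_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Free PDF Converter",
    "permissions": ["storage", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "background": {"scripts": ["bg.js"]},
})

# Constructed sample: a converter that only talks to its own service.
NARROW_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Converter (scoped)",
    "permissions": ["storage"],
    "host_permissions": ["https://convert.example.invalid/*"],
})


def audit_all(manifests):
    """Audit several manifests; returns the list of findings."""
    return [audit_manifest(m) for m in manifests]


if __name__ == "__main__":
    for finding in audit_all([CONVERTER_MANIFEST, NARROW_MANIFEST]):
        print(json.dumps(finding, indent=2))
```

A broad host pattern alone does not prove malice, but an extension whose stated purpose is file conversion has no reason to run on every site, which is the mismatch worth reviewing.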

After this story’s publication, Awake released its research, including the list of domains and extensions, here.

All of the domains in question, more than 15,000 linked to each other in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication Ltd.

Awake said Galcomm should have known what was happening.

In an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

[…]

Malicious developers have been using Google’s Chrome Store as a conduit for a long time. After one in 10 submissions was deemed malicious, Google said in 2018 it would improve security, in part by increasing human review.

But in February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered a similar Chrome campaign that stole data from about 1.7 million users. Google joined the investigation and found 500 fraudulent extensions.

Source: Exclusive: Massive spying on users of Google’s Chrome shows new security weakness – Reuters

Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not.

The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next month, offer strong E2E encryption (E2EE) as a beta to any free account holder willing to hand over their contact number, as well as offering it to enterprise customers. We note that Google Meet and other rival services do not offer E2EE.

“Today, Zoom released an updated E2EE design on GitHub,” Zoom CEO Eric Yuan said. “We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform.

“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”

It should be noted that Zoom already encrypts calls in transit with AES-256-GCM cryptography, but that isn’t truly end-to-end: E2EE ensures only the meeting participants, and no one else, can encrypt and decrypt the video, voice, and other data flowing between them during a confab. Zoom points out that this encryption won’t work on PSTN phone lines. This also excludes SIP/H.323 commercial conferencing gear.

Earlier this year, Yuan argued that Zoom couldn’t protect free calls with E2EE because to do so would thwart important law enforcement operations.

“Free users, for sure, we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan told analysts back in April.

In May, Zoom asked for help from digital rights groups who, apparently, told them to stop messing about and give people encrypted calls, law enforcement concerns be damned.

“Since releasing the draft design of Zoom’s end-to-end encryption (E2EE) on May 22, we have engaged with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others to gather their feedback on this feature,” Yuan said today.

To satisfy the legal issues and requirements, Zoom is asking users to verify their phone numbers by entering a single-use code delivered via text message. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts,” Yuan said. “We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

Needless to say, Zoom has taken no shortage of heat for its handling of security issues since the coronavirus lockdown made the service a household name and brought the upstart under scrutiny.

In response, Zoom moved to bring in the likes of ex-Yahoo! and Facebook CSO Alex Stamos and Luta Security and its founder Katie Mousourris to get its protections up to snuff.

Source: Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number… • The Register

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download.

Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records.

Data exposed included photos, many of a graphic, sexual nature; private chats and details of financial transactions; audio recordings; and limited personally identifiable information, the biz stated, adding that it thinks it found sufficient data to blackmail people.

“Aside from exposing potentially millions of users of the apps to danger, the breach also exposed the various apps’ entire AWS infrastructure through unsecured admin credentials and passwords,” vpnMentor’s researchers wrote.

The haul is estimated to contain hundreds of thousands of users’ data, all exposed to the public internet without any authentication. We note vpnMentor thinks this figure could be in the millions.

The storage silo was used by nine rather niche dating apps, including SugarD, which connects sugar daddies with sugar babies, whom they financially support with gifts and cash. Gay Daddy Bear, which targets plus-sized, hairy gay men, was also exposed, we’re told. Data from the-self-explanatory-but-puzzling-in-other-ways Herpes Dating was also revealed.

Just who built the apps and made the fateful decision to misconfigure the buckets is not known, though vpnMentor suspects the nine services share a common developer. Whoever is to blame, they ignored the regular warnings Amazon Web Services sends to S3 customers regarding controlling and limiting access to cloud-hosted data.
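As an added example (not code from the Register or vpnMentor), the following offline check evaluates the three settings that decide whether an S3 bucket is world-readable: the bucket ACL, the bucket policy, and Block Public Access. It compares a constructed weak configuration of the kind described above with a corrected one; the input shapes follow what boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, but every value is a constructed sample.

```python
"""Offline check of an S3 bucket's ACL, bucket policy and Block Public Access
settings for world-readable exposure. Added example, not code from the
Register/vpnMentor report. The inputs follow the shapes boto3 returns from
get_bucket_acl, get_bucket_policy and get_public_access_block, but every value
here is a constructed sample."""
import json

# Grantee URIs that mean "everyone" and "every AWS account" respectively.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_permissions(acl):
    """Permissions the bucket ACL grants to public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def policy_public_actions(policy_doc):
    """Actions allowed to Principal '*' (or AWS '*') without any Condition."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    found = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if anyone:
            found.append(sorted(_as_list(st.get("Action", []))))
    return found


def assess_bucket(acl, policy_doc, public_access_block):
    """Combine the three views; a fully enabled Block Public Access overrides the rest."""
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    blocked = all(cfg.get(k, False) for k in PAB_KEYS)
    acl_perms = acl_public_permissions(acl)
    policy_actions = policy_public_actions(policy_doc) if policy_doc else []
    return {
        "acl_public_permissions": acl_perms,
        "policy_public_actions": policy_actions,
        "block_public_access": blocked,
        "world_readable": not blocked and (bool(acl_perms) or bool(policy_actions)),
    }


# Constructed weak configuration: public-read ACL, anonymous GetObject policy,
# Block Public Access switched off.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::constructed-bucket/*"}]})
WEAK_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

# Corrected configuration: owner-only ACL, no bucket policy, all four blocks on.
OWNER_ONLY_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(WEAK_ACL, WEAK_POLICY, WEAK_PAB), indent=2))
    print(json.dumps(assess_bucket(OWNER_ONLY_ACL, None, HARDENED_PAB), indent=2))
```

Turning on all four Block Public Access settings is the single change that neutralises both a public ACL and a public policy, which is why it is the first thing to check on a bucket holding user data.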

Users of the apps can take some small comfort from the fact the buckets were taken offline on 27 May, a day after the researchers informed one of the websites about the risk of unauthorized access.

Source: 845GB of racy dating app records exposed to entire internet via leaky AWS buckets • The Register

Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder.

A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around five billion harvested records to the public internet, the firm admitted in a statement yesterday.

The database was indexed by a search engine, and came to the attention of noted infosec blogger Volodymyr “Bob” Diachenko, who wrote it all up. Keepnet disputed Diachenko’s initial characterisation of the breach, and things spiralled from there.

As reported by news website Verdict, Keepnet was stung by Diachenko’s initial post about the gaffe, which Keepnet interpreted as the blogger blaming the business for leaking its own customers’ data – none of its own clients’ data was exposed, but rather info from previous publicly known database exposures. Diachenko said the database contained email addresses, hashed passwords, the sources of the information, and other details, all gathered from previous leaks by hackers.

What actually happened, Keepnet later insisted, was that a contractor had screwed up by turning off a firewall. The 867GB database, claimed Keepnet, contained email addresses harvested from other data spillages that took place between 2013 and 2019.

“As part of the Keepnet Labs Solution, we provide a ‘compromised email credentials’ threat intelligence service. To provide this service, we are continuously collecting publicly known data-breach data from online public resources. We then store this data in our own secure Elasticsearch database and provide companies with the information relating to their business email domains via our Keepnet platform,” the firm insisted.

Nonetheless, Keepnet responded to the bloggerati by sending lawyers’ letters to all and sundry, demanding its name be removed from the posts about the prone Elasticsearch database. Unfortunately for Keepnet, one of those letters landed on the doormat of veteran infosec scribbler Graham Cluley. Not one to be cowed, Cluley removed the firm’s name from his blog post – then tweeted about it.

In a subsequent post about the kerfuffle, Cluley said: “I gave Keepnet Labs multiple opportunities to tell me what was incorrect in my article, or to offer me a public statement that I could include in the article. I told them I was keen to present the facts accurately.” This is best practice for bloggers and standard practice for reputable news organs.

El Reg has received its fair share of lawyers’ letters commissioned by red-faced company execs determined to disrupt and deter news reporting of their doings. The letter sent to Cluley (seen by The Register and screenshotted at the link just above) seemingly complained that Cluley had defamed the company. It called out words that weren’t actually in his blog post; cited part of an EU directive that has nothing to do with defamation law either in the political bloc or in the UK as justification; and threatened legal action, injunctions, costs and damages (£££) unless the entire blog post was deleted.

Whether the Elasticsearch database truly was exposed for just 10 minutes as Keepnet claimed, and whether those 10 minutes were long enough for it to be indexed, that index to be seeded through BinaryEdge, Diachenko to notice the new result, click around as required, download 2MB of it, inspect the download and then figure out who owned the database, is all moot. Keepnet’s actions after the discovery eclipsed the original screw-up completely.

An unrepentant Keepnet said in its statement: “We have been working over the past few months to get in contact with the authors of posts who have shared inaccurate aspects of this story and have politely asked them to update their articles,” which is a funny way of saying “hired a lawyer to threaten a defamation lawsuit unless the posts were deleted.” This was only ever going to produce one result, and not the one Keepnet wanted.

As Cluley put it: “Security firms should be examples for all businesses on how to behave after a security breach. Transparency, disclosure of what went wrong, and what steps are being taken to ensure that something similar doesn’t happen again are key to building trust and confidence from customers and the rest of the industry.”

For what it’s worth, El Reg didn’t cover the breach at the time it was first reported because, well, it involved public information becoming public again. It is to be hoped that Keepnet’s entirely self-inflicted reputational harm here teaches its founder a sharp and valuable lesson.

Keepnet did not respond last week when we asked the firm for comment.

Source: Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database • The Register

Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports.

The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.”

Some Honda factories around the world were forced to suspend production, though output from Turkey, India, USA and Brazil locations remains on hold at the time of writing.

Sky News reported yesterday that Honda’s networks began to suffer “issues” on Monday, and that “the company believed it was the result of unauthorised attempts to breach its systems.”

A Honda spokesbeing told several outlets: “We can confirm some impact in Europe and are currently investigating the exact nature.”

Another statement from the firm today added: “Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities.”

In the meantime, multiple researchers have suggested the culprit was Ekans, with one Milkr3am posting screenshots on Twitter of a sample submitted to VirusTotal today that checks for the internal Honda network name of “mds.honda.com”.

Professor Alan Woodward of the University of Surrey told El Reg: “With a just-in-time system you need only a small outage in IT to cause a problem. As it happens I think Honda have recovered quite quickly. A few countries’ facilities are still affected but they seem to be coming back very fast, which suggests they had a good response plan in place.”

The speed at which the malware spread in Honda’s network indicates that the company has centralised some functions, “the usual culprits are finance,” he added.

Source: Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers • The Register

WhatsApp was exposing users’ phone numbers in Google search

WhatsApp claims it fixed an issue that was showing users’ phone numbers in Google search results, TechCrunch reports. The change comes after security researcher Athul Jayaram revealed that phone numbers of WhatsApp users who used the Click to Chat feature were being indexed in search.

Click to Chat allows users to create a link with their phone number in plain text. According to Jayaram, because the links don’t have a robots.txt file in the server root, they cannot stop Google or other search engine bots from crawling and indexing the links. Jayaram says as many as 300,000 phone numbers may have appeared in Google search results, and they could be found by searching “site:wa.me.”

As TechCrunch notes, Jayaram isn’t the first to report this issue. WaBetaInfo pointed it out in February. While the issue seems to be fixed, it’s a pretty big security flaw and apparently it’s been a problem for at least several months.

Source: WhatsApp was exposing users’ phone numbers in Google search | Engadget

From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours

IBM’s cloud has gone down hard across the world.

We’d love to tell you just how hard the service has hit the dirt, but even the Big Blue status page is intermittently unavailable:

[Image: IBM Cloud status page, June 10 2020]

Your humble hack has an IBM Cloud account, and when attempting to login in the hope that a customer-facing page could offer some information, he saw only the following error message:

[Image: IBM Cloud login error message]

IBM’s social feeds are silent on the outage at the time of writing.

One Australian IBM Cloud user told us that the outage has run for at least two hours, and means he is unable to deliver business services that customers depend on as they start their days. The breakdown is said to be global.

Clients are mad as hell because the blunder appears to have hit after business hours on the east coast of America, and IBM has not been responsive.

The Register has asked IBM to explain the outage, and we will update this story if and when more information becomes available.

Updated to add at 0020 UTC on June 10

The user we spoke to earlier tells us that their IBM-hosted services have come back to life. However, the IBM Cloud status page is still not working, and when this vulture tried to view it or to log on, this appeared…

[Image: IBM Cloud status page still unavailable]

Your cloud is important to us. If you’d like to know more, press refresh for an hour or more.

Final update at 0140 UTC on June 10

The IBM Cloud’s status page is live again, and users can log in once more.

The status page lists fifteen active events though offers almost no detail other than the admission that: “Technical teams are engaged and have identified a broad network incident that is impacting many cloud services.” That information appears in a notification titled “Watson Platform users are unable to access console or applications in all regions.”

Source: From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work • The Register

Bug bounty platforms buy researcher silence, violate labor laws, critics say

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne’s former chief policy officer, Katie Moussouris, call a “perversion.”

Bug bounty vs. VDP

A vulnerability disclosure program (VDP) is a welcome mat for concerned citizens to report security vulnerabilities. Every organization should have a VDP. In fact, the US Federal Trade Commission (FTC) considers a VDP a best practice, and has fined companies for poor security practices, including failing to deploy a VDP as part of their security due diligence. The US Department of Homeland Security (DHS) issued a draft order in 2019 mandating all federal civilian agencies deploy a VDP.

Regulators often view deploying a VDP as minimal due diligence, but running a VDP is a pain. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it, and when the time is up they call their favorite journalist and publish the complete details on Twitter, plus a talk at Black Hat or DEF CON if it’s a really juicy bug.

[…]

“Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security,” Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. “This is part of the problem with the bug bounty platforms as they are right now. They aren’t holding companies to a 90-day disclosure deadline,” he says. “A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence.”

The bug bounty platforms’ NDAs prohibit even mentioning the existence of a private bug bounty. Tweeting something like “Company X has a private bounty program over at Bugcrowd” would be enough to get a hacker kicked off their platform.

The carrot for researcher silence is the money — bounties can range from a few hundred to tens of thousands of dollars — but the stick to enforce silence is “safe harbor,” an organization’s public promise not to sue or criminally prosecute a security researcher attempting to report a bug in good faith.

The US Department of Justice (DOJ) published guidelines in 2017 on how to make a promise of safe harbor. Severe penalties for illegal hacking should not apply to a concerned citizen trying to do the right thing, they reasoned.

Want safe harbor? Sign this NDA

Sign this NDA to report a security issue or we reserve the right to prosecute you under the Computer Fraud and Abuse Act (CFAA) and put you in jail for a decade or more. That’s the message some organizations are sending with their private bug bounty programs.

[…]

The PayPal terms, published and facilitated by HackerOne, turn the idea of a VDP with safe harbor on its head. The company “commits that, if we conclude, in our sole discretion, [emphasis ours] that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.”

The only way to meet their “sole discretion” decision of safe harbor is if you agree to their NDA. “By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval.”

HackerOne underscores that safe harbor can be contingent on agreeing to program terms, including signing an NDA, in their disclosure guidelines. Bug finders who don’t wish to sign an NDA to report a security flaw may contact the affected organization directly, but without safe harbor protections.

“Submit directly to the Security Team outside of the Program,” they write. “In this situation, Finders are advised to exercise good judgement as any safe harbor afforded by the Program Policy may not be available.”

[…]

Security researchers concerned about safe harbor protection should not rest easy with most safe harbor language, Electronic Frontier Foundation (EFF) Senior Staff Attorney Andrew Crocker tells CSO. “The terms of many bug bounty programs are often written to give the company leeway to determine ‘in its sole discretion’ whether a researcher has met the criteria for a safe harbor,” Crocker says. “That obviously limits how much comfort researchers can take from the offer of a safe harbor.”

“EFF strongly believes that security researchers have a First Amendment right to report their research and that disclosure of vulnerabilities is highly beneficial,” Crocker adds. In fact, many top security researchers refuse to participate on bug bounty platforms because of required NDAs.

[…]

Health insurance in the US is typically provided by employers to employees, and not to independent contractors. However, legal experts tell CSO that the bug bounty platforms violate both California and US federal labor law.

California AB 5, the Golden State’s new law to protect “gig economy” workers that came into effect in January 2020, clearly applies to bug bounty hunters working for HackerOne, Bugcrowd and Synack, Leanna Katz, an LLM candidate at Harvard Law School researching legal tests that distinguish between independent contractors and employees, tells CSO.

[…]

“My legal analysis suggests those workers [on bug bounty platforms] should at least be getting minimum wage, overtime compensation, and unemployment insurance,” Dubal tells CSO. “That is so exploitative and illegal,” she adds, saying that “under federal law it is conceivable that not just HackerOne but the client is a joint employer [of bug finders]. There might be liability for companies that use [bug bounty platform] services.”

“Finders are not employees,” Rice says, a sentiment echoed by Bugcrowd founder Ellis and Synack founder Jay Kaplan. Synack’s response is representative of all three platforms: “Like many companies in California, we’re closely monitoring how the state will apply AB 5, but we have a limited number of security researchers based in California and they represent only a fractional percentage of overall testing time,” a Synack representative tells CSO.

Using gig economy platform workers to discover and report security flaws may also have serious GDPR consequences when a security researcher discovers a data breach.

Bug bounty platforms may violate GDPR

When is a data breach not a data breach?

When a penetration testing consultancy with vetted employees discovers the exposed data.

A standard penetration testing engagement contract includes language that protects the penetration testers — in short, it’s not a crime if someone asks you to break into their building or corporate network on purpose, and signs a contract indemnifying you.

This includes data breaches discovered by penetration testers. Since the pen testers are brought under the umbrella of the client, say “Company X,” any publicly exposed Company X data discovered is not considered publicly exposed, since that would legally be the same as a Company X employee discovering a data breach, and GDPR’s data breach notification rules don’t come into play.

What about unvetted bug bounty hunters who discover a data breach as part of a bug bounty program? According to Joan Antokol, a GDPR expert, the EU’s data breach notification regulation applies to bug bounty platforms. Antokol is partner at Park Legal LLC and a longstanding member of the International Working Group on Data Protection in Technology (IWGDPT), which is chaired by the Berlin Data Protection Commissioner. She works closely with GDPR regulators.

“If a free agent hacker who signed up for a project via bug bounty companies to try to find vulnerabilities in the electronic systems of a bug bounty client (often a multinational company), was, in fact, able to access company personal data of the multinational via successful hacking into their systems,” she tells CSO, “the multinational (data controller) would have a breach notification obligation under the GDPR and similar laws of other countries.”

[…]

ISO 29147 standardizes how to receive security bug reports from an outside reporter for the first time and how to disseminate security advisories to the public.

ISO 30111 documents internal digestion of bug reports and remediation within an affected software maker. ISO provided CSO with a review copy of both standards, and the language is unambiguous.

These standards make clear that private bug bounty NDAs are not ISO compliant. “When non-disclosure is a required term or condition of reporting bugs via a bug bounty platform, that fundamentally breaks the process of vulnerability disclosure as outlined in ISO 29147,” Moussouris says. “The purpose of the standard is to allow for incoming vulnerability reports and [her emphasis] release of guidance to affected parties.”

ISO 29147 lists four major goals, including “providing users with sufficient information to evaluate risk due to vulnerabilities,” and lists eight different reasons why publishing security advisories is a standardized requirement, including “informing public policy decisions” and “transparency and accountability.” Further, 29147 says that public disclosure makes us all more secure in the long term. “The theory supporting vulnerability disclosure holds that the short-term risk caused by public disclosure is outweighed by longer-term benefits from fixed vulnerabilities, better informed defenders, and systemic defensive improvements.”

Source: Bug bounty platforms buy researcher silence, violate labor laws, critics say | CSO Online

Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen

A report from consumer advocates Which? highlights the shockingly short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives.

That lifespan varies between manufacturers: Most vendors were vague, with Beko offering “up to 10 years” and LG saying patches would be issued as required. Samsung said it would offer software support for a maximum of two years, according to the report.

Only one manufacturer, Miele, promised to issue software updates for a full decade after the release of a device, but then Miele tends to make premium priced products.

[…]

For consumers, that ambiguous (if not outright short) lifespan raises the possibility they could be forced to replace their expensive white goods before they otherwise would. According to the consumer watchdog, fridge-freezers typically last 11 years.

If a manufacturer decides to withdraw software support, or switch off central servers, users could find themselves with a big, frosty brick in their kitchen. In the wider IoT world, there’s precedent for this.

In 2016, owners of the Revolv smart home hub were infuriated after the Google-owned Nest deactivated the servers required for it to work. More recently, Belkin flicked the kill switch on its WeMo NetCam IP cameras, offering refunds only to those users whose devices were still in warranty and had the foresight to keep their receipts.

There’s another cause for concern. Given that smart appliances are essentially computers with a persistent connection to the internet, there’s a risk hackers could co-opt unpatched fridges and dishwashers, turning them into drones in vast botnets.

Again, there’s precedent. The Mirai botnet, for example, was effectively composed of hacked routers and IP cameras.

Source: Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen • The Register

Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system.

A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a breach notification email from HIBP was ingested into his firm’s helpdesk ticket system and was automatically assigned a ticket ID.

The company used version 9.4.5 of the GLPi open source helpdesk system, a rather old product but quite functional. As Matt put it: “All was well until we received an email from haveibeenpwned to our helpdesk support address, which automatically got logged as a support ticket.”

When one of your email addresses is included in a breach picked up by HIBP, you can generate a report that tells you where your details were found. Included in the email with the link to the report is the HIBP header logo graphic, partly formed from ASCII text which reads as so:

';--have I been pwned?

Problems arose when Matt received that email. While he looked at it and took the relevant actions, GLPi had encountered an issue. “I and the other techs quickly noticed that every single ticket description had been deleted and replaced with partial header data from the HIBP email,” wrote Matt.

This caused some headaches, requiring a restore from the previous day’s backups. Not ideal and quite disruptive.

That evening Matt started fault-finding, eventually narrowing down the ticket-wiping problem to one of either assigning the HIBP email to yourself in GLPi or adding yourself as a “watcher” of it. In both cases, Matt suspected, some kind of SQL injection was happening.

“I managed to shrink the exploit down to six characters (';-- " – the space and double-quote at the end appear to be required though this could do with more testing) to achieve the same kind of malicious behaviour, in this case deleting all content of the descriptions for every ticket in the database,” he wrote.

Eventually he figured it out. GLPi 9.4.5 is vulnerable to a SQL injection flaw which just happened to be triggered by the formatting of HIBP’s breach report email. As Matt put it, “GLPI supports HTML emails, which get rendered (almost) normally within the interface. Simply hiding the text in an attribute or the <head> or something will keep it invisible to the tech. You’ve just gotta wait for them to assign it to themselves.”

Buoyed by his success, Matt zoomed off to GLPi’s Github page to find contact details for its maintainers to warn them of the flaw. There he made an equally important discovery: GLPi had since been updated to version 9.4.6. Not only that, but the latest version fixed the SQLi vuln.

“If you’re running GLPI, make sure you’re on the latest release. Or look for alternative software,” he concluded, apparently rather crestfallen from all those excellent but ultimately needless efforts.
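The bug class behind this incident, as an added example that is not GLPi's code: a constructed ticket table where an UPDATE built by string concatenation from the e-mail-derived description is wiped by the six-character fragment quoted above, beside the parameterised form that stores the same text harmlessly. The schema, ticket rows and function names are all constructed for the illustration.

```python
"""Ticket text from an inbound e-mail spliced straight into the SQL of a later
UPDATE: a quote-semicolon-comment sequence ends the string literal and comments
out the WHERE clause.  Constructed SQLite schema and tickets; this is not GLPi's
code and does not reproduce the exact statement GLPi 9.4.5 ran."""
import sqlite3
from typing import Dict, Tuple

# Constructed sample input: the six characters the article says were enough
# (quote, semicolon, dash, dash, space, double quote), i.e. the start of the
# HIBP logo text "';--have i been pwned?".
HIBP_HEADER_FRAGMENT = "';-- \""


def make_helpdesk() -> sqlite3.Connection:
    """In-memory ticket table with three constructed tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, description TEXT, assignee TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets (id, description, assignee) VALUES (?, ?, ?)",
        [
            (1, "Printer on floor 2 keeps jamming", None),
            (2, "Password reset for j.doe", None),
            (3, "Mail from HIBP: breach report for support@", None),
        ],
    )
    conn.commit()
    return conn


def assign_ticket_vulnerable(conn: sqlite3.Connection, ticket_id: int,
                             tech: str, description: str) -> None:
    """Defective pattern: assignee and the e-mail-derived description are
    written back with a statement built by string formatting.  With the HIBP
    fragment the statement collapses to
        UPDATE tickets SET assignee = 'tech', description = ''   (rest is a -- comment)
    so the WHERE clause is gone and every row is rewritten, which is the
    'every description wiped' symptom described in the article."""
    sql = (
        f"UPDATE tickets SET assignee = '{tech}', description = '{description}' "
        f"WHERE id = {ticket_id}"
    )
    conn.execute(sql)
    conn.commit()


def assign_ticket_safe(conn: sqlite3.Connection, ticket_id: int,
                       tech: str, description: str) -> None:
    """Hardened form: bound parameters, so the same text is stored literally and
    the WHERE clause survives.  Hiding the text inside HTML, as the article
    notes, changes nothing either way: the database never sees the markup."""
    conn.execute(
        "UPDATE tickets SET assignee = ?, description = ? WHERE id = ?",
        (tech, description, ticket_id),
    )
    conn.commit()


def descriptions(conn: sqlite3.Connection) -> Dict[int, str]:
    """Current description of every ticket, keyed by id."""
    rows = conn.execute("SELECT id, description FROM tickets ORDER BY id")
    return {ticket_id: text for ticket_id, text in rows}


def demo() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Apply the same assignment to two fresh helpdesks, one per pattern."""
    vulnerable = make_helpdesk()
    assign_ticket_vulnerable(vulnerable, 3, "tech", HIBP_HEADER_FRAGMENT)
    safe = make_helpdesk()
    assign_ticket_safe(safe, 3, "tech", HIBP_HEADER_FRAGMENT)
    return descriptions(vulnerable), descriptions(safe)


if __name__ == "__main__":
    after_vulnerable, after_safe = demo()
    print("concatenated SQL :", after_vulnerable)   # every description is now ''
    print("parameterised SQL:", after_safe)         # only ticket 3 changed
```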

Source: Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system • The Register

Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud!

Adobe technicians scrambled on Wednesday to restore multiple cloud services after a severe outage left customers stranded.

Starting around 0600 PDT (1300 UTC) Adobe’s status board began lighting up with red outage notifications. At the time this article was written, 13 major issues were ongoing and five had been resolved. By issues, Adobe means people can’t use some of its stuff in the cloud nor access their documents.

Creative Cloud reported eight major issues in progress, Experience Cloud had two, and Adobe Services had four.

Adobe Stock, Cloud Documents, Team Projects, Premiere Rush, Creative Cloud Assets, Collaboration, Publish Services, Adobe Admin Console, Spark, Lightroom, Account Management, and Sign In were all having trouble in the Americas region.

So too were Adobe Analytics, Experience Manager, Social, Target, Audience Manager, Cross-Cloud Capabilities, Campaign, Platform Core Services, Data Science Workspace, Experience Cloud Home, Data Foundation, Query Service, and Journey Orchestration.

Adobe didn’t respond to a request for more information about the problems. We note its status board says not all customers are necessarily affected by the IT breakdown.

Via Twitter, the Photoshop giant’s support account said an inquiry into the outage is underway. “Our teams are investigating the issue and working to get this resolved ASAP,” the company said.

[Image: The Adobe status board right now]

Predictably, customers who recall when Adobe software ran locally lamented their dependence on Adobe’s cloud.

“Adobe’s servers are currently down,” wrote Element Animation on Twitter. “If you pay for any of their software, you can’t use it right now. Remember when we used to own our own software?”

Source: Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? • The Register

Qatar’s contact tracing app put over one million people’s info at risk

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.

The flaw, now fixed, made info like names, national IDs, health status and location data vulnerable to cyberattacks. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent foul play.

Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.

Source: Qatar’s contact tracing app put over one million people’s info at risk | Engadget

Samsung launches stand alone mobile security chip

Samsung will launch a new standalone turnkey security chip to protect mobile devices, the company announced today.

The chip, which has the said-once-never-forgotten name “S3FV9RR” – aka the Mobile SE Guardian 4 – is a follow-up to the dedicated security silicon baked into the Galaxy S20 smartphone series launched in February 2020.

The new chip is Common Criteria Assurance Level 6+ certified, the highest certification that a mobile component has received, according to Samsung. CC EAL 6+ is used in e-passports and hardware wallets for cryptocurrency.

It has twice the storage capacity of the first-gen chip and supports device authorisation, hardware-based root of trust, and secure boot features. When a bootloader initiates, the chip initiates a chain of trust sequence to validate each component’s firmware. The chip can also work independently from the device’s main processor to ensure tighter security.

“In this era of mobility and contactless interactions, we expect our connected devices, such as smart phones or tablets, to be highly secure so as to protect personal data and enable fintech activities such as mobile banking, stock trading and cryptocurrency transactions,” said Dongho Shin, senior vice president of marketing at Samsung System LSI, which makes logic chips for the South Korean conglomerate.

“With the new standalone security element solution (S3FV9RR), Samsung is mounting a powerful deadbolt on smart devices to safeguard private information.” Which should be handy for all manner of devices – perhaps even Internet of things devices.

Source: Galaxy S20 security is already old hat as Samsung launches new safety silicon • The Register

New Spectra attack breaks the separation between Wi-Fi and Bluetooth

Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others.

“Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said today in a short abstract detailing an upcoming Black Hat talk.

More particularly, the Spectra attack takes advantage of the coexistence mechanisms that chipset vendors include with their devices. Combo chips use these mechanisms to switch between wireless technologies at a rapid pace.

Researchers say that while these coexistence mechanisms increase performance, they also provide the opportunity to carry out side-channel attacks and allow an attacker to infer details from other wireless technologies the combo chip supports.

[…]

“We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series,” the two said.

[…]

“In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core,” Classen and Gringoli say.

“Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface.”

Source: New Spectra attack breaks the separation between Wi-Fi and Bluetooth | ZDNet

Nextdoor Building Relationships With Law Enforcement whilst racially profiling

Community platform Nextdoor is courting police across the country, creating concerns among civil rights and privacy advocates who worry about possible conflicts of interest, over-reporting of crime, and the platform’s record of racial profiling, per a Thursday report by CityLab.

That effort included an all-expenses-paid meeting in San Francisco with members of Nextdoor’s Public Agencies Advisory Council, which includes community engagement staffers from eight police departments and mayor’s offices, according to CityLab. Other outreach has included enlisting current and former law enforcement officers to promote the app, as well as partnerships with local authorities that enable them to post geo-targeted messages to neighborhoods and receive unofficial reports of suspicious activity through the app. According to CityLab, attendees of the meeting in San Francisco had to sign nondisclosure agreements that could shield information on the partnerships from the public.

[…]

Nextdoor has “crime and safety” functions that allow locals to post unverified information about suspicious activity and suspected crimes, acting as a sort of loosely organized neighborhood self-surveillance system for users. That raises the possibility Nextdoor is facilitating racial profiling and over-policing, especially given its efforts to build relationships with authorities and its booming user base (reportedly past 10 million). During the ongoing coronavirus pandemic, Nextdoor has seen skyrocketing user engagement—an 80 percent increase, founder Prakash Janakiraman told Vanity Fair earlier this month.

“There are compelling reasons for transparency around the activities of public employees in general, but the need for transparency is at its height when it comes to law enforcement agencies,” ACLU Speech, Privacy, and Technology Project staff attorney Freed Wessler told CityLab. “It would be quite troubling to learn that police officers were investigating and arresting people using data from private companies with which they have signed an NDA.”

Nextdoor and its fellow security and safety apps, including Amazon’s Ring doorbell camera platform and the crime-reporting app Citizen, are also implicitly raising fears of widespread crime at a time when national statistics show crime rates have plummeted across the country, Secure Justice executive director and chair of Oakland’s Privacy Advisory Commission Brian Hofer told CityLab. Nextdoor marketing materials, for example, assert that Nextdoor played a role in crime reduction in Sacramento.

Source: Report: Nextdoor Building Relationships With Law Enforcement

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline

Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds by sending a lot of data to a victim’s server. If you have an army of hacked PCs or devices – a botnet – at your command, and can find a DNS service that’s vulnerable, you can theoretically generate enough network traffic to overwhelm a victim’s system and knock it offline for all users.

Although denial-of-service attacks are a little 1990s, blasting a business off the web can lead to a loss of sales, reputation damage, and so on.

Lior Shafir and Yehuda Afek of Tel Aviv University, along with Anat Bremler-Barr of the Interdisciplinary Center, also in Israel, found the vulnerability which is illustrated below. APNIC, which oversees IP address allocation among other duties for the Asia-Pacific region, has a deep dive here.

How does it work?

Here’s a summary. You, as the attacker, need to set up a domain name like badperson.com. You want to take down victim.com’s DNS servers. You connect to a recursive DNS server on the internet – such as one provided by your ISP or a cloud platform – and you ask it to resolve, say, i.am.a.badperson.com into an IP address. The recursive server contacts your DNS server for your dot.com for that information.

Your name server tells the recursive server it needs to look up another.victim.com, sad.victim.com, tragic.victim.com, fashion.victim.com, and so on, to get the answer it seeks. This message neglects to include any glue records containing IP addresses. So the recursive server – key word recursive – connects to the DNS server for victim.com and asks for the records on all those sub-domains, and the victim.com DNS server replies with error messages for the non-existent sub-domains.

As you can see, you’ve turned that one request into a small storm of data exchanged between the recursive and the victim.com name servers. If you get a botnet to do this many times a second or minute, you can flood both of those name servers with packets, preventing legit look-ups from getting through from netizens, and the systems will appear down. According to the academics, you can perform double amplification of network traffic by extending the attack recursively. If the servers start to cache their look-ups, and do not send any further packets, simply specify new and unique sub-domains.

[…]

To mitigate the problem, the researchers suggest name servers implement an algorithm they devised dubbed Max1Fetch that reduces the storm of traffic between the DNS components involved.
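The exchange summarised above and the idea behind a fetch cap, as an added simulation that is not the researchers' code: a constructed attacker.example zone refers every lookup to a list of non-existent names under victim.example without glue, and the number of queries arriving at the victim's name server is compared with and without a per-referral cap on unglued NS lookups. The zone names, server model and cap logic are constructed, and the cap is a simplified stand-in for MaxFetch, not the paper's algorithm: it omits caching, timeouts, retries and the real root/TLD walk.

```python
"""Model of the NXNSAttack referral storm and of a per-referral fetch cap.
Constructed zones and a toy resolver; not the researchers' code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthServer:
    """Constructed authoritative server for one zone; counts the queries it answers."""
    zone: str
    addresses: Dict[str, str] = field(default_factory=dict)   # qname -> IPv4 literal
    catch_all_ns: Optional[List[str]] = None                   # refer every other name here
    queries: int = 0

    def answer(self, qname: str) -> Tuple[str, object]:
        self.queries += 1
        if qname in self.addresses:
            return "A", self.addresses[qname]
        if self.catch_all_ns is not None:
            # Referral WITHOUT glue records: NS names only, no IP addresses.
            return "NS", self.catch_all_ns
        return "NXDOMAIN", None


def authority_for(qname: str, servers: List[AuthServer]) -> AuthServer:
    """Server whose zone is the longest suffix of qname (stand-in for the root/TLD walk)."""
    matches = [s for s in servers if qname == s.zone or qname.endswith("." + s.zone)]
    if not matches:
        raise LookupError(f"no authority for {qname}")
    return max(matches, key=lambda s: len(s.zone))


def resolve(qname: str, servers: List[AuthServer],
            max_fetch: Optional[int] = None, depth: int = 0) -> Optional[str]:
    """Toy recursive resolver.  max_fetch=None chases every NS name in a referral
    at once (the behaviour the attack abuses); max_fetch=k looks up at most k of
    them and gives up on the referral if none resolves: a simplified cap, not
    the paper's MaxFetch implementation."""
    if depth > 8:                     # guard against referral loops
        return None
    rtype, data = authority_for(qname, servers).answer(qname)
    if rtype == "A":
        return data
    if rtype == "NS":
        to_fetch = data if max_fetch is None else data[:max_fetch]
        for ns_name in to_fetch:
            ns_ip = resolve(ns_name, servers, max_fetch, depth + 1)
            if ns_ip is not None:
                return ns_ip          # a real resolver would now query ns_ip; enough for counting
    return None


def build_scenario(n_fake_ns: int) -> Tuple[AuthServer, AuthServer]:
    """attacker.example refers every query to n_fake_ns non-existent names under
    victim.example, without glue; victim.example only knows its own www record."""
    fake_ns = [f"ns{i}.victim.example" for i in range(n_fake_ns)]
    attacker = AuthServer("attacker.example", catch_all_ns=fake_ns)
    victim = AuthServer("victim.example", addresses={"www.victim.example": "192.0.2.10"})
    return attacker, victim


def victim_load(n_fake_ns: int, attacker_queries: int, max_fetch: Optional[int]) -> int:
    """Queries the victim's name server receives when attacker_queries lookups
    for unique names under attacker.example (unique, so caching cannot help)
    are sent through the resolver."""
    attacker, victim = build_scenario(n_fake_ns)
    servers = [attacker, victim]
    for i in range(attacker_queries):
        resolve(f"q{i}.attacker.example", servers, max_fetch)
    return victim.queries


if __name__ == "__main__":
    for k in (None, 1):
        print(f"max_fetch={k}: 100 attacker queries -> "
              f"{victim_load(50, 100, k)} queries at the victim's name server")
```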

The trio said they responsibly disclosed the hole well in advance of going public, and various DNS software makers have already patched, or are in the process of patching, the vulnerability – at least some of them using the Max1Fetch method. We’re told the following software suppliers and service providers have fixed up their vulnerable DNS server software:

ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), CZ.NIC Knot Resolver (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.

You should check for updates for your DNS server installation, and install them to avoid being blown over by a distributed denial-of-service attack. “If you operate your own DNS resolver, no matter what brand it is, please upgrade to the latest version now,” APNIC urged.

Source: DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline • The Register

Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched

A technician at ADT remotely accessed hundreds of customers’ CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted.

At least one of the victims was a teenage girl, and another a young mother, according to court filings.

Last month, an ADT customer in Dallas, Texas, spotted and reported an unexpected email address listed as an admin user on their home security system. An internal investigation by ADT revealed it was the personal email of one of its employees, and he had seemingly used it to view the home’s camera system nearly a hundred times.

A probe found the same technician had made himself an admin on 220 customers’ accounts, meaning he could lock and unlock doors remotely, as well as access the live feed of cameras connected to the ADT network. His access is said to have stretched back seven years.

When ADT dug into the logs, it became clear their rogue insider had been regularly spying on customers, including, it is claimed, accessing the video feed from the bedroom of one teenage girl dozens of times. That teenager this week sued ADT for negligence and emotional distress, seeking a class-action lawsuit against the US corp, and naming the technician in question: it is alleged Telesforo Aviles was responsible.

ADT reassured them both that the security system was perfectly safe

The allegations are the stuff of nightmares: the lawsuit [PDF] details how the teenage daughter and her mother were initially uncomfortable about the idea of installing security cameras inside their house, though ADT “reassured them both that the security system was perfectly safe,” according to court filings, and a technician later fitted the kit.

But then, on April 24, “ADT called to explain that one of its technicians had gained access” to her mother’s account “and had been watching” the mother and daughter “on approximately 73 different occasions,” according to court filings.

Her lawsuit then alleges, “based upon the cameras’ wide-angle lens and placement, the ADT employee had an opportunity to watch at least” the teenager “nude, in various states of undress, getting ready for bed, and moments of physical intimacy.”

Fool me once

An almost identical [PDF] lawsuit has been filed by a second person – a young mother – whose security system installation “included an indoor security camera with a wide-angle view that provided a visual of a bathroom, entryway, family room and dining space, stairs, and into the master bedroom.”

To its credit, when ADT heard about the unauthorized access, it did the right thing: it fired the worker, reported him to the cops, and then contacted all those affected explaining the situation.

According to ADT, its unnamed technician abused a service mode function while physically present in customers’ homes in the Dallas area to add his personal email address – a feature that is “neither necessary nor permitted,” and which the company will remove in an upcoming software update. ADT technicians do not have remote access to that function, but once the technician included himself on the system while physically present, he could access the surveillance gear remotely.

Source: Rogue ADT tech spied on hundreds of customers in their homes via CCTV – including me, says teen girl • The Register

EasyJet admits data of nine million hacked

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers.

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”.

The firm has informed the UK’s Information Commissioner’s Office while it investigates the breach.

EasyJet first became aware of the attack in January.

It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted,” the airline told the BBC.

“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

Stolen credit card data included the three-digit security code – known as the CVV number – on the back of the card itself.

Source: EasyJet admits data of nine million hacked – BBC News

Social Security numbers, banking information left unprotected on Arkansas Unemployment Assistance website

A computer programmer applying for unemployment on Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes.

Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after a message appeared on the website that said, “The site is currently under maintenance.”

[…]

In exploring the website, the computer programmer determined that by simply removing part of the site’s URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page’s source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants’ raw data, including Social Security numbers and banking information.

In about two minutes, the computer programmer described the vulnerability to another programmer the Arkansas Times engaged, who then used the information to easily enter the system. To access the sensitive information, the second programmer only needed to create an account, not actually apply for assistance.

Another person who applied for Pandemic Unemployment Assistance told the Times on Friday that when he applied for assistance, submitted his documentation and reached a “review” page, he saw the documentation for another applicant. He said it took three days for the state to remove the other applicant’s information. Then he said documentation for yet another applicant appeared. “It took two days and repeated phone calls to get the second name off,” he said. “Then the next day was when they erased it all and told us we had to reapply.”

Source: Social Security numbers, banking information left unprotected on Arkansas PUA website – Arkansas Times

Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22

Samsung and Korean provider SK Telecom have announced that the world’s first 5G smartphone complete with a quantum random number generator (QRNG) is due to launch next week.

The current Samsung Galaxy flagship S20 series all come with a new secure element security solution including a dedicated security chip that can prevent hackers from stealing data even if they have their hands on your hardware.

The Galaxy A Quantum, however, turns the security dial up to 11.

Although it’s a Galaxy A71 5G at heart, the rebranded and updated smartphone comes complete with one important security extra: a QRNG chip developed by ID Quantique.

When random just is not random enough

Random number generators are a vital part of many security solutions, but they often aren’t as random as you might expect. Indeed, “pseudo-random” number generators are not uncommon, but these are a weak spot cryptographically and, as such, are something of a honeypot for hackers. What the ID Quantique QRNG brings to the security party is not only a genuinely random number generator but one able to generate perfectly unpredictable randomness.

The QRNG chip found in the Samsung Galaxy A Quantum is provably random, has full entropy from the first bit, and has been both designed and manufactured specifically for mobile handsets.

The quantum randomness is achieved by way of “shot noise” from a light source captured by a CMOS image sensor. A light-emitting diode (LED) and an image sensor are contained within the chip, and that LED emits a random number of photons thanks to something called quantum noise, ID Quantique explains. Those photons are then captured and counted by the image sensor pixels and provide a series of random numbers fed into a random bit generator algorithm.

The algorithm further distills the “entropy of quantum origin” to create the perfectly unpredictable random bits. If any failure is detected during the physical process, the stream is disabled and an automatic recovery procedure starts another.
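To make the pipeline in the two paragraphs above concrete (photon counts from a noisy source, a health check that disables the stream on failure, and an algorithm that distills the raw entropy into unpredictable bits), here is an added, simplified model. It is not ID Quantique’s design or code: the “sensor” is a seeded pseudo-random generator imitating Poisson-distributed photon counts, the health test is the repetition count test from NIST SP 800-90B, and the conditioner is SHA-256. Because the input is simulated, the output is not real randomness; the example only shows the shape of such a pipeline.

```python
"""Simplified model of a shot-noise random bit pipeline, added as a teaching
example: photon counts -> health test -> entropy estimate -> hash conditioner.
It is not ID Quantique's design. The 'sensor' is a seeded PRNG that imitates
Poisson-distributed photon counts, so this code produces NO real randomness."""
import hashlib
import math
import random
from typing import List, Optional


def simulated_photon_counts(mean: float, n: int, seed: int) -> List[int]:
    """Stand-in for pixel readouts: Poisson(mean) samples (Knuth's method).
    Shot noise from an LED is Poisson-distributed; here it is only simulated."""
    rng = random.Random(seed)
    counts = []
    for _ in range(n):
        limit, k, p = math.exp(-mean), 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                break
            k += 1
        counts.append(min(k, 255))          # one byte per pixel readout
    return counts


def repetition_count_test(samples: List[int], cutoff: int) -> bool:
    """SP 800-90B style continuous health test: a stuck or failing source
    shows as a run of identical readouts; `cutoff` or more in a row fails."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def min_entropy_estimate(samples: List[int]) -> float:
    """Bits of min-entropy per sample from the most frequent value (-log2 p_max)."""
    most_common = max(samples.count(v) for v in set(samples))
    return -math.log2(most_common / len(samples))


def conditioned_output(samples: List[int], rct_cutoff: int = 16,
                       out_bits: int = 256) -> Optional[bytes]:
    """Distil raw readouts into `out_bits` of output with a hash conditioner.
    Returns None (stream disabled) if the health test fails or the block does
    not carry at least twice `out_bits` of estimated min-entropy, the margin
    SP 800-90B asks for before a vetted conditioner's output counts as full entropy."""
    if not repetition_count_test(samples, rct_cutoff):
        return None
    if min_entropy_estimate(samples) * len(samples) < 2 * out_bits:
        return None
    return hashlib.sha256(bytes(samples)).digest()[: out_bits // 8]


def random_block(seed: int, block: int = 512) -> Optional[bytes]:
    """One full cycle: sample a block, test it, condition it. On failure the
    caller discards the block and restarts with the next one (the 'recovery')."""
    return conditioned_output(simulated_photon_counts(20.0, block, seed))
```

Two things the model makes visible that the description leaves implicit: each readout carries only a few bits of min-entropy, not eight, which is why many samples are hashed down to a short output rather than used directly; and a sensor that gets stuck (every pixel reporting the same count) fails the repetition test and yields no output at all instead of a predictable stream.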

With uses such as two-factor authentication, biometric authentication for mobile payments, and blockchain-based document storage wallets, the QRNG will be put to good use.

A new chapter in quantum security history

Grégoire Ribordy, co-founder and CEO of ID Quantique, said, “With its compact size and low power consumption, our latest Quantis QRNG chip can be embedded in any smartphone, to ensure trusted authentication and encryption of sensitive information. It will bring a new level of security to the mobile phone industry. This is truly the first mass-market application of quantum technologies.” Ryu Young-sang, vice-president at SK Telecom, said the Galaxy A Quantum is a “new chapter in the history of the quantum security industry.”

Source: Samsung Surprise As World’s First Smartphone With Quantum Technology Launches May 22

Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off

Britain’s Ministry of Defence contractor Interserve has been hacked, reportedly leaking the details of up to 100,000 past and current employees, including payment information and details of their next of kin.

The Daily Telegraph reports that up to 100,000 employee details were stolen, dating back across a number of years. Interserve currently employs around 53,000 people.

A source told the paper that names, addresses, bank details, payroll information, next of kin details, personnel and disciplinary records had been swiped.

The intrusion took place “earlier this month,” the tight-lipped firm said in a statement.

[…]

Interserve holds a number of public sector contracts comprising, among others, some of the Ministry of Defence’s more important bases. The company website says it has a presence on 35 MoD sites, including: the Falkland Islands; the vital mid-Atlantic RAF staging post on Ascension Island; Gibraltar; and Cyprus. The contract for the overseas bases is reportedly worth around £500m.

Closer to home, Interserve also maintains the vital and secretive MoD bunkers at Corsham, coyly referred to as “the cutting edge global communications hub for the Ministry of Defence”. Corsham is in fact the home of the MoD’s Global Operations Security Control Centre, as well as the Joint Security Co-ordination Centre, plus a Cyber Security Operations Centre.

Informed sources whispered to El Reg that quite a few people at Corsham would be unhappy with news that a contractor with full access to the sensitive site has been hacked.

Source: Brit defense contractor hacked, up to 100,000 past and present employees’ details siphoned off – report • The Register

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.

Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data is secured using rules which “work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths”, according to the docs. This is combined with authentication to lock up confidential data while also allowing access to shared data.

“A common Firebase misconfiguration allows attackers to easily find and steal data from storage. By simply appending ‘.json’ to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases,” the report explained.
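The rule mechanism described above (match a pattern against the database path, then apply a condition) is what decides whether an unauthenticated request for the whole database succeeds. The following added example is a miniature evaluator for Realtime Database rules, written for this page rather than taken from Firebase or Comparitech; it handles only the small subset of the rule language used in the three rule sets below and is not Firebase’s engine. It also goes slightly beyond the report by including a half-fixed rule set (`auth != null` at the root) that stops anonymous downloads but still lets any signed-in user read every other user’s data.

```python
"""Miniature evaluator for Firebase Realtime Database security rules, added to
show how path patterns and conditions combine. Supports only the subset of
the rule language used here; not Firebase's engine. Paths and data below are
constructed examples."""
import json
from typing import Dict, Optional

# Misconfiguration: a granting rule at the root makes the whole tree public,
# which is exactly what a GET of <database-url>/.json then reads out.
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Half fix: stops anonymous access but every signed-in user can read everything.
AUTH_ONLY_RULES = json.loads(
    '{"rules": {".read": "auth != null", ".write": "auth != null"}}')

# Per-user scoping: $uid binds to the path segment and must equal the caller's uid.
LOCKED_RULES = json.loads("""{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": { ".read": true }
  }
}""")


def eval_condition(cond, auth: Optional[Dict[str, str]], bindings: Dict[str, str]) -> bool:
    """Evaluate a rule condition: a JSON boolean, or '&&'-joined clauses from
    the subset {true, false, auth != null, auth.uid == $var}."""
    if isinstance(cond, bool):
        return cond
    for clause in (c.strip() for c in cond.split("&&")):
        if clause == "true":
            ok = True
        elif clause == "false":
            ok = False
        elif clause == "auth != null":
            ok = auth is not None
        elif clause.startswith("auth.uid == $"):
            var = clause[len("auth.uid == "):]          # e.g. "$uid"
            ok = auth is not None and auth.get("uid") == bindings.get(var)
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not ok:
            return False
    return True


def allowed(rules: dict, op: str, path: str, auth: Optional[Dict[str, str]] = None) -> bool:
    """Walk from the root along `path` (op is 'read' or 'write'). A granting
    rule at any ancestor grants access to everything beneath it, so deeper
    rules cannot take back what a shallower rule handed out."""
    node = rules["rules"]
    bindings: Dict[str, str] = {}
    segments = [s for s in path.strip("/").split("/") if s]
    for depth in range(len(segments) + 1):
        rule = node.get("." + op)
        if rule is not None and eval_condition(rule, auth, bindings):
            return True
        if depth == len(segments):
            break
        seg = segments[depth]
        if seg in node:
            node = node[seg]
        else:
            wildcard = next((k for k in node if k.startswith("$")), None)
            if wildcard is None:
                return False                # no rule covers this subtree: denied
            bindings[wildcard] = seg
            node = node[wildcard]
    return False
```

Running `allowed(OPEN_RULES, "read", "/")` with no auth returns True, which is the condition under which appending `.json` to the database URL dumps everything; under `LOCKED_RULES` the same root read is denied and only `alice` can read or write beneath `/users/alice`, while `AUTH_ONLY_RULES` shows why “require login” alone is not a fix.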

How common a problem is it? The Comparitech security team reviewed just over half a million apps, comprising, they say, about 18 per cent of apps in the Play store. “In that sample, we found more than 4,282 apps leaking sensitive information,” the report claimed.

Source: Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases • The Register