EasyJet admits data of nine million hacked

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers.

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”.

The firm has informed the UK’s Information Commissioner’s Office while it investigates the breach.

EasyJet first became aware of the attack in January.

It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted,” the airline told the BBC.

“We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.”

Stolen credit card data included the three-digit security code – known as the CVV number – on the back of the card itself.

Source: EasyJet admits data of nine million hacked – BBC News

Social Security numbers, banking information left unprotected on Arkansas Unemployment Assistance website

A computer programmer applying for unemployment on Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes.

Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after a message appeared on the website that said, “The site is currently under maintenance.”

[…]

In exploring the website, the computer programmer determined that by simply removing part of the site’s URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page’s source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants’ raw data, including Social Security numbers and banking information.

In about two minutes, the computer programmer described the vulnerability to another programmer the Arkansas Times engaged, who then used the information to easily enter the system. To access the sensitive information, the second programmer only needed to create an account, not actually apply for assistance.

Another person who applied for Pandemic Unemployment Assistance told the Times on Friday that when he applied for assistance, submitted his documentation and reached a “review” page, he saw the documentation for another applicant. He said it took three days for the state to remove the other applicant’s information. Then he said documentation for yet another applicant appeared. “It took two days and repeated phone calls to get the second name off,” he said. “Then the next day was when they erased it all and told us we had to reapply.”

Source: Social Security numbers, banking information left unprotected on Arkansas PUA website – Arkansas Times

Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22

An announcement from Samsung and Korean provider SK Telecom says that the world’s first 5G smartphone complete with a quantum random number generator (QRNG) is due to launch next week.

The current Samsung Galaxy flagship S20 series all come with a new secure element security solution including a dedicated security chip that can prevent hackers from stealing data even if they have their hands on your hardware.

The Galaxy A Quantum, however, turns the security dial up to 11.

Although it’s a Galaxy A71 5G at heart, the rebranded and updated smartphone comes complete with one important security extra: a QRNG chip developed by ID Quantique.

When random just is not random enough

Random number generators are a vital part of many security solutions, but they often aren’t as random as you might expect. Indeed, “pseudo-random” number generators are not uncommon, but these are a weak spot cryptographically and, as such, are something of a honeypot for hackers. What the ID Quantique QRNG brings to the security party is not only a genuinely random number generator but one able to generate perfectly unpredictable randomness.

The QRNG chip found in the Samsung Galaxy A Quantum is provably random, has full entropy from the first bit, and has been both designed and manufactured specifically for mobile handsets.

The quantum randomness is achieved by way of “shot noise” from a light source captured by a CMOS image sensor. A light-emitting diode (LED) and an image sensor are contained within the chip, and that LED emits a random number of photons thanks to something called quantum noise, ID Quantique explains. Those photons are then captured and counted by the image sensor pixels and provide a series of random numbers fed into a random bit generator algorithm.

The algorithm further distills the “entropy of quantum origin” to create the perfectly unpredictable random bits. If any failure is detected during the physical process, the stream is disabled and an automatic recovery procedure starts another.
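To make that pipeline concrete, here is an added simulation (my own, not ID Quantique’s algorithm or any Samsung code): Poisson-distributed photon counts stand in for the sensor readout, a repetition-count health test watches the raw stream, SHA-256 distills the counts into output blocks, and a detected failure disables the stream and restarts it. Every parameter is a constructed assumption.

```python
import hashlib
import itertools
import math
import random

# Constructed parameters for this model, not ID Quantique design values.
PIXELS = 256           # pixels read out per frame
MEAN_PHOTONS = 20.0    # expected photons per pixel per exposure
FRAMES_PER_BLOCK = 64  # raw frames distilled into one 256-bit output block
RCT_CUTOFF = 8         # identical samples in a row that count as a failure
MAX_RECOVERIES = 3     # restarts attempted before the generator fails closed


def poisson(rng, lam):
    """Knuth's method for a Poisson(lam) draw: photon arrivals from an LED
    follow this law, and that per-pixel spread is the 'shot noise'."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k, p = k + 1, p * rng.random()
        if p <= limit:
            return k - 1


def sensor_frames(seed=1):
    """Stand-in for LED plus CMOS sensor: endless frames of per-pixel photon
    counts. A seeded PRNG drives the model; the real chip measures physics."""
    rng = random.Random(seed)
    while True:
        yield [poisson(rng, MEAN_PHOTONS) for _ in range(PIXELS)]


class RepetitionCountTest:
    """Continuous health test in the spirit of NIST SP 800-90B 4.4.1: fail when
    a raw value repeats RCT_CUTOFF times in a row. Mean-20 shot noise repeats a
    value about 6% of the time, so eight in a row is vanishingly rare if healthy."""
    def __init__(self, cutoff=RCT_CUTOFF):
        self.cutoff = cutoff
        self.reset()

    def reset(self):
        self.last, self.run = None, 0

    def passes(self, samples):
        for s in samples:
            if s == self.last:
                self.run += 1
                if self.run >= self.cutoff:
                    return False
            else:
                self.last, self.run = s, 1
        return True


class QuantumStyleRBG:
    """Raw frames -> health test -> SHA-256 distillation. On a health failure
    the stream is disabled, buffered raw data is dropped, and a fresh stream
    is started from the sensor (the page's 'automatic recovery procedure')."""
    def __init__(self, source_factory):
        self.source_factory = source_factory
        self.health = RepetitionCountTest()
        self.failures = 0
        self._start_stream()

    def _start_stream(self):
        self.stream = self.source_factory()
        self.health.reset()

    def next_block(self):
        """32 conditioned bytes, or RuntimeError when the source stays unhealthy
        through MAX_RECOVERIES restarts (fail closed rather than emit bad bits)."""
        for _attempt in range(MAX_RECOVERIES + 1):
            raw = bytearray()
            for _ in range(FRAMES_PER_BLOCK):
                frame = next(self.stream)
                if not self.health.passes(frame):
                    break
                raw.extend(min(c, 255) for c in frame)  # each count fits a byte
            else:
                # 16384 Poisson(20) samples hold far more than 256 bits of
                # min-entropy, so the hash output is full-entropy in this model.
                return hashlib.sha256(bytes(raw)).digest()
            self.failures += 1  # stream disabled: discard raw data, restart
            self._start_stream()
        raise RuntimeError("entropy source unhealthy; output disabled")


def healthy_demo(n_blocks=2):
    rbg = QuantumStyleRBG(lambda: sensor_frames(seed=7))
    return [rbg.next_block() for _ in range(n_blocks)]


def stuck_demo():
    # A sensor stuck at one count for every pixel: the health test must catch it.
    rbg = QuantumStyleRBG(lambda: itertools.repeat([17] * PIXELS))
    try:
        rbg.next_block()
    except RuntimeError:
        return rbg.failures
    return -1
```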

With uses such as two-factor authentication, biometric authentication for mobile payments, and blockchain-based document storage wallets, the QRNG will be put to good use.

A new chapter in quantum security history

Grégoire Ribordy, co-founder and CEO of ID Quantique, said, “With its compact size and low power consumption, our latest Quantis QRNG chip can be embedded in any smartphone, to ensure trusted authentication and encryption of sensitive information. It will bring a new level of security to the mobile phone industry. This is truly the first mass-market application of quantum technologies.” Ryu Young-sang, vice-president at SK Telecom, said the Galaxy A Quantum is a “new chapter in the history of the quantum security industry.”

Source: Samsung Surprise As World’s First Smartphone With Quantum Technology Launches May 22

Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off

Britain’s Ministry of Defence contractor Interserve has been hacked, reportedly leaking the details of up to 100,000 past and current employees, including payment information and details of their next of kin.

The Daily Telegraph reports that up to 100,000 employee details were stolen, dating back across a number of years. Interserve currently employs around 53,000 people.

A source told the paper that names, addresses, bank details, payroll information, next of kin details, personnel and disciplinary records had been swiped.

The intrusion took place “earlier this month,” the tight-lipped firm said in a statement.

[…]

Interserve holds a number of public sector contracts comprising, among others, some of the Ministry of Defence’s more important bases. The company website says it has a presence on 35 MoD sites, including: the Falkland Islands; the vital mid-Atlantic RAF staging post on Ascension Island; Gibraltar; and Cyprus. The contract for the overseas bases is reportedly worth around £500m.

Closer to home, Interserve also maintains the vital and secretive MoD bunkers at Corsham, coyly referred to as “the cutting edge global communications hub for the Ministry of Defence”. Corsham is in fact the home of the MoD’s Global Operations Security Control Centre, as well as the Joint Security Co-ordination Centre, plus a Cyber Security Operations Centre.

Informed sources whispered to El Reg that quite a few people at Corsham would be unhappy with news that a contractor with full access to the sensitive site has been hacked.

Source: Brit defense contractor hacked, up to 100,000 past and present employees’ details siphoned off – report • The Register

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.

Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data is secured using rules which “work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths”, according to the docs. This is combined with authentication to lock up confidential data while also allowing access to shared data.

“A common Firebase misconfiguration allows attackers to easily find and steal data from storage. By simply appending ‘.json’ to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases,” the report explained.
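As an added example (not Comparitech’s tooling or any Firebase code): a small audit of Realtime Database security rules that flags the open configuration the report describes, shown next to a locked-down rule set. Both rule sets are constructed samples and the verdict names are my own.

```python
import json

# Constructed sample rule sets (not from any real project). OPEN_RULES is the
# misconfiguration in the report: the whole tree readable and writable by
# anyone, so fetching <database-url>/.json returns every record.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Locked-down version: no grant at the root (the Realtime Database denies what
# no rule allows), each user reaches only their own subtree, and a shared
# catalog is readable by signed-in users but never writable from a client.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "catalog": {
      ".read": "auth != null",
      ".write": false
    }
  }
}
""")

PUBLIC = "public"            # anyone on the internet, no sign-in at all
ANY_USER = "any-signed-in"   # any account; with Anonymous Auth enabled this
                             # is one API call away from public
RESTRICTED = "restricted"    # condition tied to the caller or to the data
DENIED = "denied"


def classify(rule):
    """Coarse verdict on one .read or .write value (bool or expression string)."""
    if rule is True:
        return PUBLIC
    if rule is False:
        return DENIED
    if not isinstance(rule, str):
        return RESTRICTED
    text = rule.replace(" ", "")
    if text == "true":
        return PUBLIC
    if text == "false":
        return DENIED
    if text in ("auth!=null", "auth!==null"):
        return ANY_USER
    return RESTRICTED


def audit(rules_doc):
    """Walk the rules tree and return (path, operation, verdict) for every grant
    broader than a caller-specific condition. Grants cascade downwards: a public
    .read at "/" opens every child path, which is why a root hit is the worst."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                verdict = classify(value)
                if verdict in (PUBLIC, ANY_USER):
                    findings.append((path or "/", key[1:], verdict))
            elif isinstance(value, dict):  # skips .indexOn lists, .validate strings
                walk(value, path + "/" + key)

    walk(rules_doc.get("rules", {}), "")
    return findings
```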

How common a problem is it? The Comparitech security team reviewed just over half a million apps, comprising, they say, about 18 per cent of apps in the Play store. “In that sample, we found more than 4,282 apps leaking sensitive information,” the report claimed.

Source: Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases • The Register

PrintDemon vulnerability impacts all Windows versions | ZDNet

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.

The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.

The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.

Trivially exploitable local privilege elevation

In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Print Spooler’s internal mechanism.

[…]

PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.

This is possible because of how the Print Spooler service was designed to work, Ionescu and Shafir said.

Because this is a service meant to be available to any app that wants to print a file, it is available to all apps running on a system, without restrictions. The attacker can create a print job that prints to a file — for example a local DLL file used by the OS or another app.

The attacker can initiate the print operation, crash the Print Spooler service intentionally, and then let the job resume, but this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any files anywhere on the OS.

In a tweet today, Ionescu said exploitation on current OS versions requires one single line of PowerShell. On older Windows versions, this might need some tweaking.

“On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.

Patches available

The good news is that this has now been patched, hence Ionescu and Shafir’s public disclosure. Fixes for PrintDemon were released yesterday, with the Microsoft May 2020 Patch Tuesday.

PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs, Peleg Hadar and Tomer Bar, were the first to discover the issue and report it to Microsoft. The two will be presenting their own report on the issue at the Black Hat security conference in August.

Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators investigate the vulnerability and prepare mitigations and detection capabilities.

Last month, Ionescu and Shafir also published details and proof-of-concept code for a similar vulnerability that they named FaxHell.

FaxHell works similarly to PrintDemon, but the researchers exploited the Windows Fax service to overwrite and hijack local (DLL) files to install shells and backdoors on Windows systems.

Source: PrintDemon vulnerability impacts all Windows versions | ZDNet

Cognizant expects to lose between $50m and $70m following ransomware attack

IT services provider Cognizant said in an earnings call this week that a ransomware incident that took place in April 2020 will negatively impact its Q2 revenue.

“While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter,” said Karen McLoughlin, Cognizant Chief Financial Officer in an earnings call yesterday.

McLoughlin also expects the incident to incur additional and unforeseen legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the breach.

The Cognizant CFO says the company has now fully recovered from the ransomware infection and restored the majority of its services.

Incident only impacted internal network

Speaking on the ransomware attack, Cognizant CEO Brian Humphries said the incident only impacted its internal network, but not customer systems.

More precisely, Humphries said the ransomware incident impacted (1) select Cognizant systems supporting employees’ work-from-home setups and (2) the provisioning of laptops that Cognizant was using to support its work-from-home capabilities during the COVID-19 pandemic.

[…]

Cognizant held meetings with customers; however, the meetings did not go smoothly, as Cognizant avoided sharing any actual details of what had happened.

ZDNet learned of the incident while it was still unfolding, on April 17, when several disgruntled customers reached out to this reporter about the company attempting to hide a major security breach under the guise of “technical issues” and cutting off access to a series of services.

Initially, customers feared either that a hacker had stolen user data from servers, or that a ransomware incident had taken place and spread to customer servers, encrypting their data and leaving the servers inaccessible.

Customers were thrown in full paranoia mode after Cognizant sent an internal alert to all customers, urging clients to block traffic for a list of IP addresses.

[…]

Cognizant losses from the incident are in the same range reported last year by aluminum producer Norsk Hydro, which reported that a March 2019 ransomware incident would cause total revenue losses of more than $40 million, a number it later adjusted to nearly $70 million during the year.

Humphries said that Cognizant is now working to address the concerns of customers who opted to suspend Cognizant services in the wake of the ransomware attack, which also impacted Cognizant’s current bottom line.

Cognizant reported a Q1 2020 revenue of $4.2 billion, up 2.8% over Q1 2019.

The number of SEC filings listing ransomware as a major forward-looking risk factor to companies’ profits has skyrocketed in recent years, from 3 filings in 2014 to 1,139 in 2019, and already 743 in 2020. Companies today see ransomware attacks as a real risk to their bottom lines, as ransomware incidents tend to cause reputational damage to stock prices and financial losses from lost revenue, since most victims take weeks or months to fully recover.

Source: Cognizant expects to lose between $50m and $70m following ransomware attack | ZDNet

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.

It appears no user interaction is required: if Samsung’s messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message’s embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.

The remote-code execution flaw, labeled SVE-2020-16747, was discovered and reported by Google Project Zero’s Mateusz Jurczyk. You can find an in-depth explanation of the bug here.

Samsung has pushed out updates to supported phones to squash the bug, which should be installed ASAP before someone weaponizes an exploit for this programming blunder. If you are still waiting for a patch, switching your default message app to another messaging application, and not Samsung’s, and disabling automatic MMS parsing, may help.

The patch coincides with Android’s monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May’s patch batch.

This latest wedge includes fixes for a remote code execution flaw in the Android AAC decoder (CVE-2020-0103) and a critical Android framework elevation-of-privilege bug (CVE-2020-0096) that together can be exploited to gain total control of the device.

The other vulnerabilities at the 01 patch level are as follows. For the Android framework, two additional elevation-of-privilege bugs (CVE-2020-0097, CVE-2020-0098) that grant malware already on the device not-quite-total control over a device, and for the media framework, one EoP flaw (CVE-2020-0094) and three information disclosure bugs (CVE-2020-0093, CVE-2020-0100, CVE-2020-0101).

The Android system patches cover the aforementioned AAC remote code bug as well as four EoP holes (CVE-2020-0102, CVE-2020-0109, CVE-2020-0105, CVE-2020-0024) and three information disclosure bugs (CVE-2020-0092, CVE-2020-0106, CVE-2020-0104).

At the 05 level, which covers components outside of the core Android package, fixes were posted for two kernel flaws allowing EoP (CVE-2020-0110) and information disclosure (CVE-2019-19536). Four fixes were posted for information disclosure bugs in MediaTek components (CVE-2020-0064, CVE-2020-0065, CVE-2020-0090, CVE-2020-0091).

A total of 18 patches were posted for flaws in Qualcomm components, though the details on those bugs were not given.

Those with supported Google-branded devices should get the May fixes directly from the Chocolate Factory, while other Android devices should see the fixes come from their respective vendors and carriers. This can happen anywhere from immediately to several weeks from now, to never, depending on the supplier.

Source: One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch • The Register

GitHub blasts code-scanning tool into all open-source projects

GitHub has made its automated code-scanning tools available to all open-source projects free of charge.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects.

The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub senior product manager Justin Hutchings told The Register that a key component of the Semmle (and now GitHub) scanning was CodeQL, the query language that graphs and then checks code for mistakes.

“It turns out that capability is extremely useful in security,” said Hutchings. “Most security problems are bad data flow or bad data usage in one way or another.”

While the feature itself will be new to GitHub, the underlying Semmle tools have been in use for years, which is why GitHub believes they’ll hit the ground running when they launch for free with open-source projects and as an add-on for the paid (enterprise), closed-source part of GitHub.

Although the code-scanning feature could be seen as most beneficial to smaller projects without enough work hours to thoroughly check for bugs, Hutchings noted that by making the feature cloud-based, bigger developers are also getting something on their wishlist.

“A lot of our commercial customers are excited about being able to run this at scale on our cloud,” he told us.

“Security analysis is compute intensive, you are dealing with millions of lines of code. You want to do this rapidly and we are finally bringing this capability into a hosted cloud environment, so they can scale up more quickly than they could previously.”

In addition to scanning for security bugs, GitHub is also adding the option for commercial developers to scan offline repositories and to scan for exposed secrets (keys, credentials, etc) that could lead to network breaches and data leaks if let out onto the public internet. Previously limited to public repositories, the secret-scanning feature, which recognises credentials for providers such as AWS or Google Cloud, will now be able to run on private GitHub repositories.

This addition, Hutchings said, is not just a security feature but also a stability feature, as it helps developers keep up with security policies that require changing keys at regular intervals by tracking and logging the changes. In this way, developers can avert outages and downtime that might otherwise occur when key changes don’t get properly reported and handled.

Source: GitHub blasts code-scanning tool into all open-source projects • The Register

Very cloudy indeed!

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly who has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.

[…]

There are a number of reasons why Tesla owners may need to replace these units: if you’re adding Autopilot to an existing car, for example, some early models had data-logging issues that caused failure after a few years, and there are various other wear-and-tear and failure issues.

Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:

…to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail passwords are stored in cookie format.

The ability to get calendar events and the owner’s phone book and call history is also a huge security breach.

When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $1,000 fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.

TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000ft/min.

Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners’ automatic TCAS responses so they moved up or down at precisely known points.

In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

[…]

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Source: Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers • The Register

OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…

Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or from across the internet. Attacks on such systems generally require some manner of physical access to introduce malware: an unauthorized person has to get their hands on the machine, typically briefly and unnoticed, to install malicious software, thus getting around the air-gap.

Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware around 2007, after three years of planning, to the nuclear fuel enrichment lab in Natanz, Iran, apparently from a USB stick.

Guri, head of research and development at Ben-Gurion University of the Negev, Israel’s Cyber-Security Research Center, told The Register in an email that air-gapped networks are not just for sensitive military facilities. They are used, he said, by many regulated industries to protect sensitive private data, intellectual property, and critical infrastructure.

In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.

An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.

But Guri’s latest research shows that’s not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” a paper [PDF] detailing the technique explained. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”

Source: OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit… • The Register

Antwerpen Uni bans video app Zoom – city of Antwerp is stupid enough to keep using it

The University of Antwerp is banning the use of the video-calling app Zoom. The application is said not to be secure enough, and the university does not want to take any risks after having already fallen victim to a cyberattack last year.

Google and the American space agency NASA also recently decided to stop using Zoom.

The city of Antwerp still makes full use of Zoom. “By taking appropriate security measures and using Zoom’s own security options, unnecessary risks have been avoided,” says spokesperson Dirk Delechambre.

Source: Universiteit Antwerpen verbiedt videobelapp Zoom – Emerce

Sorry Dirk, you’re wrong. There is no “safe” way to use the app.

Annoying Netsweeper internet filter comes with a pre-auth remote-command execution hole and there’s no patch

Netsweeper’s internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now.

For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It’s aimed at parents, schools, government offices, and companies. It has a lot of customers in the Middle East, where it’s used to prevent access to content not meant for the local populace, according to investigative Canadian non-profit Citizen Lab.

The flaw, yet to be given a CVE number, was discovered by an anonymous researcher, and documented this week by SecuriTeam Secure Disclosure team leader Noam Rathaus. The bug is present in the web-based Netsweeper administration tool versions 6.4.3 and earlier. It doesn’t require any authentication to exploit: if you can reach the software over the local network or public internet, you can compromise it.

What Rathaus’s source found was that the control panel’s login script, /webadmin/tools/unixlogin.php, fails to fully sanitize user-supplied data, allowing miscreants to commandeer the machine. The login script accepts three parameters: timeout, login, and password. If you set the HTTP request referer header to a specific string, such as webadmin/admin/service_manager_data.php, the login script will execute a shell script that ultimately uses the password parameter unsafely in a Python invocation.

The second parameter, $2, in the line below is derived from the original user-supplied password; this is the offending line in the wonky shell script:

password=$($PYTHON -c "import crypt; print crypt.crypt('$2','\$$algo\$$salt\$')")

If you supply a password that causes $2 to contain, for example…

$($PYTHON -c "import crypt; print crypt.crypt('g','');import os;os.system('id >/tmp/pwnd')#','\$$algo\$$salt\$')")

…you inject and execute a command that stores the Netsweeper software’s user ID to the file /tmp/pwnd. It’s left as an exercise for the reader to turn this remote-code execution into something malicious.
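An added illustration of the underlying mistake and its fix, not Netsweeper’s script or the page author’s code: the password must reach the hashing helper as an argument, never as part of the source text handed to the interpreter. hashlib stands in for crypt.crypt (an assumption, since recent Pythons no longer ship crypt) and the salt is a constructed value.

```python
import hashlib
import subprocess
import sys

SALT = "constructed-salt"  # constructed; the real script computes $algo and $salt


def interpolated_source(password):
    """Shape of the page's shell line, built here but never executed: the
    password is pasted into Python source text, so a quote inside it ends
    the string literal and whatever follows is parsed and run as code."""
    return "import crypt; print crypt.crypt('%s','$%s$')" % (password, SALT)


def safe_hash(password):
    """Hardened pattern: the untrusted value travels as argv data, never as
    code text, so quotes, semicolons and '#' in it are just characters.
    The helper is fixed source; only its arguments vary per request."""
    helper = ("import hashlib, sys\n"
              "print(hashlib.sha256((sys.argv[2] + sys.argv[1]).encode())"
              ".hexdigest())")
    done = subprocess.run([sys.executable, "-c", helper, password, SALT],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def reference_hash(password):
    """Same computation in-process, to confirm the helper saw the raw password."""
    return hashlib.sha256((SALT + password).encode()).hexdigest()
```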

Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.

“[You can] control what data they receive when they access sites and download files,” he said. “This is the worst part – as they can be made to unintentionally download malware and viruses.”

Source: What’s worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there’s no patch?

NSO Employee Abused Phone Hacking Tech to Target a Love Interest

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO’s can ultimately be abused by the humans who have access to it.

“There’s not [a] real way to protect against it. The technical people will always have access,” a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source’s account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company’s system. Motherboard granted multiple sources in this story anonymity to speak about sensitive NSO deliberations and to protect them from retaliation from the company.

NSO sells a hacking product called Pegasus to government clients. With Pegasus, users can remotely break into fully up-to-date iPhone or Android devices with either an attack that requires the target to click on a malicious link once, or sometimes not even click on anything at all. Pegasus takes advantage of multiple so-called zero day exploits, which use vulnerabilities that manufacturers such as Apple are unaware of.

[…]

Researchers have previously tracked installations of Pegasus to Saudi Arabia, the United Arab Emirates, Mexico, and dozens of other countries. NSO says its tool should exclusively be used to fight terrorism or serious crime, but researchers, journalists, and tech companies have found multiple instances of NSO customers using the tool to spy on dissidents and political opponents. David Kaye, the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has noted that there is a “legacy of harm” caused by Pegasus.

This latest case of abuse is different though. Rather than a law enforcement body, intelligence agency, or government using the tool, an NSO employee abused it for their own personal ends.

[…]

“It’s nice to see evidence that NSO Group is committed to preventing unauthorized use of their surveillance products where ‘unauthorized’ means ‘unpaid for.’ I wish we had evidence that they cared anywhere near as much when their products are used to enable human rights violations.”

“You have to ask, who else may have been targeted by NSO using customer equipment?” John Scott-Railton, a senior researcher from University of Toronto’s Citizen Lab, which has extensively researched NSO’s proliferation, told Motherboard. “It also suggests that NSO, like any organisation, struggles with unprofessional employees. It is terrifying that such people can wield NSA-style hacking tools,” he said.

Source: NSO Employee Abused Phone Hacking Tech to Target a Love Interest – VICE

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

A vulnerability existed in Microsoft’s Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.

The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file.

Although it was a responsibly disclosed theoretical vuln, and was not abused in the wild as far as is known, it illustrates that not all online collaboration platforms are as secure as one might hope.

“Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” mused Cyberark researcher Omer Tsarfati.

The Israeli infosec outfit said it had alerted Redmond to the two subdomains, resulting in their DNS entries being tweaked. The rest of the Teams vuln was patched last Monday, 20 April.

Source: We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit • The Register

Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

Source: Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard • The Register

Journalist Allegedly Spied on Zoom Meetings of Rivals in Hilariously Dumb Ways

Financial Times reporter Mark Di Stefano allegedly spied on Zoom meetings at rival newspapers the Independent and the Evening Standard to get scoops on staff cuts and furloughs due to the coronavirus pandemic, according to a report from the UK’s Independent. And Di Stefano did a comedically bad job of covering his tracks.

Di Stefano reportedly logged in to a Zoom meeting being held by the Independent last week using his Financial Times email address, causing his name to appear for everyone else on the call, though his own video camera was disabled. Di Stefano logged out after “16 seconds,” according to the Independent, but a few minutes later, another login was recorded that was connected to Di Stefano’s phone number. That user stayed on the call until the end of the meeting, according to journalists in the Zoom meeting.

How do we know it was probably Di Stefano? It’s not like he made his knowledge of the call’s contents secret. After the call, he tweeted about the changes at the two news outlets on April 23, including the fact that ad revenue is down between 30 and 50 percent. The FT reporter also tweeted that the Independent’s website had just experienced its biggest traffic month ever.

Di Stefano’s tweets were apparently going out before some people at the two news outlets even knew what was going on at their own workplaces, according to the Independent.

[…]

Di Stefano caught plenty of flak from Twitter users over the past two days, making fun of his less-than-perfect deception on Zoom, with plenty of Simpsons references—like the time that Mr. Burns put on a bad mustache to appear as “Mr. Snrub.”

Source: Journalist Allegedly Spied on Zoom Meetings of Rivals in Hilariously Dumb Ways

IBM No-auth remote root exec exploit in Data Risk Manager (an enterprise security program!) drops after Big Blue snubs bug report

IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

Prior to going public, Ribeiro had tried to get CERT/CC to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There’s also a Metasploit module for that attack chain.

The flaws don’t yet have CVE designations, and as far as we can tell, no patches or updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM’s spokesperson did not respond.

IBM however did say that it had fumbled the report. “A process error resulted in an improper response to the researcher who reported this situation to IBM,” a company spokesperson told The Register. “We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

Ribeiro dismissed IBM’s response in an email to The Register. “Well, what can I say,” he said. “It’s a joke right? I think it’s pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services.”

Source: IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report • The Register

Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox – in 2018!

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

[…] The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

Source: Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox – Slashdot

Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal

Bitdefender researchers have recently found spearphishing campaigns, either impersonating a well-known Egyptian engineering contractor or a shipment company, dropping the Agent Tesla spyware Trojan. The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others, based on Bitdefender telemetry. The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines.

Oil & gas has been under tremendous stress in recent weeks, as the global COVID-19 pandemic lowered oil demand. Oil prices per barrel have dropped by more than half to the lowest since 2002. However, a disruptive dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices.

While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before the “historic OPEC+ deal”, suggests motivation and interest in knowing how specific countries plan to address the issue.

Cybercriminals are often opportunistic and leverage popular media topics in spearphishing campaigns that usually target large numbers of victims. However, we recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.

The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.

Carefully Crafted Spearphishing

The spearphishing email mimics Egyptian state oil company Engineering for Petroleum and Process Industries (Enppi) and claims to invite the recipient to submit a bid for equipment and materials, as part of a project (Rosetta Sharing Facilities Project) on behalf of a well-known gas company (Burullus).

[…]

The Agent Tesla spyware Trojan has reportedly been around since 2014, but has undergone constant improvements and updates. It reportedly operates under a malware-as-a-service offering, with its developers offering various pricing tiers based on different licensing models. Agent Tesla operators seem to have stayed in business for quite some time.

Its best-known capabilities involve stealth, persistence and security-evasion techniques that ultimately enable it to extract credentials, copy clipboard data, capture screens, grab form data, log keystrokes, and collect credentials from a variety of installed applications.

Security researchers have already documented the full extent of Agent Tesla’s capabilities in various pieces of research. What’s interesting is that, until now, it has not been associated with campaigns targeting the oil & gas vertical.

Source: Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal – Bitdefender Labs

Security lapse exposed creepy Clearview AI source code

Since it exploded onto the scene in January after a newspaper exposé, Clearview AI quickly became one of the most elusive, secretive and reviled companies in the tech startup scene.

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles.

But for a time, a misconfigured server exposed the company’s internal files, apps and source code for anyone on the internet to find.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

The repository also exposed Clearview’s Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company’s private messages and communications.
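The lapse described above has two parts: an open registration setting on the repository host, and cloud credentials and Slack tokens committed into the code. The second part is what a pre-commit or CI secret scan catches. The following is an added Python example (not Clearview's or SpiderSilk's code) that scans text for the well-known public shapes of Slack tokens and AWS access key IDs, plus a generic `name = "value"` assignment filtered by Shannon entropy so that obvious placeholders are not reported. The sample configuration is constructed; the AWS key in it is the one AWS's own documentation uses as an example.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Public token formats. The Slack prefix family (xoxb, xoxp, ...) and the
# AKIA/ASIA access-key-id prefix are documented shapes, not secrets themselves.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpors]-[0-9A-Za-z-]{10,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Generic: something named like a secret assigned a quoted literal of 16+ chars.
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|password|api_key)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character; 'xxxxxxxx' scores 0, a random 32-char key scores ~5."""
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())

def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, matched value) for each likely secret."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                # Only the generic rule is entropy-gated; the structured
                # formats are specific enough to report on shape alone.
                if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((lineno, name, value))
    return findings

# Constructed sample; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample config, not a real repository file
SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-FakeFakeFakeFakeFakeFake"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "xxxxxxxxxxxxxxxxxxxx"
api_key = "q8Zr2Lm9Xv4Tk1Wp7Hs3Nc6Yd0Bf5Gj"
"""

if __name__ == "__main__":
    for lineno, name, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {name}: {value}")
```

On the sample the scanner reports the Slack token, the AWS key ID and the high-entropy `api_key`, and skips the all-`x` placeholder password. Whatever scanner is used, the finding should fail the commit or build rather than merely log, and a credential that has already reached a shared repository should be treated as exposed and rotated, which is what the article says Clearview did with its keys.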

Clearview has been dogged by privacy concerns since it was forced out of stealth following a profile in The New York Times, but its technology has gone largely untested and the accuracy of its facial recognition tech unproven. Clearview claims it only allows law enforcement to use its technology, but reports show that the startup courted users from private businesses like Macy’s, Walmart and the NBA. But this latest security lapse is likely to invite greater scrutiny of the company’s security and privacy practices.

[…]

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Hussein, who has previously reported security issues at several startups, including MoviePass, Remine and Blind, said he reported the exposure to Clearview but declined to accept a bounty, which he said if signed would have barred him from publicly disclosing the security lapse.

It’s not uncommon for companies to use bug bounty terms and conditions or non-disclosure agreements to prevent the disclosure of security lapses once they are fixed. But experts told TechCrunch that researchers are not obligated to accept a bounty or agree to disclosure rules.

Ton-That said that Clearview has “done a full forensic audit of the host to confirm no other unauthorized access occurred.” He also confirmed that the secret keys have been changed and no longer work.

Hussein’s findings offer a rare glimpse into the operations of the secretive company. One screenshot shared by Hussein showed code and apps referencing the company’s Insight Camera, which Ton-That described as a “prototype” camera, since discontinued.

A screenshot of Clearview AI’s app for macOS. It connects to Clearview’s database through an API. The app also references Clearview’s former prototype camera hardware, Insight Camera.

According to BuzzFeed News, one of the firms that tested the cameras is New York City real estate firm Rudin Management, which trialed use of a camera at two of its city residential buildings.

Hussein said that he found some 70,000 videos in one of Clearview’s cloud storage buckets, taken from a camera installed at face-height in the lobby of a residential building. The videos show residents entering and leaving the building.

Source: Security lapse exposed Clearview AI source code | TechCrunch

That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed

A critical vulnerability in VMware’s vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.

The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMware issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.

Admins in charge of VMware estates should probably patch this one immediately, if they haven’t already.

Guardicore researcher JJ Lehman told The Register: “You have to be network accessible but you don’t have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts.”

The virtualization vendor issued an advisory note and patch on 9 April that explained that a “malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials”.

“It’s very unique,” Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team’s eye. “This is why this is such a critical issue and this is why we believe it’s important for people to understand and mitigate it as fast as possible.”

He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.

Source: That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed • The Register

India says ‘Zoom is a not a safe platform’ and bans government users

India has effectively banned videoconferencing service Zoom for government users and repeated warnings that consumers need to be careful when using the tool.

The nation’s Cyber Coordination Centre has issued advice (PDF) titled “Advisory on Secure use of Zoom meeting platform by private individuals (not for use by government offices/officials for official purpose)”.

The document refers to past advisories that offered advice on how to use Zoom securely and warned that Zoom has weak authentication methods. Neither of those notifications mentioned policy about government use of the tool, meaning the new document is a significant change in position!

The document is otherwise a comprehensive-if-dull guide to using Zoom securely.

[…]

Source: India says ‘Zoom is a not a safe platform’ and bans government users • The Register

The secret behind “unkillable” Android backdoor called xHelper has been revealed

In February, a researcher detailed a widely circulating Android backdoor that’s so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn’t know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

[…]

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights.

[…]

Last week, Kaspersky Lab researcher Igor Golovin published a post that filled in some of the gaps. The reinfections, he said, were the result of files that were downloaded and installed by a notorious trojan known as Triada, which ran once the xHelper app was installed. Triada roots the devices and then uses its powerful system rights to install a series of malicious files directly into the system partition. It does this by remounting the system partition in write mode. To make the files even more persistent, Triada gives them an immutable attribute, which prevents deleting, even by superusers. (Interestingly, the attribute can be deleted using the chattr command.)

A file named install-recovery.sh makes calls to files added to the /system/xbin folder. That allows the malware to run each time the device is rebooted. The result is what Golovin described as an “unkillable” infection that has extraordinary control over a device.

[…]

The researcher initially thought that it might be possible to remove xHelper by remounting the system partition in write mode to delete the malicious files stored there. He eventually abandoned that theory.

“Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so,” Golovin explained. “This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.”

Fortunately, the reinfection method divined in last week’s report works only on devices running older Android versions with known rooting vulnerabilities. Golovin, however, held out the possibility that, in some cases, xHelper may maintain persistence through malicious files that come preinstalled on phones or tablets.

People can disinfect devices by using their recovery mode, when available, to replace the infected libc.so file with the legitimate one included with the original firmware. Users can then either remove all malware from the system partition or, simpler still, reflash the device.
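The persistence chain above leaves three kinds of trace on the system partition: a modified library (libc.so with a hooked mount), added files under /system/xbin, and a modified startup script. All three fall out of a plain comparison against a manifest of hashes taken from the vendor's clean firmware. The following is an added Python example, not Kaspersky's tooling or anything from the xHelper analysis, that builds such a manifest and reports modified, added and missing files. The /system tree it uses is a constructed stand-in created in a temporary directory, and the /system/etc location for install-recovery.sh and the payload file name are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system libraries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def diff_against_manifest(root: Path, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a partition tree against a manifest taken from clean firmware."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "missing": sorted(k for k in trusted if k not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed /system stand-in: clean firmware first, then the changes the
    article attributes to Triada (patched libc.so, payload dropped into xbin,
    startup script edited to launch it)."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system"
        for sub in ("lib", "xbin", "etc"):
            (system / sub).mkdir(parents=True)
        (system / "lib" / "libc.so").write_bytes(b"stock libc: mount() unmodified\n")
        (system / "etc" / "install-recovery.sh").write_bytes(b"#!/system/bin/sh\n# stock\n")
        # In practice the manifest comes from the vendor image, never from the device.
        trusted = build_manifest(system)

        (system / "lib" / "libc.so").write_bytes(b"patched libc: mount() hooked\n")
        (system / "xbin" / "dropped_payload").write_bytes(b"constructed malicious binary\n")
        with (system / "etc" / "install-recovery.sh").open("ab") as fh:
            fh.write(b"/system/xbin/dropped_payload &\n")

        return diff_against_manifest(system, trusted)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats follow directly from the article. The manifest must come from the original firmware, not from the device, since the device's copy of libc is exactly what is in question. And the comparison should run over a partition image read from recovery mode or a dump, not from inside the running system, because a hooked mount and the immutable attribute mean the live OS cannot be trusted to show or let you change what is really on /system.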

Source: The secret behind “unkillable” Android backdoor called xHelper has been revealed | Ars Technica