To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the popular bitcoin forum Bitcoin Talk.

By merely searching for direct links between those two sets of addresses in the blockchain, they found more than 125 transactions made to those dark web sites’ accounts—very likely with the intention of preserving the senders’ anonymity—that they could easily link to public accounts. Among those, 46 were donations to WikiLeaks. More disturbingly, 22 were payments to the Silk Road. Though they don’t reveal many personal details of those 22 individuals, the researchers say that some had publicly revealed their locations, ages, genders, email addresses, or even full names. (One user who fully identified himself was only a teenager at the time of the transactions.) And the 18 people whose Silk Road transactions were linked to Bitcoin Talk may be particularly vulnerable, since that forum has previously responded to subpoeanas demanding that it unmask a user’s registration details or private messages. “You have irrefutable evidence mapping this profile to this hidden service,” says Yazan Boshmaf, another of the study’s authors.

Source: Your Sloppy Bitcoin Drug Deals Will Haunt You for Years

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.

The first issue, CVE-2018-6017, results from the Tinder’s app’s use of insecure HTTP connections to access profile pictures. By observing traffic on a public Wi-Fi network (or some other snooping position on a network), a miscreant could see what profiles are being viewed and match them with the victim’s device. If a scumbag has compromised the network when the victim turns on the Tinder app, the victim’s profile information could also be intercepted and viewed.

The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Though the Tinder API uses HTTPS connections for traffic it handles, the specific actions each move their encrypted packets with a set length.

By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping who.

The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.

Source: Swipe fright: Tinder hackers may know how desperate you really are • The Register

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible.
[…]
Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and memory initialization bug (CVE-2018-4090) that could also allow restricted memory to be read.
[…]
Two other kernel flaws, CVE-2018-4097 and CVE-2018-4082, allow an app to run code as the kernel, thus hijacking the whole machine. The first is “a logic issue [..] addressed with improved validation,” discovered by Resecurity Inc, and the second “a memory corruption issue […] addressed through improved input validation” found and reported by Russ Cox of Google.

Other noteworthy bugs include CVE-2018-4094, a bug in both Sierra and High Sierra discovered by five researchers at Yonsei University in Seoul, South Korea. The memory corruption bug allows remote code execution attacks simply by processing a maliciously crafted audio file.

The WebKit browser engine received three fixes for remote code execution flaws (CVE-2018-4088, CVE-2018-4089,CVE-2018-4096) that are also patched in Safari with version 11.0.3.

The QuartzCore component contained a remote code execution flaw (CVE-2018-4085) that can be exploited via web content, while Wi-Fi had a restricted memory access flaw (CVE-2018-4084), and a bug in the operating system’s process sandbox (CVE-2018-4091) could allow programs to get around access restrictions.
Meanwhile, on mobile…

For iOS devices, Apple has served up the 11.2.5 update. It includes a fix for the CVE-2018-4094 audio-file remote-code execution flaw as well as the three kernel memory leak bugs (CVE-2018-4090, CVE-2018-4092, CVE-2018-4093), and the QuartzCore, and WebKit flaws included in the macOS update.

Researcher Abraham “cheesecakeufo” Masri gets credit for CVE-2018-4100, a patched flaw in iOS that allows text messages to crash the iPhone, while Zimperium zLabs’ Rani Idan was credited for CVE-2018-4095 and CVE-2018-4087, a pair of arbitrary code execution flaws in Core Bluetooth.

Masri’s text-message bug, CVE-2018-4100, is also fixed in macOS’s LinkPresentation code to prevent weird text in webpages and messages from stalling desktop apps.

Many of the same iOS flaws are addressed for the Apple Watch in watchOS 4.2.2, and in the AppleTV with tvOS 11.2.5.

Source: It’s 2018 and your Macs, iPhones can be pwned by playing evil music • The Register

Bizzarely these are only now being patched?

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here’s what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.

Source: Skype, Signal, Slack, other apps inherit Electron vuln

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

Source: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s director of cybersecurity, told The Register on Wednesday. “We think there’s a third party selling this to governments.”

Dark Caracal has, we’re told, been used to siphon off information from thousands of targets in over 21 countries – from private documents, call records, audio recordings, and text messages to contact information, and photos from military, government, and business targets, as well as activists and journalists.
[…]
The primary way to pick up Pallas on your gadget is by installing infected applications – such as WhatsApp and Signal ripoffs – from non-official software souks. Pallas doesn’t exploit zero-days to take over a device, but instead relies on users being tricked into installing booby-trapped apps, and granting the malicious software a large variety of permissions. Once in place, it can thus surreptitiously record audio from the phone’s microphone, reveal the gizmo’s location to snoops, and leak all the data the handset contains to its masters.

In addition, the Dark Caracal platform offers another surveillance tool: a previously unseen sample of FinFisher, the spyware package sold to governments to surveil citizens. It’s not known if this was legitimately purchased, or a demo version that was adapted.

On the desktop side, Dark Caracal provides a Delphi-coded Bandook trojan, previously identified in Operation Manul, that commandeers Windows systems. Essentially, marks are tricked into installing and running infected programs signed with a legitimate security certificate. Once up and running, the software nasty downloads more malware from command-and-control servers. The code pest can also be stashed in Microsoft Word documents, and executed using macros – so beware, Office admins.

Source: Someone is touting a mobile, PC spyware platform called Dark Caracal to governments • The Register

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel.

The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been in present in ENOS (Enterprise network operating system) since at least 2004 – when ENOS was still under the hand of Nortel.

Lenovo’s advisory says the issue “was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions”.

There are three vulnerable scenarios, the advisory said:

Authentication via the Telnet or serial consoles, if used for local authentication, “or a combination of RADIUS, TACACS+, or LDAP and local authentication under specific circumstances”;
The Web management interface is vulnerable when the user is authenticating via “a combination of RADIUS or TACACS+ and local authentication”, and then only in “an unlikely condition”; and
“SSH for certain firmware released in May 2004 through June 2004”, again with a combination of RADIUS or TACACS+.

The “unlikely conditions” Lenovo referred to depend on which interface is potentially being attacked.

For SSH access, the management interface is only vulnerable if the system is running firmware created between May and June 2004; RADIUS and/or TACACS+ is enable; the related “backdoor / secure backdoor” local authentication fallback is enabled (in this case, “backdoor” refers to a RADIUS configuration setting); and finally, a RADIUS or TACACS+ timeout occurs.

Source: Lenovo inherited a switch authentication bypass – from Nortel • The Register

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

Source: F-Secure Press Room | Global

Let’s Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers.

TLS-SNI is one of three ways Let’s Encrypt’s Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The other two validation methods, HTTP-01 and DNS-01, are not implicated in this issue.

The problem is that TLS-SNI-01 and its planned successor TLS-SNI-02 can be abused under specific circumstances to allow an attacker to obtain HTTPS certificates for websites that he or she does not own.

Such a person could, for example, find an orphaned domain name pointed at a hosting service, and use the domain – with an unauthorized certificate to make fake pages appear more credible – without actually owning the domain.

Source: Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains • The Register

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger.

Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count.

Source: Adult Themed Virtual Reality App spills Names, Emails of Thousands | The Security Ledger

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday.

The archive was therefore unavailable for much of the weekend, although Linux developers could still use mirrors like Indiana University’s effort.

Spaans quickly learned of the outage and he said it was a simple issue, that a brief power outage left the server waiting for a luks – Linux Unified Key Setup – password.

The sad part is that that machine has an initrd with remote ssh access for passing the passphrase (because of a sucky java-based kvm), but I can’t reach the bugger from the outside. A vps + cryptops might be a thing for when this hardware dies though.
— jasper spaans (@spaans) January 10, 2018

But once he got home, it became apparent the problem was rather more serious.

Bad news for the fans of https://t.co/MTS96wBH6B : the main board of the server somehow did not survive the outage 🙁
Expect prolonged downtime while I source replacement parts. (Any recommendations for mini-itx server boards? Currently looking at https://t.co/IHGz1wyxeS )
— jasper spaans (@spaans) January 13, 2018

The hardware Spaans needed appears to have arrived: in the 30 minutes The Reg worked on this story, lkml.org came back to full life.

Source: Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC? • The Register

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server’s file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

The first of the vulnerabilities, designated in MITRE’s Common Vulnerabilities and Exposures (CVE) list as CVE-2017-15548, allows an attacker to gain root access to the servers. This would potentially give someone direct access to backups on the server, allowing them to retrieve images of virtual machines, backed-up databases, and other data stored within the affected systems.

The second vulnerability, CVE-2017-15549, makes it possible for an attacker to potentially upload malicious files into “any location on the server file system” without authentication. And the third, CVE-2017-15550, is a privilege escalation bug that could allow someone with low-level authenticated access to access files within the server. The attacker could do this by using a Web request crafted to take advantage of “path traversal”—moving up and down within the directory structure of the file system used by the application

Source: EMC, VMware security bugs throw gasoline on cloud security fire | Ars Technica

Wi-Fi router vendors have started issuing patches to defend their products against Google Chromecast devices.TP-Link and Linksys were first out of the blocks with firmware fixes, and TP-Link has posted this explanation of the issue.

The bug is not in the routers, but in Google’s “Cast” feature, used in Chromecast, Google Home, and other devices. Cast sends multicast DNS (MDNS) packets as a keep-alive for connections to products like Google Home, and it seems someone forgot to configure the feature to go quiet when Chromecast devices are sleeping.

That, at least, is how Vulture South reads the issue that TP-Link’s engineer described:“These packets normally sent in a 20-second interval. However, we have discovered that the devices will sometimes broadcast a large amount of these packets at a very high speed in a short amount of time. This occurs when the device is awakened from the ‘sleep mode’, and could exceed more than 100,000 packets in a short amount of time.”It continues: “The longer your device is in ‘sleep’, the larger this packet burst will be.”

If left alone long enough, TP-Link warned, the burst will fill up the router’s memory and leave a reboot the only option to restore connectivity.

Source: Okay, Google: why does Chromecast clobber Wi-Fi connections? • The Register

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access to WhatsApp servers or a government successfully pressuring WhatsApp to give it access to targeted group chats.

Perhaps even more troubling, a compromised admin with control of the server could manipulate the messages that would alert group members that someone new had been added, according to the researchers. However, WhatsApp denies this is an issue.

Wired confirmed the researchers’ findings with a WhatsApp spokesperson. While the company, which is owned by Facebook, acknowledges the issue of server security, the spokesperson pushed back on the idea that attackers could block, cache, or otherwise prevent the alert that new members have been added.

Source: WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats [Updated]

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system’s password protections.This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug tracker, has since been verified by Mac-toting netizens.The bug allows a user logged in with admin rights (this is important to note) to get around the password requirement when making changes in the App Store settings panel. Open the App Store settings panel, click on the padlock to make changes, a password prompt pops up, type in any string of text, and the “password” is accepted, unlocking the preferences panel.Aaron Lint, veep of research at infosec biz Arxan, claimed the trick can also be used to bypass the login requirements for some other settings panels as well, but not the important “Users and Groups” and “Security and Privacy” controls.

Source: Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted • The Register

Yahoo! Mail – yes, amazingly it is still a thing – is today taking a break from business as usual norms with the service down for almost the past seven hours.Since circa 9am, the email service has received hundreds of complaints an hour on downdetector.co.uk, with users moaning about persistant “error 15” messages, and others telling of short periods of functionality before being kicked out of their accounts.Yahoo’s customer care Twitter account belatedly acknowledged the outage after 2pm, saying it had “received reports that users are seeing temporary access errors when accessing #YahooMail”, and that it was “working to fix this as quickly as possible.”More than a full hour later, the social media ninjas at Yahoo updated the customer base to say it still didn’t know when it would be able to make things better.

Source: Yahooooo! says! its! email! is! scrahoooo-ed! • The Register

The joys of the cloud…

Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files could be at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is “abc12345cba” (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let’s be realistic — not everyone stays on top of updates, and a backdoor never should have existed in the first place.

Source: Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

My disk is encrypted, but all it takes to bypass this protection is for an attacker — a malicious hotel housekeeper, or “evil maid,” for example — to spend a few minutes physically tampering with it without my knowledge. If I come back and continue to use my compromised computer, the attacker could gain access to everything.Edward Snowden and his friends have a solution. The NSA whistleblower and a team of collaborators have been working on a new open source Android app called Haven that you install on a spare smartphone, turning the device into a sort of sentry to watch over your laptop. Haven uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. The first public beta version of Haven has officially been released; it’s available in the Play Store and on F-Droid, an open source app store for Android.

Source: Edward Snowden’s New App Uses Your Smartphone to Physically Guard Your Laptop

You can bypass Windows Hello with a low-res printed photoIn a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software — the doomsday scenario of using a printed photo of the device’s owner.Researchers say that by using a laser color printout of a low-resolution (340×340 pixels) photo of the device owner’s face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated.The attack worked even if the “enhanced anti-spoofing” feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480×480 pixels (which in reality is still a low-resolution photo).

Source: Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo

a prototype tool created by researchers from the University of California San Diego (UCSD) aims to bring greater transparency to such breaches. The system, called Tripwire, detects websites that were hacked, as is detailed in this study.

Here’s here how it works: To detect breaches, the researchers created a bot that automatically registered accounts on thousands of websites. Each of those accounts shared a password with a unique associated email address. Working with a “major email provider,” the researchers were then notified if there was a successful login on any of the email accounts. Since the email accounts were created for the study, any login was assumed to be the result of a security breach on the website associated with that account.

“While Tripwire can’t catch every data breach, it essentially has no false positives—everything it detects definitely corresponds to a data breach,” Joe DeBlasio, a Ph.D student of Jacobs School of Engineering at UCSD and an author on the research paper, told Gizmodo. “Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.”

As part of the study, the researchers monitored over 2,300 sites from January 2015 through February of this year, and found that 19 of the sites (or one percent) had been compromised. The study notes that the system found “both plaintext and hashed-password breaches”—if your password is hashed, it is indecipherable to a hacker. Arguably the most damning finding of the study was that, at the time it was published, all but one of the compromised websites failed to notify their users that they had suffered a breach. Only one site told researchers they would force a password reset.

Source: Researchers Made a Clever Tool to Detect Hacks Companies Haven’t Told Users About

A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year.”I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.”I checked and, they’re doing the same thing again with this version,” the expert added, referring to the Keeper app bundled with some Windows 10 versions.”I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password,” Ormandy added.To prove his point, the expert also created a demo page where Keeper users can see the vulnerability in action.

Source: Windows 10 Bundles a Password Manager. Password Manager Bundles a Security Flaw