As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing “end-to-end verification of elections.” ElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted. The bounty program invites security researchers (“whether full-time cybersecurity professionals, part-time hobbyists or students”) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a “clear, concise proof of concept” (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found. In-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren’t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages). The program is one prong of the company’s wider “Defending Democracy” program, under which Microsoft has pledged to protect campaigns from hacking;…

A new data privacy bill threatens large tech firms, like Facebook, with tough penalties – including monetary fines and up to 20 years of jail time for executives – if they violate user privacy policies. The “Mind Your Own Business Act,” proposed by Sen. Ron Wyden (D-Ore.) on Thursday, gives the Federal Trade Commission (FTC) the ability to establish privacy and security standards for tech platforms. If companies violate these standards, they could face fines of up to 4 percent of a company’s global turnover – the same provision used by the already-enacted General Data Protection Regulation (GDPR) laws in the EU. In addition, senior executives who “knowingly lie to the FTC” could face up to 10- to 20-year criminal penalties under the act. “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” said Wyden, in a press statement. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.” Under the new bill, the FTC would also create a national “Do Not Track” system that bars companies from tracking consumers on the web, selling or sharing their data, or targeting advertisements based on their personal information. “Companies that wish to condition products and services on the sale or sharing of consumer data must offer another, similar privacy-friendly version of their product, for which they can charge a reasonable fee,” according to Wyden’s release. “This fee will be waived…

A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence. Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” but which skated by antivirus solutions on the endpoints by adding a new tweak. The malware “was modified just enough to evade the vast majority of existing signatures for it” according to Meir Brown, head of research at Cyberbit, adding that it was detected by only 16 out of 73 detection products on VirusTotal. “The modification was really simple: the MD5 was modified, however, the attacker kept the use of the original tools and even the original file names…which is an indication of simple modification, nevertheless this was sufficient to evade most AV products,” he told Threatpost. The malicious mining activity also raised no red flags with airport personnel, according to an analysis posted this week by the firm. “Its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport,” the analysis noted. “The malware may have been used for months.” This is the advantage of cryptomining for financially motivated threat actors, according to Brown: Persistence. “We see growing usage of cryptominers in recent attacks and we see a trend to switch…

A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel. The flaw (CVE-2019-17666), which was classified as critical in severity, exists in the “rtlwifi” driver, the software component that allows certain Realtek Wi-Fi modules used in Linux devices to communicate with the Linux operating system. Specifically, the driver is vulnerable to a buffer overflow, in which more data is written to a buffer (a region of memory used to temporarily hold data while it is being moved) than the buffer can hold; here the buffer is allocated in the heap portion of memory (the region of a process’s memory used to store dynamic variables). The excess data corrupts adjacent memory and can alter other data, opening the door to malicious attacks. This specific flaw could enable attackers to launch a variety of attacks – from crashing vulnerable Linux machines to full takeover. “The bug is serious… if an attacker is currently using that Realtek driver (rtlwifi), then it’s vulnerable to this bug and someone on a wireless distance range can potentially attack him,” Nico Waisman, principal security engineer at GitHub, who discovered the bug and posted his findings Thursday on Twitter, told Threatpost. Found this bug on Monday. An overflow on the linux rtlwifi driver on P2P (Wifi-Direct), while parsing Notice of Absence frames. The bug has been around for at least 4 years…

As it becomes more difficult and expensive to infiltrate environments via malware, cybercriminals may start turning in the future to a more viable and less costly alternative: Insider threats. This podcast is brought to you by Code42. Threatpost talks to Tim Brown, vice president of security at SolarWinds, about various trends he’s seeing around insider threats – including the potential for insider threats to be seen as a more viable option in the cybercrime world than malware. “One of the things that a number of folks in the security industry see is that malware’s continuing its exponential climb, we expect to see a drop off, right? And that drop off is going to be when it’s more economically feasible to hire an insider than it is to utilize malware to infiltrate data and infiltrate systems,” he told Threatpost. “So at some point in time, we believe that that’s going to occur.” Brown also talked about how to spot telltale signs behind notorious insider threats such as Edward Snowden, what the top insider threats are, and why departing employees as a threat are increasingly pushing companies to update their offboarding policies. For the full podcast, see below or download here. Below is a lightly-edited transcript of the podcast. Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost. Welcome back to the Threatpost podcast. And I’m joined today with Tim Brown, the Vice President of Security at SolarWinds. And we’re going to talk today about insider threats. So Tim,…

Online retailer Zappos will give customers a 10 percent discount to its online store as settlement for a 2012 data breach that affected 24 million customers, while lawyers in the case will win $1.6 million in fees. The news shows customers once again getting the short end of the stick when it comes to financial restitution for data breaches, in which lawyers and government regulators tend to get the biggest payoff. The company unveiled the settlement in a notice of class action from the U.S. District Court, District of Nevada posted on the company’s website, which also included links to relevant court documents (PDF). In the breach, attackers compromised Zappos systems and accessed personal information belonging to more than 24 million of its customers. Zappos is a large retailer, mainly known for its shoe business, though it also sells a large range of other goods, including clothing and accessories. The settlement notice applies to “anyone who had an online Zappos.com account on or before January 15, 2012, and for whom Zappos had an email address for the account in its records at that time,” according to the post. Those affected must follow certain conditions outlined in the settlement and respond by Nov. 29, 2019. People also can choose to opt out of the settlement, which also must be completed by the same date. If a user chooses to “do nothing,” he or she “will not receive a benefit of the settlement and you will give up certain legal rights,” according to the…

A recent wide-scale campaign indicates that a decade-old botnet is shifting gears from distributing ransomware to delivering millions of sextortion threats to innocent recipients. Worse, researchers say that the botnet’s spam campaign can affect up to 27 million potential victims. The botnet, Phorpiex, has been active for almost a decade and currently controls almost 500,000 computers globally. The botnet is known for distributing malware such as GandCrab as well as cryptocurrency miners on infected hosts. However, researchers with Check Point say the botnet has recently been spotted in a five-month campaign cashing in on a new form of revenue generation: Wide-scale sextortion. “Phorpiex, a veteran botnet, has found a way to use [its infected computers] to generate easy income on a long term basis,” Check Point researchers said in a Wednesday analysis. “This new activity might be connected with the termination of Gandcrab, a ransomware that Phorpiex used to distribute, or just because plain-text emails still manage to infiltrate many cyber-defense lines. In any case, Phorpiex…is continuously propagating sextortion emails – by the millions.” Sextortion is a type of attack where bad actors email spam messages to victims claiming to have sexual content and private data on the recipient — then, they demand a blackmail payment in exchange for not exposing the supposedly hacked data. Most of the time, the attackers are merely bluffing and hoping the intended victims will fall…

A Dark Web “carding store” called BriansClub, which specializes in selling stolen payment card information, has itself become a victim, with thieves making off with 26 million credit- and debit-card records. The site appears to be a target of “hacking back,” since the data was shared with financial institutions in an effort to cut off any potential card fraud. The data set represents everything uploaded to BriansClub in the last four years, according to independent researcher Brian Krebs (ironically, the forum’s namesake). Of those, 14 million of the payment cards are unexpired, Krebs said in a posting this week. The marketplace’s wares come in the form of digital card information that could be encoded on a card with a magnetic strip in order to produce counterfeit payment cards. Its total inventory, according to the going black market rates analyzed by Flashpoint, is worth $414 million. However, Krebs also noted that BriansClub has only sold 9.1 million stolen cards in that time period (granted, still earning the site $126 million worth of Bitcoin). “It’s interesting to note that Krebs thinks the supply of stolen cards for sale on BriansClub outstrips demand – there are literally more stolen credit cards up for sale than criminals know what to do with,” Paul Bischoff, privacy advocate with Comparitech, said via email. Meanwhile researchers noted that the data that has been delivered to banks and card issuers provides invaluable intel for them. “This hack is a great…

A mistake made by website developers left an official re-election website for President Donald Trump open to attack. The error, impacting hundreds of other websites as well, is tied to a website development tool called Laravel, used to test sites before they go live. The tool, accidentally left active on a slew of sites, would allow hackers to hijack the site’s email servers and intercept, send or read email messages sent from the site’s domain. “The tool, a PHP framework called Laravel, includes a ‘debug mode’ that lets developers identify errors and misconfigurations before websites go live,” said researchers Bob Diachenko and Sebastien Kaul, working on the behalf of security firm Comparitech, in a report posted Thursday. “The problem is that many developers fail to disable the debug mode after going live, exposing back-end website details like database locations, passwords, secret keys and other sensitive info,” they said. The Trump domain that was left exposed is DonaldJTrump.com, a website used to solicit campaign donations and invite visitors to sign-up for Trump campaign emails. Diachenko said he discovered the exposed tool on a subdomain (leadops.donaldjtrump.com) of donaldtrump.com on Oct. 11 and at that time sent a flurry of emails to the site and other Trump-related website privacy contacts with no response. On Oct. 15, he emailed Trump campaign manager Brad Parscale and got no response. The following day, researchers contacted NYPD Police Commissioner James P….

Cisco Systems has released a security update stomping out critical and high-severity flaws impacting its Aironet access points, which are entry-level wireless access points (APs) used by mid-size enterprises in their offices or small warehouses. It also issued a slew of additional patches addressing other flaws in its products. The most severe of the AP bugs is a critical glitch that could allow unauthenticated, remote attackers to gain unauthorized access to targeted devices – giving them elevated privileges such as the ability to view sensitive data and tamper with the device configuration. The flaw exists in Cisco’s software that powers the Aironet networking APs, which allow other Wi-Fi devices to connect to a wired network. “An exploit could allow the attacker to gain access to the device with elevated privileges,” said Cisco in a Wednesday advisory. “While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the [access point], creating a denial of service (DoS) condition for clients associated with the [access point].” The vulnerability (CVE-2019-15260) has a CVSS score of 9.8 out of 10.0, making it critical in severity. The flaw specifically stems from insufficient access control for certain URLs on impacted Aironet devices. An attacker could…
