The technique can be used to spread disinformation while leveraging the trust people have in Google's search results.

Source

A cybersecurity researcher has discovered online a massive database containing records of more than 202 million Chinese citizens that remained accessible to anyone on the Internet without authentication until last week.

The unprotected 854.8 gigabytes of data were stored in an instance of MongoDB, a high-performance, cross-platform NoSQL document-oriented database, hosted by an American server hosting company.

In total, the database contained 202,730,434 records about job candidates from China, including candidates' personal information such as their full name, date of birth, phone number, email address, marital status, and driver’s license information, along with their professional experience and job expectations.

Bob Diachenko, director of cyber risk research at Hacken.io and bug bounty platform HackenProof, discovered the existence of the database two weeks ago; it was secured shortly after his notification on Twitter.

However, it is worth noting that “MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline,” Diachenko said.

Though the source of the data is still unknown, Diachenko believes someone might have used an old resume scraping tool called “data-import” to collect all these job seekers' resumes from different Chinese classified websites, like bj.58.com. Diachenko believes so because the format of the leaked database exactly matches the way the scraping tool stores collected information.

Diachenko also communicated with the BJ.58.com team, who told him that the leaked data did not originate from its website, but suggested that it could have been leaked from a third party that collects data from many CV websites.

“We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us,” BJ.58.com told Diachenko.

This isn't the first time MongoDB instances have been found exposed to the Internet. In recent years, we have published several similar reports where unprotected MongoDB servers exposed billions of records.

Source
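The exposure described above is the classic combination of a mongod that listens on a public interface with authorization disabled, so anyone who can reach TCP port 27017 can read every collection. As an added example (not code from the article, from Hacken, or from MongoDB), the following script reads a mongod.conf and flags that combination. Both configuration texts are constructed samples; the YAML reader handles only the two-level section/key layout that mongod.conf uses, so it runs without PyYAML. The note about the version default reflects MongoDB's change in 3.6, when the default binding moved from all interfaces to localhost.

```python
"""Audit a mongod.conf for the two settings that turn a database into an open,
unauthenticated listener: net.bindIp / net.bindIpAll and security.authorization.
Added example, not MongoDB's tooling. The reader below understands only the
two-level "section, then indented key: value" layout that mongod.conf uses."""

# Constructed sample: the exposed pattern (listens on every interface, no auth).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: same server, loopback-only and authorization enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Return {section: {key: value}} for the mongod.conf YAML subset.
    Comments (#) and blank lines are ignored; deeper nesting is not needed here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):                # unindented: a new section
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:   # indented: key: value
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if bind_all or any(a not in LOOPBACK for a in addrs):
        reachable = True
        findings.append("net: mongod listens on a non-loopback interface "
                        "(bindIpAll or a public bindIp)")
    elif not addrs:
        # No bindIp at all: the default depends on the version
        # (all interfaces before MongoDB 3.6, localhost from 3.6 on).
        reachable = True
        findings.append("net: bindIp not set; binding falls back to the "
                        "version default, which was all interfaces before 3.6")
    else:
        reachable = False

    unauthenticated = security.get("authorization", "disabled").lower() != "enabled"
    if unauthenticated:
        findings.append("security: authorization not enabled; any client that "
                        "reaches the port can read and write every collection")

    if reachable and unauthenticated:
        findings.append("CRITICAL: network-reachable and unauthenticated, the "
                        "exact combination behind the exposure described above")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["OK"])
```

Binding to loopback alone is not a substitute for authentication: a database that is reached through an SSH tunnel, a sidecar or a misconfigured firewall still needs `security.authorization: enabled`, which is why the script reports the two conditions separately and only escalates when both are present.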

Security researchers have discovered three vulnerabilities in systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities, assigned CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, reside in the “systemd-journald” service, which collects information from different sources and creates event logs by writing that information to the journal.

The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Red Hat and Debian, according to the researchers. However, some Linux distros such as SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not affected, as “their userspace [code] is compiled with GCC's -fstack-clash-protection.”

The first two flaws are memory corruption issues, while the third one is an out-of-bounds read in systemd-journald that can leak sensitive process memory data.

Researchers have successfully created proof-of-concept exploits, which they are planning to release in the near future. “We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average,” the researchers write in an advisory published Wednesday.

CVE-2018-16864 is similar to a Stack Clash vulnerability Qualys researchers discovered in 2017 that can be exploited by malware or low-privileged users to escalate their permissions to root.

According to the researchers, CVE-2018-16864 has existed in systemd's codebase since April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230), while CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201), Qualys says.

However, the third vulnerability (CVE-2018-16866) was introduced in systemd's codebase in June 2015 (systemd v221) but, according to the researchers, was “inadvertently fixed in August 2018.”

If you are using a vulnerable Linux system, keep tabs on the latest updates from your Linux distribution and install the patches as soon as they are released.

Source

Security researchers have been warning about a simple technique that cybercriminals and email scammers are already using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which was originally designed to protect users from malware and phishing attacks.

Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection) solution. It works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. Therefore, every time users click on a link provided in an email, Safe Links first sends them to a Microsoft-owned domain, where it immediately checks the original link for anything suspicious. If Microsoft's security scanners detect any malicious element, it warns the user; if not, it redirects them to the original link.

However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365's URL reputation check and Safe Links URL protection by using zero-width spaces (ZWSPs).

Supported by all modern web browsers, zero-width spaces (listed below) are non-printing Unicode characters that are typically used to enable line wrapping in long words; most applications treat them as a regular space, even though they are not visible to the eye.

Zero-Width Space Phishing Attack Demonstration

According to the researchers, attackers simply insert multiple zero-width spaces within the malicious URL in their phishing emails, breaking the URL pattern so that Microsoft does not recognize it as a link.

“Microsoft email processing did not recognize this URL as a legitimate URL, and neither applied URL reputation checking nor converted it with Safe Links for post-click checking,” the researchers say in a blog post published Wednesday. “The email was delivered to the intended recipient; but in their inbox, users did not see the ZWSPs in the URL.”

However, when the end users clicked on the link in the email, they landed on a credential-harvesting phishing website.

Researchers also provided a video demonstration showing what happened when they sent a malicious URL to an Office 365 inbox without any ZWSP characters inserted in the URL and with ZWSP characters inserted into the URL.

The Z-WASP attack is another entry in a list of exploits, including the baseStriker and ZeroFont attacks, that are designed to obfuscate malicious content and confuse Microsoft Office 365 security.

The security firm discovered the Z-WASP attack on more than 90 percent of Avanan's Office 365 customers and reported the issue to Microsoft on November 10th last year after confirming its nature. Avanan then worked continuously with the Microsoft security team on assessing the scope of the vulnerability, which was addressed on January 9th.

Source
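The defensive lesson of Z-WASP is that a URL scanner must normalise away zero-width code points before it decides whether something is a link. The following detector is an added example (not Avanan's or Microsoft's code): it strips the zero-width characters, finds URLs that a contiguous-scheme pattern would miss, and reports how many hidden characters each one carried. The email body is a constructed sample, and `example.test` is a reserved domain; the set of code points covers the Unicode zero-width characters (U+200B, U+200C, U+200D, U+2060, U+FEFF), since the article's own list did not survive extraction.

```python
"""Detect URLs with zero-width Unicode characters interleaved in them, the
Z-WASP trick described above. Added example, not Avanan's or Microsoft's code.
The sample email below is constructed."""
import re

# Zero-width code points: they render as nothing, so the recipient sees an
# ordinary URL, but a pattern that wants a contiguous "http" no longer matches.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
ZW = "[" + "".join(ZERO_WIDTH) + "]*"          # "zero or more hidden characters"

# What a simple scanner does: the scheme must be contiguous.
NAIVE_URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Same pattern, tolerating hidden characters between the scheme's letters. The
# trailing class already swallows them, because Python's \s excludes U+200B etc.
TOLERANT_URL_RE = re.compile(
    "h" + ZW + "t" + ZW + "t" + ZW + "p" + ZW + "s?" + ZW + ":" + ZW + "/" + ZW + "/"
    + r"[^\s<>\"']+"
)

TRAILING_PUNCT = ".,;:)"


def strip_zero_width(text):
    """Return (text without zero-width characters, number of characters removed)."""
    cleaned = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    return cleaned, len(text) - len(cleaned)


def find_urls(text):
    """Scan a message body. For every URL found after normalisation, report its
    canonical form, how many hidden characters it carried, and whether a naive
    contiguous-scheme scan would have missed it entirely."""
    naive = {u.rstrip(TRAILING_PUNCT) for u in NAIVE_URL_RE.findall(text)}
    findings = []
    for m in TOLERANT_URL_RE.finditer(text):
        raw = m.group(0).rstrip(TRAILING_PUNCT)
        normalized, hidden = strip_zero_width(raw)
        findings.append({
            "normalized": normalized,
            "zero_width_chars": hidden,
            "hidden_from_naive_scan": hidden > 0 and raw not in naive,
        })
    return findings


# Constructed phishing-style body: the first link has U+200B between the
# letters of "https" and one more inside the path; the second link is clean.
SAMPLE_EMAIL = (
    "Your mailbox is almost full. Review your storage here:\n"
    "h\u200bt\u200bt\u200bp\u200bs://login.example.test/verify\u200baccount\n"
    "Questions? See https://support.example.test/faq.\n"
)

if __name__ == "__main__":
    for finding in find_urls(SAMPLE_EMAIL):
        print(finding)
```

The normalised form is what should be fed to reputation checks and link rewriting; the count of hidden characters is itself a useful signal, since legitimate senders have no reason to put zero-width characters inside a URL.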

Almost every activity on the Internet starts with a DNS query. DNS is a key function of the Internet that works as its directory: your device looks up the server's IP address after you enter a human-readable web address (e.g., thehackernews.com).

Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal what websites an individual visits, and the queries are also vulnerable to spoofing attacks.

To address these problems, Google announced Wednesday that its Public DNS (Domain Name System) service finally supports the DNS-over-TLS security protocol, which means that DNS queries and responses are communicated over TLS-encrypted TCP connections. DNS-over-TLS has been designed to make it harder for man-in-the-middle attackers to manipulate DNS queries or eavesdrop on your Internet connection.

Launched over eight years ago, Google Public DNS, at IP addresses 8.8.8.8 and 8.8.4.4, is the world's largest public Domain Name Service recursive resolver, which most people prefer over the default DNS services from their ISPs or carriers.

“Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity,” Google wrote in a blog post. “Now users can secure their connections to Google Public DNS with TLS, the same technology that protects their HTTPS web connections.”

The search engine giant also says that it implemented the DNS-over-TLS specification along with the RFC 7766 recommendations to minimize the overhead of using TLS, which include support for TLS 1.3 (for improved security and faster connections), TCP Fast Open, pipelining of multiple queries, and out-of-order responses over a single connection to its public DNS server.

You can use Google's DNS-over-TLS in two ways: strict or opportunistic privacy. In strict privacy mode, your device or system creates a secure TLS connection on port 853 to the DNS server, which, if it fails, results in an error. In opportunistic privacy mode, if the client cannot establish a secure connection on port 853, it falls back to communicating with the DNS server on the standard DNS port 53 over UDP or TCP without any security or privacy.

Google has made DNS-over-TLS available for Android 9 Pie users starting Wednesday. So, if you run Android 9 on your smartphone, you can switch to DNS-over-TLS today. To do so, head to the networking section of your Android device's Settings app and enter “dns.google” as the Private DNS server. More detailed instructions on DNS-over-TLS are available here.

Google is not the first to offer DNS-over-TLS. Last year, Cloudflare, the well-known Internet performance and security company, also launched its new “1.1.1.1” service, which it claims to be the world's fastest privacy-focused secure DNS service and which supports both DNS-over-TLS and DNS-over-HTTPS to ensure maximum privacy.

Source
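The RFC 7766 features the article lists (pipelining and out-of-order responses over one connection) only work if the client frames and matches messages correctly: each DNS message on TCP, and therefore inside the TLS session on port 853, is preceded by a two-octet length, and answers must be paired with queries by message ID rather than by the order they arrive. The following is an added example (not Google's or any resolver's code) that builds two pipelined queries, parses a constructed server byte stream in which the answers come back reversed, and matches them by ID. `strict_connect` shows the strict-privacy connection setup (TLS with certificate validation against the resolver name, no fallback to port 53) but is not called, so the module runs offline; `dns.google` is the resolver name from the article, `example.com` is a constructed query.

```python
"""DNS-over-TLS carries unchanged DNS messages inside a TLS session on TCP port
853, framed as DNS over TCP (RFC 7766): a two-octet big-endian length precedes
every message. Pipelining writes several queries back to back, and the server
may answer them out of order, so a client pairs answers with queries by the
16-bit message ID, never by arrival order. Added example, not Google's or any
resolver's code; the server byte stream used in demo() is constructed."""
import socket
import ssl
import struct


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels terminated by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Minimal query: 12-byte header with RD set, one question, class IN (A by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def make_response(qid, name, rcode=0):
    """Constructed reply for the demo: QR, RD and RA set, question echoed,
    no answer records (enough to exercise the matching logic)."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def frame(msg):
    """RFC 7766 framing: two-octet length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def deframe(stream):
    """Split a TCP byte stream into complete messages; return (messages, leftover).
    A partially received message stays in the leftover until more bytes arrive."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


def match_responses(queries, stream):
    """Pair pipelined queries ({qid: name}) with responses by ID.
    Returns {name: response bytes}; messages without the QR bit or with an
    unknown ID are dropped rather than trusted."""
    msgs, _ = deframe(stream)
    matched = {}
    for msg in msgs:
        qid, flags = struct.unpack("!HH", msg[:4])
        if flags & 0x8000 and qid in queries:
            matched[queries[qid]] = msg
    return matched


def demo():
    """Two pipelined queries; the constructed server answers them in reverse order."""
    queries = {0x1001: "dns.google", 0x1002: "example.com"}
    pipelined = b"".join(frame(build_query(q, n)) for q, n in queries.items())
    stream = (frame(make_response(0x1002, "example.com"))
              + frame(make_response(0x1001, "dns.google")))
    return pipelined, match_responses(queries, stream)


def strict_connect(resolver_host, port=853):
    """Strict privacy mode: TLS to port 853 with certificate validation against
    the resolver name (e.g. dns.google). On failure this raises and never falls
    back to port 53, which is what opportunistic mode would do. The bytes from
    frame()/deframe() are what gets written to and read from this socket.
    Not called in this module so that it runs offline."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((resolver_host, port), timeout=5)
    return ctx.wrap_socket(sock, server_hostname=resolver_host)


if __name__ == "__main__":
    _, answers = demo()
    for name, msg in answers.items():
        qid = struct.unpack("!H", msg[:2])[0]
        print("%s -> id 0x%04x, %d bytes" % (name, qid, len(msg)))
```

In a real client the ID alone is a weak key (16 bits, and an on-path party inside the TLS session does not exist, but a misbehaving resolver could still echo a wrong ID), so production resolvers also compare the echoed question section against the one they sent before accepting an answer.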

Remember “The Shadow Brokers” and the arrest of a former NSA contractor accused of stealing 50 terabytes of top secret documents from the intelligence agency?

It turns out that Kaspersky Lab, which has been banned from US government computers over spying fears, was the one who tipped off the U.S. government and helped the FBI catch NSA contractor Harold T. Martin III, unnamed sources familiar with the investigation told Politico.

In October 2016, the U.S. government arrested and charged Martin, 51, with theft of highly classified documents, including the most sensitive NSA hacking tools and top-secret information about “national defense,” which he siphoned from government computers over a period of two decades. The breach is believed to be the largest heist of classified government material in America's history, far bigger than the Edward Snowden leaks.

According to the sources, the antivirus firm learned about Martin after he sent unusual direct messages via Twitter to two of its researchers in 2016, just 30 minutes before the Shadow Brokers hacking group began leaking classified NSA hacking tools on the Internet.

“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999' to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports. “The first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with ‘Yevgeny' — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky.”

The timing of the Twitter messages and the Shadow Brokers leaks, along with other clues such as the HAL999999999 Twitter profile being linked to Martin and Martin's access to the NSA's elite hacking unit, immediately raised a red flag at Kaspersky, which then reported the communication to the NSA.

However, it should be noted that Martin, who is set to go on trial in June, is currently facing 20 counts of unauthorized and willful retention of national defense information, and the FBI does not have any evidence linking him to the Shadow Brokers.

By the way, don't confuse the Martin case with the case of Nghia Hoang Pho, 67, a developer for the NSA's Tailored Access Operations Division, who was sentenced to 5.5 years in prison last year for illegally taking classified documents home, which were later stolen by Russian hackers from his home PC that was running Kaspersky antivirus. In Pho's case, the U.S. government accused Kaspersky Lab of colluding with the Russian intelligence agency to obtain and expose the classified NSA data from the NSA employee's computer.

Ironically, Martin was arrested at a time when the FBI was engaged in an aggressive campaign against Kaspersky Lab to discredit it and get its software banned from US federal computers for the sake of national security. Even though Kaspersky Lab vigorously and repeatedly denied these accusations, its software and services were banned for government use by a law signed by President Donald Trump in December 2017 and later by the Department of Homeland Security (DHS) over spying fears.

At the time of his arrest in August 2016, Martin worked for Booz Allen Hamilton Holding Corp, the same company that previously employed Edward Snowden, who in 2013 also leaked classified documents that exposed secret surveillance programs carried out by the NSA.

Source