Unencrypted, sensitive and confidential user data originating from millions of mobile devices is carried on the Tor network every day. Now researchers say they have devised a way to scoop up that data and create personal profiles for specific mobile users that include GPS coordinates, web addresses, phone numbers and keystrokes. Adam Podgorski and Milind Bhargava, Deloitte Canada researchers working independently, said they were able to cull the data and piece together the profiles by harvesting data from three Tor network exit nodes (Tor exit nodes are the gateways where encrypted Tor traffic hits the internet). Tor, the anonymizing software and network, carries the unencrypted mobile device traffic without user consent or knowledge, the researchers said. Podgorski and Bhargava estimate the source of the traffic to be 95 percent Android and 5 percent iOS, originating from applications installed by the device’s OEM, wireless telecom operators, applications downloaded onto the device by users, or via advertisers. “We believe that the source of the unencrypted traffic is Tor code being installed on these mobile phones, and users are not aware of its existence,” Bhargava said. While the developers of The Tor Project offer an Android app called Orbot, the researchers said the Tor functionality is being baked by third parties into the offending apps. One theory behind why Tor is being used by mobile developers is that they wrongly think all Tor traffic is automatically either…


Commercial shipping environments are rife with vulnerabilities, according to researchers – up to and including unpatched “mystery boxes” that no one knows anything about. “In every single [nautical pen] test to date we have unearthed a system or device that, of the few crew that were aware, no one could tell us what it was for,” said Andrew Tierney, researcher with Pen Test Partners, writing in a blog on Monday. “In other scenarios an undocumented system or device would be considered a malicious implant. In maritime cyber security it’s business as usual.” In one case, a monitoring system was uncovered whose purpose was not known – although it was connected to the main engine. Fleet management had no record of its purchase or installation; all hardware was unlabeled. It had been installed by a third party with whom the commercial arrangement had ended several years earlier, Tierney said. In addition to the connection to the engine, it also connected to a console on the bridge via Ethernet – but the crew had covered it up, because they had no use for it. Tierney noted that the box seemed “suspicious,” and he embarked on an investigation, uncovering that the box was aggregating sensor data using a common ICS approach and the standard protocol specification for shipboard communications, NMEA 0183. “We weren’t particularly surprised to see NMEA 0183 data over [User Datagram Protocol (UDP)] being sent to broadcast,” he explained – UDP being an alternative communications protocol…


Bad actors are taking advantage of a recently-disclosed iOS bug with a fake website claiming to give iPhone users the ability to jailbreak their phones. In reality, researchers warn, the site ultimately enables attackers to conduct click fraud. A jailbreak, a method to escape Apple’s limitations on what apps and code can run on the iPhone, is appealing to users who want to install custom code, add features or perform security research outside the purview of the Apple ecosystem. The fake website centers around a vulnerability called “checkm8,” which affects hundreds of millions of iPhones and gives attackers system-level access to handsets via an unblockable hack. Specifically, the site purports to let users download checkra1n, a soon-to-be-released jailbreak that uses the checkm8 flaw. The fake website for the jailbreak (checkrain[.]com) was registered within 24 hours of the jailbreak’s official website (checkra1n[.]com). However, unlike the real website, this fake website does not download the jailbreak but instead involves the end user in pay-per-click online advertising fraud. “This new malicious actor Talos discovered claims to provide the checkra1n jailbreak,” said researchers with Cisco Talos in a Tuesday post. “The site even claims to be working with popular jailbreaking researchers such as ‘CoolStar’ and Google Project Zero’s Ian Beer. The page attempts to look legitimate, prompting users to seemingly download an application to jailbreak their phone. However, there…


A vulnerability in Sudo, a core command utility for Linux, could allow a user to execute commands as root even if that root access has been specifically disallowed. Sudo is a utility that allows a system administrator to give certain users (or groups of users) the ability to run commands in the context of any other user – including as root – without having to log in with a different profile. Sudo also logs all commands and arguments in a centralized audit trail, so admins know which user performed which command and in which context. Admins can also specifically disallow root access for certain users, as a security policy. So, for instance, user Alice might have the ability to oversee the files and work of her department, but she doesn’t have superuser privileges. The bug (CVE-2019-14287) allows attackers to circumvent this built-in security option to block root access for specified users. Red Hat, which rated the flaw with a 7.8 severity score out of 10 on the CVSS scale, explained in a posting Monday that “a flaw was found in the way Sudo implemented running commands with arbitrary user ID. If a Sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.” The vulnerability, which was discovered by Joe Vennix of Apple Information Security, can be exploited by merely specifying the user ID of the person executing commands to be “-1” or “4294967295.” Thanks to the…


Shipping services company Pitney Bowes was hit with a ransomware attack that disrupted customer access to key services, the company said Monday. The attack comes on the heels of an FBI advisory on Oct. 2 that U.S. companies should be on alert for ransomware attacks, which are increasing in sophistication. A malware attack encrypted information on some systems but did not seem to access any customer or employee data, the company said in a statement on its website. Once aware of the attack, officials immediately asked the Enterprise Outage Response Team to address the situation, the company said. “Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter,” according to the statement. Systems affected included Pitney Bowes’ mailing system products and customers’ access to Your Account. A number of other services were offline or unavailable due to the attack, including SendPro Online in the United Kingdom and Canada, according to Pitney Bowes. “Clients are unable to refill postage or upload transactions on their mailing machine,” the company said in the statement. “Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App.” More than 1.5 million customers worldwide use Pitney Bowes’ services, which streamline shipping and mailing for clients that include some Fortune 500 companies. The company…


About a year ago, top deepfake artist Hao Li came to a disturbing realization: deepfakes – the technique of human-image synthesis based on artificial intelligence (AI) to create fake content – are rapidly evolving. In fact, Li believes that in as soon as six months, deepfake videos will be completely undetectable. And that’s spurring security and privacy concerns as the AI behind the technology becomes commercialized – and gets into the hands of malicious actors. Li, for his part, has seen the positives of the technology as a pioneering computer graphics and vision researcher, particularly for entertainment. He has worked his magic on various high-profile deepfake applications – from leading the charge in putting Paul Walker into _Furious 7_ after the actor died before the film finished production, to creating the facial-animation technology that Apple now uses in its Animoji feature in the iPhone X. But now, “I believe it will soon be a point where it isn’t possible to detect if videos are fake or not,” Li told Threatpost. “We started having serious conversations in the research space about how to address this and discuss the ethics around deepfake and the consequences.” The security world too is wondering about its role, as deepfakes pop up again and again in viral online videos and on social media. Over the past year, security stalwarts and lawmakers have said that the internet needs a plan to deal with various malicious applications of deepfake video and audio – from scams,…


"BriansClub," one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone. An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards. Last month, KrebsOnSecurity was contacted by a source who shared a plain text file containing what was claimed to be the full database of cards for sale both currently and historically through BriansClub[.]at, a thriving fraud bazaar named after this author. Imitating my site, likeness and namesake, BriansClub even dubiously claims a copyright with a reference at the bottom of each page: "© 2019 Crabs on Security." Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account. All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground. The leaked data shows that in 2015, BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed:…


Apple is sending some browsing history of iOS 13 Safari users to Tencent Holdings Limited, a Chinese multinational conglomerate. The data shared is tied to the Safari Safe Browsing technology. Revelations of the relationship have drawn criticism from security and privacy experts. Apple’s Safari browser on iOS has a “Fraudulent Website Warning” feature, enabled by default, that has used Google Safe Browsing technology as a back-end. But Safari users recently noticed information provided by Apple about this feature on iOS that acknowledges the company sends “information calculated from a website address” not only to Google Safe Browsing, but also to “safe browsing” technology from Tencent. Moreover, Apple – “as is standard for this sort of news” – has divulged very little about the privacy implications of shifting Safe Browsing to use Tencent’s servers, which is troubling at best and could be a privacy disaster at worst, said Matthew Green, a cryptographer and professor at Johns Hopkins University, in an analysis posted on Sunday. “The changes probably affect only Chinese-localized users … although it’s difficult to know for certain,” he wrote. “However, it’s notable that Apple’s warning appears on U.S.-registered iPhones.” There are a slew of problems with this scenario, not the least of which is that Tencent has close ties to the Chinese government, observed Tom Parker from Reclaim the Net in a blog post. “Tencent works closely with the Chinese Communist Party,” he…


The proliferation of software within 5G networks is one of the top security challenges facing the next generation of mobile networks, according to a report out this week from the European Union. 5G networks are fundamentally different from prior wireless networks in that they are largely software-defined and virtualized; network functions, historically implemented in hardware, become virtual software capabilities in 5G, all orchestrated via a flexible software control plane. Even the air interfaces in the radio access network (RAN) are software-defined in 5G. Also, 5G networks will make use of edge computing, where applications, general-purpose compute, storage, and the associated switching and control functions required to run them are housed relatively close to end users, internet of things (IoT) endpoints, or both. That’s a shift from the centralized architectures common to 4G and before, and it creates a much larger computing footprint. All of this vastly expands the attack surface and the possibility for the emergence of rafts of exploitable vulnerabilities throughout the architecture — in places that were never exposed before, the EU warned. “With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers, are gaining in importance,” the 33-page report, released Wednesday, noted. “They could also make it easier for threat actors to maliciously insert backdoors into…


Imperva, the security vendor, said this week that a misconfiguration of an Amazon Web Services (AWS) cloud instance allowed hackers to exfiltrate information on customers using its Cloud Web Application Firewall (WAF) product. Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity. The company announced the breach in August, but at the time said it didn’t know how the attackers were able to gain access. In a Thursday post, CTO Kunal Anand laid out what happened. He explained that in October 2018, the attackers stole and used an administrative AWS API key from one of Imperva’s production AWS accounts to access a database snapshot containing emails, hashed and salted passwords, and some customers’ API keys and TLS keys. “I’ll start by going back to 2017 when our Cloud WAF, previously known as Incapsula, was under significant load from onboarding new customers and meeting their critical demands,” he wrote in the blog post. “That year, our product development team began the process of adopting cloud technologies and migrated to AWS Relational Database Service (RDS) to scale our user database.” At that point, Imperva created a database snapshot for testing; separately, an internal compute instance was misconfigured and publicly accessible, he said. That compute instance contained the AWS API key, which the hackers lifted in October 2018 and then used to access the snapshot. Because the database…
