Threatpost editors Lindsey O’Donnell and Tom Spring discuss the biggest news of the week ended Feb. 22, including a report about flaws in password managers, and a 19-year-old flaw found in WinRAR. The Threatpost team also discussed an upcoming webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout will join Threatpost senior editor Tara Seals to discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon.

Transcript below:

Lindsey O’Donnell: Welcome to the Threatpost news wrap for the week ended February 22, and you’ve got the Threatpost team here: myself, Lindsey O’Donnell, and editor-in-chief Tom Spring. Tom, how’s it going?

Tom Spring: Pretty good, Lindsey, I just heard a little ding.

LO: Yes, the emails for RSA keep coming – can’t really get rid of that.

TS: Is that another RSA email in your inbox?

LO: Well, with RSA coming in two weeks, we’re really ramping up discussion with vendors and getting a lot of pitches for that.

TS: For sure. I’m actually really psyched about RSA and there’s some really awesome sessions and I’m really looking forward to meeting some of the contacts and some of my peers and it’s going to be a really fun show. But I agree the noise factor coming out of the RSA conference in March is just enormous. I have to put my computer on mute because I just get too many pings for requests to me, new research, everything. If the noise factor is any indication of what’s going to be going on at RSA, it should be pretty good, right?

LO: Yeah, I’m excited. I mean, it’s only a couple of days, but so much happens in those days, security-wise, and there’s just such an opportunity to meet with researchers and really learn about new reports and what to look out for. So there’s definitely a lot to look forward to there. But looking to the present, despite starting off with having Presidents’ Day on Monday, we really had a pretty insane week, news-wise – Tom, what are you seeing from your end of the spectrum?

TS: Well, it’s kind of like you can’t cover it all and you sort of have to pick and choose. We had some really good, strong stories this week. I was a little overwhelmed by the cavalcade of news that came pouring in over the past couple days, from keyloggers, Drupal core, critical remote-execution bugs – to new research on Microsoft Edge that shows it lets Facebook run Flash code behind users’ backs to reverse location search warrants. I mean, we really ran the gamut in terms of the news, which was just a waterfall of information that we sorted through. But you did a pretty good job. I mean, you covered a couple stories in between making RSA conference appointments with that 19-year-old bug that WinRAR plugged. I love WinRAR, WinRAR is my go-to media player and I was really alarmed that there was a bug that lasted so long. Tell me a little bit more about the bug.

LO: Yeah, I feel like the main point and the main takeaway there was that it was 19 years old. I was thinking back to what existed 19 years ago and, you know, I was basically a kid at that point. So for background, WinRAR, which as you mentioned is this popular Windows data compression tool, had and patched a serious code-execution flaw. The platform itself is amazingly popular. I think they said it had 500 million users. So the issue stemmed from a third-party dynamic link library within WinRAR, and because that dynamic link library hadn’t been updated since [2005], that allowed the researchers with Check Point who discovered this flaw to essentially extract malicious files in the tool. So what could happen is a hacker could use spear-phishing or some sort of similar tactic to send an unknowing victim a disguised malicious file, and when the victim opens that file in WinRAR, that file would automatically extract in their startup folder and then malware could quickly be planted on their system. So that was patched, and I mean it’s a fairly easy-to-carry-out path-traversal flaw. And not only was it patched, but then when I reached out to WinRAR, they said that in terms of that third-party library I was talking about, because it hadn’t been updated for so long, and they didn’t even have access to its source code, they decided to drop that format support in order just to completely protect its user database.

TS: Yeah, the code-reuse in these repositories is notorious for creating these kinds of vulnerabilities where a component is used by a developer and it hasn’t been updated, and the developer doesn’t do due diligence, and all of a sudden the component becomes an exploit or a vulnerability is found in the component, and the component is never updated. And then the repository file never gets updated and the code goes out the door. Veracode does a lot of really interesting work, they have a lot of interesting studies on code-reuse and it’s pretty alarming how many software programs really have these types of problems where they’re relying on third-party libraries to basically do basic functions in their software where you have these glitches. But there’s not much of a pass you can give WinRAR for a 19-year-old bug like that, I mean that’s a different story.

LO: Right, and especially given the fact that the specific library hadn’t been updated since 2005 or 2006 or whatever it was, but it is kind of hard to, as you said, keep track of those types of things as well. And another point is that when I was looking on social media for some of the reaction to this and talking to different researchers, looking at a different side of the story is that as far as we can tell there hasn’t been any sort of exploit of this vulnerability. So while it has existed for 19 years, it hasn’t been found by the bad guys for 19 years – so at least there’s that.

TS: Well, I’ve gotta say, I’ve always wondered whether or not these exploits have actually really been discovered. I mean if you’re a criminal and you find an exploit or you find a vulnerability and it’s working for you, you’re not going to jump up and down and say, ‘hey look what I found.’ You’re going to quietly exploit it until your moneymaker, so to speak, dries up. So good for WinRAR, I gotta tell you it warms my heart to hear that they’re fixing their software and next time I launch the media player and it asks me to update I definitely will.

LO: Yes, but I feel like that wasn’t the only big news we had. In fact, you wrote a very big story about a research report that was written about different password managers and a flaw found in those managers, and that really kind of piqued the interest of the security world. Can you talk a little bit about that and what their reaction to that story has been so far this week?

TS: Well, you know, I think it was a big story for us. I don’t know how much it resonated throughout the internet or throughout the infosec community. I think it was a memory-management issue with these password managers: 1Password, Dashlane, KeePass and LastPass. These four password managers represent a huge, huge user base. These researchers, Independent Security Evaluators, took a close look at them and they found that when the actual password managers were in use, the way that it’s saved, the master password or individual credentials, was in insecure memory within Windows 10 PCs. Now, this doesn’t impact any of the mobile applications. But it does impact the Windows PC ecosystem in a sense that the master keys could be plucked from memory in clear text. Now, there are lots of caveats to that; the application needs to be in use. And also it would have to be from a local attacker, meaning the person would have to have access to your PC to exploit and to grab the passwords from memory. The other option would be if a remote attacker was able to have access to your system, which obviously presents a whole new host of problems that you have to contend with – never mind them being able to pluck a password out of insecure memory. But the story gets a little more interesting in a sense that these password manager companies said, ‘yeah, you know, we understand what the issue is here and there are trade-offs and it’s an acceptable risk.’ Now I’m oversimplifying what they stated, but I really feel like they pushed back on the research and they said that the storage of the password in the memory was something that they were aware of and that they did not see it as a huge risk given the prerequisite for being able to [exploit this]. And they more or less each came out with these statements saying, “the research is interesting, we understand the problem and here’s why you shouldn’t worry about the problem too much.” And I think one of them actually did update their tool to make sure that they had some process memory protection built in. I think it was LastPass. And then the researchers came back and said, “hey listen, you know you guys are not the only password managers on the block, and other password managers do protect the memory and it’s not an impossibility and you know … it’s not an acceptable risk.” But importantly, they also said that these password managers are awesome. And you should keep on using them. They have their flaws. And if the trade-off is you don’t use a password manager, then shame on you. Because these do serve a purpose. And they’re better than nothing, essentially. And, you know, given the incredible amount of password reuse and the incredible amount of breaches, I think it does make sense to keep on using a password manager to make sure that you use the best password-management practices possible.

LO: Yeah, I mean, I think that this story is almost reminiscent, if you remember that two-factor authentication report that we wrote about earlier this year. It’s almost reminiscent of that because there’s a lot of opinions about password managers and whether they’re kind of worth this specific security risk or whether it’s worth even discussing the risks if it causes people to stop using such an effective security tool. But you know, for ISE, the research firm that had written the report, at least they had, it was almost like a disclaimer that said that it’s better to have password managers than to not have password managers. So at least, you know, they took note of that. And at the same time were advocating for the password-manager firms in question to tighten up their application memory management. It’s definitely kind of a tricky balancing act there because you do want to promote the security tools but then you also, when there is a security issue with the security tool, that raises a whole different question. But what did the researcher say? Did you talk to the researcher in response to what the password managers had said? Did he have anything else to add to that?

TS: Yeah, Adrian Bednarek, he was the lead researcher on this, he reached out to me, we connected via Twitter private message, and he was very vocal, and again I think I said it before, he said, “hey listen, you can use data sanitization in the context of memory and make sure that clear text passwords are not available for hackers.” And again he stressed the fact that these are great password managers, they are better than nothing and that you should still keep on using them, but he did stress the point that you can effectively fix this problem and the companies that said that it was an acceptable risk or it was a known vulnerability that they were not going to address is not acceptable. So he’s sort of, you know, responded to the criticisms that these guys said, doubling down on his assertion in this initial research saying, you could be doing better.

LO: Well, I’d be curious to see if 1Password and Dashlane and KeePass change their view at some point, their viewpoint of memory-management issues, looking at if this is an acceptable risk or if they, like LastPass, also decide to do some sort of patch. So it should be something to keep an eye on.

TS: Yeah, for sure. For sure.

LO: You know, those were kind of the big stories that we saw this week. I know looking forward to next week, we actually have (for those listeners of this podcast who don’t know) a big webinar coming up on Wednesday. And I’m actually going to attach a link to this podcast article where you can learn more and register. But it should be a really great discussion about enterprise mobile security and the top mobile threats that we’ll face in the future. We’re talking with a panel of experts from Google, Gartner, Lookout — with our own editor, Tara Seals. So we’re excited about that. We’ve been preparing for that. And there’s actually been a whole lot of mobile-related news over the past month so I think it should be perfect timing to kind of discuss some of the bigger themes and implications of these risks and threats.

TS: Yeah, no, it should be a pretty interesting webinar and I’m interested to see what comes out of it especially with such great speakers.

LO: Well, I think I better get back to my RSA emails and getting back to the daily work.

TS: It’s been an interesting week and we’ll rest up and do it all over again on Monday.

LO: Sounds good, everyone tune in for the Threatpost news wrap next Friday and thanks for listening today.


Do you use a password manager? Or do you think they pose too much of a risk, holding all the keys to the kingdom? Weigh in with our poll, below. A little background: Vulnerabilities have been found before in this kind of software, which is meant to take the headache out of remembering multiple unique passwords by remembering them for you. Malware has also been found targeting it. The latest is word that a local adversary can crack open and steal passwords stored by the 1Password, Dashlane, KeePass and LastPass utilities. Adrian Bednarek with Independent Security Evaluators (ISE) wrote in his research report that each of them “fails in implementing proper secrets sanitization for various reasons.” The firms have fiercely hit back on the assessment that this poses a serious risk, and indeed, even for ISE, this was far from a deal breaker. But at the same time, ISE also advocated that password-manager firms tighten up their application memory management. How do you feel about password managers? Take our short poll and let us know. Also feel free to comment on this post with any meatier thoughts you may have.
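The “secrets sanitization” Bednarek refers to is the step where a program overwrites its working copy of the master password once the key derived from it is no longer needed. The C program below is an added illustration for this page, not ISE's test harness and not any of the four vendors' code; the key derivation is a stand-in (FNV-1a, where a real manager runs a KDF) and the master passwords are constructed sample values. It puts the leaky path beside the sanitized one and checks the working buffer afterwards, which is what a memory-scraping local attacker would find.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Zeroing through a volatile pointer: a plain memset() on a buffer that is
   never read again is a dead store the optimizer may delete, which is exactly
   how a sanitization step silently disappears from the binary. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. No early exit, so the
   scan time does not depend on where the first non-zero byte sits. */
int is_wiped(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Stand-in for key derivation (FNV-1a). Assumption for the example only. */
static uint32_t derive_key(const char *secret, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)secret[i];
        h *= 16777619u;
    }
    return h;
}

/* Copies the master password into a working buffer, derives a key from it and,
   when sanitize is non-zero, wipes the working copy before returning. */
uint32_t unlock_vault(const char *master, char *work, size_t worklen, int sanitize)
{
    size_t n = strlen(master);
    if (n >= worklen) {
        n = worklen - 1;
    }
    memcpy(work, master, n);
    work[n] = '\0';
    uint32_t key = derive_key(work, n);
    if (sanitize) {
        secure_zero(work, worklen);
    }
    return key;
}

/* Leaky path: the master password stays resident in the working buffer. */
int demo_leaky(void)
{
    char work[64] = {0};
    unlock_vault("correct horse battery staple", work, sizeof work, 0);
    return is_wiped(work, sizeof work);   /* 0: password still in memory */
}

/* Sanitized path: nothing recoverable is left behind. */
int demo_sanitized(void)
{
    char work[64] = {0};
    unlock_vault("correct horse battery staple", work, sizeof work, 1);
    return is_wiped(work, sizeof work);   /* 1: buffer is clean */
}

/* Sanitizing the working copy does not change the key the vault derives. */
int demo_key_unchanged(void)
{
    char a[64] = {0}, b[64] = {0};
    return unlock_vault("hunter2", a, sizeof a, 0) == unlock_vault("hunter2", b, sizeof b, 1);
}
```

Platform helpers exist for the same purpose (SecureZeroMemory on Windows, explicit_bzero on the BSDs and glibc) and are preferable to a hand-rolled loop where available. Wiping one buffer is necessary but not sufficient: copies held by a managed runtime's string objects, by GUI widgets, or by the clipboard and swap are outside this function's reach and need their own handling.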


By David Balaban VPN is a wonderful thing that you have all probably heard about. I assume what you heard was something like this: “Using a VPN you can visit websites blocked by state services and engage in any network activity without fear of revealing your actual IP address.” If you thought that a Virtual Private Network is a magic tool […] This is a post from HackRead.com. Read the original post: Understanding VPN through the open systems interconnection model


Fraud investigators say they've uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don't hold water. An earlier version of this story cited an alert sent by the U.S. Secret Service and interviews with a company that helps merchants secure their payment terminals. The claims were that a circular device found on the side of a gas pump was a skimmer that was believed to be responsible for communicating with other Bluetooth-based skimmers found embedded in the pumps, and that its purpose was to gather stolen card data and send it off wirelessly to the skimmer thieves via text message. Since that story was published, I heard from a reader who works in security for the company that owns the compromised filling station in question. This person asked not to be quoted directly, but shared information showing that the mysterious circular device was not a Bluetooth anything. Rather, he said, it is little more than a GPS-based tracker that can be bought at Amazon and other online stores for about $100-$150. The source shared a clearer image of the “skimmer,” and a review of the components shown there indicates this thing is indeed a GPS tracker — the kind of device that a suspicious husband or wife might attach to the undercarriage of the family car to track the other's whereabouts in real time. The most likely explanation as to why this tracker was on the side of a gas pump to begin with is that someone who was being tracked discovered it and left it at the station. The source also said claims that this was found beneath an NFC reader on the pump are not correct either. However, he said it was true that there were multiple gas pumps at the station that were internally compromised with Bluetooth skimming devices. 
While I am not wild about having to post this correction, I also don't believe it would be right to simply unpublish the original story — flawed as it is. So in the interests of full transparency, what follows is the original piece, minus the lede. Original story: A memo sent by the U.S. Secret Service last week to its various field offices said the agency recently was alerted to the discovery of a fraud device made to fit underneath the plastic cap for the contactless payment terminal attached to the exterior of a fuel pump. Here's a look at the back side of that unwelcome parasite: A multi-functional wireless device found attached to a contactless payment terminal at a gas station. As we can see from the above image, it includes GSM mobile phone components, allowing it to send stolen card data wirelessly via text message. In contrast, most modern pump skimmers transmit stolen card data to the thieves via Bluetooth. The white rectangular module on the right is the mobile phone component; the much smaller, square module below and to the left is thought to be built to handle Bluetooth communications. Bluetooth requires the fraudsters who placed the devices to return to the scene of the crime periodically and download the stolen data with a mobile device or laptop. Using SMS-based skimmers, the fraudsters never need to take that risk and can receive the stolen card data in real-time from anywhere there is mobile phone service. Gas stations are beginning to implement contactless payments at the pump to go along with traditional magnetic stripe and chip card-based payments. These contactless payments use a technology called “near field communication,” or NFC, which exchanges wireless signals when an NFC-enabled card or mobile device is held closely to a point-of-sale device. 
Because this tiny round device was found hidden inside of an NFC card reader on the outside of a gas pump, investigators said they initially thought it might have been designed to somehow siphon or interfere with data being transmitted by contactless payment cards. But this theory was quickly discarded, as contactless cards include security features which render data that might be intercepted largely useless for future transactions (or at least hardly worth the up-front investment, craftsmanship and risk it takes to deploy such skimming devices). Mark Carl is chief executive officer at ControlScan, a company in Alpharetta, Ga. that helps merchants secure their payment card technology. Carl's company is the one that found the skimmer and alerted local authorities, which in turn alerted the Secret Service. Carl said his team is still trying to reverse engineer the device found inside the NFC reader at the pump, but that so far it appears its purpose is to act as a Bluetooth communications hub for other skimming devices found at the scene. Turns out, investigators also discovered traditional Bluetooth-based skimming devices attached to the power and networking cables inside various pumps at the compromised filling station. One of several traditional Bluetooth-enabled card skimming devices found inside pumps at a compromised filling station. Investigators believe this device and others like it found at the station may have been part of a local Bluetooth network that used a device hidden inside the NFC reader on a pump to relay stolen card data via text message. “Based on the chipsets, and that there were other traditional skimmers in other pumps at the site, we believe this device [the round gizmo found inside the NFC reader] is likely the hub for a Bluetooth local area network,” Carl told KrebsOnSecurity. 
“So an attacker can install multiple skimmers in different pumps, feed all of that data to this device with Bluetooth, and then relay it all via the cellular connection.” Many readers have asked if they should be scanning fuel pumps with their smart phones using the built-in Bluetooth component or an Android mobile app like Skimmer Scanner. If this seems like fun, then by all means go right ahead, but I wouldn't count on these methods failing to detect a Bluetooth skimmer at the pump as proof that the pump is skimmer-free. For one thing, the skimmer detection app detects only one type of Bluetooth module used in these schemes (HC-05), and there are at least three other types commonly found embedded in compromised pumps (HC-06, HC-08 and FCD_1608). And trying to do this with your mobile phone alone is not likely to yield any more conclusive results. Better advice is to patronize filling stations that have upgraded their pumps in the past few years to add more digital and physical security features. As I wrote in last summer's “How to Avoid Card Skimmers at the Pump,” newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad. One other tip from that story: Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance). This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.


Credential-stealing malware targeting premium accounts on adult websites almost tripled in 2018, corresponding with a rise in the number of offers related to stolen porn credentials on Dark Web markets. That’s according to Thursday research from Kaspersky Lab, which found that the malware is typically some kind of repurposed banking trojan; the bad code, organized into botnets, intercepts victims’ internet traffic and redirects them to fake webpages that mirror an authentic adult site they are attempting to visit. From there, it’s an easy phish to harvest credentials. In addition to exposing victims’ personal information, these attacks can also lead to victims being locked out of their account, for which they could be paying a yearly subscription of up to $150, according to the analysis. Pornhub was the most commonly copied page, with Kaspersky Lab detecting 37,144 attempts to visit phishing versions of the No. 1 adult website; that’s compared to just 1,161 total attempts to visit phishing versions of Youporn, Xhamster and Xvideos. “Although the number of phishing may seem high, it’s important to note that in relation to the amount of site visits (33.5 billion visits in 2018), the percentage of phishing attempts is very small (less than .0001%),” Pornhub said in a statement. “This low percentage rate can be attributed to the fact that Pornhub actively monitors and removes phishing websites and offers two-factor authentication when logging into Pornhub accounts.”

Porn Site Attacks and Malware Families Increase

The number of malware attacks attempting to steal porn website credentials increased almost three-fold in just a year, Kaspersky Lab found, rising from 307,868 attack attempts in 2017 to more than 850,000 in 2018. “Based on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking trojans, attempting to steal credentials (Betabot, Neverquest and Panda),” according to the report. “These trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.” The number of variations of malware spotted fell from 27 to 22, but the number of families increased from three to five, indicating the increasing popularity of pornography credentials in the underground.

Adult Site Credentials Heat Up

In 2018, Kaspersky Lab experts found around 10,000 unique offers for premium-access credentials to porn websites, approximately double the number of offers seen in 2017. The price, however, remained the same – around $5 to $10 for each account. “Premium access credentials to porn websites might not seem like the most obvious thing to steal,” said Oleg Kupreev, security researcher at Kaspersky Lab, in a media statement. “However, the fact that the number of sales offers relating to such credentials on the Dark Web is rising, and the increased efforts to distribute such malware, shows that this is a profitable and popular line of illegal business.” Cybercriminals that buy the credentials can monetize them in many ways, including taking the stolen access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription. Other techniques include social-engineering/extortion of the original user, using them to crack other accounts and so on. In analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb – an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers’ feedback – Kaspersky Lab found that all of them contained from one to more than 3,000 offers for credentials to adult-content websites. In total, 29 websites displayed more than 15,000 offers to buy one or more accounts for pornography websites.

Beyond Credentials

There’s another kind of threat to adult-site visitors: Bad actors are also using fake porn websites to distribute various kinds of malware. “Most malware that reaches users’ computers from malicious websites is usually disguised as videos,” the report explained. “Users who do not check the file extension and go on to download and open it are sent to a webpage that extorts money. This is achieved by playing the video online or for free only after the user agrees to install a malicious file disguised as a software update or something similar.” To attract users to the malicious websites in the first place, the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results – i.e., the adversaries change malicious websites’ content and descriptions so they appear higher up on the search results pages. For instance, cybercriminals are actively using popular porn tags (such as “Pornstar” or “HD-porn”) to promote malware in search results. In 2018, 87,227 unique users downloaded malware disguised as porn, the report found. As for payloads, there’s a wide variety of porn-themed malware samples out there, with Kaspersky Lab observing 642 families and 57 types of PC threats. Kupreev noted that this means the risk to adult-content enthusiasts actually goes beyond simple account compromise. “Users of adult-content websites should keep in mind that such malware can remain unnoticed on a victim’s device for a long time, spying on their private actions and allowing others to do the same, without logging the user out so as not to arouse their suspicion,” he said. “Even those who simply visit the site but don’t have a premium account could be in danger, as they might risk exposing their private data.” And indeed, trojan-downloaders are rising in popularity as a payload in these kinds of attacks, the research found, coming in as the No. 1 payload on PCs with a 45 percent share. “This can be explained by the fact that such malicious programs are multipurpose: once installed on a victim’s device, the threat actor could additionally download virtually any payload they want: from DDoS-bots and malicious ads clickers to password stealers or banking trojans,” the report noted. “As a result, a criminal would need to infect the victim’s device only once and would then be able to use it in multiple malicious ways.” On Android devices, 89 percent of infected files disguised as pornography turned out to be adware. Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8 percent of them using a corporate rather than personal network to do this.


Exclusive — A security researcher has identified an unsecured server that was leaking detailed personal information on nearly half a million Indian citizens… thanks to another MongoDB database instance that a company left unprotected on the Internet, accessible to anyone without a password. In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB highly sensitive database online, named “GNCTD,” containing information collected on 458,388 individuals located in Delhi, India. Though it's not clear whether the exposed database is linked to the Government of National Capital Territory of Delhi (GNCTD), Diachenko found that the database contains references and email addresses on the “transerve.com” domain for users registered with “senior supervisor” and “super admin” designations. Based upon the information available on its website, Transerve Technologies is a Goa-based company that offers geospatial technology-based SaaS solutions and specializes in smart city solutions and advanced data collection technology. The company's data collector, location intelligence and precision mapping tools help businesses and governments use geolocation data in their decision-making. The leaked database contains the following tables:
EB Users (14,861 records)
Households (102,863 records)
Individuals (458,388 records)
Registered Users (399 records)
Users (2,983 records)
“It remains unknown just how long the database was online and if anyone else accessed it,” Diachenko said. The database table containing registered users includes email addresses, hashed passwords and usernames for administrator access, as analyzed by Diachenko. “The most detailed information was contained in the ‘Individuals' collection, which was basically a pretty detailed portrait of a person, incl. health conditions, education, etc.,” Diachenko said.
“Households collection contained fields such as ‘name', ‘house no', ‘floor number', ‘geolocation', area details, 'email_ID' of a supervisor, ‘is the household cooperating for survey' field, ‘type of latrine', ‘functional water meter', ‘ration card number', ‘internet facility available' and even ‘informan name' field.” When Transerve didn't respond to the responsible disclosure sent via email, Diachenko contacted Indian CERT (CERT-In), which further coordinated with the company to take its exposed database offline immediately. “The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko said. “The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.” MongoDB is one of the most popular open-source NoSQL databases, used by companies of all sizes, from eBay and Sourceforge to The New York Times and LinkedIn. This isn't the first time MongoDB instances have been found exposed to the Internet. In recent years, we have published several reports where unprotected database servers have exposed billions of records. None of this is MongoDB's fault, as administrators are always advised to follow the security checklist provided by the MongoDB maintainers. On older versions of MongoDB before version 2.6.0, the default configuration left the database listening on a publicly accessible port; admins are supposed to reconfigure it appropriately before exposing it online, but, unfortunately, many don't.
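As an added illustration for this page (Transerve's actual configuration is not public and is not reproduced here), the two mongod.conf fragments below contrast the state Diachenko describes, a server reachable from any address with no authentication, with the settings the MongoDB security checklist calls for. The port and the single-host loopback binding are assumptions for the example.

```yaml
# Exposed: mongod answers on every interface and any client that can reach
# port 27017 gets full access with no credentials. This is the state in which
# the "GNCTD" database was found.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# Hardened: loopback only (assumes the application runs on the same host) and
# every client must authenticate against a role-based user.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Turning authorization on requires an administrative user to exist first; MongoDB's localhost exception lets that user be created from the local machine before anyone else can authenticate. Restricting bindIp to loopback fits only a single-host deployment; when application servers connect over the network, bind the specific internal interface, require TLS, and keep the port closed at the firewall to everything except those servers.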

Source

By Waqas. The presence of infected games and apps that cost innocent users money and data is not a new phenomenon. However, it is surprising that a firm that promises to fight app piracy is itself involved in this horrendous act. According to the latest research from Oracle, there is a new ad fraud […] This is a post from HackRead.com. Read the original post: Major Android ad fraud scam campaign drains battery & eats data

Source

A week after Adobe fixed a critical zero-day vulnerability in its Acrobat Reader, the company issued another patch after a researcher dug up a way to bypass the original fix. The previous vulnerability (CVE-2019-7089) was fixed in Adobe's regularly scheduled security update last week. But Adobe said that its recent patch for the sensitive data leakage vulnerability, which could enable information disclosure, had a hole. “Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe in its unscheduled Thursday update. “These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019.” The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims' hashed password values, known as “NTLM hashes.” The vulnerability allowed a PDF document to automatically send a server message block (SMB) request to an attacker's server as soon as the document was opened. The SMB protocol enables an application, or a user of an application, to access files on a remote server; embedded in these SMB requests are NTLM hashes (NTLM is short for NT LAN Manager). The critical vulnerability was temporarily patched last week by 0patch before Adobe issued its official patch. “This vulnerability… allows a remote attacker to steal user's NTLM hash included in the SMB request,” said Mitja Kolsek with 0patch in a Monday post. “It also allows a document to ‘phone home', i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.” And while Adobe patched the flaw last week, a bypass for the fix, tracked as CVE-2019-7815, exists and can ultimately lead to information disclosure: “Successful exploitation could lead to sensitive information disclosure in the context of the current user,” according to Adobe's update. In a Feb. 13 Twitter exchange, Infuhr said that he had discovered a bypass for the patch and would report it to Adobe. Infuhr did not respond to a request for comment from Threatpost by publication.

> No it does not seem to properly patched as I discovered a bypass. Going to report the bypass to Adobe — alex (@insertScript) February 13, 2019

Impacted are versions of Adobe Acrobat and Reader for Windows and macOS – specifically, Acrobat DC and Acrobat Reader DC Continuous, versions 2019.010.20091 and earlier; Acrobat 2017 and Acrobat Reader 2017 Classic, versions 2017.011.30120 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015, versions 2015.006.30475 and earlier. The update received a “priority 2” rating, meaning that it resolves vulnerabilities in a product that has historically been at elevated risk, but that there are currently no known exploits. Infuhr, who discovered the proof of concept for the original vulnerability, was also credited with reporting the issue.

Source

The Drupal open-source content management system platform has issued an advisory for a highly critical remote-code execution (RCE) flaw in the Drupal core. The vulnerability (CVE-2019-6340) arises from the fact that “some field types do not properly sanitize data from non-form sources,” according to Drupal's Wednesday advisory, which was published a day after it warned admins that a major security update was coming. Insufficient input validation can result in various kinds of code injection, opening the door to cross-site scripting and site or server hijacking, and in some cases can be used to phish user credentials or spread malware. Drupal said that the vulnerability in question can lead to arbitrary PHP code execution in some cases. CMS flaws are coveted by cybercriminals because they provide access to potentially millions of vulnerable sites at once. For its part, Drupal provides a back-end framework for at least 4.6 percent of all websites worldwide, ranging from personal blogs to corporate, political and government sites. Though that percentage sounds tiny, it's the third-most popular web platform in the world after WordPress and Joomla; and given that there are around 1.6 billion websites online today, that works out to Drupal powering about 73.6 million of them. Those using Drupal 8.6.x can upgrade to Drupal 8.6.10 to fix the issue, and those using Drupal 8.5.x or earlier can upgrade to Drupal 8.5.11. The Drupal 7 Services module itself is meanwhile unaffected, but admins should still apply other contributed updates, the team said. Affected contributed projects include OAuth 2.0, Entity Registration, Font Awesome Icons, JSON:API and RESTful Web Services, among others, so admins also need to grab updates for those if they're in use.
There is some inherent mitigation for the issue: a site is only affected by the flaw if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or if the site has another web-services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. To mitigate the vulnerability before applying the updates, admins should disable all web services modules, or configure their web servers to refuse PUT/PATCH/POST requests to web services resources. “Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” according to the advisory. “For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the ‘q' query argument. For Drupal 8, paths may still function when prefixed with index.php/.”

Source

Developers of Drupal, a popular open-source content management system that powers millions of websites, have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site. The update came two days after the Drupal security team released an advance security notification of the upcoming patches, giving website administrators an early heads-up to fix their sites before hackers abuse the loophole. The vulnerability in question is a critical remote code execution (RCE) flaw in Drupal Core that could “lead to arbitrary PHP code execution in some cases,” the Drupal security team said. While the Drupal team hasn't released any technical details of the vulnerability (CVE-2019-6340), it said that the flaw exists because some field types do not properly sanitize data from non-form sources, and that it affects Drupal 7 and 8 Core. It should also be noted that your Drupal-based website is only affected if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if it has another web services module enabled. If you can't immediately install the latest update, you can mitigate the vulnerability by disabling all web services modules, or by configuring your web server(s) to refuse PUT/PATCH/POST requests to web services resources. “Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” Drupal warns in its security advisory published Wednesday. “For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.” However, considering the popularity of Drupal exploits among hackers, you are strongly advised to install the latest update:

- If you are using Drupal 8.6.x, upgrade your website to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade your website to Drupal 8.5.11.

Drupal also said that the Drupal 7 Services module itself does not require an update at this moment, but users should still consider applying other contributed updates associated with the latest advisory if “Services” is in use. Drupal has credited Samuel Mortenson of its security team with discovering and reporting the vulnerability.
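Both Drupal write-ups above give the same interim mitigation: refuse PUT, PATCH and POST to web-services resources, remembering that the same resource is also reachable through an `index.php/` prefix on Drupal 8 and through the `q` query argument on Drupal 7. The Python below is an added example, not the advisory's or Drupal's code: it implements that classification and runs it over constructed access-log lines, so an administrator can see which past requests touched the affected surface before the block was in place. `/jsonapi` is the JSON:API module's default prefix; `/api` standing in for a Drupal 7 Services endpoint and the `_format=` query argument as the marker for Drupal 8 core REST entity resources are assumptions to adjust for your own site.

```python
"""Classify HTTP requests against the interim Drupal mitigation (refuse
PUT/PATCH/POST to web-services resources, including the index.php/ and ?q=
aliases) and run the classifier over access-log lines.  Added example; the
prefixes and log lines below are constructed."""

import re
from urllib.parse import parse_qs, urlsplit

# Assumption: where web-services resources live on this site.  /jsonapi is the
# JSON:API module's default prefix; /api stands in for a Drupal 7 Services
# endpoint, whose path is chosen by the site administrator.
WEB_SERVICE_PREFIXES = ("/jsonapi", "/api")
MUTATING_METHODS = {"PUT", "PATCH", "POST"}

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines: one harmless read, two Drupal 8 writes, one Drupal 7
# write through the q= argument, and an ordinary form POST.
SAMPLE_LOG = [
    '10.0.0.7 - - [20/Feb/2019:14:02:11 +0000] "GET /node/1?_format=json HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Feb/2019:14:02:15 +0000] "PATCH /node/1?_format=hal_json HTTP/1.1" 403 0',
    '203.0.113.9 - - [20/Feb/2019:14:05:40 +0000] "POST /index.php/jsonapi/node/article HTTP/1.1" 200 1024',
    '203.0.113.9 - - [20/Feb/2019:14:06:02 +0000] "POST /?q=api/node HTTP/1.1" 200 88',
    '192.0.2.4 - - [20/Feb/2019:14:07:00 +0000] "POST /user/login HTTP/1.1" 302 0',
]


def normalize_path(target):
    """Resolve the aliases the advisory calls out: a leading index.php/ (Drupal 8)
    and the ?q= query argument (Drupal 7 without clean URLs)."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    if path.startswith("/index.php"):
        path = path[len("/index.php"):] or "/"
    if path == "/" and "q" in query:
        path = "/" + query["q"][0].lstrip("/")
    return path, query


def is_web_service_request(target):
    """True when the request addresses a web-services resource on this site."""
    path, query = normalize_path(target)
    if any(path == p or path.startswith(p + "/") for p in WEB_SERVICE_PREFIXES):
        return True
    # Assumption: Drupal 8 core REST exposes entities on their normal paths and
    # selects the serialization with ?_format=, so treat that argument as the marker.
    return "_format" in query


def should_block(method, target):
    """The mitigation refuses state-changing methods on web-services resources."""
    return method.upper() in MUTATING_METHODS and is_web_service_request(target)


def scan_log(lines):
    """Return (method, target) for logged requests the mitigation would have refused."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and should_block(match["method"], match["target"]):
            hits.append((match["method"], match["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("would block:", *hit)
```

The production block belongs in the web server, as the advisory says; this classifier mirrors the rule the server should enforce and is useful for reviewing logs from before the rule existed. Access logs record the request line only, so a hit shows that a write reached the affected surface, not what the body contained; a `403` on a hit means the server already refused it.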

Source