image
Conventional wisdom says that once an attacker is in the system, moving laterally from network to network, the damage is already done. The adversary has found a way in and more than likely identified the data they’re after. They simply need to exfiltrate it, the last step of the kill chain, to land the final blow. In some scenarios, however, it’s what the attacker doesn’t do that could have a more devastating outcome on the enterprise. Data manipulation attacks where an adversary does not take the data, but instead make subtle, stealthy tweaks to data for some type of gain, can be just as crippling for organizations compared to theft. The ability of attackers to manipulate and shift data around is a real threat – one that could cause widespread financial and even physical harm as a result – if done successfully. Data Manipulation Attack Examples Consider the stock market. Hypothetically speaking, if an attacker were to successfully breach the IT systems and databases responsible for updating a stock ticker symbol and manipulate data to show a billion-dollar tech giant like Apple, Microsoft, Google or Amazon taking a nose dive, it would cause immediate chaos and panic would ensue. It could result in people selling off their stocks in a frenzy – the culmination of a deliberate and effective attack. Data manipulation attacks don’t always have to result in a tangible financial gain. If an attacker managed to carry out a similar attack against health record information for patients in hospitals and altered critical data like drug dosages and prescriptions that need to be administered, it could result in sickness or even death. These types of attacks are commonly carried out by malicious insiders, individuals who have privileged access to critical data in the first place. If an insider got their hands on blueprints for a manufacturing facility that was being built, they could make minor modifications to drawings that could set the organization up for systemic failure. Understated and difficult to detect, an attack like this could ultimately put a company out of business and give a competitor, perhaps in an adversarial nation state, the ability to take over market share. I’ve seen this play out firsthand. When you have a “trusted” insider as the culprit, it makes it all that more difficult to detect and track down. Who is Behind Data Manipulation Attacks? Attackers like data manipulation attacks because they’re hard to detect and they undermine trust and confidence. If there’s no way to verify that data, like blueprints, documents, or source code are legitimate, it can erode trust from the inside out. Attacks that compromise integrity can jeopardize an entire supply chain. It only takes one flaw, far down a chain, to disrupt or delay the production of goods in an organization’s cashflow. Carmaker Tesla sued a former employee last summer after CEO Elon Musk alleged the insider stole confidential and trade secret information after he failed to get a promotion. While the employee purportedly exported gigabytes of confidential data he also made changes to the Tesla Manufacturing Operating System, the set of basic commands for Tesla’s manufacturing lines, under false usernames, apparently in an act of sabotage. Manipulating sensitive data, like source code, isn’t flashy but is something that can cause the market to slowly unravel over time. For organizations, it’s inevitable that attackers will take data. It’s more of a challenge to determine when an attacker makes a small change to data, then leaves the scene of the crime. For threat hunters, from a digital forensic perspective, there’s typically always a trace left behind. Anomalies in system logs, edits to files at suspicious times, and alarms on threat signatures to detect suspicious techniques and malicious behavior, can be telltale signs of data manipulation. Mitigating Against Data Manipulation Attacks To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT systems. If an outsider successfully penetrates a network, they’ll need to move laterally through the environment to find the data they’re after. It’s critical for incident responders or threat hunters to be able to follow in their proverbial forensic footsteps, to proactively hunt and detect this type of activity before something irreversible is done. The MITRE ATT&CK Framework has been buzzed about across the industry lately for good reason. The knowledge base – a living, breathing breakdown of adversary TTPs and behaviors – outlines in great detail each phase of a cyber attack and the best methods for detecting and mitigating each technique. The framework can greatly help threat hunters looking to speed up their hunting cycle. While attackers may not necessarily leave the endpoint with data in these types of attacks, organizations would benefit from using endpoint detection and response tools to gain better visibility into behaviors and data movement. Organizations can also use file integrity monitoring solutions to identify and track real-time changes to files, folders, and other settings. Logging activity can also help but it’s not a silver bullet. IT teams need to develop internal controls to audit this information and ensure they constantly have eyes on the glass, triaging logs generated by their environment. Data manipulation attacks can have disastrous consequences and cause a significant disruption to a business, country, or even the world in some circumstances. Being prepared is the first step to potentially limiting or preventing the impact of these attacks.

Source

image
Microsoft acknowledged an elevated privilege flaw in its Exchange Server could allow a remote attacker with a simple mailbox account to gain administrator privileges. Both a Microsoft advisory and a US-CERT alert were issued on Tuesday warning users of the elevation of privilege flaw, dubbed “PrivExchange,” which has a “high severity” CVSS score of 8.3. The flaw exists due to a perfect storm of default settings in Microsoft Exchange Server and the mail server and calendaring server that run on Windows Server operating systems. According to Microsoft, Exchange 2013 and newer versions are impacted. Currently, Microsoft has not issued a patch to fix the bug. However, there are workaround fixes. The advisory comes weeks after a proof of concept was released outlining how a regular Exchange mail user could utilize two Python-based tools – privexchange.py and ntlmrelayx.py – to eventually gain domain administrator privileges. Administrators have access to the entire Exchange Server organization and can perform almost any task against any Exchange Server object. “To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user,” Microsoft said in its Tuesday advisory. The Flaw PrivExchange was first outlined in a proof of concept in a Jan. 21 post called “Abusing Exchange: One API call away from Domain Admin,” by Dirk-jan Mollema, security researcher with Fox-IT. The proof of concept takes advantage of several default settings in Exchange, said Mollema. Firstly, Exchange has a feature (called Exchange Web Services, or EWS) which essentially allows it to authenticate to an attacker-controlled computer account from the Exchange server. Attackers can therefore set EWS parameters (PushSubscription EWS Call) to authenticate to an Exchange server. The server then authenticates the account via NTML. NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication and is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). Credit: Dirk-Jan Mollema In another default faux pas, Exchange fails to set signing and sealing flags on NTLM authentication traffic. Therefore, the attacker could perform an NTLM relay attack, where they forward the NTLM authentication to other machines on the network – specifically, that of an administrator. Because Exchange fails to flag NTLM traffic, it would not recognize this. Finally, servers have access to high-privilege processes by default – including that of a domain controller. With admin privileges, the attacker could gain access to the domain controller which gives them an array of malicious powers. “Because of the privileges gained by this attack attackers could control anything in active directory, such as accessing systems, reading and modifying data, and adding backdoors for persistence,” Mollema told Threatpost. The attack is “relatively easy to carry out” and already an array of other implementations of the PoC tools have been released that allow attackers to perform the attack through an infected workstation, he told Threatpost. Workarounds While Microsoft said that a planned update is in the works, currently no solutions exist to fix the flaw. However, if Exchange users think their systems are at high risk, a workaround exists. Potential impacted users would have OnPrem deployments, as Exchange Online is not impacted; as would have systems with NTLM, as Systems that have disabled NTLM are not affected. To address this vulnerability, users could essentially define and apply the “Throttling Policy” for EWSMaxSubscriptions to have a value of zero. The EwsMaxSubscriptions parameter specifies the maximum number of active “push and pull” subscriptions that an Exchange Web Services user can have on a specified Exchange server at the same time – so this would limit the number to zero and block the Exchange server from sending any notification. “This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally,” said Microsoft. “Examples of impacted applications include Outlook for Mac, Skype for Business, notification reliant LOB applications, and some iOS native mail clients.” Microsoft did not respond to a request for comment from Threatpost on when the upcoming fix would be; as well as whether they have seen the vulnerability being exploited in the wild. “The workarounds Microsoft communicated are effective and I recommend sysadmins to look at implementing those till a patch is released,” Mollema told Threatpost. In Other Microsoft Update News… Separately, Microsoft on Tuesday released its February Non-Security Microsoft updates; and acknowledged recent disruptions in its Windows Update service. The non-security updates include updates for Microsoft Office (2010, 2013, and 2016) as well as Microsoft Outlook, Power Point, Access, Skype for Business. Microsoft also confirmed that recent Windows Update service connectivity issues last week was due to a “data corruption issue in an external DNS service provider global outage” on Jan. 29. “The issue was resolved on the same day and Windows Update is now operating normally, but a few customers have continued to report issues connecting to the Windows Update service,” Microsoft said. “We expect these issues will go away as downstream DNS servers are updated with the corrected Windows Update DNS entries.”

Source

image
The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC). Yes, infinite… like a never-ending source of money. Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous than Bitcoin, as the sender, recipient, and value of transactions remain hidden. In a blog post published today, the Zerocoin Electric Coin Company—the startup behind Zcash—revealed that one of its employees, Ariel Gabizon, discovered the vulnerability in its code on 1st March 2018, the night prior to his talk at the Financial Cryptography conference almost a year ago. Gabizon contacted Sean Bowe, a Zcash Company's cryptographer, immediately after discovering the counterfeiting vulnerability, as dubbed by the team, and the team decided to keep the flaw secret in order to avoid the risk of attackers exploiting it. According to the company, only four Zcash employees were aware of the issue before a fix was covertly included in the Zcash network on 28th October 2018. Besides this, since “discovering this vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess,” the company believes that no one else was aware of this flaw and that no counterfeiting occurred in Zcash. Now, the Zcash team detailed all about the vulnerability on its official site to inform the broader public, which if exploited, would have allowed an attacker to print an infinite amount of Zcash tokens. Details of the Catastrophic Zcash Vulnerability According to the team, the counterfeiting vulnerability resided in the variant of zk-SNARKs—an implementation of zero-knowledge cryptography Zcash uses to encrypt and shield the transactions—which has independently been implemented by other projects. Both Komodo blockchains and Horizen (previously known as ZenCash) suffered from the same issue and reportedly fixed it on their platforms after being notified by the Zcash team back in mid-November 2018 via an encrypted email. The vulnerability was the result of a “parameter setup algorithm” that allowed “a cheating prover to circumvent a consistency check” and thereby transformed “the proof of one statement into a valid-looking proof of a different statement.” Anyone with access to the multi-party computation (MPC) ceremony transcript, which is used to set up the privacy features for Zcash, would have been able to create false proofs, granting them the ability to create an unlimited amount of shielded coins. Though the developers found no evidence of counterfeiting occurred in Zcash, they confirmed that the vulnerability had existed for years. “The vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code,” the company writes. Since Zcash is private, even if someone could have counterfeited Zcash in the past, there's no way to find out. However, the Zcash Company argued that it “studied the blockchain for evidence of exploitation: An attack might leave a specific kind of footprint. We found no such footprint.” Fixes for this vulnerability were implemented in the Zcash Sapling network upgrade in October 2018, and some, including former NSA whistleblower Edward Snowden, have applauded the team's handling of the flaw.

Source

image
LAS VEGAS – Contrary to the pop-culture image of the hoodie-clad lone hacker with mad keyboard “skillz” siphoning off funds and making people’s lives miserable with a few lines of brilliant code, increasingly cybercrime “takes a village”. The true face of cybercrime today is a more democratic one. Modern financial crime rings are made up of a wide range of people with complementary toolsets—from coders to willing corporate insiders wanting to be paid for installing malware on a network and more. According to Maya Horowitz, director of threat intelligence and research at Check Point Software, speaking reporters at the CPX 360 event in Las Vegas, gone are the days when cybercrime activities were the sole domain of highly technical individuals. “You have to understand that there are many different people involved in each attack – you have a technical person that writes the code, sure; but different people distribute the malware, especially with the spread of as-a-service offerings,” she explained. “Someone else is responsible for taking stolen money out of an account; and there’s a person that writes the infection vector; and someone who crafts phishing messages.” Horowitz was commenting on the second part of Check Point’s 2019 Under the Hood report, released Wednesday at the event, which lays out an underground ecosystem populated by a number of job descriptions, which mirrors the legitimate business world in many ways. For instance, cybercrime collaborative environment includes programmers, who develop malware to extort or steal data from potential victims; merchants who trade and sell the victim’s stolen data; IT technicians who build and maintain the IT infrastructure (servers, databases, etc.) for criminals; hackers that search and find vulnerabilities in systems, applications and networks; fraudsters, who create and carry out new ways to scam and manipulate potential victims; hosting services, which provide hosting services for criminals’ fraudulent content and sites; and management types, who hire and form their cybercrime teams and manage the operation. Horowitz added, “In all, you have five to seven people involved, minimum, in a campaign. And because there are more roles, and non-technical roles, it means there are more actors out there than ever before.” There are even ads for jobs – a sort of Dark Web classifieds section. “You will see adds for people to write malware or a phishing campaign, or someone who’s an insider in a bank who can install it,” Horowitz said. “There are ads looking for someone who can sell identities – passports and photos, you name it … all of these things are commonly offered or requested.” As-a-Service Models: The New Normal As a result of a confluence of these factors, there is now what Check Point calls a “continuous rise” of the underground malware-as-a-service industry. The report explained that this has completely changed the ecology of cybercrime: “In today’s cyber-underworld, anyone who is willing to pay can easily obtain the suitable tools and services needed to launch any kind of cyber-attack,” according to the report, shared with Threatpost prior to publication. “While this may not be a completely new phenomenon, over the past year we have witnessed a significant growth in attacks orchestrated with cyber weapons or products acquired via these underground services,” according to the report. “When cybercrime is democratized, the number of cyberattacks increases … never does a day go by when organizations are not under constant attack from the ever-growing number of malware, infiltrating IT networks from an increasing number of entry points.” The services offered online include malware kits, stolen data, and turn-key packages that contain malware ready for distribution along with a comprehensive management panel which allows unskilled hackers to easily track and control their infection rates and revenues. Check Point analysis shows that malware-as-a-service options available run the gamut, with infamous names like AZORult, File-Locker and Kraken all on offer. “The authors of GandCrab ransomware even offer technical support and tutorial videos for their product,” according to the report. Moving to New Channels Unsurprisingly, in an effort to curb the cybercrime scourge, authorities have made a concerted effort to take down Dark Web marketplaces, including the Hansa Market and Alpha Bay shutdowns in 2017, and more recent actions like the credentials market taken out by the Feds recently. And that, in turn, has pushed the bad guys to get creative and shift to new channels to evade authorities. One notable trend is a transition to the increasingly popular and highly secure mobile messaging app, Telegram, to pursue their trade. “There are dozens of telegram groups that communicate and share tools with each other,” Horowitz explained. “We’re aware of one group that’s likely Iranian, speaking Persian – there are 100,000 participants in this group, called ‘AmirHack.'”

Source

image
Ever sent a message on Facebook Messenger then immediately regretted it, or an embarrassing text to your boss in the heat of the moment at late night, or maybe accidentally sent messages or photos to a wrong group chat? Of course, you have. We have all been through drunk texts and embarrassing photos many times that we later regret sending but are forced to live with our mistakes. Good news, Facebook is now giving us a way to erase our little embarrassments. After offering a similar feature to WhatsApp users two years ago, Facebook is now rolling out a long-promised option to delete text messages, photos, or videos inside its Messenger application starting from Tuesday, February 5. You Have 10 Minutes to Delete Sent Facebook Messages The unsend feature allows users to delete a message within 10 minutes of sending it, for both individual and group chats. Previously, Messenger offered the “delete” option that allowed users to only delete messages for them—but the recipient can still see the message. Now, the option includes two choices “remove for everyone” and “remove for you,” giving users more control over their already sent messages. The social network promised the unsend feature in Messenger after it was revealed last year that Facebook CEO Mark Zuckerberg had an option to “delete” messages that were sent on the messaging app. As promised, the company has now made the unsend option available to all users. Obviously, unsend does not mean unseen. If you send a message and the receiver see it immediately after receiving it, and before you think of deleting it, the unsend feature won't help you. But your quickest move might help you unsend the message so that it is not seen on the other side of the conversation. Here's How to Unsend Messages on Facebook Messenger It is quite simple and straightforward. Long press on the message you want to remove. You will get both a standard emoji response window on the top of that message, as well as three options at the bottom of the screen: Copy, Remove, and Forward. Selecting the Remove option will then display two options: “Remove for Everyone” and “Remove for You.” You know what you have to do now. Tapping the “Remove for Everyone” option will remove the message from the chat so that nobody can see the message after that. It should be noted that the unsend feature also works for removing photos and videos sent to a user. Just like WhatsApp, Messenger will replace the removed chat bubble with a text message notifying everyone in the conversation that the message has been removed. But remember, you will have up to 10 minutes to remove the message after being sent. The Remove for You option will function in the same way the previous Delete option works. Facebook is not the first one to offer an “unsend” feature in its chat services, including WhatsApp and Messenger. Secure messaging app Telegram has also been allowing its users to remove messages since years.

Source

image
Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who's built a solid reputation hijacking mobile phone numbers for profit. According to indictments unsealed this week, Tucson, Ariz. resident Ahmad Wagaafe Hared and Matthew Gene Ditman of Las Vegas were part of a group that specialized in tricking or bribing representatives at the major wireless providers into giving them control over phone numbers belonging to people they later targeted for extortion and theft. Investigators allege that between October 2016 and May 2018, Hared and Ditman grew proficient at SIM swapping, a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. The Justice Department says Hared was better known to his co-conspirators as “winblo.” That nickname corresponds to an extremely active and at one time revered member of the forum ogusers[.]com, a marketplace for people who wish to sell highly prized social media account names — including short usernames at Twitter, Instagram and other sites that can fetch thousands of dollars apiece. Winblo's account on ogusers[.]com Winblo was an associate and business partner of another top Oguser member, a serial SIM swapper known to Oguser members as “Xzavyer.” In August 2018, authorities in California arrested a hacker by the same name — whose real name is Xzavyer Clemente Narvaez — charging him with identity theft, grand theft, and computer intrusion. Prosecutors allege Narvaez used the proceeds of his crimes (estimated at > $1 million in virtual currencies) to purchase luxury items, including a McLaren — a $200,000 high-performance sports car. According to the indictments against Hared and Ditman, one of the men (the indictment doesn't specify which) allegedly used his ill-gotten gains to purchase a BMW i8, an automobile that sells for about $150,000. Investigators also say the two men stole approximately 40 bitcoins from their SIM swapping victims. That's roughly $136,000 in today's conversion, but it would have been substantially more in 2017 when the price of a single bitcoin reached nearly $20,000. Interestingly, KrebsOnSecurity was contacted in 2018 by a California man who said he was SIM swapped by Winblo and several associates. That victim, who asked not to be identified for fear of reprisals, said his Verizon mobile number was SIM hijacked by Winblo and others who used that access to take over his Twitter and PayPal accounts and then demand payment for the return of the accounts. A computer specialist by trade, the victim said he was targeted because he'd invested in a cryptocurrency startup, and that the hackers found his contact information from a list of investors they'd somehow obtained. As luck would have it, he didn't have much of value to steal in his accounts. The victim said he learned more about his tormentors and exactly how they'd taken over his mobile number after they invited him to an online chat to negotiate a price for the return of his accounts. “They told me they had called a Verizon employee line [posing as a Verizon employee] and managed to get my Verizon account ID number,” said my victim source. “Once they had that, they called Verizon customer service and had them reset the password. They literally just called and pretended to be me, and were able to get my account tied to another SIM card.” The victim said his attackers even called his mom because the mobile account was in her name. Soon after that, his phone went dead. “The funny thing was, after I got my account back the next day, there was a voicemail from a Verizon customer service agent who said something like, ‘Hey [omitted], heard you were having trouble with your line, hope the new SIM card is working okay, give us a call if not, have a nice day.'” RECKONING The indictments against Hared and Ditman come amid a series of arrests, charges and sentences targeting admitted and suspected SIM swappers. Last week, Joel Ortiz — a 20-year-old college student valedictorian accused of stealing more than $5 million in cryptocurrency in a slew of SIM hijacking attacks — became the first to be convicted for the crime, accepting a plea deal for a 10-year prison term. Many of the people being arrested and charged with SIM swapping were part of a tight circle of individuals who spent money almost as quickly as they stole it. The video below was posted to the Instagram account “0,” a username that was hijacked by Ortiz. The video shows a birthday party celebration for Xzavyer Narvarez at the Hyde Sunset club in Los Angeles. Notice the Twitter bird symbols at the bottom of each card brought out by the club's female attendants. Another video posted by Ortiz — to a hijacked, highly sought Instagram account “T” — shows members of this group dumping out $200 bottles of glow-in-the-dark Dom Perignon champagne onto designer watches that cost thousands of dollars each. Also last week, 20-year-old Dawson Bakies pleaded not guilty in Manhattan Supreme Court to 52 counts of identity theft, grand larceny, and computer trespass tied to alleged SIM swapping activity. According to the New York Post, Bakies, who lives with his mom in Columbus, Ohio, allegedly called customer-service representatives posing as his victims and was able to port their phone numbers to a device he controlled. In November 2018, authorities in New York arrested 21-year-old Manhattan resident Nicholas Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a Silicon Valley executive. Truglia also is being sued by cryptocurrency angel investor Michael Terpin, who alleges that Truglia used a SIM swap against AT&T to steal $24 million in cryptocurrencies from him. WHAT CAN YOU DO? SIM swappers tend to target people with plenty of funds in the bank or in cryptocurrency exchanges, but as my victim source's story shows, they often also SIM swap individuals who only appear to be high rollers. In the process, they may also rifle through your personal email and try to extort victims in exchange for turning over access to hijacked accounts. There are several steps that readers can take to insulate themselves from SIM swapping attacks. First and foremost, do not re-use passwords to important accounts anywhere else. Also, take full advantage of the most robust form of multi-factor authentication available for the accounts you care about. The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible. If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks. If available, physical security keys are an even better option. Further reading: Hanging Up on Mobile in the Name of Security Busting SIM Swappers and SIM Swap Myths

Source

image
You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right? But what if I say, you should not even trust anyone who invites or offers you full remote access to their computers? Security researchers at cybersecurity firm Check Point have discovered more than two dozen vulnerabilities in both open-source RDP clients and Microsoft's own proprietary client that could allow a malicious RDP server to compromise a client computer, reversely. RDP, or Remote Desktop Protocol, allows users to connect to remote computers. The protocol is usually used by technical users and IT administrators to remotely connect to other devices on the network. RDP was initially developed by Microsoft for its Windows operating system, but there are several open source clients for the RDP protocol that can be used on Linux as well as Unix systems. Check Point researchers recently conducted a detailed analysis of three popular and most commonly used RDP clients—FreeRDP, rdesktop, and Windows built-in RDP client—and identified a total of 25 security flaws, some of which could even allow a malicious RDP server to remotely take control of computers running the client RDP software. FreeRDP, the most popular and mature open-source RDP client on Github, has been found vulnerable to six vulnerabilities, five of which are major memory corruption issues that could even result in remote code execution on the client's computer. rdesktop, an older open-source RDP client that comes by default in Kali Linux distributions, has been found to be the most vulnerable RDP client with a total of 19 vulnerabilities, 11 of which could allow a malicious RDP server to execute arbitrary code on the client's computer. Though Windows built-in RDP client does not contain any remote code execution flaw, researchers discovered some interesting attack scenarios that are possible because the client and the server share the clipboard data, allowing the client to access and modify clipboard data on the server end and vice-versa. “A malicious RDP server can eavesdrop on the client's clipboard—this is a feature, not a bug. For example, the client locally copies an admin password, and now the server has it too,” researchers say while explaining the first attack scenario. “A malicious RDP server can modify any clipboard content used by the client, even if the client does not issue a ‘copy' operation inside the RDP window. If you click ‘paste' when an RDP connection is open, you are vulnerable to this kind of attack,” reads the second attack scenario. What's more? In another video, researchers demonstrated how the clipboard attack using Microsoft's RDP software could even allow malicious RDP server to trick client system into saving a malware file in Windows' startup folder, which will automatically get executed every time the system boots. Researchers reported the vulnerabilities to the developers of the impacted RDP clients in October 2018. FreeRDP patched the flaws as part of its v2.0.0-rc4 release and rolled out the software release to its GitHub repository less than a month after being notified. Rdesktop patched the issues as part of its v1.8.4 release and rolled out the fix in mid-January. Microsoft acknowledged the researchers' findings but decided not to address the issues. The tech giant said: “We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).” However, Windows RDP client users can protect themselves against the attacks demonstrated by the researchers by merely disabling the clipboard-sharing feature, which comes enabled by default, when connecting to a remote machine.

Source

image
With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet. Thankfully, Google has a solution. Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach. The new service, which has initially been made available as a free Chrome browser extension called Password Checkup, works by automatically comparing the user's entered credential on any site to an encrypted database that contains over 4 billion compromised credentials. If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password. Wondering if Google can see your login credentials? No, the company has used a privacy-oriented implementation that keeps all your information private and anonymous by encrypting your credentials before checking them against its online database. “We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google,” the company emphasizes. “We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous.” You can also check this easy 4-step visual explanation to learn more about how it works under the hood. Moreover, it is not yet another “weak password warning tool” that alerts users whenever they use a commonly used or easily crackable password for any website. “We designed Password Checkup only to alert you when all of the information necessary to access your account has fallen into the hands of an attacker,” Google says. “We will not bother you about outdated passwords youn have already reset or merely weak passwords like ‘123456.' We only generate an alert when both your current username and password appear in a breach, as that poses the greatest risk.” The Chrome browser extension, Password Checkup, is available from today, and anyone can download it for free. Besides launching the new Chrome extension, Google also lists five Official Security Tips which includes keeping your software up-to-date, using unique passwords for every site, taking the Google security checkup, setting up a recovery phone number or email address, and making use of two-factor authentication. Chrome users can follow these security tips to keep themselves safe on the Internet.

Source

image
Here is an internet of things flaw that can tip the scales to a hacker’s advantage. Researchers have discovered a bevy of flaws a consumer smart scale that could allow hackers to launch a variety of attacks, from man-in-the-middle to denial of service attacks. Checkmarx researchers reported the vulnerabilities on Monday and outlined four “medium” severity bugs linked to the connected scale The device, the Smart Scale PW 5653 BT, is made by China-based AEG and features Bluetooth for analyzing weight, body fat, and other data points. AEG is a premium brand for Chinese consumers introduced by home appliances firm Electrolux Group and Midea Group as a joint venture. However, after testing the IoT device, its Bluetooth security, and its mobile apps (Smart Scale for Android and iOS) researchers found several security and privacy flaws. “The Checkmarx Security Research Team found several security issues that have impact on the clients using the smart scale, its associated apps, and for the company itself,” said David Sopas, researcher with Checkmarx in a Monday report. Researchers have advised AEG to issue a patch that fixes clients’ smart scales to prevent malicious users from damaging the hardware, but have not heard back. “It took many attempts to get a response from Electrolux (AEG), and to date, we are not aware of any fixes that were released as a result of our communication,” Erez Yalon, head of Checkmarx’s security research group, told Threatpost. Denial of Service The most severe of the flaws discovered in the IoT device is a Denial of Service vulnerability, which allows attackers to trigger a special request via Bluetooth that crashes the smart scale. The flaw has a CVSS score of 7.1, making it a medium-severity vulnerability. The design vulnerability exists because the Bluetooth service “Immediate Alert” – which exposes a control point that allows another peer device to cause the device to immediately alert – allowed researchers to send special requests. When the device is in standby mode, researchers were able to send the request and crash the smart scale (see a proof of concept video below): For the victim that means they would need to remove the batteries or wait until the batteries run out, and the device would lose most of its information during this crash, researchers said. “Now the only way to get the smart scale working again is to remove one of the batteries or wait until they run out, because the screen is frozen with the light on,” researchers said. “We kept it for 30 minutes and the smart scale never went off. It’s also important to mention that resetting the smart scale removes information, such as other configuration steps the user took in the past.” Other Flaws Another design flaw (with a CVSS score of 5.3) exists in a configuration of the Generic Attribute Profile (GATT) in the device, which establishes in detail how to exchange all profile and user data over a BLE connection. The GATT configuration keeps the MAC addressed fixed, meaning that a bad actor within Bluetooth range could track the victim. Another vulnerability (CVSS score of 5.3) allows an attacker within Bluetooth range to “change the name of the device to something offensive or even to trick innocent users,” researchers said. “Also it can be used to better identify the specific device to aid in combining this attack with other attacks.” Finally, some requests made by the mobile application don’t use HTTPS, which could allow bad actors to launch a man-in-the-middle attack and intercept the information sent between the mobile application and the host. Click to Expand. Researchers said that they also discovered issues with the mobile applications connected to the device, Smart Scale for Android and Smart Scale for iOS, which are developed by a Chinese company named VTrump. Specifically, researchers discovered the iOS app was sending private information to a server in China associated with Lotuseed, a mobile data analysis software platform based in China. More alarming, the data was being sent without https, meaning that the communications between the app and Chinese server are not encrypted. “After we notified VTrump about our findings, they declined to make the changes we suggested,” researchers said. “Later, however, we tested again and found that they ‘fixed’ the app by adding encryption, however, they were still sending the same private information. I don’t believe that this type of information is necessary for a smart scale to collect, much less send to a third party for data analysis.” IoT Issues IoT issues are nothing new – just on Monday, the European Commission issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely. Meanwhile, in a recent report analyzing 12 different IoT devices, researchers with Dark Cubed and Pepper IoT reported security failures that ranged from a lack of encryption for data and missing encryption certificate validations. IoT security issues are only getting worse – not better. In the first half of 2018, researchers at Kaspersky Lab said they picked up three times as many malware samples targeting IoT devices as they did for the entirety of 2017. Yalon that IoT devices and the apps that accompany them must all be held to a higher standard. “Consumers must require more from the vendors selling us IoT devices,” he said. “Users must demand that data is only collected if it is needed to enable the functionality of the device/app, and that the vendors encrypt any data they send and collect, and protect our privacy. If they don’t, and fail to take responsibility even when confronted with the findings, they must be held accountable.”

Source

image
By Uzair Amir There is very good news for Mozilla Firefox users. After improving the user experience with tracking protection function offering content blocking features and other changes in Firefox 63, Mozilla is aiming for another significant update in the upcoming version of the browser. The new version of Mozilla Firefox called Firefox 67, which is planned to […] This is a post from HackRead.com Read the original post: Upcoming Firefox version to offer fingerprinting & cryptomining protection

Source