A recently discovered phishing scam was found peddling malware, using a new technique to mask its malicious landing page: a fake Google reCAPTCHA system. The campaign targeted a Polish bank and its users with emails, said researchers with Sucuri. These emails contained a link to a malicious PHP file, which eventually downloaded the BankBot malware onto victims’ systems. This Android banking malware, first discovered in 2016, is a remotely controlled trojan capable of stealing banking details by impersonating bank apps, reading text messages and displaying unsolicited push notifications. In this specific case, BankBot was scooping up various private data, including SMS and call logs, contacts and location, researchers said.

“During a recent investigation, we discovered a malicious file related to a phishing campaign that targeted a Polish bank,” said Luke Leak with Sucuri, in a Thursday analysis. “This campaign employed both the impersonation and panic/bait techniques within an email in order to lure victims into downloading banking malware.”

The emails asked victims for confirmation of a recent transaction, along with a link to a malicious PHP file. Researchers said that users of the bank who saw the email would likely be alarmed that it was asking for confirmation of an unknown transaction, prompting them to click the malicious link.

“This makes it a bit more unique from the phishing content that we typically find, which often consists of a PHP mailer and file(s) used to construct the phishing page itself,” said Leak. “In most cases, it’s just a replica of the login page for whatever institution they are targeting.”

When the victims clicked on the link, the malicious PHP file would send them a fake “404 error” page. The PHP code then loaded a fake Google reCAPTCHA using a combination of HTML elements and JavaScript. reCAPTCHA is Google’s challenge mechanism for distinguishing bots from human site users.

The fake reCAPTCHA looks real, and makes victims feel as though the landing page is legitimate, researchers said. “This page does a decent job at replicating the look of Google’s reCAPTCHA, but since it relies on static elements, the images will always be the same unless the malicious PHP file’s coding is changed,” said Leak. “It also doesn’t support audio replay, unlike the real version.”

The PHP code then determined which form of malware to download to the victim’s device: if the victim used Android, it dropped a malicious .apk; if not, it downloaded a .zip dropper. Besides “BankBot,” the Android malware is also labeled “Banker” and “Artemis” on VirusTotal by various anti-virus engines.

“Shortly after the discovery of the apps trojanized with BankBot on Google Play in the beginning of 2017, we have confirmed that the malicious apps were derived from source code made public on underground forums in December 2016,” said ESET researchers, in an analysis of BankBot. “The public availability of the code has led to a surge in both the number and sophistication of mobile banking trojans.”

Phishing scams have continued to step up their game over the past year, with bad actors continuously updating their methods to become trickier. That includes new tactics like abusing Google Translate or custom fonts to make the scams seem more legitimate.

Leak said this type of phishing campaign “can cause serious headaches for website owners.” “The malicious directories used in these campaigns are uploaded to a website after it has been compromised,” said Leak. “When dealing with this type of malware, it is important to delete the files contained in a complaint; however, we strongly encourage administrators to scan all other existing website files and the database for malware as well. You’ll also want to update all of your passwords to prevent the attackers from accessing the environment again.”

Source

By Waqas

Sucuri’s cybersecurity researchers have identified a highly sophisticated phishing campaign that is specifically targeting online banking users. The attack, for now, has been directed against a Polish bank in which attackers are exploiting Google reCAPTCHA systems as well as panic-eliciting tactics to lure victims into clicking on infected, malicious links that are already embedded in […] This is a post from HackRead.com. Read the original post: Android banking malware distributed with fake Google reCAPTCHA

Source

Alice and Bob, the beloved (or not-so-beloved, depending) placeholder characters often used in cryptography examples, have been spotted in the middle of a web of deceit and intrigue by eagle-eyed Redditors. Think lies. Broken hearts. Even…murder. Yep, you heard that right.

It all starts with the Wikipedia page explaining what man-in-the-middle (MiTM) attacks are, which uses a helpful Alice-and-Bob (and Mallory) example to make things a bit clearer:

(Image: source Wikipedia)

However, someone (presumably of the coder or crypto persuasion) decided to edit that example to, shall we say, move the plot along a bit further:

(Image: source Reddit)

Sadly for the story of Alice and Bob (RIP), the travesty is that we’re not sure if she ever found love. And it’s unclear if Mallory was ever pinged for the crime. That’s because after being noticed, posted and thoroughly appreciated on Reddit, the Wikipedia page was alas edited back to its same old utilitarian self. Fortunately though, there’s a whole subreddit devoted to programmer humor, so proof does still exist that coders can be funny too. What’s your favorite code-humor example? Feel free to comment below.

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout join Threatpost senior editor Tara Seals. They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon.

Source

By David Balaban

We live in a world where anonymity and online privacy are impossible things. Your phone calls can be tapped, smartphone data can be stolen, and even the camera and microphone can be turned on remotely. You can be watched from the satellite, in real time. We all live in the matrix and its special services […] This is a post from HackRead.com. Read the original post: Taking Care of Your Personal Online Security (For Paranoids)

Source

Every app installed on your smartphone with permission to access location services can continually collect your real-time location, even in the background when you are not using it. Did you know? Installing the Facebook app on your Android or iOS smartphone automatically gives the social media company your consent to collect a history of your precise location.

If you are not aware, there is a setting called “Location History” in the Facebook app that is enabled by default, allowing the company to track your every movement even when you are not using the app. So, every time you turn on the location service/GPS setting on your smartphone, say to use the Uber app or Google Maps, Facebook starts tracking your location.

Users can manually turn Facebook’s Location History option off in the app settings to completely prevent Facebook from collecting their location data, even when the app is in use. Unfortunately, disabling Location History also breaks some Facebook features that rely on location data, like checking into a nearby location, tagging locations in an uploaded photo, or using Nearby Friends, a feature that lets friends share their locations with each other.

On iOS, Apple offers users more control at the device level: users who don’t want to completely stop an app from using location can choose whether the app may also access location data in the background. However, people using Facebook on Android have had an all-or-nothing option when it comes to location sharing, which means they either grant Facebook full access to their location data or completely prevent the social network from seeing their location at all, with no option to share location only while the app is open.

How to Stop Facebook From Tracking You When Not in Use

Facebook has finally changed this behavior by introducing a new privacy setting to its Android app, giving users more explicit, granular control over background collection of their location data. Here’s how you can prevent Facebook from tracking your location when the app is not in use:

1. Open the Facebook app on your Android smartphone.
2. Go to the Settings menu in the top right corner (it looks like this: ☰).
3. Tap on Settings & Privacy.
4. Choose Privacy Shortcuts.
5. Select Manage your location settings.
6. Toggle “Background Location” to OFF.

If you enable this setting, two things will happen: “you would share your location when you weren’t using the app, and you would allow Facebook to store a history of your precise locations.”

“We’re not making any changes to the choices you’ve previously made nor are we collecting any new information as a result of this update,” Facebook’s post reads. “For people who previously chose to turn their Location History setting ‘on,’ the new background location setting is ‘on.’ For people who had turned Location History ‘off’ – or never turned it on in the first place – the new background location setting is ‘off.’”

With this update, Facebook gives users a dedicated way to choose whether or not to share their location when they are not using the social media app.

iOS users need not worry about such features, as Apple already offers iPhone users an option to block an app from using their location in the background when the app is not open. If you are an iPhone user and have not already stopped Facebook, or any other app, from tracking your location in the background, you can follow these simple steps:

1. Go to Settings.
2. Select Privacy.
3. Choose “Location Services.”
4. If you want to completely stop all apps from tracking you, turn Location Services off. If you want to limit this per app, tap each app and choose “Never” or “While Using.” Make sure apps that don’t require your location, like most games, photo-sharing apps and editors, are set to “Never.”

Meanwhile, Facebook is also sending out alerts to both Android and iOS users, asking them to review their location settings.

Source

The bug bounty landscape continues to change along with the concept and rules around vulnerability disclosure. Meanwhile, companies such as GitHub, Microsoft and others continue to keep pace, launching or expanding bounty programs. Even the European Commission is getting in on the action: on January 14, it launched its own bug bounty program for free open source projects that EU institutions rely on. Making matters worse is a new breed of cybercriminals that target an evolving IoT device landscape. Threatpost editor Lindsey O’Donnell discusses the challenges and opportunities behind bug bounty programs, as well as the evolving landscape, with HackerOne CEO Marten Mickos.

Transcript below:

Threatpost: Hi everyone. This is Lindsey O’Donnell with Threatpost. And I’m here today with Marten Mickos, the CEO of HackerOne. Marten, thanks for joining us today.

Marten Mickos: Thanks for inviting me.

TP: How are you?

Mickos: Pretty good. I love it here in Boston.

TP: Yeah, we’re getting a little bit of cold weather. But it could be worse. So why don’t you introduce yourself and HackerOne, for those who might not know about the company.

Mickos: I’m Marten Mickos, CEO of HackerOne. HackerOne is the company that organizes bug bounty programs and what’s called vulnerability disclosure programs. So in essence, we are the world’s largest provider of hacker-powered security, meaning security services provided by freelance security researchers and experts that we just call hackers, because we believe in the power of hackers, and we think hackers are good.

TP: So I feel like bug bounty programs have really been gaining traction over the past few years, especially with the concept of vulnerability disclosure really evolving. What have you been seeing, from your perspective, throughout 2018? And what are some of the big trends that we should be keeping an eye on in 2019?

Mickos: Bug bounty programs started in the tech sector and primarily in the San Francisco Bay Area. Now it’s spreading all over the world, and we see very strong interest from the government side. So the government is eager to run bug bounty programs, to recommend them to everybody, even to mandate them to some. Like in the “Hack The DHS” act that passed in December 2018, they mandated DHS to run a bug bounty program. So we’re seeing how society now accepts that the best way to find what’s wrong with your system is to ask the world around you.

TP: What about the demographics that you’re seeing with some of the bounty hunters? Is there any popular type of age range? What are you seeing there?

Mickos: We have over 300,000 hackers signed up on the platform. So we have every type of person in that community. But if you look at the large groups, we have noted that nearly half of them are 25 or younger. So it’s a very young generation; the youngest are 14 years old. It takes them a year or two to get the hang of it and start producing good vulnerability reports. So there’s a lot of that. When you look at what they do for a living or what their day job is, if they’re young, they are students in school or college. Many of them have a security job at daytime and this is an evening or a weekend hobby. And then we have some full-time bug hunters who do nothing but hunt bugs.

TP: And then looking at a company that may want to start up a bug bounty program, what are your suggestions for kind of the first steps there? I mean, what’s the very first step that such a company could take?

Mickos: When a company wants to run a bug bounty program, the first thing they need to make sure is that they have the capacity to fix the bugs once we find them, because we always find them. So if you’re coming to us, we say, how will you make sure your engineering group will prioritize and fix the bugs once we start finding them? And with that in shape, we can launch a program very quickly. What you do is you pick the attack surface, the scope that you start with. Then we recommend that companies start with a small scope and a limited program, and maybe even just by inviting a few known hackers to start with to get it going. Later, we can expand scope, we can expand the bounty table, we can invite more people and open up the program to everybody. But we usually recommend that they start small, start with baby steps and get going.

TP: I’m curious, because IoT is something that’s near and dear to my heart, at least – what are you seeing with Internet of Things and the kind of interest around setting up programs with IoT devices? Do you think that’s something that’s really gaining traction? And would you say that IoT is different in the bug bounty landscape than some of the other products and systems?

Mickos: Very good question. IoT certainly is different when it comes to bug bounty programs. And we see them come and go, and we have a good number of them on HackerOne, but it hasn’t taken fully off yet. And one reason is that if you run a bug bounty program for an IoT product, you need to get the product in the hands of the hackers, and we have shipped out a lot of different devices to hackers all over the world. So we know how to do it, but it hasn’t really taken on yet. That’s one thing. The other thing for an IoT vendor is that once they find a vulnerability and fix it, they have to roll out the fix as well. So they need to have a product that can be activated from afar or updated from afar, and that’s another hurdle for them to overcome before they can be fully successful with the bug bounty program.

TP: Should be interesting to see where that goes in the coming years.

Mickos: Absolutely, and of course, this is an area where the government is very active, because IoT devices typically are used by consumers. So it’s a question of protection of the integrity of consumers and the privacy of consumers, so it becomes a legal responsibility at some point.

TP: That’s really interesting. So, something that came up in the news recently was the EU announcing that they would fund programs for finding bugs in, was it 14 open source projects? Just an array of open source projects. Can you talk a little bit about that and kind of the hope there?

Mickos: We have done a number of programs for the European Commission for a while already. And this is a new initiative they call EU FOSSA, where they’ve selected open source projects that may not have the funding themselves to run a bug bounty program, and the EU is funding the program on behalf of them. So it’s a very good way of going to the heart of the problem, which is open source libraries and products that are used all over the place, but there isn’t necessarily an organization or funding to fix the security vulnerabilities. But now there is.

TP: Right. What kind of challenges are you seeing right now in the bug bounty landscape? I know a couple of people in the infosec space have mentioned concerns about companies relying solely on bug bounty programs. Do you see that as a challenge? Do you see any other challenges that the landscape needs to overcome at this point?

Mickos: The only challenge is the hunt for the bug and the difficulty in finding them, and we always find them. Everything else is manageable and can be handled. There are always detractors who will say that this or that is not working. It’s not true. We are seeing it very clearly in the statistics of our programs, the rate at which it is growing, the rate at which people are fixing the bugs; we are making huge progress all the time, hackers are making good money on this. Products are getting more secure, architectures are getting fixed; this is the only way we can fix our digital society. And we will stumble a little bit on the way there. But those are small, small problems in the grand scheme of things because we are fixing the world.

TP: What are you most excited for in 2019 about the bug bounty landscape – any specific programs to look out for, anything else?

Mickos: I always get so excited by the hackers themselves, like the fact that we can have somebody as young as 14 on the platform, filing a report, fixing software that a much older software developer developed. And it gives me this conviction and belief and evidence that the future generation, they know how to fix what’s broken, and they will make sure we have a good future. I think it’s endless optimism and sort of positive vibes in that.

TP: Speaking of that, I’m sure you saw the news of the Apple FaceTime bug that was discovered earlier this week, or I guess it was discovered weeks ago, essentially by a teenager. So I mean, it’s just another example of someone who is of the next generation who is really coming out and finding these bugs.

Mickos: But there’s sort of a bigger question: We must trust the young, we must give the young responsibility, we must give them recognition when they do something useful, and then they will do more useful stuff.

TP: Great point. Alright, well, thank you so much, Marten.

Mickos: Thank you.

Source

The data-breach onslaught continued this week with casualties sprinkled across the globe. Victims included retailers, banks and one state-owned gas station. The theme this week was the Indian subcontinent, with consumers in Pakistan and India feeling the main brunt of the proceedings. A point-of-sale malware incident right here in the U.S. leads off this week’s round-up.

U.S. Restaurant-Goers Bitten by PoS Malware

A company that provides point-of-sale (PoS) systems and services for restaurant locations said that malware was able to scrape payment-card data from diners for about three weeks in January. North Country Business Products (NCBP) said that consumers who used credit and debit cards at its business partner restaurants between January 3 and January 24 are potentially affected. It didn’t venture to put a number on how many consumers could be affected, but it’s worth noting that NCBP’s reach is long, with partner restaurants running the gamut from Collins’ Irish Pub in Flagstaff, Ariz., to Vinyl Taco in Grand Forks, N.D. The full list of affected locations is available in its website notice. As is typical with PoS malware, the specific information potentially accessed includes the cardholder’s name, card number, expiration date and CVV: everything an enterprising cybercriminal needs to clone a card, or many cards. The company didn’t offer details as to how the malware was able to make its way onto its systems.

Joker’s Stash Underground Credit Card Dumps

Meanwhile, three sizable dumps of credit-card information were found to have shown up on the Joker’s Stash Dark Web forum. Group-IB told ZDNet that two contain the collective card details of 69,189 Pakistani bank customers, mostly from Meezan Bank Ltd., and, crucially, include the PINs for the cards. “Pakistani banks’ cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at 50 USD per card, while usually the price per card on Dark Web forums ranges from 10 to 40 USD,” Group-IB said. That values the two caches at $3.5 million. Also this week, a Joker’s Stash ad appeared for the “DaVinci Breach,” a dump containing the card details for over 2.15 million U.S. bank customers from 40 states; for now, it’s unclear where the data came from.

Another Day, Another Misconfigured DB

Also this week, security researcher Bob Diachenko found yet another example of a misconfigured database that was left open to the internet where anyone could see it. This one was a MongoDB instance with no password that contained 4.1GB of highly sensitive information on a half-million (458,388) individuals in India, collected by the Government of National Capital Territory of Delhi. The content, which seemed related to a company named Transerve, included “a pretty detailed portrait of a person,” Diachenko said, including names, voter card numbers, health conditions, education levels, addresses including house numbers and floor levels, and miscellany like “‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informant name.’” After Diachenko contacted CERT India, the database was secured and taken offline.

Elsewhere in India…

Meanwhile, India’s state-owned gas company Indane, which has about 90 million customers, was found to have improperly secured the website that it uses to interact with its dealers and distributors, exposing millions of Aadhaar numbers. Aadhaar numbers are similar to Social Security numbers in the U.S.: they’re a government identity mechanism. Somehow, part of Indane’s site was indexed by Google, allowing access to the dealer database, even though the site is supposed to be password-protected. After being tipped off on Twitter, researcher Baptiste Robert wrote a Python script to crawl the database, and he estimates the total number of those affected to surpass 6.7 million. “By running this script, it gives us 11,062 valid dealer IDs,” he wrote in a blog post. “After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak. Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.” Neither Indane nor Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), has responded to the news.

Interested in learning more about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET. Join Threatpost senior editor Tara Seals and a panel of mobile security experts, including Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout. They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.

Source

A team of cybersecurity researchers from the University of New Haven yesterday released a video demonstrating how vulnerabilities that programmers often underestimate could have allowed hackers to compromise the privacy and security of your virtual reality experience, as well as the real world around it.

According to the researchers (Ibrahim Baggili, Peter Casey and Martin Vondráček), the underlying vulnerabilities, technical details of which are not yet publicly available but were shared exclusively with The Hacker News, resided in a popular virtual reality (VR) application called Bigscreen and in the Unity game development platform on which Bigscreen is built.

Bigscreen is a popular VR application that describes itself as a “virtual living room,” enabling friends to hang out together in a virtual world, watch movies in a virtual cinema, chat in the lobby, make private rooms, collaborate on projects, share or control their computer screens in a virtual environment, and more.

Scary Things Hackers Can Do to Your VR Experience

As shown in the video, the flaws in the Bigscreen app allowed researchers to remotely hijack Bigscreen’s web infrastructure (which runs behind its desktop application) and carry out multiple attack scenarios through a custom-designed command-and-control server, including:

- discover private rooms,
- join any VR room, including private rooms,
- eavesdrop on users while remaining invisible in any VR room,
- view VR users’ computer screens in real time,
- stealthily receive a victim’s screen sharing, audio and microphone audio,
- send messages on the user’s behalf,
- remove/ban users from a room,
- set up a self-replicating worm that could spread across the Bigscreen community,
- and many more.

What’s Even More Worrisome?

Besides this, a different vulnerability in the Unity Engine Scripting API, which the researchers exploited in combination with the Bigscreen flaw, allowed them to take complete control over VR users’ computers by secretly downloading and installing malware or running malicious commands, without requiring any further interaction.

Bigscreen VR App and Unity Engine Vulnerabilities

According to the in-depth technical details shared with The Hacker News, the Bigscreen flaws in question are persistent/stored cross-site scripting (XSS) issues in the input fields where VR users submit their username, room name, room description and room category in the Bigscreen app. Since the vulnerable input boxes were not sanitized, attackers could have leveraged the flaw to inject and execute malicious JavaScript code in the application of other users connecting to the Bigscreen lobby and VR rooms.

“The payload script will be executed upon the browser-based player entering a room, affecting all members of the room. This attack vector allows for the modification/invocation of any variable/function within the scope of the Window,” researchers told The Hacker News. “In summary, the ability to execute JavaScript on the victim’s machine allows for many other attacks such as phishing pop-ups, forged messages, and forced desktop sharing.”

“We observed a lack of authentication when handling private room joining and communications with the Bigscreen signaling server. As a result, several potential vulnerabilities arise, to include denial of service, manipulation of public rooms, brute force attacks, and server resource exhaustion.”

As demonstrated by the team, attackers could also inject malicious JavaScript payloads that leverage an undocumented and potentially dangerous Unity Scripting API to secretly download malware from the Internet and execute it on a targeted system, or for all users.

“The function Unity.openLink() was found to launch web links in the default browser. An XSS attack containing an HTTP, FTP, or SMB link could cause arbitrary files to be fetched and downloaded,” researchers told The Hacker News. “We expect that most of the applications using the affected Unity API may be vulnerable.”

The team discovered the vulnerabilities while testing the security of VR systems through its National Science Foundation-funded project.

Man-in-the-Room (MITR) Attack

As dubbed by the researchers, Man-in-the-Room is one of the attack scenarios, where a hacker secretly joins a VR room while remaining invisible to the other users in the same room. “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded,” said Ibrahim Baggili, founder and co-director of the Cyber Forensics Research and Education Group.

The team found that the Bigscreen application uses dynamically loaded libraries (DLLs) without integrity checking, which allowed the researchers to modify the code of selected libraries and change their behavior, letting them hide their presence from the UI using XSS payloads.

“Our proof-of-concept WebRTC application was able to connect to the legitimate Bigscreen application. This led to complete control over one end of the audio/video/microphone/data streams. Our application was invisible in the VR room because it did not send any data to other peers,” the researchers said.

The team responsibly reported their findings to both Bigscreen and Unity. Bigscreen acknowledged the security vulnerabilities in its “servers and streaming systems” and released the new Bigscreen Beta “2019 Update,” which fully patches the issues. Unity, meanwhile, acknowledged the vulnerabilities by merely adding a note to its documentation stating that its platform “can be used to open more than just web pages, so it has important security implications you must be aware of.”
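As an added defensive example (not Bigscreen’s or Unity’s own code), the following JavaScript puts the two weaknesses described above side by side: room metadata fields (username, room name, description, category) concatenated straight into markup versus HTML-encoded before rendering, and a scheme allowlist in front of a hypothetical link-launching wrapper standing in for a call like Unity.openLink(). The room record, payload strings and function names are constructed for this example.

```javascript
// Added defensive example (not Bigscreen's or Unity's code). Two guards for the
// weaknesses the article describes: stored XSS via unsanitized room fields, and a
// link-launch API that accepted any URL scheme. All names and values are constructed.

// Constructed room record as a signaling server might hand it to a client. The field
// names follow the article; the values carry typical XSS strings for demonstration.
const untrustedRoom = {
  username: 'alice<img src=x onerror="stealScreen()">',
  name: 'Movie night" onmouseover="stealScreen()',
  description: '<script>forceDesktopShare()</script>Come watch!',
  category: 'Movies & TV',
};

// HTML-encode the five characters that can end a text node or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted fields concatenated straight into markup that a
// browser-based player will parse, so a stored payload runs for everyone who enters.
function renderRoomCardUnsafe(room) {
  return `<div class="room" data-name="${room.name}">` +
    `<h3>${room.name}</h3><p>${room.description}</p>` +
    `<span>${room.category}, hosted by ${room.username}</span></div>`;
}

// Hardened pattern: every untrusted field is encoded for the quoted-attribute or
// text context it lands in, so the same payloads are displayed, not executed.
function renderRoomCardSafe(room) {
  const e = escapeHtml;
  return `<div class="room" data-name="${e(room.name)}">` +
    `<h3>${e(room.name)}</h3><p>${e(room.description)}</p>` +
    `<span>${e(room.category)}, hosted by ${e(room.username)}</span></div>`;
}

// The second weakness: a link-opening primitive that launched HTTP, FTP or SMB URLs
// alike. Before handing a user-supplied URL to any such call (openExternalLink below
// is a hypothetical wrapper, not Unity's API), allowlist the scheme and refuse the rest.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function safeLinkTarget(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));     // needs an absolute URL; relative or UNC input throws
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // drops smb:, ftp:, file:, javascript: ...
  if (url.username || url.password) return null;       // no embedded credentials
  return url.href;                                     // normalized URL that may be launched
}

function openExternalLink(rawUrl, launcher) {
  const target = safeLinkTarget(rawUrl);
  if (target === null) return false;   // blocked: nothing is launched
  launcher(target);                    // e.g. the platform's real open-link call
  return true;
}

// Stand-alone demonstration output.
console.log('unsafe:', renderRoomCardUnsafe(untrustedRoom));
console.log('safe:  ', renderRoomCardSafe(untrustedRoom));
for (const link of ['https://example.com/help', 'smb://fileserver/share/payload.exe']) {
  console.log(link, '->', openExternalLink(link, (u) => console.log('  launching', u)));
}
```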

Source

Threatpost editors Lindsey O’Donnell and Tom Spring discuss the biggest news of the week ended Feb. 22, including a report about flaws in password managers, and a 19-year-old flaw found in WinRAR. The Threatpost team also discussed an upcoming webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout will join Threatpost senior editor Tara Seals to discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon.

Transcript below:

Lindsey O’Donnell: Welcome to the Threatpost news wrap for the week ended February 22, and you’ve got the Threatpost team here: myself, Lindsey O’Donnell, and editor-in-chief Tom Spring. Tom, how’s it going?

Tom Spring: Pretty good, Lindsey, I just heard a little ding.

LO: Yes, the emails for RSA keep coming – can’t really get rid of that.

TS: Is that another RSA email in your inbox?

LO: Well, with RSA coming in two weeks, we’re really ramping up discussion with vendors and getting a lot of pitches for that.

TS: For sure. I’m actually really psyched about RSA and there’s some really awesome sessions and I’m really looking forward to meeting some of the contacts and some of my peers and it’s going to be a really fun show. But I agree the noise factor coming out of the RSA conference in March is just enormous. I have to put my computer on mute because I just get too many pings for requests to me, new research, everything. If the noise factor is any indication of what’s going to be going on at RSA, it should be pretty good, right?

LO: Yeah, I’m excited. I mean, it’s only a couple of days, but so much happens in those days, security-wise, and there’s just such an opportunity to meet with researchers and really learn about new reports and what to look out for. So there’s definitely a lot to look forward to there. But looking to the present, despite starting off with having President’s Day on Monday, we really had a pretty insane week, news-wise – Tom, what are you seeing from your end of the spectrum?

TS: Well, it’s kind of like you can’t cover it all and you sort of have to pick and choose. We had some really good strong stories this week. I was a little overwhelmed by the cavalcade of news that came pouring in over the past couple days, from keyloggers, Drupal core, critical remote-execution bugs – to new research on Microsoft Edge that shows it lets Facebook run Flash code behind users’ backs to reverse location search warrants. I mean, we really ran the gamut in terms of the news, which was just a waterfall of information that we sorted through. But you did a pretty good job. I mean, you covered a couple stories in between making RSA conference appointments with that 19-year-old bug that WinRAR plugged. I love WinRAR, WinRAR is my go-to media player and I was really alarmed that there was a bug that lasted so long. Tell me a little bit more about the bug.

LO: Yeah, I feel like the main point and the main takeaway there was that it was 19 years old. I was thinking back to what existed 19 years ago and you know I was basically a kid at that point. So for background, WinRAR, which as you mentioned is this popular Windows data compression tool, had and patched a serious code-execution flaw. The platform itself is amazingly popular. I think they said it had 500 million users. So the issue stemmed from a third-party dynamic link library within WinRAR, and because that dynamic link library hadn’t been updated since [2005], that allowed the researchers with Check Point who discovered this flaw to essentially extract malicious files in the tool. So what could happen is a hacker could use spear-phishing or some sort of similar tactic to send an unknowing victim a disguised malicious file, and when the victim opens that file in WinRAR, that file would automatically extract in their startup folder and then malware could quickly be planted on their system. So that was patched, and I mean it’s a fairly easy-to-carry-out path-traversal flaw. And not only was it patched, but then when I reached out to WinRAR, they said that in terms of that third-party library I was talking about, because it hadn’t been updated for so long, and they didn’t have access to its source code even, they decided to drop that format support in order just to completely protect its user database.

TS: Yeah, the code reuse in these repositories is notorious for creating these kinds of vulnerabilities where a component is used by a developer and it hasn’t been updated, and the developer doesn’t do due diligence, and all of a sudden the component becomes an exploit or a vulnerability is found in the component, and the component is never updated. And then the repository file never gets updated and the code goes out the door. Veracode does a lot of really interesting work, they have a lot of interesting studies on code reuse and it’s pretty alarming how many software programs really have these types of problems where they’re relying on third-party libraries to basically do basic functions in their software where you have these glitches. But there’s not much of a pass you can give WinRAR for a 19-year-old bug like that, I mean that’s a different story.

LO: Right, and especially given the fact that the specific library hadn’t been updated since 2005 or 2006 or whatever it was, but it is kind of hard to, as you said, keep track of those types of things as well. And another point is that when I was looking on social media for some of the reaction to this and talking to different researchers, looking at a different side of the story is that as far as we can tell there hasn’t been any sort of exploit of this vulnerability. So while it has existed for 19 years, it hasn’t been found by the bad guys for 19 years – so at least there’s that.

TS: Well I’ve gotta say, I’ve always wondered whether or not these exploits have actually really been discovered. I mean if you’re a criminal and you find an exploit or you find a vulnerability and it’s working for you, you’re not going to jump up and down and say, ‘hey look what I found.’ You’re going to quietly exploit it until your moneymaker, so to speak, dries up. So good for WinRAR, I gotta tell you it warms my heart to hear that they’re fixing their software and next time I launch the media player and it asks me to update I definitely will.

LO: Yes, but I feel like that wasn’t the only big news we had. In fact, you wrote a very big story about a research report that was written about different password managers and a flaw found in those managers, and that really kind of piqued the interest of the security world. Can you talk a little bit about that and what their reaction to that story has been so far this week?

TS: Well, you know, I think it was a big story for us. I don’t know how much it resonated throughout the internet or throughout the infosec community. I think it was a memory management issue with these password managers: 1Password, Dashlane, KeePass and LastPass. These four password managers represent a huge, huge user base. These researchers, Independent Security Evaluators, took a close look at them and they found that when the actual password managers were in use, that the way that it’s saved, the master password or individual credentials, was in an insecure memory within Windows 10 PCs. Now, this doesn’t impact any of the mobile applications. But it does impact the Windows PC ecosystem in a sense that the master keys could be plucked from memory in clear text. Now, there are lots of caveats to that; the application needs to be in use. And also it would have to be from a local attacker, meaning the person would have to have access to your PC to exploit and to grab the passwords from memory. The other option would be if a remote attacker was able to have access to your system, which obviously presents a whole new host of problems that you have to contend with – never mind them being able to pluck a password out of insecure memory. But the story gets a little more interesting in a sense that these password manager companies said, ‘yeah, you know, we understand what the issue is here and there are trade-offs and it’s an acceptable risk.’ Now I’m oversimplifying what they stated, but I really feel like they pushed back on the research and they said that the storage of the password in the memory was something that they were aware of and that they did not see it as a huge risk given the prerequisite for being able to [exploit this]. And they more or less each came out with these statements saying, “the research is interesting, we understand the problem and here’s why you shouldn’t worry about the problem too much.” And I think one of them actually did update their tool to make sure that they had some process memory protection built in. I think it was LastPass. And then the researchers came back and said, “hey listen, you know you guys are not the only password managers on the block, and other password managers do protect the memory and it’s not an impossibility and you know … it’s not an acceptable risk.” But importantly, they also said that these password managers are awesome. And you should keep on using them. They have their flaws. And if the trade-off is you don’t use a password manager, then shame on you. Because these do serve a purpose. And they’re better than nothing, essentially. And, you know, given the incredible amount of password reuse and the incredible amount of breaches, I think it does make sense to keep on using a password manager to make sure that you use the best password-management practices possible.

LO: Yeah, I mean, I think that this story is almost reminiscent, if you remember, of that two-factor authentication report that we wrote about earlier this year. It’s almost reminiscent of that because there’s a lot of opinions about password managers and whether they’re kind of worth this specific security risk or whether it’s worth even discussing the risks if it causes people to stop using such an effective security tool. But you know for ISE, the research firm that had written the report, at least they had, it was almost like a disclaimer that said that it’s better to have password managers than to not have password managers. So at least, you know, they took note of that. And at the same time were advocating for the password-manager firms in question to tighten up their application memory management. It’s definitely kind of a tricky balancing act there because you do want to promote the security tools but then you also, when there is a security issue with the security tool, that raises a whole different question. But what did the researcher say? Did you talk to the researcher in response to what the password managers had said? Did he have anything else to add to that?

TS: Yeah, Adrian Bednarek, he was the lead researcher on this, he reached out to me, we connected via Twitter private message, and he was very vocal, and again I think I said it before, he said, “hey listen, you can use data sanitization in the context of memory and make sure that clear text passwords are not available for hackers.” And again he stressed the fact that these are great password managers, they are better than nothing and that you should still keep on using them, but he did stress the point that you can effectively fix this problem and the companies that said that it was an acceptable risk or it was a known vulnerability that they were not going to address is not acceptable. So he’s sort of, you know, responded to the criticisms that these guys said, doubling down on his assertion in this initial research saying, you could be doing better.

LO: Well, I’d be curious to see if 1Password and Dashlane and KeePass change their view at some point, their viewpoint of memory-management issues, looking at if this is an acceptable risk or if they, like LastPass, also decide to do some sort of patch. So it should be something to keep an eye on.

TS: Yeah, for sure. For sure.

LO: You know, those were kind of the big stories that we saw this week. I know looking forward to next week, we actually have (for those listeners of this podcast who don’t know) a big webinar coming up on Wednesday. And I’m actually going to attach a link to this podcast article where you can learn more and register. But it should be a really great discussion about enterprise mobile security and the top mobile threats that we’ll face in the future. We’re talking with a panel of experts from Google, Gartner, Lookout — with our own editor, Tara Seals. So we’re excited about that. We’ve been preparing for that. And there’s actually been a whole lot of mobile-related news over the past month so I think it should be perfect timing to kind of discuss some of the bigger themes and implications of these risks and threats.

TS: Yeah, no, it should be a pretty interesting webinar and I’m interested to see what comes out of it especially with such great speakers.

LO: Well, I think I better get back to my RSA emails and getting back to the daily work.

TS: It’s been an interesting week and we’ll rest up and do it all over again on Monday.

LO: Sounds good, everyone tune in for the Threatpost news wrap next Friday and thanks for listening today.

Do you use a password manager? Or do you think they pose too much of a risk, holding all the keys to the kingdom? Weigh in with our poll, below. A little background: There have been vulnerabilities found before in this kind of software, which is meant to take the headache out of remembering multiple unique passwords by remembering them for you. Malware has also been found targeting it. The latest is word that a local adversary can crack open and steal passwords stored by the 1Password, Dashlane, KeePass and LastPass utilities. Adrian Bednarek with Independent Security Evaluators (ISE) wrote in his research report that each of them “fails in implementing proper secrets sanitization for various reasons.” The firms have fiercely hit back on the assessment that this poses a serious risk, and indeed, even for ISE, this was far from a deal breaker. But at the same time, they also advocated that password-manager firms tighten up their application memory management. How do you feel about password managers? Take our short poll and let us know. Also feel free to comment on this post with any meatier thoughts you may have.
