Google’s bug bounty bid to make big Android apps more secure

Google wants Android users to feel that its platform is secure, and knows that people’s confidence can be shaken when the media is full of headlines of the latest security scare.

And it’s with that in mind that Google announced this week that it was expanding its bug bounty program, which rewards security researchers who responsibly disclose vulnerabilities so that flaws can be patched as quickly as possible.

Google, which admittedly has rather deep pockets when it comes to funding such things, has said it is changing its Google Play Security Reward Program (GPSRP) so that it not only covers its own products, but additionally includes all apps in the official Google Play store which have had 100 million or more installs.

In other words, if you were to find a serious security hole in a popular Android app you could contact Google rather than the app’s developer, and Google will be happy to not only alert the developer about the flaws, but also pay you handsomely for your work.

Although Google is encouraging app developers to start their own bug bounty program through which researchers can be rewarded for disclosing vulnerabilities responsibly, it says that all popular Android apps with 100 million or more installs are now automatically eligible under GPSRP.

“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” wrote Adam Bacchus, Sebastian Porst, and Patrick Mutchler of Google’s Android Security & Privacy group. “If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google.”

Google says that it has helped over 300,000 app developers fix flaws in approximately one million Android apps on Google Play already, paying out $265,000 in the past. A rise in the rewards offered has seen Google pay out $75,500 in just the past few months.

Let’s not turn a blind eye to the reality here. Google has not done a great job in the past of policing the apps in its official Google Play store. On countless occasions malicious apps have been found that put Android users and their data at risk. And it’s even more common for poorly-coded mobile apps to contain vulnerabilities – even if they were not created with malicious intent.

As such, it’s hard to complain about Google expanding its bug bounty program to encourage more security researchers to look for security holes in the most widely used apps.

In addition, Google has announced a new initiative: the Developer Data Protection Reward Program (DDPRP).

DDPRP is another bounty program, but this time built specifically with the intention of identifying and mitigating “data abuse issues in Android apps, OAuth projects, and Chrome extensions.”

“In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”

According to Google, a single DDPRP report could net a researcher a bounty as large as $50,000.

Ex-Amazon worker suspected of hacking Capital One, faces charges of breaching 30 other companies to mine cryptocurrency

At the end of July, the FBI arrested a 33-year-old woman in Seattle in connection with a massive data breach at financial services firm Capital One.

33-year-old software engineer Paige Thompson, who also went by the online handle of “erratic”, was suspected of breaking into Amazon Web Services (AWS) servers used by Capital One, and stealing data related to 100 million credit card applications.

Prosecutors said that the breach included 140,000 social security numbers and 80,000 bank account numbers, culled from the many millions of card applications.

Capital One blamed the security breach on a “configuration vulnerability”.

In the latest development of this ongoing investigation, Thompson has been charged in relation to not just hacking Capital One, but a further 30 organisations. And in some cases, according to an indictment unsealed yesterday, the former Amazon systems engineer exploited servers at hacked companies to mine cryptocurrency.

The indictment alleged that Thompson exploited the fact that certain Amazon cloud customers had “misconfigured web application firewalls on the servers”, and that this misconfiguration was exploited to “obtain credentials for accounts of those customers that had permission to view and copy data stored by the customers on their Cloud Computing Company servers.”

The indictment continues to allege that Thompson used those stolen credentials to access and copy other data stored on the Amazon cloud servers, including personal identifying information, and offers a motive:

“The object also was to use the access to the customers’ servers in other ways for Paige A Thompson’s own benefit, including by using those servers for ‘cryptojacking’.”

Regular readers of Hot for Security will be all too familiar with the rapid rise of cryptojacking, where computer power can be stolen by unauthorised parties to “mine” for cryptocurrency. Most users’ experience of cryptojacking has been within their web browser, but it’s just as possible – and indeed even more attractive – for the persons doing the cryptomining to take advantage of the increased processing power offered by servers.

Other than Capital One, none of the victim organisations have been named – although some have been loosely described as a public research university, a telecoms conglomerate, and a state agency.

Thompson is scheduled to be arraigned on September 5 2019, and – if eventually convicted of the charges – could face up to 25 years in prison.

Ironically, investigators were directed towards Thompson as a suspect after an acquaintance of hers warned Capital One that stolen data had been published on Github.

The name associated with the Github account? “paigeadelethompson.”

Hackers hit Virginia school district days before school year starts

Ransomware operators compromised the New Kent County Public Schools system in the State of Virginia this week, holding students’ data ransom, in the latest of a long string of cyber-attacks targeting school systems across the United States.

The school district’s superintendent, Brian J. Nichols, said in a message to families Tuesday that files on the district’s internal systems were encrypted in a ransomware attack, causing “an undue burden as we work to start school on time and ready for our students to learn.”

“We are unable to access these files without paying a ransom,” Nichols said. It isn’t clear if the school district intends to pay the ransom. The sum demanded by the hackers is also undisclosed.

Administrators are working to rebuild the systems with the help of a team of cybersecurity experts. The school district has also enlisted the help of the FBI to investigate the attack. Based on the preliminary findings, investigators don’t believe the attackers obtained any personal identifying information.

Despite the hurdles, New Kent County Public Schools will open on time, the superintendent said.

“Our open house events will continue as scheduled. We will work through our registration process and our bus routing. We will make sure our students are scheduled for their classes the first day of school,” Nichols said.

Ransomware is among the most prolific forms of malware, creeping its way into virtually any kind of computer system across every industry, including financial institutions, hospitals and schools, as well as critical infrastructure such as energy supply. Ransomware operators continue to amass huge profits because of lax cybersecurity practices and/or technologies employed by their victims. The best defense against ransomware attacks is to keep regular backups of mission-critical data offline, on infrastructure isolated from the systems it protects.

Apple update kills iOS 12 jailbreak

The anonymous hacker who jailbroke iOS 12.4 via a recycled bug has confirmed on Twitter that Apple’s latest update for iPhones and iPads kills the jailbreak.

A vulnerability patched by Apple in iOS 12.3 was accidentally reintroduced by the iPhone maker in the recent iOS 12.4 release. A hacker using the Twitter alias @Pwn20wnd took advantage of Apple’s slip-up and developed a jailbreak, a rare hack that lets iPhone users install unauthorized apps on their devices. The company has issued a patch for the hack in iOS 12.4.1, the latest version of the operating system powering iPhones, iPads, as well as iPod touch players.

“I can confirm the exploit was patched in iOS 12.4.1,” Pwn20wnd tweeted. The hacker tells those looking to keep their jailbreak to refrain from installing the patch. However, @Pwn20wnd is the first to admit that users on iOS 12.4 are leaving themselves vulnerable to spyware.

“For example, he said, a malicious app could include an exploit for this bug that allows it to escape the usual iOS sandbox—a mechanism that prevents apps from reaching data of other apps or the system—and steal user data,” according to Motherboard.

In a support article detailing the patch, Apple credits the hacker for his “assistance,” seeming to mirror the hacker’s own ironic praise for Apple after re-exposing a known bug.

iDevice owners are strongly advised against installing jailbreak software. Instead, owners of any iPhone 5s and later, iPad Air and later, or iPod touch 6th generation should install iOS 12.4.1 without undue delay. To download the patch, on your iDevice go to Settings -> General -> Software Update and choose Download and Install.

Power plant workers in Ukraine caught using nuclear energy to mine cryptocurrency

Despite losing some steam in recent times, the cryptocurrency mining craze is still alive and kicking. Ukrainian local media reports that workers at a nuclear power plant have been caught mining cryptocurrency using the electrical power “freely” available to them from the very nuclear plant they worked at.

As the story goes, Ukraine’s Security Service (SBU) last month discovered unauthorized computer equipment at the South Ukraine Nuclear Power Station in Mykolaiv province, near the city of Yuzhnoukrainsk. The perpetrators reportedly used their own equipment and the readily available electricity generated by the nuclear plant to conduct their operation.

The unauthorized hardware included video cards, switches, hard disk drives and solid state drives, various power supplies and motherboards, as well as networking equipment that would have no place in their part of the facility. In fact, the reason the operation is considered such an offense is that the employees connected their mining gear to the web and may have leaked state secrets, according to the report by local news outlet internetua.com.

The machine-translated report states that the Security Service of Ukraine in the country’s Nikolaev region is investigating criminal proceedings based on allegations that “officials of the South Ukrainian Nuclear Power Plant in the station’s restricted premises placed unauthorized computer equipment with Internet access, as a result of which the information was disclosed about the physical protection of the station, which is a state secret.”

The report doesn’t say how much cryptocurrency the rogue employees had amassed, nor does it say how many people were involved, or what consequences await them. However, investigators reportedly found a number of security guards among the participants.

Study: Americans won’t vote for candidates who approve ransomware payments

Government officials’ decisions related to cybersecurity actively impact voting decisions among Americans, according to a recent study.

Awareness about cyber-security among U.S. residents is now so high that Americans are using this knowledge as a factor in their decision making. New research by The Harris Poll reveals that 64% of registered voters will not vote for candidates who approve of making ransomware payments. The results undoubtedly reflect public opinion regarding recent ransomware attacks targeting U.S. municipalities.

Ransomware operators have collected more than a million dollars from just two attacks on the Florida cities of Riviera Beach and Lake City. Wanting to see their taxpayer money spent more wisely, 79% of registered voters will now consider candidates’ stances on cybersecurity when making future voting decisions, according to the study.

66% of Americans believe that government organizations should never make ransomware payments to cyber criminals, a stance shared by the Federal Bureau of Investigation and the National Conference of Mayors alike. As for businesses, 64% of Americans believe they should never make ransomware payments to cyber criminals, period. Asked to elaborate, 86% reasoned that when organizations make ransomware payments, they are encouraging cyber criminals to continue with such attacks.

Furthermore, 70% of respondents agree that when organizations do make ransomware payments to cyber criminals, it is likely because they were left with no other choice. And 1 in 5 Americans have experienced a ransomware attack on a personal and/or work device. Of those who experienced an attack on a work device, 46% say their company paid the ransom.

Finally, the survey also revealed that Americans would support a federal income tax to help fund government efforts to defend against cyber-attacks.

D’oh! Apple botches iOS update, leaves iPhones open to jailbreaking

For the first time in years, hackers have created a working exploit that can jailbreak the latest, fully-updated version of iOS.

And a goof by Apple has allowed them to do it.

The result? Millions of Apple iPhone and iPad users who thought they were doing the right thing by updating their devices to iOS 12.4 are at an increased risk of being successfully attacked by hackers through the vulnerability.

Normally iPhones and iPads running the latest version of iOS are locked down, preventing users from installing code that has not been scrutinised by Apple’s security team and reducing the chances of malware infiltrating devices.

But a jailbroken iPhone or iPad opens doors for unauthorised and pirated iOS apps to be installed, which may be boobytrapped to spy upon your communications or even – potentially – hold your data to ransom.

Normally the source code for a jailbreak exploit is not made publicly available before Apple has pushed out a security update to prevent it from working.

In this case, however, things have definitely not gone to plan.

The story starts in March, when researcher Ned Williamson uncovered a security hole in iOS. However, he didn’t make details of the vulnerability public until after Apple had issued a patch – in the form of iOS 12.2 – in May.

That, most of us would have thought, would have been the end of the matter. However, somehow Apple managed to undo its patch when it released iOS 12.4 in late July.

iOS 12.4, if you recall, was an important security update for Apple’s mobile operating system because it fixed a critical vulnerability that could allow a remote attacker to attack an iPhone just by sending a maliciously-crafted iMessage.

Now we learn that although Apple successfully closed one critical security hole in iOS 12.4, it unwittingly reopened an old one.

A security researcher by the name of Pwn20wnd has publicly released a jailbreak that exploits the bug that came back from the dead.

An obvious fear is that organised criminal gangs and state-sponsored hackers might attempt to exploit the vulnerability to launch attacks, steal data, and spy on persons of interest.

Pwn20wnd told Motherboard that “it is very likely that someone is already exploiting this bug for bad purposes.”

No doubt Apple is working feverishly to fix the vulnerability once and for all and to investigate how it could have made the mistake of reopening an old security hole that everyone thought had already been patched.

When Apple does release an update to iOS, make sure to install it as soon as possible – and let’s hope they don’t break anything else in the process.

20 month prison sentence for British hacker who made fortune helping SIM-swap fraudsters

A teenage British hacker has been sentenced to 20 months in prison after pleading guilty to selling hacking services and stolen personal data for cryptocurrency.

19-year-old Elliott Gunton was no stranger to the authorities, having previously been convicted in December 2016 for his role in the infamous hack of the telecoms firm TalkTalk.

Gunton, 17 years old at the time, avoided a prison sentence in relation to the TalkTalk breach, but was given a 12-month youth rehabilitation order.

You would like to think that such a close call would teach Gunton to keep on the straight and narrow in future, but unfortunately it did not.

On September 8 2017, Gunton hacked Australian designer Phil Darwen, who runs the “A Designer’s Mind” Instagram account with more than 1.4 million followers.

Gunton seized control of the Instagram account for two weeks, setting up an auto-reply that sent “grotesquely offensive” messages to Darwen’s customers.

At the time Gunton was being monitored by police under a sexual harm prevention order (SHPO), after he had been found to be in possession of indecent images.

Under the terms of the SHPO, police checked Gunton’s laptop every six months to verify that he was complying. The SHPO banned Gunton from using incognito mode to hide his browsing activity, deleting his browser history, or doing anything else that would prevent police checking his laptop from determining what sites he had been visiting.

However, police readily admitted that their checks would not actually determine if internet browsing histories had been deleted.

“Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender. It would be impossible for us to know if he has deleted any history,” Detective Constable Jamie Hollis, of the public protection unit at Norfolk Police, was reported as saying by the Eastern Daily Press.

It was only in April 2018, when authorities learnt that Gunton was planning to appeal his SHPO, that they seized his computer for a “thorough search” and found that software had been installed to wipe his internet history and activities.

In a subsequent search of Gunton’s home, police seized an iPhone and a £10,000 Rolex watch hidden in a safe. In addition, investigators discovered that Gunton had received significant deposits in his Bitcoin wallet, including over $100,000 on just a single day.

Police were suspicious of his earnings, and Gunton claimed he had amassed a cryptocurrency fortune worth more than $380,000 through online trading.

However, police found evidence on his computer that Gunton had offered to supply compromised personally identifiable information (PII) of individuals to third parties, to assist fraudsters in hijacking mobile phone numbers through SIM swap fraud.

And despite Gunton’s attempts to wipe any evidence of wrongdoing from his computer, the authorities discovered “fragments” of conversations where he discussed criminal activity with others.

Bizarrely, despite attempting to wipe digital evidence from his hard drive, Gunton was not afraid to brag on his @Gambler Twitter account about his money-making activities:

Gunton received a 20-month prison sentence at Norwich Crown Court last week, but was immediately released because he had already served his sentence while on remand.

He has, however, been ordered to pay back £407,359, and has been issued with a three and a half year Community Behaviour Order which – amongst other restraints – limits his access to the internet, requires him to share his browsing history and any passwords with the police, and forbids him from deleting his internet history or using VPNs or proxies.

“Gunton was exploiting the personal data of innocent businesses and people in order to make a considerable profit but he did not succeed in hiding all of his ill-gotten gains which enabled us to seize hundreds of thousands of pounds worth of Bitcoin,” said Detective Sergeant Mark Stratford of the Norfolk constabulary.
