Untitled Goose Game security hole could have allowed hackers to wreak havoc

Is nothing sacred?

The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.

“Untitled Goose Game”, which allows players to take control of a truly horrendous goose terrorising an unsuspecting village, is considered by some to be one of the year’s most fun indie video games and is available for Windows, macOS and Nintendo Switch.

And as word spread of just how much fun it was possible to have making a mischief of yourself honking at an elderly man in his garden and almost giving him a heart attack, the game quickly became a viral sensation.

HONK!

Now, with details published of a vulnerability in the way the game reads its save files, “viral” might almost take on a different meaning.

Security researcher Denis Andzakovic of Pulse Security found a remote code execution vulnerability in “Untitled Goose Game” that could be exploited by hackers.

According to Andzakovic, if an attacker was able to trick a game player into loading a poisoned save file for the game, the vulnerability could be leveraged to execute malicious code.

Such a technique could be used to plant other malware or spyware onto the computer of a fan of “Untitled Goose Game”. Not that such a fan is likely to have much of value on their infected computer, as they will be spending all their time pretending to be an anti-social goose rather than getting any work done…

As a proof-of-concept, the researcher was able to create a booby-trapped save file for the game which, when loaded, ran Windows Calculator. Of course, the payload could easily be changed for something nastier.

Fortunately, Andzakovic believes in responsible disclosure and informed House House – the Australian developers of “Untitled Goose Game” – of the issue in October, and patches for the game have now been rolled out.

Version 1.0.6 and later of “Untitled Goose Game” are said to be patched against the vulnerability, and one week after the 1.0.6 update was issued, Andzakovic went public with his findings.

There is no evidence that anybody, other than the security researcher who found the flaw, has tried to exploit the vulnerability. But unusual examples of software flaws like this are a salutary reminder to all programmers to think carefully about how an attacker might attempt to exploit weaknesses in their code, and potentially compromise the computer of the very people they are trying to entertain.

HONK!

Lazarus Group May Have Hacked Indian Nuclear Power Plant

Authorities from the Nuclear Power Corporation of India Limited (NPCIL) have admitted that malware, believed to originate from the Lazarus Group, infected the administrative network of the Kudankulam Nuclear Power Plant.

Initial reports about possible problems with the Kudankulam Nuclear Power Plant (KKNPP) surfaced a couple of days ago when a researcher who used to work for India’s National Technical Research Organization (NTRO) made the connection by using published results from VirusTotal. Now, the NPCIL has admitted that intruders had access to an administrative network.

Pukhraj Singh, the researcher who discovered the intrusion, referred to the event as casus belli, a Latin term used to describe an act of war. Talking with Ars Technica, Singh explained that he called the event an act of war because of a second target, which he also reported to the government but didn’t want to name publicly.

“Indication of malware in the NPCIL system is correct,” said NPCIL Associate Director A. K. Nema in a communique. “The matter was conveyed by CERT-in when it was noticed by them on September 4, 2019. The matter was immediately investigated by DAE specialists.”

“The investigation revealed that the infected PC belonged to a user who was connected to an Internet-connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored.”

The attackers used malware called DTrack, which is a tool commonly employed by the Lazarus Group, a North Korean state actor. The fact that the intrusion was found accidentally could mean the hackers didn’t want to make their presence known. It’s unclear whether any information was stolen, and there’s no indication of what the second target might be.

American Cancer Society Website Visitors Should Check Their Bank Statements

Magecart hackers compromised the online shop of the American Cancer Society and may have had access to all online payments made by visitors. The e-skimming attack was caught early, but it’s not known how much data was intercepted.

An e-skimming group named Magecart inserted malicious code into the cancer society’s Cancer.org shop. The sole purpose of the intrusion was to intercept credit card payments, with personal data most likely ending up on the dark web.

Magecart is comprised of a series of criminal groups that focus on e-skimming attacks, designed to infiltrate websites and capture credit card information. They can gain entry through leaked credentials, a phishing campaign, or known vulnerabilities found in backend software used by the companies.

The intrusion was detected by researcher Willem de Groot, who explained to TechCrunch that the attackers mimicked legitimate analytics code to cover their tracks. Even though the code was obfuscated, the researcher figured out that a third-party server was receiving the information.

The American Cancer Society has yet to make an official statement, but researchers saw that the small piece of code was removed after a few days.

Interestingly enough, the FBI recently issued an advisory regarding the potential impact of e-skimming on small and medium businesses. The American Cancer Society intrusion goes to show that all types of organizations, and not just companies, are open to this kind of attack.

Two Companies in New Jersey Hacked with Keyloggers

A hacker from New Jersey could spend the next 12 years in prison after he confessed to using keyloggers to steal data from two companies for more than a year.

Ankur Agarwal, 45, of Montville, New Jersey, admitted he placed hardware keyloggers into the network of the companies so he could steal users’ names and passwords. The end goal was to steal proprietary data regarding technology developed by the companies.

Hacking usually takes place from remote locations, but installing hardware keyloggers requires physical access to the networks. The intruder trespassed on location, then added keyloggers and laptops, which were used to siphon information from February 2017 until April 2018.

According to an Ars Technica report, Agarwal stole more than 15,000 files that included details about the technology, HR data, personal information, and emails. The hacker also sought credentials for the chief network engineer and a network engineer.

“Agarwal also obtained unauthorized access into an employee’s computer system and then fraudulently created an access badge for himself. This fraudulently obtained access badge, bearing another individual’s name, allowed Agarwal to physically trespass,” said the U.S. Attorney’s Office for the District of New Jersey.

With multiple charges against him, Ankur Agarwal is now facing a total of 12 years in jail, with a mandatory minimum of two. He has to forfeit numerous computers, devices, and all other equipment used in the crime. He’s also liable for $750,000 in fines.

Sentencing is scheduled for January 28, 2020.

Australia sues Google for allegedly misleading Android users about location data collection

Google’s Australian arm is under fire from local watchdogs over its data collection practices on Android devices – specifically, the counterintuitive nature of location data settings.

On Tuesday, October 29, the Australian Competition & Consumer Commission (ACCC) instituted proceedings in the Federal Court against Google Australia Pty Ltd., alleging “they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses.”

The case focuses on two Google Account settings that, only when switched off together, prevent Google from collecting data about Android users’ location. The settings are labelled ‘Location History’ and ‘Web & App Activity’.

“From January 2017 until late 2018, it was misleading for Google to not properly disclose to consumers that both settings had to be switched off if consumers didn’t want Google to collect, keep and use their location data,” the ACCC alleges.

“Our case is that consumers would have understood as a result of this conduct that by switching off their ‘Location History’ setting, Google would stop collecting their location data, plain and simple,” said ACCC Chair Rod Sims. “We allege that Google misled consumers by staying silent about the fact that another setting also had to be switched off.

“Many consumers make a conscious decision to turn off settings to stop the collection of their location data, but we allege that Google’s conduct may have prevented consumers from making that choice,” said Sims.

Google allegedly also misled consumers about the kill-switch by claiming that the only way to stop Google from collecting and using customers’ location data was to stop using certain Google services altogether, including Google Search and Google Maps.

“However, this could be achieved by switching off both ‘Location History’ and ‘Web & App Activity’,” the suit alleges.

The ACCC is seeking unspecified penalties and wants Google to publish “corrective notices” about its data collection practices and the settings that customers can use to regain control of their data. The commission also seeks the establishment of a compliance program.

UniCredit leaks 3 million customer records in data breach

Italian banking giant UniCredit has suffered a “data incident” that exposed 3 million customer records, including full names, phone numbers and email addresses.

UniCredit issued an urgent security notice yesterday announcing that a file containing personally identifiable information (PII) of millions of customers had been leaked. The file had been created in 2015, according to the announcement.

“The UniCredit cyber security team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. The records consist of names, city, telephone number and email only. Consequently, no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” reads the notice.

The leaked data may not allow a bad actor to conduct unauthorized transactions, but it can be used to conduct phishing scams, identity theft, and even synthetic identity fraud – where a cybercrook combines real and fake information to create an entirely new (but fake) identity.

UniCredit is now investigating the incident internally and has informed the relevant authorities. The announcement ends with UniCredit saying it takes cybersecurity very seriously – so much so that “the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cyber security.”

The bank has also implemented a strong identification process for payment transactions and other privilege-based actions that requires a one-time password or biometric identification.

The incident marks UniCredit’s fourth data breach in as many years, after two breaches in 2016 and another in 2017.

UniCredit was also the first company fined under the GDPR in Romania, after exposing Romanian customers’ personal identification numbers through a misconfigured online portal. This week’s incident is similar, meaning UniCredit is likely to incur another penalty under the legislation that protects EU residents’ personally identifiable data. The fine is typically calculated based on the severity of the leak. The incident in Romania was fairly minor, yet serious enough to make UniCredit cough up 130,000 euros. Considering the scope of this week’s incident in Italy, a new penalty would likely be higher.

Adobe exposes 7 million Creative Cloud accounts online

Creative software giant Adobe has issued a security notice confirming the embarrassing exposure of over 7 million user accounts, potentially leaving users vulnerable to phishing scams.

On Friday, an Adobe blog entry titled “Security Update” disclosed that a misconfigured “environment” led to the exposure of customer information. The full announcement reads:

“At Adobe, we believe transparency with our customers is important. As such, we wanted to share a security update.

“Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability.

“The environment contained Creative Cloud customer information, including e-mail addresses, but did not include any passwords or financial information. This issue was not connected to, nor did it affect, the operation of any Adobe core products or services.

“We are reviewing our development processes to help prevent a similar issue occurring in the future.”

The announcement is short on details. However, a report by Comparitech sheds more light on the issue. The site reportedly made the discovery in partnership with security researcher Bob Diachenko, who immediately notified Adobe. The company patched the flaw the same day (October 19).

The exposed Elasticsearch database held close to 7.5 million Creative Cloud user accounts and could be accessed without a password or any other authentication. It is estimated that the database exposed user data for about a week – plenty of time for someone to exfiltrate the data and use it in phishing scams and fraud.

The report also mentions that, in addition to leaking emails, the exposed database held information like: account creation date; which Adobe products the user owns; subscription status; whether the user is an actual employee at Adobe; member ID; country; time since last login; payment status. In other words, plenty of information to craft a highly convincing phishing scam. There is no immediate indication that the exposed information has been compromised.

Update your iPhone 5 before November 3 2019, or lose its internet access

Listen up if you’re still using an iPhone 5 – you need to update to iOS 10.3.4 before Sunday November 3, or you may find your smartphone loses access to the internet.

The warning comes from Apple itself, which says that an iOS update is essential for features that require the correct date and time – such as the App Store, iCloud, email, and web browsing.

In other words, if you want to do anything actually useful with your iPhone 5 beyond making calls, you had best update its operating system.

Some affected iPhone 5 users report that they have seen a warning message appear on their device’s home screens advising them to take action now, rather than leave it until it’s too late.

In its advisory, Apple explains that the problem is related to an essential update required to properly maintain accurate GPS location information. GPS-enabled devices from other manufacturers were affected by the GPS Rollover issue earlier this year on April 6:

“Starting just before 12:00 a.m. UTC on November 3, 2019, iPhone 5 will require an iOS update to maintain accurate GPS location and to continue to use functions that rely on correct date and time including ‌App Store‌, ‌iCloud‌, email, and web browsing. This is due to the GPS time rollover issue that began affecting GPS-enabled products from other manufacturers on April 6, 2019. Affected Apple devices are not impacted until just before 12:00 a.m. UTC on November 3, 2019.”

To avoid the problem, users of the iPhone 5 and the 4th generation iPad are advised to update to iOS 10.3.4 before November 3.

If you are still running an iPhone 4s then you are advised to update your device to iOS 9.3.6 before November 3. The same advice is true for owners of the following cellular-enabled iPads: the first generation iPad mini, the iPad 2, and the third generation iPad.

The iPod touch and any iPad models that have Wi-Fi only are not affected.
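Apple’s notice attributes the problem to the GPS time rollover. The following added Python example (not code from the article or from Apple) shows why a 10-bit week counter forces a receiver to pick one 1024-week window, and how a window anchored at a “pivot” date (assumed here to be something like a firmware build date) closes exactly 1024 weeks later. The pivot 2000-03-19 is a constructed value chosen so that its window closes on November 3, 2019; the article does not say what any real chipset uses.

```python
from datetime import date, timedelta

# Added illustration of the GPS week-number rollover; not code from the article.
# The broadcast week field is 10 bits wide, so the satellites' week count wraps
# to 0 every 1024 weeks (about 19.6 years).
GPS_EPOCH = date(1980, 1, 6)   # GPS week 0 began on this Sunday (UTC)
WEEK_MODULUS = 1024            # 2**10 distinct values in the broadcast field


def full_week(d: date) -> int:
    """Weeks elapsed since the GPS epoch, without any truncation."""
    return (d - GPS_EPOCH).days // 7


def broadcast_week(d: date) -> int:
    """The week number as it actually arrives from the satellites (10 bits)."""
    return full_week(d) % WEEK_MODULUS


def naive_decode(week10: int) -> date:
    """A receiver that assumes the very first 1024-week span.

    Correct only until the first rollover on 1999-08-22; afterwards every
    fix lands at least 1024 weeks in the past.
    """
    return GPS_EPOCH + timedelta(weeks=week10)


def pivot_decode(week10: int, pivot: date) -> date:
    """The usual fix: treat `pivot` as the earliest date the device can be
    running and pick the unique 1024-week span starting at or after it.
    Correct only while pivot <= today < pivot + 1024 weeks.
    """
    pivot_week = full_week(pivot)
    base = pivot_week - (pivot_week % WEEK_MODULUS)  # start of pivot's span
    candidate = base + week10
    if candidate < pivot_week:          # value must belong to the next span
        candidate += WEEK_MODULUS
    return GPS_EPOCH + timedelta(weeks=candidate)


def window_closes(pivot: date) -> date:
    """First Sunday on which a pivot-based decoder starts returning wrong dates."""
    return GPS_EPOCH + timedelta(weeks=full_week(pivot) + WEEK_MODULUS)


if __name__ == "__main__":
    # Constructed pivot (hypothetical): chosen so its window closes on the date
    # in Apple's notice. A firmware update would move the pivot forward.
    OLD_PIVOT = date(2000, 3, 19)
    NEW_PIVOT = date(2019, 4, 7)
    print("old pivot's window closes on:", window_closes(OLD_PIVOT))
    for day in (date(2019, 4, 7), date(2019, 10, 27), date(2019, 11, 3)):
        w = broadcast_week(day)
        print(f"{day} field={w:4d} naive={naive_decode(w)} "
              f"old_pivot={pivot_decode(w, OLD_PIVOT)} "
              f"new_pivot={pivot_decode(w, NEW_PIVOT)}")
```

Running it shows the old-pivot decoder tracking the calendar correctly through October 27, 2019 and then jumping back 1024 weeks on November 3, which is exactly the kind of date/time failure that breaks TLS validation and, with it, the App Store, iCloud and web browsing.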

Concerned iPhone users can check which version of iOS they are currently running by following these steps:

  • Open Settings
  • Click on General -> About
  • Check the number next to Software version

Apple has shared details on how iPhone and iPad users can update their devices here.

According to Apple, iPhone 5 owners who do not manage to complete the operating system update by November 3, 2019 will be required to back up and restore using a computer in order to update as over-the-air software updates and iCloud Backup will not be available.

Sensitive US government and military travel details left exposed online

Significant amounts of sensitive data about US government employees and military personnel could now be in the public domain following its exposure in a data leak.

Israeli security researchers Noam Rotem and Ran Locar discovered 179 GB of data on an unsecured AWS server, run – they believe – by a travel services firm.

The database is thought to belong to AutoClerk, a reservation management system recently acquired by Best Western Hotels and Resorts Group, and revealed the sensitive personal details of thousands of people, including their hotel and travel reservations.

Data exposed by the unsecured web bucket, which could be accessed by anybody without the use of any passwords, included:

  • Full name
  • Date of birth
  • Home address
  • Phone number
  • Dates & costs of travel
  • Partial credit card details

In some cases the data even included logs for US Army generals travelling to such destinations as Moscow and Tel Aviv, as well as individuals’ hotel room numbers and check-in times.

The researchers also note that they were able to view “many unencrypted login credentials to access accounts on additional systems external to the database”, opening the possibility that other hotel and accommodation reservation systems could also be at risk of compromise by hackers.

In its blog post announcing the researchers’ discovery, VPNMentor described the incident as “a massive breach of security for the government agencies and departments impacted.”

The researchers explained how they were able to access the sensitive data:

“Whoever owns the database in question uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time.”

Uncertain as to who the database belonged to, although suspecting it was AutoClerk, the researchers first contacted the United States Computer Emergency Readiness Team (CERT) without success. Ultimately it was only after reaching out to the US embassy in Tel Aviv, and making contact with the Department of Defense at the Pentagon that the unsecured database was finally closed – weeks after its initial discovery.

What’s particularly frustrating is that data leaks like this are so easy to prevent. A series of very public data breaches from unsecured web servers – some even previously from defence contractors – could have been avoided if the database owners had configured their security properly.

FTC Orders MobileSpy, PhoneSheriff and TeenShield Vendor to Destroy User Data

The US Federal Trade Commission (FTC) has released an advisory warning the public of the risks of mobile spyware, shortly after reaching a deal with Retina-X Studios LLC, a company making a few stalkerware apps.

The settlement comes after it was revealed that the MobileSpy, PhoneSheriff and TeenShield apps were improperly used to spy on people. Google allows some forms of tracking, but only with the consent of the people tracked, and the tracking app must be visible while running.

Mobile spyware is not new, and advanced protection solutions are trained to detect when applications are spying on people. Some of these apps are designed for parents or companies, but people abuse them.

“According to the FTC’s complaint, Retina-X did not make sure purchasers were using the apps for legitimate purposes. In fact, to install the apps, purchasers often had to weaken the security protections on your smartphone (sometimes called jailbreaking or rooting). Plus, once a purchaser installed the app on your phone, they could remove the icon, so you wouldn’t know they were monitoring you,” the FTC said in the advisory.

As part of the settlement, Retina-X now has to make sure its apps can only be used in legitimate scenarios, and all the data collected so far, often without the user’s knowledge, must be destroyed.

The FTC advises people who suspect they might be the victim of stalkerware to check whether their phone was rooted without their knowledge. A phone with root access allows people to bypass some security measures, which means that the victim won’t know when spyware apps are running. Resetting the phone to factory settings is a good start but, if you feel that’s not enough, you could replace the phone entirely.

Lastly, if you find stalkerware apps on your phone, it’s advisable to consult law enforcement and domestic violence advocates on how to proceed.
