Month: January 2020

Microsoft is inviting gamers, security researchers, and technologists to pit their wits against the Xbox network in the search for security vulnerabilities.

With a newly-announced bug bounty, Microsoft is inviting bug hunters to responsibly disclose bugs and flaws that could potentially be exploited by criminals.

The company’s hope is clearly that by strengthening the Xbox Live network it will improve the experience for the more than 60 million gamers on the platform, and reduce downtime.

In order to be in the running to receive cash rewards from $500 to $20,000 for a successful proof-of-concept of remote code execution, bug hunters will need to identify a previously unreported vulnerability in the latest, fully-patched version of Xbox Live network and services. Furthermore, they are recommended to provide, “clear, concise, and reproducible steps, either in writing or in video format.”

Xbox Live vulnerabilities that Microsoft considers eligible for the bug bounty program include:

• Cross site scripting (XSS)
• Cross site request forgery (CSRF)
• Insecure direct object references
• Insecure deserialization
• Injection vulnerabilities
• Server-side code execution
• Significant security misconfiguration (when not caused by user)
• Using a component with known vulnerabilities (when demonstrated with a working proof of concept)

However, Microsoft specifically states that although denial-of-service attacks can be serious it is not including them in the Xbox Bug Bounty criteria. Furthermore, it explicitly declares that the program prohibits any kind of denial-of-service testing or any automated testing that generates significant amounts of traffic.

Clearly the last thing the company wants is for any vulnerability testers to cause more problems for their legions of gamer fans than they may already be experiencing.

In a similar vein, Microsoft says it is prohibited to launch any phishing or social engineering attacks against its customers or staff.

Vulnerabilities that Microsoft determines to be of “moderate” or “low” severity do not presently qualify for cash rewards, but may still be eligible for public acknowledgment if they result in a fix being issued.

Oh, and in case you were wondering, no Microsoft isn’t offering to send you a free Xbox to help with your testing.

For full details of the bug bounty’s rules, and how to submit a report to its security team, read Microsoft’s guidelines for the Xbox Bug Bounty Program.

Dark web marketplace moderator Bryan Connor Herrell
pleaded guilty in the United States to conspiring to engage in a racketeer-influenced
corrupt organization.

While the infamous Silk Road made a lot more headlines, another
dark web market place had many more members and a wider reach. It was called
AlphaBay, and it was shut down in July 2017.

Criminals use such marketplaces to buy and sell illegal
products, such as drugs, counterfeit goods, computer hacking tools, firearms,
fraudulent services, and stolen and fraudulent identification documents and
access devices. In just three years of operations, from 2014 to 2017, criminals
transacted an estimated $1 billion.

While the founder of AlphaBay, Alexandre Cazes, is dead, Herrell was in a position of power within the organization. As a moderator, Herrell was responsible for settling disputes between users, and the Department of Justice documents says that it was involved in over 20,000 such disputes.

“On AlphaBay, vendors and purchasers engaged in hundreds
of thousands of illicit transactions for guns, drugs, stolen identity
information, credit card numbers and other illegal items,” reads the DOJ announcement. “At the
time, AlphaBay was considered to be the world’s largest online drug marketplace.”

Herrell now faces up to 20 years in prison, but the sentence
will be determined by the court. Also, just last week, Aleksei Burkov, 29,
pleaded guilty in the United States to money laundering, device fraud and other
crimes, after he admitted running a marketplace for stolen credit card data
called Cardplanet.

It turns out that the final day of Windows 7 was not
actually the last, as Microsoft messed up an update. Now, a new patch is
required to fix a problem introduced by mistake.

The official end of life for Windows was January 14,
2020. Microsoft said that no more updates are planned. It was an unceremonious
death for a famous operating system, but a long time coming. The community came
to terms with the fact that no more updates would be released.

The supposedly final update, KB4534310, brought security fixes to the Microsoft Scripting
Engine, Windows Input and Composition, Windows Storage and Filesystems, and
Windows Server. But it also introduced a weird bug. Users who stretched the
background in Windows 7 found that it was replaced by a black image, with no
way to fix the problem.

“After installing KB4534310, your desktop wallpaper might
display as black when set to Stretch,” admitted Microsoft. “We are working on a
resolution and will provide an update in an upcoming release, which will be
released to all customers running Windows 7 and Windows Server 2008 R2 SP1.”

Initially, the company said that only users who purchased
the Extended Security Update (ESU) would receive the fix, but then decided to
extend the courtesy to all users. This means the upcoming patch for Windows 7
will be the last.

The Windows 7 operating system still has a market share of around 30%, which is sizable enough to make a difference. Users are advised to install a security solution, such as Bitdefender Total Security 2020, which is scheduled to support the operating system for the next 24 months.

Protonmail is the second encrypted email provider in the last week to find itself blocked from its Russian users, after authorities in the country said bomb threats had been spammed out claiming that bombs had been planted in public places.

Telecoms watchdog Roskomnadzor has confirmed that Protonmail, like the Dutch encrypted email service StartMail, has been blocked in Russia at the orders of the country’s intelligence agency, the FSB.

Protonmail’s VPN stablemate, ProtonVPN, was also impacted by the block the Russian government placed on the Geneva-based outfit’s services.

The action was spurred by a wave of bomb threats, sent via email, that have targeted schools, universities, healthcare facilities, shopping malls and other public places in Russia since late November 2019.

According to Roskomnadzor, the bogus emails are responsible for “creating a real threat of mass disturbance of public order and causing great concern among citizens and public outcry.”

The Russian authorities claim that by blocking access to the encrypted email services they might be able to reduce the scale of the problem.

In a statement the watchdog said that it was “confident that the owners of this resource are respectable citizens and have nothing to do with these malicious actions of extremists.”

Inevitably there have been concerns raised that Russia is putting pressure on the encrypted email services, which pride themselves on storing the least possible information (if any) about their users, and – due to the use of end-to-end email encryption – their inability to read encrypted messages or share them with third-parties.

In a blog post, StartMail emphasised that it has “not provided any information about StartMail users to the Russian authorities,” and “will never cooperate with any voluntary surveillance programs.”

The Dutch firm points out that making fake terror threats is illegal in the Netherlands, and that it is against its terms of service to use StartMail for any criminal purposes.

In a nutshell, StartMail says that if Russia wants the offending accounts shut down it should follow the appropriate process rather than block the entire service from its many legitimate users:

“If the Russian government brings a criminal matter (such as fake bomb threats) with proper evidence to the Dutch Authorities for Legal Assistance and/or to StartMail’s internal abuse team, StartMail will investigate and take action against the accounts in question if necessary. However, the Russian government has not contacted us on this matter.”

Instructions have been provided by ProtonMail on how Russian users can continue to access their email service via Tor, as well as a way of reconfiguring their VPN.

2020 is off
to a good start in the United States, with rising consumer awareness about
privacy matters, according to new research published on National Data Privacy
Day.

After America’s Health Insurance Plans (AHIP) showed in a recent study that Americans are starting to put privacy first and convenience second when it comes to their health data, a survey by privacy management firm DataGrail finds that almost three quarters of Americans would pay more to online service providers (retailers, ecommerce and social media) to ensure they don’t sell their data, show them ads, or use their data for marketing or sales.

The research
was published on January 28, which was named Data Privacy Day in an international
effort to empower individuals and business to respect privacy, safeguard data
and enable trust.

Enlisting OnePoll
to conduct an online survey, DataGrail asked 2,000 Americans aged 18 and over how
they feel about businesses collecting their data in 2020. For example, 4 out of
5 agreed there should be a law to protect their personal data.

83 percent
expect to control how their data is used at a business, a request that comes
after many Americans have experienced failures in existing protections,
DataGrail found. For instance, 62 percent of respondents said they continued to
receive emails from a company despite exercising their right to unsubscribe from
their newsletter.

‘Connected’ fears

Concerns are also increasing on the Internet of Things (IoT) front. Owners of connected devices are downright scared that their vendors are eavesdropping on them.

More than 82 percent of people in the survey confessed they had concerns about businesses monitoring or collecting data from their phone microphone, laptop webcams, or assistants like Amazon Echo and Google Home.

A ‘CCPA’ for everyone

Only 24
percent of Americans said they were familiar with or had heard of the newly
instated California Consumer Privacy Act (CCPA). They were asked how they’d
exercise their rights under similar legislation in their own state:

• 65%  would like to have access to what information businesses
  are collecting about them.
• 62% of people would like the right to
  opt-out and tell a business not to share or sell personal information.
• 58% of people would like the right to
  protections against businesses that do not uphold the value of their privacy.
• 49% of people would like the right to
  delete their personal data held by the business.

Consumers
are also more than willing to take their wallets elsewhere, even if it meant disrupting
their shopping preferences

Consumers
would be willing to change their shopping preferences and take their business
elsewhere if they discovered their private data was not protected or that their
data was being sold. Furthermore, 77% would not shop at their favorite retailer
if they found they did not keep their personal data safe, the survey shows. Americans
would also pay more for better privacy protections.

Researchers at the Department of Computer Science of the University
of Texas at San Antonio (UTSA) have recently exposed
vulnerabilities in the micromobility ecosystem that may compromise the
security, safety and privacy of users of battery-powered electric scooters.

According to the study led by assistant professor Murtuza
Jadliwala, the risks are not bound to the electric scooter itself, but also
extend to related software services and applications.

The research comes amid the growing popularity of e-scooter
as an option to ease or bypass traffic congestion, with service providers
offering riders easy payment options, flexible drop-offs and geo-location at
the tap of a button.

The full research paper, to be presented at AutoSec in March
2020, tackles multiple angles that can be used by threat actors including:

• exploiting vulnerabilities in the smartphone
  application and the communication channels
• exfiltrating data from service providers
• eavesdropping on riders over these channels
  using hardware or software
• spoofing GPS systems to direct riders to
  unintended locations

One key factor that promotes the attacks is linked to the
Bluetooth Low Energy (BLE), which most electric scooters rely on. To make use
of the vehicle, a rider needs both Bluetooth and Internet data activated on his
smartphone.

In a published sample of the study,
the researchers also warn of physical damages that may affect a rider if any of
the electronic and mechanical components are tampered with.

“Once the e-scooter is acquired, the attacker can install
malicious modules, remove or replace key components before placing it back in
the streets to control the e-scooter remotely or to covertly gather data about
the e-scooter and populace near the e-scooter,” the authors wrote.

The paper says attackers “can intentionally injure the
victim rider by remotely manipulating or interfering on the with the
e-scooter’s brakes, damaging the tires or other physical damage that could
incapacitate the e-scooter.”

An additional risk relates to the personal and sensitive
data that is automatically collected by service providers. If data sharing is
unregulated and not anonymized, the information can be used to create user
profiles. An attacker “can use the information to learn about the users and
then strategically place e-scooters on road, entice riders with suitable social
media advertisements, etc.”

Mozilla’s security team has been busy the past two weeks,
removing add-ons caught stealing user data and executing malicious code.

In a crusade to “make browsing smarter, safer, and faster,”
the Firefox administrators decommissioned
around 200 extensions and add-ons that posed security risks for users.
Plugins with hidden features that may compromise user privacy or security were
flagged and removed during the assessment.

More than half of the ban revolved around add-ons developed
by B2B software developer 2Ring. Researchers found that the add-ons promoted by
the company were actually executing code from a remote server.

Illegally collecting user data, add-ons such as WeatherPool
and Your Social, Pdfviewer – tools, RoliTrade, and Rolimons Plus suffered the
same fate. Mozilla’s Add-on
Policy reads that, “If you are collecting any personal information, the
user must provide affirmative consent (i.e., explicit opt-in from the user). It
must be clear to the user that they give consent to the collection of personal
data”.

The research team also found a batch of 30 add-ons (currently un-named) that violated the add-on policies with various types of malicious behavior. Unauthorized collection of search terms going to a third-party search provider including add-ons such as EasySearch for Firefox, EasyZipTab, FlixTab, ConvertToPDF, and FlixTab Search also warranted a ban.

Other worthy mentions include the FromDocToPDF add-on found loading
remote content into Firefox’s new tab page, and Fake Youtube Downloader,
disabled for attempting to “install other malware” in the browser. During the
banning stage, Mozilla also disabled the plugins from the browser of users who previously
installed them.

Although “Mozilla may reject or block affected versions or
entire add-ons that don’t meet the policies”, any add-on developer can set an
appeal.

Aleksei Burkov, 29, pleaded guilty in the United States to money laundering, device fraud and other crimes after he was caught running an illegal website, called Cardplanet, that sold stolen credit card data.

Burkov had been on the run since 2013 when authorities
identified him as the culprit behind Cardplanet. He took refuge in Egypt, but was
arrested in at Ben-Gurion airport near Tel Aviv in December 2015. After a
lengthy extradition process, he arrived in the United States.

All in all, the stolen credit card data from Cardplanet
was used in purchases totaling over $20 million dollars. Making matters worse, Burkov
had a secondary website called Direct Connection that worked as a gathering
place for cybercriminals, who could advertise their stolen goods, such as personal
identifying information, malicious software or money laundering services.

Members of this exclusive “club” were vetted and had to
meet specific conditions. For example, each new member needed three other
people to vouch for him, and to pay an insurance fee of $5,000.

“Burkov pleaded guilty to access device fraud and
conspiracy to commit computer intrusion, identity theft, wire and access device
fraud, and money laundering, and faces a maximum sentence of fifteen years in
prison when sentenced on May 8. Actual sentences for federal crimes are
typically less than the maximum penalties,” reads the statement
from the US Department of Justice.

Most of the credit card data was stolen in computer
intrusions, and the majority belonged to US citizens. Over a span of five
years, data for more than 150,000 stolen credit card was sold on the website, at
prices as low as $2.50. There was even a refund policy for burned cards,
according to the indictment.

In a welcome
mentality shift, Americans are starting to put their privacy first and
convenience second when it comes to their health data, according to a study by America’s
Health Insurance Plans (AHIP).

Most surveys
asking people about their experience accessing services and apps online conclude
that people value convenience more than privacy or security. But, according to
one recent study, that is starting to change – at least when it comes to
Americans and their health records.

Patients feel they deserve better access to personalized, actionable healthcare information to help them to make more informed decisions, but it should not drive up health care costs or compromise the privacy of their personal health data, according to a nationwide poll of patients and consumers from Morning Consult, conducted on behalf of America’s Health Insurance Plans (AHIP).

62% of respondents
said they were willing to forego easier access to their health information if
their data and privacy were protected better in return. This marks an important
mentality shift for consumers, likely as a result of the increasing number of
news reports about data breaches at healthcare providers.

As avid Bitdefender blog readers know, cybercrooks value health records more than any other type of data stolen in a breach. Hackers attack healthcare units and their service providers with data-stealing malware – sometimes topping it off with data-destroying ransomware – because they can fetch a handsome dollar by selling the data to fraudsters on the Dark Web. Americans have apparently been reading the news about these incidents, as 90% of respondents reported they want technology companies held to the same high standard and scrutiny as health insurance providers when it comes to protecting their information.

82% of respondents
also said they want their healthcare information delivered in a way that is
more concise and simpler to understand.

A water
supplier in Greenville, North Carolina has suffered a targeted cyber-attack that
affected online payments for half a million a people. The outage is expected to
last at least two more days as experts investigate the hack.

Greenville
Water, which serves nearly 500,000 residents of the Upstate region of South
Carolina, announced last week it was experiencing technical difficulties and
asked customers to be patient as it worked to recover from “an international
cyberattack.”

Utility
spokesperson Emerald Clark said online and pay-by-phone systems are not working,
and that the outage would likely last until the next week.

“It has
not and will not impact or compromise the safety and delivery of water that is
treated and maintained by our facilities,” Clark said.

The
spokesperson said the cyberattack was being investigated and experts “have
taken immediate and appropriate action to reinforce existing security measures
and to mitigate the potential impact, as well as determining its origin.”

“We have
been preparing for potential attacks for years and put specific protections in
place to ensure the safety of our data and the integrity of our water,” said Greenville
Water CEO David Bereskin. “While this has caused a temporary disruption, we are
fairly certain that our data has not been compromised.”

Greenville
Water has shared details of the attack with other government agencies, local
news outlet Greenville News reported.

According to
the home page of Greenville Water’s website (screenshot below), the issues
currently experienced by the supplier do not impact the safety of water treated
and maintained by its facilities.

The supplier
also urges clients not to call or email them with payment details, likely
trying to keep customers safe from hackers intercepting their data and using it
to conduct fraud.

Instead,
customers are told to visit the Greenville Water office, where cashiers are
available during normal business hours and accepting cash and check payments.

Greenville
Water doesn’t say how it determined the attack was targeted, or whether the
attackers deployed malware on its systems. The details are consistent with a
typical ransomware attack, but it remains to be confirmed if this is indeed so.