Pablo Escobar’s brother says FaceTime flaw revealed his address, sues Apple for a publicity stunt (and $2.6 billion)

You may not have heard of Roberto Escobar, but if his surname isn’t familiar to you it surely will be to your parents.

That’s because his brother, the late Pablo Escobar, was a high-profile Colombian drug lord whose Medellin cartel monopolised the cocaine trade into the United States in the eighties and nineties.

So, you would think it wouldn’t be hard for Roberto Escobar to trade off his notorious surname if he wanted some attention for his company – Escobar Inc – which manages the assets of the Escobar family.

Escobar Inc’s latest offerings? A limited edition 24 carat gold-plated iPhone 11 Pro, and a $399 Escobar folding phone promoted via the tried-and-trusted technique of a video of skimpily-clad models frolicking around.

The problem is that people who ordered phones from Escobar Inc say that they never received the product, and feel that they have been scammed. Fancy that – someone in the Escobar family might be up to no good!

Popular YouTuber Marques Brownlee does a better job than I could explaining why you really shouldn’t buy one of these phones if you don’t want to be scammed.

Other YouTube influencers, including Mrwhosetheboss, also made videos warning the public not to give the company any money.

So, facing such a negative reaction on social media, Escobar Inc has found a new way to get itself attention.

It’s filed a $2.6 billion lawsuit against Apple.

According to the lawsuit, Roberto Escobar claims that Apple is in breach of contract because it failed to “provide a phone free of exploits.” For that Escobar wants $100 million.

Furthermore, Escobar claims he is owed $500 million by Apple for not telling him when a security hole was found in FaceTime.

Finally, Escobar says that he suffered “mental and emotional distress and anguish” after – he claims – someone found out his location through the FaceTime flaw, forcing him to step up his personal security. Escobar argues in the lawsuit that this is worth $2 billion.

Is Apple really going to give $2.6 billion to Roberto Escobar’s company? Of course not.

And Escobar Inc doesn’t expect to win.

But Escobar Inc does expect to receive a huge amount of press coverage, which will mean more people will hear about its phones than ever before, and some might even be tempted to buy them.

Whether those people will actually ever receive the products they are expecting or a refund is another matter entirely.

Certainly I wouldn’t buy a product from a firm like Escobar Inc. Purchasing a phone via its online store appears to be possible only via direct bank transfer, cryptocurrency, or a Western Union transfer.

If that doesn’t set alarm bells ringing in your head, maybe you’re on drugs yourself.

Most Apps Use Vulnerable Open-Source Libraries, Veracode Research Shows

New research from Veracode found that most applications use open-source libraries that also present vulnerabilities, but the distribution of such libraries depends on the programming languages used.

Open-source libraries are ubiquitous, but they are not limited to integration into open-source apps. In fact, most available apps contain open-source libraries, even if they come from private companies and are sold as proprietary.

Not all libraries are used in equal proportions; usage varies depending on the existing ecosystem. For example, the Veracode research shows that the JavaScript applications investigated have hundreds of dependencies, with some apps reaching 1,000 different libraries. The researchers looked at 351,000 unique libraries across all major programming languages.

“Many languages have libraries that are almost a given for inclusion in an application. JavaScript and Python, in particular, have several core libraries that are likely to be in use for any given application,” according to the Veracode research.

The researchers didn’t just look at the prevalence of some dependencies, but at how safe they actually are. One method is to check which of the existing libraries already have exploits with public proof-of-concept demonstrations.

PHP takes first place, as 27% of its flawed libraries also have published exploit code. Java follows with 15.7%, and .NET with 14.2%. Equally interesting is that not all vulnerable libraries have attached CVEs, which means there’s no effort to fix their flaws.

The research also shows that 71% of the 85,000 apps investigated include libraries with flaws. Moreover, almost all scanned applications have an unfixed flaw in an external library. Fortunately, it looks like most of the fixes needed are minor and would not break functionality in the apps using them, with 73.8% of the libraries needing only a small update.

The good news that comes out of the research is that over 90% of the highest-priority security flaws have a fix available to them today.

Japanese Telecoms Giant NTT Suffers Data Breach, Takes Four Days to Learn of Intrusion

Japanese telecommunications company Nippon Telegraph & Telephone (NTT) has suffered a data breach that resulted in the leak of hundreds of client records from a subsidiary.

Ranked 55th in the Fortune Global 500, NTT is the fourth-largest telecommunications company in the world by revenue and the fifth-largest publicly traded company in Japan.

The company disclosed a data breach this week, saying hackers breached several layers of its IT infrastructure – presumably originating from an NTT base in Singapore – and reached an internal Active Directory to steal data on 621 customers from communications subsidiary NTT Communications. The attackers then reportedly uploaded that data to a remote server under their control.

It is unclear if the customers are individual users or partner companies / service providers of NTT Communications. The hack occurred on May 7, and NTT said it only learned of it four days later, as reported by ZDNet’s Catalin Cimpanu.

NTT is apparently taking diligent steps to inform affected parties, as it only recently confirmed the intrusion. The firm also said it plans to notify all customers “when it becomes clear what should be notified.”

As the company investigates the hack, NTT is already upgrading its systems to harden its infrastructure. Ironically, the firm recently rolled out its 2020 Global Threat Intelligence Report with the reminder that “the threat landscape is continuously changing, especially during these tumultuous times.”

The report warns that Internet of Things (IoT) devices are increasingly used as entry points in cyber-attacks and recommends that “businesses strive to be both secure by design and cyber-resilient.”

BigFooty.com Leaks 70 Million Records from Sports Fan Members

The team at Security Detectives has discovered another leaky database. BigFooty, a popular Australian sports fan website, was found to be leaking around 132 GB (70 million records) of private information belonging to its 100,000 members. The data in some instances included “technical information relating to the company’s web and mobile sites.”

The information was found on a compromised Elasticsearch server, and included data from the website’s forum, as well as private messages sent between users.

Although BigFooty.com did not reply to the research team’s initial contact, website admins have posted a data breach notification on their forum:

“Recently we learned of a security breach on BigFooty’s search index which, due to a mis-configuration, was publicly accessible without restriction,” the notice says. “This search index included content that may have been removed from public view on the forum, and other content where access was restricted. Access to the index was blocked as soon as we became aware of the issue on the 14th of May and commenced assessment of the breach. Whilst we now know that there was some unwanted interaction by unauthorised people, our investigation leads us to believe the whole index was not copied.”
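The breach notice above attributes the exposure to a search index that was reachable without restriction because of a misconfiguration. The following is an added example, not code from BigFooty or from Security Detectives, showing how an administrator can audit an `elasticsearch.yml` for the two settings that together produce exactly that condition: a non-loopback `network.host` combined with `xpack.security.enabled` not set to `true`. Both configuration fragments are constructed for the example; the cluster name and the assumption that an unset `xpack.security.enabled` should be treated as disabled are the author's choices here, not facts from the article.

```python
import re

# Interfaces Elasticsearch treats as local-only (assumption: the documented
# special values plus the literal loopback addresses).
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed fragment reproducing the weak condition described in the notice:
# the HTTP API bound to every interface with security left off.
WEAK_CONFIG = """\
# constructed example of an exposed cluster
cluster.name: forum-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened counterpart: loopback-only and authentication required.
HARDENED_CONFIG = """\
cluster.name: forum-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

_COMMENT = re.compile(r"\s#.*$")


def parse_settings(text: str) -> dict:
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.

    Comments, blank lines and nested blocks are ignored; that is enough for an
    audit of top-level network and security keys.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        line = _COMMENT.sub("", line)
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text: str) -> list:
    """Return a list of findings; an empty list means no exposure was detected."""
    s = parse_settings(text)
    findings = []

    # Elasticsearch binds to loopback when network.host is unset (assumption:
    # documented default). Values may be a single host or a bracketed list.
    raw_host = s.get("network.host", "_local_")
    hosts = [h.strip() for h in raw_host.strip("[]").split(",") if h.strip()]
    exposed = any(h not in LOOPBACK for h in hosts)

    # Treat an unset security flag as disabled: conservative, because older
    # releases shipped with it off (assumption stated in the lead-in).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"

    if exposed:
        findings.append(f"network.host={raw_host}: bound to a non-loopback interface")
    if exposed and not security_on:
        findings.append("xpack.security.enabled is not true: index is reachable without authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The audit reports the bind address and the missing authentication as separate findings, because a cluster bound to an internal interface with security enabled is a legitimate deployment, while the combination of a public bind and no authentication is the state the notice describes.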

What type of data did the leak expose?

The investigators noted that the website is predominantly anonymous and, while participants are not always identified, private information is frequently shared in messages, including:

• Usernames used to access BigFooty.com
• Passwords to live streams
• Data relating to ad spammers
• Email addresses
• Relationships between users
• Mobile phone numbers
• User comments including personal threats and racist material
• Personal information relating to real-world activities, intentions and behavior

Additional website data such as server information, operating system and browser information, error and access logs, IP addresses and GPS data was also included in the databases.

“Although many user messages were available publicly, whether or not users could be identified depends on the data they shared in their correspondence”, the researchers said. “Many users shared mobile phone numbers, passwords to access other content and highly sensitive information relating to private activities.”

Since exposed private messages were publicly viewable, the information can be used to trace specific users. If active members shared additional personal information or sensitive data in their chats, it can be used for blackmail or to inflict reputational damage.

“Even though usernames, passwords and identities were not always matched, there remains a significant risk that the titbits of information available could be used to commit identity fraud, and consequently, create financial, social and reputational damage on users,” Security Detectives warned.

BigFooty has also informed members who have shared personal contacts, passwords or financial information in private boards or conversations to monitor their bank accounts and immediately change their passwords.

Members are also advised to avoid sharing sensitive data and passwords on message boards or in the comment sections. Passwords are for your eyes only. Sharing such private information can lead to account takeover attacks, identity theft and serious financial damage.

Russian ’Sandworm‘ Hackers Attacking Exim Email Servers, Says NSA

An advanced Russian government cyber-espionage unit has been exploiting a known Exim email server vulnerability since August 2019, according to an NSA security alert.

The NSA said the Russian hackers are part of the GRU Main Center for Special Technologies (GTsST), field post number 74455, and it believes the group has been leveraging the unpatched critical vulnerability (CVE-2019-10149) in Exim servers to gain remote control over affected machines and potentially conduct espionage operations.

While a patch for the vulnerability, which was introduced in Exim version 4.87, has been available since June 5, 2019, many systems likely remain unpatched. By exploiting it, attackers gain the ability to add privileged users, alter network security settings, modify SSH configuration for remote access, and even deploy additional exploitation tools.

“When CVE-2019-10149 is successfully exploited, an actor is able to execute code of their choosing,” reads the NSA security alert. “When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain.”

The group, known as “Sandworm,” is believed to have also developed the BlackEnergy malware responsible for Ukraine’s power outage in 2015 and 2016, and the NotPetya ransomware that targeted Ukraine in June 2017.

While it is unclear what damage the attacks could have inflicted or which public or private organizations might have been targeted, this is not the first time the NSA has publicly pointed the finger at Russian, Chinese, Iranian, and North Korean operations.

The advisory also urges IT security and administrators to patch their systems, deploy defense-in-depth strategies and use network-based security appliances capable of detecting and blocking exploits.

“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used,” warns the NSA security alert.
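The advisory's remedy is a version floor: 4.93 or newer. The following is an added example, not code from the NSA or the Exim project, that turns that floor into a check an administrator can run across a fleet. It parses the banner line of `exim -bV` output (the `Exim version X.Y` line is real output format; the full sample below is constructed for the example) and compares the version numerically, so that 4.92.3 is correctly judged older than 4.93 and 4.94.2 newer, which a string comparison would get wrong.

```python
import re
import subprocess

# The advisory quoted above says "4.93 or newer".
MIN_SAFE_VERSION = (4, 93)

# Constructed sample of `exim -bV` output from an out-of-date host; only the
# first line is parsed. Real output continues with build options and lookups.
SAMPLE_EXIM_BV = """\
Exim version 4.89 #1 built 19-Mar-2019 14:15:14
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in various roles, 2018
Support for: crypteq iconv() IPv6 ...
"""

VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_version(bv_output: str):
    """Return (major, minor, patch) from `exim -bV` output, or None if the
    banner is absent. A missing patch component is treated as 0."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_below_minimum(version, minimum=MIN_SAFE_VERSION) -> bool:
    """True when the installed major.minor is older than the advised floor.
    Tuple comparison is numeric, so (4, 92) < (4, 93) and (4, 94) >= (4, 93)."""
    return version[:2] < minimum


def assess(bv_output: str):
    """Classify a host from its `exim -bV` output.

    Returns ("unknown", None) when no banner is found, otherwise
    ("update-required" | "ok", version_tuple).
    """
    version = parse_exim_version(bv_output)
    if version is None:
        return ("unknown", None)
    status = "update-required" if is_below_minimum(version) else "ok"
    return (status, version)


def local_exim_output() -> str:
    """Run `exim -bV` on this host; fall back to the constructed sample when
    Exim is not installed so the script still demonstrates the check."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
        return proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return SAMPLE_EXIM_BV


if __name__ == "__main__":
    status, version = assess(local_exim_output())
    label = ".".join(str(p) for p in version) if version else "?"
    print(f"exim {label}: {status} (minimum advised {MIN_SAFE_VERSION[0]}.{MIN_SAFE_VERSION[1]})")
```

Feeding the script saved `exim -bV` output from many hosts (for example collected by a configuration-management run) gives a quick inventory of which mail servers still fall under the advisory's floor; the version tuple is returned rather than printed so the result can be aggregated.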

48% of UK Public Believes Cybercriminals Will Abuse NHS COVID-19 Tracing App

With the launch of the NHS contact-tracing app just around the corner, 48% of UK citizens do not trust the UK government to keep their information safe from bad actors, according to a nationwide survey released on May 27.

The new NHS COVID-19 contact-tracing app is designed to “slow the spread of coronavirus whilst protecting your privacy,” as it won’t ask for any personal information such as name or email, and won’t collect any personal information. As an additional precaution, the NHS states that “all users are assigned a random installation ID by the NHS.”

The National Health Service will securely store the “first part of your postcode, your installation ID, and your phone make and model.”

Despite the extra layers of security promoted by the NHS, around 43% of respondents expressed concerns that the app would give malicious actors the opportunity to send smishing messages or phishing emails, and 52% said that they lack the know-how to differentiate between a legitimate email or text message and a phishing or smishing message.

Their worry is quite understandable. The COVID-19 pandemic has been accompanied by a surge in coronavirus-related attacks, and the number of phishing emails mimicking government and health institutions has skyrocketed.

The report revealed additional concerns as well. 33% of respondents said they worry the app could allow the government to track their whereabouts, while 36% believe the app might let the government collect data on them.

Although the app’s initial testing started on the Isle of Wight, the British government hopes that the nationwide release “will play a central role in how the UK manages the rate of COVID-19 transmission alongside restrictions on social distancing.”

Even with guarantees of privacy and anonymity of users, cyber criminals will likely try leveraging the release of the contact-tracing app. There are also concerns regarding the exploitation of Bluetooth vulnerabilities, since the app uses low-energy Bluetooth signals to keep track of any possible infected persons by transmitting an anonymous ID.

Microsoft warns of PonyFinal ransomware attacks

Malware experts at Microsoft have warned businesses to be on their guard against hackers plotting to plant the PonyFinal ransomware on compromised IT systems.

Attacks incorporating the Java-based PonyFinal ransomware have been seen in the wild since the beginning of April, with reports coming in from India, Iran, and the United States.

What makes the PonyFinal ransomware particularly effective is that the hackers behind attacks spend time researching their intended victims and creating a plan for how best to maximise the ransom they might be able to extract.

In a series of tweets, Microsoft’s security intelligence team stressed that it’s more important for organisations to focus on the way in which the attack is delivered than the malicious payload.

And there’s definitely some truth in that. Much of the media attention on ransomware attacks focuses on companies being locked out of their encrypted data, and the dilemma as to whether they should pay the ransom or not.

What is perhaps more useful to IT security teams is to place more emphasis upon how an attack begins in the first place, and what methods are being used by a hacking gang to plant ransomware on the company’s computer systems.

After all, if an attack can be made to stumble at the first hurdle, your company hopefully won’t ever have to deal with the nightmare scenario of how to recover its encrypted data.

According to the researchers, hackers have gained access to potential victims by brute-forcing their way into company servers, compromising internet-facing web systems and obtaining privileged credentials.

Common vectors for initial infection can include brute force of RDP, vulnerable internet-facing systems, and weak application settings.

In some instances, the attackers have deployed the Java Runtime Environment (JRE), which PonyFinal needs to run. However, stealthier attacks have also been seen in which attackers took advantage of a JRE installation already present on an endpoint computer.

Phillip Misner, security program manager at Microsoft, told Dark Reading that the criminals behind the PonyFinal attacks were moulding their attacks for specific targets.

“Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization. These are attackers with the ability to choose multiple payloads and who spend their time doing research to see how they can extract the most money from the compromises they do.”

Don’t become the next victim. Take steps inside your company to reduce the chances of a ransomware attack succeeding.

HackerOne Celebrates $100 Million in Bounties Paid

HackerOne, a bug bounty platform used by numerous companies and people around the world, just celebrated a new milestone, reaching $100 million in bounties paid.

The term “hacker” might be associated in popular culture with malicious intent, but that’s not exactly the case. In fact, there are many types of hackers, and some of them just make the world a safer place.

One way to achieve that is through platforms such as HackerOne, which brings companies and hackers together in a procedure with a single goal: to help developers fix problems in their apps with the assistance of hackers.

Companies offer bounties to hackers who can compromise their products. The bigger the flaws they find, the bigger the bounties. In fact, just recently, HackerOne paid $2.4 million in less than a week. From the looks of it, companies are willing to keep increasing those bounties because it ultimately means they are investing in their products and keeping them safe at the same time.

“Over time, we observed something amazing and unexpected. Hackers were collaborating across time zones and cultures, sharing insights, tools, and techniques,” wrote HackerOne on its blog. “What’s more, hackers and security teams running bounty programs were forming bonds that transcended a single report. More and more security teams realized hackers are an extension of their team.”

In fact, bug bounties are becoming an integral part of businesses as companies reserve budgets for this type of activity. In the meantime, the term “hacker” is becoming a lot less frightening than it used to be.

HackerOne is not the only platform of its kind out there. Its direct competitor is Bugcrowd, not to mention that some of the larger companies pay bounties directly to hackers or have their own bug bounty programs.

Hacker Charged in Germany for Stealing and Leaking Private Data of Public Figures and Politicians

A 22-year-old accused of publishing private data on multiple public figures in Germany, including politicians, has been charged with various computer crimes and other infractions.

The hacker is accused of attacks affecting around 1,000 people, stealing personal information and using it either to hurt victims by releasing it online or by using it in blackmail attempts.

Many of these victims were compromised simply by using the password reset feature for email accounts, which was possible in situations where two-factor authentication wasn’t present. He also used credentials found or acquired over the dark web, from a website shuttered by US authorities in January 2020.

The charges levied by German authorities cover just 78 victims of the entire 1,000+ pool of affected people. The man is accused of gathering phone numbers, credit card data, photos, and communications with other people.

In the case of six German MPs, the hacker used the gathered data in blackmail attempts, trying to extort around €900, in bitcoin, by threatening to release the data.

Some of the data collected was eventually released between Dec. 1 and Dec. 24, 2018, on his personal Twitter account, but also over the account of a YouTube celebrity who also fell prey to his attacks.

The hacker allegedly didn’t stop at stealing private data. He is also accused of calling in a number of false bomb threats and mass shootings, and even managed to have a few people investigated by the German police by filing false crime reports.

The motivations remain unclear, as he only said that he was annoyed by some of his victims’ public statements and simply wanted revenge, according to a The Local DE report.

26 million LiveJournal users warned that their passwords have been breached

On underground criminal marketplaces the email addresses and plaintext passwords of over 26 million LiveJournal blogging accounts are being traded, despite LiveJournal’s owners refusing to acknowledge that any security breach has occurred.

The first rumours of a major security incident involving LiveJournal passwords began bubbling up in October 2018, when data breach expert Troy Hunt tweeted that he had received multiple reports of a compromise after users complained they had received sextortion emails quoting passwords they said they only used on the platform.

At the same time Dreamwidth, a blogging platform forked from LiveJournal’s code, warned that it had also received reports of spam extortion emails demanding a Bitcoin ransom.

Dreamwidth said then that it did not believe that its own site was the source of the data breach which fuelled the emails, and declined to name the site in question “because they haven’t made a public announcement confirming the breach.”

Yesterday, however, Dreamwidth publicly named LiveJournal as the likely source of the hacked data. Worryingly, according to Dreamwidth, LiveJournal does not seem inclined to tell its users of the breach.

“We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”

Dreamwidth says that it has in the past been the victim of credential-stuffing attacks, seemingly powered by the usernames and passwords stolen from LiveJournal.

Troy Hunt’s HaveIBeenPwned service has a copy of the breached data, and earlier today an alert was sent out to the owners of 26,372,781 LiveJournal accounts that those passwords should be considered compromised.

Clearly, it would be advisable for affected users to not only change their LiveJournal password, but also ensure that they are not reusing that same password anywhere else on the internet.

The actual password database itself seems to have been created some years ago, so there’s some hope that some users will have changed their passwords over the years anyway. But better to be safe than sorry.
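Two of the items above describe the same class of activity from opposite ends: the PonyFinal operators gaining entry by brute-forcing RDP, and Dreamwidth being hit by credential-stuffing runs driven by the leaked LiveJournal credentials. Both show up in authentication logs as bursts of failures from one source; what distinguishes them is whether the failures pile onto one account (brute force) or spread across many accounts (stuffing, where each leaked pair is tried once). The following is an added example, not code from Microsoft, Dreamwidth or HaveIBeenPwned, of a sliding-window detector over a constructed log in a hypothetical `ip=... user=... result=...` format; the IP addresses are documentation ranges and the thresholds are the author's choices.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log. 203.0.113.5 tries six different accounts once each
# (stuffing pattern); 198.51.100.7 hammers one account (brute-force pattern);
# 192.0.2.9 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2020-05-27T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-05-27T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-05-27T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2020-05-27T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2020-05-27T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2020-05-27T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2020-05-27T10:05:00Z ip=198.51.100.7 user=admin result=FAIL
2020-05-27T10:05:01Z ip=198.51.100.7 user=admin result=FAIL
2020-05-27T10:05:02Z ip=198.51.100.7 user=admin result=FAIL
2020-05-27T10:05:03Z ip=198.51.100.7 user=admin result=FAIL
2020-05-27T10:05:04Z ip=198.51.100.7 user=admin result=FAIL
2020-05-27T10:05:05Z ip=198.51.100.7 user=admin result=OK
2020-05-27T10:10:00Z ip=192.0.2.9 user=bob result=FAIL
2020-05-27T10:10:30Z ip=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text: str):
    """Parse lines into (timestamp, ip, user, failed) tuples, sorted by time.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "FAIL"))
    events.sort()
    return events


def detect(events, window_s=300, fail_threshold=5, distinct_threshold=5):
    """Return {ip: [verdicts]} for sources whose failures inside any window of
    window_s seconds reach fail_threshold on one account ("brute-force") or
    span distinct_threshold different accounts ("credential-stuffing")."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            failures_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures_by_ip.items():
        window = deque()          # (ts, user) pairs currently inside the window
        per_user = Counter()      # failure count per account inside the window
        verdicts = set()
        for ts, user in fails:
            window.append((ts, user))
            per_user[user] += 1
            # Evict events older than the window relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old = window.popleft()
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
            if max(per_user.values()) >= fail_threshold:
                verdicts.add("brute-force")
            if len(per_user) >= distinct_threshold:
                verdicts.add("credential-stuffing")
        if verdicts:
            alerts[ip] = sorted(verdicts)
    return alerts


if __name__ == "__main__":
    for ip, kinds in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(kinds)}")
```

The window matters as much as the thresholds: the same five failures spread over an hour are ordinary user behaviour, not an attack, and the eviction step keeps them from accumulating into an alert. Successful logins are deliberately excluded from the counts but are worth correlating afterwards, since a success that follows a flagged burst from the same source is the event that needs an analyst's attention.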
