Repairs & Upgrades

May 25, 2018

Does your BMW need a security patch?

By John E Dunn

If you’re a BMW owner, prepare to patch! Chinese researchers have found 14 security vulnerabilities affecting many models.

The ranges affected (some as far back as 2012) are the BMW i Series, X Series, 3 Series, 5 Series and 7 Series, with a total of seven rated serious enough to be assigned CVE numbers.

The vulnerabilities are in the Telematics Control Unit (TCB), the Central Gateway Module, and the Head Unit, reachable across a range of interfaces including GSM, BMW Remote Service, BMW ConnectedDrive, Remote Diagnosis, NGTP, Bluetooth, and the USB/OBD-II interfaces.

Some require local access (e.g. via USB) to exploit, but six, including the Bluetooth flaw, were accessible remotely, making them the most serious.

Should owners worry that the flaws could be exploited, endangering drivers and vehicles?

On the basis of the technical description, that seems unlikely, although Keen Lab won’t release the full proof-of-concept code until 2019.

Keen Lab described the effect of its hacking as allowing it to carry out:

The execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely.

To which BMW responded:

BMW Group has already implemented security measures, which are currently being rolled out via over-the-air configuration updates. Additional security enhancements for the affected infotainment systems are being developed and will be available as software updates for customers.


2 million stolen identities used to make fake net neutrality comments

By Lisa Vaas

You may recall all those reports of fake and bot-generated comments left in what former New York Attorney General Eric Schneiderman called the “deeply corrupted” public comment period for net neutrality.

Now, it looks like two million stolen identities were used to make those fake net neutrality comments. Most crucially, two of those identities were stolen from senators.

On Monday, the two senators – Jeff Merkley (D-OR) and Pat Toomey (R-PA) – called on the Federal Communications Commission (FCC) to investigate identity theft and fraud in the public comments left for the agency during the time leading up to the decision to kill net neutrality in December.

From their letter, sent to FCC Chairman Ajit Pai:

Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the Federal Communications Commission’s (FCC’s) comment period for the net neutrality rule.

We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.

A public comment system that isn’t secured in some way can’t protect government agencies such as the FCC from fraudsters who pollute the process, the senators said; nor can it protect participants from having fraudsters assume their identities:

The first three words in our Constitution are, ‘We the People.’ The federal rulemaking process is an essential part of our democracy and allows Americans the opportunity to express their opinions on how government agencies decide important regulatory issues. As such, we are concerned about the aforementioned fraudulent activity. We need to prevent the deliberate misuse of Americans’ personal information and ensure that the FCC is working to protect against current and future vulnerabilities in its system.

Toomey and Merkley called on the FCC to employ simple security measures, such as CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, to weed out bot-generated comments.

This technology would ensure that a human, not a machine, is using a computer to submit comments.

“Ensure?” Well, that’s giving CAPTCHA a bit more credit than it deserves, given all the ways that human researchers have found to automatically trick the tests.


Office 365 will automatically block Flash and Silverlight

By John E Dunn

If you are one of the small number of Office 365 users who enjoyed embedding Flash, Shockwave or Silverlight content inside files, time is about to run out on your unusual pastime.

Last week, Microsoft announced that, starting next month, Office 365 will start blocking these for monthly subscription users, with the same thing happening for business users on the Semi Annual (SA) Channel by January 2019.

There are a number of reasons why this is happening now, although Microsoft could probably have pulled the feature a while ago without upsetting too many customers.

First and foremost is the end of support for Flash in less than two years, while Microsoft has been treating Silverlight like a bad smell since Windows 10 arrived in 2015.

Secondly, according to Microsoft, barely anyone seems to be using this feature in Office 365, something it can be certain of given the visibility it has on what people are doing with its cloud platform.

Ironically, the one group that has shown a lot of enthusiasm for embedded Office controls are cybercriminals, who took to hiding malicious content inside otherwise harmless-looking Excel, PowerPoint and Word files.

Helped by a long sequence of Flash vulnerabilities, these attacks continue to this day. A good recent example of this was a zero-day attack on South Korean organisations using a Flash Player flaw channeled through Word (CVE-2018-4878).


VPNFilter – is a malware timebomb lurking on your router?

By Paul Ducklin

Researchers at Cisco Talos just published a report documenting a giant-sized IoT botnet known as VPNFilter.

More than 500,000 devices around the world are said to be infected with this malware – most of them are consumer internet routers from a range of different vendors, with some consumer NAS (network attached storage) devices known to have been hit as well.

To explain.

IoT is short for internet of things, and refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.

As a result, IoT devices often end up attracting little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed.

And a botnet refers to a robot network, also known as a zombie network.

That’s where crooks implant malware on thousands, or even hundreds of thousands, of computers at the same time, in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.


Surprise! Student receives $36,000 Google bug bounty for RCE flaw

By John E Dunn

What’s the only thing better than a bug bounty cheque? A bug bounty cheque you weren’t expecting.

In the case of an 18-year-old student researcher at Uruguay’s University of the Republic in Montevideo, this cheque was to the tune of $36,337, awarded by Google for finding a surprisingly big hole in the security of its App Engine (GAE) cloud platform.

The story began when the researcher gained access to GAE’s restricted non-production environment earlier this year and found it was possible to rummage around in the platform’s internal and hidden APIs.

Google is not in a hurry to document this to outsiders, which made searching for vulnerabilities of any size a question of trial and error. This made the ease with which it was possible to find and interact with some of these APIs even more surprising.

Inside GAE’s deployment environment, the dangerous vulnerability turned out to be in one service, “app_config_service”. This proved significant because commands sent to it:

Allowed me to set internal settings such as the allowed email senders, the app’s Service Account ID, ignore quota restrictions, and set my app as a “SuperApp” and give it “FILE_GOOGLE3_ACCESS”

In response to this revelation, someone at Google “bumped up the severity”, which raised its bug bounty value. However, Google’s bounty assessors added in an email:

Please stop exploring this further, as it seems you could easily break something using these internal APIs. When issuing a reward, we’ll take into account what you could have achieved if you wanted to.


Google in court over ‘clandestine tracking’ of 4.4m iPhone users

By Lisa Vaas

Google’s in trouble again over the “Safari Workaround”: the iPhone shakedown for personal information from millions of iPhone users.

In 2012, the workaround got the search giant fined by the US Federal Trade Commission (FTC) for $22.5m, fined again a year later for $17m after it got sued by dozens of states, and now has the UK’s Google You Owe Us campaign out for its own pound of flesh.

Make that a few pounds of flesh: The Google You Owe Us campaign has started the process of getting its own comeuppance, and the US fines pale in comparison to what the British group is after.

Monday marked day one in London’s high court, where the collective action is suing the company for what could be as much as £3.2bn (US$4.3bn), according to court filings.

It alleges “clandestine tracking and collation” of information that included race, physical and mental health, political leanings, sexuality, social class, financial data, shopping habits and location data. On the campaign’s site, it alleges that Google’s Safari Workaround tracked iPhone users’ internet browsing history, which Google then used to sell a targeted advertising service.


May 23, 2018

Server? What server? Site forgotten for 12 years attracts hacks, fines

By John E Dunn

A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).

Forgetting about a web server isn’t generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.

The data also included more intimate personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.

You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.

The initial breach is thought to have occurred in 2013, before it was broken into several times during 2016 with the help of an SQL flaw and some uploaded PHP exploits that opened the way to the databases holding the good stuff.

Eventually, one of the attackers posted the data to Pastebin in January 2016, at which point the breach became public knowledge.

What went wrong? That’s the unsettling bit because on one level – at least from the perspective of 2004 – not much.

The University’s Computing and Maths School (CMS) had held a training conference and one of the academics involved asked a student to build a web microsite. The site included a facility for conference academics to upload documents anonymously via URL, something that attackers would eventually use to their advantage.

Nobody remembered (or had the job of) shutting this down once the conference had finished and so it sat there for years as new vulnerabilities were discovered, patches were applied, skills were improved on all sides and attacks on web servers became everyday occurrences.


TeenSafe phone monitoring app leaks teens’ iCloud logins in plaintext

By Lisa Vaas

A security researcher has discovered at least two servers hosted by a “secure” monitoring app for iOS and Android, TeenSafe, that were up on Amazon Web Services (AWS) for months without the need for a passcode to get at their data.

The mobile app, TeenSafe, bills itself as being a “secure” monitoring app built by parents, for parents. It lets parents view their kids’ text messages, monitor who they’re calling and when, track their phones’ current and historical locations, check their browsing histories, and see what apps they’ve installed.

The leaky servers were discovered by Robert Wiggins, a UK-based security researcher who searches for public and exposed data. The company took one server down after being contacted by ZDNet. The other server apparently held only non-sensitive data: likely, test data.

Data from more than 10,000 accounts was exposed.

Wiggins said that the unprotected servers were letting anybody see Apple user IDs, parents’ email addresses, unique phone IDs, users’ attempts to “find my iPhone” and passwords stored in plaintext.

Wiggins said that if Android data were being exposed, he didn’t come across it.

The security researcher told the BBC that the data was viewable because TeenSafe lacked basic security measures, such as a firewall, to protect it.


DrayTek router user? Patch now to keep the crooks out…

By Paul Ducklin

Network hardware vendor DrayTek has announced a security hole in its Vigor range of routers.

About 20 different models are affected, most of which seem to have firmware patches available already, so if you have a DrayTek Vigor, please go and check right away if you’re affected.

DrayTek hasn’t given precise details of how the attack works, which is probably a good thing, but it seems to involve what’s known as Cross Site Request Forgery (CSRF).

That’s where a crook can trick your browser into sending commands to websites you’re still logged in to, behind your back. In this case, the website in question is the web interface of your router.

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.

It seems that cybercriminals have been tricking some DrayTek Vigor routers into altering DNS settings via the router configuration interface, switching your DNS server from the one you usually use to an imposter server operated by the crooks.
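The CSRF-then-change-DNS pattern described above, shown as a vulnerable router settings handler beside a hardened one. This is an added illustration written for this page, not DrayTek’s firmware code or anything from its advisory; the router origin, the request dictionaries, the handler names and the sample addresses (documentation ranges) are all constructed assumptions. The hardened handler applies the two standard defences: a same-origin check on the Origin/Referer header the browser sets itself, and a per-session token that a page on another site cannot read.

```python
import hmac
import secrets

# Constructed origin for the router's own web interface (not a real DrayTek address)
ROUTER_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session):
    """Generate a per-session token; the admin page embeds it in every form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_same_origin(headers):
    """Browsers add Origin (or Referer) themselves; a page on another site cannot
    forge them, so a mismatch means the request did not come from the router's UI."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and (source == ROUTER_ORIGIN or source.startswith(ROUTER_ORIGIN + "/"))


def set_dns_vulnerable(request, session, settings):
    """Before: only the session cookie is checked. The browser attaches that cookie
    to any request aimed at the router, including one another page triggers."""
    if not session.get("logged_in"):
        return 401
    settings["dns"] = request["form"]["dns"]
    return 200


def set_dns_protected(request, session, settings):
    """After: a state change needs POST, a same-origin header, and a token that
    only a page served by the router itself could know."""
    if not session.get("logged_in"):
        return 401
    if request["method"] != "POST":
        return 405
    if not is_same_origin(request["headers"]):
        return 403
    submitted = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403
    settings["dns"] = request["form"]["dns"]
    return 200


def simulate(handler):
    """Run one cross-site request and one legitimate request through a handler.
    Returns (status_cross_site, dns_after_cross_site, status_legit, dns_after_legit)."""
    session = {"logged_in": True}            # admin is already logged in to the router
    token = issue_csrf_token(session)
    settings = {"dns": "192.0.2.53"}         # constructed: the user's usual resolver

    # Constructed request as a page on another site would make the browser send it:
    # the session cookie rides along, but Origin is that other site and no token.
    cross_site = {"method": "POST", "headers": {"Origin": "http://other.example"},
                  "form": {"dns": "203.0.113.53"}}
    status1 = handler(cross_site, session, settings)
    dns1 = settings["dns"]

    # Constructed request submitted from the router's own admin page.
    legit = {"method": "POST", "headers": {"Origin": ROUTER_ORIGIN},
             "form": {"dns": "192.0.2.54", "csrf_token": token}}
    status2 = handler(legit, session, settings)
    return status1, dns1, status2, settings["dns"]


if __name__ == "__main__":
    print("vulnerable:", simulate(set_dns_vulnerable))
    print("protected: ", simulate(set_dns_protected))
```

With the vulnerable handler the cross-site request succeeds and the resolver silently changes; with the protected one it is refused with 403 and the setting stays put, while the genuine admin submission still works. Checking the token with `hmac.compare_digest` rather than `==` avoids leaking the token through timing differences.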


’s alleged owners arrested for extortion

By Lisa Vaas

On 2 September, 2013, a California resident, Jesse T., was arrested and booked into the Sonoma County Jail.

As is standard procedure, police took his mugshot and his fingerprints. He was released 12 days later without being charged for a crime.

Jesse T. estimates that he went on to submit 100 applications for jobs in the electrical field, construction, manufacturing, and labor. He got nary a nibble: zero response, no return calls, no acknowledging emails, no invitations to come in for an interview.

A year after his arrest, a friend told him she’d searched for him online and found his mugshot. Was he in prison? Jesse T. was astonished and embarrassed. What was she talking about?

Google yourself, she said.

What he found: the arrest information had been published to a site called The site listed his full name, address, gender, and the charge for which Jesse T. had been arrested. It lacked any mention of the fact that he hadn’t been charged or convicted. Also on the site, he found a link to That led him to a phone number. When he called the 800 number, a man told him he’d need to fork over $399 to have his mugshot taken down.

“That’s illegal,” said Jesse T. The man laughed and hung up. Jesse T. called a total of five times, but all he got was a recording. Then, he got a call from an unlisted number. He turned on his recorder and answered.

According to court documents, this is the transcript from that call, which Jesse T. presented to police:

Jessie T.: Hello?

Unknown male: This third time tell you f**king bitch we never answer your calls again you’ve been permanently published faggot bitch.

Jessie T.: Hey, I’d like my stuff removed.

Call ended.

This is the business model: publishes people’s mugshots, without their knowledge or consent, and then it extorts them for removal of the content.

But last week, Jesse T. was presented with a juicy fillet of poetic justice. Care for karma sauce?


May 22, 2018

Guilty! Anti-anti-virus crook convicted, could spend decades in jail

By Lisa Vaas

A second Russian has been convicted for his part in running Scan4you, the notoriously nasty anti-anti-virus malware scanning service designed to keep new malware out of the hands of anti-virus makers.

The US Department of Justice (DOJ) announced on Wednesday that a federal jury convicted Ruslan Bondars, 37, after a five-day trial. The charges: one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage.

His colleague in crime, Jurijs Martisevs, was arrested on a trip to Latvia in April 2017, as was Bondars. The two ran the service along with a third, unnamed, alleged co-conspirator in Virginia.

Martisevs copped a plea in March.

The DOJ said that at its height, Scan4you was the largest service of its kind, with “at least” thousands of users. The service helped malware writers to come up with “some of the most prolific malware known to the FBI,” it said.

Scan4you kept things on the down-low. Unlike anti-virus makers, which report the detection of malicious files to the anti-virus community, the anti-anti-virus service promised anonymity to those who submitted samples. Users could upload files anonymously, and the service promised not to share information about the uploaded files with the anti-virus community.

The service had quite the palate: malware submitted to it included, among other types, crypters meant to hide malware from anti-virus programs, remote-access Trojans (RATs), keyloggers, and malware tool kits to create customized malicious files.


Facebook conspiracy theories after Android app tries to “get root”

By Paul Ducklin

Facebook popped up in a slew of new cybersecurity conspiracy theories over the weekend.

Apparently, the company’s Android app suddenly started grabbing superuser rights – also known as “root access” in the Linux world. (Android is based on the Linux operating system.)

Apps with root access can pretty much do anything, rather like users with Administrator powers on Windows.

Notably, root-level apps can fiddle with protected system settings, spy on other apps as they run, peek at data from other apps, and more.

So the news that Facebook was “getting root” quickly caused alarm, given the privacy crises in which the company has been embroiled lately.

The obvious questions were: HOW was Facebook able to get root in the first place, WHY did it need root anyway, WHAT on earth has it been doing with this unwarranted privilege, and WHAT possible excuse will it come up with this time?


Real-time cellphone location data leaked for all major US carriers

By Lisa Vaas

LocationSmart – a US company that aggregates real-time location data of cellphones – has leaked the location data of all major US mobile carriers, in real time, without their consent, via its buggy website, security journalist Brian Krebs reported on Thursday.

Krebs says the data could be had without a password or any other form of authentication or authorization.

Krebs was tipped off about an unsecured service on the site by Robert Xiao, a security researcher at Carnegie Mellon University who was tinkering with a free demo of a find-your-phone service from LocationSmart. Xiao’s interest had been piqued after he read about the company supplying real-time phone location data to one of its customers – 3Cinteractive – which then reportedly supplied the data to Securus Technologies.

Securus, which provides and monitors calls to inmates, was the subject of a 10 May article from the New York Times, about how its location service – typically used by marketers who offer deals to people based on their location – can easily be used to find the real-time location of nearly any US phone to as close as a few hundred yards.


Chrome drops ‘secure’ label for HTTPS websites

By John E Dunn

When it comes to browser security, how important are the address bar icons and labels that tell users about a site’s security status?

For Google at least, they matter a lot. In 2017 the Chrome browser started marking transactional sites not using HTTPS as ‘Not Secure’. In July 2018, all sites not offering HTTPS will get this label.

This always risked making the Chrome address bar look a bit crowded. In addition to ‘Not Secure’ with a red warning triangle, there was ‘Secure’ (for sites using HTTPS), as well as the famous green padlock symbol dating back more than a decade.

But which signal matters most – virtue or deficiency?

Given that HTTPS security is rapidly becoming the norm – thanks largely to arm-twisting by Google itself – the company has announced that, in future, it will only inform users when a site is insecure.

Consequently, from Chrome version 69, due in September, the ‘Secure’ label will disappear from HTTPS sites and the green padlock will turn grey.

At some point beyond that, the padlock will vanish completely, leaving the address bar empty save for the URL.

It’s a move that turns the address bar from something that tells people that something is good (using HTTPS) into something that only tells users when something is bad (using insecure HTTP).


May 18, 2018

RedHat admins, patch now – don’t let your servers get pwned!

By Paul Ducklin

RedHat Linux, together with its stablemates Fedora and CentOS, just patched a serious security bug.

This bug doesn’t need a fancy nickname, because it ended up (entirely by chance, of course) with a very memorable bug number: CVE-2018-1111.

Bug OneOneOneOne affects DHCP, short for dynamic host configuration protocol, a network-based system that helps you automate the process of getting computers to play nicely together online.

DHCP solves the problem of how to use the network itself to get a network number (in popular parlance, an IP address) in order to start using the network.

Without DHCP, you’d need to configure the IP address of each laptop, desktop or server on your network by hand.

You’d have to make sure that you didn’t accidentally give two different computers the same IP number, and in the event of an IP address collision you’d have to track down the culprits yourself and resolve the clash.

DHCP automates all this.

An unconfigured computer, called a DHCP client, pumps out a specially formatted network broadcast to say, “Tell me how to set myself up for the network”, and, if there’s a DHCP server on the network, it sends back a reply with everything the client needs to get connected.

The DHCP server typically dishes out your IP number, carefully avoiding collisions; tells you where to send your DNS queries; specifies the router to use to get onto the internet; and much more besides.
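The DISCOVER/OFFER exchange just described, as an added example (not from the article, and not RedHat’s or any real dhclient/dhcpd code): a toy server that leases addresses from a pool without collisions and hands back netmask, router and DNS, plus a client-side check that treats the reply as untrusted input from the network. The subnet, MAC addresses and dictionary field names are constructed; real DHCP exchanges binary packets over UDP ports 67/68, which this simulation skips.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    """Toy DHCP server for one subnet: leases addresses without collisions."""
    subnet: str          # e.g. "192.0.2.0/29" (constructed, RFC 5737 documentation range)
    router: str          # default gateway handed to clients
    dns: str             # DNS server handed to clients
    leases: dict = field(default_factory=dict)   # client MAC -> leased IP

    def __post_init__(self):
        self.net = ipaddress.IPv4Network(self.subnet)

    def handle_discover(self, discover):
        """Answer a client's DISCOVER broadcast with an OFFER."""
        mac = discover["chaddr"]
        if mac in self.leases:
            ip = self.leases[mac]                   # same client again: same address
        else:
            taken = set(self.leases.values()) | {self.router}
            free = [str(h) for h in self.net.hosts() if str(h) not in taken]
            if not free:
                raise RuntimeError("address pool exhausted")
            ip = free[0]
            self.leases[mac] = ip                   # record it so nobody else gets it
        return {
            "op": "OFFER",
            "yiaddr": ip,                           # "your" address in DHCP terms
            "subnet_mask": str(self.net.netmask),
            "router": self.router,
            "dns": self.dns,
            "lease_seconds": 3600,
        }


def make_discover(mac):
    """What an unconfigured client broadcasts: no address yet, sent to everyone."""
    return {"op": "DISCOVER", "ciaddr": "0.0.0.0", "chaddr": mac,
            "dst": "255.255.255.255"}


def validate_offer(offer):
    """Client-side sanity checks before applying an OFFER. Everything in a DHCP
    reply is untrusted input from the network, so it is parsed and checked,
    not trusted blindly."""
    try:
        ip = ipaddress.IPv4Address(offer["yiaddr"])
        router = ipaddress.IPv4Address(offer["router"])
        ipaddress.IPv4Address(offer["dns"])
        net = ipaddress.IPv4Network(f"{ip}/{offer['subnet_mask']}", strict=False)
        lease = int(offer["lease_seconds"])
    except (KeyError, ValueError, TypeError):
        return False
    return router in net and ip != router and lease > 0


def run_exchange(server, macs):
    """DISCOVER/OFFER for each client; returns MAC -> accepted IP (None if rejected)."""
    result = {}
    for mac in macs:
        offer = server.handle_discover(make_discover(mac))
        result[mac] = offer["yiaddr"] if validate_offer(offer) else None
    return result


if __name__ == "__main__":
    srv = DhcpServer("192.0.2.0/29", router="192.0.2.1", dns="192.0.2.1")
    print(run_exchange(srv, ["02:00:00:00:00:01", "02:00:00:00:00:02",
                             "02:00:00:00:00:01"]))
```

Two clients get distinct addresses, a client that asks twice gets its own lease back, and a /29 with the router excluded runs dry after five leases. `validate_offer` is the part worth copying: a client applies a server’s answer to its own network stack, so it should reject a malformed address, a router outside the offered subnet, or a nonsensical lease time rather than pass them straight through.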


Chili’s PoS breach: Want some credit card theft with your baby back ribs?

By Lisa Vaas

Have you dug into a plate of Tex-Mex at Chili’s recently?

If so, it may be time for a potential case of indigestion. It’s not the food; it’s a point-of-sale (PoS) breach that Chili’s discovered on Friday. Its parent company, Brinker International, gave customers a heads-up on the same day.

Brinker doesn’t know how many restaurants were affected, nor how many people’s payment details got swept up by the thieves. It’s working with third-party forensics experts on the investigation, which is still assessing the scope of the breach. At this point, Brinker thinks it was limited to the past few months, between March and April.

From what it’s found so far, the company believes that malware was used to gather payment card information, including credit or debit card numbers and cardholder names from its PoS systems for in-restaurant purchases.

Brinker said that its Chili’s restaurants don’t collect taxpayer IDs, full date of birth, or federal or state identification numbers, so at least that sensitive data wasn’t compromised.

Poor Chili’s: it prides itself on being a technological innovator. In 2013, Chili’s claimed to have “revolutionized” the casual dining industry with tabletop tablets. In 2016, it introduced “a new era for online ordering” with features such as pre-order. It also announced the nationwide rollout of mobile payment on its tabletop tablets.

Unfortunately, payment systems can be both a technological innovation and a massive migraine.

We’ve seen at least 40 carwash PoS systems hacked, and their credit card data drained. In that case, the PoS system manufacturer, Micrologic, pointed the finger at vulnerabilities in the remote-access software.


Senate votes to restore net neutrality… but don’t get your hopes up

By Lisa Vaas

Six months ago, the Federal Communications Commission (FCC) repealed net neutrality.

On Wednesday, the US Senate pulled a rabbit out of its hat and (attempted to) defy the FCC, voting to keep net neutrality.

On Thursday morning, pro-net neutrality politicians rejoiced. Then, we woke up to smell the coffee, and a whole lot of wishful thinking went down the drain. It’s highly unlikely that the Republican-controlled House of Representatives will approve of rolling back the FCC’s repeal, and the White House has already said it’s all for scrapping net neutrality.

Even in the Senate, the keep-net-neutrality vote passed by a whisker, with the help of three Republicans who broke party ranks. As Reuters reports, the 52 to 47 vote in the Senate was larger than expected, as Republicans John Kennedy, Lisa Murkowski and Susan Collins voted with 47 Democrats and two independents to reverse the Trump administration’s action.

It’s not even clear if the House will get to vote on the issue. Representative Mike Doyle, a Democrat, said on Wednesday that he plans to launch a discharge petition to try to force a companion vote in the House.

This is what Doyle said at a press conference after the Senate passed its bill:

It’s about protecting small businesses, students, innovators, entrepreneurs and competition. These are the policies that every American benefits from, and it enables our modern economy.

That’s why I have introduced companion [a resolution under the Congressional Review Act, or CRA] in the House and I’m going to continue to work with the leadership in the House to bring this to the floor.

The CRA is a 1996 law that allows Congress to effectively erase certain regulatory actions by a federal agency within 60 congressional days of their enactment. CRA resolutions only require a simple majority to pass the House and Senate, meaning they can’t be filibustered, but they still need the president’s signature.


ZipperDown catches 170,000 iOS apps with their pants down

By John E Dunn

These days, there seem to be two types of security vulnerabilities – those with alarming names and eye-catching logos, and those that make do with mere CVE numbers.

The latest example of the naming trend is ZipperDown, uncovered by Chinese jailbreakers Pangu Lab, affecting iOS apps and possibly some Android ones too.

The company offers only minimal detail on the flaw, describing it as:

A common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps.

This sounds like trouble, but this time the eye-catching bit is the number of apps the company believes might suffer from it – 15,978 (9.5%) of 168,951 iOS apps in the App Store, a collection of computer programs that have been downloaded about 100 million times.

They admit this is a guesstimate due to the impossibility of checking such a large number of apps individually.

As for other platforms:

We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future.

The company manually verified that a number of Chinese apps are affected including Weibo, MOMO, NetEase Music, QQ Music and Kwai, while Instagram, Pandora, Dropbox, Amazon and a Google app or two are on the long list.

Working out which apps are affected will require developers to carry out manual checks, app-by-app.


Facebook crushes 583 million fake accounts in 3 months

By Lisa Vaas

On Tuesday, Facebook took yet another stab at transparency in these days of users’ and politicians’ outrage.

It came in the form of the first release of the company’s Community Standards Enforcement Report, and it was stuffed with the type of detail that Mark Zuckerberg told so many Congresspeople he’d need to get back to them on when he was first lightly sautéed and then flame-grilled in two days of testimony.

For years, Facebook has had Community Standards that explain “what stays up and what comes down.”

Last month, for the first time, Facebook published the internal guidelines it follows to enforce those standards.

Tuesday’s release of the first ever Community Standards Enforcement Report is a way to hand over the numbers that have resulted from that enforcement. With that information in hand, Facebook’s thinking goes, we can all judge for ourselves how it’s doing when it comes to getting rid of all those fake accounts and their spammy output… And posts with nudity. Or sexual activity. Or hate speech. Or terrorist propaganda.

Guy Rosen, Facebook’s vice president of product management, said in the post that the company’s disabled about 583 million fake accounts during the first three months of this year, or between 3% and 4% of monthly active users. It’s taken down nearly 1.3 billion over the past six months.

The majority of fake accounts were blocked within minutes of registration, Facebook said, touting its artificial intelligence (AI) auto-flag, auto-destroy technologies. On a daily basis, it crushes millions of fake accounts before they ever hatch.

Take down the accounts, and you’re on the road to wiping out the spam they spew, 837 million pieces of which Facebook found and flagged in Q1 2018. Nearly 100% of that spam was discovered and flagged before anyone reported it, Facebook says.

Taking down fake accounts is important not just to fight spam. It’s also crucial for battling fake news, misinformation, bad ads and scams. For example, following Facebook’s F8 developer conference, the company said that it’s started to use AI to automatically sniff out accounts linked to financial scams.


Alexa, Siri and Google can be tricked by commands you can’t hear

By John E Dunn

As tens of millions of delighted owners know, Siri, Alexa, Cortana and Google will do lots of useful things in response to voice commands.

But what if an attacker could find a way to tell them to do something their owners would rather they didn’t?

Researchers have been probing this possibility for a few years and now, according to a New York Times article, researchers at the University of California, Berkeley have shown how it could happen.

Their discovery is that it is possible to hide commands inside audio such as voice statements or music streams in a way that is inaudible to humans.

A human being would hear something innocuous which the virtual assistants interpret as specific commands.

The researchers have previously demonstrated how this principle could be used to fool the Mozilla DeepSpeech speech-to-text engine.

The New York Times claims that researchers at UC Berkeley were able to:

…embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.

How might attackers exploit this?

The obvious examples are manipulated audio buried inside a radio or TV broadcast, podcast, YouTube video or online game, or perhaps even autoplaying audio on a phishing website.

As for which commands, the answer is more or less anything the device can be asked to do from dialing a phone number, accessing a website, or perhaps even buying something.

For example, the researchers claim they were able to hide the phrase “okay google, browse to” inside the sentence “without the dataset the article is useless.”


CIA’s “Vault 7” mega-leak was an inside job, claims FBI

By Lisa Vaas

The US government has named a suspect – a former CIA employee who worked in a group that designs surveillance tools – in last year’s leak of a huge cache of the agency’s cyber weapons.

WikiLeaks dubbed the leak Vault 7.

The Feds have been investigating Joshua Adam Schulte for months, it turns out. In an 8 January 2018 court hearing, federal prosecutors acknowledged that they believed that Schulte is behind the leak of thousands of the CIA’s confidential documents and files, which were stolen from an isolated, high-security network inside CIA headquarters in Langley, Virginia and handed over to WikiLeaks.

That hearing escaped public notice at the time. As the hearing transcript shows, the prosecutor – Matthew Laroche, an assistant U.S. attorney in the Southern District of New York – said that part of the ongoing investigation was analyzing whether Schulte’s use of Tor was allowing him to hide his location in order to “[transmit] classified information.”

Laroche said in January that Schulte “remains a target of that investigation.”

The ex-CIA employee is now in jail in Manhattan on charges of possessing, receiving and transporting child abuse imagery, according to an indictment filed in September. Schulte has pleaded not guilty to the charges, which concern a large cache of images on a server he maintained. Schulte designed the server years ago to share movies and other digital files, and he argues that between 50 and 100 people have had access to it.

Schulte has written what The Washington Post calls a “lengthy” statement, in which he said that he reported “incompetent management and bureaucracy” at the CIA to that agency’s inspector general as well as to a congressional oversight committee. When he left the CIA in 2016, his complaints made him out to be a disgruntled employee, Schulte said – the “only one to have recently departed [the CIA engineering group] on poor terms.”


May 16, 2018

Facebook can’t wiggle out of facial recognition lawsuit, judge says

By Lisa Vaas

Three years ago, Facebook was hit with a class action lawsuit over allegedly violating privacy rights by “secretly” sticking users’ faces into its huge database without their consent.

No, you can’t wiggle out of this one, a San Francisco federal judge said a year later, refusing to approve Facebook’s request to toss the suit.

On Monday, he said it again. In his order, US District Judge James Donato scolded Facebook, noting “a troubling theme” in the social media network’s “voluminous” submissions (there have been hundreds of pages) of briefs, documents, emails, deposition testimony and expert opinions.

Namely, they show that Facebook’s reverting to “the faulty proposition” that plaintiffs must show an “actual” injury beyond the invasion of the privacy rights afforded by Illinois’s 2008 Biometric Information Privacy Act (BIPA), over which the class action suit was filed.

That’s not what the court’s prior decisions said, Donato wrote.

The Court expressly rejected that contention in considerable detail in the class certification order and the order finding… standing to sue.

A class was certified for that exact reason. BIPA does not require additional proof of individualized “actual” harm, and so the question of whether Facebook is liable can be decided in “one stroke” for the class as a whole without a likelihood that individualized inquiries would overwhelm commonality and predominance.

Donato said that to contend otherwise is to “misread and misrepresent the Court’s orders.”

Therefore, Facebook’s got to face the facial-recognition music, he said. Donato dismissed requests by both parties to get a summary judgment decision, given that the parties can’t agree on so many things, including whether the collection of “facial geometry” amounts to facial recognition or not.


Serious XSS vulnerability discovered in Signal

By John E Dunn

Researchers have discovered a serious cross-site scripting (XSS) vulnerability affecting all desktop versions of Edward Snowden’s favorite security application, Signal.

An XSS flaw is a nuisance in any application but in Signal, used by parties that want the highest levels of privacy, this is amplified.

An attacker posing as a contact could use the flaw to send a message containing a malicious URL to set up a range of code-injection compromises using image, audio or iFrame tags, or simply to make the software crash.

Researcher Iván Ariel Barrera Oro, the flaw’s co-discoverer, described how he had chanced upon the issue completely by accident:

The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation.

Which meant:

Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP [Content Security Policy].

That’s not a compromise of the software’s end-to-end encryption, but it would be helpful to an attacker trying to trick a would-be victim into giving up information about themselves.

Designated CVE-2018-10994, the flaw affects all desktop versions (Windows, Mac, Linux) but not the mobile Android or iOS apps. The vulnerable versions are v1.7.1, v1.8.0, v1.9.0, and v1.10.0, fixed by upgrading to v1.10.1 or v1.11.0-beta.3.


Facebook app left 3 million users’ data exposed for four years

By Lisa Vaas

After being burned to a crisp having been found to be manhandling Facebook users’ data, Cambridge Analytica’s ashes blew away on 2 May.

Before it did, former employees had told Gizmodo that they knew the writing was on the wall for the data analytics company, but they didn’t realize how fast the flames would engulf it.

It felt unjust, they seemed to believe. They were just a “typical member of their industry caught in a media firestorm,” as Gizmodo put it. You can see why they’d feel unfairly singled out: in short order, it became clear that Cambridge Analytica wasn’t an aberration. A twin named Cubeyou turned up in April: yet another firm that dressed up its personal-data snarfing as “nonprofit academic research,” in the form of personality quizzes, and handed over the data to marketers.

And now, we have a triplet.

A New Scientist investigation has found that yet another popular Facebook personality app used as a research tool by academics and companies – this one is called myPersonality – fumbled the data of three million Facebook users, including their answers to intimate questionnaires.

Academics at the University of Cambridge distributed data from myPersonality to hundreds of researchers via a website with lousy security… and left it there for anybody to get at, for four years.

New Scientist described the data as being “highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests.” It was meant to be stored and shared anonymously, but “such poor precautions were taken that deanonymizing would not be hard,” it reports.

People had to register as a project collaborator to get access to the full data set, and more than 280 people from nearly 150 institutions did so, including university researchers and those from companies including Facebook, Google, Microsoft and Yahoo.

No permanent academic contract? No big-name company paying you to do research? No problem. For four years, there’s been a username and password to get at the data. The credentials have been sitting on the code-sharing website GitHub. A simple web search would lead you to the working credentials.



Police dog sniffs out USB drive to snare school hacker

By Lisa Vaas

Thanks to a trained police dog sniffing out a thumb drive hidden inside a box of tissues, a high schooler in a San Francisco Bay area suburb has been accused of hacking grades: some students’ grades got bumped up, and some got elbowed down.

Local TV station KPIX reports that police in Concord – the eighth largest city in the area – say that the hack started with a phishing email.

The mail went out to teachers at Ygnacio Valley High School and linked to a website disguised to look like a Mount Diablo School District site. Concord Police Sergeant Carl Cruz told KPIX that the message prompted recipients to go to the bogus site and then…

…to log in to refresh your password or reset something.

…which one teacher did, thereby handing the hacker their login credentials.

Police aren’t releasing the name of the suspect, since he’s underage. They’re accusing him of using the teacher’s login to get into the electronic grading system and boost or lower 16 students’ grades. That includes his own grades, which he raised, police claim.

KPIX say that police traced an “electronic trail” – an IP address, one assumes – to the suspect’s house and searched it last Wednesday.

That’s where Doug the Dog and a USB drive tucked into a box of tissues come in. The K-9 is one of the few police dogs trained to sniff out electronic devices, and “that’s what he did,” Sergeant Cruz said.

We’ve previously written about another electronics-sniffing dog named Thoreau who helped to catch an alleged pedophile by sniffing out hidden hard drives.


The next Android version’s killer feature? Security patches

By John E Dunn

Big news for Android users – the next version of Google’s mobile OS will require device makers to agree to implement regular security patches for the first time in the operating system’s history.

For now, the only evidence we have for this development is a brief and easy-to-miss comment made at last week’s I/O conference by Android’s director of security, David Kleidermacher.

Still, his words don’t leave much wiggle room:

We’ve also worked on building security patching into our OEM agreements. Now this will really lead to a massive increase in the number of devices and users receiving regular security patches.

About time, security watchers will say, as they survey the mess of Android’s fragmentation, which, paradoxically, has grown more pronounced as the OS has recently matured.

That maturity has come at a price – a new version every year – which sounds great until you contemplate the consequences of large numbers of devices with security vulnerabilities that won’t or can’t be patched.

Android fragmentation happens on two axes at the same time, namely the annual updates to the OS (which add new features and architecture tweaks), and monthly security updates.

Consider that in the nine years between Android Cupcake in April 2009 and the forthcoming Android P, Google will have produced 14 versions of its mobile OS.


The EFAIL vulnerability – why it’s OK to keep on using email

By Paul Ducklin

This week’s bug of the month is the trendily-named EFAIL.

Like many groovy bugs these days, it’s both a BWAIN (bug with an impressive name) and a BWIVOL (bug with its very own logo, shown in the image at the top of this article).

The name is a pun of sorts on the word “email”, and the bug is caused by a flaw in the specifications set down for two popular standards used for email encryption, namely OpenPGP and S/MIME.

Simply put, the EFAIL vulnerabilities are a pair of security holes that a crook might be able to use to trick recipients of encrypted messages into leaking out some or all of their decrypted content.

Note that this attack only applies if you are using S/MIME or OpenPGP for end-to-end email encryption.

If you aren’t using either of these add-ons in your email client, this vulnerability doesn’t affect you – after all, if the crooks can sniff out your original messages and they’re not encrypted, they’ve got your plaintext already.

Note also that this attack doesn’t work on all messages; it doesn’t work in real time; you need a copy of the original encrypted message; it only works with some email clients; and it pretty much requires both HTML rendering and remote content download turned on in your email client.

Additionally, for one of the flavors of the attack, you have to know, or be able to guess correctly, some of the plaintext from the original message.

Technically speaking, these attacks aren’t strictly due to bugs, but rather to sloppy standards in S/MIME and OpenPGP that aren’t strict enough by design to inhibit this sort of “message tweaking”.

In the short term, you can expect updates to affected email clients that do their best to suppress these holes; in the long term, you should hope for improved standards for end-to-end email encryption.

In the immediate term, we’ve provided some steps below that you can take to protect yourself right now.


Prison phone service can expose the location of anyone with a phone

By Lisa Vaas

In late April, somebody sent a letter containing meth to an inmate at an Arizona jail.

Tracking down the correspondent was no problem. Police looked at phone calls between the meth sender’s address and the inmate and then made an arrest, according to what Matthew Thomas, chief deputy of the Pinal County Sheriff’s Office, told the New York Times.

It was push-button easy thanks to the police having access to a location data lookup service from a company called Securus Technologies that provides and monitors calls to inmates. According to the Times, marketing documents show that the service, which is typically used by marketers and other businesses, gets the location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon.

It’s far too easy to get that data, some say. Privacy experts, at least one legislator, and inmates’ families say the service, which is fed by data from a mobile marketing company called 3Cinteractive, enables users to look up the whereabouts of nearly any mobile phone in the country, within seconds, without verifying the warrants or affidavits that Securus requires users to upload.

The system is typically used by marketers who offer deals to people based on their location.

It brings back memories of a Google scheme, revealed last year, that aims to track users in real life. As Google announced at its annual Marketing Next conference in May 2017, it wants to go beyond just serving ads to consumers. Using an artificial intelligence (AI) tool called Attribution, it said it would follow us around to see where we go, tracking us across devices and channels – mobile, desktop and in physical stores – to see what we’re buying, to match purchases up with what ads we’ve seen, and to then automatically tell marketers what we’re up to and what ads have paid off.

The Electronic Privacy Information Center (EPIC) was none too happy about the idea. In short order, EPIC filed a complaint with the Federal Trade Commission (FTC) to stop Google from tracking in-store purchases.


May 15, 2018

Nest turns up the temperature on password reusers

By Lisa Vaas

Google’s Nest division of smart-home gadgets recently notified some users about a data breach that involved their credentials. For that, it deserves a pat on the back.

In a security notice sent to one user and published by the Internet Society, Nest told the user to change their password and turn on two-step verification (2SV), also known as multiple- or two-factor authentication (MFA or 2FA).

Whether you call it MFA, 2FA or 2SV, it’s an increasingly common security procedure that aims to protect your online accounts against password-stealing cybercrooks.

So why do we want to pat Nest on the back? Because the breach wasn’t a matter of Nest’s own password database getting breached or, say, from an employee being careless.

Rather, Nest spotted the password because it cropped up in a list of breached credentials, meaning two things: 1) the users whom Nest emailed have been reusing passwords, and 2) Nest’s been proactively keeping an eye out to protect them from their own password foibles.

As Online Trust Alliance Director Jeff Wilbur said in an Internet Society post on Thursday, it’s not clear how Nest figured out that the password had been compromised. Maybe Nest was alerted by security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site)?

The service lets you enter a password to see if it matches more than half a billion passwords that have been compromised in data breaches. A hashed version of the full list of passwords can also be downloaded to do local or batch processing, Wilbur noted.

If we said it once, we’ve reused our don’t-reuse-passwords advice a thousand times. We’re not apologizing, though, since password reuse really is such an atrocious idea.

We know that cybercrooks use breached credentials to see if they work on a variety of third-party sites, be it Facebook, Netflix or many others – including online banking sites.

That, in fact, is why both Facebook and Netflix prowl the internet looking for your username/password combos to show up in troves of leaked credentials.


Is Google’s Duplex AI helpful or plain creepy?

By John E Dunn

Last week, Google CEO Sundar Pichai used the company’s annual I/O event to demo an experimental new feature of Google Assistant.

It consisted of two ordinary-sounding one-minute voice conversations, one to book a hair appointment, the other to make a restaurant reservation.

The unusual aspect of those conversations – which Google said were not staged – is that in both the caller was a computer powered by its Duplex AI technology capable of talking and responding to human beings on the other end using natural language.

The clever (or creepy) bit is that had Pichai not told audience members about the AI they would have been unlikely to have detected it.

Computer-generated voice systems are supposed to be stilted, synthesized, and limited in their responses, but this one sounded convincingly human in every way right down to its reassuringly disfluent use of “mhmm” and “um” as part of its chatter.

Duplex is robust enough that Google will start offering it to a small number of Voice Assistant Android users this summer, which they’ll use to make simple reservations like the ones in the demo.

As I/O attendees applauded, and online watchers wondered aloud whether Duplex might be good enough to pass the famous Turing test, the doubters offered a less optimistic assessment of Google’s cleverness.

Might criminals use voice AI to deceive people? What are the implications of people delegating social interaction to machines? Will it put millions of service industry workers out of a job?

Then there are nuanced ethical issues Google faces from day one, such as do people have a right to know they are talking to a machine?


Remote code execution bug found in GPON routers, but how bad is it really?

By Maria Varmazis

An anonymous researcher, via vpnMentor, recently disclosed two vulnerabilities in several older models of Dasan-made GPON routers. The first is an authentication bypass, which can be used to trigger the second vulnerability, which allows remote code execution (RCE).

The first vulnerability can be triggered simply by appending the string ?images/ to a URL ending in .html or /GponForm/, which allows the attacker to bypass the authentication process, and from there, trigger the remote code execution.

These vulnerabilities proved to be a tempting target for attackers who would love nothing better than to take control of these vulnerable routers and add them to their botnets.

In fact, within a day of the disclosure, there were reports of the vulnerabilities being exploited in the wild. Just a few weeks later, it looks like at least five botnets, including Mirai, are working to take advantage of these bugs, according to researchers at Netlab 360.

Just how big of an impact might these vulnerabilities have? It’s the topic of debate between the researcher who found the vulnerability and Dasan, which sold the routers to ISPs in several countries.

In a blog post, the researcher states that the vulnerability is present in all GPON routers they tested, potentially resulting in “an entire network compromise.” By citing a simple Shodan search for GPON devices, they determine that over a million devices are potentially affected.

But Dasan doesn’t agree with the researcher’s findings. In an official statement, Dasan says the vulnerability is present in only two series of routers released nine years ago which, given their age, are no longer supported. Dasan’s own estimates put the number of devices affected under 240,000 – a far cry from the original researcher’s estimate of nearly a million.


2 million lines of source code left exposed by phone company EE

By Lisa Vaas

EE, which at 30 million customers is the UK’s largest mobile network, was formerly known as Everything Everywhere.

Unfortunately, the name has proved prescient: it reportedly did, in fact, leave everything for anyone anywhere to find by failing to secure a critical code repository, so that anyone could log in with the default username and password. As in, “admin” was both the user name and password for getting into the downloadable portal software, according to a security researcher with the Twitter handle “Six”.

As first reported by ZDNet, on Thursday, Six tweeted a screen capture that he said shows (redacted) access keys to authorize EE’s employee tool. “You trust these guys with your credit card details, while they do not care about security, or customer privacy,” Six said.

The researcher said that after waiting “many many weeks” for a reply from the company, he decided to publicly disclose the vulnerability. His motive was reportedly to “educate the wider masses about security, and how overlooked it is across the industries.”

The code repository contained two million lines of the source code behind EE’s systems, including systems that contained employee data.

Six said that he had discovered a SonarQube portal on an EE subdomain. SonarQube is an open-source platform that offers continuous code auditing to perform automatic reviews and which EE uses to seek out vulnerabilities across its website and customer portal.


May 14, 2018

IBM bans USB drives – but will it work?

By Paul Ducklin

A job worth doing is worth doing well.

And when a job is worth doing well, it’s often worth going all-in.

A good example is how to quit smoking: you can try cutting down a bit in the hope of tapering off; you can try smoking milder cigarettes; you can try replacing your addiction to the nicotine in cigarettes with an addiction to the nicotine in something else; you can even carry on smoking but tell everyone, including yourself, that you didn’t inhale.

But quitting doesn’t admit of half measures, and the best and quickest way to do it is simply never to smoke again, from this day forward, for evermore.

Job done. (As in, “Easier said than.”)

By all accounts, IBM has decided to do just that – go cold turkey, that is – in dealing with the problem of lost data on removable storage devices.



Firefox support for WebAuthn shows passwords the door

By John E Dunn

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).

Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (W3C) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public-key cryptography to let users log into websites without needing a password.

The point of WebAuthn is to turn today’s flawed authentication model on its head.

That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.

Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one-time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.

WebAuthn aims to change all of that:

Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today.

For now WebAuthn relies on hardware keys, like YubiKeys, either on their own or alongside passwords. In future it could utilize any number of authentication methods including Windows Hello, face or fingerprint ID, or even a PIN terminal.

Once a user has authenticated at their end, no credentials leave their device – all a website sees is confirmation that authentication was successful – so there is nothing to steal.


Apple boots out apps that abuse location data collection

By Lisa Vaas

There are only two weeks to go before the European Union’s General Data Protection Regulation (GDPR) officially lands, on 25 May. Surely companies have all their data protection ducks in a row by now, one imagines…?

Or not. Or, at least, over at Apple, there’s still work being done to ensure that customers’ data is on extra strong lock-down, according to 9to5mac.

Namely, Apple is reportedly looking beyond its own data privacy/security toward that of its developers. Specifically, it’s been cracking down on those developers whose apps share location data, kicking them off the App Store until they cut out any code, frameworks or Software Development Kits (SDKs) that are in violation of Apple’s location data policies.

9to5mac has seen several cases of Apple having emailed developers to let them know that, “upon re-evaluation,” their applications are in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines. Those sections pertain to data collection, storage, use and sharing, as well as to letting people know what type of data an app requests (including location data).

9to5mac says that in the instances it’s seen, apps aren’t doing enough to let users know what’s happening with their data. Apple doesn’t want developers to just ask for permission – it’s telling them to explain what the data’s used for and how it’s shared.


iOS 11.4 to come with 7-day USB shutout

By Lisa Vaas

Mobile forensics researchers recently discovered a major new security feature while poking around in the beta version of Apple’s upcoming iOS 11.4 release, due soon.

It’s called USB Restricted Mode: a feature that popped up in the iOS 11.3 beta but didn’t make it to the final release. The feature snips the USB data connection over the Lightning port if the device hasn’t been unlocked for a week. The device can still be charged over USB, but after 7 days, it won’t give up data without a passcode, meaning that at least some backdoor ways to get at data won’t work anymore.

ElcomSoft researchers found this explanation of how it works in Apple’s documentation:

To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.

If the device is unlocked with a passcode, the data transfer over USB will be re-enabled. But once the Lightning port has been disabled for a week, thieves or investigators won’t be able to get at data by pairing the device to a computer or USB accessory. Without a passcode to unlock the device, they won’t even be able to get into it using an existing iTunes pairing record, used to recognize PCs that are ‘trusted’ by the device, also known as a lockdown record.

As ElcomSoft researcher Oleg Afonin has explained, forensics experts have found pairing records to be “immensely handy” for extracting device data without having to first unlock it with a passcode, a fingerprint press or a trusted face.

Lockdown records aren’t foolproof when it comes to getting into phones without those unlocking techniques, but on the upside for police or thieves, you could use old records – Afonin mentioned using a year-old lockdown record. That is, you could do that up until recently. In iOS 11.3 beta Release Notes, Apple said it was adding an expiration date to lockdown records.

In a post published on Tuesday, Afonin said that it’s not clear yet whether the iPhone unlocking techniques developed by outfits such as Grayshift and Cellebrite will be blocked by the new USB Restricted Mode.


May 10, 2018

Watch out: photo editor apps hiding malware on Google Play

By Mark Stockley

SophosLabs has discovered apps in Google Play harboring Guerilla ad clicker malware.

The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.

Guerilla ad clicker

SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harboring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.

That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realizing.


The WhatsApp text bomb – no, it won’t destroy your phone!

By Paul Ducklin

You’ve probably seen the news already: there’s a text message going around that can cause WhatsApp to freeze or crash (if those aren’t essentially the same thing).

Just how alarmed you are depends on where you’ve looked.

Some articles have been hedging their bets by urging you to watch out for “the text bomb that could destroy your phone”, which is dramatic without actually being definitive. (After all, you could win the lottery tomorrow, but you won’t.)

Other articles have insisted that the damage is more than just theoretical – the Birmingham Mail, for instance, headlined its article to state unequivocally that “this WhatsApp text bomb is destroying recipient’s phones”.

Fortunately, the article itself is a bit more conciliatory, noting that:

If you receive [the text bomb], your phone – whether it’s an iPhone or Android – could become unresponsive, forcing you to restart it.

As far as we know, that’s about as bad as it gets, and after restarting, you should be able to delete the offending message so it doesn’t disrupt you again.


Windows-crashing bug not patch-worthy, says Microsoft

By Maria Varmazis

When is a bug not a bug? That’s the question in play with a proof of concept (PoC) published by researcher Marius Tivadar, which can crash several versions of Windows, even if they’re locked, all within seconds of launching the code.

This PoC requires a USB key with a faulty NTFS image on it to be physically inserted into a Windows PC that also has autoplay enabled. Regardless of the privilege level currently active (from user to administrator), seconds after the target PC tries to read data on the USB stick, the dreaded blue screen of death (BSOD) occurs, crashing the computer.

That’s why Tivadar classifies this bug as a denial of service attack, but a crash is as far as this specific issue goes, and at no point does any privilege escalation or unauthorized data access occur.

Tivadar says he reached out to Microsoft in July 2017 to disclose his findings, all in the hope that Microsoft would officially give this security issue a CVE and start working on a patch to fix the problem.

But because this bug requires a USB key to be physically inserted into a machine to work, Microsoft responded that this finding didn’t “meet the bar” for issuing a security patch – so no CVE and no patch will be forthcoming.


Grade hacking may cost high school its valedictorian

By Lisa Vaas

As graduation day draws near for W.S. Neal High School in East Brewton, Alabama, the school is being quizzed, hard.

The questions:

Who hacked grades for the past two years, to the extent that the school can’t figure out if the top 10 students are legitimately the top 10 students? How did the perpetrator(s) hack the grade-reporting system? What is the school doing to prevent this from happening again?

Those questions came from Monica Fountain, just one of many parents who are furious that the school might not be able to find answers in time to pick a valedictorian or salutatorian for graduation in two weeks, on 22 May.

The issue was first reported by the Mobile, Alabama TV station WKRG.

Escambia County Superintendent John Knott confirmed to WKRG that when the school was finalizing the Top 10 students, staff discovered that somebody had altered students’ grades. Knott couldn’t comment on who was involved, nor how many students’ grades could have been affected. As far as whether the school can have a valedictorian or salutatorian, Knott said that it will depend on when the investigation is wrapped up.

To those of us familiar with cyber forensics, that’s not unreasonable. These things take time. It’s not necessarily easy, or fast, to trace hackers and quickly come up with suspects’ identities. What’s more, prematurely releasing details about an ongoing investigation can jeopardize the outcome, whether it’s by tipping off suspects so they can destroy evidence, or by falsely naming suspects before enough evidence has been amassed to form a solid case. People prematurely reported as suspects might well turn out to be innocent, but that hasn’t stopped people from prosecuting them in the court of public opinion and social media.

But those who might not be familiar with the time involved in finding hackers want answers, and they want them now.

As you can see by the reactions on a Facebook post Monica Fountain put up about the incident, the town is outraged. Some say it’s unfair to the kids who’ve worked so hard to get their good grades, that scholarships could be jeopardized, and even that the school is hiding the identity of the hacker(s) for some reason.


Patch now! Microsoft and Adobe release critical security updates

By John E Dunn

After time off in April, 0-days have returned with a small bang in May’s Patch Tuesday from Microsoft.

The loudest is a remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted being exploited by nation state cybercriminals three weeks ago by Chinese security firm Qihoo 360.

Dubbed ‘Double Kill’ (CVE-2018-8174), it can be deployed in a number of ways, including by luring an Internet Explorer user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document.

Any one of these scenarios gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware, Microsoft said, hence the need to apply a patch as a high priority.

The next 0-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2.

An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical.

Microsoft hasn’t said how it’s being exploited, but having this kind of vulnerability to hand is gold for cybercriminals, which is why it should also be on the immediate fix list for anyone running Windows 7.

Two others worth mentioning are CVE-2018-8141, a kernel information disclosure flaw affecting Windows 10 1709, and CVE-2018-8170, an elevation of privilege vulnerability in Windows 1709 and 1703 32-bit.


Critical bug in 7-Zip – make sure you’re up to date!

By Paul Ducklin

Two months ago, a cybersecurity researcher who calls himself LANDAVE, or just Dave for short, found a security vulnerability in the handy, popular, free utility 7-Zip.

7-Zip is a sort-of Swiss Army Officer’s Knife of file decompression tools that many users install as one of their main add-on Windows apps.

It not only supports its own brand of mega-compressed archive files with the extension .7z, but also knows how to extract data from most other archive formats, too.

Conventional ZIPs, gzip and bzip2 files, Unix tar and cpio archives, Windows CAB and MSI files, Macintosh DMG files, CD images (ISOs), and many more, along with an optional two-pane file management interface that’s perfect for old-school fans of Midnight Commander.

7-Zip also includes support for RAR files, and that’s where the vulnerability came from, apparently inherited from open source code from the standalone UnRAR utility.

