May 18, 2018
RedHat admins, patch now – don’t let your servers get pwned!
By Paul Ducklin
RedHat Linux, together with its stablemates Fedora and CentOS, just patched a serious security bug.
This bug doesn’t need a fancy nickname, because it ended up (entirely by chance, of course) with a very memorable bug number: CVE-2018-1111.
Bug OneOneOneOne affects DHCP, short for dynamic host configuration protocol, a network-based system that helps you automate the process of getting computers to play nicely together online.
DHCP solves the problem of how to use the network itself to get a network number (in popular parlance, an IP address) in order to start using the network.
Without DHCP, you’d need to configure the IP address of each laptop, desktop or server on your network by hand.
You’d have to make sure that you didn’t accidentally give two different computers the same IP number, and in the event of an IP address collision you’d have to track down the culprits yourself and resolve the clash.
DHCP automates all this.
An unconfigured computer, called a DHCP client, pumps out a specially formatted network broadcast to say, “Tell me how to set myself up for the network”, and, if there’s a DHCP server on the network, it sends back a reply with everything the client needs to get connected.
The DHCP server typically dishes out your IP number, carefully avoiding collisions; tells you where to send your DNS queries; specifies the router to use to get onto the internet; and much more besides.
Read more at https://nakedsecurity.sophos.com/2018/05/16/redhat-admins-patch-now-dont-let-your-servers-get-pwned/
Chili’s PoS breach: Want some credit card theft with your baby back ribs?
By Lisa Vaas
Have you dug into a plate of Tex-Mex at Chili’s recently?
If so, it may be time for a potential case of indigestion. It’s not the food; it’s a point-of-sale (PoS) breach that Chili’s discovered on Friday. Its parent company, Brinker International, gave customers a heads-up on the same day.
Brinker doesn’t know how many restaurants were affected, nor how many people’s payment details got swept up by the thieves. It’s working with third-party forensics experts on the investigation, which is still assessing the scope of the breach. At this point, Brinker thinks it was limited to the past few months, between March and April.
From what it’s found so far, the company believes that malware was used to gather payment card information, including credit or debit card numbers and cardholder names from its PoS systems for in-restaurant purchases.
Brinker said that its Chili’s restaurants don’t collect taxpayer IDs, full date of birth, or federal or state identification numbers, so at least that sensitive data wasn’t compromised.
Poor Chili’s: it prides itself on being a technological innovator. In 2013, Chili’s claimed to have “revolutionized” the casual dining industry with tabletop tablets. In 2016, it introduced “a new era for online ordering” with features such as pre-order. It also announced the nationwide rollout of mobile payment on its tabletop tablets.
Unfortunately, payment systems can be both a technological innovation and a massive migraine.
We’ve seen at least 40 carwash PoS systems hacked, and their credit card data drained. In that case, the PoS system manufacturer, Micrologic, pointed the finger at vulnerabilities in the remote-access software.
Read more at https://nakedsecurity.sophos.com/2018/05/16/chilis-pos-breach-want-some-credit-card-theft-with-your-baby-back-ribs/
Senate votes to restore net neutrality… but don’t get your hopes up
By Lisa Vaas
Six months ago, the Federal Communications Commission (FCC) repealed net neutrality.
On Wednesday, the US Senate pulled a rabbit out of its hat and (attempted to) defy the FCC, voting to keep net neutrality.
On Thursday morning, pro-net neutrality politicians rejoiced. Then, we woke up to smell the coffee, and a whole lot of wishful thinking went down the drain. It’s highly unlikely that the Republican-controlled House of Representatives will approve of rolling back the FCC’s repeal, and the White House has already said it’s all for scrapping net neutrality.
Even in the Senate, the keep-net-neutrality vote passed by a whisker, with the help of three Republicans who broke party ranks. As Reuters reports, the 52 to 47 vote in the Senate was larger than expected, as Republicans John Kennedy, Lisa Murkowski and Susan Collins voted with 47 Democrats and two independents to reverse the Trump administration’s action.
It’s not even clear if the House will get to vote on the issue. Representative Mike Doyle, a Democrat, said on Wednesday that he plans to launch a discharge petition to try to force a companion vote in the House.
This is what Doyle said at a press conference after the Senate passed its bill:
It’s about protecting small businesses, students, innovators, entrepreneurs and competition. These are the policies that every American benefits from, and it enables our modern economy.
That’s why I have introduced companion [a resolution under the Congressional Review Act, or CRA] in the House and I’m going to continue to work with the leadership in the House to bring this to the floor.
The CRA is a 1996 law that allows Congress to effectively erase certain regulatory actions by a federal agency within 60 congressional days of their enactment. CRA resolutions only require a simple majority to pass the House and Senate, meaning they can’t be filibustered, but they still need the president’s signature.
Read more at https://nakedsecurity.sophos.com/2018/05/18/senate-votes-to-restore-net-neutrality-but-dont-get-your-hopes-up/
ZipperDown catches 170,000 iOS apps with their pants down
By John E Dunn
These days, there seem to be two types of security vulnerabilities – those with alarming names and eye-catching logos, and those that make do with mere CVE numbers.
The latest example of the naming trend is ZipperDown, uncovered by Chinese jailbreakers Pangu Lab, affecting iOS apps and possibly some Android ones too.
The company offers only minimal detail on the flaw beyond describing it as:
A common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps.
This sounds like trouble, but this time the eye-catching bit is the number of apps the company believes might suffer from it: 15,978 (9.5%) of 168,951 iOS apps in the App Store, a collection of computer programs that have been downloaded about 100 million times.
They admit this is a guesstimate due to the impossibility of checking such a large number of apps individually.
As for other platforms:
We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future.
The company manually verified that a number of Chinese apps are affected including Weibo, MOMO, NetEase Music, QQ Music and Kwai, while Instagram, Pandora, Dropbox, Amazon and a Google app or two are on the long list.
Working out which apps are affected will require developers to carry out manual checks, app-by-app.
Read more at https://nakedsecurity.sophos.com/2018/05/18/zipperdown-catches-170000-ios-apps-with-their-pants-down/
Facebook crushes 583 million fake accounts in 3 months
By Lisa Vaas
On Tuesday, Facebook took yet another stab at transparency in these days of users’ and politicians’ outrage.
It came in the form of the first release of the company’s Community Standards Enforcement Report, and it was stuffed with the type of detail that Mark Zuckerberg told so many Congresspeople he’d need to get back to them on when he was first lightly sautéed and then flame-grilled in two days of testimony.
For years, Facebook has had Community Standards that explain “what stays up and what comes down.”
Last month, for the first time, Facebook published the internal guidelines it follows to enforce those standards.
Tuesday’s release of the first ever Community Standards Enforcement Report is a way to hand over the numbers that have resulted from that enforcement. With that information in hand, Facebook’s thinking goes, we can all judge for ourselves how it’s doing when it comes to getting rid of all those fake accounts and their spammy output… And posts with nudity. Or sexual activity. Or hate speech. Or terrorist propaganda.
Guy Rosen, Facebook’s vice president of product management, said in the post that the company’s disabled about 583 million fake accounts during the first three months of this year, or between 3% and 4% of monthly active users. It’s taken down nearly 1.3 billion over the past six months.
The majority of fake accounts were blocked within minutes of registration, Facebook said, touting its artificial intelligence (AI) auto-flag, auto-destroy technologies. On a daily basis, it crushes millions of fake accounts before they ever hatch.
Take down the accounts, and you’re on the road to wiping out the spam they spew, 837 million pieces of which Facebook found and flagged in Q1 2018. Nearly 100% of that spam was discovered and flagged before anyone reported it, Facebook says.
Taking down fake accounts is important not just to fight spam. It’s also crucial for battling fake news, misinformation, bad ads and scams. For example, following Facebook’s F8 developer conference, the company said that it’s started to use AI to automatically sniff out accounts linked to financial scams.
Read more at https://nakedsecurity.sophos.com/2018/05/17/facebook-crushes-583-million-fake-accounts-in-3-months/
Alexa, Siri and Google can be tricked by commands you can’t hear
By John E Dunn
As tens of millions of delighted owners know, Siri, Alexa, Cortana and Google will do lots of useful things in response to voice commands.
But what if an attacker could find a way to tell them to do something their owners would rather they didn’t?
Researchers have been probing this possibility for a few years and now, according to a New York Times article, researchers at the University of California, Berkeley have shown how it could happen.
Their discovery is that it is possible to hide commands inside audio such as voice statements or music streams in a way that is inaudible to humans.
A human being would hear something innocuous which the virtual assistants interpret as specific commands.
The researchers have previously demonstrated how this principle could be used to fool the Mozilla DeepSpeech speech-to-text engine.
The New York Times claims that researchers at UC Berkeley were able to:
…embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.
How might attackers exploit this?
The obvious examples are manipulated audio buried inside a radio or TV broadcast, podcast, YouTube video or online game, or perhaps even autoplaying audio on a phishing website.
As for which commands, the answer is more or less anything the device can be asked to do, from dialing a phone number or accessing a website to perhaps even buying something.
For example, the researchers claim they were able to hide the phrase “okay google, browse to evil.com” inside the sentence “without the dataset the article is useless.”
Read more at https://nakedsecurity.sophos.com/2018/05/17/alexa-siri-and-google-can-be-tricked-by-commands-you-cant-hear/
CIA’s “Vault 7” mega-leak was an inside job, claims FBI
By Lisa Vaas
The US government has named a suspect – a former CIA employee who worked in a group that designs surveillance tools – in last year’s leak of a huge cache of the agency’s cyber weapons.
WikiLeaks dubbed the leak Vault 7.
The Feds have been investigating Joshua Adam Schulte for months, it turns out. In an 8 January 2018 court hearing, federal prosecutors acknowledged that they believed that Schulte is behind the leak of thousands of the CIA’s confidential documents and files, which were stolen from an isolated, high-security network inside CIA headquarters in Langley, Virginia and handed over to WikiLeaks.
That hearing escaped public notice at the time. As the hearing transcript shows, the prosecutor – Matthew Laroche, an assistant U.S. attorney in the Southern District of New York – said that part of the ongoing investigation was analyzing whether Schulte’s use of Tor was allowing him to hide his location in order to “[transmit] classified information.”
Laroche said in January that Schulte “remains a target of that investigation.”
The ex-CIA employee is now in jail in Manhattan on charges of possessing, receiving and transporting child abuse imagery, according to an indictment filed in September. Schulte has pleaded not guilty to the charges, which concern a large cache of images on a server he maintained. Schulte designed the server years ago to share movies and other digital files, and he argues that between 50 and 100 people have had access to it.
Schulte has written what The Washington Post calls a “lengthy” statement, in which he said that he reported “incompetent management and bureaucracy” at the CIA to that agency’s inspector general as well as to a congressional oversight committee. When he left the CIA in 2016, his complaints made him out to be a disgruntled employee, Schulte said – the “only one to have recently departed [the CIA engineering group] on poor terms.”
Read more at https://nakedsecurity.sophos.com/2018/05/17/cias-vault-7-mega-leak-was-an-inside-job-claims-fbi/