May 25, 2018

Does your BMW need a security patch?

By John E Dunn

If you’re a BMW owner, prepare to patch! Chinese researchers have found 14 security vulnerabilities affecting many models.

The ranges affected (some as far back as 2012) are the BMW i Series, X Series, 3 Series, 5 Series and 7 Series, with a total of seven rated serious enough to be assigned CVE numbers.

The vulnerabilities are in the Telematics Control Unit (TCB), the Central Gateway Module, and Head Unit, across a range of interfaces including via GSM, BMW Remote Service, BMW ConnectedDrive, Remote Diagnosis, NGTP, Bluetooth, and the USB/OBD-II interfaces.

Some require local access (e.g. via USB) to exploit, but six, including the Bluetooth flaw, were accessible remotely, making them the most serious.

Should owners worry that the flaws could be exploited, endangering drivers and vehicles?

On the basis of the technical description, that seems unlikely, although Keen Lab won’t release the full proof-of-concept code until 2019.

Keen Lab described the effect of its hacking as allowing it to carry out:

The execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely.

To which BMW responded:

BMW Group has already implemented security measures, which are currently being rolled out via over-the-air configuration updates. Additional security enhancements for the affected infotainment systems are being developed and will be available as software updates for customers.

Read more at https://nakedsecurity.sophos.com/2018/05/25/does-your-bmw-need-a-security-patch/

2 million stolen identities used to make fake net neutrality comments

By Lisa Vaas

You may recall all those reports of fake and bot-generated comments left in what former New York Attorney General Eric Schneiderman called the “deeply corrupted” public comment period for net neutrality.

Now, it looks like two million stolen identities were used to make those fake net neutrality comments. Most crucially, two of those identities were stolen from senators.

On Monday, the two senators – Jeff Merkley (D-OR) and Pat Toomey (R-PA) – called on the Federal Communications Commission (FCC) to investigate identity theft and fraud in the public comments left for the agency during the time leading up to the decision to kill net neutrality in December.

From their letter, sent to FCC Chairman Ajit Pai:

Late last year, the identities of as many as two million Americans were stolen and used to file fake comments during the Federal Communications Commission’s (FCC’s) comment period for the net neutrality rule.

We were among those whose identities were misused to express viewpoints we do not hold. We are writing to express our concerns about these fake comments and the need to identify and address fraudulent behavior in the rulemaking process.

A public comment system that isn’t secured in some way can’t protect government agencies such as the FCC from fraudsters who pollute the process, the senators said; nor can it protect participants from having fraudsters assume their identities:

The first three words in our Constitution are, ‘We the People.’ The federal rulemaking process is an essential part of our democracy and allows Americans the opportunity to express their opinions on how government agencies decide important regulatory issues. As such, we are concerned about the aforementioned fraudulent activity. We need to prevent the deliberate misuse of Americans’ personal information and ensure that the FCC is working to protect against current and future vulnerabilities in its system.

Toomey and Merkley called on the FCC to employ simple security measures, such as CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, to weed out bot-generated comments.

This technology would ensure that a human, not a machine, is using a computer to submit comments.

“Ensure?” Well, that’s giving CAPTCHA a bit more credit than it deserves, given all the ways that human researchers have found to automatically trick the tests.

Read more at https://nakedsecurity.sophos.com/2018/05/24/2-million-stolen-identities-used-to-make-fake-net-neutrality-comments/

Office 365 will automatically block Flash and Silverlight

By John E Dunn

If you are one of the small number of Office 365 users who enjoyed embedding Flash, Shockwave or Silverlight content inside files, time is about to run out on your unusual pastime.

Last week, Microsoft announced that, starting next month, Office 365 will start blocking these for monthly subscription users, with the same thing happening for business users on the Semi Annual (SA) Channel by January 2019.

There are a number of reasons why this is happening now, although Microsoft could probably have pulled the feature a while ago without upsetting too many customers.

First and foremost is the end of support for Flash in less than two years, while Microsoft has been treating Silverlight like a bad smell since Windows 10 arrived in 2015.

Secondly, according to Microsoft barely anyone seems to be using this feature in Office 365, something it can be certain of given the visibility it has on what people are doing with its cloud platform.

Ironically, the one group that has shown a lot of enthusiasm for embedded Office controls are cybercriminals, who took to hiding malicious content inside otherwise harmless-looking Excel, PowerPoint and Word files.

Helped by a long sequence of Flash vulnerabilities, these attacks continue to this day. A good recent example of this was a zero-day attack on South Korean organisations using a Flash Player flaw channeled through Word (CVE-2018-4878).

Read more at https://nakedsecurity.sophos.com/2018/05/24/office-365-will-automatically-block-flash-and-silverlight/

VPNFilter – is a malware timebomb lurking on your router?

By Paul Ducklin

Researchers at Cisco Talos just published a report documenting a giant-sized IoT botnet known as VPNFilter.

More than 500,000 devices around the world are said to be infected with this malware – most of them are consumer internet routers from a range of different vendors, with some consumer NAS (network attached storage) devices known to have been hit as well.

To explain.

IoT is short for internet of things, and refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.

As a result, IoT devices often end up attracting little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed.

And a botnet refers to a robot network, also known as a zombie network.

That’s where crooks implant malware on thousands, or even hundreds of thousands, of computers at the same time, in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.

Read more at https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/

Surprise! Student receives $36,000 Google bug bounty for RCE flaw

By John E Dunn

What’s the only thing better than a bug bounty cheque? A bug bounty cheque you weren’t expecting.

In the case of an 18-year-old student researcher at Uruguay’s University of the Republic in Montevideo, this cheque was to the tune of $36,337, awarded by Google for finding a surprisingly big hole in the security of its App Engine (GAE) cloud platform.

The story began when the researcher gained access to GAE’s restricted non-production environment earlier this year and found it was possible to rummage around in the platform’s internal and hidden APIs.

Google is not in a hurry to document this to outsiders, which made searching for vulnerabilities of any size a question of trial and error. This made the ease with which it was possible to find and interact with some of these APIs even more surprising.

Inside GAE’s deployment environment, the dangerous vulnerability turned out to be in one service, “app_config_service”. This proved significant because commands sent to it:

Allowed me to set internal settings such as the allowed email senders, the app’s Service Account ID, ignore quota restrictions, and set my app as a “SuperApp” and give it “FILE_GOOGLE3_ACCESS”

In response to this revelation, someone at Google “bumped up the severity”, which raised its bug bounty value. However, Google’s bounty assessors added in an email:

Please stop exploring this further, as it seems you could easily break something using these internal APIs. When issuing a reward, we’ll take into account what you could have achieved if you wanted to.

Read more at https://nakedsecurity.sophos.com/2018/05/23/surprise-student-receives-36000-google-bug-bounty-for-rce-flaw/

Google in court over ‘clandestine tracking’ of 4.4m iPhone users

By Lisa Vaas

Google’s in trouble again over the “Safari Workaround”: the iPhone shakedown for personal information from millions of iPhone users.

In 2012, the workaround got the search giant fined by the US Federal Trade Commission (FTC) for $22.5m, fined again a year later for $17m after it got sued by dozens of states, and now has the UK’s Google You Owe Us campaign out for its own pound of flesh.

Make that a few pounds of flesh: The Google You Owe Us campaign has started the process of getting its own comeuppance, and the US fines pale in comparison to what the British group is after.

Monday marked day one in London’s high court, where the collective action is suing the company for what could be as much as £3.2bn (USD $4.3b), according to court filings.

It alleges “clandestine tracking and collation” of information that included race, physical and mental health, political leanings, sexuality, social class, financial data, shopping habits and location data. On the campaign’s site, it alleges that Google’s Safari Workaround tracked iPhone users’ internet browsing history, which Google then used to sell a targeted advertising service.

Read more at https://nakedsecurity.sophos.com/2018/05/23/google-in-court-over-clandestine-tracking-of-4-4m-iphone-users/
