September 20, 2018

US military given the power to hack back/defend forward

By Lisa Vaas

Hacking back – what’s also called offensive hacking, or what the Defense Department is calling “defending forward” in its new cyber strategy, or what we can think of as plain old “attacking” but without the need for the military to get an OK from the president’s National Security Council – is back.

The new version of cyber strategy, first reported by CNN on Tuesday, says that the Department of Defense (DoD) will “defend forward” to confront threats before they reach US networks: in other words, the military has gained the power to launch “preventative” cyberattacks, be they to protect election systems or the energy grid.

Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets.

“The United States cannot afford inaction,” the summary reads. As it is, the US is in a “long-term strategic competition” with China and Russia, it says, which have both launched persistent cyber campaigns that pose “long-term” risk to the country, its allies and its partners.

References to state-sponsored hacks

The strategy references China-sponsored hacking and Russian tinkering with US elections and US discourse.

North Korea also rated a mention. Earlier this month, the US unsealed a criminal complaint that charged a North Korea regime-backed programmer with multiple devastating cyberattacks, including the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the $81m cyber heist in 2016 that drained Bangladesh’s central bank.

Read more at https://nakedsecurity.sophos.com/2018/09/20/us-military-given-the-power-to-hack-back-defend-forward/

FBI wants to keep “helpful” Mirai botnet authors around

By Lisa Vaas

In December 2017, the youthful authors of the devastating Mirai botnet admitted that, collectively, they were guilty of conspiracy to violate the Computer Fraud and Abuse Act (CFAA): one charge for the Mirai botnet, and two charges for a clickfraud botnet.

Which, in legalese, means…

…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.

…and which, in English, means writing and implementing the code that led to the Mirai malware, which ensnared more than 300,000 Internet of Things (IoT) devices; launching multiple distributed denial-of-service (DDoS) attacks (including, unwisely, against security journalist Brian Krebs, whose response was to track them down and unmask them); renting the botnet out to third parties and then extorting money from hosting companies in exchange for not being targeted, or selling uniquely tailored “services” to victims in order to fend off such attacks; scanning for vulnerable devices to attack; and click fraud.

…All of which is estimated to have caused damage in excess of $100m.

Yeah, the FBI says, but they’re such smart guys. Let’s keep them around!

On Tuesday, on the FBI’s recommendation and the defense attorneys’ “Yes, please!”, an Alaskan court sentenced the three men to probation, community service and fines.

Read more at https://nakedsecurity.sophos.com/2018/09/20/fbi-wants-to-keep-helpful-mirai-botnet-authors-around/

Western Digital goes quiet on unpatched MyCloud flaw

By John E Dunn

Western Digital has failed to patch a serious security vulnerability in its MyCloud NAS drives that it was told about more than a year ago, researchers have alleged.

Worse, this is despite the fact that the issue was publicly disclosed as far back as DEF CON 25 in July last year.

The latest flaw, discovered independently by researchers at Securify and Exploitee.rs, is an authentication bypass that could give a local attacker complete admin control over drives.

The researchers started an admin session tied to their IP address and then fooled the drive into thinking this was authenticated by setting a username=admin cookie.

That was possible because:

The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1.

No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network (a remote compromise would depend on such access being enabled).

Securify has even published a proof-of-concept comprising a few lines of code – this isn’t major league hacking.
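As an added illustration (not code from Securify, Exploitee.rs or Western Digital), the toy models below contrast the flawed pattern the researchers describe, an unauthenticated CGI call that opens an admin session bound to the caller's IP and an admin check that trusts a client-chosen username cookie, with a design that issues a random server-side session token only after the password has been verified. Class and method names are constructed for the example.

```python
import hashlib, hmac, secrets, time

# Constructed toy models of the two session designs; not Western Digital's code.

class CookieTrustingServer:
    """Flawed pattern: an unauthenticated CGI call opens an 'admin session'
    keyed only by the caller's IP, and authorization then trusts a cookie
    value the client chose itself."""
    def __init__(self):
        self.admin_ips = set()

    def cgi_get_ipv6(self, client_ip, flag):
        if flag == "1":  # a side effect no unauthenticated request should have
            self.admin_ips.add(client_ip)

    def is_admin(self, client_ip, cookies):
        # 'username=admin' is supplied by the client, so this check proves nothing.
        return client_ip in self.admin_ips and cookies.get("username") == "admin"

class TokenSessionServer:
    """Hardened pattern: a session exists only after the password is verified,
    is identified by a random server-issued token, and expires."""
    SESSION_TTL = 900  # seconds

    def __init__(self, admin_password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(admin_password)
        self._sessions = {}  # token -> (username, expiry)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, username, password, now=None):
        if username != "admin" or not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        token = secrets.token_urlsafe(32)  # opaque, unguessable, never derived from the username
        self._sessions[token] = ("admin", (time.time() if now is None else now) + self.SESSION_TTL)
        return token

    def is_admin(self, cookies, now=None):
        token = cookies.get("session", "")
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, expiry = entry
        if (time.time() if now is None else now) > expiry:
            del self._sessions[token]  # expired sessions are dropped, not honoured
            return False
        return user == "admin"
```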

Read more at https://nakedsecurity.sophos.com/2018/09/20/western-digital-goes-quiet-on-unpatched-mycloud-flaw/

iOS 12 is here: these are the security features you need to know about

By John E Dunn

One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.

There’s always a lot of fuss about new features, which tends to obscure the fact that iOS updates these days also come loaded with useful security upgrades and patches for software vulnerabilities.

Naked Security covered the expected iOS 12 security enhancements in August, but a quick reminder shouldn’t go amiss given that some need to be turned on by owners.

Settings you need to turn on

One of the first questions iOS 12 asks during initialization is whether owners would like to turn on automatic iOS updating. Updating happens anyway with each major update, but without automatic updating it’s still possible to miss fixes for security issues that pop up between versions.

An interesting recent example of this is the 11.4.1 update Apple offered in July to turn on USB restricted mode in response to techniques believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen – it’s turned on by default in iOS 12 but users who enabled automatic updating could have had it two months ago.

Our advice is to turn this on! You can do this manually by going to Settings > General > Software Update. USB Restricted Mode is enabled via Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X): make sure the USB Accessories toggle is off. This will require the device to be unlocked before USB devices can connect in future, which some might find inconvenient – see Apple’s explanation of the feature for background.

Read more at https://nakedsecurity.sophos.com/2018/09/19/ios-12-is-here-these-are-the-security-features-you-need-to-know-about/

Here we Mongo again! Millions of records exposed by insecure database

By Lisa Vaas

Yet another MongoDB database instance has been found belly-up, unprotected and exposing 11 million customer records.

Former Kromtech security researcher Bob Diachenko, who made the discovery on Monday, said the database instance was revealing records that included personal details such as email addresses, full name, gender, and physical addresses (zip code, state, city of residence). The database also contained DNS data and information on server response.

To be precise, the 43.5GB dataset contained 10,999,535 email addresses, all of them Yahoo-based.

There weren’t many indications of who the database belongs to. The database name itself gave no indication of ownership – nor did the exposed data include administrator emails, system logs or host information.

But there was one hint: a small suffix in several records. Diachenko said one example was “Yahoo_090618_ SaverSpy,” while ZDNet mentioned “Content-SaverSpy-09092018”, which led some to conclude that the database might belong to a coupon/discount company named SaverSpy, a daily deals website operated by Coupons.com.

Neither SaverSpy nor Coupons.com responded to inquiries from ZDNet and Diachenko, but within a few hours of those inquiries, the database was taken offline.

Read more at https://nakedsecurity.sophos.com/2018/09/19/here-we-mongo-again-millions-of-records-exposed-by-insecure-database/

State Department scores an F on 2FA security

By Danny Bradbury

Five Senators have discovered that the State Department is breaking the law by not using multi-factor authentication (MFA or 2FA) in its emails. They’ve sent a letter to Secretary of State Mike Pompeo, and they want answers.

The letter, from Senators Ron Wyden, Cory Gardner, Edward Markey, Rand Paul and Jeanne Shaheen, referenced reports from federal auditors that the Department of State was failing to meet basic federal cybersecurity standards.

According to the letter, the General Services Administration (GSA), the US department dealing with government procurement, property management and information delivery, analysed federal cybersecurity this year.

The GSA’s report found that the Department of State had deployed “enhanced access controls” across just 11% of required agency devices.

MFA or 2FA requires users to enter a second piece of information along with their password. This is linked to a physical asset that only they hold, thwarting imposters trying to steal their accounts remotely. That second piece of information could be biometric, such as your fingerprint; a hardware key, such as Google’s recently-announced dongle; or a code delivered to a mobile phone.

Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

Read more at https://nakedsecurity.sophos.com/2018/09/18/state-department-scores-an-f-on-2fa-security/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation