December 10, 2017
Massive botnet chews through 20,000 WordPress sites
By Danny Bradbury
WordPress users are facing another security worry following the discovery of a massive botnet. Attackers have infected 20,000 WordPress sites by brute-forcing administrator usernames and passwords. They are then using those sites to infect even more WordPress installations.
The botnet, which WordPress security company Wordfence discovered last week, infects sites using a feature known as XML-RPC. This is an interface that lets one piece of software make requests to another by sending it remote procedure calls (RPCs) written in the extensible markup language (XML).
Legitimate blogging programs use this feature to send blog content for WordPress sites to format and publish. Attackers can also use it to try multiple passwords and then manipulate a site if they gain access.
The attackers wrote a script that would launch an XML-RPC-based brute force attack, automatically generating a range of usernames and passwords in the hope that one of them will work and give it access to a privileged account. At that point, they can use that account to infect that site with the botnet software.
The password-building mechanism takes lists of usernames along with lists of common passwords and uses simple algorithms to create new password combinations from the usernames. So, it might try the username ‘alice’ with passwords like alice123, alice2018, and so on. It might not be very effective on a single site, but when used across many sites, the attackers’ chances of success increase, says Wordfence.
Read more at https://nakedsecurity.sophos.com/2018/12/10/massive-botnet-chews-through-20000-wordpress-sites/
Android click fraud apps mimic Apple iPhones to boost revenue
By John E Dunn
SophosLabs has uncovered an unusual click fraud campaign in which malicious Android apps masquerade as being hosted on Apple devices to earn extra rewards.
Advertising click fraud, where a malicious app or process bombards websites with bogus traffic to earn advertising revenue, is a rapidly growing form of cybercrime on mobile and can be hard to spot.
This may go some way to explaining why Google’s Play store failed to detect the malicious design embedded inside a total of 22 apps which kicked off their click fraud campaign in June this year.
Named Andr/Clickr-ad by researchers, the malicious apps were downloaded a total of two million times with one, Sparkle Flashlight, accounting for half of this.
It’s the second time that SophosLabs has discovered malicious ad fraud apps on Google Play, after noticing the separate Andr/Guerilla-D ad fraud campaign lurking inside 25 apps in March and April.
Fake Apple traffic
What sets Clickr-ad apart from previous examples is its sophisticated attempt to pass off much of the traffic the apps generate as coming from a range of Apple models such as the iPhone 5, 6 and 8.
Read more at https://nakedsecurity.sophos.com/2018/12/10/android-click-fraud-apps-mimic-apple-iphones-to-boost-revenue/
Microsoft’s gutting Edge and stuffing it with Chromium
By Lisa Vaas
Microsoft on Thursday announced that it’s going to spend the next year or so gutting its Edge browser and filling it with Chromium: the same open-source web rendering engine that powers Google’s Chrome browser (Chrome is Chromium with some Google extras), Opera, Vivaldi, Yandex, Brave and others.
This is an extraordinary step: some say it points to open source having won the browser wars, for better or worse. Better for web compatibility, says Microsoft, worse for a monoculture where if one thing breaks, a whole lot of other things break.
Terrible for any browser that’s trying to succeed outside of the near-total control of our online lives that Google already enjoys, Mozilla says. The open-source foundation regularly points out that Firefox is the only independent browser that isn’t tied to a profit-driven company, including Google with Chrome, Apple with Safari, and Microsoft with Edge.
Back in the day, Internet Explorer – the predecessor to Edge – not only ruled the browser roost; its stranglehold precipitated an epic antitrust case accusing Microsoft of abusing its monopoly position over Windows. But that was then, and this is now, and Explorer’s replacement, Edge, has a tiny share of the browser marketplace.
Read more at https://nakedsecurity.sophos.com/2018/12/10/microsofts-gutting-edge-and-stuffing-it-with-chromium/
Microsoft calls for laws on facial recognition, issues principles
By Lisa Vaas
In a year in which facial recognition has made massive strides to invade personal privacy and settle in as a favored tool for government surveillance, Microsoft isn’t just open to government regulation; it’s asking for it.
On Thursday, in a speech at the Brookings Institution, Microsoft President Brad Smith warned about facial recognition technology spreading “in ways that exacerbate societal issues.” Never mind any dents to profits, he said, we need legislation before the situation gets more dystopian than it already is.
We don’t believe that the world will be best served by a commercial race to the bottom, with tech companies forced to choose between social responsibility and market success. We believe that the only way to protect against this race to the bottom is to build a floor of responsibility that supports healthy market competition. And a solid floor requires that we ensure that this technology, and the organizations that develop and use it, are governed by the rule of law.
We must ensure that the year 2024 doesn’t look like a page from the novel 1984.
Smith said that Microsoft, after much pondering, has decided to adopt six principles to manage the risks and potential for abuse that come along with facial recognition: fairness, transparency, accountability, non-discrimination, notice and consent, and lawful surveillance. He said that Microsoft will publish a document this week with suggestions on implementing the principles.
The good, the bad, and the intrusive
It’s not as if facial recognition is being used to solely create worlds of ubiquitous surveillance, in which you’re shamed for jaywalking, you’re publicly humiliated for your financial troubles, or law enforcement uses it to surveil crowds that are overwhelmingly composed of innocent people.
Read more at https://nakedsecurity.sophos.com/2018/12/10/microsoft-calls-for-laws-on-facial-recognition-issues-principles/
Flash zero-day exploit spotted – patch now!
By John E Dunn
If you’re among the holdouts still running Flash, you have some more updating homework to do. Adobe has issued an out-of-band patch after researchers spotted a Flash zero-day flaw being exploited in the wild.
The discovery was made by Qihoo 360, which on 29 November noticed a targeted APT (Advanced Persistent Threat) attack against a healthcare clinic used by Russian Government officials.
Codenamed “Operation Poison Needles” by Qihoo in honor of its medical theme, the attack uses a Word document mocked up to look like a job application questionnaire that embeds a Flash ActiveX control.
Anyone on the receiving end of the attack will receive a phishing email with an attached RAR archive containing the boobytrapped document, which executes the payload.
The fix
The vulnerability, a use-after-free flaw, is now identified as CVE-2018-15982 and affects all Flash versions up to and including 31.0.0.153. Patching it on Windows, macOS, Linux and ChromeOS requires downloading 32.0.0.101.
For good measure, the patch applies a separate fix for CVE-2018-15983, a privilege escalation caused by the insecure library loading of DLLs.
Read more at https://nakedsecurity.sophos.com/2018/12/07/flash-zero-day-exploit-spotted-patch-now/
Kids’ VTech tablets vulnerable to eavesdropping hackers
By Lisa Vaas
VTech, the Hong Kong-based smart-toy maker, has hit another bump in the road.
This time around, it’s a serious security flaw in the software of VTech’s flagship tablet, the Storio Max, which is called the InnoTab Max in the UK. The flaw could allow hackers to remotely take control of the device and spy on the 3- to 11-year-old children for whom it’s marketed.
The vulnerability was discovered earlier this year by Elliott Thompson, a security consultant with the London penetration-testing firm SureCloud. On Wednesday, SureCloud said in a post that Thompson had found a vulnerable service enabled on the tablet that could be exploited by a script placed on a website, where a child could visit it, trigger the flaw and be none the wiser.
An attacker would then gain full root control over the device, including access to its webcam, speakers and microphone. In other words, an attacker could eavesdrop on a child using the tablet or talk to them.
The Max tablets are designed to enable parents to restrict their kids’ access to websites that they’ve personally vetted. The flaw pops a hole in that bubble of trust, given that an attacker could exploit the vulnerability to boobytrap that collection of supposedly “safe” sites.
Read more at https://nakedsecurity.sophos.com/2018/12/07/kids-vtech-tablets-vulnerable-to-eavesdropping-hackers/
Unencrypted medical data leads to 12-state litigation
By Danny Bradbury
Twelve US states are suing an electronic healthcare record provider who lost 3.9 million personal records in 2015.
The attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin clubbed together to file suit against Indiana-based Medical Informatics Engineering (MIE) and its subsidiary NoMoreClipboard (NMC) this week. The states, each of which has residents affected by the breach, are negotiating a payout with the company.
MIE sells web-based electronic health record services to healthcare providers via NMC’s Webchart portal.
Starting on 7 May 2015, hackers pilfered 3.9 million people’s personal information from MIE’s back-end systems, stealing not only names, addresses and social security numbers but also health data. This included lab results, health insurance policy information, diagnoses, disability codes, doctors’ names, medical conditions and the names and birth statistics of children.
The complaint accuses MIE of failing to properly secure its computer systems, not telling people about its system weaknesses, and then failing to provide timely notifications of the incident.
MIE failed to encrypt sensitive information, even though it said it did, the lawsuit says. It also used test accounts sharing the passwords “tester” and “testing”, established so that a client’s employees didn’t have to log in with a unique user ID.
Pen testers uncovered the issue and highlighted the risk, but the lawsuit says that MIE took no action.
One of these test accounts allowed the thieves to explore the health record database with SQL injection attacks, gaining further access to privileged accounts called ‘checkout’ and ‘dcarlson’.
Read more at https://nakedsecurity.sophos.com/2018/12/07/unencrypted-medical-data-leads-to-12-state-litigation/
Hacker-besieged DNA data tucked away under military care
By Lisa Vaas
On Wednesday, Genomics England – an ambitious project to map the DNA of a million Brits – proudly announced that it had completed the “100,000 Genomes Project” started in 2013, having sequenced 100,000 whole genomes in the National Health Service (NHS).
The project goal is to improve treatments for patients with rare inherited diseases and cancer, and to uncover new diagnoses. So far, it’s involved the creation of 13 NHS Genomic Medicine Centers (GMCs), a state-of-the-art sequencing center, and an automated analytics platform to return whole genome analyses to the NHS. It’s crunched through 85,000 people’s genomes (participants with cancer have three genomes sequenced: healthy and cancerous cells within their tumor and a third from their blood).
Unfortunately, the servers in those data centers are bare. The Telegraph reports that following a swarm of attacks on the machines holding the data, Genomics England had to shuffle the genomes over to servers at a military base for safekeeping.
Read more at https://nakedsecurity.sophos.com/2018/12/07/hacker-besieged-dna-data-tucked-away-under-military-care/