January 15, 2020

Microsoft fixes critical bugs in CryptoAPI, RD Gateway and .NET

By Danny Bradbury

Among the most serious bugs were remote code execution (RCE) flaws affecting the Windows Remote Desktop Gateway, which is a Microsoft service that lets authorised remote users connect to resources on a network via the Remote Desktop Connection (RDP) client.

These pre-authentication bugs don’t require any user interaction to exploit, and involve an attacker sending a specially crafted request via RDP. Labelled CVE-2020-0609 through 11, the bugs affect Windows Server 2012 and 2012 R2, along with Windows Server 2016 and 2019. Rated 9.8 in CVSS, these are red hot bugs that companies should fix immediately.

In an analysis of the Microsoft patches, Johannes Ullrich at SANS explained:

Remember BlueKeep? The RD Gateway is used to authenticate users and allow access to internal RDP services. As a result, RD Gateway is often exposed and used to protect the actual RDP servers from exploitation.

There were several other critical bugs in Microsoft’s patch this month, all overshadowed by the cryptographic whopper that we cover elsewhere but still important to everyday users and admins.

CVE-2020-0603 is a critical RCE bug in ASP.NET Core stemming from improper object handling in memory. A user would have to open a specially crafted file to be hit, which an attacker could send via email.

Read more at https://nakedsecurity.sophos.com/2020/01/15/microsoft-fixes-critical-bugs-in-cryptoapi-rd-gateway-and-net/

Malicious npm package taken down after Microsoft warning

By John E Dunn

Criminals have been caught trying to sneak a malicious package on to the popular Node.js platform npm (Node Package Manager).

The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.

According to a security advisory announcing its removal, the package’s suspicious behaviour was first noticed by Microsoft’s Vulnerability Research team, which reported it to npm on 13 January 2020:

The package exfiltrates sensitive information through install scripts. It targets UNIX systems.

The data it steals includes:

  • Environment variables
  • Running processes
  • /etc/hosts
  • uname -a
  • npmrc file

Any of these could lead to trouble, especially the theft of environment variables which can include API tokens and, in some cases, hardcoded passwords.

Anyone unlucky enough to have downloaded this will need to rotate those as a matter of urgency in addition to de-installing 1337qq-js itself.

Read more at https://nakedsecurity.sophos.com/2020/01/15/malicious-npm-package-taken-down-after-microsoft-warning/

Peekaboo Moments baby-recording app has a bad database booboo

By Lisa Vaas

No need to wait until you’ve gurgled out of your mother’s womb to experience the joys of having your privacy breached, thanks to a mobile app called Peekaboo Moments.

Bithouse Inc. – the developer of the mobile app, which is designed to capture photos, audio, weight, length, video and diaries of tots starting as early as their zygote days – has left an Elasticsearch database flapping wide open, leaving thousands of infants’ videos and images exposed, unsecured and up for babbling its contents to any internet busybody who knows where to look.

The database was discovered by Dan Ehrlich, who runs the Texas-based cybersec startup Twelve Security. Ehrlich told Information Security Media Group (ISMG) that the 100GB database contains more than 70 million log files, with data going back as far as March 2019. The logs record when someone uses the Peekaboo app, what actions they took and when.

And my oh my, what actions you can take! As the Peekaboo Moment developer croons on the app’s Google Play listing, users can…

Take photos, videos for your little ones! Starting from pregnancy, newborn to every first ‘papa’ & ‘mama’, these memories will be auto-organized by age of child.

Users can also record the weight, length and birth dates of their babies, as well as their location data, in latitude and longitude, down to four decimal places: an accuracy that translates to within about 30 feet. In other words, this could be Baby’s First PII Breach.

The open database has exposed at least 800,000 email addresses, detailed device data, and links to photos and videos. The frosting on the cupcake: Ehrlich found that the Peekaboo Moments’ API keys for Facebook – which enable users to take content they’ve uploaded to Facebook and post it in the Peekaboo app – have also been exposed, potentially enabling an attacker to get access to content on users’ Facebook pages.

Read more at https://nakedsecurity.sophos.com/2020/01/15/peekaboo-moments-baby-recording-app-has-a-bad-database-booboo/

Apple says no to unlocking shooter’s phone; AG and Trump lash back

By Lisa Vaas

No surprise here: Apple has yet again said no to the FBI’s request to break iOS encryption – this time, as it investigates the 6 December mass shooting at a naval base in Pensacola, Florida.

No surprise redux: Attorney General William Barr is using Apple’s “No” as a “perfect” illustration of why “the public needs to be able to get access to digital evidence”. In other words, this is why we need a backdoor, the FBI says.

We have asked Apple for its help in unlocking the shooter’s phones. So far, Apple has not given any substantive assistance. This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence once it’s received a court order based on probable cause.

In a press conference on Monday, Barr confirmed that the FBI’s investigation has uncovered multiple anti-American screeds posted by the killer, Mohammed Saeed Alshamrani, a member of the Saudi Royal Air Force who was taking flight classes in Florida. He murdered three young US Navy students and wounded eight others before being shot to death by authorities.

Barr said that the evidence points to the shooter being motivated by Jihadist ideology, as can be seen in messages Alshamrani posted to social media. One message stated that “the countdown has begun.” He posted messages up to two hours before the attack, and the FBI is keen to know who else he might have been communicating with.

Read more at https://nakedsecurity.sophos.com/2020/01/15/apple-says-no-to-unlocking-shooters-phone-ag-and-trump-lash-back/

Fleeceware is back in Google Play – massive fees for not much at all

By Paul Ducklin

Last September, we wrote about “fleeceware”, a term we coined to describe apps that charge huge amounts but give you very little in return.

Technically, the apps themselves aren’t malware, because the code in the app doesn’t do anything illegal, dangerous, sneaky, snoopy, subversive or surreptitious.

The treachery lies in the payment model – the fleeceware we identified back in September 2019 didn’t charge a fee for the app, but instead sold you a subscription to go along with the app.

And what subscriptions they were!

How about a QR code reader, much like the one already built into your mobile phone’s camera app, that was free for a three-day trial…

…but then suddenly cost you a massive €104.99 even if you uninstalled the app straight after trying it and never used it again.

The app’s free, don’t forget; it’s the subscription that you’re being charged for, and Google permits app developers to ask that sort of money.

Read more at https://nakedsecurity.sophos.com/2020/01/14/fleeceware-is-back-in-google-play-massive-fees-for-not-much-at-all/

‘Cable Haunt’ vulnerability exposes 200 million cable modem users

By John E Dunn

A fortnight into 2020 and we have the first security flaw considered important enough to be given its own name: Cable Haunt – complete with eye-catching logo.

First discovered by Danish company Lyrebirds some time ago, Cable Haunt is an unusual flaw which in Europe alone is said to affect up to 200 million cable modems based on the Broadcom platform.

Specifically, the flaw is in a normally hidden software layer called the Spectrum Analyzer (SA), used by Internet Service Providers (ISPs) to troubleshoot a subscriber’s connection quality.

According to Lyrebirds, this analyzer has several problems, starting with the basic one that the WebSocket interface used to control the tool from a web browser is unsecured.

Because the modem does not restrict where requests to this interface may come from, it accepts commands from JavaScript running in the user’s browser – which gives attackers a way in as long as they can get their code into that browser (although not in Firefox, apparently).

Using ordinary HTTPS requests instead of an exposed WebSocket interface would have dodged that bullet, because the browser would then have applied Cross-Origin Resource Sharing (CORS) checks.

Having to reach a browser inside the network with access to the modem explains why the flaw is given the apparently ‘medium’ CVSS rating of 4.8. The qualification to this, of course, is that remotely compromising a browser is well within the reach of a competent hacker.

Read more at https://nakedsecurity.sophos.com/2020/01/14/cable-haunt-vulnerability-exposes-200-million-cable-modem-users/
