February 24, 2020

KidsGuard stalkerware leaks data on secretly surveilled victims

By Lisa Vaas

“KidsGuard?”

What an inappropriate name. It should be called KidsStalk-N-Dox, given that the makers of this consumer-grade stalkerware left a server open and unprotected, regurgitating the private data it slurped up from thousands of victims’ devices after a parent or other surveillance-happy person stealthily installed it.

The spyware app’s unprotected Alibaba cloud storage bucket was found by Till Kottmann. He’s a developer who reverse-engineers apps to see how they tick (or leak, in this case). Kottmann shared a copy of the Android version of KidsGuard with TechCrunch, which first reported on the data breach on Thursday.

Kottmann’s findings amount to “Goodness, Grandma, what enormous bites you take out of victims’ privacy with those big, keyloggy teeth of yours.”

this is sick https://t.co/dSu2AErBYF

Till Kottmann (@deletescape), February 16, 2020

KidsGuard comes from a company called ClevGuard that promises that its “excellent products” will deliver “all the information” from a targeted device, including real-time location, text messages, browser history, photos, videos, recordings of phone calls, keylogger data for every keystroke entered and the app where it came from, and all the data from all the social apps – hopping over the end-to-end encryption of, for example, WhatsApp.

Read more at https://nakedsecurity.sophos.com/2020/02/24/kidsguard-stalkerware-leaks-data-on-secretly-surveilled-victims/

Google purges 600 Android apps for “disruptive” pop-up ads

By Lisa Vaas

You know those ads that obscure your whole screen when you’re trying to make a phone call, unlock your device or use your phone’s GPS?

Technically, they’re called disruptive or out-of-app ads, and they maddeningly pop up outside of the app that hosts them, sometimes causing users to mistakenly click them, thereby frustrating users and wasting advertisers’ money.

On Thursday, Google kicked nearly 600 of the offending apps off its Play store and banned them from its ad monetization platforms, Google AdMob and Google Ad Manager, for violating its disruptive ads policy and disallowed interstitial policy.

Disruptive ads are those that come at you in unexpected ways, including by getting in the way of a device’s functions. While they do occur in-app, Google has recently seen a rise in what it calls “out-of-context ads” – those created by malicious developers who program them to pop up when the user isn’t actually active in their app.

Per Bjorke, Google’s senior product manager for ad traffic quality, said in a Google security blog post that the developers behind these apps keep coming up with ways to deploy them and mask what they’re up to. But Google has been working on technology to detect them, and it’s led to Thursday’s purge:

We recently developed an innovative machine-learning based approach to detect when apps show out-of-context ads, which led to the enforcement we’re announcing today.

Also on Thursday, Google detailed a three-step plan to keep the Play Store and Android ad ecosystem from getting polluted by disruptive ads and other challenges.

One of those steps is doubling down on protecting advertisers from invalid traffic like that coming from disruptive, out-of-app ads. Sweeping the Play store of such apps on Thursday is one example, Google said, given that its investigations are ongoing and it plans to keep taking action against this kind of abuse.

Read more at https://nakedsecurity.sophos.com/2020/02/24/google-purges-600-android-apps-for-disruptive-pop-up-ads/

Apple chops Safari’s TLS certificate validity down to one year

By John E Dunn

Barely noticed by web users, the life expectancy of SSL/TLS certificates has lowered dramatically over the last decade.

Just over a decade ago, domain registrars were selling SSL/TLS certificates, the foundation of HTTPS authentication, that were valid for between 8 and 10 years.

In 2011, a new body called the Certification Authority Browser Forum (CA/Browser Forum), which included all the big browser makers, decided this was too long and imposed a limit of five years.

Then, in 2015 the time limit was dropped to three years, followed by a further drop in 2018 to only two years.

How low could this go?

This week, we learned that the latest answer is one year, or 398 days including the renewal grace period, a change that will apply from 1 September 2020.

What makes this new limit noteworthy, however, is that it was reportedly announced at a CA/Browser Forum meeting by a single member, Apple, in relation to one browser, Safari.

Although not yet officially confirmed, it’s a bold move that presumably prefigures similar announcements by other big browser makers, especially Google, which has assiduously promoted the idea of a one-year limit in recent CA/Browser Forum ballots.

That browser makers were voted down might explain why Apple has decided to enforce the change unilaterally, apparently against the wishes of the Certificate Authorities (CAs) which issue certificates as a business.

The browser makers are adamant that reducing validity is good for security because it reduces the time period in which compromised or bogus certificates can be exploited.

In theory, it also makes it less likely that in future, certificates using retired encryption (certificates based on SHA-1 being a prime example) will be able to soldier on when everyone knows they are vulnerable.
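As an added illustration (our code, not Apple's or the article's), a short Python check that applies the 398-day limit and the 1 September 2020 start date described above to a certificate's notBefore/notAfter dates; the ISO date strings and the function names are assumptions, and the dates used in the sample are constructed.

```python
from datetime import date, timedelta

# Figures from the article: the new cap is 398 days (one year plus renewal
# grace) and applies to certificates issued from 1 September 2020.
MAX_VALIDITY_DAYS = 398
POLICY_START = date(2020, 9, 1)


def _as_date(value) -> date:
    """Accept either a date object or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def validity_days(not_before, not_after) -> int:
    """Lifetime of a certificate in whole days, from its validity dates."""
    nb, na = _as_date(not_before), _as_date(not_after)
    if na < nb:
        raise ValueError("notAfter precedes notBefore")
    return (na - nb).days


def latest_not_after(not_before) -> date:
    """Latest notAfter a certificate issued on not_before may carry while
    staying within the 398-day cap."""
    return _as_date(not_before) + timedelta(days=MAX_VALIDITY_DAYS)


def check_validity(not_before, not_after) -> dict:
    """Classify a certificate against the cap.

    Certificates issued before POLICY_START are not subject to the new limit
    (they keep the lifetime they were issued with); later ones must not
    exceed MAX_VALIDITY_DAYS. Returns the lifetime and the verdict.
    """
    days = validity_days(not_before, not_after)
    subject = _as_date(not_before) >= POLICY_START
    return {
        "days": days,
        "subject_to_policy": subject,
        "accepted": (not subject) or days <= MAX_VALIDITY_DAYS,
    }


if __name__ == "__main__":
    # Constructed sample certificates (assumed dates, not real certificates).
    samples = [
        ("two-year cert issued the day before the cutoff", "2020-08-31", "2022-08-31"),
        ("two-year cert issued on the cutoff", "2020-09-01", "2022-09-01"),
        ("398-day cert issued on the cutoff", "2020-09-01", "2021-10-04"),
    ]
    for label, nb, na in samples:
        print(label, check_validity(nb, na))
```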

Read more at https://nakedsecurity.sophos.com/2020/02/24/apple-chops-safaris-tls-certificate-validity-down-to-one-year/

The Amazon Prime phishing attack that wasn’t…

By Paul Ducklin

Earlier this week, we received a moderately believable Amazon Prime phish via email.

The scam had an Account Locked subject line, with a warning that we wouldn’t be able to buy or sell anything via Amazon’s services until we verified our account.

To add a bit more fear and urgency, the crooks went on to warn us that if we didn’t complete the verification process within 24 hours, then our account would be deactivated, not merely suspended.

The “good” news, of course, is that verifying our account was as easy as clicking a link in the email:

Your Prime Membership Account Has Been Suspended Due To The Following Problems Below:

Invalid Card Number

Your Billing Address Does Not Match Our Records

Unverified Email Address

You will not be able to Buy and Sell on amazon until you have click the link below to confirm your account details before 24hrs of receiving this message.

We will be forced to deactivate your account automatically if you do not verify your identity.

We don’t think that Naked Security readers would fall for this one, for several reasons.

Read more at https://nakedsecurity.sophos.com/2020/02/21/the-amazon-prime-phishing-attack-that-wasnt/

Data of 10.6m MGM hotel guests posted for sale on Dark Web forum

By Lisa Vaas

The personal data of 10,683,188 MGM hotel guests that leaked sometime in or before 2017 was posted for sale on the Dark Web this week, ZDNet reports.

It doesn’t matter that the data isn’t freshly baked: it’s still edible. ZDNet called hotel guests whose details were included in the data dump and found that, while some of the phone numbers had been disconnected, many were still valid, as “the right person answered the phone.”

The data was first spotted by an Israeli security researcher calling themselves Under the Breach, who claims to have “deep relations” with various threat actors that give them “pre-breach information on many publicly traded companies.”

Under the Breach says they spotted some Vegas-big names among the leaked guest records, including Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA).

Under the Breach came across the leaked files on an online forum commonly used by hackers, they told Business Insider. The researcher said that they’d cross-referenced the information with publicly available data and emails that had been exposed in previous breaches.

A spokesperson for MGM Resorts confirmed the security breach, saying that the data is old. The dump included full names, addresses, phone numbers, emails and birthdays, but MGM says that no payment information was compromised. The hotel chain hasn’t confirmed the identity of any of the affected guests; nor has Twitter commented on whether or not Dorsey’s information was involved.

ZDNet confirmed the authenticity of the data on Wednesday. None of the hotel guests whom the news outlet contacted had stayed at the hotel more recently than 2017. But regardless of how long ago the initial breach happened, the personally identifiable information (PII) is still valuable for use in spearphishing campaigns or in SIM-swap attacks, as Under the Breach told ZDNet.

Read more at https://nakedsecurity.sophos.com/2020/02/21/data-of-10-6m-mgm-hotel-guests-posted-for-sale-on-dark-web-forum/

Adobe fixes critical flaws in Media Encoder and After Effects

By John E Dunn

After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.

This is what’s called an out-of-band update, which means that a vulnerability is too risky or too likely to be exploited to leave until the next scheduled update.

The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.

Identified as CVE-2020-3765 after being reported to Adobe only days ago, the company offers little detail on the vulnerability itself beyond stating that the update:

Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.

Assuming that this flaw can be triggered merely by opening a booby-trapped data file – for example, by opening an email attachment or downloading a file from a poisoned website – you should apply the patch as soon as you can.

The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02. Identified as CVE-2020-3764, this requires similar current user access.

There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.

Read more at https://nakedsecurity.sophos.com/2020/02/21/adobe-fixes-critical-flaws-in-media-encoder-and-after-effects/

ISS World “malware attack” leaves employees offline

By Paul Ducklin

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it:

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.

The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4000 in the UK, don’t have access to email, a serious operational blow to any modern business.

ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Read more at https://nakedsecurity.sophos.com/2020/02/20/iss-world-malware-attack-leaves-employees-offline/

Ransomware attack forces 2-day shutdown of natural gas pipeline

By Lisa Vaas

The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days.

Fortunately, nothing blew up. The attacker never got control of the facility’s operations, the human-machine interfaces (HMIs) that read and control the facility’s operations were successfully yanked offline, and a geographically separate central control was able to keep an eye on operations, though it wasn’t instrumental in controlling them.

Where this all went down is a mystery.

The alert, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), didn’t say where the affected natural gas compression facility is located. It instead stuck to summarizing the attack and provided technical guidance for other critical infrastructure operators so they can gird themselves against similar attacks.

The alert did get fairly specific with the infection vector, though: whoever the attacker was, they launched a successful spearphishing attack, which enabled them to gain initial access to the facility’s IT network before pivoting to its operational technology (OT) network.

OT networks are where hardware and software for monitoring and/or controlling physical devices, processes and events reside. Some examples are SCADA industrial control systems, programmable logic controllers (PLCs), and HMIs.

After the attacker(s) got their hands on both the IT and OT networks, they deployed what CISA called “commodity” ransomware, encrypting data on both networks. Staff lost access to HMIs, data historians and polling servers. Data historians – sometimes referred to as process or operational historians – are used in several industries, and they do what you might expect: record and retrieve production and process data by time and store the information in a time series database.

Read more at https://nakedsecurity.sophos.com/2020/02/20/ransomware-attack-forces-2-day-shutdown-of-natural-gas-pipeline/

Nearly half of hospital Windows systems still vulnerable to RDP bugs

By Danny Bradbury

Almost half of connected hospital devices are still exposed to the wormable BlueKeep Windows flaw nearly a year after it was announced, according to a report released this week.

The report, called 2020 Vision: A Review of Major IT & Cyber Security Issues Affecting Healthcare, comes from CyberMDX, which provides cybersecurity systems for hospitals.

It says that 22% of a typical hospital’s Windows devices are exposed to BlueKeep. The proportion of Windows devices connected to a network that are vulnerable is far higher, at 45%, it adds.

CyberMDX gathers these kinds of metrics via its own platform, which tells it about the machines it’s protecting in the field. It told us that it has analyzed a little over a million data points collected from machines across hundreds of facilities.

The BlueKeep bug, first reported in May 2019, is wormable, meaning that an attacker can trigger it without human interaction. An exploit could spread by sending malicious packets via the Remote Desktop Protocol (RDP) to Microsoft’s Remote Desktop Service (RDS).

It affected Windows 7 and Windows Server 2008, and Microsoft issued patches when it first reported the bug. However, as with many patches, it has taken companies a long time to apply them, and there is a ‘long tail’ of machines still online and vulnerable.

The problem doesn’t just lie with BlueKeep. According to the CyberMDX report, 25% of connected devices in hospitals are also exposed to another flaw: DejaBlue.

News of DejaBlue surfaced in August when Microsoft patched another two RDP bugs, this time affecting versions of Windows up to and including Windows 10. These bugs, CVE-2019-1181 and CVE-2019-1182, are also wormable.

Like BlueKeep, the bugs were exploitable using a maliciously crafted RDP message. The saving grace for some users is Network Level Authentication (NLA), which, when turned on, requires authentication before an attacker can trigger an exploit. However, if the attacker has valid credentials, they could still mount the attack.

Read more at https://nakedsecurity.sophos.com/2020/02/20/nearly-half-of-hospital-windows-systems-still-vulnerable-to-rdp-bugs/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244
