
Tech News - Cybersecurity

373 Articles
Defending Democracy Program: How Microsoft is taking steps to curb increasing cybersecurity threats to democracy

Prasad Ramesh
23 Aug 2018
4 min read
With the growing cybersecurity threats, Microsoft took over six internet domains acting on a court order, and introduced AccountGuard for emails. Microsoft AccountGuard extends their Defending Democracy Program and will be applicable to both organizational and personal email accounts.

Microsoft’s Digital Crimes Unit (DCU) executed a court order to take over six internet domains created by a group known as Strontium, or alternatively Fancy Bear or APT28. The group is widely associated with the Russian government. The six internet domains, my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com, impersonated the real websites. Of late, there have been instances of foreign entities launching cyber strikes to disrupt elections.

What is Microsoft AccountGuard?

Microsoft AccountGuard will provide “state-of-the-art cybersecurity protection” without any additional cost. This applies to individuals, campaigns and related political institutions. Brad Smith, President at Microsoft, stated: “To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.” The technology is free of charge to candidates, campaigns and related political institutions using Office 365.

Microsoft AccountGuard will provide these features:

• Cross-account threat detection and notification: Microsoft’s Threat Intelligence Center will enable them to detect and notify of attacks in a unified way on both organizational and personal emails. When threats are verified, Microsoft will provide personal and expedited recommendations to affected political campaigns and their staff to secure the concerned systems. The unified notification system will provide a comprehensive view of attacks against the campaign or organization.
• Security guidance and ongoing education: Microsoft will provide guidance to help officials, political campaigns and eligible organizations further secure their network and email systems. This includes multi-factor authentication and installing the latest security updates to control access to data. AccountGuard will also provide updated briefings and training to address evolving cyber-attack trends.
• Early adopter opportunities: There will be preview releases of new security features that are used in large corporate and government accounts.

If you are eligible for Microsoft AccountGuard you can request an invitation to enroll.

A quick look at Microsoft’s Defending Democracy Program

The Defending Democracy Program is a global effort, as Microsoft tries to scale its efforts and reach other democratic countries to protect their processes in the coming years. Microsoft has identified 2018 as a critical year for governments and tech companies to work together towards making elections more secure. The Defending Democracy Program consists of steps that include:

• Protecting campaigns from hacks by better account monitoring and increasing response measures to attacks.
• Supporting proposals like the Honest Ads Act to increase online political advertising transparency, in addition to adopting self-regulatory measures across Microsoft platforms.
• Exploring technological solutions to protect and preserve electoral processes, and interacting with federal, state, and local officials to identify and fix cyber threats.
• Defending against disinformation, propaganda and fake news by partnering with institutions and think tanks dedicated to countering such activities.

Microsoft will focus on the U.S. midterm elections of November 2018. They are piloting new cross-industry protections; this will also be done for the 2020 U.S. presidential elections.

Tom Burt, Corporate Vice President, Customer Security & Trust, stated: “Expect to hear more from us on what we’re doing, both on our own and in partnership with governments and our industry colleagues, to put our cybersecurity expertise to work for the defense of democracy.”

Visit the Microsoft Blog for more details on AccountGuard and the Defending Democracy Program.

Related articles:
• Google introduces Cloud HSM beta hardware security module for crypto key security
• Top 5 cybersecurity trends you should be aware of in 2018
• Microsoft Edge introduces Web Authentication for passwordless web security

DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants

Vincy Davis
27 Sep 2019
4 min read
Today, DoorDash revealed to its users that their platform suffered a major data breach on May 4, 2019, affecting approximately 4.9 million consumers, Dashers, and merchants who joined the platform on or before April 5, 2018. When DoorDash became aware of the attack earlier this month they recruited private security experts to investigate it. The investigation revealed that user data was accessed by an unauthorized third party, who is still unknown. The food delivery company has taken preventive actions to block further unauthorized access. Though DoorDash is not aware of any user passwords being compromised in the breach, they have requested all their users to reset their passwords and use a unique password just for DoorDash.

In the official blog post, DoorDash has listed the types of user data that might have been compromised in the data breach:

• Profile information including names, email addresses, delivery addresses, order history, phone numbers, and more.
• For some customers, the last four digits of their consumer payment cards. However, DoorDash maintains that customers’ “full credit card information such as full payment card numbers or a CVV was not accessed.” DoorDash also confirms that the accessed information is not enough to make any fraudulent charges on the payment card.
• For some Dashers and merchants, the last four digits of their bank account number. Again, DoorDash confirms that the full bank account information was not accessed and that the accessed information is insufficient to perform any illicit withdrawals from the bank account.
• Approximately 1 lakh (100,000) Dashers’ driver’s license numbers were also compromised.

Read Also: DoorDash buys Square’s food delivery service Caviar for $410 million

In the blog post, DoorDash says that they have now taken the necessary remedial steps to avoid such security breaches by adding additional protective security layers around the data and security protocols that govern access to systems, and have also engaged private security expertise to identify and repel threats more accurately in the future. Currently, DoorDash is in the process of reaching out to its affected customers. DoorDash has also clarified that customers who joined the platform after April 5, 2018, are not affected by this data breach.

However, DoorDash has neither clarified the details of how the third party accessed the users’ data nor explained how the company came to know about the data breach. The blog post also does not throw any light on why the company took so long to detect this security breach. Many users are indignant about DoorDash’s lack of detail in the blog post.

https://twitter.com/peterfrost/status/1177572308136976385
https://twitter.com/benrothke/status/1177339060282523648

Many people are also of the opinion that until substantial penalties are levied against these companies, data breaches will continue to occur. Many are of the opinion that companies should stop asking for personal information when verifying a customer. A user on Hacker News comments, “In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!" All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?" How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.”

Head over to the DoorDash blog for more details about the data breach.

Related articles:
• StockX confirms a data breach impacting 6.8 million customers
• Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator
• Facebook fails to fend off a lawsuit over a data breach of nearly 30 million users
• Cloudflare finally launches Warp and Warp Plus after a delay of more than five months
• Tesla Software Version 10.0 adds Smart Summon, in-car karaoke, Netflix, Hulu, and Spotify streaming

Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”

Melisha Dsouza
21 Feb 2019
2 min read
Earlier this month, Google upgraded its home security and alarm system, Nest Secure, to work with its Google Assistant. This meant that Nest Secure customers would be able to perform tasks like asking Google about the weather. The device came with a microphone for this purpose, without it being mentioned in the device’s published specifications.

On Tuesday, a Google spokesperson got in touch with Business Insider and told them that the omission was an “error” on their part: “The on-device microphone was never intended to be a secret and should have been listed in the tech specs.” Further, the Nest team added that the microphone has “never been on” and is activated only when users specifically enable the option. As an explanation of why the microphone was installed in the devices, the team said that it was in order to support future features “such as the ability to detect broken glass.”

Before sending an official statement to Business Insider, the Nest team had replied to a similar concern from a user on Twitter in early February.

https://twitter.com/treaseye/status/1092507172255289344

Scott Galloway, professor of marketing at the New York University Stern School of Business, has expressed strong sentiments regarding this news on Twitter.

https://twitter.com/profgalloway/status/1098228685155508224

Users have even accused Google of “pretending the mistake happened” and slammed Google over such an error.

https://twitter.com/tshisler/status/1098231070275686400
https://twitter.com/JoshConstine/status/1098086028353720320

Apart from Google, there have also been multiple cases in the past of Amazon Alexa and Google Home listening to people’s conversations, thus invading their privacy. Earlier this year, a family in Portland discovered that its Alexa-powered Echo device had recorded their private conversation and sent it to a random person in their contacts list.

Google’s so-called “error” can lead to a drop in the number of customers buying its home security system as well as a drop in the trust users place in Google’s products. It is high time Google starts thinking along the lines of security standards and integrity in its products.

Related articles:
• Amazon’s Ring gave access to its employees to watch live footage of the customers, The Intercept reports
• Email and names of Amazon customers exposed due to ‘technical error’; number of affected users unknown
• Google Home and Amazon Alexa can no longer invade your privacy; thanks to Project Alias!

You can now use fingerprint or screen lock instead of passwords when visiting certain Google services thanks to FIDO2 based authentication

Sugandha Lahoti
13 Aug 2019
2 min read
Google has announced FIDO2-based local user verification for Google Accounts, for a simpler authentication experience when viewing saved passwords for a website. Basically, you can now use a fingerprint or screen lock instead of passwords when visiting certain Google services.

This password-free authentication service will leverage the FIDO2 standards, FIDO CTAP and WebAuthn, which are designed to “provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C,” according to a blog post from the company. This new authentication process is designed to speed up logging into Google accounts, as well as to be more secure, by replacing password typing with direct biometric authentication.

How this works is that if you tap on any one of your saved passwords on passwords.google.com, Google will prompt you to "Verify that it’s you," at which point you can authenticate using your fingerprint or any other method you usually use to unlock your phone (such as a PIN or a touch pattern). Google has not yet made it clear which Google services can be used with the biometric method; the blog post cited Google's online Password Manager as the example.

(Image source: Google)

Google is also being cautious about data privacy, noting, “Your fingerprint is never sent to Google's servers - it is securely stored on your device, and only a cryptographic proof that you've correctly scanned it is sent to Google's servers. This is a fundamental part of the FIDO2 design.”

This sign-in feature is currently available on all Pixel devices. It will be made available to all Android phones running 7.0 Nougat or later "over the next few days."

Related articles:
• Google Titan Security key with secure FIDO two factor authentication is now available for purchase
• Google to provide a free replacement key for its compromised Bluetooth Low Energy (BLE) Titan Security Keys
• Cloud Next 2019 Tokyo: Google announces new security capabilities for enterprise users

‘City Power Johannesburg’ hit by a ransomware attack that encrypted all its databases, applications and network

Savia Lobo
26 Jul 2019
4 min read
Yesterday, a ransomware virus affected City Power Johannesburg, the electricity distributor for some parts of South Africa’s capital city. City Power notified citizens via Twitter that the virus had encrypted all its databases, applications and network and that the ICT team was trying to fix the issue.

https://twitter.com/CityPowerJhb/status/1154277777950093313

Due to the attack, City Power’s website was preventing users from lodging a complaint or purchasing pre-paid electricity.

https://twitter.com/CityPowerJhb/status/1154278402003804160

The city municipality, owner of City Power, tweeted that it also “affected our response time to logged calls as some of the internal systems to dispatch and order material have been slowed by the impact”. Chris Baraniuk, a freelance science and technology journalist, tweeted, “The firm tells me more than 250,000 people would have had trouble paying for pre-paid electricity, potentially leaving them cut off”. City Power hasn’t yet released information on the scale of the impact.

The ransomware attack occurs amidst existing power outages

According to iAfrikan, the ransomware attack struck the city while it was “experiencing a strain on the power grid due to increased use of electricity during Johannesburg's recent cold winter weather”. The strain on the grid has resulted in multiple power outages in different parts of the city. According to Bleeping Computer, Business Insider South Africa reported that an automated voice message on City Power's phone helpline said, "Dear customers, please note that we are currently experiencing a problem with our prepaid vending system. We are working on this issue and hope to have it resolved by one o'clock today (25 July 2019)".

The city municipality tweeted yesterday, “most of the IT applications and networks that were affected by the cyberattack have been cleaned up and restored.” The municipality apologized for the inconvenience and assured customers that none of their details were compromised.

https://twitter.com/CityPowerJhb/status/1154626973056012288

Many users have raised requests tagging the municipality and the electricity distribution board on Twitter. City Power replied, “Technicians will be dispatched to investigate and work on restorations”. Later it tweeted asking them to cancel their request, as the power had been restored.

https://twitter.com/GregKee/status/1154397914191540225

A recent tweet today at 10:47 am (SAST) from City Power says, “Electricity supply points to be treated as live at all times as power can be restored anytime. City Power regrets any inconvenience that may be caused by the interruption”.

https://twitter.com/CityPowerJhb/status/1154674533367988224

Luckily, City Power Johannesburg escaped paying a ransom

A ransomware attack blocks a company’s or individual’s systems until a huge ransom, in credit or in Bitcoin, is paid to the attackers to release them. According to Business Insider South Africa, attackers usually convert all the information in the databases into “gibberish, intelligible only to those with the right encryption key. Attackers then offer to sell that key to the victim, allowing for the swift reversal of the damage”. There have been many instances this year, and Johannesburg has been lucky enough to escape paying a huge ransom. Early this month, a Ryuk ransomware attack encrypted Lake City’s IT network in the United States and officials had to approve a huge payment of nearly $500,000 to restore operations. Similarly, Jackson County officials in Georgia, USA, paid $400,000 to cyber-criminals to resolve a ransomware infection. Also, La Porte County, Indiana, US, paid $130,000 to recover data from its encrypted computer systems.

According to The Next Web, the “ever-growing list of ransomware attacks has prompted the United States Conference of Mayors to rule that they would not pay ransomware demands moving forward.” Jim Trainor, who formerly led the Cyber Division at FBI Headquarters and is now a senior vice president in the Cyber Solutions Group at risk management and insurance brokerage firm Aon, told CSO, “I would highly encourage a victim of a ransomware attack to work with the FBI and report the incident”. The FBI “strongly encourages businesses to contact their local FBI field office upon discovery of a ransomware infection and to file a detailed complaint at www.ic3.gov”. Maintaining good security habits is the best way to deal with ransomware attacks, according to the FBI. “The best approach is to focus on defense-in-depth and have several layers of security as there is no single method to prevent compromise or exploitation,” they tell CSO.

To know more about the City Power Johannesburg ransomware attack in detail, head over to Bleeping Computer’s coverage.

Related articles:
• Microsoft releases security updates: a “wormable” threat similar to WannaCry ransomware discovered
• Atlassian Bitbucket, GitHub, and GitLab take collective steps against the Git ransomware attack
• Anatomy of a Crypto Ransomware

Wikipedia hit by massive DDoS (Distributed Denial of Service) attack; goes offline in many countries

Savia Lobo
09 Sep 2019
3 min read
Two days ago, on September 7, Wikipedia confirmed in an official statement that it had been hit by a malicious attack a day earlier, causing it to go offline in many countries at irregular intervals. The “free online encyclopedia” said the attack was ongoing and that its Site Reliability Engineering team was working to curb the attack and restore access to the site. According to Downdetector, users across Europe and parts of the Middle East experienced outages shortly before 7pm BST on September 6.

Also Read: Four versions of Wikipedia go offline in a protest against the EU copyright Directive which will affect free speech online

The UK was one of the first countries to report slow and choppy use of the site. This was followed by reports of the site being down in several other European countries, including Poland, France, Germany, and Italy.

(Image source: Downdetector.com)

By Friday evening, 8.30 pm (ET), the attack had extended to an almost-total outage in the United States and other countries. During this time, there was no spokesperson available for comment at the Wikimedia Foundation.

https://twitter.com/netblocks/status/1170157756579504128

On September 6, at 20:53 (UTC), Wikimedia Germany informed users by tweeting that a “massive and very broad” DDoS (Distributed Denial of Service) attack on the Wikimedia Foundation servers was making the website impossible to access for many users.

https://twitter.com/WikimediaDE/status/1170077481447186432

The official statement from the Wikimedia Foundation reads, “We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone.”

Cybersecurity researcher Baptiste Robert, known online as Elliot Alderson, wrote on Twitter, “A new skids band is in town. @UKDrillas claimed they are behind the DDOS attack of Wikipedia. You’ll never learn... Bragging on Twitter (or elsewhere) is the best way to get caught. I hope you run fast.”

https://twitter.com/fs0c131y/status/1170093562878472194
https://twitter.com/atoonk/status/1170400761722724354

To know about this news in detail, read Wikipedia’s official statement.

Other interesting news in Security:
• “Developers need to say no” – Elliot Alderson on the FaceApp controversy in a BONUS podcast episode [Podcast]
• CircleCI reports of a security breach and malicious database in a third-party vendor account
• Hundreds of millions of Facebook users’ phone numbers found online, thanks to an exposed server, TechCrunch reports

A new WPA/WPA2 security attack in town: Wi-fi routers watch out!

Savia Lobo
07 Aug 2018
3 min read
Jens "atom" Steube, the developer of the popular Hashcat password cracking tool, recently developed a new technique to obtain user credentials over WPA/WPA2 security. Here, attackers can easily retrieve the Pairwise Master Key Identifier (PMKID) from a router.

WPA/WPA2, the Wi-Fi security protocols, enable a secure wireless connection between devices using encryption via a PSK (Pre-shared Key). The WPA2 protocol was considered highly secure against attacks. However, a method known as the KRACK attack, discovered in October 2017, was theoretically able to decrypt the data exchange between devices.

Steube discovered the new method when looking for new ways to crack the WPA3 wireless security protocol. According to Steube, this method works against almost all routers utilizing 802.11i/p/q/r networks with roaming enabled.

https://twitter.com/hashcat/status/1025786562666213377

How does this new WPA/WPA2 attack work?

The new attack method works by extracting the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field containing the PMKID generated by a router when a user tries to authenticate. Previously, to crack user credentials, the attacker had to wait for a user to log in to a wireless network; they could then capture the four-way handshake in order to crack the key. However, with the new method, an attacker simply has to attempt to authenticate to the wireless network in order to retrieve a single frame containing the PMKID. This can then be used to recover the Pre-Shared Key (PSK) of the wireless network.

A boon for attackers?

The new method makes it easier to obtain the hash containing the pre-shared key, which still needs to be cracked. However, this process takes a long time depending on the complexity of the password. Most users don’t change their wireless password and simply use the PSK generated by their router. Steube, in his post on the Hashcat forum, said, "Cracking PSKs is made easier by some manufacturers creating PSKs that follow an obvious pattern that can be mapped directly to the make of the routers. In addition, the AP mac address and the pattern of the ESSID allows an attacker to know the AP manufacturer without having physical access to it." He also stated that attackers pre-collect the patterns used by manufacturers and create generators for each of them, which can then be fed into Hashcat. Some manufacturers use patterns that are too large to search, but others do not. The faster one’s hardware is, the faster one can search through such a keyspace. A typical manufacturer’s PSK of length 10 takes 8 days to crack (on a 4 GPU box).

How can users safeguard their router’s passwords?

• Create your own key rather than using the one generated by the router.
• The key should be long and complex, consisting of numbers, lower case letters, upper case letters, and symbols (&%$!).
• Steube personally uses a password manager and lets it generate truly random passwords of length 20 - 30.

One can follow in the researcher's footsteps in safeguarding their routers or use the tips mentioned above. Read more about this new WiFi security attack on the Hashcat forum.

Related articles:
• NetSpectre attack exploits data from CPU memory
• Cisco and Huawei Routers hacked via backdoor attacks and botnets
• Finishing the Attack: Report and Withdraw

Packt has put together a new cybersecurity bundle for Humble Bundle

Richard Gall
29 Nov 2018
2 min read
It might not even be December yet, but if you're interested in cybersecurity, Christmas has come early. Packt has once again teamed up with Humble Bundle to bring readers a diverse set of titles covering some of the most important and cutting edge trends in contemporary security. While the offer runs, you can get your hands on $1,533 worth of eBooks and videos for just $15. That's one steal that Packt wholeheartedly approves. Go to Humble Bundle now.

As always, you'll also be able to support charity when you buy from Humble Bundle. You can choose who to donate to, but this month the featured charity is Innocent Lives Foundation.

What you get in Packt's cybersecurity Humble Bundle

For as little as $1 you can get your hands on:

• Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
• Network Analysis Using Wireshark 2 Cookbook - Second Edition
• Practical Cyber Intelligence
• Cybersecurity Attacks (Red Team Activity) [Video]
• Python For Offensive PenTest: A Complete Practical Course

Or you can pay as little as $8 to get all of the above as well as:

• Cryptography with Python [Video]
• Digital Forensics and Incident Response
• Hands-On Penetration Testing on Windows
• Industrial Cybersecurity
• Metasploit Penetration Testing Cookbook - Third Edition
• Web Penetration Testing with Kali Linux - Third Edition
• Hands-On Cybersecurity for Architects
• Mastering pfSense - Second Edition
• Mastering Kali Linux [Video]

Alternatively, for as little as $15, you'll get all of the products above, but also get:

• Mastering Kali Linux for Advanced Penetration Testing - Second Edition
• Kali Linux - An Ethical Hacker's Cookbook
• Learning Malware Analysis
• Cybersecurity - Attack and Defense Strategies
• Practical Mobile Forensics - Third Edition
• Hands-On Cybersecurity with Blockchain
• Metasploit for Beginners
• CompTIA Security+ Certification Guide
• Ethical Hacking for Beginners [Video]
• Mastering Linux Security and Hardening [Video]
• Learn Website Hacking / Penetration Testing From Scratch [Video]

An unsecured Elasticsearch database exposes personal information of 20 million Ecuadoreans including 6.77M children under 18

Savia Lobo
17 Sep 2019
5 min read
Data leaks have become commonplace. Every week we hear of at least one data breach that may have existed for months or years without users knowing their data was compromised. Yesterday, a team of researchers from vpnMentor reported a massive data breach that may impact millions of Ecuadorians. The research team, led by Noam Rotem and Ran Locar, discovered a leaky Elasticsearch database that included 18GB of personal data affecting over 20 million individuals, outnumbering the total number of citizens (16.6 million) in the small South American country.

The vpnMentor research team discovered the Ecuador breach as part of its large-scale web mapping project. The team found the data on an unsecured server located in Miami, Florida. This server appears to be owned by Ecuadorian company Novaestrat, a consulting company providing services in data analytics, strategic marketing, and software development. The major information leaked during this breach includes personal information of individuals and their family members, employment details, financial information, automotive records, and much more. The researchers said the breach was closed on September 11, 2019, and that they are still unaware of the exact details of the breach. However, they said that the information exposed appears to contain information provided by third-party sources. “These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank,” the researchers wrote in their official document.

Details of the data exposed during the Ecuador breach

The researchers said that in the database, citizens were identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”. “In Ecuador, the term “cédula” or “cédula de identidad” refers to a person’s ten-digit national identification number, similar to a social security number in the US. The term “RUC” refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number,” the researchers mention.

On running a search with a random ID number to check the validity of the database, the researchers were able to find a variety of sensitive personal information:

• Personal information such as an individual’s name, gender, date of birth, place of birth, addresses, email addresses, phone numbers, marital status, date of marriage if married, date of death if deceased, and educational details.
• Financial information related to accounts held with the Ecuadorian national bank, Biess, such as account status, the current balance in the account, amount financed, credit type, and location and contact information for the person’s local Biess branch.
• Automotive records including the car’s license plate number, make, model, date of purchase, most recent date of registration, and other technical details about the model.
• Employment information including employer name, employer location, employer tax identification number, job title, salary information, job start date, and end date.

ZDNet said it “verified the authenticity of this data by contacting some users listed in the database. The database was up to date, containing information as recent as 2019.” “We were able to find records for the country's president, and even Julian Assange, who once received political asylum from the small South American country, and was issued a national ID number (cedula),” ZDNet further reports.

Also Read: Wikileaks founder, Julian Assange, arrested for “conspiracy to commit computer intrusion”

Data of 6.77m children under the age of 18 was exposed

Under a database index named "familia" (meaning family in Spanish) was “information about every citizen's family members, such as children and parents, allowing anyone to reconstruct family trees for the entire country's population,” ZDNet reports. This index included details of children, some of whom were born as recently as this spring. The researchers found 6.77 million entries for children under the age of 18. These entries contained names, cedulas, places of birth, home addresses, and gender.

Also Read: Google faces multiple scrutinies from the Irish DPC, FTC, and an antitrust probe by US state attorneys over its data collection and advertising practices

The information leaked may pose a huge risk to individuals: hackers and other malicious parties could use the leaked email addresses and phone numbers to target individuals with scams and spam. The researchers said that these phishing attacks could be tailored to the individuals using the exposed details to increase the chances that people will click on the links.

The Ecuador breach was closed on September 11, 2019, and the database was eventually secured only after vpnMentor reached out to the Ecuador CERT (Computer Emergency Response Team), which served as an intermediary.

A user on Hacker News writes, “There needs to be fines for when stuff like this happens. The bottom line is all that matters to bosses, so unless engineers can credibly point to the economic impact of poor security decisions, these things will keep happening.”

https://twitter.com/ElissaBeth/status/1173532184935878658

To know more about the Ecuador breach in detail, read vpnMentor’s official report.

Other interesting news in Security:
• A new Stuxnet-level vulnerability named Simjacker used to secretly spy over mobile phones in multiple countries for over 2 years: Adaptive Mobile Security reports
• UK’s NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses
• Endpoint protection, hardening, and containment strategies for ransomware attack protection: CISA recommended FireEye report Highlights

A year-old Webmin backdoor revealed at DEF CON 2019 allowed unauthenticated attackers to execute commands with root privileges on servers

Bhagyashree R
27 Aug 2019
4 min read
Earlier this month, at DEF CON 2019, a Turkish security researcher, Özkan Mustafa Akkuş, presented a zero-day remote code execution vulnerability in Webmin, a web-based system configuration tool for Unix-like systems. Following this disclosure, its developers revealed that the backdoor was present in Webmin 1.890. A similar backdoor was also detected in versions 1.900 to 1.920.

The vulnerability was found in a Webmin security feature that allows an administrator to enforce a password expiration policy for other users’ accounts. The security researcher revealed that the vulnerability was present in the password reset page. It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers. They just need to add a simple pipe command ("|") in the old password field through POST requests. This vulnerability is tracked as CVE-2019-15107.

The Webmin zero-day vulnerability was no accident

Jamie Cameron, the author of Webmin, in a blog post talked about how and when this backdoor was injected. He revealed that this backdoor was no accident and was in fact injected deliberately into the code by a malicious actor. “Neither of these were accidental bugs - rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” he wrote.

The traces of this backdoor go back to April 2018, when the development build server of Webmin was exploited and a vulnerability was introduced into the ‘password_change.cgi’ script. The team then reverted this file to its checked-in version from GitHub. The attacker modified this file again in July 2018. However, this time they added the exploit to code that executed only when changing expired passwords was enabled. The team then replaced the vulnerable build server with a new server running CentOS 7 in September 2018. But this also did not solve the problem, because the build directory that had the modified file was copied across from backups made on the original server.

After being informed about the zero-day exploit on 17th August 2019, the team released an updated version of Webmin, 1.930, and Usermin version 1.780, addressing the vulnerabilities. These releases also address cross-site scripting (XSS) vulnerabilities that were disclosed by a different security researcher.

In order to ensure that such attacks are not repeated in the future, the team is taking a few steps:

Updating the build process to use only checked-in code from GitHub, rather than a local directory that is kept in sync.
Rotating all passwords and keys accessible from the old build system.
Auditing all GitHub check-ins over the past year to look for commits that may have introduced similar vulnerabilities.

To know more in detail, check out the official announcement by Webmin.

Attackers are exploiting vulnerabilities revealed at DEF CON and Black Hat

A ZDNet report posted last week revealed that attackers are now exploiting the vulnerabilities that were made public earlier this month. Bad Packets reported on Twitter that it detected several “active exploitation attempts” by attackers on Friday.

https://twitter.com/bad_packets/status/1164764172044787712

Many attackers are also targeting vulnerabilities in Pulse Secure VPN and Fortinet's FortiGate VPN. Some of these vulnerabilities were discussed in a Black Hat talk named ‘Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs.’ Bad Packets in a blog post shared that its honeypots have detected “opportunistic mass scanning activity” targeting Pulse Secure VPN server endpoints vulnerable to CVE-2019-11510. This vulnerability discloses sensitive information, using which unauthenticated attackers can get access to private keys and user passwords.

https://twitter.com/bad_packets/status/1164592212270673920

Security researcher Kevin Beaumont tweeted that hackers are scanning the internet for vulnerable devices to retrieve VPN session files from Fortinet's FortiGate.

https://twitter.com/GossiTheDog/status/1164536461665996800

Puppet launches Puppet Remediate, a vulnerability remediation solution for IT Ops
New Bluetooth vulnerability, KNOB attack can manipulate the data transferred between two paired devices
Apple announces ‘WebKit Tracking Prevention Policy’ that considers web tracking as a security vulnerability

Firefox Nightly now supports Encrypted Server Name Indication (ESNI) to prevent 3rd parties from tracking your browsing history

Bhagyashree R
19 Oct 2018
2 min read
Yesterday, Mozilla announced that Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension. This prevents on-path observers from intercepting the TLS SNI extension and using it to determine which websites users are visiting.

Why is SNI needed?

SNI is required when multiple servers share the same IP address. It is an extension to the TLS protocol with which clients indicate which hostname they are attempting to connect to. This permits servers to present multiple certificates on the same IP address and TCP port number. To put this in simple words, SNI helps make large-scale TLS hosting work.

How encrypted SNI (ESNI) works

First, a public key is published by the server on a well-known DNS record, which is then fetched by the client before connecting. Next, the client replaces the SNI extension in the ClientHello with an encrypted SNI extension. The encrypted SNI is basically the original SNI extension, but encrypted using a symmetric encryption key derived using the server’s public key. The server owns the private key and derives the same symmetric encryption key. It can then decrypt the extension and either terminate the connection itself or forward it to a backend server. Since the encryption key can only be derived by the client and the server it is connecting to, encrypted SNI cannot be decrypted and accessed by third parties.

How you can enable encrypted SNI (ESNI)

Currently, ESNI is not supported for all Firefox users. However, Firefox Nightly users can try out this feature by following these steps:

First, ensure that you have DNS over HTTPS (DoH) enabled. To do that, you can check out this article posted by Mozilla.
Next, set the network.security.esni.enabled preference in about:config to true.

Head over to the Mozilla Security Blog to read more about encrypted SNI.

Is Mozilla the most progressive tech organization on the planet right now?
Google Chrome, Mozilla Firefox, and others to disable TLS 1.0 and TLS 1.1 in favor of TLS 1.2 or later by 2020
Mozilla announces $3.5 million award for ‘Responsible Computer Science Challenge’ to encourage teaching ethical coding to CS graduates
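The key-agreement idea behind ESNI (a public key fetched from DNS, a symmetric key derived from it by the client and recomputed by the server with its private key, the hostname travelling encrypted inside the ClientHello) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not Mozilla's or the ESNI draft's code. It assumes a constructed toy Diffie-Hellman group (the prime 2^255 - 19 as a plain modulus with generator 2), an HMAC-SHA256 keystream in place of the AEAD cipher, and hypothetical labels for key derivation; the real protocol uses the TLS 1.3 groups and ciphers, but the shape of the exchange is the same.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for illustration only: the prime
# 2^255 - 19 used as a multiplicative-group modulus with generator 2.
# Real ESNI uses the TLS 1.3 key-exchange groups and an AEAD cipher.
P = 2**255 - 19
G = 2


def keygen():
    """Return a (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P - 2
    return priv, pow(G, priv, P)


def derive_key(shared: int, label: bytes) -> bytes:
    """HKDF-style extract-then-expand with HMAC-SHA256 (hypothetical labels)."""
    ikm = shared.to_bytes(32, "big")             # P < 2^255, so 32 bytes suffice
    prk = hmac.new(b"esni-toy-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_sni(server_pub: int, hostname: bytes):
    """Client side: ephemeral DH against the key published in DNS, then encrypt.

    Returns (client_pub, ciphertext, tag): the values that replace the
    cleartext hostname in the ClientHello.
    """
    client_priv, client_pub = keygen()
    shared = pow(server_pub, client_priv, P)
    enc_key = derive_key(shared, b"esni enc")
    mac_key = derive_key(shared, b"esni mac")
    ct = bytes(a ^ b for a, b in zip(hostname, keystream(enc_key, len(hostname))))
    tag = hmac.new(mac_key, client_pub.to_bytes(32, "big") + ct, hashlib.sha256).digest()
    return client_pub, ct, tag


def decrypt_sni(server_priv: int, client_pub: int, ct: bytes, tag: bytes):
    """Server side: recompute the shared secret with the private key and decrypt.

    Returns the hostname, or None if the tag does not verify (wrong key or
    tampered extension).
    """
    shared = pow(client_pub, server_priv, P)
    enc_key = derive_key(shared, b"esni enc")
    mac_key = derive_key(shared, b"esni mac")
    expected = hmac.new(mac_key, client_pub.to_bytes(32, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))


def observer_sees_hostname(ct: bytes, hostname: bytes) -> bool:
    """What an on-path observer learns from the wire bytes alone."""
    return hostname in ct


if __name__ == "__main__":
    server_priv, server_pub = keygen()   # server_pub is what the DNS record carries
    cpub, ct, tag = encrypt_sni(server_pub, b"private.example")
    print(decrypt_sni(server_priv, cpub, ct, tag))          # b'private.example'
    print(observer_sees_hostname(ct, b"private.example"))   # False
```

The point the model makes concrete is the last paragraph of the article: only a party holding the server's private key (or the client's ephemeral one) can recompute `shared`, so an observer holding the ClientHello bytes sees `client_pub`, `ct` and `tag` but not the hostname, and any other server key fails the tag check rather than yielding garbage.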

Quora Hacked: Almost a 100 Million users’ data compromised!

Melisha Dsouza
04 Dec 2018
2 min read
Yesterday, Quora announced that one of its systems was hacked and approximately 100 million users' data has been exposed to an unauthorized third party. The breach was discovered on 30th November, after which the team immediately notified law enforcement and hired a digital forensics and security consulting company to uncover details of the attack. Quora is a strongly knit community of experts and intellectuals that is estimated to have almost 700 million visits per month and is the 95th largest site in the world.

Adam D’Angelo, CEO of Quora, states that for approximately 100 million Quora users, the following information may have been compromised:

Account information such as name, email address, encrypted (hashed) password, and data imported from linked networks when authorized by users
Public content and actions, including questions, answers, comments, and upvotes
Non-public content and actions, like answer requests, downvotes, and direct messages

Quora claims that users who post questions and answers anonymously are safe, as the site does not store the identities of people who post anonymous content.

Quora has started notifying users whose data has been compromised via email. They are also logging out all Quora users who may have been affected. For users who use a password as their authentication method, Quora will be invalidating their passwords. Quora has also advised users to head over to its help center for answers to more specific questions related to the breach.

The breach comes right after the Marriott International hotel group breach that impacted half a billion users. Quora concludes that “The investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.”

Head over to Quora’s official site to know more about this news.

A new data breach on Facebook due to malicious browser extensions allowed almost 81,000 users’ private data up for sale, reports BBC News
Uber fined by British ICO and Dutch DPA for nearly $1.2m over a data breach from 2016
Use TensorFlow and NLP to detect duplicate Quora questions [Tutorial]

DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories

Savia Lobo
30 Apr 2019
3 min read
On Friday, DockerHub informed its users of a security breach in its database via an email written by Kent Lamb, Director of Docker Support. The breach exposed sensitive information, including some usernames and hashed passwords as well as tokens for GitHub and Bitbucket repositories, for approximately 190K users. The company said this number is only five percent of DockerHub's entire user base.

Lamb highlighted that the security incident took place a day prior, on April 25, when the company discovered unauthorized access to a single Hub database storing a subset of non-financial user data. "For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place," Lamb said in his email.

The GitHub and Bitbucket access tokens stored in Docker Hub allow developers to modify their project's code and also help in auto-building the images on Docker Hub. A third party who gains access to these tokens would gain access to the code within the private repositories and could also modify it, depending on the permissions carried by the token. Misusing these tokens to modify code and deploy compromised images can lead to serious supply-chain attacks, as Docker Hub images are commonly used in server configurations and applications.

“A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments. A user who fails to change his account password may have their account's autobuilds modified to include malware”, ZDNet reports.

Meanwhile, the company has asked users to change their password on Docker Hub and any other accounts that shared this password. For users with autobuilds that may have been impacted, the company has revoked GitHub tokens and access keys, and asked the users to reconnect to their repositories and check security logs to see if any unexpected actions have taken place.

Mentioning DockerHub’s security exposure, a post on the Microsoft website says, “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case. Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”

Docker said that it is enhancing its overall security processes, that it is still investigating the incident, and that it will share details when available.

A user on HackerNews commented, “I find it frustrating that they are not stating when exactly did the breach occur. The message implies that they know, due to the "brief period" claim, but they are not explicitly stating one of the most important facts. No mention in the FAQ either. I'm guessing that they are either not quite certain about the exact timing and duration, or that the brief period was actually embarrassingly long.”

https://twitter.com/kennwhite/status/1122117406372057090
https://twitter.com/ewindisch/status/1121998100749594624
https://twitter.com/markhood/status/1122067513477611521

To know more about this news, head over to the official DockerHub post.

Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram
Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)
WannaCry hero, Marcus Hutchins pleads guilty to malware charges; may face upto 10 years in prison

Resecurity reports ‘IRIDIUM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.

Melisha Dsouza
11 Mar 2019
4 min read
Last week, Citrix, the American cloud computing company, disclosed that it suffered a data breach on its internal network. It was informed of this attack by the FBI. In a statement posted on Citrix’s official blog, the company’s Chief Security Information Officer Stan Black said, “the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network. It appears that hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown.”

The FBI informed Citrix that the hackers likely used a tactic known as password spraying to exploit weak passwords. The blog further states that “Once they gained a foothold with limited access, they worked to circumvent additional layers of security”.

In the wake of these events, the security firm Resecurity reached out to NBC News and claimed that it had reason to believe the attacks were carried out by an Iranian-linked group known as IRIDIUM. Resecurity says that IRIDIUM "has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix." Resecurity claims that IRIDIUM breached Citrix's network during December 2018. Charles Yoo, Resecurity's president, said that the hackers extracted at least six terabytes of data and possibly up to 10 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement. “It's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources."

Yoo further added that his firm has been tracking the Iranian-linked group for years, and has reason to believe that IRIDIUM broke its way into Citrix's network about 10 years ago and has been “lurking inside the company's system ever since.” There is no evidence that the attacks directly penetrated U.S. government networks. However, the breach carries a potential risk that the hackers could eventually enter sensitive government networks. According to Black, “At this time, there is no indication that the security of any Citrix product or service was compromised.”

Resecurity said that it first reached out to Citrix on December 28, 2018, to share an early warning about “a targeted attack and data breach”. According to Yoo, an analysis indicated that the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts, and work with Saudi Aramco, Saudi Arabia's state oil company. “Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period,” Resecurity says in a blog. A spokesperson for Citrix confirmed to The Register that "Stan’s blog refers to the same incident" described by Resecurity.

Twitter was abuzz with users expressing their confusion over the timeline of events and wondering about the consequences if IRIDIUM was truly lurking in Citrix’s network for 10 years:

https://twitter.com/dcallahan2/status/1104301320255754241
https://twitter.com/MalwareYoda/status/1104170906740350977
https://twitter.com/Maliciouslink/status/1104375001715798016

The data breach is worrisome, considering that Citrix sells workplace software to government agencies and handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations.

U.S. Senator introduces a bill that levies jail time and hefty fines for companies violating data breaches
Internal memo reveals NASA suffered a data breach compromising employees social security numbers
Equifax data breach could have been “entirely preventable”, says House oversight and government reform committee staff report

NSA releases Ghidra, a free software reverse engineering (SRE) framework, at the RSA security conference

Savia Lobo
06 Mar 2019
2 min read
The National Security Agency released the Ghidra toolkit today at the RSA security conference in San Francisco. Ghidra is a free software reverse engineering (SRE) framework developed by NSA's Research Directorate for NSA's cybersecurity mission. Ghidra helps in analyzing malicious code and malware such as viruses, and can also give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.

“The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private”, ZDNet reports.

News of Ghidra’s anticipated release broke at the start of 2019, and users have been looking forward to it since. This is because Ghidra is a free alternative to IDA Pro, a similar reverse engineering tool which is only available under an expensive commercial license, priced in the range of thousands of US dollars per year. NSA cybersecurity advisor Rob Joyce said that Ghidra is capable of analyzing binaries written for a wide variety of architectures, and can be easily extended with more if ever needed.

https://twitter.com/RGB_Lights/status/1103019876203978752

Key features of Ghidra

Ghidra includes a suite of software analysis tools for analyzing compiled code on a variety of platforms, including Windows, Mac OS, and Linux.
It includes capabilities such as disassembly, assembly, decompilation, graphing and scripting, and hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
With Ghidra, users may develop their own Ghidra plug-in components and/or scripts using the exposed API.

To know more about the Ghidra cybersecurity tool, visit its documentation on the GitHub repo or its official website.

Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity [Interview]
Hackers are our society’s immune system – Keren Elazari on the future of Cybersecurity
5 lessons public wi-fi can teach us about cybersecurity