#hacking | XSS vulnerability in CKEditor prompts need for Drupal update

Source: National Cyber Security – Produced By Gregory Evans

John Leyden

20 March 2020 at 14:20 UTC

Updated: 20 March 2020 at 14:29 UTC

Text editor flaw spawns CVE

A vulnerability in a third-party library component has had a knock-on effect on software packages that rely on it, including the Drupal content management system.

The issue involves a cross-site scripting (XSS) bug in CKEditor, a rich text editor that comes bundled with various online applications.

An attacker might be able to exploit the XSS vulnerability to target users with access to CKEditor. This potentially includes site admins with privileged access.

Exploitation is far from straightforward and would involve tricking potential victims into copying maliciously crafted HTML code before pasting it into CKEditor in ‘WYSIWYG’ mode.

“Although this is an unlikely scenario, we recommend upgrading to the latest editor version,” developers of CKEditor explain in an advisory, issued earlier this month.

CKEditor 4.14 fixes this XSS vulnerability in the HTML data processor, discovered by Michał Bentkowski of Securitum, as well as offering feature improvements and a fix for an unrelated XSS vulnerability in the third-party WebSpellChecker Dialog plugin.

An advisory from Drupal, issued on Wednesday, instructs users to update to a version of the CMS that features the updated version of CKEditor in order to mitigate the vulnerability.

In practice, this means upgrading to either Drupal 8.8.4 or Drupal 8.7.12.

The security flaw is described as “moderately critical” by Drupal, even though attackers would need to be able to create or edit content in order to attempt exploitation.

Source link

The post #hacking | XSS vulnerability in CKEditor prompts need for Drupal update appeared first on National Cyber Security.

View full post on National Cyber Security

#hacking | Google develops Linux tool that tackles USB keystroke injection attacks

‘Voight-Kampff test’ provides warnings about thumb drive malfeasance

Google has developed a tool for Linux machines that combats USB keystroke injection attacks by flagging suspicious keystroke speeds and blocking devices classified as malicious.

Keystroke injection attacks can execute malicious commands via a thumb drive connected to a host machine, by running code that mimics keystrokes entered by a human user.

In a post on the Google Open Source blog, Google security engineer Sebastian Neuner explained Google’s tool uses two heuristic variables – KEYSTROKE_WINDOW and ABNORMAL_TYPING – to distinguish between benign and malicious inputs.

KEYSTROKE_WINDOW, which measures the time between two keystrokes, can generate false positives if users hit two keys almost simultaneously, although accuracy rises with the number of keystrokes logged.

ABNORMAL_TYPING specifies the ‘interarrival time’ – or gap – between keystrokes.

The heuristic works because automated keystroke inputs are typically faster than those of humans, among other factors.

Neuner advises users to recalibrate the default parameters by gauging their own typing speed using online utilities whilst running the Google tool in ‘monitoring’ mode.

Done over several days or even weeks, this should gradually lower the false positive rate until it is eliminated, he explained.

The process trains the system to recognise the normal typing pattern of a user, thereby helping it to reduce the number of false alarms: instances where genuine user input is incorrectly flagged as malign.
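The sliding-window interarrival heuristic described above, as an added example in Python that is not Google's own tool code. The two parameter names, KEYSTROKE_WINDOW and ABNORMAL_TYPING, come from the article; the numeric defaults, the rule that every gap in the window must be below the threshold, the `KeystrokeMonitor` and `scan_stream` names, the monitor/block modes, the `suggest_threshold` calibration helper and the sample keystroke timestamps are all assumptions constructed for this illustration.

```python
"""Sliding-window interarrival heuristic for spotting scripted USB keystrokes.

Added example modelled on the two heuristics the article names. The defaults,
class and function names and the calibration helper are assumptions for this
illustration, not Google's code.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional

KEYSTROKE_WINDOW = 5     # keystrokes examined together (assumed default)
ABNORMAL_TYPING = 50.0   # ms; gaps shorter than this are "faster than human" (assumed default)


@dataclass
class Verdict:
    device: str
    flagged: bool
    gaps_ms: List[float]
    action: str           # "logged" in monitor mode, "blocked" in block mode


class KeystrokeMonitor:
    """Keeps the last KEYSTROKE_WINDOW keystroke timestamps for one input device."""

    def __init__(self, device: str, window: int = KEYSTROKE_WINDOW,
                 threshold_ms: float = ABNORMAL_TYPING, mode: str = "monitor") -> None:
        if window < 2:
            raise ValueError("window needs at least two keystrokes to form a gap")
        if mode not in ("monitor", "block"):
            raise ValueError("mode must be 'monitor' or 'block'")
        self.device = device
        self.window = window
        self.threshold_ms = threshold_ms
        self.mode = mode
        self.blocked = False
        self.times: Deque[float] = deque(maxlen=window)

    def on_keystroke(self, t_ms: float) -> Optional[Verdict]:
        """Feed one keystroke timestamp; returns a Verdict once the window is full."""
        if self.blocked:
            return Verdict(self.device, True, [], "blocked")
        self.times.append(t_ms)
        if len(self.times) < self.window:
            return None                      # not enough keystrokes yet
        ts = list(self.times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Every gap in the window must be below the threshold, so one near-simultaneous
        # human key pair does not trip the heuristic on its own when the window is wide.
        flagged = all(g < self.threshold_ms for g in gaps)
        action = "logged"
        if flagged and self.mode == "block":
            self.blocked = True              # from here on the device's input is refused
            action = "blocked"
        return Verdict(self.device, flagged, gaps, action)


def scan_stream(device: str, timestamps_ms: List[float], window: int = KEYSTROKE_WINDOW,
                threshold_ms: float = ABNORMAL_TYPING, mode: str = "monitor") -> Verdict:
    """Run a whole keystroke stream through a monitor.

    Returns the first flagged verdict, or the last verdict if nothing was flagged.
    """
    mon = KeystrokeMonitor(device, window, threshold_ms, mode)
    last: Optional[Verdict] = None
    for t in timestamps_ms:
        v = mon.on_keystroke(t)
        if v is not None:
            last = v
            if v.flagged:
                return v
    return last if last is not None else Verdict(device, False, [], "logged")


def suggest_threshold(human_timestamps_ms: List[float], safety_factor: float = 0.5) -> float:
    """Calibration helper: pick ABNORMAL_TYPING below the fastest gap a user produced
    while typing in monitor mode, so that sample no longer raises a false positive."""
    gaps = [b - a for a, b in zip(human_timestamps_ms, human_timestamps_ms[1:])]
    if not gaps:
        raise ValueError("need at least two keystrokes to calibrate")
    return min(gaps) * safety_factor


# Constructed sample streams (ms since device attach), not captured data.
HUMAN = [0, 120, 300, 310, 500, 700, 820]   # one near-simultaneous pair at 300 -> 310
INJECTED = [0, 4, 8, 12, 16, 20, 24]        # scripted device typing every 4 ms

if __name__ == "__main__":
    print(scan_stream("human-kbd", HUMAN))                 # not flagged
    print(scan_stream("human-kbd", HUMAN, window=2))       # narrow window: false positive
    print(scan_stream("rogue-usb", INJECTED, mode="block"))  # flagged and blocked
    print(suggest_threshold(HUMAN))                        # 5.0 ms for this user
```

With the default five-keystroke window the human sample passes even though it contains a 10 ms key pair, while a two-keystroke window flags that same pair, which is the false-positive trade-off the article describes. Lowering ABNORMAL_TYPING to the calibrated 5.0 ms clears the human sample but, for this 4 ms injection stream, still catches the scripted device; a slower injection script would slip under a threshold set that low, which is the cat-and-mouse point made later on the page.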

Simple, inexpensive, widely available

Keystroke injection tools are relatively inexpensive and widely available online, noted Neuner.

Darren Kitchen, founder of pen test tool developer Hak5, is well placed to comment. He invented keystroke injection in 2008 and pioneered the first tool to simulate attacks: the USB Rubber Ducky, which featured in the iconic hacker TV series Mr. Robot.

“Keystroke injection attacks are popular because they’re simple – the barrier to entry is extremely low,” Kitchen, also founder and host of the popular Hak5 Podcast, told The Daily Swig. “I developed the now de facto language, Ducky Script, so anyone can learn it in a minute or two.”

Keystroke injection attacks are also difficult to detect and prevent, according to Neuner, since they’re delivered via the most widely used computer peripheral connector: the humble USB.

Keystrokes are also sent “in a human eyeblink while being effectively invisible to the victim” sitting at the computer, he said. Kitchen pointed out that the “USB Rubber Ducky can type over 1,000 words per minute with perfect accuracy and never needs a coffee break”.

Kitchen recounts how he developed keystroke injection to “automate my then mundane IT job – fixing printers in the terminal with one-liners”, before realizing that it “violated the inherent trust computers have in humans.

“That’s a flaw that’s hard to fix,” he continued, “because we want computers to trust us, and the way we speak to them (Alexa notwithstanding) is by keystrokes.”

‘Hacking the Gibson’

However, the attack is “only as powerful as the user that logged in”, said Kitchen, adding that he probably wouldn’t be “hacking the Gibson” since his machines are restricted in what the ordinary user can do.

“On the other hand, if you’re in an organization that has ignored security best practices over the past decade, and all of your ordinary users have administrative privileges, then yeah – keystroke injection attacks are a problem (and you probably have many more).”

Neuner, who posted two videos demonstrating an attack against a machine with and without the tool installed, advised against viewing Google’s utility as a comprehensive fix.

“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” he said.

The security engineer added that Linux tools like fine-grained udev rules or open source projects like USBGuard, through which users can define policies and block specific or all USB devices while the screen is locked, can add further protection.

Matthias Deeg, head of research and development at German pen testing firm SySS GmbH, said it remained to be seen how effective Google’s tool would prove.

“In my opinion, this new tool is interesting and may actually help prevent automated keystroke injection attacks, for instance via bad USB devices,” Deeg, who has researched wireless input devices, including their use for keystroke injection attacks, told The Daily Swig.

“However, we have not yet tested this tool and its implemented heuristics used for detecting automated keystroke injection attacks, and thus cannot say how easily it can be bypassed by tweaking the keystroke injection behavior of the attacker tool. This appears to be a good old cat-and-mouse game.”

A GitHub README for the Google tool includes a step-by-step setup and operation guide. The utility runs as a systemd daemon that is enabled at reboot.

#hacking | Windows SMB: Accidental bug disclosure prompts emergency security patch

John Leyden

13 March 2020 at 12:45 UTC

Updated: 13 March 2020 at 12:49 UTC

Don’t Panic: Potentially wormable flaw only present in latest systems

Microsoft released an out-of-band security update to patch a remote code execution (RCE) vulnerability impacting Server Message Block (SMB) on Thursday, just two days after its regular Patch Tuesday releases.

The software vendor was obliged to rush out a fix after a security partner inadvertently disclosed details of the flaw, which is of a type previously exploited by high-profile threats such as the WannaCry worm.

If left unaddressed, the vulnerability (CVE-2020-0796) in Microsoft SMB 3.1.1 (SMBv3) could be exploited by a remote attacker to plant malicious code on vulnerable systems.

Exploitation would involve sending specially crafted, compressed data packets to a targeted SMBv3 server.

The flaw stems from bugs in how “Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests”, an advisory from Microsoft explains.

New flaws on the Block

SMB is a networking protocol that is used for sharing access to files and printers. It is the same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit harnessed by the infamous WannaCry ransomware.

The vulnerability exists in a new feature that was added to Windows 10 version 1903, so older versions of Windows, which do not support SMBv3.1.1 compression, are immune from the security flaw.

Both Windows 10 clients and Windows Server, version 1903 and later, need patching.

Preliminary scans by security experts suggest only 4% of publicly accessible SMB endpoints are vulnerable.

Server-side workarounds have been released for organizations running affected software but unable to rapidly roll out patches. This includes disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall.

Accidental disclosure

Satnam Narang, principal security engineer at security tools vendor Tenable, commented: “The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog.

“Soon after the accidental disclosure, references to it were removed from the blog post.”

At the time of writing, no proof of concept exploit code for CVE-2020-0796 has been publicly released.

Narang added that how readily exploitable this vulnerability might prove to be currently remains unknown.

“This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang explained.

“It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.”

#hacking | UK ministers will no longer claim ‘no successful examples’ of Russian interference | Technology

Ministers have been told they can no longer say there have been “no successful examples” of Russian disinformation affecting UK elections, after the apparent hacking of an NHS dossier seized on by Labour during the last campaign.

The dropping of the old line is the first official admission of the impact of Kremlin efforts to distort Britain’s political processes, and comes after three years of the government’s refusal to engage publicly with the threat.

Cabinet Office sources confirmed the position had been quietly changed while the security services conclude an investigation into the alleged hacking of the 451-page cache of emails from a special adviser’s personal email account.

Boris Johnson and his predecessor as prime minister, Theresa May, have both appeared reluctant to discuss Kremlin disinformation, with Johnson refusing to allow a report on Russian infiltration in the UK to be published before the election.

Versions of the “no successful examples” statement were regularly deployed in response to allegations of Russian interference in the Brexit referendum, to the frustration of MPs who believed a full investigation was necessary.

Officials said the revised position about Russian interference was set out by Earl Howe, the deputy leader of the House of Lords, in a parliamentary answer earlier this year, when he was asked if there were plans to investigate interference by foreign governments in December’s election.

The peer said the government was determined to protect the integrity of the democratic process in the UK. “As you would expect, the government examines all aspects of the electoral process following an election, including foreign interference, and that work is ongoing,” he said.

Stephen Kinnock, a Labour MP, said the government was being slow in acknowledging the disinformation threat from Russia. “From the hacking of NHS emails to the St Petersburg troll factories and bot farms, it’s clear that the Kremlin is pursuing a deliberate strategy of online disinformation and manipulation that is undermining our democracy.”

Security sources said that the Russian strategy of “hack and leak” and “disinformation and misinformation” – which first came to prominence with the hack of Democratic emails in the run-up to the 2016 US presidential election that handed victory to Donald Trump – was becoming widespread internationally.

Last month, the Foreign Office said Russia’s GRU spy agency had carried out a series of “large-scale, disruptive cyber-attacks” in Georgia “in an attempt to undermine Georgia’s sovereignty, to sow discord and disrupt the lives of ordinary Georgian people”.

But despite the strong words in support of an ally in the Caucasus, ministers had been reluctant to publicly call out any Russian disinformation efforts in the UK – and there has been little public acknowledgement of the NHS hack during the election, first reported by the Guardian.

The scale of the Russian threat will be examined in the long-awaited report on Kremlin infiltration into British politics from the independent intelligence and security committee, which cannot be published until Downing Street appoints a new set of members following the election.

Earlier this week, it emerged that among those in the frame were the error-prone former transport secretary Chris Grayling and recently sacked environment minister Theresa Villiers.

The NHS emails are believed to have been hacked from an adviser’s personal Gmail account, and were disseminated online via Reddit, under the headline “Great Britain is practically standing on her knees working on a trade agreement with the US”.

Initially ignored, the documents covering six rounds of UK-US trade talks were eventually picked up by Labour from the posting and produced during a dramatic press conference by Jeremy Corbyn, who said they showed the NHS was “on the table” in the negotiations.

Following an investigation, Reddit concluded “we believe this was part of a campaign that has been reported as originating from Russia” and said it bore the hallmarks of the earlier Secondary Infektion disinformation operation, which was exposed by Facebook in 2018.

#hacking | U.S.-Iran Tensions Mount After Death of Two Americans

The U.S. launched a series of air strikes targeting an Iran-backed militia in Iraq on Thursday, the day after two American service members were killed during an exchange of rocket fire between U.S. forces and the group. It is a dramatic escalation in a months-long confrontation between Washington and Tehran, and U.S. officials worry the fight could intensify as a spate of pressures mounts in Iran: a large outbreak of COVID-19, a collapse in the oil prices that sustain its economy, and continuing domestic hardships caused by America’s tough economic sanctions against the government.

The U.S. deaths came during a rocket attack on a base in Iraq on Wednesday that also killed one British citizen and injured 14 others, including contractors for U.S. firm DynCorp International. “The United States will not tolerate attacks against our people, our interests, or our allies,” Secretary of Defense Dr. Mark T. Esper said on Thursday. “As we have demonstrated in recent months, we will take any action necessary to protect our forces in Iraq and the region.”

The U.S. said the strikes were defensive, and targeted five military sites belonging to Kataib Hezbollah, the group the U.S. says carried out Wednesday’s attack, including at least one weapons storage depot north of the Shi’ite shrine city of Karbala, a U.S. military official told TIME, speaking anonymously because he was not authorized to describe the strikes publicly.

Tensions in the region had been slowly ratcheting up before the U.S. strike. Rather than ending what had been an ongoing proxy war between Washington and Tehran, President Donald Trump’s lethal drone strike early this year that killed Major Gen. Qasem Soleimani, the head of the Iranian Revolutionary Guard Corps’ paramilitary Quds Force, risked escalating the conflict, said three U.S. intelligence officials, who spoke only on the condition of anonymity.

Days later, Iran launched more than a dozen missiles at U.S. troops on two Iraqi military bases. While no Americans were killed, more than 100 have reported brain injuries as a result of the explosions. “The Iranian regime probably does not consider scores to have been entirely settled with the U.S. after the assassination of Soleimani,” says former CIA Mideast analyst Paul Pillar.

Indeed, Iranian-backed militias operating in Iraq have continued to attack U.S. forces. Fred Kagan, a resident scholar at the American Enterprise Institute, a Washington think tank, described Wednesday’s strikes as part of that continuum. The Iranians “wanted to be on an escalation path” after Soleimani’s death, Kagan says, but were deflected by their military’s apparently mistaken downing of a Ukrainian airliner and, now, the world’s third-largest caseload of coronavirus. “Their attention has been pulled elsewhere, but this is not the first time they have taken a shot,” since the U.S. strike on Soleimani, Kagan says.

Privately, current and former U.S. intelligence officials and outside experts have been warning for weeks that the coronavirus outbreak and plunging oil prices, coming atop the Trump administration’s effort to exert “maximum pressure” on Iran’s economy through sanctions, could cause the hardline regime in Tehran to blame others for the hardships and lash out.

Gen. Kenneth McKenzie, the head of the U.S. Central Command, told the Senate Armed Services Committee (SASC) on Thursday that the coronavirus outbreak in Iran, where there are now more than 10,000 confirmed cases, “probably makes them—in terms of decision-making—more dangerous, rather than less dangerous.”

The price of benchmark Brent Light crude oil has dropped about 50% so far this year, in part because of the damage the virus has inflicted on the economy of China. China accounts for 20 percent of Iran’s oil exports, the nation’s economic lifeblood. “The drop in oil prices intensifies Iran’s economic motivations not just to sit there and take it,” former CIA officer Pillar said before Wednesday’s attack. “Lashing out is more likely than folding and accepting U.S. demands.”

Two of the U.S. officials said Tehran is more likely to blame the plummeting oil price on its archenemy Saudi Arabia’s refusal to make a deal with Russia to boost prices by cutting oil production. “This doesn’t mean there will be another Pearl Harbor, but we could see more actions such as last year’s attacks on Saudi Arabia, which were partly intended to send the message that if Iran can’t export its oil, then other Persian Gulf producers will have problems exporting theirs,” says Pillar.

In response, they said, the U.S. has been trying to improve Saudi air defenses, especially in the Kingdom’s oil-rich Eastern Province, where Iran attacked oil facilities last September with a combination of drones and low-flying cruise missiles launched from near the Iraq-Iran border.

A possibly greater danger, one U.S. official said on Wednesday, is renewed Iranian cyberattacks on Saudi Arabia and other Sunni Muslim nations in the Gulf. “Hacking is harder to trace quickly than a missile or even a drone attack, and Iran has developed fairly respectable cyberwarfare capabilities,” the official said, requesting anonymity to discuss classified material.

The U.S. has also been negotiating with the Iraqi government to improve that country’s air and missile defenses, but Baghdad’s instability has interfered with that effort, McKenzie told the House of Representatives Armed Services Committee on March 10.

The U.S. officials declined to say whether American spy agencies have increased their satellite and other surveillance of Iran’s missile sites, naval bases, and other military targets in response to the threat of new Iranian attacks on coalition forces in Iraq, oil and gas facilities, and shipping in the Persian Gulf.

For the last three years, there has been an abiding belief within the Trump Administration that inflicting greater economic damage on Iran through a “maximum pressure” campaign and killing military leaders such as Soleimani will force Tehran to curtail its nuclear and missile programs and support for terrorist groups like Kataib Hezbollah and other allies in Lebanon, Syria, Iraq, Yemen, and Africa.

But many in the intelligence community disagree with this strategy. The administration has ignored repeated U.S. and foreign intelligence analyses, repeated in this year’s still-unreleased Worldwide Threat Assessment, warning that the maximum pressure campaign might backfire, and that Iran is unlikely to abandon its efforts to develop nuclear weapons. An International Atomic Energy Agency report this month said Iran’s enriched uranium stockpile was 1,510 kg, more than three times the 300kg limit set under the 2015 nuclear agreement, which the Trump Administration abandoned in 2018.

Even military officials warn the Trump administration’s policies are making the country more dangerous. “As the maximum pressure campaign against Iran continues, they are unable to respond really economically or diplomatically, the two channels that we’re using to apply pressure on them,” McKenzie told the SASC on Thursday. “As they seek to find a way to respond, the only way that’s left is the military component.”

McKenzie said Iran can accomplish that two ways: Through their state military or through their system of proxy militias. Because Iranian leadership is most interested in survival, they typically choose not to use their own military, he said, and stage attacks instead through proxies that are unattributable to Tehran or fall below the threshold for a U.S. response.

“That poses a real danger for them because I’m not sure they do have a good understanding of where our redlines are and where we’re not going to be pushed,” he said.

The U.S. strike came just days after the House approved a resolution that forbids President Donald Trump from launching a military attack against Iran without congressional authorization. The measure, which passed on a rare bipartisan 227-186 vote, was drawn up to rein in the president’s power in the wake of his unilateral decision in January to kill Soleimani. It now goes to the White House, where Trump is expected to veto it.

—With reporting by Kimberly Dozier and W.J. Hennigan in Washington

#hacking | US healthcare technology: Move to standardize APIs for patient data access receives mixed response

Emma Woollacott

12 March 2020 at 15:38 UTC

Updated: 12 March 2020 at 15:42 UTC

Interoperability rules largely welcomed, but potential privacy and security issues must be addressed, experts warn

New rules giving patients better access to their medical data have been approved by the US Department of Health and Human Services (DHSS) – but experts warn that security may not be entirely sewn up.

Currently, many electronic health record contracts contain provisions that either prevent or are perceived to prevent the sharing of information related to the records in use, such as screenshots or video.

From the beginning of next year, though, health plans doing business in Medicare, Medicaid, CHIP, and federal exchanges will be required to share patients’ health data.

Meanwhile, a new API will allow developers to create apps allowing patients to access their own data, as well as integrating a health plan’s information with their electronic health record (EHR).

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel, and every other component of their lives,” says Don Rucker, national coordinator for health information technology.

“This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.”

Predatory apps and snake oil warning

The new rules are generally being welcomed – with reservations.

“I’m not sure diving in headfirst by giving patients apps to access their own healthcare records via mobile apps is a good idea,” says Paul Bischoff, privacy advocate for security research firm Comparitech.com.

“Patients might not know what they’re agreeing to when handing over permission to apps to access their health records. This could lead to predatory apps that leverage medical records to sell snake oil.”

Meanwhile, says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, the nature of the US’ insurance-based healthcare system means that patients may need to be careful about the information they share.

“Given the sensitive nature of medical records, and the potential for a pre-existing condition to negatively influence future patient care, vetting of both app creators and medical data usage in care decisions are concerns,” he says.

“As consumers embrace apps as a proxy for physical identification and their mobile devices as a central store for their most sensitive data, both the security of those apps and the potential for compromise of a mobile device become increasing concerns.”

Much-needed security standard

According to the DHSS, similar apps already exist, in the form of Medicare Blue Button 2.0, which allows patients to securely connect their Medicare Part A, Part B and Part D claims and other data to apps and other tools.

More than 2,770 developers from over 1,100 organizations are working in the Medicare Blue Button 2.0 sandbox, it says, and 55 organizations have applications in production.

But, says David Jemmett, CEO and founder of security firm Cerberus Sentinel, it could be hard to implement a comprehensive security standard.

“As things stand currently, you don’t know if your portal has been checked for security standards unless there has been certification to meet a number of additional standards,” he says.

“Often the code itself goes unchecked and third-party companies can be building them for the interface, but there is no one to go line by line, ensuring security standards are met to certify the software.”

#hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020

New web targets for the discerning hacker

Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.

That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.

The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.

“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.

Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.

Bounties awarded for high risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.

If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.

Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.

In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.

The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.

“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.

“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”

Read the full interview with Bugcrowd founder Casey Ellis.

The latest bug bounty programs for February 2020

February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Celo

Program provider: HackerOne

Program type: Private bug bounty

Max reward: $15,000

Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.

Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring Standard are among Celo’s promises.

Visit the Celo bug bounty page at HackerOne for more info

Evernote

Program provider: HackerOne

Program type: Private bug bounty

Max reward: Undisclosed

Outline: The task management app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.

Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.

Visit the Evernote bug bounty page at HackerOne for more info

Google API Security Rewards Program

Program provider: HackerOne

Program type: Public bug bounty

Minimum reward: $50

Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications that access OAuth restricted scopes.

Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.

Visit the Google API Security Rewards Program at HackerOne for more info

Kindred Group

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.

Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflective XSS or captcha bypass, generate a $150 reward.

Visit the Kindred Group bug bounty page at HackerOne for full program details

Microsoft Azure – enhanced

Program provider: Independent

Program type: Public bug bounty

Max reward: $40,000

Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere to run alongside the general release of the IoT security platform.

Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.

Visit the latest Microsoft blog post for full program details

Microsoft Xbox

Program provider: Independent

Program type: Public bug bounty

Max reward: $20,000

Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.

Notes: In-scope vulnerabilities include all the regular suspects with full PoC exploit: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by user), and exploits in third-party components.

Visit the Xbox bug bounty page for full program details

Monolith
Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.

Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.

Visit the Monolith bug bounty page at HackerOne for full program details

imToken
Program provider: Independent

Program type: Public bug bounty

Max reward: $10,000

Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.

Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with critical vulnerabilities amounting to issues that result in an attacker stealing crypto-assets.

Visit the latest imToken blog post for more info

Visma
Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Business software provider Visma wants security researchers to break its domains, with payouts ranging from $100 for low-impact bugs to $2,500 for those defined as critical.

Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.

Visit the Visma bug bounty page at HackerOne for more info

Other bug bounty and VDP news

  • Katie Moussouris, quite possibly the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs.
  • The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that’s demonstrated significant growth over the past year.
  • Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
  • Hyatt expanded its public bug bounty program with HackerOne on its one-year anniversary last month, widening its scope with higher bounties.
  • Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking provider bunq, Canadian banking provider Koho, photo and video editing app PicsArt, and Belgium-based REM-B Hydraulics.
  • Bugcrowd also saw the SoundCloud bug bounty program increase its rewards last month, now offering a maximum of $4,500 for high-priority bugs.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.

RELATED Bug Bounty Radar // January 2020


#hacking | NTSA arrests reveal reluctance to upgrade number plates system

Source: National Cyber Security – Produced By Gregory Evans

The government has, since 2015, been planning to produce new-generation number plates that would be impossible to copy.

The proposed plates would have anti-counterfeit features that include holograms, watermarks, and laser markers which, if implemented, would provide the necessary checks against double registration of cars.

When they were arrested in Ngara, Nairobi, Michael Onyango Oduor, 54, and Sylvester Onyango, 30, were found actively trying to hack the NTSA website and the Transport Information Management System (TIMS). The third suspect, 33-year-old Antony Rugut Korir, was picked up at the NTSA offices, where he works at the call centre.

He is suspected of having assisted the hackers in accessing the NTSA network.

After the arrest, detectives recovered Sh1.18 million in 100 US dollar bills, three motor vehicles and a fibre laser cutting machine used to cut number plates.

A compressor machine that was being used for painting number plates, one number plate, five desktop computers, laptops, logbooks, modems, hard drives and flash drives were also recovered.

But even as the NTSA grapples with the fake number plates’ menace, the correctional services department under the same Interior ministry is on the spot for failure to initiate production of the new-generation number plates.

The government has, for the past five years, been seeking to replace the current plate production system, whose loopholes crooks have exploited to steal cars or to dump cars meant for export in the country.

The current system produces 1,000 pairs of licence plates per day, as opposed to a new-generation system that could make 6,000.

In 2015, the state department for correctional services advertised for the supply of raw materials for number plate blanks and hot stamping foils.

However, the tender was challenged in court and the matter was finally settled in 2017.

The Attorney General advised that the tender be awarded to the initial winners as per the High Court ruling.

President Uhuru Kenyatta visited Kamiti Prison in February 2017 and was shown machines for the new generation number plates.

In March 2019, the parliamentary committee on security also made a similar visit, but not much has been heard from the government since then.

Despite the noble plans, the old number plates continued to be issued. The reason given is that the laser marking machine is yet to be delivered.

Sources indicate the machine was ordered in 2018 but the firm that won the tender, Tropical Technology Limited, is yet to deliver.

According to sources in the prisons department, the company declined to deliver the machine, despite having imported it, after the prisons department declined to issue a local purchase order.

“Production and roll-out of new-generation number plates was rescheduled to commence on July 1, 2018, but could not be executed until the process of procuring the laser marking machine – which is for validating licence plates – had been concluded.

“In July 2019, the department of correctional services declined to accept a consignment of number plate blanks from Tropical Technology in fulfillment of their order, even though it had accepted the previous two consignments from the company,” said a source.

Last year, the government sent a delegation to Germany with the aim of buying a new machine but, according to sources, they were advised that the machine they were looking for produces 30 million plates a year and would require several countries to come together.

NTSA was hived off the Kenya Revenue Authority in 2012. According to sources, the move delinked the entire vehicle importation, declaration, inspection and registration process, with disastrous consequences for the security of the country.

“Now importers and motor vehicle dealers do not fear or bother about KRA in their schemes to import and declare motor vehicles as transit goods meant for South Sudan, Rwanda or Congo.

“Once they get to Busia or Malaba border, the cars are hidden, the paperwork is perfected, transit bonds cancelled and customs entry into Kenya is retired and archived.

“The crooks create a fictitious entry in the system and take them to NTSA.

“The fellows in ICT at NTSA deploy a malware or manipulate the registration system to allow the insertion of special characters such as dots, commas and apostrophes during the input of the chassis number.

“The TIMS can’t detect that the chassis number is for a motor vehicle that was meant for transit to a second country,” said the source.

The most lucrative cars are those with high engine capacity, such as Range Rover, Toyota Prado, Audi, BMW, Porsche and Jaguar.

They are illegally diverted to the local market and registered without paying tax.

Insiders said separating the vehicle importation process from registration was a big mistake.

NTSA should have been left to manage the licensing, registration and transfer of vehicles from one owner to another.

“The delay in implementing the new number plate registration process is deliberate. KRA is forced to release cars from Mombasa port before they have number plates, which gives crooks at the NTSA leeway to tamper with the declaration and registration process,” said another source.

Efforts to get a comment from NTSA Director-General George Njao were fruitless as our calls and text messages went unanswered.

Last week, the National Police Service disclosed that it was trying to impound about 450 vehicles registered illegally to evade paying tax.

Unscrupulous businessmen colluded with rogue employees to infiltrate the NTSA website and fraudulently register vehicles.

NTSA admitted that its database had been infiltrated and that some vehicles got into the system without following the laid-down procedures.

NTSA, in a statement, listed 37 names of individuals and companies whose data was used to register vehicles fraudulently.

The scandal raises questions on the safety of motorists’ data in the TIMS register.

Just last year, the then Interior CS Fred Matiang’i called for investigations after it emerged that some NTSA employees had colluded with KRA officials and car dealers to clone car number plates.

One of the cars with duplicated plates was used during the Dusit D2 attack.

The NTSA circular listed 42 vehicles issued with new number plates when they were destined for other countries, including South Sudan, Uganda, Malawi, Burundi, the DRC and Tanzania.

Last year, police impounded hundreds of vehicles after it emerged that their number plates had been cloned or they were fraudulently registered.

Some 19 NTSA employees were arrested in connection with the plate-cloning ring, but they were later released.


#hacking | Black Hat Asia 2020 postponed due to coronavirus epidemic

Source: National Cyber Security – Produced By Gregory Evans

Security conference was due to open its doors in Singapore next month

The upcoming Black Hat Asia security conference has been postponed due to ongoing concerns surrounding the latest coronavirus outbreak, event organizer Informa has confirmed.

“After careful consideration of the health and safety of our attendees and partners, we have made the difficult decision to postpone Black Hat Asia 2020 due to the coronavirus outbreak,” read an announcement, issued via the official Black Hat Events Twitter account.

Black Hat Asia was due to take place at the Marina Bay Sands in Singapore from March 31 to April 3.

The Asian edition, one of three Black Hat security conferences that take place around the world each year, celebrated its 10th anniversary in 2019, with infosec luminary Mikko Hyppönen delivering the keynote.

Security expert Mikko Hyppönen delivering the keynote at Black Hat Asia last year

The coronavirus outbreak in question, whose origins have been traced to Wuhan, China, refers specifically to the novel strain of pathogen now known as COVID-19.

According to a situation report (PDF) from the World Health Organization yesterday (February 13), there have been nearly 47,000 confirmed cases of infection globally, with more than 1,300 deaths.

News of the Black Hat Asia postponement follows a similar announcement earlier this week that Mobile World Congress 2020 would not go ahead in Barcelona this month due to concerns surrounding the virus.

DEF CON China, a hacking event that was slated to take place in Beijing in April, was also postponed last month due to concerns surrounding COVID-19.

“Our sympathies are with those affected during this difficult time,” an announcement on the Black Hat Events website read.

“Please know we are planning to host Black Hat Asia 2020 in the fall this year. We hope you are able to join us and will provide an update with the new event dates as soon as possible.”

The announcement as it appears on the Black Hat Asia website

RELATED The next arms race: Cyber threats pulled into stark focus at Black Hat Asia 2019


#hacking | E-governance to put an end to bureaucratic tangles

Source: National Cyber Security – Produced By Gregory Evans

No one knows who first started the practice of binding government documents with red tape during the colonial era. It could have been red, white or blue – any colour. Here this red tape got translated into ‘redtapism’, and red tape oppression that favoured the bureaucracy, rather than serving the people, began. At the beginning it merely indicated the inertness of the bureaucracy, but later ‘speed money’, or illegal transactions, got attached to it.

Electronic governance (E-governance) has brought about a positive change amid this red tape oppression in Bangladesh. Processing of around 90 per cent of documents under 25 ministries is now done electronically. As many as 3.2 million e-mails were exchanged, and more than 10 million documents were settled. There is a positive change in the system, and it has hurt the ‘bribe business’ in the offices.

In some cases speed money was no longer needed, since the officials involved were having a difficult time coping with the fast change of the system. Harassment and public suffering are declining. But one thing must be remembered: at the end of the day, the man behind the machine is the most important one. So, after witnessing the efficiency of e-documents at this early stage, there is no point in taking it for granted.

The policymakers should be aware that dishonest officials will always be looking for a viable alternative. So, while developing the software or the system, it is important that the operators have the knowledge and understanding of how e-governance can be abused, and of the solutions for that. The staff must have a minimum level of skills. We are on the brink of a fourth industrial revolution, so we might consider that at some point robots might be used for office management. That means we are faced with an entirely new situation.

Electronic document management is creating transparency in government work and bringing accountability. The challenge is to keep this system from being corrupted itself. There will be a risk of mechanical malfunction. There might be attempts to reincarnate the invisible ghost of speed money by devising new schemes that misuse the new system. Here a simple mistake can bring a big disaster. It will be a matter of great regret if e-document management remains faulty, because the penalty will be severe.

It is important to make certain that the benefit e-documents now provide by reducing harassment is sustained and that malpractice is prevented. Lessons must be taken from the Bangladesh Bank heist, where the system was hacked.

That incident showed that even though e-documents bring speed to the processing of important and sensitive documents, they can also cause great disaster through a simple inadvertency. So, it is very important to keep the mischievous nature of hacking in mind.

We wish the government’s initiative to create a revolution by reducing the use of paper in official work every success, something that is happening during the Golden Jubilee of our independence in 2021. It is important to ensure that there are no flaws or carelessness and that the necessary protection and security measures are taken.
