WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope” – Naked Security
Source: National Cyber Security – Produced By Gregory Evans
If you follow @NakedSecurity on Twitter, you’ll have noticed that we warned last week about an old WhatsApp hoax that suddenly reappeared.
The bogus news is generally known as the “Martinelli hoax”, because it starts like this:
If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.
When we last wrote about “Martinelli”, back in 2018, we noted that the hoax was given a breath of believability because the text above was immediately followed by this:
If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!
This part of the hoax has a ring of truth to it.
Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold was doing the rounds.
The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”
So WhatsApp Gold was actual malware and the advice to avoid it was valid; the initiator of the Martinelli hoax used it to lend an element of legitimacy to their otherwise fake warning about the video.
The latest reincarnation of the hoax has kept the text of the original precisely, including the five-fold exclamation points and the weird extra spaces before punctuation marks.
The new hoax even claims that the video first mentioned several years ago still “comes out tomorrow.”
But there’s a new twist this time, with yet another hoax tacked on the end referring to yet another video “that formats your mobile.”
This time, the video is called Dance of the Pope:
Please inform all contacts from your list not to open a video called "Dance of the Pope". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this message to as many as you can!
Ironically, Snopes suggests that this piece of the hoax – which is basically the same as the Martinelli hoax but with a different video name – is even older than the Martinelli part, dating back to 2015.
Quite why the hoax has reappeared now is not clear, though it may have been triggered by March 2020 news headlines about wunderkind Brazilian footballer Martinelli.
Martinelli currently plays for Arsenal in England, but has been tipped to appear in the Brazilian national squad at just 18 years of age; he’s also been the subject of media speculation that he might get poached from Arsenal by Spanish heavyweights Real Madrid.
Is it even possible?
In theory, playing a deliberately booby-trapped video file on your mobile phone could end up in a malware infection, if your phone has an unpatched bug in its media player software that a crook could exploit.
In practice, however, that sort of bug is very rare these days – and typically gets patched very rapidly and reported very widely.
In other words, if the creator of this warning knew enough about the “bug” to predict that it could infect any mobile phone, and could warn you about this “attack” in a video that isn’t even out yet, it’s highly unlikely that you wouldn’t have heard about the actual bug itself either from the vendor of your phone or from the world’s cybersecurity news media.
Additionally, even if there were a dangerous bug of this sort on your phone and your phone were at risk, it’s unlikely that “nothing would fix it”.
As for the imminent and unconquerable danger of an alleged double-whammy video attack of “threats” that first surfaced in 2015 and 2016…
…well, if the videos were supposed to “come out tomorrow” more than four years ago, we think you can ignore them today.
What to do?
- Don’t spread unsubstantiated or already-debunked stories online via any messaging app or social network. There’s enough fake news at the moment without adding to it!
- Don’t be tricked by claims to authority. Anyone can write “they announced it today on BBC radio,” but that doesn’t tell you anything. For all you know, the BBC didn’t mention it at all, or announced it as part of a hoax warning. Do your own research independently, without relying on links or claims in the message itself.
- Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
- Don’t forward a cybersecurity hoax because you think it’s an obvious joke. What’s obvious to you might not be to other people, and your comments may get repeated as an earnest truth by millions of people.
- Don’t follow the advice in a hoax “just in case”. Cybersecurity hoaxes often offer bogus advice that promises a quick fix but simply won’t help, and will certainly distract you from taking proper precautions.
- Patch early, patch often. Security updates for mobile phones typically close off lots of holes that crooks could exploit, or shut down software tricks that adware and other not-quite-malicious apps abuse to make money off you. Take prompt advantage of updates!
- Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it gives you additional protection not only against unsafe system settings and malware, but also helps to keep you away from risky websites in the first place.
- Don’t grant permissions to an app unless it genuinely needs them. Mobile malware doesn’t need to use fancy, low-level programming booby-traps if you invite it in yourself and then give it more power than it needs or deserves.
The post WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope” – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
Tor browser fixes bug that allows JavaScript to run when disabled – Naked Security
The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.
The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them.
That was subsequently revised after the NoScript extension – used by Tor to control the execution of JavaScript, Java, Flash and other plugins – was updated to version 11.0.17.
Whether the issue matters depends on how users have configured Tor to treat JavaScript.
Tor’s ‘standard’ setting enables JavaScript by default; users can upgrade to either ‘safer’, which disables JavaScript on non-HTTPS sites, or ‘safest’, which disables JavaScript completely.
Each setting has its pros and cons. Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser.
There have been a small number of reports of this happening, for example in 2013, and again in 2016 when Mozilla issued a patch to fix a real-world JavaScript attack aimed at Tor by a government. On the other hand, many websites rely on JavaScript and disabling it can cause them to break, or at least work less well.
The new upgrade alert is urgent for anyone using Tor in the ‘safest’ setting. In short, the bug might in some circumstances allow JavaScript to continue to function even though this setting disallows that. Tor release notes advise that the extension will normally update automatically:
Noscript 11.0.17 should solve this issue. Automatic updates of Noscript are enabled by default, so you should get this fix automatically.
Why not just use NoScript to whitelist JavaScript on trusted sites, as is the case when used with non-Tor browsers?
Users can’t do this in Tor because doing so might make things even less secure – the act of enabling JavaScript only on some websites could itself become an inadvertent cookie used to fingerprint users as they pop up around the web.
That means that for everyone using Tor, JavaScript is either on or off with no ambiguous ‘on sometimes’ halfway house.
Things could be worse. Last year, a problem with digital signatures caused Firefox and Tor to temporarily stop trusting lots of add-ons, including NoScript. Unsure of what was going on, cautious users who understood NoScript’s importance had stopped using Tor until the problem was fixed.
Intel patches graphics drivers and offers new LVI flaw mitigations – Naked Security
Intel’s March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company’s Graphics drivers.
There are 17 of these all told, including six high-severity flaws, starting with CVE-2020-0504, a buffer overflow leading to a denial of service flaw whose CVSS score of 8.4 suggests the need for urgent attention.
Intel doesn’t offer much detail on the individual flaws beyond the fact they allow the usual trio of privilege escalation, information disclosure and denial of service, all of which require local access.
Beyond this lie fixes for another 11 flaws affecting product lines including SmartSound, BlueZ, the Max 10 FPGA, the NUC firmware, and the Programmable Acceleration Card (PAC) N3000.
However, the star flaw of the month is the Load Value Injection (LVI) weakness (CVE-2020-0551), publicised this week by a diverse group of mainly academic security researchers.
Following in the footsteps of a series of chip-level flaws with impressive names (Spectre, Meltdown, Fallout, ZombieLoad, RIDL, CacheOut), this one is what might light-heartedly be called a ‘NOBWAIN’ (Not a Bug With an Impressive Name).
According to the researchers, LVI is unlike previous side-channel processor attacks:
Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle – ‘inject’ – the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.
Reported to Intel last April, it’s a novel technique which could, for example, be used to steal data from Software Guard eXtension (SGX) enclaves, a secure memory location inside post-2015 Intel processors used to store things like encryption keys, digital certificates, and passwords.
There is no simple fix for LVI, the researchers claimed, but Intel said it would release mitigations for the SGX platform and software development kit from this week. Beyond that, it downplayed the issue:
Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted.
The full list of affected processors can be found on Intel’s website, essentially all processors that come with SGX.
For now, because LVI is a theoretical exercise, it isn’t an issue the average Intel user needs to worry about. There are no known exploits of this, or any of the previous hardware flaws found since Spectre and Meltdown were made public more than two years ago.
However, it’s clear that chip designers have some work on their hands building defences against these attacks into future hardware. These days, buyers largely upgrade to achieve higher processor performance. It now looks as if security might soon be just as compelling a reason.
biometrics, machine learning, privacy and being a woman in tech – Naked Security Podcast – Naked Security
To celebrate International Women’s Day we invite you to this all-female splinter episode. We discuss privacy, biometrics, machine learning, social media, getting into cybersecurity and, of course, what it’s like to be a woman in tech.
Host Anna Brading is joined by Sophos experts Hillary Sanders, Michelle Farenci and Alice Duckett.
Cathay Pacific fined over crooks slurping its database for over 4 years – Naked Security
The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it’s fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.
This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.
Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:
→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.
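The bicycle-lock picture describes the attacker's side; what a defender sees is a burst of failed logins from one source. The following is an added example, not code from the article or from Cathay Pacific, of the detection logic a monitoring pipeline might run over authentication logs: it parses constructed sample lines (the log format, accounts and IP addresses are all made up for this illustration), computes the peak number of failures from each source inside any sliding one-minute window, and flags sources that cross a threshold. Malformed lines are counted rather than silently dropped, since a parser that ignores what it cannot read is itself a blind spot.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample authentication log for this example (not data from the
// article or from Cathay Pacific). Fields: RFC 3339 time, outcome, account, source IP.
var sampleLog = []string{
	"2018-03-01T10:00:00Z FAIL alice 203.0.113.7",
	"2018-03-01T10:00:01Z FAIL alice 203.0.113.7",
	"2018-03-01T10:00:02Z FAIL bob 203.0.113.7",
	"2018-03-01T10:00:03Z FAIL carol 203.0.113.7",
	"2018-03-01T10:00:04Z FAIL dave 203.0.113.7",
	"2018-03-01T10:00:05Z OK dave 203.0.113.7",
	"2018-03-01T10:00:30Z FAIL erin 198.51.100.2",
	"2018-03-01T10:20:00Z FAIL erin 198.51.100.2",
	"2018-03-01T10:40:00Z OK erin 198.51.100.2",
	"2018-03-01T10:00:10Z FAIL frank 192.0.2.9",
	"2018-03-01T10:00:11Z this line is malformed",
}

type attempt struct {
	ts   time.Time
	ok   bool
	user string
	src  string
}

// parseLine splits one log line. Malformed lines are reported, not silently
// dropped, so the pipeline can account for them.
func parseLine(line string) (attempt, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return attempt{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return attempt{}, err
	}
	return attempt{ts: ts, ok: f[1] == "OK", user: f[2], src: f[3]}, nil
}

// maxFailuresInWindow returns, per source IP, the largest number of failed
// attempts inside any sliding window of the given length, plus the count of
// lines that could not be parsed.
func maxFailuresInWindow(lines []string, window time.Duration) (map[string]int, int) {
	failsBySrc := map[string][]time.Time{}
	malformed := 0
	for _, l := range lines {
		a, err := parseLine(l)
		if err != nil {
			malformed++
			continue
		}
		if !a.ok {
			failsBySrc[a.src] = append(failsBySrc[a.src], a.ts)
		}
	}
	peak := map[string]int{}
	for src, ts := range failsBySrc {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			// Slide the window start forward until the span fits inside window.
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > peak[src] {
				peak[src] = n
			}
		}
	}
	return peak, malformed
}

// bruteForceSources lists the sources whose peak failure count meets the
// threshold, sorted for stable output.
func bruteForceSources(lines []string, window time.Duration, threshold int) []string {
	peak, _ := maxFailuresInWindow(lines, window)
	var out []string
	for src, n := range peak {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	peak, malformed := maxFailuresInWindow(sampleLog, time.Minute)
	fmt.Println("peak failures per minute by source:", peak, "malformed lines:", malformed)
	fmt.Println("sources at or above 5 failures/minute:", bruteForceSources(sampleLog, time.Minute, 5))
}
```

The sliding window matters more than a plain per-hour count: two failures twenty minutes apart from 198.51.100.2 look like a user mistyping a password, while five in five seconds from 203.0.113.7 against four different accounts do not. In production the threshold and window would be tuned to the service, and a hit would feed a lockout or rate limiter rather than just a print statement.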
Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.
Investigations found that the airline lacked appropriate security to secure customers’ data from October 2014 to May 2018. The data was exposed for longer than that, though: Cathay said in October 2018 that its system had been compromised at least seven months prior. As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.
Why didn’t the company announce the breach earlier? It didn’t say.
The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.
The ICO says that Cathay Pacific’s systems were entered via a server connected to the internet. Enabled by what the office called a “catalog of errors,” crooks managed to install data-harvesting malware. The security sins turned up by the ICO’s investigation included some basic ones: for example, the ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations:
People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.
The fine imposed on the company would have caused a lot more hurt if the breach had been discovered after the General Data Protection Regulation (GDPR) went into effect.
In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.
Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.
Though it escaped the weight of the GDPR hammer, the ICO says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the 1998 Data Protection Act, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”
For full details on the fine, check out the ICO’s Monetary Penalty Notice.
Chrome 80 encryption change blocks AZORult password stealer – Naked Security
Evidence is emerging that a barely noticed change made to Chrome 80, released on 4 February, might have disrupted the hugely successful data and user profile stealing malware AZORult.
AZORult first appeared in 2016; since then it has been used to thieve huge amounts of information from victims, including everything from cryptocurrency data, passwords, web browsing history and cookies to credentials for FTP clients, desktop Telegram, and Skype chats.
You name it, AZORult will try to steal it, often posing as legitimate software such as the installer for ProtonVPN.
The malware went into a relative decline in 2018. And now, according to research by Israeli security company Kela, chatter on crime forums suggests cybercriminals believe that Chrome 80’s move to encrypt locally saved passwords and cookies using AES-256 has killed the malware’s attempts to steal data for good.
When running on Windows, Chrome previously relied on Microsoft’s systemwide Data Protection API (DPAPI), which has proved susceptible to popular credential cracking tools such as Mimikatz.
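To see why a change of encryption scheme can break a stealer outright, it helps to model the two layouts side by side. The code below is an added example, not Chrome’s or Kela’s code: it is a simplified model of the design the article describes, in which a random 256-bit browser key is stored only in wrapped form and every saved password or cookie is AES-256-GCM ciphertext under that key. The `PlatformKey` type stands in for the operating system’s per-user protection API (DPAPI on Windows), the `versionTag` prefix and the blob layout are assumptions made for this illustration, and the secret values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// versionTag marks values written under the new scheme so the browser can
// tell them apart from legacy blobs. The tag value is an assumption.
const versionTag = "v10"

// gcmSeal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key or any tampering fails authentication.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// PlatformKey stands in for the OS per-user protection API (DPAPI on Windows):
// only processes running as this user can wrap and unwrap with it.
type PlatformKey []byte

// BrowserStore models the post-Chrome-80 layout: a random browser key, kept
// only in wrapped form, protects every saved password and cookie.
type BrowserStore struct {
	WrappedKey []byte            // browser key, wrapped by the platform key
	Entries    map[string][]byte // name -> versionTag || nonce || ciphertext
}

func NewBrowserStore(pk PlatformKey) (*BrowserStore, error) {
	browserKey := make([]byte, 32) // 256-bit AES key
	if _, err := io.ReadFull(rand.Reader, browserKey); err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(pk, browserKey)
	if err != nil {
		return nil, err
	}
	return &BrowserStore{WrappedKey: wrapped, Entries: map[string][]byte{}}, nil
}

// Save unwraps the browser key with the platform key, then encrypts the secret.
func (s *BrowserStore) Save(pk PlatformKey, name string, secret []byte) error {
	key, err := gcmOpen(pk, s.WrappedKey)
	if err != nil {
		return err
	}
	ct, err := gcmSeal(key, secret)
	if err != nil {
		return err
	}
	s.Entries[name] = append([]byte(versionTag), ct...)
	return nil
}

// Load is the legitimate path: check the tag, unwrap the browser key, decrypt.
func (s *BrowserStore) Load(pk PlatformKey, name string) ([]byte, error) {
	blob, ok := s.Entries[name]
	if !ok || !bytes.HasPrefix(blob, []byte(versionTag)) {
		return nil, errors.New("missing or unrecognised entry")
	}
	key, err := gcmOpen(pk, s.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(key, blob[len(versionTag):])
}

// legacyDecrypt is what a tool built for the old layout did: hand the stored
// blob straight to the platform API. Under the new layout the blob is
// ciphertext under the browser key, so authentication fails.
func legacyDecrypt(pk PlatformKey, blob []byte) ([]byte, error) {
	return gcmOpen(pk, blob)
}

func main() {
	pk := make(PlatformKey, 32) // constructed per-user key for the demo
	if _, err := io.ReadFull(rand.Reader, pk); err != nil {
		panic(err)
	}
	store, err := NewBrowserStore(pk)
	if err != nil {
		panic(err)
	}
	if err := store.Save(pk, "cookie", []byte("session=constructed-value")); err != nil {
		panic(err)
	}
	got, err := store.Load(pk, "cookie")
	fmt.Printf("legitimate path: %q err=%v\n", got, err)
	_, err = legacyDecrypt(pk, store.Entries["cookie"])
	fmt.Println("legacy path error:", err)
}
```

The point of the model is the extra indirection: a tool that only knows how to call the platform API now gets back an authentication failure instead of a password, and has to be rewritten to locate the wrapped key, unwrap it, strip the tag and run AES-GCM. That rewrite is exactly what a stealer whose source code is no longer available cannot get. The indirection does not, on its own, stop code that runs as the same user and is updated to follow the new path, which is why the article treats it as a setback for one malware family rather than a fix for browser credential storage.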
“All the older cracked versions of different stealers are finished,” Kela translates a Russian language commenter on a crime forum as having said.
Credential drought
Apparently, AZORult’s problem is that, in the wake of growing fragmentation, its development seems to have stalled. Other data stealers such as Raccoon and Kpot are said to have evolved to cope with the change, although how successfully is not explained.
The evidence for AZORult’s demise is supported by Kela’s figures showing that the Genesis crime market where user profiles and credentials are traded has seen a sudden and dramatic drop in those connected to AZORult.
Genesis is viewed by some security companies as one of the most innovative crime marketplaces because it trades mostly in user ‘fingerprints’ that criminals can use to emulate or spoof victims. This includes unique aspects of their browsing behavior, IP address, software installation and computer hardware.
Until now, the go-to for that has been AZORult. In an interview with ZDNet, Kela’s Raveed Laeb said that the Genesis database of stolen credentials had gone down from 335,000 to around 230,000 in a matter of weeks.
While the marketplace is unlikely to disappear, Chrome’s evolution is likely to spell the death knell for AZORult, at least:
With no apparent heir to fix the deep issues caused by the new Chrome update, it seems that actors – if we’re extrapolating from Genesis – have actually decided to move on to new stealers.
Chrome’s switch to AES-256 also affects other browsers based on Chromium, including Microsoft’s new Edge browser, Opera and Brave.
The only way for AZORult to adjust to this change would be to patch the original source code, but this is no longer available.
Nevertheless, the data stealing function of AZORult will be taken up by plenty of willing rivals. It’s a case of one down, plenty more to go.
Are browser password managers safe?
Demonstrably not. Which is why the easiest way to dodge the issue of browser password manager weaknesses is not to use them at all, opting instead for a full-blown password manager.
Unlike browsers, these are extensions dedicated to the job of securing passwords. They offer more sophisticated security design, and will work across different platforms, browsers and computers. The additional security they offer over browser password stores is more than worth the minimal time spent setting them up.
Brave beats other browsers in privacy study – Naked Security
Users looking for a privacy-focused browser might want to consider Brave first, according to a study published this week.
Douglas Leith, professor of computer systems at Trinity University, examined six browsers for his report – Web Browser Privacy: What Do Browsers Say When They Phone Home? He found that Brave’s Chromium-based browser is the least likely to reveal unique identifying information about the computer using it.
The study examined six browsers: Chrome, Firefox, Safari, Brave, Edge, and Yandex. It used several tests to deduce whether the browser can track the user’s IP address over time, and whether it leaks details of web page visits. To do this, it looked at the data shared on startup after a fresh install, on a restart, and after both pasting and typing a URL into the address bar. It also explored what the browser did when it was idle.
Even though Mozilla makes a talking point of privacy in Firefox, it was Brave, developed by Mozilla’s founder (and creator of JavaScript) Brendan Eich, that won out. Brave, which has accused Google of privacy violations, is “by far the most private of the browsers studied” when used with its out of the box settings, according to the paper.
The study placed browsers in one of three privacy classes, based on the time span over which they retain identifiers. Brave gets the top class all to itself because it uses what the study calls ‘ephemeral’ identifiers that link a handful of transmissions and then reset. This means it doesn’t remember your identifier across browser restarts.
The paper lumps Safari, Firefox, and Chrome together in the second band. These browsers share some privacy issues, the paper warns, including auto-tagging each browser instance with unique session and browser instance identifiers that can persist across restarts. These behaviours can be disabled but they’re turned on silently by default, the paper claims.
The research picks out four identifiers that Firefox uses. Two created by the browser persist across browser restarts, while the third changes between browser sessions but could be linked together because old and new values are sent together in a telemetry message, the paper said. The fourth identifier, created by the server, is associated with an open web socket used for Firefox’s push services. Firefox also sends user IP addresses with these identifiers.
Leith’s paper acknowledges that Mozilla deletes the IP addresses sent with these identifiers after 30 days, but frets that the company is “silent on the uses to which the IP data is put.” He worries that this could be used to track the user’s location, adding:
That does not mean such linking actually takes place, only that the potential exists for it to be done.
Leith had asked Mozilla whether it used IP addresses for location tracking, and also asked for the company’s IP address usage policy as part of its push service. He received no response. Mozilla spokesperson Justin O’Kelly didn’t address those issues specifically with us, but responded:
Firefox does collect some technical data about how users interact with our product, but that does not include the user’s browsing history. This data is transmitted along with a unique randomly generated identifier. IP addresses are retained for a short period for security and fraud detection and then deleted. They are stripped from telemetry data and are not used to correlate user activity across browsing sessions.
Leith’s paper also calls out Safari, which it said allows all the third-party sites listed on its start page to set cookies without user consent. It also phones home to icloud.com even from machines that aren’t registered with that Apple service, the paper warns, calling this connection “spurious”.
Apple was also the most aggressive browser when it came to sending data that users typed into the address bar back to Apple servers for autocomplete purposes, the paper warned:
The requests to Apple include identifiers that persist across browser restarts and so can be used to link requests together and so reconstruct browsing history.
Apple didn’t respond to our request for comment.
Google’s Chrome phones home almost every letter typed into the search bar for autocomplete purposes, the paper said. Even after unticking the ‘allow telemetry’ box, the browser sets up a cookie with Google’s server that it then communicates each time the browser is opened, Leith found, and this happens even if the user isn’t logged into Google. Google declined to comment for our article but pointed us to its Chrome Privacy White Paper.
The issue for many of these browsers seems to be not so much what they’re doing, as the fact that they do it by default, leaving non-techie or unaware users open to more information gathering. From Leith’s paper:
In summary, Chrome, Firefox and Safari can all be configured to be much more private but this requires user knowledge (since intrusive settings are silently enabled) and active intervention to adjust settings.
The paper reserves the gravest concerns for the third, least private group that it identified, containing Edge and Yandex. These use identifiers linked to the device hardware, it said, persisting across fresh browser installs. They can also be used to link different apps running on the same device.
Edge also contacts a Microsoft advertising server, the paper said, which sends back several identifiers that Edge then echoes in subsequent requests to that server. It added:
Loading of the Edge welcome page sets a number of cookies. In particular, this includes a cookie for vortex.data.microsoft.com, which appears to be a data logging server, and allows data transmitted to this server to be linked to the same browser instance.
Even pasting (rather than typing) a URL into the address bar has what the paper calls “unwanted consequences”, including leaking user browsing history to Bing via the search engine’s autocomplete API, and once again contacting vortex.data.microsoft.com.
Microsoft’s Edge privacy page says that it sends device identifiers as part of a diagnostics reporting service that users can turn off. Users can also delete this data on the server. According to its Edge privacy white paper, people can turn off Search Suggestions to stop it sending your search terms to Bing, which otherwise keeps them for six months.
Yandex didn’t respond to the paper’s allegations that its browser, popular among Russian speakers, sends user browsing data to Yandex servers as part of its autocomplete API, along with the text of web pages to its translation service. It also sends the SHA-1 hashed MAC address of a machine to Yandex, along with browser identifiers, enabling them to be tied together, Leith’s paper said.
Adobe fixes critical flaws in Media Encoder and After Effects – Naked Security
After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.
This is what’s called an out of band update, which means that a vulnerability is too risky or likely to be exploited to leave to the next scheduled update.
The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.
The flaw has been identified as CVE-2020-3765 and was reported to Adobe only days ago; the company offers little detail on the vulnerability itself beyond stating that the update:
Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.
All that tells us is that exploiting the flaw would require access to the user’s machine, which shouldn’t detract from the need to patch the issue.
The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02. Identified as CVE-2020-3764, this requires similar current user access.
There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.
The update
The fix for After Effects (APSB20-09) is to upgrade to version 17.0.3. For Media Encoder (APSB20-10) it’s version 14.0.2.
It’s unusual for Adobe to issue out of band updates. Excluding the later than usual patching of a slew of flaws last October, the last was three emergency fixes for ColdFusion the month before that.
Despite the inconvenience, this is to be applauded. The sooner a critical flaw is patched, the sooner everybody stops worrying about it.
Dell fixes privilege elevation bug in support software – Naked Security
Users of Dell SupportAssist should patch their software immediately to fix a software bug that could lead to arbitrary code execution, the PC vendor said this week.
SupportAssist is a Dell software product that comes preinstalled on most of its Windows-based endpoints. It performs diagnostic tasks and streamlines the creation of support tickets for Dell machines by sending back the appropriate data to Dell operatives. It can even provide predictive maintenance for users with premium accounts, warning of components that look like they’re close to failure.
According to a Dell advisory, a vulnerability in the program lets a locally-authenticated low-privilege user force the SupportAssist program binaries to load arbitrary dynamic-link libraries (DLLs). DLLs are executable files that can contain data and other resources, and they’re often used as a way to break down applications into modular parts.
By forcing the SupportAssist software to run a DLL, an attacker could have it run with the Dell application’s privileges, effectively mounting a privilege elevation attack.
The flaw that enables the attacker to run a DLL is an uncontrolled search path vulnerability. These bugs allow malicious actors to manipulate file paths, making their malicious files executable by the target system.
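An uncontrolled search path is easiest to understand as an ordering problem: the loader tries a list of directories in turn and takes the first file whose name matches, so any directory on that list that a low-privilege user can write to, and that comes before the genuine library (or is consulted when the library is absent altogether), is a place a planted file would be picked up. The following is an added example, not Dell’s code or anything from the advisory, of an audit that walks a search order the way a loader would and reports those directories, alongside the usual mitigation of loading by fully qualified path from a directory that ordinary users cannot modify. The writability test is a Unix permission-bit heuristic chosen so the code runs anywhere; on Windows a real audit would inspect directory ACLs instead. The directory layout and the `helper.dll` name are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Finding records a directory on the search path that a low-privilege user
// could write to before the loader reaches the genuine library.
type Finding struct {
	Dir    string
	Reason string
}

// writableByOthers is a Unix permission-bit heuristic (world-writable bit).
// A Windows audit would read the directory ACL instead; this is an
// assumption made to keep the example portable.
func writableByOthers(dir string) (bool, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	if !info.IsDir() {
		return false, fmt.Errorf("%s is not a directory", dir)
	}
	return info.Mode().Perm()&0o002 != 0, nil
}

// AuditSearchPath resolves a bare library name the way a loader would, walking
// searchOrder, and reports every writable directory consulted before the name
// resolved. An empty resolved path means the library was never found (a
// "phantom" library): any writable directory on the path could supply it.
func AuditSearchPath(libName string, searchOrder []string) (string, []Finding, error) {
	if filepath.Base(libName) != libName {
		return "", nil, fmt.Errorf("expected a bare library name, got %q", libName)
	}
	var findings []Finding
	for _, dir := range searchOrder {
		writable, err := writableByOthers(dir)
		if errors.Is(err, os.ErrNotExist) {
			continue // the loader skips directories that do not exist
		}
		if err != nil {
			return "", nil, err
		}
		if _, err := os.Stat(filepath.Join(dir, libName)); err == nil {
			if writable {
				findings = append(findings, Finding{dir, "library lives in a writable directory"})
			}
			return dir, findings, nil
		}
		if writable {
			findings = append(findings, Finding{dir, "writable directory searched before the library was found"})
		}
	}
	return "", findings, nil
}

// SafeLoadPath is the mitigation: ignore the search path entirely and load by
// fully qualified name from a directory unprivileged users cannot write to.
func SafeLoadPath(libName, trustedDir string) (string, error) {
	if filepath.Base(libName) != libName {
		return "", fmt.Errorf("expected a bare library name, got %q", libName)
	}
	writable, err := writableByOthers(trustedDir)
	if err != nil {
		return "", err
	}
	if writable {
		return "", fmt.Errorf("%s is writable by other users; refusing to load from it", trustedDir)
	}
	full := filepath.Join(trustedDir, libName)
	if _, err := os.Stat(full); err != nil {
		return "", err
	}
	return full, nil
}

func main() {
	root, err := os.MkdirTemp("", "searchpath-audit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	app, public, system := filepath.Join(root, "app"), filepath.Join(root, "public"), filepath.Join(root, "system")
	for _, d := range []string{app, public, system} {
		if err := os.Mkdir(d, 0o755); err != nil {
			panic(err)
		}
	}
	// Constructed layout: a world-writable directory sits on the search path
	// ahead of the protected directory that actually holds the library.
	if err := os.Chmod(public, 0o777); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(system, "helper.dll"), []byte("stand-in"), 0o644); err != nil {
		panic(err)
	}
	resolved, findings, err := AuditSearchPath("helper.dll", []string{app, public, system})
	fmt.Println("resolved in:", resolved, "findings:", findings, "err:", err)
	fmt.Println(SafeLoadPath("helper.dll", system))
	fmt.Println(SafeLoadPath("helper.dll", public))
}
```

Two findings are worth separating when reading the output: a writable directory ahead of the real library, and a library that never resolves at all. The second is the quieter problem, because the application appears to work while a gap remains on the path. The remedy is the same in both cases and matches what the fixed SupportAssist versions are meant to enforce: resolve the library by full path from a protected location instead of letting the loader search.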
The vulnerability affects versions of SupportAssist dating back to 2.0, but Dell has fixed the problem in the latest versions of its software. For business PCs, version 2.1.4 contains the fix. For home PCs, it’s version 3.4.1.
The good news is that for some users the problem will resolve itself thanks to the SupportAssist application’s auto-update facility. If this option is enabled, SupportAssist will automatically upgrade to the latest version.
Users that don’t have the automatic update feature enabled can implement the fix by opening the software, clicking the ‘Settings’ icon at the top right, and clicking ‘About SupportAssist’. The program will then check to see if there’s a new version available. If it finds one, it’ll display an ‘Update Now’ link for you to click.
The vulnerability has been assigned CVE-2020-5316, although the CVE entry had not yet been updated at the time of writing.
This isn’t the first uncontrolled path vulnerability that Dell has grappled with. The company found a similar flaw in the PC Doctor component of SupportAssist in June 2019.