NCSC urges UK universities to shield themselves from possible cybersecurity threats

The National Cyber Security Centre (NCSC) has published a report that outlines the cybersecurity threats to UK universities and academia. The report aims to raise awareness of cyber threats and to encourage universities to adopt security-conscious policies. It asserts that the primary cyber threats to UK universities are motivated by financial gain and by the theft of intellectual property. Cybercrime may cause major difficulties for universities, but state-sponsored espionage has the potential to cause long-term damage: it may reduce the value of research, lead to a fall in public or private sector investment in the affected universities, or erode the UK's knowledge advantage. If foreign direct investment is restricted, cyber threats to universities will probably increase, as they provide an alternative way to access sensitive data. Universities are key contributors to the UK economy, skills development and innovation. In doing this, they handle personal and research data, intellectual property and other assets, each of which has significant value to others. Emails, personal information about students and staff, technical resources, and intellectual property are said to be of primary interest to a nation state; such data can be used for purposes including commercial gain and advancing similar research efforts. Phishing attacks and the introduction of malicious software are common attacks against universities. University websites usually provide ample data about students, staff and the institution from which to craft a phishing email. Introducing malware into university systems helps attackers steal data, gain long-term access, or even demand a ransom after encrypting all available data.
The NCSC recommends a few strategies against these attacks: (1) raise awareness among students and staff of cyberattacks, particularly phishing emails; (2) implement better access-control policies, especially for high-value research and intellectual property; and (3) reconsider network design to build smaller, private networks without impairing information sharing within the university.

New zero-day affects all versions of phpMyAdmin found

A cross-site request forgery (CSRF) flaw, also known as XSRF, has been identified in phpMyAdmin. phpMyAdmin is one of the most popular free tools for managing MySQL and MariaDB databases over the web, and is widely used to manage the databases of websites built with Joomla, WordPress and many other content management platforms. The unpatched zero-day vulnerability was discovered by security researcher and penetration tester Manuel Garcia Cardenas, who recently published details and a proof of concept. It can allow attackers to trick authenticated users into executing an unwanted action; on the safer side, it does not allow attackers to delete any database or table stored on the server, and it gives an attacker little access beyond the URL of a targeted server. The vulnerability, tracked as CVE-2019-12922 and given a medium rating, only allows an attacker to delete any server configured in the setup page of a phpMyAdmin panel on a victim's server. An attacker only has to send a crafted URL to a targeted web administrator who is logged in to phpMyAdmin in the same browser; as soon as they click on it, they are tricked into unknowingly deleting the configured server. According to the researcher's post to the Full Disclosure mailing list, the attacker can easily create a fake hyperlink containing the request they want to execute on behalf of the user, making a CSRF attack possible due to the incorrect use of the HTTP method.
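The root cause named in the post, a state-changing action reachable through a plain link because of the HTTP method it accepts, is easiest to see in code. The following is an added illustration, not phpMyAdmin's code: a generic "delete configured server" handler in its link-triggerable form beside a hardened version that requires POST, a per-session CSRF token and a same-origin check. The session store, cookie name, paths and site origin are constructed for the example.

```python
"""Generic CSRF illustration (added example, not phpMyAdmin code): a
'delete server' action that any request carrying the session cookie can
trigger, beside a hardened handler. All state below is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side state: one logged-in admin session.
SESSIONS = {"sess-abc": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
SITE_ORIGIN = "https://pma.example.test"  # assumed origin of the admin panel


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def new_config():
    """Fresh copy of the configured servers (constructed sample)."""
    return {"servers": {"1": "db-primary", "2": "db-replica"}}


def vulnerable_delete(req, config):
    """Weak pattern: the action runs on GET and checks nothing but the
    session cookie, which the browser attaches automatically. A crafted
    link such as /setup?action=delete&id=1 clicked by a logged-in admin
    is indistinguishable from a legitimate request."""
    session = SESSIONS.get(req.cookies.get("pma_session"))
    if session is None:
        return 401
    if req.params.get("action") == "delete":
        config["servers"].pop(req.params.get("id"), None)
        return 200
    return 400


def same_origin(req):
    """Origin (or Referer as fallback) must be exactly our site; a prefix
    test alone would accept https://pma.example.test.evil."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def hardened_delete(req, config):
    """Hardened pattern: POST only (a link or <img> cannot produce one), a
    per-session CSRF token compared in constant time, and an Origin check
    as defence in depth. Marking the session cookie SameSite=Lax/Strict
    adds a further layer at the cookie level."""
    session = SESSIONS.get(req.cookies.get("pma_session"))
    if session is None:
        return 401
    if req.method != "POST":
        return 405
    if not same_origin(req):
        return 403
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403
    if req.params.get("action") == "delete":
        config["servers"].pop(req.params.get("id"), None)
        return 200
    return 400


def run_demo():
    """Drive both handlers with a forged GET from another site and a
    legitimate POST; returns the status codes for inspection."""
    forged = Request("GET", "/setup", {"action": "delete", "id": "1"},
                     {"pma_session": "sess-abc"}, {"Referer": "https://attacker.example/"})
    legit = Request("POST", "/setup",
                    {"action": "delete", "id": "1",
                     "csrf_token": SESSIONS["sess-abc"]["csrf_token"]},
                    {"pma_session": "sess-abc"}, {"Origin": SITE_ORIGIN})
    return {
        "vulnerable_forged": vulnerable_delete(forged, new_config()),
        "hardened_forged": hardened_delete(forged, new_config()),
        "hardened_legit": hardened_delete(legit, new_config()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The token check is what actually defeats a cross-site form POST; requiring POST only removes the one-click link vector described above, and the Origin check catches mistakes in token handling.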

Google Calendars possibly leaking private information online

Thousands of Google Calendars have been found to be exposing private data online. More than 8,000 such calendars were discovered, indexed by Google's search engine, which means anyone can access their data and add events to them. Avinash Jain, a security researcher from India, discovered these calendars and published a blog post about it. This is not a bug or vulnerability in the Google Calendar service; it is the intended behaviour for collaboration. Employees may make a calendar public for a specific group of people, intending to share the link with them only, but it gets indexed by Google and anyone can access it. “While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone's public calendar, add anything on it — just by a single search query without being shared the calendar link,” says Avinash in the blog. The discovered calendars belonged to various organisations and exposed sensitive information such as internal presentation links, employee email addresses, event names, and more. This means that a single employee's mistake may make sensitive organisational data public. An advanced search query on Google can list all publicly shared calendars and grant access to the sensitive data they contain. Google does not notify the calendar's creator when someone accesses it or adds an event, which makes it hard for users to tell whether someone outside the intended group is accessing it. Check your Google Calendar settings to make sure you are not unintentionally making your data public. G Suite admins can read Google's guide to understand better how sharing works. There is also an option to create alerts when Google Docs, presentations and calendars become public.
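The practical check for an administrator is an audit of calendar access-control lists for the "anyone" scope, since that is the setting that leads to indexing. The following is an added example, not code from the researcher's post or from Google: it runs over a constructed sample whose shape follows the Google Calendar API ACL resource as assumed here (a `role` plus a `scope` with a `type`, where the public scope is `default`), makes no API call, and ranks public exposure by the role granted. It also flags domain-wide sharing, which is not public but is often an over-share.

```python
"""Audit calendar ACL rules for public exposure (added example). The ACL
data is constructed; its field names follow the Google Calendar API ACL
resource as assumed here, and nothing is fetched from Google."""
import json

# Constructed sample: calendar id -> list of ACL rules.
SAMPLE_ACLS = json.loads("""
{
  "team-roadmap@example.test": [
    {"role": "owner",  "scope": {"type": "user",  "value": "alice@example.test"}},
    {"role": "writer", "scope": {"type": "group", "value": "pm-team@example.test"}}
  ],
  "all-hands@example.test": [
    {"role": "owner",  "scope": {"type": "user",   "value": "bob@example.test"}},
    {"role": "reader", "scope": {"type": "domain", "value": "example.test"}}
  ],
  "exec-offsite@example.test": [
    {"role": "owner",  "scope": {"type": "user", "value": "carol@example.test"}},
    {"role": "reader", "scope": {"type": "default"}}
  ],
  "room-bookings@example.test": [
    {"role": "owner",          "scope": {"type": "user", "value": "dave@example.test"}},
    {"role": "freeBusyReader", "scope": {"type": "default"}}
  ],
  "shared-scratchpad@example.test": [
    {"role": "writer", "scope": {"type": "default"}}
  ]
}
""")

PUBLIC_SCOPE = "default"  # the "anyone" scope in the assumed ACL format
# Severity by role: free/busy leaks only availability, reader leaks event
# details (the exposure described above), writer lets anyone add events.
SEVERITY = {"freeBusyReader": "low", "reader": "high",
            "writer": "critical", "owner": "critical"}
RANK = {"low": 0, "high": 1, "critical": 2}


def audit_public_access(acls):
    """Return {calendar_id: (role, severity)} for every calendar that grants
    the public scope any role, keeping the most permissive rule per calendar."""
    findings = {}
    for cal_id, rules in acls.items():
        worst = None
        for rule in rules:
            if rule.get("scope", {}).get("type") != PUBLIC_SCOPE:
                continue
            severity = SEVERITY.get(rule.get("role", "none"))
            if severity is None:  # role "none" or unknown: no exposure
                continue
            if worst is None or RANK[severity] > RANK[worst[1]]:
                worst = (rule["role"], severity)
        if worst is not None:
            findings[cal_id] = worst
    return findings


def domain_wide(acls):
    """Calendars shared with the whole domain: not indexable, but worth review."""
    return sorted(cal_id for cal_id, rules in acls.items()
                  if any(r.get("scope", {}).get("type") == "domain" for r in rules))


if __name__ == "__main__":
    for cal_id, (role, severity) in sorted(audit_public_access(SAMPLE_ACLS).items()):
        print(f"{severity.upper():8} {cal_id}: public role {role}")
    print("domain-wide:", domain_wide(SAMPLE_ACLS))
```

Wired to a real ACL listing, the same function gives a prioritised list: public `writer` first (anyone can add events, as the post notes), public `reader` next, and free/busy-only last.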

Critical vulnerability in Harbor cloud native registry allows privilege escalation

Security researcher Aviv Sasson has discovered a critical vulnerability in the Harbor cloud native registry that could allow attackers to take control of Harbor registries running the default configuration. The privilege escalation vulnerability, tracked as CVE-2019-16097, allows attackers to send a malicious request to a vulnerable machine and register a new user with administrator privileges. Researchers found 1,300 vulnerable Harbor registries that would let anyone gain admin privileges under the default settings. Once an attacker gains privileged access to a Harbor registry, they can download the images of private projects and inspect them for vulnerabilities, delete all of the images in the registry, or even upload malicious versions of the images. The attacker creates a new user, sets it to be an admin, then connects to the registry via the Docker command-line tool with the new credentials and replaces the current images with anything they desire, including malware, crypto miners or worse. The vulnerability affects versions 1.7.0 through 1.8.2. The Harbor team has released a patch, included in Harbor versions 1.7.6 and 1.8.3. All users are advised to update their Harbor installations, because this vulnerability gives anyone full access to their registry.
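Two checks follow directly from the facts above: whether a deployed version falls in the affected range (reading 1.7.6 and 1.8.3 as the first fixed releases of their respective branches), and whether the registry's user list contains admin accounts nobody expects, which is what a successful exploit leaves behind. This is an added example, not Harbor's own code or API: the user records are constructed, and the `has_admin_role` field name is an assumption about what a user export would contain.

```python
"""Added defensive checks for the Harbor issue described above. Version
bounds come from the article; the user records below are constructed and
their field names are assumptions, not Harbor's API."""
import re

# Affected range per the article: 1.7.0 through 1.8.2, fixed in 1.7.6 and 1.8.3.
AFFECTED_RANGES = [((1, 7, 0), (1, 7, 6)), ((1, 8, 0), (1, 8, 3))]  # [lo, hi)

# Constructed sample of a user listing: one expected admin, one unexpected.
SAMPLE_USERS = [
    {"username": "admin",   "has_admin_role": True},
    {"username": "eve",     "has_admin_role": False},
    {"username": "mallory", "has_admin_role": True},
]


def parse_version(version):
    """Turn '1.8.2', 'v1.8.2' or '1.8.2-something' into a (major, minor, patch) tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version lies in an affected range and below its fix."""
    parsed = parse_version(version)
    return any(lo <= parsed < hi for lo, hi in AFFECTED_RANGES)


def unexpected_admins(users, expected_admins):
    """Admin accounts not on the allowlist; a hit after exposure of an
    affected version is a signal to investigate, not just to delete."""
    return sorted(u["username"] for u in users
                  if u.get("has_admin_role") and u["username"] not in expected_admins)


if __name__ == "__main__":
    for v in ("1.7.5", "1.7.6", "1.8.2", "1.8.3"):
        print(v, "affected" if is_affected(v) else "fixed/unaffected")
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"admin"}))
```

Running the admin audit periodically, with the allowlist kept in configuration management, turns the article's "anyone can become admin" outcome into a concrete alert.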

LastPass fixes vulnerability that could expose user credentials

Popular password manager LastPass has patched a security flaw that allowed access to the credentials of the last logged-in account; the fix is in the latest version of the application. Tavis Ormandy, a Google Project Zero researcher, published a report detailing the steps to reproduce the bug. Ormandy considers the bug high severity because it relies on JavaScript execution and does not require any user interaction. It can be exploited by luring the potential victim to a malicious website and extracting previously entered credentials from the browser extension. Ormandy believes that exploiting the bug isn't hard, as an attacker could hide a malicious link behind a trusted URL such as Google Translate. The bug was reported by Google on August 29 and the patch went live on September 13. It was disclosed privately by Google and there is no evidence of exploitation in the wild. In a blog post published by the company, Ferenc Kun, security engineering manager at LastPass, said: “To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times. This exploit may result in the last site credentials filled by LastPass being exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.” The fix is available in the latest version, 4.33.0, released last week. The blog post also states that the bug was limited to the Chrome and Opera browsers, but the update has been deployed to all browsers as a precaution. Although the update should apply automatically, make sure you are using the latest version, as some browsers may disable automatic updates for extensions.
LastPass also recommends that users follow general best practices such as using unique passwords for different sites, enabling multi-factor authentication, and never revealing the password manager's master password to anyone.

Edited and compiled by cyber security specialist James Aguilan.