13 July 2018
Facebook privacy loophole allowed personal data of 'closed' group members to be downloaded
A Chrome browser extension called Grouply.io allowed marketers to harvest the personal information of members of private Facebook groups. The loophole was investigated by security researcher Fred Trotter. Trotter had been contacted by Andrea Downing, a moderator of a members-only Facebook group for women with a high genetic risk of developing breast cancer. The Facebook group's members frequently shared highly personal information about their conditions, including surgical details. Facebook groups have three accessibility categories: public, closed and secret. In public groups, the list of members and all posts of the group are publicly accessible. In closed groups, the posts are private, while secret groups cannot be searched. The BRCA Sisterhood group used the 'closed' rather than the 'secret' setting because its moderators wanted the group to be searchable. However, Downing was shocked to discover that the names, employers, locations and email addresses of the group's members could be downloaded easily by anyone using the Grouply.io extension. Trotter, a specialist in health data security, found that the Grouply.io extension was taking advantage of a Facebook privacy loophole. He was also able to obtain this information manually without having to use the extension. He reported the issue to Facebook on 29 May. Facebook denied the glitch was a loophole.
Arch Linux PDF reader package poisoned
Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. If you're an Arch Linux user who downloaded a PDF viewer named "acroread" in the short time it was compromised, you'll need to delete it. While the breach isn't regarded as serious, it sparked a debate about the security of untrusted software. The user repository included the acroread package, which had been abandoned by its maintainer. Someone using the handle “xeactor” adopted the package and modified it to download malicious scripts from a remote server. When that was discovered, maintainer Eli Schwartz reverted the commits, suspended xeactor's account, and discovered (and removed) two other packages with similar modifications. A later post in the Arch Linux mailing list suggested the “attack” was a warning of another issue. As Bennett Piater wrote: “A script that creates 'compromised.txt' in the root and all home folders looks like a warning to me.”
Hacker exploits FTP flaw in Netgear routers to steal US military documents
Insikt Group, part of security research firm Recorded Future, was surprised to find a seller claiming to have 'highly sensitive' information about the USA's MQ-9 Reaper military drone on sale for just $150. Military documents tend to be one of those 'rare and expensive' propositions, so the offer could have been written off as a hoax. However, Insikt Group analysts confirmed the documents' validity after establishing contact, as well as learning how they were obtained. The hacker told the analysts that s/he had exploited a known FTP vulnerability in Netgear routers. They used the Shodan search engine to scour the internet for high-profile vulnerable routers, of which there are still many, despite the flaw being exposed more than two years ago. The attacker gained access to the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at a base in Nevada. Ironically, this individual had recently completed the Cyber Awareness Challenge, but had still failed to change the FTP password from its default setting. Using the compromised router, the hacker was able to steal documents including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. Although these aren't classified, they could still give an adversary an advantage in combat against the drone.
Stolen certificates from D-Link used to sign password-stealing malware
Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday. The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple's macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded from websites were developed by trusted companies rather than by malicious actors masquerading as those trusted companies. Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response Team recently documented the Plead malware, and AV provider Trend Micro recently wrote about BlackTech. "The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," Eset researcher Anton Cherepanov wrote in Monday's post.
Timehop data breach is worse than they initially said
Time capsule app Timehop has revealed that it made a boo-boo when it initially shared details over the weekend of a data breach involving millions of users' names, email addresses, and phone numbers. An updated advisory from the firm reveals that the hackers, who initially struck last December but made off with the organisation's data on July 4th, also purloined users' dates of birth, gender, and country codes. The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately from one another and are not additive. The total number of breached records was approximately 21 million, says Timehop. No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency. I'm impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published. A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator's password. That account should have been protected with multi-factor authentication, but wasn't. The hacker was then able to create his or her own admin account, meaning that even if the original breached account's password was changed they still had access to Timehop's cloud services.
Proofpoint Cloud Account Defense detects compromised Microsoft Office 365 accounts
Proofpoint announced the availability of Proofpoint Cloud Account Defense (CAD) to detect and protect Microsoft Office 365 accounts, preventing attackers from causing financial and data loss. Cybercriminals have found a way to compromise corporate email systems, this time by using brute-force attacks to steal the Microsoft Office 365 login credentials of corporate users and then logging in to the system as an imposter. These techniques work even if the company has deployed single sign-on or multi-factor authentication (MFA) as part of its security system. Once the hacker has logged in masquerading as a real employee, they have a spectrum of choices while operating within a corporation's email instance to cause financial harm and data loss. The Proofpoint CAD solution helps organizations detect, investigate, and remediate Microsoft Office 365 compromises. CAD provides the user-centric visibility necessary to detect and investigate compromised accounts and thwart email account compromise (EAC) credential theft tactics, including credential reuse, brute-force attacks, and credential-stealing malware. EAC tactics, combined with business email compromise (BEC) social engineering, are hallmarks of groups like the 70+ cybercriminals arrested during the recent Operation Wire Wire federal effort, which recovered approximately $14 million in lost funds.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.