Cyber Security Training from QA

Cyber Pulse: Edition 52

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


8 February 2019

Flaws In SS7 Exploited To Empty Bank Accounts Of The Metro Bank

Metro Bank in the UK has fallen victim to a malicious Signaling System 7 (SS7) attack. Flaws in SS7 were previously exploited by hackers to intercept text messages and track phones across the globe. However, cybercriminals have now taken this attack to a new level by emptying victims' bank accounts. According to Motherboard, the National Cyber Security Centre (NCSC) said that it is aware of the latest targets of the cybercriminals. The NCSC confirmed that the hackers are exploiting SS7 to intercept codes used for banking. SS7 is a protocol used by telecom companies to coordinate how they route texts and calls around the world. Meanwhile, Metro Bank has acknowledged that it has faced an SS7 attack. The firm has notified law enforcement agencies about the attack. It believes that a small number of its customers may have been impacted. Metro Bank has enhanced its security protections to prevent such attacks. In addition, it has advised customers to review their bank accounts for any suspicious activity.

The UK Grills Google for Potential Data Privacy Violations

After France and Sweden took action against Google over its data privacy violation, the UK’s data regulatory body, the Information Commissioner’s Office (ICO), is now investigating the tech giant for another violation regarding GDPR adherence. Earlier, Google was fined $57 million by France, followed by Sweden asking it to furnish more information regarding its privacy policy on location data. The ICO is now cooperating with other regulatory bodies in Europe to look deeper into the search engine’s data privacy policies. “This is mainly due to people becoming more informed about their rights and exercising them, which has generated greater engagement as organizations turn to us for advice. Google is an organization that offers products and services to a large number of individuals both in the UK and worldwide. We have received complaints regarding Google which are being reviewed,” said a spokesperson for ICO. Google’s privacy troubles under GDPR continue despite the company’s emphasis on the guidelines associated with GDPR. The UK investigation comes ahead of fourth-quarter financial results for Google's parent company Alphabet.

E-ticketing Flaw Allows Hackers to Print Boarding Passes

E-ticket systems used by 8 major airlines, including Southwest, suffer from lax security that could expose personally identifiable information and result in tampering. Researchers at Wandera published a report highlighting a vulnerability found in check-in emails delivered to passengers. The issue comes from the use of unencrypted check-in links sent to passengers via email. When a person clicks on the link, they are directed to a site to check in for their flight, make changes or print their boarding pass. Because the links are unencrypted, Wandera warns that a malicious actor connected to the same Wi-Fi network could intercept the link request and gain access to the person's check-in page. Once a hacker has access to the page, they could view a significant amount of personal information, from names and addresses to passport and ID numbers. They could also access specific details about the flight, including booking references, flight times and numbers, and seat assignments.

macOS Zero-Day Vulnerability Found in Keychain

A German security researcher published a video describing a new zero-day vulnerability that impacts Apple’s macOS. The researcher, Linus Henze, noted that the vulnerability could allow a malicious application running on a macOS system to gain access to passwords stored in the Keychain password management system. Henze explained that the vulnerability is present in the Keychain password management system’s access control and could allow the malicious app to retrieve passwords from the user’s Keychain file without needing admin privileges or the keychain master password. Henze disclosed that this vulnerability impacts all macOS versions up to the latest, 10.14.3 Mojave, and stated that Apple’s lack of a bug bounty program for macOS is the primary reason for the exploit. It is to be noted that Apple runs bug bounty programs for all its products except macOS.

Multiple RDP Vulnerabilities Allow Hackers To Gain System Control

Security researchers have discovered multiple vulnerabilities in the Remote Desktop Protocol (RDP) that can result in a so-called ‘reverse RDP attack’. These vulnerabilities can allow bad actors to take control of computers. Researchers at CheckPoint discovered a total of 25 security issues in RDP. Of these, 16 issues have been found in the open source FreeRDP RDP client and its fork rdesktop, as well as in Microsoft’s own RDP client implementation. Once attackers gain a foothold on the RDP client by using one of the discovered vulnerabilities, they can expand the scope of the attack to the machine’s entire local network. Eleven vulnerabilities with a major security impact were discovered in the 1.83 version of the rdesktop RDP client, while FreeRDP 2.0.0-rc3 contains five vulnerabilities of major security impact. The researchers were also able to find a vulnerability in the Mstsc client. To address these issues, users have been advised to disable the shared RDP clipboard feature in their clients until a security patch is released. In addition, RDP clients should always be kept up to date to protect computers from being exploited through such vulnerabilities.

Dating App Exposes Private Photos Due to Authentication Flaw

Dating app Jack’d has been found to contain an authentication flaw which allows attackers to download private photos of its users. It appears that anyone can look up and download photos from a web browser without logging in or registering on the site. This can allow attackers to amass entire image databases and use them for extortion or other malicious purposes. Even after The Register informed the app developers of this issue three months ago, there has been no update regarding a security patch. The flaw was first discovered by security researcher Oliver Hough. He came across a programming error in the application that led to this vulnerability. Images that should only be viewable by Jack’d users can, because of the bug, be viewed by anyone without a login. Further technical details of the vulnerability have not been disclosed as of now to prevent any exploitation. Jack’d’s parent company, Online Buddies, has also shied away from responding to this issue, which could potentially lead to breach incidents.

New GandCrab v5.1 Ransomware Comes With New Exploit Kit

It was only a few months back that free decryption tools were made available for GandCrab versions 5.0 to 5.0.3. And, while these tools are yet to be made public, a new version of GandCrab has appeared. The developers of GandCrab released the new version, GandCrab v5.1, within 24 hours of the release of the decryption tools. According to an extensive report from Coveware, the latest version of the ransomware comes with a variety of distribution changes and UX updates to the GandCrab TOR sites. The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes. This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from their customers, along with their chats with GandCrab support. The discount code can be requested over chat. However, it can only be activated on the systems of targeted users.

Zcash Team Fixes Vulnerability That Allowed Counterfeiting

Zcash, a popular cryptocurrency like Bitcoin and Ethereum, had a critical flaw which could have jeopardized its usability on a large scale. The vulnerability lay in the zk-SNARK parameters, which come from the key generation method used in Zcash. It allowed attackers to create counterfeit Zcash in large numbers. Ariel Gabizon, the cryptographer who uncovered this flaw, saw that the zk-SNARK had additional logical elements that led to a soundness bug. He found that the zero-knowledge proofs used in Zcash could be faked, through the creation of false proofs, because of the soundness bug. Thus, an attacker could create an unlimited amount of shielded coins wherever the verifier is affected by the bug. Zcash Company, the creators of Zcash, revealed in a blog post that the vulnerability was patched completely. The company mentions that attackers needed to have specific information from Zcash’s MPC protocol transcript to exploit the flaw. Apparently, this transcript was removed as soon as the flaw was discovered, but it was reconstructed once Zcash Company remedied the issue.

Mumsnet reports itself to regulator over data breach

Mumsnet has reported itself to the information commissioner after a data breach resulted in users accidentally logging into the accounts of strangers. A botched upgrade to the software the forum runs on meant that for three days, if two users tried to log in at the same time, there was the possibility that their accounts would be switched. Each user was able to post as the other, see their account details, and read private messages. The company doesn’t know how many user accounts were affected, but says that over the three days the bug was live, from Tuesday afternoon to Thursday morning, about 4,000 users logged in. Of those, only 14 users have reported an issue. Mumsnet founder Justine Roberts apologised to users in a post, saying: “You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will of course be reporting this incident to the information commissioner.”

 

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure and large corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.