Thursday 14 September 2017

Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw

The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by exploiting a flaw in the Apache Struts framework that Apache had patched more than two months before the security incident, Equifax has confirmed.

Credit rating agency Equifax is yet another example of a company that fell victim to a massive cyber attack because it did not patch a critical vulnerability in time, even though the vendor had already issued a fix.

Rated critical with a maximum score of 10.0, the Apache Struts 2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts versions 2.3.32 and 2.5.10.1.

This flaw is separate from CVE-2017-9805, another Apache Struts 2 vulnerability patched earlier this month: a programming bug in the way the Struts REST plugin handles XML payloads while deserializing them, fixed in Struts version 2.5.13.

Right after the vulnerability was disclosed, hackers started actively exploiting it in the wild to install rogue applications on affected web servers, after proof-of-concept (PoC) exploit code was uploaded to a Chinese site.

Despite the patches being available and evidence that the flaw was already under mass attack, Equifax failed to patch its web applications against it, which resulted in the breach of personal data of nearly half of the US population.

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted," the company wrote in an update on its website titled "A Progress Update for Consumers."
"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

CVE-2017-5638 was a then-zero-day vulnerability in the popular Apache Struts web application framework, discovered by Cisco's threat intelligence group Talos, which observed a number of active attacks exploiting the flaw.

The issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts 2 that could allow an attacker to execute malicious commands on the server through file uploads handled by that parser.

At the time, Apache warned it was possible to perform a remote code execution attack with "a malicious Content-Type value," and if this value is not valid "an exception is thrown which is then used to display an error message to a user."

For those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, used on both front-end and back-end web servers. The framework is used by 65 per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

Since hackers are actively exploiting vulnerabilities in the Apache Struts web framework, Cisco has also started investigating its own products against four newly discovered security vulnerabilities in Apache Struts 2.

Other companies that incorporate a version of Apache Struts 2 should also check their infrastructure against these vulnerabilities.
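As an added illustration of two points above (the malicious Content-Type header behind CVE-2017-5638, and the advice to check infrastructure against the fixed releases), here is a small Python checker that is not from the article, Apache or Equifax: it flags Struts 2.3.x/2.5.x version strings older than the fixed releases named in the article, and scans constructed log lines for Content-Type values that carry OGNL expression syntax. The log line format, and the choice to flag every older release on those two lines (the article gives no lower bound), are assumptions.

```python
import re

# Fixed releases named in the article for CVE-2017-5638, keyed by Struts line.
FIXED_CVE_2017_5638 = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# OGNL expression markers. The bug was triggered through a malicious
# Content-Type value that the Jakarta Multipart parser rejected and then
# echoed into an error message, so expression syntax in that header is
# worth alerting on. (Marker list is an assumption for this demo.)
OGNL_MARKERS = ("%{", "${")


def parse_version(text):
    """Turn a Struts version string such as '2.5.10.1' into a comparable tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError("not a dotted version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def needs_cve_2017_5638_patch(version):
    """True when a 2.3.x or 2.5.x release predates the fixed release for its line.

    Returns None for other lines: the article gives no data for them.
    Assumption: every older release on the 2.3 and 2.5 lines is flagged,
    since the article states only the fixed versions, not a lower bound.
    """
    parsed = parse_version(version)
    fixed = FIXED_CVE_2017_5638.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed  # tuple comparison: (2, 5, 10) < (2, 5, 10, 1)


def suspicious_content_type(value):
    """True when a Content-Type header value contains OGNL expression syntax."""
    return any(marker in value for marker in OGNL_MARKERS)


def scan_header_log(lines):
    """Return (line_no, content_type) for each log line whose Content-Type
    looks like an OGNL expression.

    Assumed log format: '<client> "<method> <path>" content_type="<value>"'.
    """
    pattern = re.compile(r'content_type="([^"]*)"')
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = pattern.search(line)
        if match and suspicious_content_type(match.group(1)):
            hits.append((line_no, match.group(1)))
    return hits


# Constructed sample lines (not from any real system; the second carries a
# placeholder expression marker, not a working payload).
SAMPLE_LOG = [
    '203.0.113.5 "POST /upload.action" content_type="multipart/form-data; boundary=abc"',
    '203.0.113.9 "POST /upload.action" content_type="%{#placeholder}"',
    '198.51.100.2 "GET /index.action" content_type="text/html"',
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.5.13"):
        print("Struts %-9s needs CVE-2017-5638 patch: %s" % (ver, needs_cve_2017_5638_patch(ver)))
    for line_no, ctype in scan_header_log(SAMPLE_LOG):
        print("line %d: suspicious Content-Type %r" % (line_no, ctype))
```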

Equifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information.

While the company was initially criticised for generating a PIN that was simply a date and time stamp and therefore easy to guess, the PIN generation method was later changed to produce random numbers.


Microsoft has been gradually changing its privacy settings in Windows 10 with the Fall Creators Update to give its users more controls over their data.

In April, Microsoft addressed some initial privacy concerns in the Windows 10 Creators Update with simplified data collection levels—Security, Basic, Enhanced, and Full—and eventually revealed its data collection practices.

Now, the software giant is making another privacy-related change with the upcoming Windows 10 Fall Creators Update, which is due for release in October 2017, giving you much more control over what apps can do with your device.

Just like apps on your smartphone's app store, apps on Windows Store also require permission to access your computer's critical functionalities like camera, microphone, calendar, contacts, and music, pictures and video libraries.

While Android and iOS let you limit an app's access to these sensitive resources, Windows has so far granted these permissions to all apps implicitly, except for access to location data, which requires explicit user permission.

But that's going to be changed.

For each new app installed on the Windows 10 Fall Creators Update, the operating system will prompt users for access to their device's camera, microphone, contacts, calendar, images and other information, requiring an explicit opt-in for each app.
"Starting with the Fall Creators Update, we’re extending this experience to other device capabilities for apps you install through the Windows Store," Microsoft wrote in a post detailing the privacy improvements.
"You will be prompted to provide permission before an app can access key device capabilities or information such as your camera, microphone, contacts, and calendar, among others. This way you can choose which apps can access information from specific features on your device."

However, when users install the Fall Creators Update, existing applications on their device will retain their permissions; only new apps installed from the official Windows Store will require their access to be enabled explicitly.

To review and manage your existing app permissions, go to Start → Settings → Privacy. To learn more about Windows app permissions, see this link.

Microsoft is set to test these privacy changes with Windows Insiders shortly. The Windows 10 Fall Creators Update will be released on October 17th.

Sony PlayStation Social Media Accounts Hacked; Claims PSN Database Breach

After hacking the social media accounts of HBO and its widely watched show Game of Thrones, a notorious group of hackers calling itself OurMine took control of the official Twitter and Facebook accounts of Sony's PlayStation Network (PSN) on Sunday.

After taking over the accounts, OurMine, a Saudi Arabian hacking group that claims to be a "white hat" security firm, posted its first tweet on Sunday evening, claiming to have breached the PlayStation Network and stolen its database.

That tweet was followed by a series of tweets encouraging the company to contact the group through its website and buy its IT security service to protect itself from future cyber attacks.

"PlayStation Network Databases leaked #OurMine," the first tweet by OurMine on the compromised PlayStation Twitter account read.
"No, we aren't going to share it, we are a security group if you work at PlayStation then please go to our website," the following tweet read.

The hacking group also posted similar content on the PlayStation Network's official Facebook page that has more than 37 million followers.

Both the tweets and the Facebook posts made by the group were deleted shortly afterwards.

At the time of writing, it is unclear whether OurMine has access to PSN's database or whether its tweets and Facebook posts were merely intended to spread fear among the company and its customers.

However, the company suffered a massive data breach in 2011, when the PlayStation hack exposed the personal details of the entire PSN user base (over 77 million at the time), including users' names, dates of birth, email addresses, and credit card details.

The hacking incident was the largest identity theft on record and forced Sony to shut down its entire system for almost a month. Anonymous took responsibility for the data breach.

OurMine is the same hacking group that previously compromised the social media accounts of CEOs of major companies, including Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey, and Google CEO Sundar Pichai.

In most cases, OurMine gains access to social media accounts by using credentials exposed in previous, publicly known data breaches.

However, the group never seems to go beyond demonstrating its ability to take over an account, without doing significant damage to the account or the information it protects.

OurMine markets itself as a security firm that offers companies security against cyber attacks, charging up to $5,000 for a "scan" of their social media accounts, site security holes, and other security vulnerabilities.

Smart Devices Can Be Hijacked to Track Your Body Movements And Activities Remotely

If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behaviour could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly.

One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity.

Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall.

The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistants and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio source.

Here's how the CovertBand attack works:

The attack involves remotely hijacking smart devices to play music embedded with repeating pulses that track a person's position, body movements, and activities, both near the device and through walls.

To do so, the attackers would first trick victims into installing a third-party Android app on their smart device; the app does not require the device to be rooted.

Once installed, the malicious app secretly uses the AudioTrack API to play acoustic signals at 18-20 kHz that act as a sonar; to mask this high-frequency sound, the app covers CovertBand's pulses by playing songs or other audio clips over them.

These sound waves bounce off people and objects, and the reflections are picked up by a microphone.

The app then uses the AudioRecord API to record the signals simultaneously on two microphones to achieve 2D tracking. The recorded data is then sent to the attacker's laptop over Bluetooth for offline processing.

Since the attack requires access only to a speaker and a microphone, an attacker could leverage many of the smart devices that already exist in the victim's home to spy on unsuspecting targets.

"A remote adversary who compromises one of these [smart] devices, perhaps via a Trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack," said the researchers. 
"For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played."
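The attack above hides 18-20 kHz pulses under ordinary music. The following Python snippet is an added defender-side example, not code from the CovertBand researchers or the article: it measures how much power an audio clip carries in the 18-20 kHz band relative to the audible band, using the Goertzel algorithm so it needs no third-party libraries, and flags clips where masked near-ultrasound pulses are present. The sample rate, the audible reference band, the alert threshold and the synthetic test clips are assumptions constructed for this demo.

```python
import math

SAMPLE_RATE = 44100            # Hz; a common phone audio rate (assumption)
COVERT_BAND = (18000, 20000)   # Hz; the pulse range named in the article
AUDIBLE_BAND = (200, 2000)     # Hz; where the masking music mostly lives (assumption)


def goertzel_power(samples, k):
    """|X[k]|^2 of the DFT of `samples` for one bin k, via the Goertzel recurrence."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_power(samples, lo_hz, hi_hz, rate=SAMPLE_RATE):
    """Summed bin power between lo_hz and hi_hz (edge bins included)."""
    n = len(samples)
    k_lo = math.floor(lo_hz * n / rate)
    k_hi = math.ceil(hi_hz * n / rate)
    return sum(goertzel_power(samples, k) for k in range(k_lo, k_hi + 1))


def near_ultrasound_ratio(samples, rate=SAMPLE_RATE):
    """Power in 18-20 kHz relative to power in the audible 200-2000 Hz band."""
    hi_p = band_power(samples, *COVERT_BAND, rate=rate)
    lo_p = band_power(samples, *AUDIBLE_BAND, rate=rate)
    return hi_p / lo_p if lo_p > 0 else float("inf")


def flags_covert_pulses(samples, threshold=0.02, rate=SAMPLE_RATE):
    """True when the near-ultrasound band carries more than `threshold` of the
    audible-band power. The threshold is an assumption chosen for this demo;
    a real monitor would calibrate it against clean recordings."""
    return near_ultrasound_ratio(samples, rate) > threshold


def synth(n_samples, tones, rate=SAMPLE_RATE):
    """Constructed test audio: a sum of (freq_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n_samples)]


# 2205 samples = 50 ms at 44.1 kHz, i.e. a 20 Hz bin width, so every tone
# below sits exactly on a DFT bin and the power sums are easy to reason about.
MUSIC_ONLY = synth(2205, [(440, 0.8), (880, 0.4)])
MUSIC_WITH_PULSE = synth(2205, [(440, 0.8), (880, 0.4), (19000, 0.2)])

if __name__ == "__main__":
    for name, clip in (("music only", MUSIC_ONLY), ("music + 19 kHz pulse", MUSIC_WITH_PULSE)):
        print("%-22s ratio=%.4f flagged=%s"
              % (name, near_ultrasound_ratio(clip), flags_covert_pulses(clip)))
```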


Video Demonstration of CovertBand Attack

The researchers demonstrated how the CovertBand attack could potentially enable an attacker to differentiate between different types of movement, even when people are in different body positions and orientations.

The researchers' experiment specifically focuses on two classes of motion:

- Linear motion — when the subject walks in a straight line.
- Periodic motion — when the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise.

According to the research paper [PDF], these motions can be differentiated by looking at the spectrograms, and they are sufficient to potentially enable privacy leakage.

"For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and (2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target's culture and cultural norms or might vary depending on the target's public visibility, e.g., celebrity status or political status," the research paper reads.

How an Intelligence Agency Could Use CovertBand

Among the scenarios they describe, the researchers explain how spy agencies could use such tools to leak information about a target's obscured activities, even in the presence of background or cover noise.

Imagine a spy "Alice" entering a foreign country and renting a hotel room adjacent to an individual "Bob," whom she intends to discreetly and covertly surveil.

Since Alice cannot enter the country with dedicated surveillance hardware, she would simply use the CovertBand attack to perform 2D tracking of subjects even through walls, "something she could run on her phone and that would avoid arousing Bob's suspicion."

To demonstrate this, the researchers showed a scenario where Bob pretended to go through a routine in the bathroom while Alice used CovertBand to track his movements.

They were able to determine that Bob walked around inside the bathroom and likely spent less than 20 seconds sitting on the toilet and brushing his teeth.

"We placed the speaker setup 15 cm outside the bathroom door and performed four trials during which Bob spent less than 20 seconds doing each of the following: showering, drying off on the scale, sitting on the toilet, and brushing his teeth. During the experiment, the bathroom fan was ON, and we could not hear Bob performing any of the activities inside the bathroom," the research paper reads.

The researchers believe their attack could be refined to enable the sensing of more subtle motions like the movement of hands, arms, or even fingers to gain both resolution and accuracy even in the absence of a direct path.

Protecting yourself from such attacks involves defences that are impractical for most people: playing your own 18-20 kHz signals to jam CovertBand, which could discomfort your pets and children, or soundproofing your home and going without windows.

Infographic: New Pulse of India study shows overriding optimism for the future of India

59% of Indians say their country is heading in the right direction

In the run up to their nation's Independence Day, the citizens of India have revealed overriding optimism for the future of their country. According to fresh YouGov research, 59% of residents claim India is heading in the right direction, while 67% believe it will be more respected by 2020.

The confidence is highlighted by the inaugural Pulse of India study, which will interview over 1,000 residents of India every month to gauge changes in citizens' perception of their country's morale, leadership, quality of life and their biggest concerns.

The results also reveal undeniable support for the current Prime Minister Narendra Modi, with 79% of the Indian public in favour of his leadership. In fact, YouGov's insight shows him to be one of the most popular Indian leaders in recent times by some margin. When asked who they think should be the next Indian Prime Minister, respondents chose Narendra Modi as the most popular with a favourability rating of 69%, compared to Arun Jaitley, the second most favoured leader with a score of 28%, and Rajnath Singh in third with a rating of 22%.

Interestingly, respondents place candidates from the current ruling Bharatiya Janata Party at the top of their most favoured leader list, while opposition candidates score relatively lower: Sonia Gandhi and Rahul Gandhi have scores of 14% and 11% respectively.

When it comes to quality of life, the findings indicate Indians are most fulfilled by their quality of entertainment and staying connected, while healthcare and entrepreneurship need to be improved in the country. 57% of residents claim they are equally satisfied with both their internet/bandwidth and their entertainment options, whilst 54% are satisfied with their telephone connectivity.

However, there are mixed feelings over India's ability to provide satisfactory healthcare, education and career opportunities. Just over a third (39%) are satisfied with the service provided by doctors, while 34% equally claim they are satisfied with both the country's primary education and job opportunities.

Indians are most disgruntled about their country's ability to support entrepreneurship and the quality of the roads and transport. Just 6% are satisfied with the opportunities available to start up a new business in India, while 5% believe the transport and roads to be satisfactory.

Critically, the study also highlights that Indians are very concerned for the safety of their nation's women: 63% of respondents said as much. Top of the list of the country's biggest fears, however, is its border issues with Pakistan and China: 72% of respondents claim their biggest concern is the unrest in Kashmir and the current border issues with Pakistan, while 66% fear the country's current border issues with China.

Commenting on the findings, Alok Jha, Managing Director of YouGov India, said, "The Pulse of India is designed to track the morale of India's citizens and understand critical changes in residents' perception of their country. Our latest findings indicate a feeling of optimism about the current and future direction of India among its citizens, not least attributed to the leadership of Prime Minister Modi, who enjoys popularity ahead of his rivals within and outside the BJP. The study does reveal there is much to be done to improve the basic infrastructure, healthcare, education and career opportunities the country has to offer, not to mention addressing the border conflicts with Pakistan and China. Despite these concerns however, the air of optimism leading up to 2020 bodes well for the Indian government and brand Modi."

Over 500 Android Apps On Google Play Store Found Spying On 100 Million Users

Over 500 different Android apps that have been downloaded more than 100 million times from the official Google Play Store have been found to be infected with a malicious ad library that secretly distributes spyware to users and can perform dangerous operations.

Since 90 per cent of Android apps are free to download from the Google Play Store, advertising is a key revenue source for app developers. For this, they integrate an Android advertising SDK library into their apps, which usually does not affect an app's core functionality.

But security researchers at mobile security firm Lookout have discovered a software development kit (SDK), dubbed Igexin, that has been found delivering spyware on Android devices.

Developed by a Chinese company to offer targeted advertising services to app developers, the rogue 'Igexin' advertising software was spotted in more than 500 apps on Google's official marketplace, most of which included:

- Games targeted at teens with as many as 100 million downloads
- Weather apps with as many as 5 million downloads
- Photo editor apps with 5 million downloads
- Internet radio apps with 1 million downloads
- Other apps targeted at education, health and fitness, travel, and emoji

Chinese Advertising Firm Spying On Android Users

The Igexin SDK was designed for app developers to serve targeted advertisements to their users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads.

But besides collecting user data, the Lookout researchers said they found the SDK behaving maliciously after they spotted several Igexin-integrated apps communicating with malicious IP addresses that deliver malware to devices, unbeknownst to the creators of the apps using it.


"We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK," the researchers explain in a blog post.
"This sort of traffic is often the result of malware that downloads and executes code after an initially 'clean' app is installed, in order to evade detection."

Once the malware is delivered to an infected device, the SDK can gather logs of users' information from the device, and can also remotely install other plugins on the device, which could record call logs or reveal information about users' activities.

How to Protect Your Android From This Malware

Google has since removed all the Android apps using the rogue SDK from its Play Store marketplace, but if you have already installed one such app on your handset, make sure your device has Google Play Protect enabled.

Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users' Android smartphones to prevent further harm.

In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Android malware continues to evolve with more sophisticated and never-seen-before capabilities every day. Last month, we saw the first Android malware with code-injecting capabilities making the rounds on the Google Play Store.

A few days after that, researchers discovered another malicious Android advertising SDK, dubbed "Xavier," installed in more than 800 different apps that had been downloaded millions of times from the Google Play Store.