Week of July 27, 2018


Bluetooth Vulnerability Puts Millions of Devices at Risk: Here’s What You Should Do*:

  • A new vulnerability found in commonly available Bluetooth allows a cyber criminal to intercept and monitor the data exchanged from a device in proximity, and it puts millions of devices at risk.
  • The loophole affects devices from Broadcom, Qualcomm, Intel, and Apple among others.
  • The researchers identified that the Bluetooth specification recommends, but does not require, that a device supporting the Secure Simple Pairing or LE Secure Connections features validate the public key received over the air when pairing with a new device.
  • It is possible that some vendors may have developed Bluetooth products that support those features but do not perform public key validation during the pairing procedure. In such cases, connections between those devices could be vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic.
  • For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.
  • The attack works because two devices must pair before they can communicate: during pairing they exchange and agree on certain parameters (the public keys sent over the air) and derive their link keys from them, and vulnerable devices do not validate those parameters properly or sufficiently when the connection is made.
  • According to the CERT list, devices from Apple, Intel and Qualcomm have been affected by the Bluetooth vulnerability.
  • It is worth noting that Apple and Intel have already released firmware and software updates to fix the vulnerability.
  • It is not known whether Google, Android Open Source Project (AOSP) and Linux have also been affected. Microsoft isn’t part of the list.
  • If you’re using a Qualcomm or Apple device, you should immediately install the latest firmware or software update.
  • As Bluetooth is a globally used framework, it’s a very attractive target for hackers and its scale and spread enhances its vulnerability.
  • From an affected end user’s security viewpoint, there is not much one can do except to make sure they are on the latest software update from their manufacturer or alternatively turn off Bluetooth if their device is susceptible and has not received an update.
  • By doing this, users can avoid unwanted pairing or connections; also, when Bluetooth is left on, the device broadcasts Bluetooth packets that contain its hardware details, which makes it easier to track the victim.

*Source: Hindustan Times, July 27, 2018
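The weakness described above is that a device derives its keys from a peer's public key without first checking it. The following is an added example, not code from the article or from any Bluetooth vendor, of the validation a pairing implementation should perform on a received ECDH public key before using it: coordinates in range, point on the curve, and point in the prime-order subgroup. The curve parameters are the published NIST P-192 (used by Secure Simple Pairing) and P-256 (used by LE Secure Connections) values; the function names, the private keys and the "received" points are constructed for the illustration.

```python
# Added example: validating a received ECDH public key before key agreement.
# Curve constants are the published NIST P-192 / P-256 parameters; all
# function names, private keys and sample points below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity


@dataclass(frozen=True)
class Curve:
    name: str
    p: int   # field prime
    a: int   # coefficient a (p - 3 for the NIST prime curves)
    b: int   # coefficient b
    gx: int  # generator x
    gy: int  # generator y
    n: int   # prime order of the generator (cofactor is 1 for both curves)


P192 = Curve(
    "P-192",
    p=0xfffffffffffffffffffffffffffffffeffffffffffffffff,
    a=0xfffffffffffffffffffffffffffffffefffffffffffffffc,
    b=0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1,
    gx=0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
    gy=0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811,
    n=0xffffffffffffffffffffffff99def836146bc9b1b4d22831,
)
P256 = Curve(
    "P-256",
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
)


def validate_public_key(curve: Curve, x: int, y: int) -> Tuple[bool, str]:
    """Full public-key validation as in SEC 1 / NIST SP 800-56A.

    An affine (x, y) pair can never encode the point at infinity, so the
    range check rules it out.  Because P-192 and P-256 have cofactor 1,
    every point on the curve already lies in the prime-order subgroup and
    the scalar-multiplication subgroup check is unnecessary.
    """
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False, "coordinate out of range"
    lhs = (y * y) % curve.p
    rhs = (x * x * x + curve.a * x + curve.b) % curve.p
    if lhs != rhs:
        return False, "point not on curve"
    return True, "ok"


def _add(c: Curve, P: Point, Q: Point) -> Point:
    """Affine point addition / doubling over the prime field."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow((2 * y1) % c.p, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def _mul(c: Curve, k: int, P: Point) -> Point:
    """Double-and-add scalar multiplication (clarity over side-channel care)."""
    R: Point = None
    while k:
        if k & 1:
            R = _add(c, R, P)
        P = _add(c, P, P)
        k >>= 1
    return R


def public_key(curve: Curve, priv: int) -> Tuple[int, int]:
    pub = _mul(curve, priv, (curve.gx, curve.gy))
    assert pub is not None
    return pub


def derive_shared_secret(curve: Curve, priv: int, peer_x: int, peer_y: int) -> int:
    """The pairing step a vendor must not skip: validate the peer's public
    key first, then return the x coordinate of priv * peer as the DH key."""
    ok, reason = validate_public_key(curve, peer_x, peer_y)
    if not ok:
        raise ValueError(f"rejecting peer public key: {reason}")
    shared = _mul(curve, priv, (peer_x, peer_y))
    assert shared is not None
    return shared[0]


if __name__ == "__main__":
    a, b = 0x1234567890abcdef1234567890abcdef, 0xfedcba0987654321fedcba0987654321  # constructed
    pa, pb = public_key(P256, a), public_key(P256, b)
    print("shared secrets match:", derive_shared_secret(P256, a, *pb) == derive_shared_secret(P256, b, *pa))
    print("off-curve point:", validate_public_key(P256, P256.gx, P256.gy + 1))
```

A device that calls `derive_shared_secret` gets the validation for free; the failure mode described in the article corresponds to skipping `validate_public_key` and multiplying by whatever point arrived over the air.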


New Spectre Attack Enables Secrets to be Leaked Over a Network*:

  • When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system.
  • This made browsers vulnerable, as suitably crafted JavaScript could be used to perform Spectre attacks.
  • Cloud hosts were susceptible, too. But outside these situations, the impact seemed relatively limited.
  • The impact is now a little larger – researchers have described NetSpectre, a fully remote attack based on Spectre.
  • With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.
  • All the variants of the Spectre attacks follow a common set of principles.
  • Each processor has an architectural behaviour (the documented behaviour that describes how the instructions work and that programmers depend on to write their programs) and a microarchitectural behaviour (the way an actual implementation of the architecture behaves).
  • Speculative execution leaves disturbances in that microarchitectural state (for example, in what the cache holds). These disturbances can be detected and measured by timing how long it takes to access data that should (or shouldn't) be in the cache, allowing a malicious program to make inferences about the values stored in memory.
  • These information paths are known collectively as side channels.
  • NetSpectre builds on these principles; it just has to work a lot harder to exploit them.
  • For the networked attack, rather than measuring cache performance, the attack measures the time taken to respond to network requests.
  • The disturbance to the microarchitectural state is such that it can cause a measurably different response time to the request.
  • Two different remote measurements were developed.
  • The first is a variation on the cache timing approach already demonstrated with Spectre.
  • The attacker makes the remote system perform a large data transfer (in this case, a file download), which fills the processor's cache with useless data.
  • The attacker then calls the leak gadget, which will speculatively load (or not load) some value into the processor's cache, followed by the transmit gadget.
  • If the speculative execution loaded the value then the transmit gadget will be fast; if it didn't, it'll be slow.
  • The second measurement is novel and doesn't use the cache at all.
  • Instead, it relies on the behaviour of the AVX2 vector instruction set on Intel processors.
  • The units that process AVX2 instructions are large and power hungry, so the processor powers them down when they sit idle; whether they are already awake makes a measurable difference to how long an AVX2 instruction takes.
  • NetSpectre does, however, make the label "sensitive code" rather broader than it was before; there are now many more pathways and system components that might potentially be used to leak information.
  • The slow transfer rates mean that the utility of NetSpectre is limited, but this underscores how the initial Spectre research was a launching point for a wide range of related attacks.

*Source: ArsTechnica, July 26, 2018


Study Warns of Rising Hacker Threats to SAP, Oracle Business Software*:

  • At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software.
  • The Department of Homeland Security issued an alert that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.
  • The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.
  • In an alert entitled “Malicious cyber activity targeting ERP applications”, Homeland Security’s National Cybersecurity and Communications Integration Center highlighted signs of increasing hacker focus on ERP applications.
  • Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalizing on these issues.
  • These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected. The urgency level among chief security officers and CEOs should be far higher.
  • Both companies release regular patches to known security bugs in their software. However, customers are often reluctant to make fixes out of fear doing so might disrupt their manufacturing, sales or finance activities.
  • The new alert follows a 2016 Homeland Security department warning to some SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies.
  • In their latest research, two firms identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies, and universities.
  • Digital Shadows combed through Google searches, social media chatter and the dark web where they found discussions in Chinese and Russian hacker forums regarding how to use specific SAP and Oracle vulnerabilities.
  • They also discovered some hackers were eavesdropping on discussion boards where third-party technology contractors share work tips, including default passwords that hackers can use to access some systems.

*Source: Reuters, July 25, 2018


Gmail Users Warned of Cyber Threat*:

  • Gmail users have been alerted about a new Google Mail feature which could be leveraged by online crooks to carry out a wave of scams.
  • The company, in April, unveiled its brand new design which introduced a clean new user interface and a swathe of new features including the ability to snooze a message, auto-generate smart replies and self-destruct emails in the brand new "Confidential Mode".
  • It's the Confidential Mode which is at the center of security fears.
  • Central to these fears is the new "Confidential Email" feature, which can require users to click a link to access these messages.
  • If you're a Gmail user using the official Google Mail website, the confidential email simply appears when you click to open it.
  • It shows a date for when the content will expire and informs the users that the email can't be forwarded or downloaded.
  • However, it’s different if you're a Gmail user viewing the message as a third-party client or a non-Gmail user who receives a confidential email.
  • In those cases, instead of the message appearing in their browser, users must click a button to view the email. And this is where the security fears lie.
  • With the Gmail redesign, scammers could send out fake versions of confidential email alerts and trick a user into entering sensitive details.
  • The tech giant is committed to protecting the security of users' personal information and has created "machine learning" algorithms to detect the phishing scams that cyber criminals carry out.
  • Phishing scams are where cyber criminals try to trick victims into clicking on seemingly trustworthy links in order to steal sensitive personal information.

*Source: The Quint, July 23, 2018


Facebook Suspends another Data-Analytics Firm for Potential Policy Violations*:

  • Facebook, still dealing with fallout from the scandal over user data improperly obtained by consulting firm Cambridge Analytica, has suspended another data-analytics firm over possible policy violations.
  • It has temporarily suspended the firm, Crimson Hexagon, while it looks into whether it violated data-sharing policies.
  • Facebook said that based on its investigation so far, Crimson Hexagon did not obtain any Facebook or Instagram information inappropriately.
  • Facebook said the analytics company is cooperating with the probe.
  • In a blog post Friday, Crimson Hexagon said the company's governmental customers are allowed to use its platform only for specific approved use cases and that "under no circumstances is surveillance a permitted use case."
  • “Government entities that leverage the Crimson Hexagon platform do so for the same reasons as many of our other non-government customers: a broad-based and aggregate understanding of the public's perception, preferences and sentiment about matters of concern to them,” the CTO of Crimson Hexagon wrote.
  • Crimson Hexagon collects only publicly available social-media data that anyone can access, not private data.
  • The Facebook data accessed by Cambridge Analytica was private.
  • What Cambridge Analytica did was explicitly illegal, while the collection of public data is completely legal and sanctioned by the data providers that Crimson engages with, including Twitter and Facebook, among others.
  • The company boasts that it has the world's largest volume of unstructured text and images across social, online public, and enterprise-held data sources.
  • Per Facebook's policies, users can opt to share their information with developers on Facebook and Instagram.
  • In addition, the social-media company offers application programming interfaces to let developers use public or aggregated information for business purposes.
  • In the wake of the Cambridge Analytica flap, Facebook said it suspended 200 third-party apps that had access to large amounts of user info pending review of whether they misused that data.
  • Facebook claims it changed its policies in 2014 to prevent apps from accessing info on users' friends in the way that led to the harvesting of data that wound up on Cambridge Analytica's servers.

*Source: NBC News, July 21, 2018


DNS Rebinding Vulnerabilities Expose 496M Enterprise Devices to Risk*:

  • A decade-old attack vector is still a real risk for enterprises, potentially enabling hackers to gain access to private internal networks.
  • An Internet of Things (IoT) security vendor estimated that approximately 496 million devices used by enterprises are at risk from DNS rebinding attacks.
  • They looked at enterprise devices to see if they were at risk from the decade-old attack vector that gives attackers access to a local network through a manipulation of how DNS (Domain Name Service) works.
  • Enterprises might have assumed that most of these devices could get away with a very weak HTTP server, because presumably they sit on an internal network behind a bunch of firewalls that protect them.
  • DNS rebinding gives an attacker the ability to sidestep the firewall and use one of the machines on the internal network as a proxy into other internal devices.
  • With DNS rebinding, a hostname the attacker controls is first resolved to a public address and then re-resolved to a local private IP address, so that a victim machine which trusts the hostname ends up talking to assets and resources that the organization has not made publicly accessible.
  • Basically, what would happen is an attacker sets up a malicious DNS server and tricks a victim into reaching out to it, via phishing or another attack.
  • An attacker could use a victim's web browser as a proxy to connect to other devices within a network.
  • By enabling access to devices that are not intended to be accessible to the public internet, an attacker can discover other potentially vulnerable assets that can be compromised.
  • There are multiple things organizations can do to limit the risk of DNS rebinding attacks.
  • In general, manufacturers of devices should be putting very high security on any accessible server; the fact that these devices were meant to sit on an internal network is no excuse.
  • Organizations should make sure that all devices are fully patched, even if they are only on the internal network.
  • There might be a perception in some organizations that because the devices are not publicly accessible they don't need to be patched.
  • Using a DNS security proxy or third-party DNS service is also an option to help protect against DNS rebinding attacks, though that option isn't always practical for enterprises.

*Source: E Week, July 21, 2018
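Two of the mitigations listed above can be shown concretely: a device-side HTTP server that refuses requests whose Host header does not name the device (a rebinding request arrives carrying the attacker's hostname, not the device's address), and a resolver-side filter of the kind a DNS security proxy applies, which drops answers that map an external name onto a private, loopback or link-local address. The code below is an added example, not the vendor's research code or any product's implementation; the function names, the internal zone `corp.internal`, and the sample names and addresses are constructed.

```python
# Added example: two defensive checks against DNS rebinding.
# Names, zones, addresses and function names are constructed for illustration.
import ipaddress
from typing import Iterable, List, Tuple

# Address ranges that an external hostname should never resolve to.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "0.0.0.0/8", "::/128",                             # "this host" addresses
    "fc00::/7",                                        # IPv6 unique local
))


def is_internal_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in net for net in INTERNAL_NETS)


def _name_in_zones(qname: str, zones: Iterable[str]) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in (zone.rstrip(".").lower() for zone in zones))


def filter_dns_answers(qname: str, answers: List[str],
                       internal_zones: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Resolver-side rebinding filter.

    Returns (kept, dropped).  A/AAAA answers pointing into INTERNAL_NETS are
    dropped unless the queried name belongs to one of the organization's own
    internal zones, which legitimately resolve to private addresses.
    """
    kept, dropped = [], []
    trusted_name = _name_in_zones(qname, internal_zones)
    for addr in answers:
        if is_internal_address(addr) and not trusted_name:
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


def host_header_allowed(host_header: str, own_names: Iterable[str]) -> bool:
    """Device-side check for an embedded HTTP server.

    A browser that has been rebound still sends the attacker's hostname in
    the Host header; refusing anything that is not this device's own name or
    address breaks the attack even if the resolver lets the answer through.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                # bracketed IPv6 literal, maybe with port
        end = host.find("]")
        if end == -1:
            return False
        name = host[1:end]
    elif host.count(":") == 1:              # hostname or IPv4 literal with port
        name = host.rsplit(":", 1)[0]
    else:
        name = host
    return name in {n.lower() for n in own_names}


def handle_request(request_lines: List[str], own_names: Iterable[str]) -> int:
    """Return the HTTP status a hardened device server would answer with."""
    for line in request_lines:
        if line.lower().startswith("host:"):
            return 200 if host_header_allowed(line.split(":", 1)[1], own_names) else 421
    return 400  # HTTP/1.1 requires a Host header


if __name__ == "__main__":
    zones = ["corp.internal"]
    # Constructed answers: a public name re-resolving to a private address is dropped,
    # the same address under the organization's own zone is kept.
    print(filter_dns_answers("lure.attacker.example", ["192.168.1.20"], zones))
    print(filter_dns_answers("printer.corp.internal", ["192.168.1.20"], zones))
    device = {"192.168.1.20", "printer.corp.internal"}
    print(handle_request(["GET /admin HTTP/1.1", "Host: lure.attacker.example"], device))
    print(handle_request(["GET /admin HTTP/1.1", "Host: 192.168.1.20:8080"], device))
```

The Host header check is the one a device maker can ship regardless of what the customer's resolver does; the resolver filter is the enterprise-side control the article mentions, and its allow-list of internal zones is what keeps it from breaking legitimate split-horizon DNS.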
