Leading the latest edition of the ISMG Security Report: ISMG's Managing Editor, Security and Technology, Jeremy Kirk, details Australia's HealthEngine caught in a data-sharing fiasco.
In this report, you'll also hear:
Nebraska Medicine's CIO, Brian Lancaster, on the IT transition to microsegmentation to prevent fraud; IDology's CEO, John Dancu, on the disconnect between consumer PII exposure and social networks, and the need for banks to move to dynamic KBA; and ISMG's SVP Editorial, Tom Field, on a real case of a romance fraud takedown at this week's ISMG Fraud and Breach Prevention Summit in Chicago.
The ISMG Security Report appears on this and other ISMG websites on Fridays. Don't miss the June 14 and 21 editions, which respectively discuss Banco De Chile's "bait and switch" attack and the highlights of ISMG's Chicago Fraud and Breach Prevention Summit.
A recently addressed privacy bug on Nametests.com resulted in the data of over 120 million users who took personality quizzes on Facebook being publicly exposed.
Patched as part of Facebook’s Data Abuse Bounty Program, the vulnerability resided in Nametests.com serving users’ data to any third-party that requested it, something that shouldn’t normally happen.
Facebook launched its Data Abuse Bounty Program in April, as part of its efforts to improve user privacy following the Cambridge Analytica scandal. The company also updated its terms on privacy and data sharing, and admitted to tracking people across the Internet, even those who are not Facebook users.
The issue in Nametests.com was reported by Inti De Ceukelaire, who discovered that, when loading a personality test, the website would fetch all of his personal information from http://nametests.com/appconfig_user and display it on the page.
Other websites shouldn’t normally be able to access that information, because web browsers block such cross-site reads. The data served by Nametests.com, however, was wrapped in JavaScript, which any website can load and execute as a script, so it could be read from other sites.
“Since NameTests displayed their user’s personal data in a JavaScript file, virtually any website could access it when they would request it,” the researcher explains.
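The mechanism described above, as an added model that is not NameTests' or Facebook's code: a profile endpoint that answers with executable JavaScript leaks to any page that includes it with a script tag (the browser attaches the visitor's cookies to that request and runs whatever comes back), while a plain JSON response with a restrictive CORS policy cannot be read from another origin. The origins, the path and the sample record below are constructed for the illustration.

```javascript
// Added example (not NameTests' or Facebook's code): a model of why serving profile data
// as a JavaScript file leaks it to any site, while a plain JSON response does not.
// Origins, the sample record and the global name NT_USER are constructed for the model.

// Constructed stand-in for the record the appconfig_user endpoint returned for a visitor.
const SAMPLE_USER = { id: 1001, name: "Example User", email: "user@example.invalid" };

// Vulnerable shape: executable JavaScript that assigns the visitor's data to a global.
// A third-party page can include it with <script src=...>; the browser sends the
// visitor's cookies with that request, so the page receives whoever is logged in.
function vulnerableAppConfig(user) {
  return {
    headers: { "content-type": "application/javascript" },
    body: `window.NT_USER = ${JSON.stringify(user)};`,
  };
}

// Hardened shape: a plain JSON body, which is not a valid script, plus a CORS header
// only for the site's own origin, so fetch()/XHR from other origins cannot read it.
function hardenedAppConfig(user, requestOrigin, allowedOrigins) {
  const headers = { "content-type": "application/json" };
  if (allowedOrigins.includes(requestOrigin)) {
    headers["access-control-allow-origin"] = requestOrigin;
    headers["vary"] = "Origin";
  }
  return { headers, body: JSON.stringify(user) };
}

// Models a cross-origin <script src> include: the body runs in the including page's
// global scope regardless of CORS. `fakeWindow` stands in for that page's window.
function loadAsScript(response) {
  const fakeWindow = {};
  try {
    new Function("window", response.body)(fakeWindow);
  } catch (e) {
    // A bare JSON object is not a valid script body, so nothing is assigned.
    return { executed: false, error: e.constructor.name, leaked: fakeWindow.NT_USER || null };
  }
  return { executed: true, error: null, leaked: fakeWindow.NT_USER || null };
}

// Models a cross-origin fetch()/XHR: the same-origin policy lets the page read the body
// only when Access-Control-Allow-Origin names its origin (or is "*").
function readViaFetch(response, requestOrigin) {
  const allow = response.headers["access-control-allow-origin"];
  const readable = allow === "*" || allow === requestOrigin;
  return readable ? JSON.parse(response.body) : null;
}

// Demonstration against a constructed third-party origin.
const THIRD_PARTY = "https://third-party.example";
const OWN_ORIGIN = "https://nametests.com";
console.log("script include of vulnerable endpoint leaks:",
  loadAsScript(vulnerableAppConfig(SAMPLE_USER)).leaked);
console.log("script include of hardened endpoint leaks:",
  loadAsScript(hardenedAppConfig(SAMPLE_USER, THIRD_PARTY, [OWN_ORIGIN])).leaked);
console.log("cross-origin fetch of hardened endpoint reads:",
  readViaFetch(hardenedAppConfig(SAMPLE_USER, THIRD_PARTY, [OWN_ORIGIN]), THIRD_PARTY));
```

The two loaders are the check to run against any endpoint that returns per-user data: if `loadAsScript` yields the record, the endpoint is a JSONP-style leak no matter how the CORS headers are set, because script inclusion never consults them.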
To verify that this was indeed happening, he set up a website that connected to Nametests.com and would fetch information about the visitor. The access token provided by Nametests.com could also be used to gain access to the visitor’s posts, photos and friends, depending on the permissions granted.
“It would only take one visit to our website to gain access to someone’s personal information for up to two months,” De Ceukelaire says.
Another issue the researcher discovered was that the user information would continue to be exposed even after users deleted the application. With no log-out functionality available, users would have had to manually delete the cookies on their devices to prevent their data from being leaked.
The bug was reported to Facebook’s Data Abuse program on April 22 and a fix was rolled out by June 25, when the researcher noticed that third parties could no longer access visitors’ personal information as before.
The vulnerability could “have affected Facebook information people shared with nametests.com. To be on the safe side, we revoked the access tokens for everyone on Facebook who has signed up to use this app. So people will need to re-authorize the app in order to continue using it,” Facebook said.
The social platform also donated $8,000 (they apparently doubled the $4,000 bounty because the researcher chose to donate it to charity) to the Freedom of the Press foundation.
“I also got a response from NameTests. The public relations team claims that, according to the data and knowledge they have, they found no evidence of abuse by a third party. They also state that they have implemented additional tests to find such bugs and avoid them in the future,” the researcher notes.
Related: Facebook, Google 'Manipulate' Users to Share Data Despite EU Law: Study
Related: Facebook Admits Privacy Settings 'Bug' Affecting 14 Million Users
A team of researchers from universities worldwide has devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.
Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).
Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.
Now, eight researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM propose RAMpage, a set of attacks that target the latest Android versions with a root exploit and app-to-app exploits that bypass all defenses.
In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.
Furthermore, the researchers claim that re-enabling higher order allocations, which Google disabled to prevent attacks, would improve system performance.
Rowhammer is a hardware bug that “consists of the leakage of charge between adjacent memory cells on a densely packed DRAM chip.” This means that, when a row of bits in the DRAM module is used, the neighboring rows are slightly affected, and attackers can abuse this to completely subvert a system’s security.
The issue is particularly serious on mobile devices, where hardware upgrades are not possible, the security researchers argue. They also note that existing software defenses are not effective and present attacks can circumvent all currently proposed and implemented defense techniques.
To exploit Rowhammer, an attacker needs to land a security-sensitive page in a vulnerable physical memory location and also needs to access the DRAM chip fast enough to hit the same rows before they are refreshed. They also have to determine the virtual addresses that map to the two physical rows adjacent to the victim row.
To mitigate the risks, Google disabled the contiguous heap, but left the system heap available. The company also reduced internal system heap pools to two and enforced that the system heap only returns memory pages from highmem.
By exhausting the system heap, the researchers were able to get contiguous pages and find exploitable bit flips via double-sided Rowhammer. The researchers then tricked the system into releasing pre-allocated cached memory, including the row with the vulnerable page, and developed a root exploit leveraging this attack technique.
The researchers also say it is possible to corrupt buffers belonging to another app or process, an attack scenario that could abuse privileged apps for increased damage. They also argue that an attacker could try to exhaust the Contiguous Memory Allocator (CMA) bit map, or to corrupt system memory from CMA-allocated memory. Such attacks, however, are technically challenging, the experts admit.
GuardION, the newly proposed mitigation against DMA-based Rowhammer exploits on mobile devices, focuses on limiting the capabilities of an attacker’s uncached allocations. Fine-grained isolation, though expensive, can be applied to each DMA allocation: GuardION isolates each buffer with two guard rows, one at the ‘top’ and another at the ‘bottom’.
“This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data,” the researchers claim.
The mitigation, however, rests on the premise that bit flips do not occur in memory pages physically located more than one row away from the aggressor rows. Such flips have never been reported, and the nature of the Rowhammer attack itself makes them unlikely to ever occur.
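The containment policy and its one-row premise, as an added model that is not code from the RAMpage/GuardION paper: memory is a small array of DRAM rows, a DMA buffer allocated the GuardION way gets a guard row above and below it, and a checker asks whether any row the attacker's buffer controls could flip bits into another allocation. The row count, the owner names and the `reach` parameter (how many rows away a flip can land) are constructed for the model; the paper's premise corresponds to `reach = 1`.

```javascript
// Added example, not code from the RAMpage/GuardION paper: a row-granular model of the
// guard-row policy. ROWS, the owner labels and `reach` are constructed for the model.

const ROWS = 16; // constructed: a tiny DRAM bank of 16 rows

function makeBank() {
  return { rows: new Array(ROWS).fill("free"), next: 0 };
}

// Plain allocator (the normal page allocator has no notion of guard rows): packs
// `n` rows for `owner` directly after the previous allocation.
function allocPlain(bank, owner, n) {
  if (bank.next + n > ROWS) return null;
  const start = bank.next;
  for (let r = start; r < start + n; r++) bank.rows[r] = owner;
  bank.next = start + n;
  return { start, end: start + n - 1 };
}

// GuardION-style allocator for DMA buffers: reserves a guard row at both ends that
// no other allocation may use.
function allocGuarded(bank, owner, n) {
  if (bank.next + n + 2 > ROWS) return null;
  bank.rows[bank.next] = "guard";
  const start = bank.next + 1;
  for (let r = start; r < start + n; r++) bank.rows[r] = owner;
  bank.rows[start + n] = "guard";
  bank.next = start + n + 1;
  return { start, end: start + n - 1 };
}

// Owners of the rows that hammering row `agg` could flip bits in, excluding the
// hammering buffer's own rows. `reach` is how many rows away a flip can land.
function victimsOf(bank, owner, agg, reach = 1) {
  const out = [];
  for (let d = 1; d <= reach; d++) {
    for (const v of [agg - d, agg + d]) {
      if (v < 0 || v >= ROWS || bank.rows[v] === owner) continue;
      out.push(bank.rows[v]);
    }
  }
  return out;
}

// True when every row `owner` controls can only flip bits into guard rows or into
// its own buffer, i.e. the containment policy holds for the given reach.
function contained(bank, owner, reach = 1) {
  for (let r = 0; r < ROWS; r++) {
    if (bank.rows[r] !== owner) continue;
    if (victimsOf(bank, owner, r, reach).some(o => o !== "guard")) return false;
  }
  return true;
}

// Scenario 1: a DMA buffer from the plain allocator sits right next to kernel pages.
function plainScenario() {
  const bank = makeBank();
  allocPlain(bank, "attacker-dma", 3);
  allocPlain(bank, "kernel", 2);
  return bank;
}

// Scenario 2: the same DMA buffer allocated with guard rows; kernel pages as before.
function guardedScenario() {
  const bank = makeBank();
  allocGuarded(bank, "attacker-dma", 3);
  allocPlain(bank, "kernel", 2);
  return bank;
}

console.log("plain allocator, reach 1:", contained(plainScenario(), "attacker-dma"));   // false
console.log("guard rows, reach 1:", contained(guardedScenario(), "attacker-dma"));     // true
console.log("guard rows, reach 2:", contained(guardedScenario(), "attacker-dma", 2));  // false
```

The third line of output is the caveat in the paragraph above made concrete: a single guard row on each side contains flips only as long as they stay within one row of the aggressor, which is exactly the premise the paper relies on.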
According to the research paper, not only is GuardION’s performance impact negligible, but its integration with the current Android code base is rather easy. A prototype implementation contains only 844 lines of code and touches only 9 files in the Android source code. The researchers are in the process of submitting the patch to Google for adoption.
Related: Android Phones Vulnerable to Remote Rowhammer Attack via GPU
Russian law enforcement this week said two individuals were arrested for compromising accounts of loyalty program members from popular websites.
The unnamed cybercriminals allegedly compromised around 700,000 accounts from companies such as PayPal, Ulmart, Biglion, KupiKupon, Groupon, and others. They are also said to have put 2,000 of these accounts up for sale for $5 each.
“The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined,” Group-IB, which aided with the investigation, says.
The hackers’ activity first drew attention in November 2015, after the website of a large online store was hit by a large-scale cyberattack in which the personal accounts of the store’s loyalty program members were compromised. The miscreants compromised around 120,000 accounts within a month.
The investigators discovered that the attackers “had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.”
The miscreants relied on people’s habit of reusing the same login/password on multiple websites. If the logins and passwords were used on the targeted websites, the hackers would access those personal accounts.
The cybercriminals would check the accumulated bonuses on each account and would sell them on hacker forums at $5 per account or 20-30% of the nominal balance of the accounts. The buyers could then abuse the accounts to pay for products with the bonuses.
The hackers, Group-IB says, weren’t only selling compromised accounts, but also offered services for hijacking accounts: they would change the phone number and e-mail on the accounts of the online store. Such services were offered at a price of 10% of the bonus balance on the account.
To hide their tracks, the attackers used anonymizers, launched the attacks from different IP addresses, and also changed the digital fingerprint of the browser (User-Agent). Overall, they sent authorization requests from more than 35,000 unique IP addresses.
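The pattern described in the preceding paragraphs (reused credentials tried against many accounts, requests spread over many IP addresses with rotating User-Agent strings) is what a login-log detector should look for. The following is an added example, not Group-IB's or any retailer's code, run over constructed log lines: it groups attempts per source, flags sources that try many distinct usernames and mostly fail, and lists the accounts that nonetheless logged in from such a source, which are the ones to reset and re-verify. The log format and thresholds are constructed.

```javascript
// Added example, not Group-IB's or a retailer's code: a credential-stuffing detector over
// constructed login-log lines. Log format, addresses, names and thresholds are constructed.

// Constructed sample log, one attempt per line: "<timestamp> <ip> <username> <result> <user-agent>"
const SAMPLE_LOG = `
2015-11-02T10:00:01Z 203.0.113.10 alice ok Mozilla/5.0 (X11; Linux x86_64)
2015-11-02T10:00:05Z 203.0.113.10 alice ok Mozilla/5.0 (X11; Linux x86_64)
2015-11-02T10:01:00Z 198.51.100.7 bob fail Mozilla/5.0 (Windows NT 6.1)
2015-11-02T10:01:01Z 198.51.100.7 carol fail Mozilla/5.0 (Macintosh)
2015-11-02T10:01:02Z 198.51.100.7 dave fail Mozilla/5.0 (Android 5.0)
2015-11-02T10:01:03Z 198.51.100.7 erin ok Mozilla/5.0 (iPhone)
2015-11-02T10:01:04Z 198.51.100.8 frank fail Mozilla/5.0 (Windows NT 10.0)
2015-11-02T10:01:05Z 198.51.100.8 grace fail Mozilla/5.0 (X11; Ubuntu)
2015-11-02T10:01:06Z 198.51.100.8 heidi ok Mozilla/5.0 (Macintosh)
2015-11-02T10:01:07Z 198.51.100.8 ivan fail Mozilla/5.0 (Windows NT 6.3)
2015-11-02T10:02:00Z 198.51.100.9 judy fail Mozilla/5.0 (X11; Linux x86_64)
`;

// Parses the constructed format; the User-Agent is everything after the result field.
function parseLog(text) {
  return text.trim().split("\n").map(line => {
    const [ts, ip, user, result, ...ua] = line.trim().split(/\s+/);
    return { ts, ip, user, ok: result === "ok", ua: ua.join(" ") };
  });
}

// Per-source counters: attempts, failures, distinct usernames, distinct User-Agents.
function perIpStats(events) {
  const stats = new Map();
  for (const e of events) {
    let s = stats.get(e.ip);
    if (!s) {
      s = { attempts: 0, failures: 0, users: new Set(), agents: new Set() };
      stats.set(e.ip, s);
    }
    s.attempts++;
    if (!e.ok) s.failures++;
    s.users.add(e.user);
    s.agents.add(e.ua);
  }
  return stats;
}

// A source that tries many different accounts and mostly fails is replaying a leaked
// credential list, not a user mistyping a password. Thresholds are constructed.
function flagStuffingIps(stats, { minUsers = 3, minFailRatio = 0.5 } = {}) {
  const flagged = [];
  for (const [ip, s] of stats) {
    const failRatio = s.failures / s.attempts;
    if (s.users.size >= minUsers && failRatio >= minFailRatio) {
      flagged.push({ ip, users: s.users.size, failRatio, agents: s.agents.size });
    }
  }
  return flagged;
}

// Accounts that logged in successfully from a flagged source: the reused password
// worked, so these are the accounts to lock, reset and review for bonus spending.
function compromisedAccounts(events, flagged) {
  const bad = new Set(flagged.map(f => f.ip));
  const users = events.filter(e => e.ok && bad.has(e.ip)).map(e => e.user);
  return [...new Set(users)].sort();
}

const events = parseLog(SAMPLE_LOG);
const flagged = flagStuffingIps(perIpStats(events));
console.log("stuffing sources:", flagged);
console.log("accounts to reset:", compromisedAccounts(events, flagged));
```

With the page's numbers (authorization requests from more than 35,000 unique addresses), the per-source counters alone will miss low-volume sources; the same counters aggregated per account (failed attempts from many distinct addresses and agents) catch the campaign from the other side.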
Large retailers started checking all orders paid with bonuses in early 2016, which led the hackers to target lesser-known online stores.
“In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts,” Group-IB reports.
The leader in these attacks was a resident of Ryazan Region, born in 1998. His partner, born in 1997, who provided technical support for their joint online store, resided in Astrakhan Region.
During a search, investigators seized evidence of the group’s unlawful activities, along with narcotics. The suspects have confessed to the crimes but the investigation is still ongoing.
Related: Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain
Related: Russian Police Arrest Man Involved in Android Banking Trojan Scheme
Security Researcher Vinny Troia has discovered another sensitive database exposed on the internet. This one uses Elasticsearch, which allows easy data searching over the internet. Elasticsearch offers security including authentication and role-based access control -- but not all customers deploy it.
Troia was interested in Elasticsearch security and used Shodan to find U.S. Elasticsearch databases visible on the internet. According to a report in Wired, he found around 7,000. One stood out -- a database owned by Florida-based data broker firm Exactis and containing personal data on both consumers and businesses.
What makes this discovery exceptional is the sheer size of the database, the sensitivity of its contents, and the complete lack of security. Precise details are difficult to ascertain, and Exactis has not been forthcoming. However, the database appears to contain around 340 million records (230 million on consumers and 110 million on business contacts), making it a far bigger potential breach than last year's Equifax breach.
The Exactis website claims the firm has consumer data on 218 million individuals and 110 million households. Eighty-eight million have email addresses and matching postal addresses, and 112 million include residential phone numbers. Business data includes 21 million companies, 40 million postal addresses, 21 million records with email addresses and matching postal addresses, and 52 million with business phone numbers.
How much of this was exposed is not known, but it is potentially everything. It doesn't include social security numbers or payment details, but goes into great detail for each individual, including interests, habits and the age and gender of children. It apparently includes more than 400 variables ranging from religion, pets, whether a person smokes, to personal interests.
Troia reported his findings to both Exactis and the FBI; and the database is no longer accessible. However, there is no way of knowing whether anyone other than Troia also located and accessed the data. While Exactis sells this data to businesses to help compile compelling and personalized marketing campaigns, in the hands of cyber criminals the same data could equally be used to compile compelling and personalized phishing campaigns. Any hope that cyber criminals don't use Shodan in the same way and to the same effect as Troia is unfounded.
Robert Capps, VP and Authentication Strategist for NuData Security comments, "If U.S. citizens did not think their personal information has ever been compromised, this should convince them it definitely is. This latest breach blows up the 2018 tab with 230-million records exposed in just one incident."
Chris Olson, CEO of The Media Trust, believes that government must now take a lead. "Data providers need to keep in mind that they are prime targets for cybercriminals who want to commit identity theft and have tools to find databases on publicly accessible servers. While we have yet to find out whether the data they have exposed on a public server has been misappropriated by malicious actors, the scope of and negligence behind this leak could prompt greater demand among already wary U.S. consumers for stronger regulations around data privacy like the EU's GDPR. Such regulations would restrict how personal data is not only stored but used in the U.S."
Carl Wright, chief revenue officer for AttackIQ, holds a similar view. "When a breach such as this occurs, it reinforces the need for government to hold these organizations accountable to the individuals impacted. This will be the only way to ensure that corporations take the necessary steps to secure consumer data. Corporations and government entities must be required to continuously prove that their cyber security protections are able to defeat or detect attackers."
This already happens in Europe with the EU's General Data Protection Regulation (GDPR). It seems to be beginning in the U.S. Yesterday, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 (Assembly Bill 375).
"With GDPR now in full effect," comments Richard Henderson, global security strategist at Absolute, "I've been expecting legislation such as this to start to reach consumer-focused states in the US for some time. Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come."
The California Act will not come into effect until the beginning of 2020 -- but it will undoubtedly make firms like Exactis re-evaluate what they do, how they do it, and how they secure it. The legislation says, for example, "The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified."
Meanwhile, 'victims' of the Exactis breach are not waiting for the new law. A proposed class action was lodged in the Florida federal court on Thursday, claiming that Exactis made no attempt to follow best practice guidelines to protect the data. "Despite these well-publicized Senate and other expert reports, defendant failed to heed the recommendations, and inexplicably left its server -- and the personal information which rested thereon -- vulnerable and available to even the most basic cyberattack," claims the suit. It asserts negligence, unjust enrichment claims, and claims under Florida's Deceptive and Unfair Trade Practices Act, and seeks compensatory, punitive, and exemplary damages.
Referring to the California Act, Henderson adds, "I think we are on the threshold of a new period of customer-focused data protections. State and local governments have waited a long time for organizations to take care of this, and based on the colossal number of breaches and rampant digital thefts that continue to occur, they've had enough."
Related: Elasticsearch Servers Latest Target of Ransom Attacks
Related: Honeypot Catches 8,000 Attempts to Exploit Critical Elasticsearch Flaw
Google this week announced expanded compiler-based mitigations in Android P, in an attempt to make bugs harder to exploit and prevent specific types of issues from becoming vulnerabilities.
One of these is Control Flow Integrity (CFI), which represents a set of mitigations meant to “confine a program's control flow to a call graph of valid targets determined at compile-time.” Android already supports CFI implementation in select components, but the next platform release will expand that support, the search giant says.
“This implementation focuses on preventing control flow manipulation via indirect branches, such as function pointers and virtual functions,” Google explains.
The compiler determines the set of valid branch targets, which reduces the destinations an attacker can redirect execution to, and instruments indirect branches so that a runtime violation of that statically determined set is detected, in which case the process aborts.
By restricting control flow to a small set of legitimate targets, Google attempts to make code-reuse attacks much harder to execute, while also making memory corruption vulnerabilities more difficult or even impossible to exploit.
CFI requires compiling with Link-Time Optimization (LTO), which also results in reduced binary size and improved performance, although compile time increases. According to Google, testing has revealed “negligible overhead to code size and performance.”
In Android P, CFI will be enabled by default widely within the media frameworks and other security-critical components, including NFC and Bluetooth.
Android P also expands the number of libraries that benefit from integer overflow sanitization, which safely aborts the process when an overflow is detected. This mitigates an entire class of memory corruption and information disclosure vulnerabilities.
Google has expanded the use of these sanitizers in the media framework with each release and also improved them to reduce performance impact.
“In testing, these improvements reduced the sanitizers' performance overhead by over 75% in Android's 32-bit libstagefright library for some codecs. Improved Android build system support, such as better diagnostics support, more sensible crashes, and globally sanitized integer overflow targets for testing have also expedited the rollout of these sanitizers,” the Internet company says.
Google decided to bring integer overflow sanitization to libraries where complex untrusted input is processed or security bulletin-level integer overflow flaws were reported. Thus, in Android P, the libui, libnl, libmediaplayerservice, libexif, libdrmclearkeyplugin, and libreverbwrapper libraries will benefit from these sanitizers.
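The bug class those sanitizers target, as an added model that is not Google's or AOSP's code: a media parser sizes a table from an attacker-chosen entry count, the multiply wraps in 32-bit arithmetic, the buffer comes out tiny, and the copy that follows writes past it. JavaScript numbers do not wrap, so a C `uint32_t` multiply is emulated explicitly; the checked variant performs the comparison the sanitizer inserts at every arithmetic operation and rejects the input instead of aborting. The entry size and the hostile count are constructed.

```javascript
// Added example, not Google's or AOSP's code: a model of the integer-overflow bug class
// in a size computation. ENTRY_SIZE and HOSTILE_COUNT are constructed values.

const U32_MAX = 0xFFFFFFFF;
const ENTRY_SIZE = 16; // constructed: bytes per table entry in a made-up container format

// Emulates a C `uint32_t` multiply: the product is silently truncated to its low 32 bits.
function mul32(a, b) {
  return Math.imul(a, b) >>> 0;
}

// Checked form: null when the exact product does not fit in 32 bits. This is the test
// the sanitizer inserts for you; on failure it aborts rather than returning a wrapped value.
function mul32Checked(a, b) {
  const exact = BigInt(a) * BigInt(b);
  return exact > BigInt(U32_MAX) ? null : Number(exact);
}

// Fills `count` entries into a buffer of `bytes` bytes. In C the out-of-bounds writes
// would corrupt the heap; this model stops at the first bad write and reports its offset.
function fillTable(count, bytes) {
  const table = new Uint8Array(bytes);
  for (let i = 0; i < count; i++) {
    const off = i * ENTRY_SIZE;
    if (off + ENTRY_SIZE > table.length) return { allocated: bytes, firstBadWrite: off };
    table[off] = 1; // stand-in for copying the entry from the file
  }
  return { allocated: bytes, firstBadWrite: -1 };
}

// Unsanitized parser: trusts count * ENTRY_SIZE computed with wrapping arithmetic.
function parseTableUnchecked(count) {
  return fillTable(count, mul32(count, ENTRY_SIZE));
}

// Sanitized-style parser: refuses the input when the size computation overflows.
function parseTableChecked(count) {
  const bytes = mul32Checked(count, ENTRY_SIZE);
  if (bytes === null) return null; // the sanitizer's abort, expressed as a clean rejection
  return fillTable(count, bytes);
}

const HOSTILE_COUNT = 0x10000001; // constructed: 0x10000001 * 16 = 0x100000010 wraps to 16
console.log("unchecked:", parseTableUnchecked(HOSTILE_COUNT)); // { allocated: 16, firstBadWrite: 16 }
console.log("checked:", parseTableChecked(HOSTILE_COUNT));     // null
console.log("checked, sane input:", parseTableChecked(3));     // { allocated: 48, firstBadWrite: -1 }
```

The unchecked path allocates 16 bytes for a table the header says has 268 million entries, which is the shape of the libstagefright-class bugs the article refers to; with the sanitizer enabled the multiply itself is what stops the process, so no parser code has to remember the check.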
“Moving forward, we're expanding our use of these mitigation technologies and we strongly encourage vendors to do the same with their customizations,” Google notes.
Related: Google Turns TLS on By Default on Android P
Related: Android Vendors Regularly Omit Patches in Security Updates