Simple bug could lead to RCE flaw on apps built with Electron Framework

Your daily selection of the hottest trending tech news!

According to The Hacker News

A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims’ computers.

Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, WordPress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.

Besides its own modules, the Electron framework also allows developers to create hybrid desktop applications by integrating the Chromium and Node.js frameworks through APIs.

Since Node.js is a robust framework for server-side applications, having access to its APIs indirectly gives Electron-based apps more control over the operating system installed on the server.

To prevent unauthorised or unnecessary access to Node.js APIs, the Electron framework by default sets the value of “webviewTag” to false in its “webPreferences” configuration file, which in turn sets “nodeIntegration” to false.

This configuration file with the hardcoded values of some parameters was introduced in the framework to prevent real-time modifications by malicious functions, i.e., by exploiting a security vulnerability like cross-site scripting (XSS).

Moreover, if an app developer skips or forgets to declare “webviewTag: false” in the configuration file, even then the framework by default considers the value of “nodeIntegration” as false, to take a preventive measure.


However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that attackers can inject into targeted applications running without “webviewTag” declared, by exploiting a cross-site scripting flaw, to achieve remote code execution.

The exploit re-enables “nodeIntegration” in runtime, allowing attackers to gain unauthorised control over the application server and execute arbitrary system commands.

It should be noted that the exploit would not work if the developer has also opted for one of the following options:

  • nativeWindowOpen option enabled in its webPreferences.
  • Intercepting new-window events and overriding event.newGuest without using the supplied options tag.
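As an added example (not code from the article, from Trustwave or from the Electron project), the Node.js script below audits a `webPreferences` object for the conditions the article names and builds the fixed child-window options a `new-window` handler should hand to `event.newGuest`; the finding keys and helper names are my own, and it runs without Electron installed.

```javascript
'use strict';
// Added example, not code from The Hacker News article or from the Electron
// project. It audits a BrowserWindow `webPreferences` object for the state the
// article describes and builds the options a hardened `new-window` handler
// should give the child window. Plain Node.js, so it runs without Electron;
// the Electron-specific wiring is shown in the comment at the bottom.

// Finding keys (my own naming) so callers can test for a specific condition.
const FINDINGS = {
  NODE_INTEGRATION_ON:
    'nodeIntegration is explicitly true: renderer code has full Node.js access',
  WEBVIEW_TAG_UNDECLARED:
    'webviewTag not declared: relies on the implicit default, the state the CVE-2018-1000136 PoC targeted',
  WEBVIEW_TAG_ON:
    'webviewTag is true: <webview> guests can be created from page content',
  NATIVE_WINDOW_OPEN_OFF:
    "nativeWindowOpen not enabled: window.open() takes Electron's new-window path, so that event must be intercepted",
};

// Returns the finding keys that apply to `prefs`; an empty list means the
// object explicitly declares the safe values the article lists.
function auditWebPreferences(prefs = {}) {
  const declared = (key) => Object.prototype.hasOwnProperty.call(prefs, key);
  const found = [];

  if (prefs.nodeIntegration === true) found.push('NODE_INTEGRATION_ON');

  // An undeclared webviewTag is reported separately from an enabled one,
  // because the article's point is that the undeclared state was re-enabled
  // at runtime by the PoC.
  if (!declared('webviewTag')) found.push('WEBVIEW_TAG_UNDECLARED');
  else if (prefs.webviewTag === true) found.push('WEBVIEW_TAG_ON');

  if (prefs.nativeWindowOpen !== true) found.push('NATIVE_WINDOW_OPEN_OFF');

  return found;
}

// Builds BrowserWindow options for a child window created inside a
// `new-window` handler. Only the geometry is taken from the options the event
// supplies; `webPreferences` is fixed by the main process. This is the second
// mitigation the article lists: override event.newGuest without using the
// supplied options, so page content cannot re-enable nodeIntegration.
function childWindowOptions(supplied = {}) {
  const dim = (v, fallback) => (Number.isInteger(v) && v > 0 ? v : fallback);
  return {
    width: dim(supplied.width, 800),
    height: dim(supplied.height, 600),
    webPreferences: {
      nodeIntegration: false,
      webviewTag: false,
      nativeWindowOpen: true,
    },
  };
}

// Expands finding keys to their descriptions, e.g. for a startup self-check log.
function describeFindings(keys) {
  return keys.map((k) => FINDINGS[k]);
}

// Wiring in an Electron main process (Electron API, not executed here):
//
//   mainWindow.webContents.on('new-window', (event, url, frameName, disposition, options) => {
//     event.preventDefault();                          // stop Electron's automatic window
//     const child = new BrowserWindow(childWindowOptions(options));
//     event.newGuest = child;                          // hand Electron our own window
//     child.loadURL(url);
//   });
```

Run the audit against every `webPreferences` object the application constructs at startup; a non-empty result for a production window is a finding to fix, not to log and ignore.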

The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.

Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.

So, app developers should ensure their applications are patched, or at least not vulnerable to this issue.

For more technical details on the Electron vulnerability and the PoC exploit code, head over to Trustwave’s blog post.

It should also be noted that the Electron bug has nothing to do with the recently discovered flaw in the Signal app. Signal has also recently patched a critical cross-site scripting vulnerability that leads to remote code execution; its full technical details are scheduled to be published exclusively on The Hacker News this evening.



__

This article and images were originally posted on The Hacker News, May 14, 2018 at 05:53AM. Credit to the author and The Hacker News.


Critical vulnerability under “massive” attack imperils high-impact sites 

Image caption: One of two publicly available exploits for a critical Apache Struts vulnerability.

In a string of attacks that have escalated over the past 48 hours, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.

The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

“If you run it against a vulnerable application, the result will be the remote execution of commands with the user running the server,” Vicente Motos wrote of one of the exploits in a post published late Wednesday afternoon on the Hack Players website. “We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible, but the exploit has already jumped to the big pages of ‘advisories,’ and massive attempts to exploit the Internet have already been observed.”

Researchers at Cisco Systems said they are seeing a “high number of exploitation events” by hackers attempting to carry out a variety of malicious acts. One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker’s choice. The payloads include “IRC bouncers,” which allow the attackers to hide their real IP address during Internet chats; denial-of-service bots; and various other packages that conscript a server into a botnet.

“These are several of the many examples of attacks we are currently observing and blocking,” Cisco’s Nick Biasini wrote. “They fall into two broad categories: probing and malware distribution. The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available.”

The vulnerability resides in what’s known as the Jakarta file upload multipart parser, which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function. Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately.

It’s not clear why the vulnerability is being exploited so widely 48 hours after a patch was released. One possibility is that the Apache Struts maintainers didn’t adequately communicate the risk. Although they categorize the vulnerability’s security rating as high, they also describe it as posing a “possible remote code execution” risk. Outside researchers, meanwhile, have said the exploits are trivial to carry out, are highly reliable, and require no authentication. It’s also easy to scan the Internet for vulnerable servers, and the bug can be exploited even if a Web application doesn’t implement file upload functionality.

The vulnerability is indexed as CVE-2017-5638. Security firm Qualys and the Metasploit Project have more details here and here.

__

Join our fans by liking us on Facebook, or follow us on Twitter, Google+, feedly, flipboard and Instagram.

This article and images were originally posted on Ars Technica.



Hackers downloaded US government climate data and stored it on European servers during Trump’s inauguration


As Donald Trump was sworn into office as the new president of the US on Jan. 20, a group of around 60 programmers and scientists were gathered in the Department of Information Studies building at the University of California-Los Angeles, harvesting government data.

A spreadsheet detailed their targets: Webpages dedicated to the Department of Energy’s solar power initiative, Energy Information Administration data sets that compared fossil fuels to renewable energy sources, and fuel cell research from the National Renewable Energy Laboratory, to name a few out of hundreds.

Many of the programmers who showed up at UCLA for the event had day jobs as IT consultants or data managers at startups; others were undergrad computer science majors. The scientists in attendance, including ecologists, lab managers, and oceanographers, came from universities all over Southern California. A motley crew of data enthusiasts who assemble for projects like this is becoming something of a trend at universities across the country: Volunteer “data rescue” events in Toronto, Philadelphia, Chicago, Indianapolis, and Michigan over the last few weeks have managed to scrape hundreds of thousands of pages off of EPA.gov, NASA.gov, DOE.gov, and whitehouse.gov, uploading them to the Internet Archive. Another is planned for early February at New York University.

Hackers, librarians, scientists, and archivists had been working around the clock, at these events and in the days between, to download as much federal climate and environment data off government websites as possible before Trump took office. But suddenly, at exactly noon on Friday as Trump was sworn in, and just as the UCLA event kicked off, some of their fears began to come true: The climate change-related pages on whitehouse.gov disappeared. It’s typical of incoming administrations to take down some of their predecessor’s pages, but scrubbing all mentions of climate change is a clear indication of the Trump administration’s position on climate science.

“We’re having a heart attack,” said Laurie Allen on Friday afternoon. Allen is the assistant director for digital scholarship in the University of Pennsylvania libraries and the technical lead on a recent data-rescuing event there. “In the last four days I think we’ve been working 22 hours a day, because we were hearing that these precise changes were going to happen.”

“I wish we had been wrong about our concerns. But this is what we internally had predicted and prepared for,” added Bethany Wiggin, the director of the environmental humanities program at Penn and another organizer of the data-rescuing event.

Over the first 100 days of the new administration, a volunteer team of programmers will be scanning government websites and comparing them to the archived, pre-Trump versions, to check for changes. “We’ll be letting people know what the changes exactly are. We hope to produce a weekly report on changes,” Wiggin says, perhaps in the form of a newsletter.

While Wiggin and Allen say the changes to whitehouse.gov are disconcerting, they also note they are small potatoes compared with what could come next: the large government data sets related to climate change and environmental health that scientists use for research. For example, there’s a massive Environmental Protection Agency database of air quality monitoring data that might become a target of Trump-appointed EPA administrator Scott Pruitt’s office, based on Pruitt’s history of suing the EPA to roll back air pollution regulations.

That’s where the data rescuing hackathons come in: The volunteer programmers at each event have been writing custom scripts to harvest the bigger, more complicated federal data sets, too. And they’re sharing the scripts with each other. “These events build onto each other. We might use tools that were built at other events,” says Irene Pasquetto, one of the organizers of the UCLA event.

Large data sets are being organized and uploaded to datarefuge.org, a website based on a version of the open-source data portal software Ckan, customized by Allen. All the various data-rescue hackathons are using the site for data storage, and hope it will act as an alternative repository for pre-Trump federal information during the new administration.

There will, thanks to Michael Riedyk, CEO of the Canadian data-archiving company Page Freezer, also be a copy stored outside the US.

The night before the inauguration, Riedyk was reading an article online about the Penn data-rescuing event and thought it wouldn’t hurt to also host that data in a second location, and he had just the spot in mind. His company offered monthly subscriptions to companies and government agencies that wanted their web pages archived on a daily basis. Plus, it had servers in Europe.

“We built this huge archiving cloud that crawls websites to preserve them, either to comply with regulation or for legal protection,” Riedyk says. “I thought, wow, we have that complete infrastructure in place.” So Riedyk got in touch with Wiggin, who helped organize the Philadelphia event, and offered his services for free. “I said, ‘We can archive these for you, and figure out how to open up to the public later.’”

Wiggin directed Riedyk to members of the Environmental Data & Governance Initiative, a group working to track changes to science availability, who sent him back 30,000 science-related government web pages and the domain names of 150 complete websites that they had identified as possibly under threat by the new administration, or of vital use to researchers.

By the next day, shortly after Trump took office, Riedyk’s team was almost done. “We’ve captured a significant portion,” he says. “I expect we’ll have everything on that list by today or tomorrow.”

From there, his company will use web crawlers to scan each page on a weekly basis. Page Freezer’s proprietary software will allow them to see if anything changes. “We have all kinds of really cool tools to highlight what changed—we can see exactly how people have edited or deleted.” So if the Trump administration alters a page on, say, a US Environmental Protection Agency website, Page Freezer will know.

Page Freezer has three data centers, one in the US, one in Europe, and one in Canada; the US government data will be archived on their European servers. “That’s where we had most of our capacity available right now,” Riedyk says. But it could also put the information out of reach of the US government: In 2016, a US appeals court ruled that Microsoft did not have to turn over to the Department of Justice a customer’s emails that were stored on a server in Dublin, Ireland. The Second Circuit court said that warrants obtained under the Stored Communications Act, which governs electronic records, are limited to searches within US borders. That’s not to say the law would not be challenged again, but having a copy of these key scientific datasets stored in Europe should make getting rid of them much more difficult.

Meanwhile, as more and more “data rescuing” events bubble up across the country, the work is getting easier, says Britt Paris, a PhD student at UCLA and another organizer of the event there. Strategies for workflow and data-scraping best-practices are being handed down, one event to the other. “I feel like we have a lot of support, like we’re part of a wider network,” Paris said. “There’s a sense of going forward together.”



DARPA Hopes Automation Can Create the Perfect Hacker


Seven Pentagon supercomputers are getting ready to attack one another.

by Tom Simonite

Look out, human hackers. Pentagon research agency DARPA says people are too slow at finding and fixing security bugs and wants to see smart software take over the task.

The agency released details today of a contest that will put that idea to the test at the annual DEF CON hacking conference in Las Vegas next month. Seven teams from academia and industry will pit high-powered computers provided by the agency against one another. Each team’s system must run a suite of software developed by DARPA for the event. Contestants win points by looking for and triggering bugs in software run by competitors while defending their own software.

Mike Walker, the DARPA program manager leading the Cyber Grand Challenge project, claims the approach could make the world safer.

“The comprehension and reaction to unknown flaws is entirely manual today,” he said in a briefing Wednesday. “We want to build autonomous systems that can arrive at their own insights about flaws [and] make their own decisions about when to release a patch.”

When a malicious hacker finds a new flaw in a piece of commonly used software, they can typically exploit it for a year before it is fixed, Walker said. “We want to bring that response down to minutes or seconds. Hopefully we ignite a revolution where we eventually have a machine that can compete with top experts.”


Source: DARPA Hopes Automation Can Create the Perfect Hacker

An online market that offered cheap hacked servers returns | ESIST


By Michael Kan

A website that offered access to hacked servers for as little as $6 is back online.

The market, called xDedic, went down June 15, right after security firm Kaspersky Lab publicly exposed it. Access to more than 70,000 compromised servers from governments, businesses and universities had been sold through the site, in the two years it was in operation.

Kaspersky Lab, however, reported its finding to law enforcement agencies and said that “several major” internet service providers helped shut the site down.

But after a brief hiatus, the makers of xDedic have been quick to revive the marketplace, security firm Digital Shadows said on Tuesday.

On June 24, an anonymous user named xDedic was spotted sharing the site’s new address on a Russian hacking forum, according to Digital Shadows.

The new xDedic site was found to be identical to the original one, although none of the previous user accounts were carried over. The domain was also shared on a French language criminal website located on the dark web.

It’s still unknown how many users the revived xDedic site currently has, but the previous site attracted 30,000 users a month, Digital Shadows said.

Once more hackers become aware of the site, it may only be a matter of time before it becomes popular again, the security firm added. The new xDedic site has opened user registration to all, but at the cost of paying $50.

On Tuesday, Kaspersky Lab said it’s also become aware of xDedic’s return and is monitoring the situation. The company is sharing all its findings with the relevant law enforcement agencies.

Kaspersky Lab has called the site a “hacker’s dream.” With cheap access to so many compromised servers, a buyer could use them to send out spam, steal data, or launch other cyber attacks.

Some evidence suggests that the xDedic site had actually sold access to as many as 170,000 servers, with the bulk of them located in the U.S. Kaspersky Lab has been alerting victims who were found to be affected.


Source: An online market that offered cheap hacked servers returns | Computerworld

Twitter CEO Jack Dorsey’s account hacked: Report | ESIST


After a series of celebrity Twitter handle hacks over the past few months, Jack Dorsey, the CEO of Twitter, had his account compromised briefly on Saturday, a media report said.

A group by the name of “OurMine” — the same group that claimed credit for compromising Facebook chief Mark Zuckerberg’s and Google CEO Sundar Pichai’s social media accounts — took credit for hacking Dorsey’s account in a tweet.

“After the hackers posted a few benign video clips, a tweet went up at 2:50AM ET saying ‘Hey, its OurMine, we are testing your security’ and linking to their website. That tweet was quickly deleted,” technology website engadget.com reported.

The message was linked to a short clip on entertainment network Vine.

“All of the OurMine messages posted to Dorsey’s account (which, as of 3:25AM or so appears to have been scrubbed of the hacker’s tweets), came through from Vine,” the report noted.

The compromise may have been possible because Dorsey had an old or shared password on his Vine account, or had connected it to another service that was compromised, which could have given “OurMine” access, the report said.

When the Twitter link provided by the hackers was clicked, a message, “The link you are trying to access has been identified by Twitter or our partners as being potentially harmful”, was returned.

The other link, which pointed to Vine, returned the message “The record was deleted by the user”.

This hack has added another name to the list of high-profile people whose accounts have been compromised.

Recently, the group hacked the Twitter account of the microblogging site’s co-founder and former CEO Evan Williams.

Soon after the news of Twitter Co-founder Evan Williams’s account hack surfaced on Thursday, another report said that hackers might have used malware to collect more than 32 million Twitter login credentials.

According to the report on technology website Techcrunch.com, these credentials were being sold on the dark web.

Spotify’s Daniel Ek, singers Drake and Lana Del Rey, professional American football league NFL and actress-comedienne Chelsea Handler have all been hit in recent months.

In early 2015, the account of Anthony Noto, Twitter’s Chief Financial Officer and Head of Twitter Ventures, was hacked, resulting in many spam messages.

Recently, the popular career-oriented platform LinkedIn notified its 400 million members of a data breach and urged them to stay safe.

Hit by a massive data breach that put nearly 167 million users’ passwords and personal information in the hands of hackers four years back, LinkedIn came out with an explanation and steps it has taken to protect users.

Source: Twitter CEO Jack Dorsey’s account hacked: Report | The News Minute

Beware! YouTube videos can hack your smartphone

New York: Recent research has revealed that a muffled voice hidden in a YouTube video can hack a smartphone kept nearby without you even knowing it.

According to Micah Sherr, professor at Georgetown University, voice recognition has taken off quickly on phones thanks to services like Google Now and Apple’s Siri but voice software can also make it easier to hack devices.

“It might not work every time but it’s a number’s game. If a million people watch a kitten video with a secret message embedded, 10,000 of them might have their phone nearby. If 5,000 of those load a URL with malware on it, you have 5,000 smartphones under an attacker’s control,” pcworld.com quoted Sherr as saying.

If the hackers know the internal workings of the voice-recognition software itself, they can create voice commands that are even harder for humans to decipher.

To guard against the threat, developers of voice recognition software could incorporate filters to differentiate between human and computer-generated sounds, the report added.

Source: Beware! YouTube videos can hack your smartphone

Public needs to wise up to cybersecurity, warns TalkTalk hack report – ESIST

When it comes to cyber security, the UK public need to wise up or face the consequences. That is one of the many findings of a fresh government report triggered by the TalkTalk data breach last year.

The report, titled ‘Cyber Security: Protection of Personal Data Online’, is the result of a month-long inquiry into the TalkTalk breach and subsequent handling of the incident by the firm’s chief executive Dido Harding. At the time of the hack, on Friday 23 October, the firm disclosed that customer names, addresses, dates of birth, phone numbers, email addresses, account information, credit card details and bank details had been stolen by cyber criminals.

“There needs to be a step change in consumer awareness of online and telephone scams,” the UK government said in the report. “All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible.” For businesses hit by cyberattacks, the government said the UK data watchdog – the Information Commissioner’s Office (ICO) – should be able to “introduce a series of escalating fines” based on the lack of attention to threats that led to the breach. “A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine,” it said.

Currently, the ICO can only levy a £1,000 fixed fine against UK firms for failure to report a data breach. This power, the government said, should be strengthened. “The ICO should introduce an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach,” the report noted. “There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.” Interestingly, the report also acknowledged the potential problems caused by the nascent Investigatory Powers Bill – also known as the Snoopers’ Charter. During an oral evidence session at parliament, the ICO warned the proposals create a “haystack of potential problems” due to the massive amounts of extra data firms will be expected to store.

On this, the report noted: “We received evidence from academics who agreed on this point. The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data.” The Investigatory Powers Bill, which recently progressed in the House of Commons, seeks to grant UK police, intelligence agencies and government enhanced surveillance capabilities. For UK firms, however, it demands that all communications and internet metadata be stored for a period of 12 months.

Jesse Norman, chairman of the committee, said: “Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent. As the TalkTalk case shows, the reality is that cyberattacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”

During her evidence to the UK parliament, Dido Harding admitted the firm “underestimated” the threat posed by hackers. “We thought that we had taken security seriously. We were underestimating the challenge,” she said, before promising urgent changes to the business. “The danger is we are asking the wrong question: are we safe? It’s a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one,” she said.

In the wake of the breach, TalkTalk said the fallout cost the firm up to £60m ($86m) and resulted in the loss of 101,000 customers. However, most recently it was reported that, despite this, Harding still received £1.8m ($2.6m) in bonuses last year.


Source: Public needs to wise up to cybersecurity, warns TalkTalk hack report – Inteltrain

Data breaches can lead to extortion – Tech News | ESIST

Hackers who steal data aren’t after just your bank account passwords. They can cash in through other means, too, such as threatening to expose confidential information they’ve obtained unless you pay a ransom.

The Internet Crime Complaint Centre said earlier this month that people have received threatening emails following data breaches. Those emails demand payment in bitcoins, a virtual currency, typically in amounts between US$250 (RM1,000) and US$1,200 (RM4,806).

Victims of this extortion are told their name, phone number, address, credit card information and embarrassing personal details will be released publicly, such as to their contacts on social media, if they don’t pay.

It’s difficult to determine if the crooks sending the e-mails really have your information or if they’re bluffing. But you don’t want to have to make that call.

The Internet Crime Complaint Centre says you can protect yourself by not opening e-mails or attachments from unknown senders who could be trying to access your data through phishing scams or malware. Don’t store embarrassing photos online or on your mobile devices. Use strong passwords for your accounts and change them often. Use security settings on your social media accounts.

If you get one of these e-mails (and are a US citizen), you can report it to the complaint centre at www.ic3.gov. Put the keyword “Extortion Email Scheme” in the subject line.

The FBI, which is one of the agencies that operate the complaint centre, said it does not condone paying extortion demands because that funds more criminal activity, which could be linked to organised crime. — The Morning Call/Tribune News Service

Source: Data breaches can lead to extortion – Tech News | The Star Online

Chinese hacking slows amid public scrutiny and U.S. pressure | ESIST

U.S. warnings and public scrutiny of hacks by groups believed to be China-based may have led to an overall decrease in intrusions by these groups against targets in the U.S. and 25 other countries, a security firm said.

From mid-2014, after the U.S. Government took punitive measures against China, including indicting members of the Chinese People’s Liberation Army for computer hacking, economic espionage and other charges, and raised the possibility of sanctions, FireEye has seen a notable decline in successful network compromises by China-based groups in these countries.

“We suspect that this shift in operations reflects the influence of ongoing military reforms, widespread exposure of Chinese cyber operations, and actions taken by the U.S. government,” according to the report released Monday by FireEye’s iSIGHT Intelligence.

The unit reviewed the activity of 72 groups that it suspects to be operating in China or supporting Chinese state interests.

Other security firms have also commented previously on the possible decline of hacks by China-based groups after strong measures by the U.S. But in April, Admiral Michael Rogers, Commander of the U.S. Cyber Command, told a Senate committee that cyber operations from China are still “targeting and exploiting” U.S. government, defense industry, academic and private computer networks.

Starting with measures like the indictment of the five PLA members in May 2014, President Barack Obama authorized in April 2015 the sanctioning of individuals or entities that “engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

There were reports subsequently suggesting that the U.S. government could also impose sanctions on China for cyberespionage. During a September visit by Chinese President Xi Jinping to the U.S., he and Obama agreed that the two countries will not conduct or support cyber-enabled theft of intellectual property like trade secrets.

The activity by China-based groups, measured by active network compromises, has dropped from over 60 intrusions in February 2013 to just a few in May this year, according to FireEye.

The decline in number of attacks does not necessarily suggest a lack of interest from the Chinese groups, but could be a shift in focus from quantity to quality, experts said.

“Through late 2015 and 2016, we saw suspected China-based groups compromise corporations’ networks in the U.S., Europe, and Japan, while also targeting government, military, and commercial entities in the countries surrounding China,” according to FireEye.

Among the targets this year were a U.S. government services company, in an apparent bid to get information on military projects, and four firms with headquarters in the U.S., Europe and Asia that made semiconductors and chemicals used in the manufacture of the devices.


Source: Chinese hacking slows amid public scrutiny and U.S. pressure | Computerworld