Monthly Archives: June 2018

Facebook Says Bug Automatically Suggested Public Visibility for New User Posts

Facebook said it has discovered a bug that automatically suggested public visibility whenever some users created new posts.

On 7 June, Chief Privacy Officer Erin Egan said in a statement that Facebook found the bug in its audience selector. This feature lets users choose with whom they want to share their posts. For the sake of convenience, it’s supposed to auto-select the last audience with which users submitted a post, meaning it should display “Friends” if they last shared something with their friends list.

That didn’t happen between 18 and 27 May. During that period, Egan explained, the audience selector suggested “Public” for new posts. This means that as many as 14 million users could have shared content publicly when, based on their previous posting history, they intended only a smaller group of people to view it.

Egan provided more information about the technical error in her statement:

This bug occurred as we were building a new way to share featured items on your profile, like a photo. Since these featured items are public, the suggested audience for all new posts – not just these items – was set to public. The problem has been fixed, and for anyone affected, we changed the audience back to what they’d been using before.
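As an added illustration (constructed here, not Facebook’s code), the model below reproduces the class of regression Egan describes: a shared “last used audience” default that a new feature overwrites with PUBLIC, shown beside the scoped fix and the post-hoc revert to each user’s previous audience. The `UserState`, `Post`, the day numbering and the “status”/“featured” post kinds are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the audience-selector regression described above; it is
# not Facebook's code. Days are May 2018 day numbers; the bug window is 18-27
# May as the report states.
BUG_WINDOW = (18, 27)


class Audience(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass
class Post:
    day: int
    kind: str          # "status" (ordinary post) or "featured" (profile item)
    audience: Audience


@dataclass
class UserState:
    # The selector remembers the audience the user last chose for a post.
    last_audience: Audience = Audience.FRIENDS
    posts: list = field(default_factory=list)


def suggest_buggy(state: UserState, kind: str) -> Audience:
    """Bug: the featured-items code writes its fixed PUBLIC default into the
    shared 'last used' slot, so every later composer is pre-set to PUBLIC."""
    if kind == "featured":
        state.last_audience = Audience.PUBLIC
    return state.last_audience


def suggest_fixed(state: UserState, kind: str) -> Audience:
    """Fix: the feature's own default never touches the remembered audience."""
    if kind == "featured":
        return Audience.PUBLIC
    return state.last_audience


def publish(state, day, kind, suggest, chosen=None):
    """Create a post with the audience the user picked, or the suggested one if
    they just hit Post. Only ordinary posts update the remembered audience."""
    audience = chosen or suggest(state, kind)
    state.posts.append(Post(day, kind, audience))
    if kind != "featured":
        state.last_audience = audience
    return audience


def remediate(state, window=BUG_WINDOW):
    """Revert ordinary posts that went PUBLIC inside the bug window to the
    audience the user had been using before it. Returns how many were reverted."""
    start, end = window
    prior = Audience.FRIENDS  # assumed default for a user with no earlier posts
    for p in state.posts:
        if p.day < start and p.kind != "featured":
            prior = p.audience
    if prior is Audience.PUBLIC:
        return 0  # the user was already posting publicly; nothing to revert
    reverted = 0
    for p in state.posts:
        if start <= p.day <= end and p.kind != "featured" \
                and p.audience is Audience.PUBLIC:
            p.audience = prior
            reverted += 1
    state.last_audience = prior
    return reverted


def simulate(suggest):
    """Scenario: a friends-only post on 10 May, a featured photo on 20 May (in
    the bug window), then a post on 22 May accepting the suggested audience.
    Returns (state, audience actually applied on 22 May)."""
    s = UserState()
    publish(s, 10, "status", suggest, chosen=Audience.FRIENDS)
    publish(s, 20, "featured", suggest)
    return s, publish(s, 22, "status", suggest)
```

Running `simulate` with `suggest_buggy` shows the 22 May post leaking to PUBLIC, and `remediate` reverting it to FRIENDS while leaving the featured item public; with `suggest_fixed` nothing leaks and there is nothing to revert.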

Facebook’s notification about the incident. (Source: Facebook)

In response to this flaw, Egan said that Facebook will be notifying everyone affected. Additionally, she said the social media giant will be displaying a notification to all users who posted publicly during the time frame when the bug was active. The notification directs users to a page that helps them learn more about how to protect their privacy on the platform. It can be found here.

News of this bug follows less than three months after news emerged of a data privacy scandal in which political brokerage firm Cambridge Analytica harvested information from 87 million Facebook users’ profiles.


via:  tripwire


The Value of Capture the Flag Competitions

If you’ve ever attended an infosec or hacker conference, you’re sure to have seen the Capture the Flag or CTF. As with anything in this industry, there are ebbs and flows in the debate of the value of the competitions. Some argue that they are unrealistic. Others champion them for the skills required and the creative thinking.

Let’s be real for a moment. When is the last time that a penetration tester found the output of /etc/passwd in the comments section of a website? I know there may be fringe cases, but this is not the “norm.”

The reality is that many are thematic and fun. Traditional Capture the Flag competitions typically have some of the same elements:

  • Scanning and Enumeration
  • Web Application
  • Cryptography
  • Steganography
  • Exploitation
  • Scripting
  • Reverse Engineering

It’s kind of ironic that scanning and enumeration and exploitation are in bold. Why? They are parts of the “Ethical Hacking process,” as shown below:

Ethical Hacking Process

As time progressed, we have moved from basic CTFs to several varieties:

  • Network King of the Hill (NetKOH)
  • Social Engineering (SECTF) [Note: I may know a thing or two about these, especially the 2017 DerbyCon SECTF.]
  • OSINT CTF
  • Forensics CTF

The Value and the Series

So, what am I getting at? They are not precise mirrors of real life. That is not what they are meant to be. They are meant to be challenges to both your technical skill and creativity. Some are more “fun,” and others are more about “street cred.”

In this series, I will be discussing how Capture the Flag exercises work and some common tools and techniques used in them. For starters and a sneak preview, here are my planned topics:

  • (Theoretical Ideas) ARP Scanning with netdiscover and arp-scan
  • NMAP
  • Nikto
  • Dirbuster and dirb
  • Burp Suite
  • Vulnerability scanners
  • wp-scan
  • Reverse Shells
  • Wireless
  • A wrap-up post to tie it all together.

This is not meant to be an all-inclusive series about CTFs but rather a story of my experiences participating in CTFs and what I have found that works. I have recently become more involved with CTFs by helping to build one for BSides Knoxville and a Forensics CTF for my local Defcon chapter, dc865.

I also accidentally discovered a vulnerability in a home router after doing a CTF because I had not reverted back to my non-CTF configuration. Here are some links regarding that vulnerability and the associated CVE:


via:  tripwire

Three Rhode Island State Agencies Affected by Malware Attack

A malware attack affected computing devices owned and operated by three state agencies in Rhode Island, confirmed the State’s digital security teams.

According to Call 12 for Action, the infection became noticeable on 31 May at the Department of Children, Youth and Families (DCYF), Department of Human Services (DHS) and Department of Behavioral Healthcare, Developmental Disabilities and Hospitals (BHDDH). The incident persisted into the day on 1 June when smaller PCs and hardware devices unexpectedly crashed. Officials observed nothing else that would raise their suspicions.

IT and security teams looked into the matter and confirmed that malware was to blame for the device disruptions. Chief Digital Officer Bijay Kumar said those personnel even discovered the probable delivery vector.

“In this case, we believe this could be through a generic phishing attack, clicking on a link in an email, just an external site which is clicked,” Kumar explained to Call 12 for Action. “We did some proactive upgrades and have since mitigated the issue.”

The attack is believed to have affected 400 out of the state’s 10,000 devices. Kumar confirmed that the infection didn’t compromise any information. Even so, he said the State would continue to investigate the matter further.

We take security very seriously, so we always like to err on the safer side of security so we talked to the National Guard, state police, as well as EMA to make sure we don’t leave any stone unturned to keep our system secure.

Brenna McCabe, spokeswoman for the Rhode Island Department of Administration, released a statement about the incident on 3 June. In it, she explained that the team had implemented a “technical solution” to help affected devices return to their normal functioning. She went on to say that first-of-the-month payments weren’t affected by the attack and that minimal service disruptions might occur as the three departments prepared for normal business hours on 4 June, reported The Providence Journal.

News of this attack came a few days after Atlanta’s city government disclosed that a March ransomware attack against its systems wiped out years of police dashcam footage. Since then, Atlanta officials said they will probably need another $9.5 million on top of the $5 million they already spent to further their recovery efforts.


via:  tripwire

Atlanta Ransomware Attack Wiped Out Years of Police Dashcam Footage

A ransomware attack targeting the city of Atlanta wiped out years of dashcam footage generated by the Atlanta Police Department.

In an exclusive interview with The Atlanta Journal-Constitution and Channel 2 Action News, Atlanta Police Chief Erika Shields revealed that a March ransomware attack against the city cost the Department years of dashcam footage. She said the impact of this data loss is minimal, however. As quoted by The Atlanta Journal-Constitution:

I’m not overly concerned, I’m really not, because that’s a tool, a useful tool, for us. But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer. There will be other pieces of evidence. It’s not something that makes or breaks cases for us.

Others weren’t so optimistic about this revelation. Atlanta police union official Ken Allens said that the absence of dashcam footage “hurts that relationship that is already strained” between officers and what he calls an “anti-police” public. Meanwhile, Georgia State law professor Jessica Gabel Cino said that data loss was significant as “…cases are broken or they’re made on dashcam footage.”

News of the attack first emerged in late March. City officials quickly determined that ransomware had taken down several customer-facing systems employed by the city, including bill payment applications, and that the attackers had demanded a ransom of six Bitcoins (at the time worth $51,000) for the recovery of the entire system. Atlanta Mayor Keisha Lance Bottoms refused to pay the attackers and has thus far spent millions on emergency tech contracts to rebuild the affected IT systems.

At the time of this writing, recovery was ongoing.

Matthew Condland, an investigator with the Atlanta Police Department, said the attack affected more than just dashcam footage.

“As a result, last month or the month before last of the cyberattack against the city, all of my files, all 105,000 files, were corrupted,” investigator Condland testified, as quoted by WSBTV.

Shields said “we have recovered all of our criminal investigative files” and that she hasn’t heard of any impact against ongoing criminal cases.

The ransomware attack against Atlanta is a reminder to municipalities to boost their defenses against digital threats. This should include implementing some common ransomware prevention techniques.


via:  tripwire

Scammers Targeting Booking.com Users with Phishing Messages

Scammers recently targeted Booking.com customers with phishing messages designed to steal their sensitive financial information.

According to The Sun, criminals sent out WhatsApp messages and text messages to customers claiming that a security breach had occurred and that recipients needed to change their passwords. The attack correspondence came with a link that, when clicked, gave bad actors access to bookings. These malefactors then followed up with a second message specifying that they needed customers’ banking information to process full payment in advance of the bookings.

Marketing manager David Watts of Newcastle received one of the attack messages, stating, “It looked very believable and I can believe people fell for it.”

Booking.com told The Sun that it’s aware of these attack messages. It also clarified that it had not suffered a data breach and that attackers had likely compromised the systems of hotels with which it works on a separate portal. Those criminals, it said, made off with typical booking information like customers’ names, addresses, phone numbers, dates and prices of bookings and reference numbers. The attackers then used that information to send out phishing messages, which incorporated those pieces of information to enhance their appearance of legitimacy, it explained.

This isn’t the first time scammers have targeted Booking.com users. Back in November 2014, news emerged of phishers preying on thousands of users, some of whom fell for the phish and paid the attackers. Booking.com stated that it had not suffered a breach and that criminals had hacked as many as eight hotels, but a spokesperson for one of the affected hotels denied having suffered an incident and recommended that the travel e-commerce company “ensure their investigation is thorough and appropriate action is taken.”

No doubt phishers will continue to target the travel industry in an attempt to steal customers’ financial data. With that said, users should make an effort to familiarize themselves with some of the most common types of phishing attacks. This resource is a good place to start.


via:  tripwire

Microsoft has acquired GitHub for $7.5B in stock

After a week of rumors, Microsoft today confirmed that it has acquired GitHub, the popular Git-based code sharing and collaboration service. The price of the acquisition was $7.5 billion in Microsoft stock. GitHub raised $350 million and we know that the company was valued at about $2 billion in 2015.

Former Xamarin CEO Nat Friedman (and now Microsoft corporate vice president) will become GitHub’s CEO. GitHub founder and former CEO Chris Wanstrath will become a Microsoft technical fellow and work on strategic software initiatives. Wanstrath had retaken his CEO role after his co-founder Tom Preston-Werner resigned following a harassment investigation in 2014.

The fact that Microsoft is installing a new CEO for GitHub is a clear sign that the company’s approach to integrating GitHub will be similar to how it is working with LinkedIn. “GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries,” a Microsoft spokesperson told us.

GitHub says that as of March 2018, there were 28 million developers in its community, and 85 million code repositories, making it the largest host of source code globally and a cornerstone of how many in the tech world build software.

But despite its popularity with enterprise users, individual developers and open source projects, GitHub has never turned a profit and chances are that the company decided that an acquisition was preferable over trying to IPO.

GitHub’s main revenue source today is paid accounts, which allow for private repositories and a number of other features that enterprises need, with pricing ranging from $7 per user per month to $21 per user per month. Those building public and open source projects can use it for free.

While numerous large enterprises use GitHub as their code sharing service of choice, it also faces quite a bit of competition in this space thanks to products like GitLab and Atlassian’s Bitbucket, as well as a wide range of other enterprise-centric code hosting tools.

Microsoft is acquiring GitHub because it’s a perfect fit for its own ambitions to be the go-to platform for every developer, and every developer need, no matter the platform.

Microsoft has long embraced the Git protocol and is using it in its current Visual Studio Team Services product, which itself used to compete with GitHub’s enterprise service. Knowing GitHub’s position with developers, Microsoft has also leaned on the service quite a bit itself, and some in the company already claim it is the biggest contributor to GitHub today.

Yet while Microsoft’s stance toward open source has changed over the last few years, many open source developers will keep a very close eye on what the company does with GitHub after the acquisition. That’s because there is a lot of distrust of Microsoft in this cohort, which is understandable given Microsoft’s history.

In fact, TechCrunch received a tip on Friday, which noted not only that the deal had already closed, but that open source software maintainers were already eyeing up alternatives and looking potentially to abandon GitHub in the wake of the deal. Some developers (not just those working in open source) were not even waiting for confirmation of the deal before migrating.

While GitHub is home to more than just open source software, if such a migration came to pass, it would be a very bad look for both GitHub and Microsoft. And it would be a particularly ironic turn, given the very origins of Git: the version control system was created by Linus Torvalds in 2005 when he was working on development of the Linux kernel, in part as a response to a previous system, BitKeeper, changing its terms away from being free to use.

The new Microsoft under CEO Satya Nadella strikes us as a very different company from the Microsoft of ten years ago — especially given that the new Microsoft has embraced open source — but it’s hard to forget its earlier history of trying to suppress Linux.

“Microsoft is a developer-first company, and by joining forces with GitHub we strengthen our commitment to developer freedom, openness and innovation,” said Nadella in today’s announcement. “We recognize the community responsibility we take on with this agreement and will do our best work to empower every developer to build, innovate and solve the world’s most pressing challenges.”

Yet at the same time, it’s worth remembering that Microsoft is now a member of the Linux Foundation and regularly backs a number of open source projects. And Windows now has the Linux subsystem, while VS Code, the company’s free code editing tool, is open source and available on GitHub, as are .NET Core and numerous other Microsoft-led projects.

And many in the company were defending Microsoft’s commitment to GitHub and its principles, even before the deal was announced.


Still, you can’t help but wonder how Microsoft might leverage GitHub within its wider business strategy, which could see the company build stronger bridges between GitHub and Azure, its cloud hosting service, and its wide array of software and collaboration products. Microsoft is no stranger to ingesting huge companies. One of them, LinkedIn, might be another area where Microsoft might explore synergies, specifically around areas like recruitment and online tutorials and education.


via:  techcrunch

Microsoft discounts the Xbox One X for its E3 week sale

‘PUBG’ and ‘Sea of Thieves’ also get their first price cuts.

Microsoft is cutting the price of the 4K-friendly Xbox One X for the first time in what the company is calling its biggest Xbox sale of the year. All Xbox One models are dropping by $50, so the Xbox One X will set you back $449, while the Xbox One S costs $199 for the 500GB version, and $249 for 1TB. If you’ve been looking for a new controller, you can pick one up for $10 less.

There are discounts on a bunch of games too, with PlayerUnknown’s Battlegrounds, Sea of Thieves and Monster Hunter: World all sliding into the sale section for the first time; Microsoft is cutting the prices of some other games by up to 75 percent. Meanwhile, if you want to play those games online with your shiny new Xbox One X, you’ll need Xbox Live Gold, which you can get for $1 for a month. The same deal applies to Xbox Game Pass. All of these offers are available starting Thursday.

The Xbox One sale comes just as Microsoft prepares for an onslaught of news and game announcements at the E3 convention next week — Sony is running a big sale too, with a limited-edition blue console on offer. While not Xbox exclusive games, we’ll find out more about Fallout: 76 and Assassin’s Creed: Odyssey at E3. Who knows, though? Microsoft might try to get in on the battle royale craze with a winner-takes-all-style Gears of War.


via:  engadget

How to set up 2FA on eBay – go do it now!

A little under two years ago, I looked into how one might go about securing an eBay account using two-factor authentication (2FA).

At the time, it wasn’t clear if 2FA was supported on eBay officially or not, and I found a number of dead-end paths when trying to actually set up my account with 2FA – old documentation pages about 2FA appeared to be buried or completely deprecated, many links were completely dead. Calls to customer service didn’t help much, as the reps I spoke to had no idea what I was talking about or why I was asking.

There were legacy documentation pages about using a third-party time-based token authentication service, but these were mostly dead-ends as well and I had, to put it mildly, an extraordinarily difficult time trying to set things up.

By the end of it all, I had tried (and tried!) to set up 2FA on my account, but really to no avail. I concluded my piece with a plea for readers to let me know if I’d missed something obvious in trying to secure my account, or at the very least to ask eBay nicely to make this process easier.

Over time, many of our Naked Security readers chimed in on my story saying that either they’d had similar experiences, or they’d discovered a workaround entirely.

As more time passed, the comments started to change tone entirely, that actually the 2FA process was super simple and easy to do now. Based on what readers like you had commented, it sounded like something had changed for the better. Clearly, it was past time for me to revisit this story.

I’m quite relieved and thankful to report that since I first wrote the eBay 2FA story, eBay has not only binned its previous byzantine 2FA procedure, but has replaced it with something that’s both easy to find and easy to use.

Now, happily, this is how you can easily set up 2FA on your eBay account.

  • Log in to your account.
  • Go to your account settings by clicking on your name in the upper left (where it says “Hi [your name]!”) and clicking Account settings in the dropdown.
  • In the My Account menu on the left that now appears, click Personal information.
  • Scroll to the bottom of the Personal Information screen, and you’ll now see a field that says Security Information, with the 2 step verification option underneath it. If it is switched to “off”, click the Edit option on the right.
  • Follow the instructions on the screen. eBay 2FA supports voice and SMS factors (no support for time-based token authentication, like Google Authenticator or Duo, as far as I can tell).
  • You’ll get a confirmation once it’s set up. Easy peasy!

I’m relieved that eBay has now made this much easier for users, and hope if you’re an eBay user you’ll take a quick moment to get this set up on your account.


via:  sophos

Apple to launch its own digital health features in iOS 12

At Google I/O in May, the company introduced a series of time management tools for Android users that help better manage screen time, track app usage, and limit the phone’s ability to distract, including a “shush” mode which turns on Do Not Disturb by flipping the phone over, and a “wind down,” color reduction mode for bedtime. Now, it seems Apple will follow suit with its own digital wellbeing features in an upcoming release of the iOS mobile operating system, a new report claims.

According to Bloomberg, Apple will introduce a new set of digital wellbeing features for iOS users at its Worldwide Developer Conference (WWDC) in San Jose on Monday.

The tools will later be released as part of the iOS 12 operating system for iPhone and iPad devices, which typically arrives in the fall.

The report was light on details in terms of which specific metrics Apple will track, but says those details will arrive in a new menu inside the Settings app in iOS 12.

The initiative, called “Digital Health,” will monitor how much time users spend on devices, but it’s unclear if it will also include tools that help users silence their phones using new gestures or settings, or otherwise disengage from their devices.

The digital wellbeing movement is part of a fairly recent course correction for Silicon Valley tech companies, which are now being held accountable for the addictive nature of the devices, apps and services they’ve created.

From the beginning, tech company engineers and designers were encouraged to make their products ever more engaging by taking advantage of specific design patterns that prompt regular, addictive usage of their products, and those that increase users’ time spent in apps.

But more recently, some tech execs have come to espouse regrets for what they’ve built. Former Facebook president Sean Parker stated Facebook’s design exploited weakness in the human psyche to addict users, and said he worried about what it was doing to kids’ brains. Meanwhile, former Google exec Tristan Harris launched a coalition of technologists and activists called the Center for Humane Technology, which aims to encourage “humane design” – that is, design that reduces distractions and stress, and keeps people from being hooked on their devices.

Now the industry giants are putting some of these principles into practice.

Facebook earlier this year changed how its News Feed operates to reduce users’ time spent on the site in favor of well-being. Instagram last month introduced its first time well spent feature, by informing users “you’re all caught up” when they’ve viewed all the new posts. Google launched parental control tools in its Family Link service that allow parents to limit kids’ screen time, and introduced the above-mentioned digital wellness features for Android in May.

If Apple were to avoid the topic, it would be the odd one out at this point.

The new digital wellbeing tools will likely be detailed during Monday’s WWDC keynote address, and may include some additional protections for children through an update to iOS’s parental controls. We do know that more robust parental controls are at least coming, as Apple promised this explicitly following criticism from major shareholders about children’s iPhone addiction.


via:  techcrunch

The Pentagon is working on a radio wave weapon that stops a speeding car in its tracks

Vehicular terrorism is on the rise, but technology under development by the U.S. Department of Defense could save lives by disabling a weaponized car before it ever reaches its target. The Pentagon’s Joint Non-Lethal Weapons Program (JNLWD) is working on a device called a Radio Frequency Vehicle Stopper to address the prevalence of vehicle-based attacks targeting civilians, Defense One reports.

To prevent this kind of violence and other kinds of vehicular attacks (an unauthorized car rushing behind a military security gate, for instance), the Pentagon’s Radio Frequency Vehicle Stopper points high-powered microwaves at a vehicle, disabling its electrical components via the engine control unit and making the engine stall out. You can watch the technology in action in the Department of Defense video below.


As Defense One reports, the group is developing two versions of its technology: one with a 50-meter range small enough to fit in a truck bed, and a larger version with a range of more than 100 meters designed to remain in place. The latter would be particularly useful in the kind of open public spaces that lend themselves to vehicular attacks in popular urban areas, like markets and shopping hubs. This kind of technology is only becoming possible now because of breakthroughs in powering the concentrated beams emitted by this kind of notoriously energy-hungry weapon.

While vehicle-based attacks were once rarely observed outside of war-zones, they’ve occurred with increasing frequency in high-density urban areas and tourist destinations in recent years. As the attack in Toronto last week proved, the results are effortlessly deadly to unsuspecting pedestrians. It’s unfortunate that such a device is necessary at all, but if they were to become readily available, these Radio Frequency Vehicle Stoppers could discourage the rising trend of vehicular attacks, protect victims when they do occur and help law enforcement obtain additional intelligence by apprehending suspects without resorting to lethal violence.


via:  techcrunch