This week, your Lenovo X is watching you & sharing information, a client-side DNS attack emerges from academic research, a macOS vulnerability leaks safari data, hackers hit VFEmail & wipe US servers and backups, and a check-in system flaw puts major airlines at risk! Jason Wood from Paladin Security joins us for expert commentary on how Fraudsters are scamming teenage ‘money mules’ on Instagram and Snapchat!
- Your Lenovo Watch X Is Watching You & Sharing What It Learns – It appears they’ve ignored security completely when designing and implementing this watch, according to the researcher: Unfortunately, during the course of my research I found quite a few vulnerabilities in my shiny new Lenovo Watch X. Each of the vulnerabilities concern me, but a few of them are pretty disturbing. I’ll name and describe the vulnerabilities, and then share how that vulnerability could be used in an attack scenario. Its a good read and describes many different attacks, including sniffing clear-text and Bluetooth Low Engery.
- Microsoft: 70 Percent of All Security Bugs Are Memory Safety Issues – This makes sense: Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs. The reason for this high percentage is because Windows has been written mostly in C and C++, two “memory-unsafe” programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers’ memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences –such as remote code execution or elevation of privilege flaws.
- Client-Side DNS Attack Emerges From Academic Research – mDNSResponder is familiar from macOS, turns out its vulnerable on a variety of platforms: “We found that the client-side DNS cache poisoning attack has never been technically and practically studied before; thus, I decided to choose this project as my first project in my PhD study,” Alharbi told Dark Reading in an email interview. Alharbi’s group began to research the possible attack on Android and Ubuntu Linux. Once they demonstrated a successful attack, they moved on to see whether the same vulnerability existed for MacOS and Windows. “As expected, we found the needed vulnerability to launch the attack and succeeded in poisoning the DNS cache of these two operating systems as well,
- 620 million accounts stolen from 16 hacked websites available for sale on the dark web
- macOS Vulnerability Leaks Safari Data – The Register revealed in exclusive that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web. The advertising for the sale of the huge trove of data was published in the popular Dream Market black marketplace, data are available for less than $20,000 worth of Bitcoin. Data was collected from data breaches of popular websites including: Dubsmash (162 million); MyFitnessPal (151 million); MyHeritage (92 million); and several others.
- Linux container bug could eat your server from the inside patch now! – This bug means that a program run with root privileges inside a guest container can make changes with root privilege outside that container. Loosely put, a rogue guest could get sysadmin-level control on the host. This control could allow the rogue to interfere with other guests, steal data from the host, modify the host, start new guests at will, map out the nearby network, etc Precise details of the bug are being witheld for a further six days to give everyone time to patch, but the problem seems to stem from the fact that Linux presents the memory space of the current process as if it were a file called /proc/self/exe. Thanks to CVE-2019-5736, accessing the memory image of the runc program that’s in charge of your guest app seems to give you a way to mess with running code in the host system itself.
- Hackers hit VFEmail, wipe US servers and backups – Those who have lost years of emails are now left waiting for some good news. It doesn’t look good, though: Romero told Brian Krebs that he doesn’t have very high expectations of getting any US data back. This attack may not turn out to be as catastrophic to VFEmail as the similar one that effectively destroyed cloud code hosting service Code Spaces in 2014, but there’s no doubt that it will have a considerable negative impact on both the service and its users.
- Check-In System Flaw Puts Major Airlines at Risk – The flaw is relatively simple, as the airlines have been emailing unencrypted check-in links to passengers. Since the links are unencrypted, they could be intercepted or reused by an unauthorized third party to change the details for a reservation and gain access to user information. According to Michael Covington, vice president of product at Wandera, the company found that data including “suspicious parameters on a URL string was actually being used to transparently authenticate the user into the e-ticketing website.” Covington said that by not limiting the e-ticketing check-in URLs to one-time use, the airlines open their e-ticketing systems up to a replay attack that allows an attacker to easily gain access to passenger accounts.
- Adobe Fixes 43 Critical Acrobat and Reader Flaws – Adobe issued patches for 43 critical vulnerabilities in Acrobat and Reader – including a fix for a zero-day flaw that researchers at 0patch temporarily fixed on Monday. That bug could enable bad actors to steal victims’ hashed password values. Overall, Adobe patched 75 important and critical vulnerabilities across its products,including Acrobat Reader DC, Adobe Flash Player, Adobe Coldfusion, and Creative Cloud Desktop Application. The Tuesday morning patches are part of Adobe’s regularly-scheduled security updates. Adobe said it is not aware that any of these vulnerabilities are being actively exploited.
We have covered a number of different scams that target unsuspecting victims on HNN and here is another that I find really upsetting. It appears that bad guys are targeting teenagers because they have bank accounts, are usually broke, and don’t have enough experience to spot the scam. The original article I saw was on Sky News, but I also found additional articles by other news agencies. Right now the issue seems to largely be being reported out of the UK. I suspect that it is occurring in the US and other countries as well.
So what is this this scam that has me bent? If you have teenagers, you know they use social media a lot. My kids are constantly talking with friends via apps such as Instagram and Snapchat. The bad guys have realized that kids are here and have started targeting them with offers to get some extra money with no work. All they need to do is give over their bank details and they will make sure they get a cut of the action for their trouble. Of course, it doesn’t work out that way.
The crooks do a mix of passing money through the account to cryptocurrency, sending money over seas, and/or taking money from the victim. In the end, the victim has no money and could be up for criminal charges for participating in money laundering. It seems obvious to many of us that this is a bad play, but according to Sky News, “under 25s are six times more likely to fall victim to criminals using social media platforms than over 50s.” Sky News actually got in contact from a crook in London who said it’s “like taking candy from a baby.” Once Dan and his fellow scmucks post to a group about making easy money, they get flooded with takers.
Sky News interviewed a victim who was 15 when she fell for it. She was embarrassed for doing so, but she was hardly alone. According to her, “my siblings got scammed, my best friend got scammed and a lot of my other friends got scammed.” Wow, the whole group got taken to the cleaners. The money isn’t small numbers either. Again, according to Sky News, European law enforcement agencies were able to block nearly $40 million in transactions that involved 1,500 money mules.
There’s not a great fix for this sort of thing. The banks have fraud systems and departments that might spot issues before they get out of hand. The social media platforms are being criticized for not doing more to police the content and prevent it from reaching potential victims. All of that is out of the control of most of our listeners. And even those who have a channel to these options are probably only influencers. One defense is also to spread the news to the teens and 20 somethings that you know as well. It boils down to being skeptical and remembering money isn’t free. No matter how much we want it to be. Pass it on to others. Share with with the teenagers you know and share with those that are concerned with the well being of their teens.
This type of scam is also a good piece of news to share via your security awareness training or company newsletters. It’s dead useful to those who will be reading it and helps bolster our credibility because we are helping out our coworkers in protecting those they care about. Your awareness newsletters might not be looked at as another nagging email about password strength and generic social engineering. Check out the articles in the show notes.
Jason Wood – Founder; Primary Consultant, Paladin Security.
- RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Registration is now open for the first Security Weekly webcast of 2019! You can register for our “Rise Above Complex Workflows: Practical Ways To Accelerate Incident Response” webcast now by going to securityweekly.com/webcasts