Equifax Blames Open Source Software for Its Record-Breaking Security Breach*:
- The credit rating giant claims an Apache Struts security hole was the real cause of its security breach of 143 million records.
- According to an unsubstantiated report by an equity research firm, the blame falls on the open-source server framework Apache Struts.
- Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java.
- Equifax appears to be utterly and completely clueless about its own technology.
- Adding insult to injury, the credit agency’s advice and support site looks, at first glance, to be a bogus phishing-type site: “equifaxsecurity2017”.
- A new and significant Struts security problem was uncovered on September 5th, but there is one problem with the theory that this is the security hole that led to the Equifax breach: Equifax admitted hackers had broken in between mid-May and July, long before the most recent Struts flaw was revealed.
- It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common; most security incidents are oversights of previously solved problems.
- The Apache Struts Project Management Committee said in a statement that while they’re sorry Equifax suffered from a security breach, they’re not ready to take on the burden for this security fiasco.
- Since Equifax hasn’t revealed any details, we don’t know what exactly went wrong.
- While it’s possible the company was hit by a zero-day attack, what’s more likely is that Equifax’s long list of mistakes shows how technically challenged it has been.
*Source: ZDNet, September 11, 2017
Microsoft Says it Won’t Fix Kernel Flaw: It’s Not a Security Issue*:
- A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn’t going to be fixed.
- The issue, spotted this week by a security researcher, lies within a system that has been part of Microsoft’s operating system since Windows 2000 and is still active in the latest builds.
- Antivirus tools use the system to check if malicious code has been loaded into memory.
- The researcher discovered that an attacker could use poor coding behind the API to smuggle malware past scanners.
- The flaw was reported to Microsoft, but Microsoft released a statement saying, “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”
*Source: The Register, September 08, 2017
Google is Fighting a Massive Android Malware Outbreak*:
- Researchers claim they have found the second-biggest outbreak to ever hit Google's platform, with as many as 21.1 million infections from one malware family.
- The malware's been dubbed ExpensiveWall after hiding inside wallpaper apps.
- Researchers warned it sent fraudulent SMS messages and charged for fake services.
- ExpensiveWall infected at least 50 apps, which together were downloaded between 1 million and 4.2 million times.
- A previous sample of the malware was installed millions of times too, taking the total number of victims to somewhere between 5.9 million and 21.1 million.
- That’s a lot, but not quite as bad as the Judy malware that hit Android in May and was downloaded as many as 36 million times.
- Google removed the incriminating apps after it was notified about ExpensiveWall, though the hackers moved quickly, uploading another sample to Google Play that infected at least 5,000 devices before being removed four days later.
- ExpensiveWall doesn't just pilfer people's money, it also grabs data about the infected device, including location and IP address; it could also force users to click on online advertisements.
- ExpensiveWall was able to find a way onto Google Play by using encryption techniques to hide its malicious code.
- Google Play has been plagued by various forms of fraud over the last year – it’s apparent Google still has work to do to cut off fraudsters exploiting Android’s openness.
*Source: Forbes, September 14, 2017
Equifax is Inundated With Lawsuits After Epic Hacking*:
- More than two dozen lawsuits have been filed against Equifax after the credit reporting company said thieves may have stolen personal information for 143 million Americans.
- Most lawsuits will likely be combined into a single piece of nationwide litigation.
- Equifax has set up procedures it said are intended to help people protect their Social Security numbers and other identifying information.
- Some lawsuits criticized Equifax’s offer of a year of free credit monitoring with its TrustedID product, with one complaint suggesting Equifax might do this to lay a foundation to pitch costlier services.
- Equifax shares were down $10.03, or 8.1%, at $113.20; they had closed at $142.72 before the breach was disclosed.
- Some lawyers have said they may file securities fraud lawsuits over the share price decline.
*Source: Fortune, September 11, 2017
Chile’s Troubling Move Against Privacy*:
- The rights group Derechos Digitales released the text of a worrying draft decree, signed by President Bachelet in June, that could greatly increase intrusive government access to personal data.
- The decree, which still needs to be approved by the Comptroller General’s Office to take force, would run counter to Chileans’ right to privacy and emulates some of the worst such policies around the globe.
- The decree would require telecommunication companies to retain, for at least two years, data on electronic and mobile communications of everyone in the country.
- It greatly expands the types of data companies must store, while extending the retention period from one year to two.
- It covers information such as location data and the phone numbers called, which can provide a detailed portrait of the user’s intimate life, especially when combined with other data.
- It is reasonable to demand disclosure of specific data to prevent or investigate crimes, subject to safeguards, but data retention under the decree would go much farther, affecting all users, regardless of whether they are suspected of a crime.
- The European Union’s top court has twice struck down similar blanket data retention laws, noting that they impose an unjustifiably broad infringement of the right to privacy.
- While Chile’s decree would require a court order to intercept phone and other communications, it does not include such a requirement to access data already retained.
- Without judicial control, the decree could virtually turn the Chilean government into a “big brother” capable of knowing where everyone is, and whom they are contacting.
- The draft also forbids companies from incorporating technology or equipment that can hinder the interception or recording of communications.
- If this provision is interpreted broadly to forbid encryption, it would set a troubling precedent.
- When it reviews the decree, the Comptroller General’s Office will decide whether it will protect Chileans’ right to privacy or allow the government to emulate authoritarian countries.
*Source: Huffington Post, September 09, 2017
Researcher Publishes Details on Unpatched D-Link Router Flaws*:
- A South Korean security researcher has published details about ten vulnerabilities he discovered in the firmware of D-Link DIR 850L routers without giving D-Link the chance to fix the flaws.
- The flaws can be exploited from both the router's internal (LAN) and external (WAN) connections to grant attackers the ability to intercept traffic, upload malicious firmware, or get root privileges.
- Vulnerabilities were also discovered in the MyDLink cloud service that device owners use to connect remotely to their routers at home via the Internet.
- A summary of the discovered flaws is listed in the link below.
- The researcher wrote that “due to difficulties in previous exchange with Dlink, full-disclosure is applied.”
- A security researcher and chairman of the GDI Foundation estimates the number of D-Link 850L routers at around 95,000.
- D-Link says it’s investigating the disclosed flaws and will provide a firmware update as soon as it becomes available.
*Source: Bleeping Computer, September 09, 2017
Pedophile Probe Reveals Feds Can Easily Break Android Security*:
- Feds are constantly on the back foot in the race to crack encryption, but with modern Google Android devices they're making significant advances, allowing them to bypass the passcodes of Samsung and HTC cell phones.
- A recently unsealed warrant details a child abuse investigation, in which a suspect's Samsung S7 and unspecified HTC model were seized.
- Around August 2016 a forensic analyst found a way to bypass the lock on the Samsung device, but was only able to extract limited data.
- It appears the police have overcome the limitations of that previous hack and examiners can now bypass the locking feature and perform a full extraction.
- As for the HTC phone, cops were initially unable to bypass the lockscreen, but "advancements in HSI forensic resources" helped them get around the security mechanism and in May they were granted a warrant to search the device.
- The phone was found to contain images of children involved in sexually explicit activity and communications between the suspect and minor females named in an indictment.
- The news comes not long after one of U.S. law enforcement's biggest phone cracking contractors, Cellebrite, added a capability to its UFED tool that allows cops to break Samsung S7 passcodes with ease.
- The UFED device is a user-friendly tool that police can operate on the move or in their forensic labs to quickly gain access to data on a mobile device.
- A source close to Cellebrite, which has been enjoying some record business in the U.S. of late, told Forbes that the Samsung S7 feature was added in August.
- Neither HTC nor Samsung had responded to requests for comment at the time of publication.
*Source: Forbes, September 12, 2017