Bug in Git Software Could Make Software Repositories Vulnerable

Git, the software used by millions of software developers to manage their source code – the crown jewels of most corporations – is vulnerable to two different attacks.

The first bug would allow a malicious attacker to overwrite code in folders where they should not be.

The second bug allows an attacker to read arbitrary memory and applies across development platforms.

How much damage can be done is unknown, but the likely scenario is that a large percentage of responsible development teams will update their Git software while a surprisingly large number will not, and that is where the attackers will head.

So, what should you do?

There is a patch for multiple versions of Git.  We are starting to see more of this as serious bugs appear and the developers know that people have not updated to the current version.

Patches are available for versions 2.13.7, 2.14.4, 2.15.4, 2.16.4 and 2.17.1 (2).

Microsoft is telling developers to download 2.17.1 (2) and has blocked malicious repositories from being uploaded to Visual Studio Team Services.  How, exactly, they know what is malicious they are not saying.  They also say that they will be releasing a patch “shortly” for Visual Studio.  Hopefully shortly is just a few days.

Linux platforms like Debian are updating their software to use the new version of Git and are telling folks to upgrade.

Bottom line, if you are a software developer and use Git, it is time to upgrade.
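A quick way to tell whether a machine's Git is one of the fixed releases listed above, added here as an example (my code, not the Git project's or The Register's): it parses the `git --version` banner and compares it against the patched versions from this post. Reading the "(2)" on 2.17.1 as the Git for Windows build suffix, which the check ignores, is my assumption.

```python
import re
import subprocess

# First fixed release per minor series, from the version list in this post.  The "(2)" on
# 2.17.1 is assumed to be the Git for Windows build suffix and is not compared.
PATCHED = {
    (2, 13): (2, 13, 7),
    (2, 14): (2, 14, 4),
    (2, 15): (2, 15, 4),
    (2, 16): (2, 16, 4),
    (2, 17): (2, 17, 1),
}

VERSION_RE = re.compile(r"git version (\d+)\.(\d+)\.(\d+)")


def parse_git_version(banner):
    """Return (major, minor, patch) from a `git --version` banner such as
    'git version 2.16.3' or 'git version 2.17.1.windows.2'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised git version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_patched(banner):
    """True when the banner's version is at or above the first fixed release for its
    series.  Series newer than 2.17 are treated as fixed; series older than 2.13 as
    unfixed, because no backported patch was announced for them."""
    major, minor, patch = parse_git_version(banner)
    series = (major, minor)
    if series in PATCHED:
        return (major, minor, patch) >= PATCHED[series]
    return series > (2, 17)


def check_local_git():
    """Run the installed git binary and report whether it needs upgrading."""
    proc = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True)
    ok = is_patched(proc.stdout)
    print("%s: %s" % (proc.stdout.strip(), "patched" if ok else "UPGRADE NEEDED"))
    return ok


if __name__ == "__main__":
    check_local_git()
```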

Information for this post came from The Register.


Come On Folks – Another Amazon S3 Breach

AgentRun is a startup that helps independent insurance agents and brokers manage customer relationships (CRM) and they are the latest company to do the perp walk for leaving an Amazon storage bucket unprotected.

Compromised were thousands of clients’ sensitive data files such as insurance policy documents, health and medical data, Social Security and Medicare cards, blank checks (for payment information) and financial data.

Andrew Lech admitted to the faux pas and quickly fixed it.

But not to worry;  their web site says that the service is secure and uses the latest encryption technology.  Unfortunately, it doesn’t, in this case, require passwords.  Of course, that statement is mostly meaningless, although it MAY be possible to use it in court.  Probably not sufficient to gain a win, however.

Information for this post came from ZDNet.

How do you protect yourself?

First thing – who do you think is liable for the breach?  If you said AgentRun, you are very likely wrong.  The terms of service say:

h.  … Your use of the Service is at your own risk.
i. Among other things, the Service Provider does not warrant or represent to the client that:
  • defects or bugs within the Service will be eliminated or fixed
  • the client’s use of the service will meet the client’s qualifications
  • the Service will be error free, secure or undisrupted to the client
  • any information, regarding the clients use of the Service, will be accurate, current or credible
j. Warranties do not apply to the Service except to the degree they are expressed in the Agreement.
  • The Service provider is not responsible or liable for any direct, indirect or consequential damage to client which may be incurred in relation with the service, including:
    • damage associated with corruption of, deletion of or failure to store any Client’s Content
    • damage associated with any changes or alterations which the Service Provider may make to the Service
    • damage associated with the Client’s inability to provide the Service Provider with credible and accurate account information
    • damage associated with the Client’s inability to protect and secure the Client’s account details (such as a username and password)
    • damage associated with any temporary or permanent interruption in the provision of the Service

And, to add insult to injury, it also says:

n. The client must indemnify the Service Providers, its employees, employers, affiliates, etc. for any and all claims, losses, damage, costs and liabilities resulting from the breach of the Agreement and from the use of the Clients Account.

Source for the terms of service: https://agentrun.com/legal.html

If you are a large enough company, make the vendor give you preferred terms of service if they want your business.

You need to make sure that you have GOOD cyber risk insurance and that it covers breaches at third party providers and breaches of third party (as in your clients’) data.

You should have a vendor cyber risk management program.  My guess is that AgentRun’s cyber security program may be lacking.  I don’t know for sure, but look at the evidence.  This problem happens weekly.

Amazon has created a whole bucket of tools for you to use to help protect yourself from self inflicted mortal wounds like this. Check out Jeff Barr’s post from last year.  Jeff is AWS’s chief evangelist.  The post can be found at https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

Some of Amazon’s features include default encryption, automatic permission checks, detailed inventory reports and other security features.

Finally, as an executive in your company, you need to be asking your IT guys embarrassing security questions.  After all, your head will be on the chopping block if your third party provider – or you – suffer a breach.  Since sometimes it is hard to be a prophet in your own land, contract with us to be your virtual Chief Information Security Officer (vCISO).  We don’t mind asking those embarrassing questions.


Fraud from Mobile Devices up 680%

RSA Security says that the number of fraudulent transactions originating from mobile devices is up 200% since 2015.  In 2015 only 5% of fraudulent transactions originated from mobile;  in 1st quarter 2018 it was 39%.

The volume of fraudulent transactions overall is up 680% and up by 63% since 1st quarter 2017.

On the other hand, you are safer on your desktop.  Since 2015, that percentage is down from 62% to 35%.

But bad guys are getting smarter too.  82% of observed fraudulent e-commerce transactions came from a new device and 32% came from a new account (like, maybe, yours) and a new device.  Hackers need your account to launder the attack through.

If the dollars involved are large enough, the FBI or local police could come knocking on your door to “ask a few questions”.

Phishing is still popular in 48% of the fraud attacks.

And RSA recovered 3.1 million stolen credit cards off the dark web in 1Q 2018.

This means that if you use a cell phone, you are a target, and that is pretty much everyone.

So what should you do?

Here is what RSA says:

Be very careful when downloading apps – the source, the permissions – assume the worst and work backwards from there.

Be careful on clicking – in text messages, in email or in social media.  Even if you think it is coming from a “Friend” BE CAREFUL!

Bad guys often make test purchases first – small ones.  Most credit cards will send you a text message when a charge is made – turn that feature on.  Watch out for those small transactions that are not yours.

Educate yourself and if you run a business unit, educate your people.  These attacks tend to look very real.  It is easy to fall for the bad guys.

For business devices, use mobile device management software such as Microsoft Intune which requires users to register their device.  This makes it much harder to steal credentials and use them someplace else.

Finally, use two factor authentication.  I know it is more work, but so is dealing with fraud.

If you are running an e-commerce site, up the defenses as well.  YOU wind up paying for most of the fraud.

Information for this post came from Help Net Security.


News Bites for Friday May 25, 2018

FCC Investigates Securus

Now that LocationSmart, whose data was used illegally by a sheriff to track other law enforcement officers and which was then hacked, is out of the closet, their somewhat shady but possibly completely legal business practices are no longer in the shadows and the FCC has begun an investigation.  We shall see if the FCC does anything – stay tuned.  They say that they are working to verify that their data was always used with people’s consent.  If it was, I bet the consent was pretty subtle (Source: Ars Technica).

Comcast/Xfinity Web Site Leaks Customer Info

A bug in Comcast’s Xfinity web site that customers use to set up their Internet connection leaks the customer’s address and WiFi network name and password, which, apparently, Comcast stores unencrypted.  All it takes is the account number and the house number of the street address.  IF the customer is providing his own router, then Comcast does not know that information and would not be able to leak it.  The “bug” will return the user’s address and password, among other info, even if the service has previously been activated.  Comcast says that there is nothing more important than their customers’ security;  they removed the feature from their web site after they were told about it (Source: ZDNet).

Apple Allows Users To See Their Own Data on Eve of GDPR

Two days before the law forced them to, Apple has debuted a new web site called PRIVACY.APPLE.COM.  Right now it only works where they have to do it or face a fine of up to $9 billion.  That is a pretty good motivator.  Apple says it will be available later in other places.  Among the data that you will be able to see is:

  • App Store, iTunes Store, iBook Store, and Apple Music activity
  • Apple ID account and device information
  • Apple online store and retail store activity
  • AppleCare support history, repair requests, and more
  • Game Center activity
  • iCloud bookmarks and Reading List
  • iCloud Calendars and Reminders
  • iCloud Contacts
  • iCloud Notes
  • Maps Report an Issue
  • Marketing subscriptions, downloads and other activity
  • Other data

Source: Cult of Mac

Chinese Hackers Find Over a Dozen Bugs in BMW Cars

Chinese security researchers have disclosed 14 vulnerabilities in a host of BMW vehicles including the 3 series, 5 series, 7 series, i series and X series.

Four flaws require physical access; another four can be exploited with indirect physical access.  Some can be exploited remotely via the entertainment system or the telematics system, while others exist in the head unit.

Some of the bugs can be patched “over the air”, but others require the owner to bring the car into the dealer to fix.

One thought.  Given that these researchers work for the Chinese government, how many vulnerabilities did they find and not tell us about?  That is not a far-fetched scenario (Source: The Hacker News).


Hackers Infect 500,000 Routers and Growing

Cisco has released an advisory that at least half a million consumer and small business routers, a number that is still growing, have been infected with malware dubbed VPNFilter.

The malware was detected infecting routers from:

  • Linksys
  • MikroTik
  • Netgear
  • TP-Link
  • QNAP storage devices

The researchers have not figured out a test that a consumer or small business can use to detect whether a particular router is infected or not.

On top of that, there is no “patch” that will inoculate a router against the malware.

The infection is affecting routers in 54 countries and has grown so quickly in the last month that the researchers decided to make their research public early.  They are continuing to study it.

The malware is very flexible in what it can do – including stealing credentials and destroying the router so that the user has to buy a new one.

Among other things, the malware can, apparently, steal files and also run commands on your router, which could lead to a whole variety of different compromises of your systems.

The FBI says that it has seized a server used by the attackers.  Gee, that means that they will hijack a new server and download a new version of the malware onto the compromised devices.  Given this control server was taken offline, it *MAY* mean that the hackers have to reinfect those devices, but apparently, that wasn’t too hard to do in the first place.

Information for this post came from Ars Technica.

OK, so given that, what do you do?

The article lists some of the routers affected.  Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular.  If you have one of the routers listed in the article, you should raise your alert level.

Rebooting the router WILL NOT remove the malware.  Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset.  Beware: if you do that, you will lose the router’s configuration and someone will have to reprogram it.  This may involve sending out a service technician to your house or office.  This, right now, is the only known way to disinfect infected routers.

I recommend putting a separate firewall between your ISP’s router and your internal computers.  This is another level of defense.  Two good firewalls are pfSense (which comes both as open source software and a commercial package) and the Ubiquiti EdgeRouter X.  Note that you will have to have some expertise or hire someone to configure it.  This will, however, give you an extra layer of protection.  And, since you are buying it, your ISP will not have the password to it.

Make sure that you change the default password in your existing router.  One possible way the infection is getting in is via default credentials.

Check to see if there are any patches to your router available from your router manufacturer.  If so, install them and repeat that process every month.

Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire and since it affects so many different devices, it is not likely to get fixed quickly.


Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently.  Orlando has a series of surveillance cameras throughout the city to watch people who are out in public.  They call them public safety cameras since that likely sounds better than the 1984-esque alternative.  Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”.  Of course, most of us won’t complain if the city we live in is safer, but it also means that likely your every move in Orlando (and maybe other cities, we do not know) could be monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone whose check will clear.  Is there any reason that cash-strapped cities won’t do the same?  Maybe with the pictures showing what you were doing and with whom?  Don’t know.  There are no clear universal laws covering this other than that you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.
