Deep Packet Inspection a threat to net neutrality, say campaigners

Some of Europe’s biggest ISPs and mobile operators stand accused of using Deep Packet Inspection (DPI) technology to quietly undermine net neutrality rules and user privacy.

News of the troubling allegation first reached the public domain earlier this year in an analysis by German organisation epicenter.works. It claimed it had detected 186 products offered by providers that appeared to involve applying DPI to their customers’ traffic. Deep packet inspection filters network traffic by looking at the contents of data packets.

Naked Security’s Mark Stockley explains:

Traditional network filtering is like directing road traffic based on the type of vehicle. DPI is like looking at who’s driving and what’s in the trunk.

Now a group of academics and digital rights campaigners headed by European Digital Rights (EDRi) has sent EU authorities an open letter pointing out the implications of this. The EDRi letter states:

Several of these products by mobile operators with large market shares are confirmed to rely on DPI because their products offer providers of applications or services the option of identifying their traffic via criteria such as domain names, SNI, URLs or DNS snooping.

EU regulation outlaws DPI for anything other than basic traffic management, but it seems that providers in many countries have found a grey area that allows them to bend – and increasingly bypass – those rules.

The frontline of this is something called ‘zero rating’ whereby mobile operators attract subscribers by offering free access to a specific application – a streaming service would be one example – without that counting towards their data allowance.

By its nature, this favours larger application providers, in effect busting the principle of net neutrality that says that all applications and services should be given equal prioritisation across networks.

DPI is the technology that makes this possible because:

DPI allows IAS providers to identify and distinguish traffic in their networks in order to identify traffic of specific applications or services for purposes such as billing them differently, throttling, or prioritising them over other traffic.

DPI has Phorm

DPI is a technology that’s been around in business LAN/WAN networking for years and has plenty of legitimate uses, including simply looking at traffic at a packet level to make sure important applications are given higher levels of prioritisation.

ISPs can also use it to detect traffic they deem to be in breach of terms and conditions – such as that sent by a small number of users to torrent and file-sharing sites.

Inevitably, the technology is open to abuse, as appeared to be the case when a number of UK ISPs signed up with an ad targeting company called Phorm in 2008.

Its system worked by using DPI to scan users’ traffic and searches for keywords, then using that data to show them individualised ads. Worse, the platform had been used in trials without the privacy implications being explained to subscribers.

The storm that erupted around (and eventually killed) Phorm turned DPI into a technology with a bad reputation that has stuck ever since in some countries.

A decade on, mobile providers are the big players and, rather like early broadband networks, they operate according to rules that ruthlessly conserve, meter and prioritise data capacity.

It’s the basis on which they’re doing that which EDRi objects to. Its letter to the EU paints a picture of a slow slide towards DPI and, with it, the end of true net neutrality. At that point, it claims, user privacy will be in deep packet trouble.

Prevention v cure

One difference in today’s battles with DPI is the emergence of standards and technologies that allow users to fight back. These include widespread HTTPS and emerging standards that secure DNS traffic, such as DNS over HTTPS, and that encrypt the Server Name Indication (SNI) sent at the start of a TLS connection.
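To make concrete what a DPI box actually matches on when the EDRi letter lists SNI as an identification criterion, and what encrypting the SNI takes away from it, here is an added example that is not part of the original article: a small Python parser that reads the plaintext server_name extension out of a TLS ClientHello, together with a builder that constructs a minimal ClientHello for testing. The ClientHello bytes are synthetic (no network capture is involved) and the hostname is a placeholder chosen for the example.

```python
import struct

# Added example, constructed for illustration: a minimal TLS ClientHello
# carrying a server_name (SNI) extension, and a parser that pulls the name
# back out exactly as a DPI device does, without decrypting anything.


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return n.to_bytes(3, "big")


def build_client_hello(hostname=None):
    """Build a TLS record holding a minimal ClientHello. When hostname is given,
    a plaintext server_name extension is included, which is what current TLS
    sends before any key exchange has happened."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + _u16(len(name)) + name          # name_type host_name (0)
        server_name_list = _u16(len(entry)) + entry
        extensions += _u16(0) + _u16(len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                    # client_version: TLS 1.2 wire value
        + bytes(32)                    # random (zeros; constructed sample)
        + b"\x00"                      # session_id length 0
        + _u16(2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression methods: null only
        + _u16(len(extensions)) + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # TLS record header


def extract_sni(record):
    """Return the SNI hostname from a TLS record containing a ClientHello, or
    None if the record is not a ClientHello, is malformed, or carries no
    server_name extension. With Encrypted Client Hello the real name lives in
    the encrypted inner ClientHello and this parser only ever sees the cover name."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("idna")
        return None
    except (struct.error, IndexError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("video.example.com")      # placeholder hostname
    print("SNI visible on the wire:", extract_sni(hello))
    print("SNI without the extension:", extract_sni(build_client_hello()))
```

Even though HTTPS hides the URL path and the page content, the hostname travels in the clear in the very first handshake message, so matching a "zero-rated" service on it needs no decryption and no cooperation from the application provider beyond the domains it uses. With Encrypted Client Hello (the successor to the ESNI drafts) the outer ClientHello carries only the public name of the fronting server, so a parser like this one no longer identifies the service behind it.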

Alternatively, VPNs are an even simpler way to prevent DPI monitoring because all traffic crossing the ISP’s network is encrypted. Arguably, that’s a kludge. Not all VPNs have a trustworthy reputation, and the ones that do tend to be expensive and far from seamless to set up. There’s also the possibility of DNS leaks.

If a newer generation of privacy-oriented VPNs, such as Cloudflare’s proposed 1.1.1.1 Warp service, doesn’t offer a way out for users, it’ll be down to the EU to tighten the rules. Mobile companies won’t go down without a fight because DPI has been built into their business models and can’t easily be ripped out.

DPI has the potential to turn into a decade-defining fight.

Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market

According to Gartner [1], “Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.”

The case for network traffic analysis to uncover hidden threats

You are charged with protecting your organization and have made multiple investments to do so. But you might be underutilizing one of the biggest investments your organization has already made – the network infrastructure. With 1 in 4 organizations running the risk of a major breach in the next 24 months, it’s not a matter of if but when you will be breached. And you need to be able to detect and respond quickly to incidents.

The network is a rich data source, and by analyzing how the different entities are “behaving” within the network, we can identify malicious activities associated with a breach. This helps detect attacks in near real-time. Today, the average time to detect a breach is 197 days [2]. Can you really afford to wait more than 6 months to know whether you have been compromised? Additionally, network security analytics can expedite investigations to pinpoint the source of the threat so you can take appropriate actions. This considerably cuts down the time to contain a threat from the average 69 days [3] to a few hours!

Cisco’s network traffic analysis (NTA) solution, Stealthwatch, provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. Using a combination of behavioral modeling, machine learning and global threat intelligence powered by Cisco Talos, Stealthwatch can quickly, and with high confidence, detect threats such as command and control attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, as well as insider threats. With a single, agentless solution, you get comprehensive threat monitoring across the data center, branch, endpoint and cloud, and even find threats hidden in encrypted traffic.

Stealthwatch has some key attributes that you should demand from your network traffic analysis solution for the following outcomes:

Contextual network-wide visibility

First and foremost, network traffic analysis provides visibility into every device on the network and what it is doing. Legacy servers, IoT, mobile, and remote users – a lot of organizations simply don’t know what’s on their network, let alone protect it. And this visibility extends across all the dynamic environments that are typical of the modern digital enterprise – from the campus, branch and data center to the cloud. And with the rise in encrypted traffic and the internet going dark, you also need visibility into threats hiding in encrypted traffic.

Predictive threat analytics

Secondly, there are some unique threats that can only be detected if you are continuously monitoring network activity. Your traditional security tools will not be able to catch insider threats – caused by a rogue employee trying to exfiltrate sensitive data, or by a compromised admin credential that the attackers are now using to sweep through the entire organization. Additionally, you have created a lot of security policies to prevent threats, or simply to remain compliant. But how do you know those are being enforced? That the controls you have set up are actually working? Also, as mentioned earlier, network traffic analysis tries to identify malicious behavior and therefore can help detect threats like unknown malware.

Accelerated response

Lastly, let’s talk about incident response. What do you do if you know that you have been compromised? Where do you begin investigating? With network traffic analysis, you can attribute the malicious behavior to a specific IP and perform forensic analysis to determine how the threat has moved laterally within the organization: which other devices might be infected, where external communication is occurring, and so on. This leads to faster response in order to prevent any business impact.
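The three outcomes above (visibility, behavioral analytics, response) all rest on one mechanism: collecting flow records from the network and looking for behavior rather than signatures. As an added illustration, which is not Cisco’s code and says nothing about how Stealthwatch works internally, here is a Python sketch of two such behavioral checks over constructed NetFlow-style records: beaconing (an internal host contacting an external one at a near-constant period, the shape command-and-control traffic often has) and lateral fan-out (one host reaching many internal peers on a single service port within a short window). The flow records, addresses, ports and thresholds are all invented for the example; the last function groups findings by source IP, which is the “attribute the behavior to a specific IP” starting point the passage describes.

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Constructed flow records (NetFlow/IPFIX-style), not from any real network.
# Tuple fields: start time in seconds, source IP, destination IP, dest port, bytes.
FLOWS = [
    # 10.0.1.20 contacts an external host every 60 s: beaconing
    *[(t, "10.0.1.20", "203.0.113.9", 443, 820) for t in range(0, 600, 60)],
    # the same host then touches SMB on 30 internal machines in 30 s: lateral fan-out
    *[(700 + i, "10.0.1.20", f"10.0.2.{i}", 445, 300) for i in range(1, 31)],
    # ordinary, irregular web traffic and a single file-share access from another host
    (5, "10.0.1.21", "198.51.100.7", 443, 15000),
    (97, "10.0.1.21", "198.51.100.7", 443, 2200),
    (350, "10.0.1.21", "198.51.100.7", 443, 8100),
    (355, "10.0.1.21", "198.51.100.8", 443, 64000),
    (710, "10.0.1.21", "10.0.2.5", 445, 1200),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_beacons(flows, min_count=5, max_jitter=0.2):
    """Flag (src, dst, port) triples whose outbound connections to an external
    host recur at a near-constant interval. Jitter is measured as the
    coefficient of variation of the gaps between connections."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), ts in times.items():
        ts.sort()
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mean(gaps), 1), "count": len(ts)})
    return hits


def find_lateral_fanout(flows, dport=445, window_s=300, min_targets=10):
    """Flag internal hosts that reach an unusual number of distinct internal
    peers on one service port inside a sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, p, _ in flows:
        if p == dport and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):
            while events[j][0] < events[i][0] - window_s:   # slide window start
                j += 1
            best = max(best, len({d for _, d in events[j:i + 1]}))
        if best >= min_targets:
            hits.append({"src": src, "dport": dport,
                         "distinct_targets": best, "window_s": window_s})
    return hits


def triage(flows):
    """Group all findings by source IP so an analyst can start from one host
    and pivot to where it beaconed and what it touched internally."""
    by_host = defaultdict(list)
    for hit in find_beacons(flows):
        by_host[hit["src"]].append(("beacon", hit))
    for hit in find_lateral_fanout(flows):
        by_host[hit["src"]].append(("lateral_fanout", hit))
    return dict(by_host)


if __name__ == "__main__":
    for host, findings in triage(FLOWS).items():
        print(host)
        for kind, detail in findings:
            print("  ", kind, detail)
```

Real deployments tune the thresholds per network and baseline them against what each host normally does, which is the “behavioral modeling” the passage refers to; the point of the sketch is that neither check needs packet payloads or decryption, only who talked to whom, when and on which port, so it keeps working on encrypted traffic.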

Download your complimentary copy of the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market here.

To learn more about Cisco Stealthwatch, go to https://cisco.com/go/stealthwatch

[1] Gartner Market Guide for Network Traffic Analysis, Lawrence Orans, Jeremy D’Hoinne, Sanjit Ganguli, 28 February 2019.
[2] Source: Ponemon 2018 Cost of a Data Breach Study.
[3] Source: Ponemon 2018 Cost of a Data Breach Study.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Amnesty sues maker of Pegasus, the spyware let in by WhatsApp zero day

Last week, Facebook’s WhatsApp whispered out a warning to update the mobile messaging app after learning that it had a vulnerability that really deserved to be shouted from the rooftops: a zero-day vulnerability that allowed hackers to silently install government spyware onto victims’ phones had been exploited in the wild.

The zero day meant that with just one call, spies could access your phone and plant spyware – specifically, the notorious Pegasus software.

Pegasus has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.

WhatsApp quickly patched the vulnerability.

Just as quickly, Amnesty International filed a lawsuit that seeks to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.

Last Monday, Amnesty announced that it’s taking the Israeli Ministry of Defense (MoD) to court to force it to revoke NSO Group’s export license.

Thirty members and supporters of Amnesty International Israel and others from the human rights community are alleging that NSO Group’s spyware has been used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.

Referencing the June 2018 spearphishing attack on an Amnesty staff member, Danna Ingleton, Deputy Director of Amnesty Tech, said in an affidavit that the attack was “the final straw.”

NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw.

The Israeli MoD has ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.

How Pegasus flies

As Ingleton described in the affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.

Alternatively, NSO Group has reportedly figured out how to infect a device without user interaction. As Motherboard has reported, all it takes is a phone call to a targeted device to grant the attacker full access to its contents, without the need for the victim to click on a rigged link.

Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections. It also gives its operator the ability to remotely operate a device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of a target’s location data.

When Amnesty’s technology team analyzed the rigged link that had been sent via a WhatsApp message in the June 2018 spearphishing attack, they found that it was connected to a domain known to distribute and deploy NSO Group’s Pegasus spyware. Had the staff member clicked on the link – which they did not – they would have been taken to a site that would have attempted to install the spyware on their device.

In fact, the domain that hosted the link is part of a network of more than 600 suspicious domains used to trigger Pegasus infection, according to the affidavit.

Although the targeted Amnesty employee hadn’t clicked on the boobytrapped link, they were still horrified that they’d been targeted on the basis of their human rights work, in “clear violation of the right to freedom of opinion, freedom of expression, and the right to privacy, guaranteed under the International Covenant on Civil and Political Rights,” the affidavit said.

The fear is lingering: the employee has declined to have their name released in the aftermath. But he or she is only one of scores of targets: Citizen Lab has traced use of Pegasus spyware to 45 countries where its operators may have been using it in surveillance campaigns between August 2016 and August 2018.

Off-label use of government spyware?

NSO Group’s response to incidents of operators unlawfully using its software to persecute dissidents, activists and journalists has been consistent: it repeatedly points out that Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. From the statement it put out after the June 2018 spearphishing attack on Amnesty:

NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.

In the lawsuit filed last week, Amnesty says that NSO Group has been ignoring the “foreseeable risk” that governments would misuse its spyware to unlawfully surveil human rights defenders.

There is no evidence that NSO Group refused to sell its products to those governments, ascertained that those governments had proper legal frameworks and oversight mechanisms for the use of spyware in place prior to any sale, or revoked access to its products after evidence emerged of their misuse.

NSO Group claims that its Business Ethics Committee reviews and approves all transactions and that it conducts investigations into allegations of misuse. Yet it hasn’t disclosed what factors it considers when choosing who to sell to, doesn’t disclose much of anything with regards to the results of its investigations into misuse, and has failed to demonstrate what, if anything, it’s done to mitigate the risks of misuse, the affidavit says.

At a minimum, NSO Group could review the human rights record of a prospective client country. It could also monitor use of products post-sale, Amnesty says.

Trampling on human rights

The legal action is being brought by Amnesty International as part of a joint project with New York University (NYU) School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic. Faculty Director Margaret Satterthwaite:

The targeting of human rights defenders for their work, using invasive digital surveillance tools, is not permissible under human rights law. Without stronger legal checks, the spyware industry enables governments to trample on the rights to privacy, freedom of opinion and expression.

The Israeli government needs to revoke NSO Group’s export license and stop it profiting from state-sponsored repression.

Rats leave the sinking ship as hackers’ forum gets hacked

Prepare yourself for the warm glow of schadenfreude: OGUsers, a forum devoted to trading stolen Instagram, Twitter and other accounts, has apparently been hacked, its forum hard drives wiped, and its user database stolen and published on a rival hacking community site for any and all comers to download for free.

As Motherboard reported last year, OGUsers – called OGU by its members – is a forum popular among hackers who specialize in hijacking people’s accounts, particularly through SIM swapping.

Trading in desirable usernames

Launched in April 2017, the forum is a market for buying and selling “OG” usernames. That’s short for “original gangster” and refers to usernames that are considered desirable, whether it’s because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few.

According to Motherboard, OGUsers traded in hijacked social media accounts, as well as in PlayStation Network, Steam, Domino’s Pizza, and other online accounts.

The administrator of OGUsers, known as “Ace”, announced the attack in a post on the forum on 12 May 2019. According to security journalist Brian Krebs, Ace told forum members that an outage had been caused by a hard drive failure that erased months’ worth of private forum posts and prestige points. Ace said they’ve restored a backup from January 2019.

But, as we’ve since come to find out, that 12 May outage coincided with the theft of the forum’s user database and the erasure of its hard drives.

Four days after Ace’s post, the administrator of a rival hacking community, RaidForums, announced that they’d uploaded OGUsers’ database. Come and get it, RaidForums administrator Omnipotent said, raising an eyebrow at OGUsers’ use of the vulnerability-vexed MD5 hashing function:

On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.

Krebs got hold of the purloined list of OGUsers’ members. He said it appears to contain the usernames, email addresses, hashed passwords, private messages and IP addresses at the time of registration for around 113,000 users – although, he said, some users are likely using multiple aliases. Motherboard also checked out the database and found that it contained users’ emails and source code.
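The detail that the forum stored passwords as salted MD5 is the security-relevant point in that post: a salt defeats precomputed tables, but MD5 remains a fast hash, so an offline guessing run against a leaked database can try a very large number of candidates per second, and exposed users can expect their passwords to be recovered wherever they reused them. As an added example, not code from the page or from any forum software, here is a Python comparison of a generic salted-MD5 record (constructed for illustration; the page does not say which exact scheme the forum used) with PBKDF2-HMAC-SHA256 from the standard library, plus the verify-and-upgrade pattern a site uses to migrate legacy records transparently at each user’s next login. The cost measurement reports how much more expensive a single guess becomes; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
import time

# Added example, constructed for illustration: a generic salted-MD5 record
# format (not a claim about any particular forum package's exact scheme) beside
# PBKDF2-HMAC-SHA256 from the standard library, and a verify-and-upgrade path.

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to ~0.1-0.5 s per hash


def hash_md5_salted(password, salt=None):
    """Legacy form: fast hash over salt||password. The salt stops precomputed
    tables but does nothing about raw guessing speed."""
    salt = salt if salt is not None else os.urandom(8).hex()
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"md5${salt}${digest}"


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow, salted KDF: every guess costs the attacker `iterations` HMAC calls."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Constant-time comparison against either record format."""
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        salt, digest = parts
        candidate = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown password record scheme: {scheme}")


def verify_and_upgrade(password, stored):
    """Check the password. If it matched a legacy MD5 record, also return a new
    PBKDF2 record for the caller to store, so the database migrates itself as
    users log in. Returns (ok, new_record_or_None)."""
    ok = verify(password, stored)
    if ok and stored.startswith("md5$"):
        return True, hash_pbkdf2(password)
    return ok, None


def cost_ratio(md5_samples=20_000):
    """How many times more expensive one PBKDF2 guess is than one salted-MD5
    guess on this machine. That factor is what an offline attacker must pay
    per candidate after a database leak."""
    salt = "00112233"
    t0 = time.perf_counter()
    for i in range(md5_samples):
        hashlib.md5((salt + str(i)).encode("utf-8")).hexdigest()
    md5_each = (time.perf_counter() - t0) / md5_samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", os.urandom(16), PBKDF2_ITERATIONS)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / md5_each


if __name__ == "__main__":
    legacy = hash_md5_salted("correct horse battery staple")
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("legacy record verified:", ok)
    print("upgraded record:", upgraded[:40] + "...")
    print("one PBKDF2 guess costs about %.0fx one salted-MD5 guess" % cost_ratio())
```

The upgrade-on-login pattern matters because a site cannot rehash stored records without the plaintext; it can only replace each record the next time that user authenticates, and records for accounts that never log in again stay in the weak format, which is exactly the population a dumped database exposes.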

Motherboard verified the data by searching for two accounts registered by its reporters.

Music from the tiniest violin

OGUsers’ members are, understandably, and to the delight of the universe’s karmic balance, freaked. Several threads on OGUsers have been filled with users worrying that they’ll be exposed due to the breach, while some claim that they’ve already received phishing emails, Krebs reports.

Some are furious at Ace, claiming he disabled users’ ability to remove their accounts. Krebs quoted one user who had this to say on the Discord chat:

Ace be like:

– not replace broken hard drives, causing the site to time warp back four months
– not secure website, causing user info to be leaked
– disable selfban so people can’t leave

Motherboard talked to one OGUsers member who said that the rats are leaving the sinking ship, worried about 1) getting hacked themselves and 2) a visit from the law:

It’s like a nuke dropped on the site. Some people only used OGU pms as their only contact, so if you were to look into it or an FBI agent there is a lot to find.

No, no, please don’t go, little ratties, Ace said in a post. OGUsers getting breached is just like any other site getting breached, they wrote, neglecting the part about how most of the users are presumably cybercrooks:

OGUsers has been online close to 3 years now and this is the first time any breach has occurred. I do understand everyone’s frustration and I am deeply sorry this has all happened recently. You must realize other sites such as Twitter, Facebook, Dropbox, Forums you have used in the past, and many more have been breached at least once. People are targeting the site 365 days a year. Again, I am deeply sorry this occurred and I will do my best to make sure it never happens again.

… yes, it’s exactly like Twitter or Facebook or Dropbox getting breached, with the teensy weensy exception of potential incarceration for the people whose personal information was exposed.

We’d wish you good luck as you scamper, little ratties, but hey, you know… karma and all that. We wish you no luck at all in escaping the long arm of the law, and the victims of your account hijackings no doubt share that attitude.

Still, we can’t be too tickled about crooks kicking each other’s shins off. Malware is a scourge that Sophos battles all the time, so we can’t applaud too loudly, even when, say, a Nigerian scammer infects himself.

And like we said when we reported about hackers hacking hackers – if hackers can be hacked, then so can you, if you aren’t careful.

So be careful!

WordPress plugin sees second serious security bug in six weeks

Researchers have uncovered the second serious bug in a WordPress plugin this month that could lead to the mass compromise of WordPress websites.

The bug in the WP Live Chat Support plugin allows attackers to inject their own code into websites running it. It follows a bug discovered in the plugin six weeks ago that allowed attackers to execute code on affected websites. 

WP Live Chat Support is an open source third-party plugin for WordPress that allows users to install live chat functionality on their sites for customer support purposes. There are over 60,000 active installations of the software today, according to its WordPress page.

According to Sucuri, the vulnerability lies in an unprotected admin_init hook. A hook is a way for one piece of code to interact with and change another. 

WordPress calls the admin_init hook whenever someone visits a WordPress site’s admin page, and developers can use it to call various functions at that point.

The problem is that admin_init doesn’t require authentication, meaning that anyone who visits the admin URL can cause it to run code. WP Live Chat’s admin hook calls an action called wplc_head_basic, which updates the plugin settings without checking the user’s privileges. 

An unauthenticated attacker could use this flaw to update a JavaScript option called wplc_custom_js. That option controls the content that the plugin displays whenever its live chat support window appears. An attacker can insert malicious JavaScript into multiple pages on a WordPress-powered website, the researchers explain.
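To make the pattern concrete, here is an added illustrative example (not the plugin’s own code, and not from Sucuri) of an admin_init handler that writes a setting without a privilege check, beside a hardened version. The function names, the nonce action name and the use of a POST field are assumptions; only the admin_init hook and the wplc_custom_js option come from the article.

```php
<?php
/*
 * Illustrative reconstruction of the pattern described above; this is not
 * WP Live Chat Support's code. Function and nonce names are assumptions.
 */

// VULNERABLE PATTERN: admin_init fires for any request that loads the admin
// bootstrap (including unauthenticated requests to wp-admin/admin-ajax.php),
// and the handler writes an option without checking who is asking.
add_action( 'admin_init', 'example_vulnerable_save_settings' );
function example_vulnerable_save_settings() {
    if ( isset( $_POST['wplc_custom_js'] ) ) {
        // The stored script is later echoed into every page that renders the
        // chat widget, so an unauthenticated request becomes stored XSS.
        update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
    }
}

// HARDENED PATTERN: require a capability and a nonce bound to this action
// before writing. Settings writes are better moved off admin_init onto an
// admin-post.php or Settings API handler, but these two checks are the ones
// the vulnerable handler lacked.
add_action( 'admin_init', 'example_hardened_save_settings' );
function example_hardened_save_settings() {
    if ( ! isset( $_POST['wplc_custom_js'] ) ) {
        return;
    }
    // 1. Authorisation: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF protection: the submitting form must carry a nonce for this
    //    action ('example_save_chat_settings' is an assumed action name).
    check_admin_referer( 'example_save_chat_settings', 'example_nonce' );
    update_option( 'wplc_custom_js', wp_unslash( $_POST['wplc_custom_js'] ) );
}
```

Auditing a plugin for this class of bug means listing every admin_init (and admin-ajax) callback that calls update_option and confirming each one reaches a current_user_can check and a nonce check first.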

This isn’t the first time that WP Live Chat has had to patch its plugin. Last year, its developers patched CVE-2018-12426, which was a bug allowing users to upload PHP scripts to the site and execute code remotely. 

In April, Alert Logic found that the plugin was still vulnerable even after the patch. The developers introduced the flaw by writing their own file upload code rather than relying on WordPress’s built-in code, the researchers said. 

WP Live Chat Support fixed the JavaScript insertion bug in version 8.0.27 and the file upload bug in 8.0.29, released on 15 May 2017. Website owners should patch now, Sucuri says:

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous. 

However, some users complained that they were unable to update. WP Live Chat’s page in the WordPress plugin directory says it is closed to new installations. In its support forum, user Tiiunder said:

I am not able to update the plugin anymore, which is necessary because of the vulnerability which occurred in the last few days.

I get the message: This plugin has been closed for new installations.

Others reported the same problem, with one complaining that the plugin was part of a WordPress theme they had bought.

We were unable to get a response from the company via several channels, but it urged people to update on Twitter last week. Its blog mentions that it recently merged the free and pro versions of the plugin and points to an installation guide.


Kids and Mobile Devices

Background

The number of ways children today can go online and interact with others is staggering. From new social media apps and games to schools issuing Chromebooks, kids’ social lives and futures depend on their ability to make the most of technology. As parents, we want to make sure they do so in a safe and secure manner. However, this can be a challenge, as many of us never grew up in a technical environment like this. To help you, we cover the key steps to enabling today’s kids to make the most of technology safely and securely.

Education/Communication

The key to protecting kids online is to educate them and make sure that you talk to them and they talk to you.

The number one step you can take is communication; make sure you are always talking to your kids and they are talking to you. Far too often, parents get caught up in the technology, asking questions such as, “What apps are good or bad,” or “What is the best kids’ security software.” Ultimately, this is not a technology challenge, but a behavior and values challenge. We want kids to behave online as they would in the real world. A good place to start is to create a list of rules or expectations with your kids on how they should use technology. Here are some things to consider: (Remember, these rules will evolve as kids get older.)

– Times when they can or cannot go online, and for how long.
– Ask your children who their online friends or followers are, and how they became friends. Do they actually know the people that they are connected to online?
– Talk about the types of websites they should or should not visit, games that are appropriate or not, and why.
– What information they can share and with whom. Children often do not realize what they post is permanent and public. In addition, they may think they are sharing a secret with just one person, but that secret can easily be shared with the world.
– Who they should report problems to, such as if someone online is being a bully or creepy.
– Treat others online as they would want to be treated themselves.
– There is no anonymity online; people can find out who you are.
– People online may not be who they claim to be.

For older children, one option is to tie these rules to their academic grades, completion of chores, or how they treat others. The better their behavior in the real world, the more they can do online. Once you decide on the rules, post them by the family computer or your child’s bedroom door. Even better, have them review and sign the document. That way, everyone is in full agreement. The earlier you start talking to your kids about your expectations, the better. Not sure how to start the conversation, especially with older kids? Ask them what apps they are using and how they work. Put your child in the role of teacher and have them show you what they are doing online.

Technology

In addition to education, there are technologies you can use to monitor and help protect your kids. We find that technical solutions work best for younger children, especially protecting them from accidentally accessing inappropriate or harmful content. However, technical controls do not work as well as children get older. Older kids not only need more access to the Internet, but often use devices that you do not control or cannot monitor, such as those issued by school, gaming consoles, or computers at a friend’s or relative’s house. This is why education is so important.

Another step is to have a dedicated computer just for your kids. This way, they cannot accidentally infect your computer, which you may use for sensitive activities, such as banking online or taxes. In addition, keep their computer in a public, high-traffic area so their activities can be monitored. Just because they say they are doing homework does not mean they are actually doing homework. Finally, make sure the computer is secured, routinely backed up, and your children do not have administrator rights to it. For mobile devices, consider a central charging station somewhere in your house. Before your children go to bed at night, have all mobile devices placed at the charging station so your children are not tempted to use them when they should be sleeping.

Leading by Example

Do not forget that we also need to set a good example as parents. This means that when your kids talk to you, put your own digital device down and look them in the eye. Consider not using digital devices at the dinner table and never text while driving. Finally, when kids make mistakes, treat each one as an experience to learn from instead of engaging in an immediate disciplinary action. Explain “why” each time and remind them that you are only trying to protect them from the dangers they cannot yet see. Let them know they can come to you if and when they experience anything uncomfortable online, perhaps even have them take a screenshot to share with you. Make sure they also feel comfortable approaching you when they realize they themselves have done something inappropriate. Keeping communication open and active is the best way to help kids stay safe in today’s digital world.

License

OUCH! newsletter is under the Creative Commons license. You are free to share / distribute it but may not sell or modify it.

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

Threat Research

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.
