March-2017 News Bits

Cyber Security news for the month of March, 2017.

Google Discloses Unpatched Flaw in Edge, Internet Explorer

Google Project Zero has disclosed a potentially serious vulnerability in Microsoft’s Edge and Internet Explorer web browsers before the tech giant could release patches. The details of the flaw and proof-of-concept code were made public by Google Project Zero researcher Ivan Fratric after Microsoft failed to meet the 90-day disclosure deadline.

This is the second unpatched vulnerability in a Microsoft product disclosed by Google Project Zero. Earlier, Mateusz Jurczyk released the details of a medium severity information disclosure flaw tracked as CVE-2017-0038.

Microsoft only released patches for Adobe Flash Player this month after postponing its February 2017 updates to March 14 due to an unspecified “Last minute issue.” It’s possible that the three vulnerabilities affecting Windows and the browsers were supposed to be fixed by the delayed security updates.

CloudPets stuffed toys leak details of half a million users

Details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2 million voice recordings of children and adults who had used the CloudPets stuffed toys. CloudPets’ chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. It would be trivial for an attacker to access the voice recordings of users with simple passwords such as 123456 or cloudpets, but users with unique, secure passwords could be protected in the case of a remote attack.

While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump received is just a fraction of the full information potentially stolen. “If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

“Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2 million voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users; this is unforgivable.”

WikiLeaks Publishes Vault 7, Collection of Alleged CIA Hacking Tools

WikiLeaks published a collection of hacking tools which the organization claims belong to the United States Central Intelligence Agency. The WikiLeaks dump, codenamed Vault 7, comes after a rogue hacking group calling itself The Shadow Brokers had leaked similar tools in the summer of 2016, which they claimed to have stolen from the United States National Security Agency.

The dump contains only PDF documentation for the alleged CIA hacking tools, but none of the actual malware and exploits. WikiLeaks says it has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.

According to a summary of the included documents, there’s documentation for tools targeting Windows, Android, iOS, and even Samsung TVs. Some tools are visibly marked as “Confidential” or “Top Secret,” while others are marked with the names of other intelligence agencies, such as the FBI, NSA, GCHQ, and MI5.

Sensitive US Air Force data found exposed online

A misconfigured, unsecured backup drive containing a huge amount of sensitive data on US Air Force officers has been sitting online, accessible to anyone, for who knows how long. The discovery was made by MacKeeper security researchers, who managed to pinpoint the owner of the device – a Lieutenant in the force – and notify him of the danger.

Information about the security clearance levels of hundreds of officers, SF-86 application forms for two US four-star generals, a file that contains Defense Information Systems instructions for encryption key recovery, a scanned image of the Lieutenant’s JPAS account from the Department of Defense, some NATO documents, and scans of passports were among the documents discovered.

“Cloud backups are a huge security risk if not managed properly. By failing to use the most basic security measure, a password, the US Air Force left all the information necessary to carry out a targeted cyber extortion campaign free for the taking,” Vishal Gupta, CEO of Seclore, commented.

“And, it remains unclear whether the data was misused – which is likely to remain the case due to the lack of information tracking and auditing capabilities. So, while we’ll never know the exact scope of the damage, this incident should serve as yet another example of why persistent data-centric security controls and auditing tools are needed to assure information isn’t put at risk by users.”

Windows, macOS Hacked at Pwn2Own 2017

Researchers hacked Windows, macOS, Firefox, Edge, Safari and Flash Player on the second day of the Pwn2Own 2017 competition taking place alongside the CanSecWest conference in Vancouver, Canada.

Adobe Flash Player was successfully targeted by both Qihoo360’s 360 Security team and Tencent’s Team Sniper, each earning $40,000 for their exploits.

The Qihoo360 team also managed to break Apple’s macOS operating system, earning $10,000 for a privilege escalation that involved an information disclosure flaw and a race condition in the kernel.

The same amount was earned by the Chaitin Security Research Lab team, which elevated privileges on macOS via an information disclosure bug and an out-of-bounds bug in the kernel.

The Windows operating system was hacked by both 360 Security and Team Sniper, each taking home $15,000 for exploits that involved out-of-bounds and integer overflow vulnerabilities in the kernel. Microsoft’s Edge browser was successfully targeted on the second day of Pwn2Own 2017 by two groups from Tencent: Team Sniper and Sword Team.

LastPass Fixes Three Password Theft Vulnerabilities

Engineers at LastPass fixed three different vulnerabilities in the password manager over the last 24 hours, all discovered by Google Project Zero researcher Tavis Ormandy, which could have allowed for the theft of passwords. Fixes for two other vulnerabilities, including one in LastPass’ Firefox add-on and another in LastPass for Firefox, were pushed Wednesday morning.

Ormandy first disclosed the LastPass for Firefox vulnerability in a since-deleted tweet, warning it could allow the theft of passwords for any domain. According to the Project Zero bug tracker report, the LastPass for Firefox vulnerability was similar to the remote code execution bug, Ormandy claims, because the browser loads content scripts into error pages, which could let an attacker run arbitrary script to read back a user’s password.

Ormandy sent details of an exploit he wrote for the vulnerability, just two lines of JavaScript, to LastPass on Monday. Since LastPass patched the issues, details around all three of the bugs, including a link to Ormandy’s RCE exploit, were made public by Google’s Project Zero on Tuesday. LastPass was quick to fix the most concerning issue, which like this week’s, could have allowed access to privileged LastPass RPCs, but also led to a complete remote compromise.
