Tag Archives: Disclosure

Zoom vulnerability reveals privacy issues for users

Zoom faced privacy concerns after the disclosure of a vulnerability that could allow threat actors to use the video conferencing software to spy on users.

The Zoom vulnerability, originally reported to only affect the Mac version of the software, has been found to partially affect Windows and Linux as well. Jonathan Leitschuh, software engineer at open source project Gradle, disclosed the Zoom vulnerability in a blog post earlier this week and said it “allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”

“On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call,” Leitschuh added. “Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

According to Leitschuh, it took Zoom 10 days to confirm the vulnerability and in a meeting on June 11, he told Zoom there was a way to bypass the planned fix, but Zoom did not address these concerns when Zoom reported the vulnerability fixed close to two weeks later. The Zoom vulnerability resurfaced on July 7, Leitschuh disclosed on July 8 and Zoom patched the Mac client on July 9. Zoom also worked with Apple on a silent background update for Mac users, released July 10, which removed the Zoom localhost from systems.

“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” Leitschuh wrote. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.” 

Zoom — whose video conferencing software is used by more than 4 million users in approximately 750,000 companies around the world — downplayed the severity of the issue and refuted Leitschuh’s characterization of the company.


“Once the issue was brought to our Security team’s attention, we responded within ten minutes, gathering additional details, and proceeded to perform a risk assessment,” Richard Farley, CISO at Zoom, wrote in the company’s response. “Our determination was that both the DOS issue and meeting join with camera on concern were both low risk because, in the case of DOS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings.”

“To be clear, the host or any other participant cannot override a user’s video and audio settings to, for example, turn their camera on,” Farley added. 

Both the disclosure and response from Zoom portrayed the issue as only affecting the Mac client, but Alex Willmer, Python developer for CGI, wrote on Twitter that the Zoom vulnerability affected Windows and Linux as well.

“In particular, if zoommtg:// is registered as a protocol handler with Firefox then [Zoom] joins me to the call without any clicks,” Willmer tweeted. “To be clear, a colleague and I saw the auto-join/auto-webcam/auto-microphone behavior with Firefox, and Chromium/Chrome; on Linux, and Windows. We did not find any webserver on port 19421 on Linux. We didn’t check Windows for the webserver.”

Leitschuh confirmed Willmer’s discovery, but it is unclear if Zoom is working to fix these platform clients. Leitschuh also noted in his disclosure that the issue affects a white label version of Zoom licensed to VoIP provider RingCentral. It is unclear if RingCentral has been patched.

Leitschuh told SearchSecurity via Twitter DM that “Zoom believes the Windows/Linux vulnerabilities are the browser vendors’ to fix,” but he disagrees.
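A host-side check a defender can run after removing the client, added here as an example and not code from the article, from Zoom or from Leitschuh: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` for anything still listening on TCP 19421, the helper-server port named in the article, and can also probe the port live. The sample `lsof` lines, including the process name and PIDs, are constructed; only the port and the `lsof` invocation are real specifics.

```python
"""Check for a lingering localhost helper server after a client uninstall.
Added example, not from the article or Zoom.  Input format is the output of
`lsof -nP -iTCP -sTCP:LISTEN`; the sample lines below are constructed."""
import re
import socket
from dataclasses import dataclass

HELPER_PORT = 19421  # port named in the article

# Constructed sample of lsof output (not captured from a real machine).
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    412  alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ZoomOpener  871  alice   3u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:19421 (LISTEN)
node       1203  alice  22u  IPv6 0x5e6f      0t0  TCP [::1]:3000 (LISTEN)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -> five fields sit between PID and "TCP".
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)(?:\s+\S+){5}\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)


def parse_lsof(text: str) -> list[Listener]:
    """Turn lsof LISTEN lines into Listener records; the header and odd lines are skipped."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["addr"], int(m["port"])))
    return found


def find_helper_listeners(listeners: list[Listener], port: int = HELPER_PORT) -> list[Listener]:
    """Return every listener bound on the helper port, whatever process owns it.
    A hit after the client was uninstalled is the situation the article describes."""
    return [l for l in listeners if l.port == port]


def probe_localhost(port: int = HELPER_PORT, timeout: float = 0.5) -> bool:
    """Live check: True if something on this host accepts TCP connections on the port."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for hit in find_helper_listeners(parse_lsof(SAMPLE_LSOF)):
        print(f"helper port {hit.port} still served by {hit.command} (pid {hit.pid}) on {hit.address}")
    print("live probe:", probe_localhost())
```

On a real machine, feed `parse_lsof` the output of the `lsof` command rather than the constructed sample; a listener that survives an uninstall is the component to remove, which on Mac the July 10 Apple update did.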

Zoom did not respond to requests for comment at the time of this post.

Tom Patterson, chief trust officer at Unisys, said the tradeoff between security and ease of use is “not always a fair trade.”

“The fact that uninstalling any app doesn’t completely uninstall all components runs counter to engendering trust. In this case, it’s an architectural decision made by the manufacturers which appears to be designed to make operations much easier for users,” Patterson told SearchSecurity. “This trust tradeoff, between making it easy and making it secure, is something that every consumer should consider.”


For Sale – Logitech MX Master Wireless Mouse

FULL DISCLOSURE : The scroll wheel will not return to ratchet mode, so whilst every part of the mouse works, there is a functional issue with switching between freespin and ratchet. The wheel works as do all the buttons, including the wheel button.

For sale, boxed MX Master with cable, receiver, instructions. Barely used in the 3 years of ownership as I favour trackballs over mice.

Priced to sell at 30 pounds.

Price and currency: 35
Delivery: Delivery cost is not included
Payment method: Bank Transfer
Location: London
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

Windows 10 zero-day disclosed on Twitter, no fix in sight

A mishandled disclosure process saw proof-of-concept code for a Windows 10 zero-day flaw released on Twitter, but Microsoft has no patch available.

A self-described retired vulnerability researcher who goes by the handle SandboxEscaper announced the Windows 10 zero-day on Twitter on Aug. 27, complete with proof-of-concept (POC) code hosted on GitHub, but didn’t notify Microsoft beforehand. The flaw is part of the Windows Task Scheduler, and it can allow an attacker to obtain system privileges.

According to the CERT Coordination Center (CERT/CC) advisory, the “Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface.”

“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” Will Dormann, vulnerability analyst for CERT/CC, wrote in the advisory. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

Dormann also confirmed on Twitter that although the POC released by SandboxEscaper was designed to be a Windows 10 zero-day and affect 64-bit systems, the exploit would also work on 32-bit systems with “minor tweaks.”

Craig Young, computer security researcher at Tripwire, based in Portland, Ore., noted that the Windows 10 zero-day would allow “the caller to manipulate file permissions of protected system files.”

“This can be used to overwrite system libraries with malicious code to hijack Windows. With this published exploit code, it is trivial for malware to take complete control of the system after the malware has been loaded,” Young wrote via email. “Without a privilege escalation bug like this, the malware would be dependent on users clicking through access control alerts or entering administrator credentials.”

Risk vs. exploit code  

Experts generally agreed the level of risk for this Task Scheduler Windows 10 zero-day wouldn’t normally be too severe, because the exploit requires local access. This means an attacker would have to trick a user into downloading and running a malicious program, or they would need to have previously gained access to a system. However, experts said the release of the POC code changes the risk profile for the Windows 10 zero-day.

Allan Liska, solutions architect at Recorded Future, based in Somerville, Mass., added that this Windows 10 zero-day is another flaw in a long history of issues in the Windows Task Scheduler service.

“At this time, there is no patch for the vulnerability. One possible mitigation is to prevent untrusted — usually guest — users from running code. However, if an attacker gains access with user-level privilege, this mitigation will not work,” Liska said in an email. “The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler, and for this specific POC, monitor for the print spooler service spawning unusual processes,” he continued.

“Though bear in mind that while the POC uses the print spooler service, this vulnerability is not limited to just the print spooler. With some minor tweaking, the POC code could be used to execute other services.”
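A detection sketch for the interim mitigation Liska describes, added here as an example and not code from the article, CERT/CC or Recorded Future: it scans process-creation events for the print spooler spawning a child that is not on its expected list, and because Liska notes the flaw is not limited to the spooler, the watched parent set is a parameter. The events are constructed Sysmon-style records (EventID 1 fields), not captured data, and the expected-children list is an assumption to baseline per environment.

```python
"""Flag a watched service (by default spoolsv.exe) creating an unusual child
process.  Added example, not from the article.  Events are constructed
Sysmon-style process-creation records; the expected-children set is an
assumption for this example."""
import json

# Assumption: children the spooler launches during normal printing.
EXPECTED_CHILDREN = {
    "spoolsv.exe": {"printisolationhost.exe", "splwow64.exe"},
}

# Constructed sample events, one JSON object per line (not captured data).
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4021, "Image": "C:\\Windows\\System32\\PrintIsolationHost.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "ProcessId": 5150, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 3, "ProcessId": 5150, "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "10.0.0.9"}
{"EventID": 1, "ProcessId": 6001, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 1, "ProcessId": 6077, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def unusual_service_children(events: str, watched=EXPECTED_CHILDREN) -> list[dict]:
    """Return one alert per process-creation event whose parent is a watched
    service image and whose child is not on that service's expected list.
    Non-creation events (e.g. EventID 3 network connections) are ignored."""
    alerts = []
    for raw in events.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue
        parent = image_name(ev["ParentImage"])
        if parent not in watched:
            continue
        child = image_name(ev["Image"])
        if child in watched[parent]:
            continue
        alerts.append({
            "parent": parent,
            "child": child,
            "pid": ev["ProcessId"],
            "user": ev.get("User", ""),
        })
    return alerts


if __name__ == "__main__":
    for a in unusual_service_children(SAMPLE_EVENTS):
        print(f"ALERT {a['parent']} -> {a['child']} (pid {a['pid']}, {a['user']})")
```

A spooler child running as SYSTEM that is a shell or an unknown binary is exactly the pattern Liska points at; to cover his caveat that other services could be used instead, add those service images and their baseline children to the `watched` mapping.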

Although there were no specific details, SandboxEscaper expressed frustration with Microsoft and infosec in general before releasing the Windows 10 zero-day on Twitter, but appeared regretful two days later.

SandboxEscaper had mentioned a battle with depression and a desire to quit vulnerability research in a number of tweets leading up to releasing the POC code, and the vast majority of commenters offered messages of empathy or aid.

Microsoft did not respond to requests for comment at the time of this post.

Fortnite vulnerability on Android causes disclosure tension

Google’s disclosure policy and Android security in general came under question after the company disclosed a flaw in the Android installer for the world’s most popular game, Fortnite. The flawed installer is only for Android users because Fortnite developer Epic Games bypassed security protections available for apps distributed through the Google Play Store, in order to maximize profits and avoid paying distribution fees to Google.

On Friday, Google disclosed the Fortnite vulnerability and described it as a risk for a man-in-the-disk attack where any “fake [Android Package Kit] with a matching package name can be silently installed” by the Fortnite installer. Google disclosed the flaw to Epic Games on Aug. 15, and Epic had produced a patch within 24 hours.

After testing the patch and deploying it to users on Aug. 16, Epic asked Google on the issue tracker page if they could have “the full 90 days before disclosing this issue so our users have time to patch their devices.” Google did not respond on the issue tracker until Aug. 24, when it noted that “now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices.”
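The man-in-the-disk weakness described above, an APK in shared storage with the right package name being installed, shown beside a hardened flow, as an added example that is not Epic’s or Google’s code. Android’s external and app-private storage and the package installer are simulated with directories and a callback, and a pinned SHA-256 of constructed stand-in bytes takes the place of the signing-certificate check the platform would perform; all of that is an assumption of the example.

```python
"""Man-in-the-disk: vulnerable install flow next to a hardened one.
Added example, not Epic's or Google's code.  Storage and the installer are
simulated; the digest is computed from constructed stand-in bytes."""
import hashlib
import hmac
import os
import tempfile

GOOD_APK = b"PK\x03\x04 constructed stand-in for the genuine APK bytes"
FAKE_APK = b"PK\x03\x04 constructed stand-in for a look-alike APK"
GOOD_DIGEST = hashlib.sha256(GOOD_APK).hexdigest()  # assumed to come from a trusted manifest


class IntegrityError(Exception):
    pass


def stage_apk(dest_dir: str, payload: bytes = GOOD_APK) -> str:
    """Download step: write the APK into dest_dir and return its path."""
    path = os.path.join(dest_dir, "app.apk")
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def finish_unsafe(path: str, install) -> None:
    """Vulnerable pattern: install whatever now sits at the staged path.  When the
    path is in world-writable shared storage, any other app on the device could
    have replaced the file between download and install."""
    with open(path, "rb") as fh:
        install(fh.read())


def finish_safe(path: str, private_dir: str, expected_digest: str, install) -> None:
    """Hardened pattern: accept only app-private storage, verify the exact bytes
    that will be installed, then install those same bytes (no second read)."""
    real_path, real_private = os.path.realpath(path), os.path.realpath(private_dir)
    if os.path.commonpath([real_path, real_private]) != real_private:
        raise IntegrityError("APK is not in app-private storage")
    with open(path, "rb") as fh:
        data = fh.read()
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_digest):
        raise IntegrityError("digest mismatch, refusing to install")
    install(data)


def demo() -> dict:
    """Run both flows; another app replacing the file is simulated with a plain write."""
    installed = []
    shared, private = tempfile.mkdtemp(), tempfile.mkdtemp()

    # Shared storage, file replaced before the install step: the unsafe flow installs the fake.
    path = stage_apk(shared)
    with open(path, "wb") as fh:
        fh.write(FAKE_APK)  # simulated write by a different app
    finish_unsafe(path, installed.append)
    unsafe_installed_fake = installed[-1] == FAKE_APK

    # Same file with the hardened flow: rejected because of its location.
    try:
        finish_safe(path, private, GOOD_DIGEST, installed.append)
        safe_rejected_shared = False
    except IntegrityError:
        safe_rejected_shared = True

    # Private storage but tampered bytes: rejected on the digest.
    try:
        finish_safe(stage_apk(private, FAKE_APK), private, GOOD_DIGEST, installed.append)
        safe_rejected_tampered = False
    except IntegrityError:
        safe_rejected_tampered = True

    # Private storage and genuine bytes: installed.
    finish_safe(stage_apk(private), private, GOOD_DIGEST, installed.append)
    return {
        "unsafe_installed_fake": unsafe_installed_fake,
        "safe_rejected_shared": safe_rejected_shared,
        "safe_rejected_tampered": safe_rejected_tampered,
        "safe_installed_good": installed[-1] == GOOD_APK,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are in `finish_safe`: the file lives where other apps cannot write, and the bytes that are verified are the bytes that are installed, so there is no window for a swap between the check and the use.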

Epic Games founder Tim Sweeney accused Google on Twitter of wanting “to score cheap PR points” by disclosing the Fortnite vulnerability because Epic Games had released the game outside of the Google Play Store.

Epic Games had previously claimed the reason for not releasing Fortnite for Android through the Play Store was twofold: to maintain a “direct relationship” with customers and to avoid the 30% cut Google would take from in-app purchases. Security experts immediately expressed skepticism about the move because of the security checks in Android that need to be turned off in order to sideload an app from outside of the Play Store and the risk of malicious fakes.

Sweeney admitted on Twitter that the Fortnite vulnerability was Epic’s responsibility, but took issue with Google’s fast disclosure.

It is unclear if Epic Games contacted users directly regarding the Fortnite vulnerability and the need to update. And the company did not respond to requests for comment at the time of this post.

Sweeney did note on Twitter that the “Fortnite installer only updates when you run it or run the game” and said Google was monitoring the Fortnite vulnerability situation.

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said that “from a security perspective there’s no right or wrong in this scenario.”


“As soon as the vulnerability was reported, Epic fixed [it] within 24 hours, which is commendable, and then Google publicly disclosed it according to their policy. Technically, users are now safe and informed regarding a potential security vulnerability that could have endangered their privacy and devices,” Arsene wrote via email. “Granted, not all users will receive and install the update instantly, but the same can be said for most security patches and updates. As long as Epic is committed to delivering patches for their apps, regardless if they’re in Google Play or not, and Google is committed to finding and responsibly disclosing vulnerabilities, security is enforced and users are the ones that benefit most.”

Disclose.io launches vulnerability disclosure ‘safe harbor’

Disclose.io is a new project that promotes a framework for the standardization of norms for vulnerability disclosure with the intent to remove the threat of criminal or civil prosecution of cybersecurity researchers, a long-standing obstacle to more open research and sharing of vulnerabilities by independent experts.

Describing itself as “a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good faith security research,” Disclose.io was jointly announced this week by bug bounty company Bugcrowd and Amit Elazari, a University of California, Berkeley, doctoral candidate and bug bounty legal expert. The project addresses the lack of consistency in policies on vulnerability disclosure, the need to keep researchers safe from legal action by companies with vulnerabilities and a framework to provide researchers with a “safe harbor” from prosecution under the Computer Fraud and Abuse Act (CFAA) or the Digital Millennium Copyright Act (DMCA).

So far, Elazari has listed 21 organizations — up from 18 when the announcement was first made — that have adopted language in their bug bounty programs that follow Department of Justice guidelines for protecting bug bounty participants from prosecution under the CFAA and that also address DMCA issues.

“With growing attention to this issue and increasing adoption of bug bounties in general, as well as the emergence of best practices, I hope adoption within big players will rise,” Elazari wrote by email. “Hackers are also becoming more aware to this issue and with time safe harbor will hopefully become a competitive feature of the program — a way to get more professional eyeballs on your code. This trend will continue as long as the law continues to be murky — and that is the case especially with the CFAA.”

The Disclose.io framework builds on the Open Source Vulnerability Disclosure Framework from Bugcrowd and tech-focused law firm CipherLaw, as well as Elazari’s own #legalbugbounty standardization project, both of which provide guidance on ways to keep participants safe from prosecution under the CFAA or the DMCA for companies setting up their own vulnerability disclosure programs.

Organizations that have adopted safe harbor terms in their bug bounty or vulnerability disclosure programs include Bugcrowd, as well as Dropbox, HackerOne and Mozilla.

Risks of vulnerability disclosure

The Disclose.io project comes from the intent to protect both cybersecurity researchers from the risk of legal proceedings as a result of them disclosing vulnerabilities, as well as to protect program owners from individuals who discover vulnerabilities and act in bad faith; for example, some individuals may have ulterior motives and use bug bounty programs to gain unauthorized access to the program owner’s resources.


However, some organizations attempt to shift some of the risks of bug bounty hunting to the bug hunters, especially when bug bounty participants are not explicitly granted full authorization to all relevant assets.

“Not providing authorization is shifting the legal risk to the hacker. Since these are take-it-or-leave-it contracts, lawyers might be inclined to protect their own organization interests. The main practical barrier for adoption of safe harbor is it actually requires obtaining the rights to authorization in all assets and careful scoping and policy drafting,” Elazari wrote. “When you are authorizing access you are clarifying that one must follow the guidelines to get it, and that’s why it works well for both parties because it signals to the hacker what are the rules. If you intentionally violate the rules — you don’t get the safe harbor.”

In other news

  • Facebook security chief Alex Stamos is leaving the social networking giant and starting a research and teaching role as an adjunct professor at Stanford University’s Freeman-Spogli Institute for International Studies (FSI). His last day at Facebook is Aug. 17, almost precisely five months after The New York Times reported that his “impending exit” was set for August. Prior to his stint at Facebook, Stamos was CISO at Yahoo. In a message posted on his Facebook page, Stamos wrote that he would be continuing his work on “understanding and preventing the misuse of technology,” and would be launching “a course teaching hands-on offensive and defensive techniques and to contribute to the new cybersecurity master’s specialty” at FSI.
  • Congress passed a bill this week that will force tech companies to disclose to the Pentagon if they have allowed foreign governments to examine their software if it was sold to the U.S. military. The legislation was included in the Pentagon spending bill, which was approved by an 87-to-10 vote in the Senate after having passed in the House of Representatives last week; President Trump is expected to sign the bill into law. The new law was drafted after an investigation by Reuters discovered that companies, including Hewlett Packard, SAP and McAfee had allowed Russian agencies to examine their software products as a precondition for sale in Russia. The legislation, included in the fiscal 2019 National Defense Authorization Act, was drafted by Senator Jeanne Shaheen (D-NH), who told Reuters that the new rules would help secure the government’s technology acquisition process.
  • The CA/Browser Forum has changed its rules for how certificate authorities (CAs) are allowed to validate claims of domain ownership for issuance of trusted certificates as of Aug. 1, removing two methods of validation that have been exploited by malicious actors seeking legitimacy through domain certificates. The CA/B Forum Baseline Requirements no longer permit CAs to use the first validation method, which compared the domain certificate applicant’s contact information with domain contact information listed on domain name registrar databases. Until now, CAs could validate an applicant’s contact information with domain contact information returned by a “whois” query to the domain registrar. Also deprecated was the fifth validation method, which “allowed lawyers to write letters asserting ownership of domain names, a subject they are generally not qualified to evaluate,” wrote Timothy Hollebeek, industry and standards technical strategist at DigiCert, in a blog post announcing the move. “Neither of these methods were particularly secure, and we led the effort to get them removed, as part of an overall focus on improving validation standards.”

Zotac 1080ti mini

5 weeks old, boxed as new with invoice from Novatech.

Full disclosure – I paid £630 for this but they are going for £800+ on Ebay at the moment due to apparent shortage.

Payment via BACS please, price includes RMSD.

Price and currency: 700
Delivery: Delivery cost is included within my country
Payment method: BACS
Location: Solihull
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference…


Gemalto Sentinel flaws could lead to ICS attacks

A long disclosure and remediation process between security researchers and a hardware token vendor resulted in patches for dangerous flaws that could have led to attacks on critical infrastructure.

Researchers from Kaspersky Lab ICS CERT said they decided to investigate Gemalto Sentinel USB tokens after penetration tests showed the “solution provides license control for software used by customers and is widely used in ICS and IT systems.”

“The solution’s software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required,” Kaspersky researchers wrote in a report. “From researchers’ viewpoint, [the Gemalto Sentinel software] exhibited a rather curious behavior in the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was defined by the network packet header — either HTTP or a proprietary binary protocol was used. The service also had an API of its own, which was based on the HTTP protocol.”

Kaspersky ICS CERT ultimately found 14 vulnerabilities in Gemalto SafeNet Sentinel tokens, the most critical of which “can be used without local privilege escalation — the vulnerable process runs with system privileges, enabling malicious code to run with the highest privileges.”

Vladimir Dashchenko, head of the ICS CERT vulnerability research team at Kaspersky Lab, told SearchSecurity this issue needs attention because “some of the ICS vendors use such license managers for SCADA software.”

“Some vulnerabilities that we found allow remote code execution, meaning an attacker can access someone else’s computing device and make their own changes. For example, vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the same privileges as the user running the application,” Dashchenko said via email. “Some vulnerabilities are denial-of-service (DoS) vulnerabilities, meaning an attacker has the ability to shut down a machine or network, making it unavailable to its intended users. DoS does not cause machine or network shutdown. It stops the vulnerable process. However in some cases it could possibly cause denial of service for the machine.”

Paul Brager Jr., technical product security leader at Houston-based Baker Hughes and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said the “potential implications and risks for ICS are not trivial.” 

“Open ports that allow remote interaction with engineering workstations or servers that run human machine interface or other process-oriented software licenses managed by this solution could lead to an impact to the software itself, the control assets that are managed by the software, or both,” Brager told SearchSecurity. “Worst case scenario is an impact to the processes that are being governed by the licensed solution — some of which could be critical operating processes. Also given the care that is required when patching, the risks could persist for some time.”

Gemalto Sentinel disclosure and patching

The timeline of the disclosure and patching and issues with communication from Gemalto caught the attention of the researchers. According to Kaspersky, the first set of vulnerabilities was reported to Gemalto in early 2017, but it wasn’t until late June “in response to our repeated requests” that Kaspersky received a reply.

Dashchenko clarified the timeline and noted that although Gemalto claimed it “notified all of its customers of the need to update the driver via their account dashboards; we were contacted by several developers of software that use this server, and it became clear they were not aware about the issue.”

“We have informed and sent to the vendor information regarding all of the identified vulnerabilities. In early 2017, we sent information about 11 vulnerabilities and in late June the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, along with a new version of the driver, could be found on the company’s internal user portal. On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. On July 21, the vendor released a private notice about a new driver version — without any mention of the vulnerabilities closed.”

Gemalto did not respond to requests for comment at the time of this post.

Dashchenko added that Gemalto Sentinel is a “very popular licensing solution,” and noted that an advisory from Siemens listed 16 solutions that need patching against these issues.

Ken Modeste, global principal engineer at Chicago-based Underwriters Laboratories, said patching ICS is complex so users may be wary of the Gemalto Sentinel issues.


“Factory automation and connected control systems are vetted, tested, reliable systems. Deploying patches that have not seen significant runtime and test time can cause significant issues. Most of the implemented systems have requirements around safety, reliability and uptime. Therefore, deploying a patch to software or an embedded product can affect an operational system,” Modeste told SearchSecurity. “The risk associated with either down time or inadvertent failures associated with a patch of either the inherent device or software, or its interaction with other devices and software, will typically be too high for end-users to accept.”

Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS cybersecurity company headquartered in San Francisco, said patching is especially important because “while blocking port 1947 is an option to mitigate the problem, it is also not a solution that is suited for all business processes.”

“Blocking this port could result in the cessation of integral services as well,” Carullo told SearchSecurity. “ICS operators could have strong visibility into the network by applying technologies that are able to monitor the traffic passively to detect anomalies or suspicious activities. These technologies should also be integrated with the firewall to increase the needed visibility in such scenarios.”
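A passive-monitoring sketch for license-manager traffic on TCP 1947, the alternative to blocking the port that Carullo describes, added here as an example and not code from Kaspersky, Nozomi Networks or Gemalto. The article says the Sentinel service speaks either HTTP or a proprietary binary protocol depending on the packet header, so the monitor tells the two apart from the first bytes of a flow and checks the source against an allow-list of hosts expected to need licenses. The flow records, addresses, the allow-list and the rule that the HTTP API should not be driven across the network are all constructed assumptions.

```python
"""Passive monitor for traffic to the license-manager port.  Added example,
not from the article or any vendor.  Flow records and the allow-list are
constructed; the HTTP-versus-binary split follows the article's description."""
from dataclasses import dataclass

LICENSE_PORT = 1947  # port named in the article
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
# Assumption: hosts known to need the license manager (e.g. engineering workstations).
KNOWN_CLIENTS = {"10.0.5.21", "10.0.5.22"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # start of the client's first payload segment


def classify(first_bytes: bytes) -> str:
    """Tell the HTTP API apart from the binary protocol by how the request starts."""
    return "http" if first_bytes.startswith(HTTP_METHODS) else "binary"


def assess(flows, allowed=KNOWN_CLIENTS) -> list[dict]:
    """Rules: (1) a source outside the allow-list talking to the port is high severity;
    (2) HTTP from an allowed host is medium, on the assumption that the web API is
    meant to be used on the license server itself rather than over the network."""
    findings = []
    for f in flows:
        if f.dport != LICENSE_PORT:
            continue
        proto = classify(f.first_bytes)
        if f.src not in allowed:
            findings.append({"src": f.src, "dst": f.dst, "proto": proto, "severity": "high",
                             "reason": "source not in license-client allow-list"})
        elif proto == "http":
            findings.append({"src": f.src, "dst": f.dst, "proto": proto, "severity": "medium",
                             "reason": "HTTP API used over the network"})
    return findings


# Constructed flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "10.0.5.10", 1947, b"\x00\x00\x00\x10\x01\x00\x00\x00"),        # allowed client, binary
    Flow("10.0.9.77", "10.0.5.10", 1947, b"GET / HTTP/1.1\r\nHost: 10.0.5.10:1947"),   # unknown host, HTTP API
    Flow("10.0.5.22", "10.0.5.10", 1947, b"POST / HTTP/1.1\r\n"),                       # allowed client, HTTP
    Flow("10.0.9.77", "10.0.5.10", 443, b"\x16\x03\x01"),                                # unrelated TLS flow
]


if __name__ == "__main__":
    for finding in assess(SAMPLE_FLOWS):
        print(f"[{finding['severity']}] {finding['src']} -> {finding['dst']}:{LICENSE_PORT} "
              f"({finding['proto']}): {finding['reason']}")
```

Findings from a monitor like this can feed the firewall integration Carullo mentions, so that an unexpected source is blocked individually rather than the port being closed for the engineering workstations that legitimately depend on it.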

Brager said the risks of patching the Gemalto Sentinel issues “could be significant, given the pervasiveness of the SafeNet solution in both enterprise and OT/ICS environments.”

“Particularly concerning is the pervasiveness of the solution in control system environments, and what could potentially mean for assets that leverage the SafeNet dongle solution to operate,” Brager said. “In those instances, patching those systems can be a significant (and time consuming) undertaking. Enterprise patching may not be nearly as complex and critical, but it too comes with its own sets of risks.”

For Sale – XFX RX 470 RS…£185 delivered

Full Disclosure: This card has been used for mining ethereum

However, I am a conservative hobbyist miner. It has been run undervolted, with reduced core clocks and very modest mem OC. I have not chased the highest possible hashrate, instead favouring stability and longevity.

I currently only squeeze out 25.5MH/s from this card, to keep temps below 75C at all times without running the fans too hard. I have modded the BIOS (mem timing and undervolt only) but am happy to flash the original back on if desired.

Supplied with original (outer only) box as pictured and original invoice from SCAN.

A loot crate box will be inside the original outer box (I used it to send my old card when I upgraded to the rx 470). It will be securely packed.

Price and currency: £185
Delivery: Delivery cost is included within my country
Payment method: BT, PPG
Location: Falkirk
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference
