
The EU banking regulator’s plans to reduce fraud by obliging the use of passwords, codes or a card reader to authenticate electronic payments above 10 euros have drawn fire from the payments industry.

Visa and others argue that mandated authentication checks put forward by the European Banking Authority risk disrupting online shopping without increasing security.

The concern is that making customers jump through more hoops to complete online transactions will result in increased cart abandonment rates, which will likely impact retailers’ bottom line.

The regulation threatens to cramp one-click shopping and automatic app payment technologies for anything other than small payments, the argument goes.

“Changes mean no more express checkouts or quick in-app payments from mobiles, reduced access to non-European online shopping sites, and longer queues at places like toll booths and parking,” according to Visa.

The payments technology company took the unusual step of putting out a statement lambasting the EBA’s draft plan for strong customer authentication (SCA), the final version of which is due out in January.

Robert Capps, VP of business development at behaviour-based biometrics firm NuData Security, said, “We’d tend to support Visa’s stance on this issue in several ways. While it may seem that adding more identity tests to the transaction stream should make the transaction more secure, this isn’t necessarily true.

“If the test is vulnerable to impersonation, as we see with physical biometrics, or is as vulnerable as passwords, no number of additional touchpoints will make the transaction more secure,” he added.

The proposed changes are part of the European Commission’s forthcoming Payment Services Directive 2. If ratified as part of the proposals, strong customer authentication would come into effect across Europe from 2018 onwards. ®



The Register - Security

If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.


A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks who did so, and registering the domains allowed them to clock over 2.8 million devices that contacted the domains in search of updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now owned by these security companies, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and exchange them for malicious ones (the firmware does not check for any signatures to assure the updates’ legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.
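The two defects described above, cleartext transport and no signature check, are independent: an encrypted channel alone would not protect against a hijacked update domain, and a signature check alone would not hide the request. The following is an added example, not Ragentek's code, of how an OTA client can verify a manifest and payload against a vendor public key baked into the firmware, so that neither a man-in-the-middle nor whoever registers the update domain can push an update the device will accept. The manifest format, the field names and the `updates.example.invalid` URL are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed manifest format: the update server sends it
// alongside the payload. Only the vendor holds the private key that signs it;
// the device ships with the matching public key.
type UpdateManifest struct {
	Version   string
	URL       string // location of the payload; must be https
	SHA256    string // hex digest of the payload bytes
	Signature []byte // ed25519 signature over manifestBytes()
}

// manifestBytes is the canonical byte string that is signed and verified.
func manifestBytes(m UpdateManifest) []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// SignManifest runs on the vendor's signing host, never on the device.
func SignManifest(priv ed25519.PrivateKey, m *UpdateManifest) {
	m.Signature = ed25519.Sign(priv, manifestBytes(*m))
}

// VerifyUpdate performs the checks the flawed client skipped: the payload must
// come over TLS, the manifest must carry a valid vendor signature, and the
// payload must match the digest the signed manifest names.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL must use https")
	}
	if !ed25519.Verify(pub, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(sum[:], want) {
		return errors.New("payload digest does not match signed manifest")
	}
	return nil
}

func main() {
	// Constructed vendor key pair; in practice only pub is present on the device.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware image bytes")
	sum := sha256.Sum256(payload)
	m := UpdateManifest{
		Version: "1.0.1",
		URL:     "https://updates.example.invalid/fw-1.0.1.bin",
		SHA256:  hex.EncodeToString(sum[:]),
	}
	SignManifest(priv, &m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, payload))
	// A MitM swaps the payload but cannot re-sign the manifest.
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, []byte("attacker image")))
	// Downgraded transport is rejected before any crypto runs.
	plain := m
	plain.URL = "http://updates.example.invalid/fw-1.0.1.bin"
	fmt.Println("cleartext URL:", VerifyUpdate(pub, plain, payload))
}
```

The check order matters: rejecting a non-HTTPS URL first means the device never fetches over cleartext at all, and binding the payload digest into the signed manifest means an attacker who controls the domain can serve bytes but cannot make the device install them.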

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, but its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” the researchers noted.

But they told Ars Technica that they believe the backdoor capabilities were unintentional, and Ragentek has yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to implement an update with the fix – when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering.

So far, only BLU has released such an update, but the fix has not yet been checked.

A workaround that should keep you safe until a security update is available is to use your device only on trusted networks (e.g. your home network, as opposed to open or public Wi-Fi).


Help Net Security

Three men are due to appear at the Old Bailey charged with various offences linked to an investigation into the mega TalkTalk hack a year ago.

The investigation was launched in October 2015 by the Met's Falcon Cyber Crime Unit following the hack in which 157,000 of its customers' personal details were accessed.

On Tuesday, 15 November, a 17-year-old boy pleaded guilty at Norwich Youth Court to seven offences under the Computer Misuse Act of 1990.

The boy was arrested in Norwich on 3 November last year and subsequently charged. He is due to be sentenced at Norwich Youth Court on 13 December.

The offences were all linked to the unauthorised access in October 2015 to data and programs on various organisations' websites including TalkTalk and Merit Badges as well as universities in Cambridge, Manchester, Sheffield, and Bournemouth.

As part of the wider investigation, detectives have also arrested three other individuals.

Daniel Kelley, of Llanelli, Wales, was charged on 26 September with various blackmail, cyber-crime and fraud offences, and is due to appear at the Old Bailey on Friday, 18 November.

Matthew Hanley and Conner Douglas Allsopp, both from Tamworth, were charged on 26 September with cyber crime and fraud offences and are due to appear at the Old Bailey on Monday, 21 November.

The investigation into the alleged data theft from the TalkTalk website is a joint investigation led by the Met's Cyber Crime Unit with support from Police Service Northern Ireland, Southern Wales Regional Organised Crime Unit, the National Crime Agency, and CERT UK (now the National Cyber Security Centre). ®



The Register - Security

Trump hotel chain fined over data breaches

A chip-enabled credit card, inserted into a store's reader. Credit: Zach Miners

Trump Hotel Collection has arrived at a settlement with New York Attorney General Eric T. Schneiderman over hacks that are said to have led to the exposure of over 70,000 credit card numbers and other personal data.

The hotel chain, one of the businesses of Republican presidential candidate Donald Trump, has agreed to pay $50,000 in penalties and promised to take measures to beef up its data security practices, according to the attorney general’s office.


The chain is one of many hotels and retailers that have been hit recently by malware that skimmed payment card information.

The key charges against Trump Hotel Collection (THC) are apparently that it did not have adequate protection and, even after the attacks became known, did not quickly inform the people affected, in breach of New York law.

"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law," Schneiderman said in a statement Friday.

In May 2015, banks analyzed fraudulent credit card transactions and figured that THC was the last merchant where a legitimate transaction had been made using the cards, suggesting that the hotel chain had been targeted in a cyberattack that resulted in the compromise of credit card information.

Further investigations found that a person with access to legitimate domain administrator credentials had infiltrated the chain's payment processing system in May 2014 and planted malware for stealing credit card information, which was noticed in computer networks at multiple locations, including its New York, Las Vegas and Chicago hotels, according to the statement by the attorney general’s office.

THC could not be immediately reached for comment. Safeguarding customer data is a top priority for the company, a THC spokeswoman

InfoWorld Security

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey of Casey Gerry Schenk Francavilla Blatt & Penfield told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo! had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®



The Register - Security


UK debt relief charity Christians Against Poverty has begun writing to supporters following a data breach that exposed personal details – including phone and bank account numbers, and banking sort codes.

Unidentified hackers broke into the charity’s systems in late July. The intrusion was only detected a week later, as an alert by Christians Against Poverty (a charity that works to lift the poor out of debt) explains.

On 1 August 2016 we identified some suspicious activity on our computer systems that presents a potential security risk for those whose data is held by Christians Against Poverty.

Our investigations show that some, but not all, of our systems were compromised the previous week. As soon as we identified this we called in IT security experts who confirmed that although our servers and systems were well protected, we have been subjected to a sophisticated, illegal, external attack.

Unfortunately, this means that details belonging to supporters and clients (both current and former) may have been accessed. These details could include names, addresses, email, phone and bank account numbers/sort codes. I’m really disappointed that this has happened, but I want to reassure you that we are taking all possible steps to ensure the ongoing security of our systems.

Christians Against Poverty published the notice on 4 August, since when it has begun the process of contacting all affected parties, including supporters and poor families the charity helped with debt problems. El Reg became aware of the breach after an email notice sent to the elderly relative of a reader, Colin, was forwarded to us late last week.

Christians Against Poverty has set up a dedicated micro-site designed to respond to the concerns of affected parties. The charity’s handling of the breach has received a sympathetic response from supporters on Twitter, even though the extent of the problem goes beyond what’s sadly becoming a steady stream of login credential / password breaches.

It's unclear whether the exposed data was encrypted or not, nor why the charity itself was holding banking data on its own systems. In its FAQ, Christians Against Poverty sought to downplay the concerns of supporters and clients while admitting that they may be at heightened risk of phishing attacks.

“We are taking this issue very seriously and are continuing to investigate with the help of the police and external security experts,” it said. “Please be reassured that we are taking all possible steps to ensure the ongoing security of our systems.”

Christians Against Poverty has reported its breach to the Information Commissioner's Office, the UK’s data protection watchdogs. ®



The Register - Security

Approximately 305 new cyber threats are added each week on cybercrime markets and forums, mostly located on dark nets and the deep web.

The threats include information on newly developed malware and exploits that have not yet been deployed in a cyber-attack – information that could be very useful for cyber defenders.


The discovery was made by Arizona State University researchers, who have developed and deployed a system for cyber threat intelligence gathering and used it on 27 marketplaces and 21 hacking forums.

The group, some members of which have also recently released the results of an investigation into the supply on 17 underground hacker markets, also noted that, in a period spanning four weeks, 16 exploits for zero-day vulnerabilities had been offered for sale.

Among these was an exploit for a remote code execution flaw in Internet Explorer 11 (priced at a little over 20 BTC), and for a RCE flaw in Android Web View (price: nearly 41 BTC).

“The Android WebView zero-day affects a vulnerability in the rendering of web pages in Android devices. It affects devices running on Android 4.3 Jelly Bean or earlier versions of the operating system. This comprised more than 60% of the Android devices in 2015,” they explained.

“After the original posting of this zero-day, a patch was released in Android KitKat 4.4 and Lollipop 5.0 which required devices to upgrade their operating system. As not all users have/will update to the new operating system, the exploit continues to be sold for a high price. Detection of these zero-day exploits at an earlier stage can help organizations avoid an attack on their system or minimize the damage. For instance, in this case, an organization may decide to prioritize patching, updating, or replacing certain systems using the Android operating system.”

Not to mention that the vendors whose software is obviously vulnerable could try to come up with a patch or at least temporary mitigations that could minimize the risk of these exploits being leveraged against users.

The researchers’ system has also shown some promise when it comes to mapping the underlying social network of vendors.

The group is currently in the process of transitioning the system to a commercial partner, but the database they created by using it has been made available to security professionals, to help them identify emerging cyber threats and capabilities.


Help Net Security

More than 900 million Android devices that use Qualcomm chipsets are exposed to a set of four vulnerabilities called QuadRooter, Check Point security researchers warn.

The four security bugs allow an attacker to trigger privilege escalation exploits to gain root access to vulnerable devices, researchers say. Although QuadRooter affects only smartphones and tablets built using Qualcomm chipsets, the 65% share of the LTE modem baseband market that Qualcomm enjoys at the moment results in an impressively high number of devices being affected.

In fact, Check Point researchers explain that some of the most popular Android-based smartphones are vulnerable because they use Qualcomm chipsets, including the BlackBerry Priv, Blackphone 1 and Blackphone 2, Google Nexus 5X, Nexus 6 and Nexus 6P, HTC One, HTC M9 and HTC 10, LG G4, LG G5, and LG V10, New Moto X by Motorola, OnePlus One, OnePlus 2 and OnePlus 3, Samsung Galaxy S7 and Samsung S7 Edge, and Sony Xperia Z Ultra.

According to Check Point, unique vulnerabilities affect four different modules, but each vulnerability impacts the entire operating system. The affected modules include IPC Router (inter-process communication), Ashmem (Android kernel anonymous shared memory feature), kgsl (Kernel Graphics Support Layer) and kgsl_sync (Kernel Graphics Support Layer Sync).

The ipc_router module was designed to offer inter-process communication for various Qualcomm components, user mode processes, and hardware drivers; Ashmem is Android’s proprietary memory allocation subsystem, which enables processes to share memory buffers efficiently; kgsl is a kernel driver (Qualcomm GPU component) that has multiple modules, including kgsl_sync, which is responsible for synchronization between the CPU and apps.

The first of the four bugs is CVE-2016-2059, where the ipc_router kernel module opens an AF_MSM_IPC socket that adds proprietary features to the normal IPC functionality. The socket always starts by default as a regular endpoint, and an attacker issuing an IOCTL on a regular socket can convert it to a monitoring socket, Check Point researchers note in their vulnerability report (PDF).

The second issue, CVE-2016-5340, affects the modified ashmem system present on devices based on Qualcomm chipsets, and was discovered in the is_ashmem_file function, researchers say. Because the function doesn’t properly check the file type, an attacker can use Obb, a deprecated feature in Android, to create a file named ashmem on top of a file system and then mount their own file system. The attacker can create a file called “ashmem” in the root directory and trick the system into using it as the genuine ashmem file.

The remaining two vulnerabilities are CVE-2016-2503 and CVE-2016-2504, two use-after-free bugs caused by race conditions in KGSL, researchers explain. CVE-2016-2503 was found in the ‘destroy’ function, which can be called simultaneously by two parallel threads, which could make the kernel force a context switch in one thread.

The CVE-2016-2504 vulnerability was found in kgsl when the module creates an object called kgsl_mem_entry (representing a GPU memory allocation). A user-space process can both allocate and map memory to the GPU, thus creating and destroying a kgsl_mem_entry. The system binds the allocated object to the process and, because no access protection is enforced, an attacker can use another thread to free this object, triggering a use-after-free flaw.

Check Point researchers also explain that these vulnerabilities are found in Qualcomm’s software drivers that are pre-installed on devices, meaning that only the distributor or carrier can patch them, and only after Qualcomm issues fixed driver packs. Qualcomm was informed of these flaws in April and has confirmed that patches have been released for them, the researchers say.

“An attacker can exploit these vulnerabilities using a malicious app. These apps require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” the security researchers note.

Over the past few months, Google’s monthly Android patches have included a large number of fixes for vulnerabilities in Qualcomm drivers, after serious vulnerabilities in the company’s software were found to expose user data or to break Android’s full disk encryption. Even so, the vast majority of Android devices don’t have the latest security patches.


SecurityWeek RSS Feed