This week there's a lot of connected things: connected shoes, connected garage camera and connected GoPro. And then there's Scott's Grindr account. Awkward. Actually, since recording this weekly update the details of the issue have now been released so I'll talk about that in more detail next week. This week there's all the above and, on a more personal note, my relationship with Charlotte. Enjoy.
My shoes are connected! (that's the tweet thread of how to update the firmware in them - yep, updating the firmware in my shoes)
Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which for many people, makes it particularly sensitive. It's sensitive not just because by using the site it implies one's sexual orientation, but because of the sometimes severe ramifications of fitting within Grindr's target demographic. For example, in 2014 Egypt's police were found to be using Grindr to "trap gay people" which was particularly concerning in a country not exactly up to speed with LGBT equality. Another demonstration of how valuable Grindr data is came last year when the US gov deemed that Chinese ownership of the service constituted a national security risk. In short, Grindr data is very personal and inevitably, very sensitive for multiple reasons.
I contact you because i reported a serious security issue to one of the biggest dating applications for gays (Grindr) but the vendor keep ignoring me !
I sent them all the technical details but no way. The vulnerability allow an attacker to hijack any account.
He wanted help in disclosing what he believed was a serious security vulnerability and clearly, he was hitting a brick wall. I asked for technical detail so I could validated the authenticity of his claim and the info duly arrived. On a surface of it, things looked bad: complete account takeover with a very trivial attack. But I wanted to verify the attack and do so without violating anyone's privacy so I asked Scott Helme for support:
Scott's dealt with plenty of security issues like this in the past, plus he helped me out with the Nissan Leaf disclosure a few years ago too and was happy to help. All I needed was for Scott to create an account and let me know the email address he used which in this case, was email@example.com.
The account takeover all began with the Grindr password reset page:
I entered Scott's address, solved a Captcha and then received the following response:
I've popped open the dev tools because the reset token in the response is key. In fact, it's the key and I copied it onto the clipboard before pasting it into the following URL:
You'll see both the token and Scott's email address in that URL. It's easy for anyone to establish this pattern by creating their own Grindr account then performing a password reset and looking at the contents of the email they receive. When loading that URL, I was prompted to set a new password and pass the Captcha:
And that's it - the password was changed:
So I logged in to the account but was immediately presented with the following screen:
Huh, so you need the app? Alrighty then, let's just log in via the app:
And... I'm in!
Full account takeover. What that means is access to everything the original Grindr account holder had access to, for example, their profile pic (which I immediately changed to a more appropriate one):
Around this time, Scott started receiving private messages, both a request to meet personally and a request for pics:
The conversation with Luke went downhill pretty quickly and I can't reproduce it here, but the thought of that dialogue (and if he'd sent them, his pics) being accessed by unknown third parties is extremely concerning. Consider also the extent of personal information Grindr collects and as with Scott's messages, any completed fields here would immediately be on display to anyone who accessed his account simply by knowing his email address:
A couple of years ago it made headlines when Grindr was found to be sending HIV status off to third parties and given the sensitivity of this data, rightly so. This, along with many of the other fields above, is what makes it so sensational that the data was so trivially accessible by anyone who could exploit this simple flaw.
And as for the website I couldn't log into without being deferred back to the mobile app? Now that I'd logged into the app with Scott's new password, subsequent attempts simply allowed me to authorise the login request myself:
And that's it - I'm in on the website too:
This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token - which should be a secret key - is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously...
Except it wasn't. The person who forwarded this vulnerability also shared their chat history with Grindr support. After some to-and-fro, he provided full details sufficient to easily verify the account takeover approach on September 24. The Grindr support rep stated that he had "escalated it to our developers" and immediately flagged the ticket as "resolved". My contact followed up the next day and asked for a status update and got... crickets. The following day, he attempted to contact the help / support email addresses as well and after 5 days of waiting and not receiving a response, contacted me. He also shared a screenshot of his attempt to reach Grindr via Twitter DM which, like the other attempts to report the vulnerability, fell on deaf ears.
So I tried to find a security contact at Grindr myself:
Anyone got a security at @Grindr they can connect me to?
I'm conscious that sending a tweet like that elicits all the sorts of responses that inevitably followed it and implies that something cyber is amiss with Grindr. I only tweet publicly once reasonable attempts to make contact privately fail and based on the previous paragraph, those attempts were more than reasonable. A friend actually DM'd me on Twitter and suggested the following:
Not sure that Grindr tweet was necessary, given their DMs are open and they reached out to you fairly soon after
This is why I didn't DM them:
That route was tried and failed and I suggest the only reason their Twitter account publicly replied to me was because my tweet garnered a lot of interest.
After my tweet went out. I had multiple people immediately reach out and provide me with contact info for their security team. I forwarded on the original report and within about an hour and a half of the tweet, the vulnerable resource was offline. Shortly after, it came back up with a fix. In fairness to Grindr, despite their triaging of security reports needing work, their response after I managed to get in touch with the right people was exemplary. Here's how they responded when approached by infosec journo Zack Whittaker:
We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.
All in all, this was a bad bug with a good outcome: Grindr did well once I got in touch with them, I believe they're making some positive changes around handling security reports and, of course, the bug has been fixed. Oh - and Scott made some new friends 😊
Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.
A text snippet from one of the bogus Trickbot configuration updates. Source: Intel 471
On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.
But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.
It’s not known how many Trickbot-infected systems received the phony update, but it seems clear this wasn’t just a mistake by Trickbot’s overlords. Intel 471 found that it happened yet again on Oct. 1, suggesting someone with access to the inner workings of the botnet was trying to disrupt its operations.
“Shortly after the bogus configs were pushed out, all Trickbot controllers stopped responding correctly to bot requests,” Intel 471 wrote in a note to its customers. “This possibly means central Trickbot controller infrastructure was disrupted. The close timing of both events suggested an intentional disruption of Trickbot botnet operations.”
Intel 471 CEO Mark Arena said it’s anyone’s guess at this point who is responsible.
“Obviously, someone is trying to attack Trickbot,” Arena said. “It could be someone in the security research community, a government, a disgruntled insider, or a rival cybercrime group. We just don’t know at this point.”
Arena said it’s unclear how successful these bogus configuration file updates will be given that the Trickbot authors built a fail-safe recovery system into their malware. Specifically, Trickbot has a backup control mechanism: A domain name registered on EmerDNS, a decentralized domain name system.
“This domain should still be in control of the Trickbot operators and could potentially be used to recover bots,” Intel 471 wrote.
But whoever is screwing with the Trickbot purveyors appears to have adopted a multi-pronged approach: Around the same time as the second bogus configuration file update was pushed on Oct. 1, someone stuffed the control networks that the Trickbot operators use to keep track of data on infected systems with millions of new records.
Alex Holden is chief technology officer and founder of Hold Security, a Milwaukee-based cyber intelligence firm that helps recover stolen data. Holden said at the end of September Trickbot held passwords and financial data stolen from more than 2.7 million Windows PCs.
By October 1, Holden said, that number had magically grown to more than seven million.
“Someone is flooding the Trickbot system with fake data,” Holden said. “Whoever is doing this is generating records that include machine names indicating these are infected systems in a broad range of organizations, including the Department of Defense, U.S. Bank, JP Morgan Chase, PNC and Citigroup, to name a few.”
Holden said the flood of new, apparently bogus, records appears to be an attempt by someone to dilute the Trickbot database and confuse or stymie the Trickbot operators. But so far, Holden said, the impact has been mainly to annoy and aggravate the criminals in charge of Trickbot.
“Our monitoring found at least one statement from one of the ransomware groups that relies on Trickbot saying this pisses them off, and they’re going to double the ransom they’re asking for from a victim,” Holden said. “We haven’t been able to confirm whether they actually followed through with that, but these attacks are definitely interfering with their business.”
Intel 471’s Arena said this could be part of an ongoing campaign to dismantle or wrest control over the Trickbot botnet. Such an effort would hardly be unprecedented. In 2014, for example, U.S. and international law enforcement agencies teamed up with multiple security firms and private researchers to commandeer the Gameover Zeus Botnet, a particularly aggressive and sophisticated malware strain that had enslaved up to 1 million Windows PCs globally.
Trickbot would be an attractive target for such a takeover effort because it is widely viewed as a platform used to find potential ransomware victims. Intel 471 describes Trickbot as “a malware-as-a-service platform that caters to a relatively small number of top-tier cybercriminals.”
One of the top ransomware gangs in operation today — which deploys ransomware strains known variously as “Ryuk” and “Conti,” is known to be closely associated with Trickbot infections. Both ransomware families have been used in some of the most damaging and costly malware incidents to date.
The latest Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider that operates more than 400 facilities in the U.S. and U.K.
On Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid to stop the spread of the malware. The disruption has reportedly caused the affected hospitals to redirect ambulances and relocate patients in need of surgery to other nearby hospitals.
Posted by Kylie McRoberts, Program Manager and Alec Guertin, Security Engineer
Google’s Android Security & Privacy team has launched the Android Partner Vulnerability Initiative (APVI) to manage security issues specific to Android OEMs. The APVI is designed to drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.
Another layer of security
Android incorporates industry-leading security features and every day we work with developers and device implementers to keep the Android platform and ecosystem safe. As part of that effort, we have a range of existing programs to enable security researchers to report security issues they have found. For example, you can report vulnerabilities in Android code via the Android Security Rewards Program (ASR), and vulnerabilities in popular third-party Android apps through the Google Play Security Rewards Program. Google releases ASR reports in Android Open Source Project (AOSP) based code through the Android Security Bulletins (ASB). These reports are issues that could impact all Android based devices. All Android partners must adopt ASB changes in order to declare the current month’s Android security patch level (SPL). But until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.
Improving Android OEM device security
The APVI covers Google-discovered issues that could potentially affect the security posture of an Android device or its user and is aligned to ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure recommendations. The initiative covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).
Protecting Android users
The APVI has already processed a number of security issues, improving user protection against permissions bypasses, execution of code in the kernel, credential leaks and generation of unencrypted backups. Below are a few examples of what we’ve found, the impact and OEM remediation efforts.
In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and did not require any permissions to access, instead checking for knowledge of a hardcoded password. The operations available varied across versions, but always allowed access to sensitive APIs, such as silently installing/uninstalling APKs, enabling/disabling apps and granting app permissions. This service appeared in the code base for many device builds across many OEMs, however it wasn’t always registered or exposed to apps. We’ve worked with impacted OEMs to make them aware of this security issue and provided guidance on how to remove or disable the affected code.
The checkUidPermission method in the PackageManagerService class was modified in the framework code for some devices to allow special permissions access to some apps. In one version, the method granted apps with the shared user ID com.google.uid.shared any permission they requested and apps signed with the same key as the com.google.android.gsf package any permission in their manifest. Another version of the modification allowed apps matching a list of package names and signatures to pass runtime permission checks even if the permission was not in their manifest. These issues have been fixed by the OEMs.
Keep an eye out at https://bugs.chromium.org/p/apvi/ for future disclosures of Google-discovered security issues under this program, or find more information there on issues that have already been disclosed.
Acknowledgements:Scott Roberts, Shailesh Saini and Łukasz Siewierski, Android Security and Privacy Team
Convenience vs. Online Security: Have Your Cake and Eat It Too
We live in a world where convenience is king. Personally, I don’t know what I would do without my calendar alerts popping up on my smartphone, ensuring that I don’t miss any important meetings (or birthdays). I can also use a variety of apps to make appointments with my family’s doctor and check up on my kids’ educational progress while they are at home distance learning. While this technology is great and convenient, it has led to increased connectivity which tends to cause security implications. At what point do we draw the line between convenience and online security, and is there a way to ultimately have both? Let’s take a look.
Are Consumers Confident in Their Online Safety?
Consumers want to live their lives fast. They are constantly on the go, prioritizing speedy technology and convenience – sometimes more than safety. As a result, basic security hygiene, like updating passwords, has fallen by the wayside. In fact, a recent survey conducted by YouGov in April of 2020 revealed that consumers are overconfident in the level of protection that their credentials provide. 77% believe that their banking credentials are the most secure, followed by online shopping (74%), and work network logins (71%). Due to consumers’ overconfidence in the strength of their credentials, over half of online shoppers admitted that they have no plans to update their login details – and even more admitted to not updating bank and work passwords. As someone who just recently wrote a blog on common password habits and how they can affect our online safety,
Finding a Balance Between Convenience and Security
As today’s users are trying to grasp what the “new normal” means for them and how they live their lives, many are branching out from the typical ways they used to order food, take workout classes, and more. Consumers are using food delivery sites that they’ve never used before and signing up for online fitness classes on new platforms to stay healthy while social distancing. But by using these unfamiliar websites to establish a sense of normalcy, users might forget to take basic security precautions like making sure these websites have the standard https:// security clearance or using a VPN. Paying attention to these security measures while exploring new platforms will allow users to enjoy the convenience of these tools without putting their online safety at risk.
According to McAfee Labs, more than 113,000 websites have been published that used COVID-19 to lure internet users into giving up their personal details. But despite the risks associated with poor security hygiene, consumers appear to be pretty indifferent. When asked if COVID-19 and increased fraud influenced them to use alternative banking or shopping apps/websites with more secure options, over three-quarters of U.S. consumers stated no, or that they didn’t know. At the onset of the pandemic when consumers were under pressure to buy scarce, staple items, 26% of consumers in the U.S. admitted to overlooking online security concerns by using third-party merchants to buy things like toilet paper and disinfecting products.
Today’s users already have so much to worry about – I can’t blame them if their online security is falling by the wayside to allow physical health and wellness to take precedent. It’s times like these when people need to prioritize their health and basic survival above all else that consumers benefit most from intrinsic security that is constantly working in the background, so they can have peace of mind.
Let Them Have Security (and Convenience!)
The good news: convenience and security don’t have to be mutually exclusive. I can still use my healthcare provider’s app to schedule appointments and check in on my kids as they distance learn without risking our family’s privacy. When it comes to balancing convenience and online security, you and your family should use trusted solutions that will allow you to enjoy all that the internet has to offer by providing security that is easy, convenient, and empowers you to enjoy a safe and private digital live.
Users can enjoy a comprehensive, yet holistic approach to protection by employing the help of a security solution like McAfee® Total Protection. Consumers are safeguarded from malware so they can continue to use their devices and web browsing to stream live workout classes, catch up with family over video conference, and more. The software’s detection capabilities are constantly being updated and enhanced without compromising users’ device performance.
McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. McAfee WebAdvisor allows consumers to online shop or order food from their favorite restaurant while giving them the peace of mind that they’re on a safe website.
McAfee Total Protection also includes our secure VPN to ensure your family is prepared for potential threats that could be lurking around the corner. By enabling a VPN on your device, you can feel confident that the next time you bank or pay bills online, your connection is secure. With solutions like McAfee Total Protection and McAfee WebAdvisor in place, consumers can strike a balance between convenience and security, without sacrificing either.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how an adware family known primarily for distributing browser hijackers, Linkury, has been caught distributing malware. Also, read about a newly uncovered strain of the Glupteba trojan.
Trend Micro recently encountered a variant of the Glupteba trojan and reported its attacks on MikroTik routers and updates on its command and control (C&C) servers. The use of ManageX, a type of modular adware that Trend Micro has recently analyzed, is notable in this newly uncovered strain as it aims to emphasize the modularity and the cross-platform features of Glupteba as seen through its code analysis.
Security researchers have been tracking a phishing campaign that abuses Microsoft Office 365 third-party application access to obtain specific resources from victims’ accounts. The attacker, dubbed TA2552, mostly uses Spanish-language lures and a narrow range of themes and brands. These attacks have targeted organizations with a global presence but seem to choose victims who likely speak Spanish, according to a report from Proofpoint researchers.
A new report from HackerOne presents data suggesting that the bug bounty business might be recession-proof, citing increases in hacker registrations, monthly vulnerability disclosures and payouts during a pandemic-induced economic downturn. Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s Zero Day Initiative program, shared that he’s seen bug bounty activity increase with ZDI publishing 1,045 vulnerability advisories in all of 2019 and 1,235 already in 2020.
We’ve all been spending more time online since the pandemic hit, and as a result we’re sharing more personal and financial information online with each other and with organizations. Unfortunately, as ever, there are bad guys around every digital corner looking for this. Personally identifiable information (PII) is the currency of internet crime, and cyber-criminals will do whatever they can to get it.
An adware family known primarily for distributing browser hijackers has been caught distributing malware, security researchers said at the Virus Bulletin 2020 security conference.Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet.K7 researchers say that in recent cases they analyzed, the SafeFinder widget has now also begun installing legitimate malware, such as the Socelars and Kpot infostealer trojans.
Cybersecurity researchers have uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S. and China. Linking the attacks to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT), the first wave of activity associated with this campaign began last year in August 2019.
A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware). Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow.
A new survey has shown that consumer willingness to share more sensitive data – social security numbers, financial information and medical information – is greater in 2020 than in both 2018 and 2019. According to the NYC-based scientific research foundation ARF’s (Advertising Research Foundation) third annual privacy study, contact tracing is considered a key weapon in the fight against COVID-19.
Do you feel like you are more willing to share sensitive information online since the pandemic began? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
Computer systems for all 400 Universal
Health Services facilities around the globe have reportedly been shut down
following an attack by the Ryuk ransomware group. Ryuk is known for targeting
large organizations, but the healthcare industry has been gaining popularity
among these groups due to high volumes of sensitive information and typically
low levels of security. It’s unknown if the healthcare firm has paid ransoms
for the encrypted data or if they are restoring systems from available backups.
Global Insurance Firm Targeted by Ransomware
The Fortune 500 insurance firm AJG
was forced to take several computer systems offline over the weekend after
identifying a cyber-attack. It’s still unclear which ransomware variant was
responsible for the attack and officials with the firm haven’t revealed if customer
or employee information was stolen. Third-party researchers confirmed multiple AJG
servers, unpatched for a serious vulnerability, could have been the entry point
for the attack.
French Shipping Company Knocked Offline by Ransomware
All computer systems and websites belonging to CMA
CGM, a French shipping giant, were knocked offline by a crippling ransomware
attack. This attack on CMA CGM makes them the fourth international shipping
company to fall victim to a cyberattack, which have proven profitable, in as
many years. The company has verified that the Ragnar Locker ransomware group
was behind the attack, though they have not revealed the ransom asked.
Cyber Attack Forces Swatch to Disconnect Online Services
Though not confirmed by Swatch,
the Swiss watchmaker was reportedly forced to take many of their systems
offline after likely falling victim to a ransomware attack. While the company
did not verify the type of attack, ransomware’s prevalence this year makes it a
likely culprit. Swatch has announced they plan to seek legal action against the
DDoS Attacks See Substantial Rise in 2020
There were over 4.8 million DDoS
attacks during the first half of 2020, a 15% rise over the same period last
year. May alone saw more than 900,000 DDoS attacks, a record for most in a
single month. Ninety percent of these attacks lasted for under an hour, marking
another shift from previous years’ attacks. They have also increased in
complexity, leaving victims and researchers with little time to defend
Writing advanced malware for a threat actor requires different groups of people with diverse technical expertise to put them all together. But can the code leave enough clues to reveal the person behind it?
To this effect, cybersecurity researchers on Friday detailed a new methodology to identify exploit authors that use their unique characteristics as a fingerprint to track down other exploits