Category Archives: digital id

Watch out! Malware Analysis Sandboxes could expose sensitive data of your organization

A study conducted by researchers at Cyjax revealed that organizations expose sensitive data via sandboxes used for malware analysis.

Experts at the threat intelligence firm Cyjax analyzed file uploaded by organizations via malware analysis sandboxes and discovered that they were exposing sensitive data.

The researchers analyzed PDF documents and email files (.msg and .eml) uploaded to three unnamed sandbox services over a period of three days last week. All the sandboxes analyzed by the experts provide public feeds that allow users to view or download the files submitted by the users.

200 benign files were invoices and purchase orders. In one case, the experts discovered that a company that provides a popular deployment tool for Windows admins was submitting all received purchase orders into the sandbox. The company was ignoring that all these files were made public via the feed implemented by the sandbox service.

“By examining the invoices, we were able to determine who was using the software, as well as the contact details of those responsible for purchasing in each organisation: this is extremely useful information for a threat actor conducting a spear phishing or BEC fraud campaign,” reads the report published by Cyjax.

Cyjax reported that CVs and professional certificates were also prevalent, exposed files contained ID photographs and addresses, and in two cases passport copies. The public availability of such kind of information could expose the owners to identity theft and other scams.

The experts also discovered a large number of insurance certificates that expose various personally identifiable information (PII), such as names, phone numbers, postal and email addresses.

sandboxes

One of the files exposed via the malware analysis sandboxes appeared to be a U.S. CENTCOM requisition form for use of military aircraft. The document included confidential information such as names and contact details of the travellers, alongside the journey details (future dated) and reasons for travel.

The files also included medical and legal documents.

The researchers also analyzed the URL submitted by the users to a URL scanning service over the 3-day period. Many URLs submitted to the service were pointing to sensitive data hosted on the file sharing service WeTransfer and cloud storage services such as Google Drive.

“The volume of sensitive documents collected in only three days was staggering. In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims.” concludes the company.

“While the adoption of malware sandboxes is a positive development, companies need to better understand how the files they share are processed. Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default.

We predict that this problem is likely to get worse as more companies add sandboxing to their security pipeline, underscoring the importance of educating employees now.”

Pierluigi Paganini

(SecurityAffairs – sandboxes, privacy)

The post Watch out! Malware Analysis Sandboxes could expose sensitive data of your organization appeared first on Security Affairs.

A flaw in Kaspersky Antivirus allowed tracking its users online

A vulnerability in Kaspersky Antivirus had exposed a unique identifier associated with users to every website they have visited in the past 4 years.

A vulnerability in the Kaspersky Antivirus software, tracked as CVE-2019-8286, had exposed a unique identifier associated with its users to every website they have visited in the past 4 years. The exposure of this identifier allowed visited websites and commercial third-party services to track users online.

The bad news is that users might have been exposed to cross-site tracking even if they have blocked or deleted cookies.

The vulnerability was discovered by the security researcher Ronald Eikenberg, it resides in the URL scanning module, called Kaspersky URL Advisor, of the antivirus software.

Kaspersky Internet security solution injects a remotely-hosted JavaScript file directly into the HTML code of every web page visited by its users to check if the page is blacklisted for some reason (i.e. the page belongs to a list of phishing web domains).

Analyzing the string of the URL of the JavaScript, Eikenberg discovered that it was containing a unique string for every Kaspersky user that could be used to track it. The string could be easily used by websites, advertising, and analytics services to track users online.

“My first examination of Kaspersky’s script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website.” reads the post published by the expert. “This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:

https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js

The part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable”

kaspersky antivirus javascript

Eikenberg installed the Kaspersky antivirus software on other computers and discovered that UUID in the source address was different on each of them. He also noticed that the IDs were persistent and did not change over time. This means that the ID was permanently associated with each system running Kaspersky Antivirus.

“That’s a remarkably bad idea. Other scripts running in the context of the website domain can access the entire HTML source any time, which means they can read the Kaspersky ID.

In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used.” continues the post. “If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to a different browser. Worse yet, the super tracking can even overcome the browser’s incognito mode.”

Eikenberg reported the issue to Kaspersky that addressed it in July. Now the same value (FD126C42-EBFA-4E12-B309-BB3FDD723AC1) is assigned for all users.

“Kaspersky has fixed a security issue (CVE-2019-8286) in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties.” reads the advisory published by Kaspersky. “This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user.”

Affected products are:

  • Kaspersky Anti-Virus up to 2019
  • Kaspersky Internet Security up to 2019
  • Kaspersky Total Security up to 2019
  • Kaspersky Free Anti-Virus up to 2019 
  • Kaspersky Small Office Security up to 6

Experts pointed out that Kaspersky URL Advisor feature still allows checking if a visitor has Kaspersky Antivirus software installed on his computers, an information that could be used by scammers in various ways.

“That is actually valuable information to an attacker. They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page.” concludes the expert. “Imagine something along the lines of “Your Kaspersky license has expired. Please enter your credit card number to renew your subscription”. Of course I have reported this problem to Kaspersky as well.”

If you want to disable the URL Advisor feature from settings→ additional→ network→ un-check traffic processing box.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-8286, Kaspersky Antivirus)

The post A flaw in Kaspersky Antivirus allowed tracking its users online appeared first on Security Affairs.

3Fun Dating App leaked members’ location and personal details

The 3Fun dating mobile app for “curious couples & singles” exposed the location of its members and their personal details.

What do you think about the privacy of dating apps? Well, users of 3Fun, a mobile app for arranging threesomes had an ugly surprise, their data were leaked online.

3Fun claims to have over 1.5 million members worldwide. that exchange more than 180,000 messages every day.

Researchers from Pen Test Partners discovered several severe issues in the dating app, it was exposing the near real-time location of users along with other sensitive data. Exposed data included dates of birth, sexual preferences, chat information, and private pictures. The worst news is that the data are leaked even if the user has correctly enabled privacy settings.

Experts noticed that the filters for data managed by the app were implemented only on the client-side, it was simple for them to capture the requests and remove any restriction.

Below an example of a GET request used 3Fun to send data to the users’ mobile app:

GET /match_users?from=0&latitude=xxxxxx&longitude=+yyyyyy&match_gender=63&match_max_age=61&match_min_age=30&offset=40&search_distance=100 HTTP/1.1

“BUT, that data is only filtered in the mobile app itself, not on the server. It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data. FFS!” reads the analysis published by Pen Test Partners.

Experts were able to locate users located worldwide, including at the home of the prime minister, Number 10, Downing Street, and in Washington DC, at the White House. 

3fun

Experts explained that anyway, the above locations could be the result of GPS coordinates spoofing made by some experts for fun, anyway the lack of security and privacy found in 3Fun app is disconcerting.

Ill-intentioned people could use users’ locations and their private data to stalk 3Fun users or threaten them to publicly reveal their identity. 

Experts also discovered that private photos of the members were accessible to everyone because their URIs were exposed in API response. 

The experts reported their findings to the development team of 3Fun on July 1, 2019, below the reply:

“Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team.”

The good news is that 3fun quickly resolved the issues:

“The trilateration and user exposure issues with Grindr and other apps are bad. This is a whole lot worse,” the researchers added. “It’s easy to track users in near real-time, uncovering very personal information and photos.” concludes the post.

Pierluigi Paganini

(SecurityAffairs – dating app, hacking)

The post 3Fun Dating App leaked members’ location and personal details appeared first on Security Affairs.

The US Gov is testing high-altitude balloons for surveillance

The US government is testing high-altitude balloons manufactured by Sierra Nevada to conduct surveillance over American soil.

The US government is planning to use high-altitude balloons to conduct surveillance over Americans.

The high-altitude balloons are manufactured by Sierra Nevada Corporation, they will cover a large area in the United States’ Midwest. The project is to create a network of high-altitude balloons that will allow tracking any activity on the ground.

high-altitude balloons
Source Spacenews.com

The Pentagon is testing the new system that will be used only over the American soil for security purposes, the test phase will involve 25 balloons drifting at 65,000-odd feet and will run from July 12 to September 1.

The tests have been requested by the US Southern Command (Southcom), an Agency which is responsible for disaster response, intelligence operations and security cooperation in the Caribbean and Central and South America.

The high-altitude balloons are equipped with hi-tech radars that allow tracking vehicles day or night, in any weather. 

“The US military is conducting wide-area surveillance tests across six midwest states using experimental high-altitude balloons, documents filed with the Federal Communications Commission (FCC) reveal.” states The Guardian.

“Up to 25 unmanned solar-powered balloons are being launched from rural South Dakota and drifting 250 miles through an area spanning portions of Minnesota, Iowa, Wisconsin and Missouri, before concluding in central Illinois.”

In July Sierra Nevada obtained a Special Temporary Authorization by the US Federal Communications Commission (FCC) for the use of several radio frequencies over the area for communications from the balloons.

“Purpose Of Operation: Conduct high altitude MESH networking tests over South Dakota to provide a persistent surveillance system to locate and deter narcotic trafficking and homeland security threats.” states the authorization.

Privacy advocates and American Civil Liberties Union expressed their dissent for any form of wide-area surveillance, including this one.

“We do not think that American cities should be subject to wide-area surveillance in which every vehicle could be tracked wherever they go,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union.

“Even in tests, they’re still collecting a lot of data on Americans: who’s driving to the union house, the church, the mosque, the Alzheimer’s clinic,” he said. “We should not go down the road of allowing this to be used in the United States and it’s disturbing to hear that these tests are being carried out, by the military no less.”

The Guardian added that Sierra Nevada has supplied Southcom with light aircraft used for surveillance operations conducted over Mexico, Colombia, Panama and the Caribbean sea.

High-altitude balloons are cheaper than planes and can fly for a longer time. The unmanned balloons would be able to remain in the air for days, the planes only a few hours.

“The new balloons promise a cheap surveillance platform that could follow multiple cars and boats for extended periods. And because winds often travel in different directions at different altitudes, the balloons can usually hover over a given area simply by ascending or descending.” concludes The Guardian.

Pierluigi Paganini

(SecurityAffairs – high-altitude balloons, surveillance)

The post The US Gov is testing high-altitude balloons for surveillance appeared first on Security Affairs.

Facebook dismantled influence campaigns focused on Middle East and Northern Africa

Facebook announced it dismantled covert influence campaigns in some countries in the Middle East and Northern Africa, including one tied to the Saudi government.

Facebook uncovered two separate influence campaigns, one originated in the United Arab Emirates and Egypt, and another in Saudi Arabia.

The campaigns appeared to be distinct and involved “coordinated inauthentic behavior” on Facebook and its Instagram.

“This week, we removed multiple Pages, Groups and accounts that were involved in coordinated inauthentic behavior on Facebook and Instagram. We found two separate operations: one of which originated in United Arab Emirates and Egypt, and another in Saudi Arabia.” reads the post published by Facebook.

One of the influence campaigns was conducted by individuals linked to the government of Saudi Arabia. Threat actors used a network of fake accounts and pages on Facebook to promote state propaganda.

Facebook influence campaigns

The company announced to have removed 217 Facebook accounts, 144 Facebook Pages, five Facebook Groups and 31 Instagram accounts that were involved in the campaign. The inauthentic behavior was originating from Saudi Arabia and focused primarily on the Middle East and Northern Africa, including Qatar, Saudi Arabia, UAE, Bahrain, Egypt, Morocco, Palestine, Lebanon and Jordan.

Operators behind this campaign posed as locals in targeted countries, they disseminated their content through a network of fake accounts and pages created by fictitious personas.

Facebook observed that the content posted by the threat actors aimed at express criticism of neighboring countries including Iran, Qatar and Turkey. They also called into question the credibility of Al-Jazeera news network and Amnesty International.

Facebook has no doubts, the campaign was orchestrated by individuals associated with the government of Saudi Arabia.

“Although the people behind this activity attempted to conceal their identities, our review found links to individuals associated with the government of Saudi Arabia.” continues the post.

Below the findings shared by the social network about this influence campaign.

  • Presence on Facebook and Instagram: 217 Facebook accounts, 144 Facebook Pages, 5 Facebook Groups and 31 Instagram accounts.
  • Followers: About 1.4 million accounts followed one or more of these Pages, about 26,000 accounts joined at least one of these Groups, and around 145,000 people followed one or more of these Instagram accounts.
  • Advertising: Around $108,000 spent on Facebook and Instagram ads paid for in Saudi riyal and US dollars.

The second influence campaign seems to be carried out by individuals from Egypt and the United Arab Emirates, and focused on countries in the Middle East as well as in northern and eastern Africa, including Libya,Sudan, Comoros, Qatar, Turkey, Lebanon, Syria, Jordan and Morocco.

Facebook removed 259 Facebook accounts, 102 Facebook Pages, five Facebook Groups, four Facebook Events and 17 Instagram accounts for engaging in coordinated inauthentic behavior.

Below the data published in the post:

  • Presence on Facebook and Instagram: 259 Facebook accounts (200 of which had been previously disabled by our automated systems), 102 Facebook Pages, 5 Facebook Groups, 4 Facebook Events, and 17 Instagram accounts.
  • Followers: More than 13.7 million accounts followed one or more of these Pages, about 9,000 accounts joined at least one of these Groups, and around 65,000 accounts followed at least one of these Instagram accounts.
  • Advertising: About $167,000 spent on Facebook ads paid for primarily in US dollars and Emirati dirhams.
  • Events: 4 events were hosted by these Facebook Pages. The first was scheduled for June 4, 2018, and the most recent was scheduled for June 19, 2019. Two hundred seventy people expressed interest in at least one of these events. We cannot confirm whether any of these events actually occurred.

Facebook continues to fight any abuse of its platform, especially the influence campaigns aimed at destabilizing the political contest in specific geographic areas.

Facebook recently also announced that it removed multiple pages, groups, and accounts tied to Russia involved in influence campaigns ahead of the election in Ukraine.

Pierluigi Paganini

(SecurityAffairs – influence campaigns, Facebook)

The post Facebook dismantled influence campaigns focused on Middle East and Northern Africa appeared first on Security Affairs.

Kazakhstan wants to intercept all HTTPS Internet traffic of its citizens

Bad news for citizens of Kazakhstan, the government is beginning to intercept all the encrypted traffic, and to do it, it is forcing them to install a certificate.

The Kazakhstan government is beginning to intercept all the encrypted traffic and to do it is forcing users in the country to install a certificate.

The Kazakhstan authorities issued an advisory to local Internet Service Providers (ISPs) asking them to allow their customers to access the Internet only after the installation on their devices of government-issued root certificates.

Once installed the root certificate (“trusted certificate” or “national security certificate) the ISPs will be able to spy on citizens’ encrypted HTTPS and TLS connections.

Since April, the Kazakh ISPs are informing users to install the “national security certificate” to access “allowed” HTTPS websites.

By installing a root certificate issued by a Government Organisation allows the authorities to generate a valid digital certificate for any domain they want to intercept even if the user connects it via HTTPS.

Recently the Kazakh ISP Tele2 started redirecting all HTTPS connections of its customers to a web page containing the certificate and instructions on how to install the certificate on major OS.

The certificates are issued in compliance with the Law on Communications 2004 passed in November 2015. Clause 11 of Article 26, the “Rules for Issuing and Applying a Security Certificate,” states that national ISPs must monitor the encrypted Internet traffic of their customers using government-issued security certificates.

“In accordance with the Law of the Republic of Kazakhstan on Communications, Article 26 and Clause 11 of the Rules for Issuing and Applying a Security Certificate, communications operators ensure the distribution of a security certificate to their subscribers with whom they have contracts for the provision of communications services.” states Tele2.

“The law prescribes for carriers to pass traffic using protocols that support encryption using a security certificate, with the exception of traffic encrypted by means of cryptographic protection of information in the Republic of Kazakhstan.”

Experts pointed out that since users can visit websites only via HTTP before installing the certificates, it is possible that attackers can launch a Man-In-The-Middle attack to replace certificate files and spy on users’ connections.

The Kazakhstan government initially planned to force the installation of the certificate by January 2016, but evidently failed due to a series of lawsuits.

The authorities told to the citizens that the installation of the certificates is necessary to protect them from hackers.

“A security certificate has been introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats,” continues the note.

“The introduction of a security certificate will also help in the protection of information systems and data, as well as identifying hackers and Internet fraudsters before they can cause damage.”

“It will also allow Kazakhstan Internet users to be protected from hacker attacks and viewing illegal content.”

Clearly Kazakhstan aims at fully controlling the access to the Internet and apply censorship for not allowed content.

Giving a look at the Tor metrics for Kazakhstan it is possible to observe that since April the number of connected users through Tor is increased after the announcement of the first request of the government of installing the certificates.

Pierluigi Paganini

(SecurityAffairs – Kazakhstan, surveillance)

The post Kazakhstan wants to intercept all HTTPS Internet traffic of its citizens appeared first on Security Affairs.

Mysterious hackers steal data of over 70% of Bulgarians

Hackers stole data of millions of Bulgarians, and sent it to local media, According to the media the source could be the National Revenue Agency.

Hackers have exfiltrated data from a Bulgarian government system, likely the National Revenue Agency (NRA), and have shared it with the local media.

The hackers have stolen the personal details of millions of Bulgarians and sent to the local newspaper download links for the archives containing them.

“The link was sent by anonymous hackers via Russian mail servers on Monday to the Bulgarian media. The array of 57 folders contains thousands of files that they claim to be from the Treasury’s servers, probably.” reads the Monitor website.

The National Revenue Agency is investigating the incident and verifying the authenticity of the data.

“The NRA and the specialized bodies of the Ministry of the Interior and the State Agency for National Security (SANS) check the potential vulnerability of the National Revenue Agency’s computer system.” reads a statement published by the NRA.

“Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real.”

The hackers claim to have breached Treasury’s servers and have exfiltrated data from more than 110 databases. More than 5 million Bulgarian and foreign citizens are affected, consider that the country has a population composed of 7 million people.

“Your government is slow to develop, your state of cybersecurity is parodyous,” wrote the hackers.

The hacker bragged about stealing 110 databases from NRA’s network, totaling nearly 21 GB. The hacker only shared 57 databases, comprising 11GB of data out of 21 aggregate data with local news outlets but promised to release the rest in the coming days.

“Perhaps the biggest leak of personal data in Bulgaria. That’s how the 57-folder contains more than a thousand files that anonymous hackers sent to Bulgarian media on Monday.” reported the Capital website. “Upon reviewing the information, Capital has opened databases with more than 1 million rows containing PINs, names, addresses, and even earnings.”

Most of the data is very old, in some cases, information is dated back as far as 2007.

Hackers also leaked information from Department Civil Registration and Administrative Services (GRAO), Bulgaria’s customs agency, the National Health Insurance Fund (NZOK), and data from the Bulgarian Employment Agency (AZ).

The email was sent by an email address belonging to the Russian service Yandex.ru. The message sent to local media by hackers ends with a quote by WikiLeaks founder Julian Assange and calls for his release.

“Your government is stupid. Your is a parody.” closes the email.

Immediately after the leak of the data, the Democratic Bulgaria opposition party demanded the resignation of Finance Minister Vladislav Goranov.

It seems that cyber security for Bulgarian government services is very poor, tt the end of June, Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the kindergarten software used by local kindergartens.

Pierluigi Paganini

(SecurityAffairs – Bulgarians, hacking)

The post Mysterious hackers steal data of over 70% of Bulgarians appeared first on Security Affairs.

FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal

The United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Facebook will be obliged to pay a $5 Billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal. In April 2018, Facebook revealed that 87 million users have been affected by the Cambridge Analytica case, much more than 50 million users initially thought.

“The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information, according to three people briefed on the vote, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies.” reported The New York Times.

Facebook Cambridge Analytica scandal

The news is not a surprise for the expert, the settlement was anticipated by the media over the past months. The final approval will arrive in the coming weeks from the US Justice Department, that usually approves settlements reached by the FTC.

If approved, it would be the biggest fine assigned by the federal government against a tech firm.

The probe began more than a year ago, the agency found that the way Facebook manages user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data. The settlement obliged the company to review its privacy practices.

In the Cambridge Analytica privacy scandal, the company allowed to access to the personal data of around 87 million Facebook users without their explicit consent.

In April, Facebook disclosed its first quarter 2019 financial earnings report that revealed the company had set $3 billion aside in anticipation of the settlement with the FTC.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” said Representative David Cicilline, a Democrat and chair of a congressional antitrust panel.

Recently the UK’s Information Commissioner Office (ICO) has also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.

Pierluigi Paganini

(SecurityAffairs – Cambridge Analytica, Facebook)

The post FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal appeared first on Security Affairs.