
Tag: Security Vulnerability

Xen Patches Hypervisor Breakout Risk Without Breaking the Cloud

The open-source Xen virtualization project patches a security vulnerability that could have enabled an attacker to breakout from hypervisor isolation.

But unlike a Xen flaw in 2014, this time public cloud providers do not have to reboot all their servers.

Kubernetes Security Policies Benefit from Best Practices

The open-source Kubernetes container management and orchestration system has implemented a security vulnerability disclosure policy that aims to help minimize risk.

Windows zero-day affects 600,000 older servers, but likely won’t be patched

The security vulnerability is publicly exploitable, but Microsoft only fixes "currently supported versions."

Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance', says researcher. A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version.…

Increase in Available Security Patches + Decrease in Patch Rates =...

Annual Flexera Vulnerability Review Shows 81 Percent of All Vulnerabilities Had Available Patches, Yet Common Software Programmes Remain Unpatched

Maidenhead, U.K. – March 13, 2017 – Flexera Software, the leading provider of Software Vulnerability Management solutions for application producers and enterprises, today released Vulnerability Review 2017, the annual report from Secunia Research at Flexera Software, which presents global data on the prevalence of vulnerabilities and the availability of patches, maps the security vulnerability threat to IT... Source: RealWire

Why you need a bug bounty program

Every business needs a process in place for handling security vulnerability reports, but some organizations take a much more proactive approach to dealing with security researchers.

Xen Project asks to limit security vulnerability advisories

The organization is requesting permission to limit disclosures to only the most severe bugs.

XSS marks the spot: Steam vuln dangles potential phishing line

Flaw let users add malicious code to their profile pages. Security researchers have discovered a significant security vulnerability in Steam, Valve's digital distribution platform for PC gaming.…

WhatsApp: Encrypted Message Backdoor Reports Are 'Baseless'

The security researcher cited in the report acknowledged that the word 'backdoor' was probably not the best choice.

WhatsApp this week denied that its app provides a "backdoor" to encrypted texts.

A report published Friday by The Guardian, citing cryptography and security researcher Tobias Boelter, suggests a security vulnerability within WhatsApp could be used by government agencies as a backdoor to snoop on users.

"This claim is false," a WhatsApp spokesman told PCMag in an email.

The Facebook-owned company will "fight any government request to create a backdoor," he added.

WhatsApp in April turned on full end-to-end encryption—using the Signal protocol developed by Open Whisper Systems—to protect messages from the prying eyes of cybercriminals, hackers, "oppressive regimes," and even Facebook itself.

The system, as described by The Guardian, relies on unique security keys traded and verified between users in an effort to guarantee communications are secure and cannot be intercepted. When any of WhatsApp's billion users get a new phone or reinstall the program, their encryption keys change—"something any public key cryptography system has to deal with," Open Whisper Systems founder Moxie Marlinspike wrote in a Friday blog post.

During that process, messages may back up on the phone, waiting their turn to be re-encrypted.

According to The Guardian, that's when someone could sneak in, fake having a new phone, and hijack the texts.

But according to Marlinspike, "the fact that WhatsApp handles key changes is not a 'backdoor,' it is how cryptography works.

"Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system," he wrote.

"We appreciate the interest people have in the security of their messages and calls on WhatsApp," co-founder Brian Acton wrote in a Friday Reddit post. "We will continue to set the record straight in the face of baseless accusations about 'backdoors' and help people understand how we've built WhatsApp with critical security features at such a large scale.

"Most importantly," he added, "we'll continue investing in technology and building simple features that help protect the privacy and security of messages and calls on WhatsApp."

In a blog post, Boelter said The Guardian's decision to use the word "backdoor" was probably not "the best choice there, but I can also see that there are arguments for calling it a 'backdoor.'" But Facebook was "furious and issued a blank denial, [which] polarized sides.

"I wish I could have had this debate with the Facebook Security Team in...private, without the public listening and judging our opinions, agreeing on a solution and giving a joint statement at the end," Boelter continued.

In an earlier post, Boelter said he reported the vulnerability in April 2016, but Facebook failed to fix it.

Boelter—a German computer scientist, entrepreneur, and PhD student at UC Berkeley focusing on Security and Cryptography—acknowledged that resolving the issue in public is a double-edged sword.

"The ordinary people following the news and reading headlines do not understand or do not bother to understand the details and nuances we are discussing now. Leaving them with wrong impressions leading to wrong and dangerous decisions: If they think WhatsApp is 'backdoored' and insecure, they will start using other means of communication. Likely much more insecure ones," he wrote. "The truth is that most other messengers who claim to have 'end-to-end encryption' have the same vulnerability or have other flaws. On the other hand, if they now think all claims about a backdoor were wrong, high-risk users might continue trusting WhatsApp with their most sensitive information."

Boelter said he'd be content to leave the app as is if WhatsApp can prove that "1) too many messages get [sent] to old keys, don't get delivered, and need to be [re-sent] later and 2) it would be too dangerous to make blocking an option (moxie and I had a discussion on this)."

Then, "I could actually live with the current implementation, except for voice calls of course," provided WhatsApp is transparent about the issue, like adding a notice about key change notifications being delayed.
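The key-change handling that Marlinspike and Boelter are arguing about, as an added example that is not part of the original article and is not WhatsApp or Signal code: a sender with messages still queued learns from the relay that the recipient's identity key changed, and either holds those messages until the user confirms the new key (the "block" policy, the blocking behaviour Boelter wants as an option) or re-encrypts and resends them automatically while recording the change (the "resend" policy, the behaviour the article attributes to WhatsApp). The Server class, the policy names, the SHA-256 counter-mode stream cipher standing in for the real session cipher, and the three-message scenario are all assumptions made for this demonstration.

```python
"""Toy model of a sender whose recipient's identity key changes while
messages are still queued.  Added illustration only, not WhatsApp or Signal
code: the PRF-based stream cipher, the Server class and the policy names
"block" / "resend" are stand-ins chosen for the demonstration."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(key: bytes) -> str:
    # Stand-in for the safety number / key fingerprint users compare.
    return hashlib.sha256(key).hexdigest()[:16]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 counter-mode keystream, symmetric for encrypt and decrypt.  It is
    # here only so that a ciphertext is usable solely by the holder of the key
    # it was produced under; it is not a real AEAD and carries no MAC.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Ciphertext:
    key_id: str      # fingerprint of the recipient key it was encrypted to
    nonce: bytes
    body: bytes


class Server:
    """Relay that only stores ciphertexts for the currently registered key."""

    def __init__(self, recipient_key: bytes):
        self.recipient_key = recipient_key
        self.mailbox = []

    def reregister(self, new_key: bytes) -> None:
        # Recipient reinstalled or changed phone: a fresh identity key.
        self.recipient_key = new_key

    def accept(self, ct: Ciphertext):
        if ct.key_id != fingerprint(self.recipient_key):
            # The sender is told which key is now registered, so a
            # substituted key is visible to it rather than silent.
            return "key_changed", self.recipient_key
        self.mailbox.append(ct)
        return "ok", None


@dataclass
class SenderClient:
    peer_key: bytes                 # trust-on-first-use identity key of the peer
    policy: str                     # "block" or "resend" (assumed names)
    outbox: list = field(default_factory=list)    # plaintexts not yet accepted
    delivered: list = field(default_factory=list)
    warnings: list = field(default_factory=list)  # what the UI would surface
    pending_key: Optional[bytes] = None           # changed key awaiting the user

    def encrypt(self, msg: bytes) -> Ciphertext:
        nonce = secrets.token_bytes(12)
        return Ciphertext(fingerprint(self.peer_key), nonce,
                          keystream_xor(self.peer_key, nonce, msg))

    def send(self, msg: bytes) -> None:
        self.outbox.append(msg)

    def confirm_key_change(self) -> None:
        # User compared the new safety number out of band and accepted it.
        if self.pending_key is not None:
            self.peer_key, self.pending_key = self.pending_key, None

    def flush(self, server: Server) -> None:
        held = []
        for msg in self.outbox:
            status, new_key = server.accept(self.encrypt(msg))
            if status == "ok":
                self.delivered.append(msg)
                continue
            if new_key != self.pending_key:       # warn once per key change
                self.warnings.append(
                    f"key changed {fingerprint(self.peer_key)} -> {fingerprint(new_key)}")
                self.pending_key = new_key
            if self.policy == "block":
                held.append(msg)                  # nothing leaves under an unverified key
            else:
                self.peer_key, self.pending_key = new_key, None
                status, _ = server.accept(self.encrypt(msg))   # re-encrypt, resend
                assert status == "ok"
                self.delivered.append(msg)
        self.outbox = held


def run_scenario(policy: str, user_confirms: bool = False) -> dict:
    """Constructed scenario: one message delivered, two queued while the
    recipient is offline, then the recipient reinstalls and gets a new key."""
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server = Server(old_key)
    alice = SenderClient(peer_key=old_key, policy=policy)
    alice.send(b"first")
    alice.flush(server)                    # accepted under the old key
    alice.send(b"second")
    alice.send(b"third")
    server.reregister(new_key)             # Bob's new phone
    alice.flush(server)
    if user_confirms:
        alice.confirm_key_change()
        alice.flush(server)
    readable_by_new_device = [keystream_xor(new_key, ct.nonce, ct.body)
                              for ct in server.mailbox
                              if ct.key_id == fingerprint(new_key)]
    return {"delivered": alice.delivered, "held": alice.outbox,
            "warnings": len(alice.warnings),
            "readable_by_new_device": readable_by_new_device}
```

Under either policy the sender records exactly one key-change warning, which is Marlinspike's point that the change is detectable; the policies differ only in what happens to the queued plaintexts, which is Boelter's point that "resend" commits them to the new key before anyone has looked at the warning.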

Oh Britain. Worried your routers will be hacked, but won’t touch...

Survey shows people don't act on insecure wireless routers

Recent Mirai-style attacks against home broadband routers have had some effect, but the majority of users have failed to act. A survey of 2,000 broadband users found that the majority (53 per cent) have not changed the Wi-Fi password and other default settings, potentially opening themselves up to attack.

The poll by independent switching site Broadband Genie found that more than half (54 per cent) were concerned about the possibility of their router being hacked. Shockingly, despite these concerns, the poll found that just 19 per cent had accessed the administration controls on their router, 22 per cent had checked what devices are connected to their network, a meagre 17 per cent had changed their administrator password, and just 14 per cent had updated their router's firmware. Women were less likely to update and change the settings on their router than men, according to the poll. A big majority (86 per cent) of users opted to stick with the router provided by their ISP rather than purchase an alternative.

Ondrej Vlcek, CTO at security software firm Avast, commented: "Home routers are weak and, therefore, also vulnerable, because for the most part, internet service providers, router manufacturers and the security community have neglected to acknowledge, scrutinise, and address their weaknesses.

"Over the last few months, Avast scanned over 4.3 million routers around the world and found that 48 per cent have some sort of security vulnerability. Today's router security situation reminds me of the security of PCs in the 1990s, with simple vulnerabilities being discovered every day," he added.

Rob Hilborn, head of strategy at Broadband Genie, added: "Despite broadband being in the majority of UK homes, it feels as if routers haven't been designed with your average consumer in mind. Usability is generally poor, and changing something as simple as a Wi-Fi password can require you to go through multiple pages and acronyms. Improving and simplifying these systems is a good place for us to start if we're serious about the public doing more to protect their router."

More information on the survey can be found in a blog post by Broadband Genie.

A Look Inside Responsible Vulnerability Disclosure

It's time for security researchers and vendors to agree on a standard responsible disclosure timeline.

Animal Man, Dolphin, Rip Hunter, Dane Dorrance, the Ray. Ring any bells? Probably not, but these characters fought fictitious battles on the pages of DC Comics in the 1940s, '50s, and '60s. As part of the Forgotten Heroes series, they were opposed by the likes of Atom-Master, Enchantress, Ultivac, and other Forgotten Villains. Cool names aside, the idea of forgotten heroes seems apropos at a time when high-profile cybersecurity incidents continue to rock the headlines and black hats bask in veiled glory. But what about the good guys? What about the white hats, these forgotten heroes?

For every cybercriminal looking to make a quick buck exploiting or selling a zero-day vulnerability, there's a white hat reporting the same vulnerabilities directly to the manufacturers. Their goal is to expose dangerous exploits, keep users protected, and perhaps receive a little well-earned glory for themselves along the way. This process is called "responsible disclosure."

Although responsible disclosure has been going on for years, there's no formal industry standard for reporting vulnerabilities. However, most responsible disclosures follow the same basic steps.

First, the researcher identifies a security vulnerability and its potential impact. During this step, the researcher documents the location of the vulnerability using screenshots or pieces of code. They may also create a repeatable proof-of-concept attack to help the vendor find and test a resolution.

Next, the researcher creates a vulnerability advisory report including a detailed description of the vulnerability, supporting evidence, and a full disclosure timeline. The researcher submits this report to the vendor using the most secure means possible, usually as an email encrypted with the vendor's public PGP key. Most vendors reserve the security@ alias (security@ followed by the vendor's domain) for security advisory submissions, but it could differ depending on the organization.

After submitting the advisory to the vendor, the researcher typically allows the vendor a reasonable amount of time to investigate and fix the vulnerability, per the advisory's full disclosure timeline.

Finally, once a patch is available or the disclosure timeline (including any extensions) has elapsed, the researcher publishes a full disclosure analysis of the vulnerability. This full disclosure analysis includes a detailed explanation of the vulnerability, its impact, and the resolution or mitigation steps. For example, see researcher Jouko Pynnönen's full disclosure analysis of a cross-site scripting vulnerability in Yahoo Mail.

How Much Time?

Security researchers haven't reached a consensus on exactly what "a reasonable amount of time" means to allow a vendor to fix a vulnerability before full public disclosure. Google recommends 60 days for a fix or public disclosure of critical security vulnerabilities, and an even shorter seven days for critical vulnerabilities under active exploitation. HackerOne, a platform for vulnerability and bug bounty programs, defaults to a 30-day disclosure period, which can be extended to 180 days as a last resort. Other security researchers, such as myself, opt for 60 days with the possibility of extensions if a good-faith effort is being made to patch the issue.

I believe that full disclosure of security vulnerabilities benefits the industry as a whole and ultimately serves to protect consumers. In the early 2000s, before full disclosure and responsible disclosure were the norm, vendors had incentives to hide and downplay security issues to avoid PR problems instead of working to fix the issues immediately. While vendors attempted to hide the issues, bad guys were exploiting these same vulnerabilities against unprotected consumers and businesses. With full disclosure, even if a patch for the issue is unavailable, consumers have the same knowledge as the attackers and can defend themselves with workarounds and other mitigation techniques. As security expert Bruce Schneier puts it, full disclosure of security vulnerabilities is "a damned good idea."

I've been on both ends of the responsible disclosure process, as a security researcher reporting issues to third-party vendors and as an employee receiving vulnerability reports for my employer's own products. I can comfortably say responsible disclosure is mutually beneficial to all parties involved. Vendors get a chance to resolve security issues they may otherwise have been unaware of, and security researchers can increase public awareness of different attack methods and make a name for themselves by publishing their findings.

My one frustration as a security researcher is that the industry lacks a standard responsible disclosure timeline. We already have a widely accepted system for ranking the severity of vulnerabilities in the form of the Common Vulnerability Scoring System (CVSS). Perhaps it's time to agree on responsible disclosure time periods based on CVSS scores?

Even without an industry standard for responsible disclosure timelines, I would call for all technology vendors to fully cooperate with security researchers. While working together, vendors should be allowed a reasonable amount of time to resolve security issues, and white-hat hackers should be supported and recognized for their continued efforts to improve security for consumers. If you're a comic book fan, then you'll know even a vigilante can be a forgotten hero.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ...

Clever Facebook Hack Reveals Private Email Address of Any User

Christmas came early for Facebook bug bounty hunter Tommy DeVoss, who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email address of any Facebook user. "The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook," DeVoss said. "It didn't matter how private you thought your email address was – I could have grabbed it." DeVoss said he discovered the vulnerability on Thanksgiving Day and reported it to Facebook via its bug bounty program.

After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery.

And on Tuesday it did. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform.

DeVoss discovered that, as an administrator of a Facebook Group, he could invite any Facebook member to take on an Admin Role, which allows things such as editing posts or adding new members. Those invitations were handled by Facebook and sent to the invited recipient's Facebook Messages inbox, but also to the email address associated with their account. In many cases users choose to keep their email addresses private.

DeVoss discovered that, despite the privacy settings chosen by Facebook members, he was able to obtain any Facebook user's email address whether he was Friends with them or not. The glitch was in how Facebook handled the cancellation of pending invitations to become a Group administrator. "While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request," he said.

Next, he switched to Facebook's mobile view of the Page Roles tab. There DeVoss was able to view the full email address of anyone whose pending administrator invitation he cancelled. "I noticed that when you clicked to cancel the administrator invitation on the mobile page, you were redirected to a page with the email address in the URL," he said. "Now all you have to do is pluck the plaintext version of the confidential email address straight from the URL."

The impact of this vulnerability could be diverse, he wrote in a blog post outlining his discovery. "Harvesting email addresses this way contradicts Facebook's privacy policy and could lead to targeted phishing attempts or other malicious purposes." Facebook confirmed the bug and said it has no evidence the vulnerability was ever misused.
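The pattern behind this bug, as an added example that is not Facebook's code and not from DeVoss's write-up: a cancel-invitation redirect that identifies the invitation by the invitee's email address puts that address into the URL, the browser history and every proxy or referer log; the hardened form carries only an opaque invitation id and resolves it server-side. The route shapes, the in-memory invitation store, the ownership check on the requester and the sample addresses are assumptions made for the demonstration; the ownership check goes beyond what the article describes.

```python
"""Added illustration (not Facebook's code): a cancel-invitation redirect
that leaks the invitee's e-mail in the URL, beside one that carries only an
opaque id resolved on the server.  Routes, store and sample data are assumed."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample state: pending admin-role invitations keyed by an
# unguessable id.  A real service would keep this in its database.
PENDING_INVITES = {}


def create_invite(group_id: str, inviter: str, invitee_email: str) -> str:
    invite_id = secrets.token_urlsafe(16)
    PENDING_INVITES[invite_id] = {"group": group_id, "inviter": inviter,
                                  "email": invitee_email}
    return invite_id


def cancel_redirect_vulnerable(invite_id: str) -> str:
    """Redirect target that names the invitation by the invitee's e-mail.
    The address the user chose to keep private is now client-visible."""
    inv = PENDING_INVITES[invite_id]
    return f"/groups/{inv['group']}/roles/cancel?" + urlencode({"email": inv["email"]})


def cancel_redirect_hardened(invite_id: str, requester: str) -> str:
    """Redirect by opaque id only; the e-mail never leaves the server.
    Only the admin who created the invitation may obtain a cancel link."""
    inv = PENDING_INVITES.get(invite_id)
    if inv is None or inv["inviter"] != requester:
        raise PermissionError("not the inviter of this invitation")
    return f"/groups/{inv['group']}/roles/cancel?" + urlencode({"invite": invite_id})


def handle_cancel(url: str, requester: str) -> bool:
    """Server side of the hardened flow: resolve the id, re-check the
    requester, delete the invitation.  True if something was cancelled."""
    params = parse_qs(urlparse(url).query)
    invite_id = params.get("invite", [None])[0]
    inv = PENDING_INVITES.get(invite_id)
    if inv is None or inv["inviter"] != requester:
        return False
    del PENDING_INVITES[invite_id]
    return True


def url_exposes(url: str, secret: str) -> bool:
    """Check an outgoing redirect for a value that must stay server-side;
    cheap enough to run in CI over every URL-building helper."""
    parsed = urlparse(url)
    values = [v for vals in parse_qs(parsed.query).values() for v in vals]
    return secret in parsed.path or any(secret in v for v in values)


def demo() -> dict:
    email = "target@example.com"    # constructed sample address
    invite_id = create_invite("g123", "admin_alice", email)
    return {
        "vulnerable_leaks": url_exposes(cancel_redirect_vulnerable(invite_id), email),
        "hardened_leaks": url_exposes(cancel_redirect_hardened(invite_id, "admin_alice"), email),
        "cancelled": handle_cancel(cancel_redirect_hardened(invite_id, "admin_alice"),
                                   "admin_alice"),
    }
```

The check in url_exposes is deliberately applied to the decoded query values, since urlencode turns the "@" into "%40" and a naive substring match on the raw URL would miss the leak.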

Facebook said it has implemented a fix to prevent the issue from being exploited. DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told Threatpost he participates in a number of bug bounty programs, including Yahoo's and the Hack the Pentagon program. For its part, in October Facebook announced it had paid out more than $5 million to 900 researchers in the five years since it launched its bug bounty program.

The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone. Facebook was one of the first websites to launch a bug bounty program when it followed in the footsteps of Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image-sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug that let him take over any of Facebook's 1.1 billion accounts by brute-forcing the password reset code, which the beta sites did not rate-limit.