Critical ownCloud Flaws Lead to Sensitive Information Disclosure, Authentication Bypass

Open-source file-sharing and collaboration software ownCloud is plagued by critical vulnerabilities that could lead to the exposure of credentials and other sensitive information and to authentication and validation bypass.

The most serious issue, which carries a CVSS score of 10/10, impacts the graphapi app, which uses a third-party library providing a URL that, when accessed, reveals the PHP environment’s configuration details (phpinfo).

“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key,” ownCloud warned in an advisory.

Other sensitive data included in the phpinfo output may allow an attacker to gather further information about the system, and the exposure should concern all administrators, even when ownCloud is not running in a containerized environment.

“It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” ownCloud notes. The issue impacts graphapi versions 0.2.0 to 0.3.0.

Administrators are advised to change the ownCloud admin password, the Object-Store/S3 access-key, and credentials for the mail server and database. “Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities,” ownCloud added.

A second vulnerability, tagged with a CVSS severity score of 9.8/10, is described as an authentication bypass in the WebDAV API, through pre-signed URLs.

“It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud explained.


The bug impacts ownCloud core versions 10.6.0 to 10.13.0 and can be mitigated by denying the use of pre-signed URLs if there is no signing key configured for the file owner.
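The mitigation ownCloud describes amounts to a fail-closed rule: a pre-signed URL must never be honoured for a user who has no signing key. The following is an added example, not ownCloud's code and not its URL format: a constructed HMAC-based pre-signed URL scheme whose verifier refuses requests when the owner's key is missing, and also rejects expired or tampered URLs. The parameter names (`user`, `expires`, `sig`), the key store and the paths are all constructed for the illustration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed per-user signing-key store. A user who never configured a
# signing key is represented by None (the "default" case from the advisory).
SIGNING_KEYS = {
    "alice": b"alice-signing-key-constructed",
    "bob": None,
}


def _canonical(path: str, user: str, expires: int) -> bytes:
    # The exact bytes that are signed: path, owner and expiry, newline-separated.
    return f"{path}\n{user}\n{expires}".encode()


def sign_url(path: str, user: str, key: bytes, expires: int) -> str:
    """Build a pre-signed URL for `path` on behalf of `user` (constructed scheme)."""
    sig = hmac.new(key, _canonical(path, user, expires), hashlib.sha256).hexdigest()
    return f"{path}?user={user}&expires={expires}&sig={sig}"


def verify_presigned(url: str, keys: dict, now: int) -> bool:
    """Fail-closed verifier.

    Returns True only when the owner has a signing key configured, the URL has
    not expired, and the signature matches the path/owner/expiry it carries.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user = q["user"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False

    key = keys.get(user)
    if not key:
        # The hardening from the advisory: no signing key means no pre-signed
        # access at all, rather than falling back to some default key.
        return False
    if now > expires:
        return False

    expected = hmac.new(key, _canonical(parts.path, user, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    url = sign_url("/dav/files/alice/report.pdf", "alice",
                   SIGNING_KEYS["alice"], expires=2_000_000_000)
    print("alice, valid:", verify_presigned(url, SIGNING_KEYS, now=1_700_000_000))
    bob_url = sign_url("/dav/files/bob/notes.txt", "bob", b"", expires=2_000_000_000)
    print("bob, no key configured:", verify_presigned(bob_url, SIGNING_KEYS, now=1_700_000_000))
```

The important design choice is the `if not key` branch: a verifier that substitutes an empty or default key for a missing one would accept URLs that anyone who knows the username could construct, which is exactly the condition the advisory describes.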

A third bug (CVSS score of 9/10), impacting the oauth2 app versions prior to 0.6.1, could lead to the bypass of subdomain validation.

“Within the oauth2 app an attacker is able to pass in a specially crafted redirect-URL which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” ownCloud said.
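Redirect-URL validation bypasses of this kind usually come down to matching the supplied URL loosely (a string prefix, a substring, or a regular expression) instead of comparing it component by component against the registered value. The following added example is generic and not the ownCloud oauth2 app's code: it places a weak prefix check beside a strict validator that requires scheme, host, port, path and query to equal a registered redirect exactly. The registered callback `https://app.example.com/oauth/callback` and the test hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registered callbacks for one OAuth2 client:
# (scheme, host, port, path, query). Not ownCloud's data model.
REGISTERED_REDIRECTS = {
    ("https", "app.example.com", 443, "/oauth/callback", ""),
}


def weak_redirect_ok(redirect_uri: str,
                     allowed_prefix: str = "https://app.example.com") -> bool:
    """The pattern to avoid: any URL whose text merely starts with the
    registered origin passes, including hosts under a different domain."""
    return redirect_uri.startswith(allowed_prefix)


def _default_port(scheme: str):
    return {"https": 443, "http": 80}.get(scheme)


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact-match validation of every URL component against the allow-list."""
    try:
        p = urlsplit(redirect_uri)
        port = p.port            # may raise ValueError for a malformed port
        hostname = p.hostname
    except ValueError:
        return False
    if p.scheme != "https" or not hostname:
        return False
    if p.fragment:
        # Fragments are not permitted in OAuth 2.0 redirect URIs (RFC 6749).
        return False
    if port is None:
        port = _default_port(p.scheme)
    # Normalise case and a trailing dot so equivalent hosts compare equal;
    # everything else must match byte for byte.
    host = hostname.lower().rstrip(".")
    return (p.scheme, host, port, p.path, p.query) in REGISTERED_REDIRECTS


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com.other.example/oauth/callback"):
        print(uri, "weak:", weak_redirect_ok(uri), "strict:", strict_redirect_ok(uri))
```

Note that `urlsplit` resolves userinfo and the authority for you, so a URL such as `https://app.example.com@other.example/...` yields a hostname of `other.example` and fails the strict comparison, whereas the prefix check would accept it.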

Related: Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools

Related: Microsoft Patches Sensitive Information Disclosure Bug in Azure CLI

Related: SAP Patches Critical Vulnerability in Business One Product

https://www.securityweek.com/critical-owncloud-flaws-lead-to-sensitive-information-disclosure-authentication-bypass/




LLM Security Startup Lasso Emerges From Stealth Mode

End-to-end generative AI security startup Lasso Security has emerged from stealth mode with $6 million in a seed funding round led by Entrée Capital, with additional investment from Samsung Next.

Established earlier this year, the Tel Aviv-based company is building technology to tackle the cyber threats faced by generative AI and large language models (LLMs) and prevent data exposure, and security and compliance risks.

By protecting every LLM touchpoint, Lasso wants to help secure businesses that leverage generative AI and other LLM technologies, to allow them to fully deploy the technologies in production environments.

Lasso says it can prevent data poisoning, model theft, malicious code generation, prompt injection, and supply chain attacks targeting LLMs, to secure commercial data and customer and employee privacy.

Additionally, the company says its product will provide oversight for sensitive data disclosures, and can identify the LLM-based tools used by employees and provide guidance on their safe use in real-time.

Lasso says it will use the investment to expand its team and improve its products.

“Our mission is to equip businesses with robust defenses to safeguard their systems, including those using generative AI technologies that leverage LLMs. Every data point, command, and prompt generated by LLMs will be under the vigilant oversight of our sophisticated security platform, enabling teams to embrace generative AI without jeopardizing their data’s safety and security,” Lasso Security CEO Elad Schulman said.

Related: Application Security Startup Aikido Raises €5 Million


Related: Cavelo Raises CA$5 Million for Attack Surface Management Platform

Related: Tidal Cyber Raises $5 Million for Threat-Informed Defense Platform

Related: Risk Ledger Raises £6.25 Million for Supply Chain Security Solution

https://www.securityweek.com/llm-security-startup-lasso-emerges-from-stealth-mode/




Data Security Firm ALTR Banks $25M Series C 

Late-stage data security startup ALTR on Wednesday announced the closing of a $25 million funding round to continue building and marketing its SaaS-based data access governance and security products.

The company said the Series C was led by John Stafford III and included new, unidentified investors from the financial, medical, and data space.

The Florida-based ALTR has raised more than $55 million since emerging from stealth in 2018 with ambitious plans to build data security tools on blockchain technology.

The company said the new financing will be used to speed up its go-to-market strategy by expanding its footprint across various data sources, grow partner integrations, and develop channel relations.

ALTR is selling technology that enables database administrators, data engineers, and data architects to reduce manual tasks, get visibility into data usage, automate data access controls, and secure data with rate-limiting and tokenization-as-a-service.

The product suite offers corporate defenders visibility into what data is used, by whom and when, including data-usage heatmaps and analytics dashboards.

ALTR said its tools can also be used to control access to sensitive data with classification-based policies and apply data-masking over PII like social security numbers or email addresses to keep sensitive data private.

ALTR also pitches auditable query logs that let customers prove their privacy controls are working correctly and, in its words, keep the governance team happy.


Related: ALTR Emerges From Stealth With Blockchain-Based Data Security Solution

Related: IBM Snaps up DSPM Startup Polar Security

Related: Symmetry Systems Raises $17.7M for DSPM Platform

Related: Palo Alto Networks to Acquire Cloud Security Start-Up Dig Security

https://www.securityweek.com/data-security-firm-altr-banks-25m-series-c/




Data Brokers Expose Sensitive US Military Member Info to Foreign Threat Actors: Study

Foreign threat actors can easily obtain sensitive information on US military members from data brokers, according to a new Duke University study whose results were published on Monday.

Data brokers collect and aggregate information and then sell it, license it or share it, either directly or through services that leverage the data. Data brokers include credit reporting agencies such as Equifax and Experian, marketing companies such as Acxiom, and data analytics and risk assessment firms such as Verisk. Other major players in this space are mobile applications that collect and sell their users’ information to third parties, often without the users’ knowledge or consent.

Data brokers collect and sell a wide range of information, including name, demographic data, political preferences, lifestyle details, home and email address, GPS location, financial situation, and health information. 

This type of information can be highly useful to threat actors, including for scams, blackmail, profiling, causing reputational damage, and stalking. In the case of military members, the exposure of this data could pose a risk to national security.

While some data brokers take steps to ensure that this type of data does not fall into the wrong hands, the study conducted by Duke University researchers found that in many cases it’s easy and inexpensive to acquire the information of military service members and veterans, with some brokers specifically advertising such data.

The Duke researchers contacted a dozen brokers in the US to purchase information on military service members and veterans. They found that the methods brokers use to verify the identity of customers are inconsistent, and noted that these practices are largely unregulated by the US government.

While some brokers refused to sell the data to an unverified organization, others seemed more interested in ensuring confidentiality around the purchasing of the data, not the confidentiality of the actual data. 

The researchers managed to acquire sensitive information for as little as $0.12 per record when buying thousands of records, and the price can go as low as $0.01 per individual for larger purchases.


The researchers attempted to buy data using a US domain and a .asia domain name that had been linked to a Singaporean IP address. 

Even when the .asia domain was used, several brokers agreed to provide thousands of records, including data geofenced to strategic locations such as Washington DC, Fort Bragg in North Carolina, and Fort AP Hill and Quantico in Virginia.

“Foreign governments have historically sought data about American persons and organizations for espionage, election interference, and other purposes. Their interest in the U.S. military in particular is high, and they could obtain such data through the data brokerage ecosystem, either by purchasing it legally or by hacking into the databases of brokers or their customers,” the researchers wrote in their report.

The researchers recommended that lawmakers pass a comprehensive privacy law with strong controls on the data brokerage ecosystem, with Congress being advised to provide more funding to regulatory agencies that can enforce new policies.  

In addition, the Defense Department should conduct an internal contractual data flow assessment, which may help in restricting the exposure of sensitive military information to data brokers. 

Related: Ransomware Gang Leaks Data Allegedly Stolen From Canadian Hospitals

Related: Lost and Stolen Devices: A Gateway to Data Breaches and Leaks

https://www.securityweek.com/data-brokers-expose-sensitive-us-military-member-info-to-foreign-threat-actors-study/




Atlassian CISO Urges Quick Action to Protect Confluence Instances From Critical Vulnerability

Enterprise software maker Atlassian on Monday urged all Confluence Data Center and Server customers to patch their instances against a critical-severity vulnerability that can be exploited without authentication.

The security defect, tracked as CVE-2023-22518 (CVSS score of 9.1), is described as an improper authorization bug that impacts all Confluence versions.

While it did not share technical details on the flaw in its advisory, Atlassian instead drew attention to the high impact successful exploitation would have.

“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Atlassian CISO Bala Sathiamurthy notes.

“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy continues.

According to Atlassian, the vulnerability has no impact on confidentiality, as no data exfiltration can occur from exploiting it.

The issue has been addressed with the release of Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.


Customers that are unable to apply the patches are advised to back up their instances and block internet access to them until they can be patched.

“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” Atlassian notes.

The company also notes that, as per its policy regarding critical vulnerabilities, the patches will be backported, and that new maintenance releases for all versions covered by the policy will become available.

“Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue,” the software maker notes.

Related: US Gov Expects Widespread Exploitation of Atlassian Confluence Vulnerability

Related: Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo

Related: Organizations Warned of Critical Confluence Flaw as Exploitation Continues

https://www.securityweek.com/atlassian-ciso-urges-quick-action-to-protect-confluence-instances-from-critical-vulnerability/




Apple Improves iMessage Security With Contact Key Verification

Apple on Friday introduced contact key verification, a new capability meant to improve the security of its iMessage service.

To ensure the privacy of conversations, iMessage offers end-to-end encryption, so that only the sender and receiver can read a message, and relies on sets of encryption keys, where public keys are stored on a key directory service, while private keys rest on the device and never leave it.

Key directory services, like Apple’s identity directory service, represent a single point of failure, where a powerful adversary may be able to compromise the service to intercept or monitor encrypted messages.

To address the shortcoming, iMessage contact key verification, Apple explains, relies on key transparency, a mechanism that uses a verifiable log-backed map data structure to deliver cryptographic proofs of inclusion, ensuring user privacy and allowing audits.

“iMessage contact key verification advances the state of the art of key transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account,” Apple says.

This mechanism, the tech giant notes, is meant to protect against both key directory and transparency service compromises, allowing changes to the log-backed map while making device keys immediately verifiable.

iMessage contact key verification, Apple explains, uses an account-level elliptic curve digital signature algorithm (ECDSA) signing key that is generated on the device, stored in iCloud keychain, and available to the user on their trusted devices only.


“Each device uses the synchronized account key to sign its iMessage public keys. The account keys and signatures are included in the IDS service database along with the existing data,” Apple notes.

When the user enables iMessage contact key verification, their devices verify that the key transparency map includes the data presented by the identity directory service, and notifies the user if a validation error occurs.

Users’ devices will periodically query the service for account information, verify the response against the key transparency mechanism, and flag inconsistencies.

“[The user’s] devices will additionally compare the KT data for identifiers, device records, and opt-in state against records stored in an end-to-end encrypted CloudKit container. This database is maintained by [the user’s] devices and is not readable or modifiable by Apple,” the tech giant explains.
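The core mechanism in the paragraphs above is a verifiable map: the identity directory's record for a user must be provably included in a tree whose root the key transparency service commits to, and the user's own device performs that check rather than trusting the directory. The following is an added illustration, not Apple's KT design or code: a Merkle tree over constructed (identifier, public key) records, an inclusion proof for one leaf, and the device-side verification that compares the directory's record against the committed root. The hash construction, tree padding, record format and sample identifiers are all choices made for this example.

```python
import hashlib
import hmac

# Constructed records: identifier -> iMessage-style public key (placeholder bytes).
RECORDS = [
    ("+1-555-0100", b"pk-alice-constructed"),
    ("bob@example.com", b"pk-bob-constructed"),
    ("+1-555-0199", b"pk-carol-constructed"),
]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(identifier: str, pubkey: bytes) -> bytes:
    # Domain separation (0x00 leaf / 0x01 node) stops an interior node from
    # being passed off as a leaf or vice versa.
    return _h(b"\x00" + identifier.encode() + b"\x00" + pubkey)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(leaves):
    """Return the tree as a list of levels: levels[0] are the leaves,
    levels[-1] is [root]. An odd level is padded by duplicating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from the leaf up to the root, each tagged with the side
    ('L' or 'R') on which the sibling sits relative to the path node."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]          # same padding as build_tree
        side = "R" if index % 2 == 0 else "L"
        proof.append((side, level[index ^ 1]))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the root from a leaf and its proof; True only if it matches."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return hmac.compare_digest(h, root)


def device_check(directory_record, kt_root: bytes, proof) -> bool:
    """The client-side step the article describes: the device confirms that the
    record the identity directory served is the one the KT map commits to."""
    identifier, pubkey = directory_record
    return verify_inclusion(leaf_hash(identifier, pubkey), proof, kt_root)


# Build the map once; KT_ROOT is what the transparency service would publish.
LEVELS = build_tree([leaf_hash(i, k) for i, k in RECORDS])
KT_ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    proof = inclusion_proof(LEVELS, 1)
    print("genuine record verifies:", device_check(RECORDS[1], KT_ROOT, proof))
    swapped = ("bob@example.com", b"pk-substituted-by-a-compromised-directory")
    print("substituted key verifies:", device_check(swapped, KT_ROOT, proof))
```

What this shows is the property the article attributes to the design: a directory that hands a device a substituted key cannot also produce a valid inclusion proof against the root the device already holds, so the substitution is detected on the device, and that check is what the "consistency proofs" verified across a user's devices build on.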

Additionally, iMessage contact key verification allows users to perform manual contact verification code comparisons using the Vaudenay SAS protocol. Upon successful verification, the hash of the peer’s account key is saved to an end-to-end encrypted CloudKit container and linked to the peer’s card.

“Because the contact card is linked, all conversations with the peer’s identifiers — phone number and email address — are marked as verified. Group chats with peers that have been independently verified one-to-one are also automatically marked as verified,” Apple explains.

iMessage contact key verification is now available in the developer previews of iOS 17.2, macOS 14.2, and watchOS 10.2.

Related: Stealth Techniques Used in ‘Operation Triangulation’ iOS Attack Dissected

Related: Apple Patches Actively Exploited iOS, macOS Zero-Days

Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab

https://www.securityweek.com/apple-improves-imessage-security-with-contact-key-verification/




Adlumin Snags $70M to Boost Security for Mid-Market Firms

Adlumin, a Washington DC startup working on technology to boost security for mid-market firms, has banked $70 million in new financing.

The substantial Series B funding round was led by SYN Ventures, a Florida-based venture capital firm placing early-stage bets in cybersecurity startups. The company said First In Ventures, Washington Harbour Partners, and BankTech Ventures also took equity positions.

The latest financing brings the total raised by Adlumin to $83 million and stamps the company as a key player in the security operations and MDR (managed detection and response) category.

Adlumin is targeting small and mid-market organizations with an enterprise-grade offering with simplified pricing “to defend against the same threats targeting the world’s largest businesses and government organizations.”

The company has found customers among smaller law firms, banks, financial services firms, schools, manufacturers, and healthcare providers that have been overlooked by cybersecurity vendors.

Adlumin’s security tooling, sold through one license and one platform, includes SIEM, vulnerability scanning, threat intelligence, UEBA threat hunting, honeypots, automated incident response and forensics, darknet exposure monitoring, and compliance reporting and monitoring.

“[The] Adlumin platform is specifically built to enhance collaboration with service providers who can deliver the type of expert support that is difficult for organizations to hire and retain on their own,” the company said.


“Adlumin offers its own managed detection and response (MDR) services that provide customers with 24×7 human insights, threat hunting and trusted support. Adlumin also works closely with managed service providers (MSPs) and managed security service providers (MSSPs) who use its platform to serve their customers,” Adlumin added.

Related: Coro Raises $75 Million for Mid-Market Cybersecurity Platform

Related: Microsoft Defender Takes Aim at Mid-Market

Related: How Mid-market Enterprises Can Protect Against Ransomware Attacks

https://www.securityweek.com/adlumin-snags-70m-to-boost-security-for-mid-market-firms/




Darwinium Raises $18 Million for Edge-Based Fraud Prevention Tech

Darwinium, a San Francisco startup in the fraud prevention space, has nabbed $18 million in new capital to build technology to help businesses deal with the deluge of bots, scams and online abuse.

The company, which has roots in Australia, said the $18 million Series A round was led by U.S. Venture Partners (USVP). Darwinium’s seed-stage investors Blackbird, Airtree Ventures and Accomplice also took new equity positions.

Since its launch in 2021, Darwinium has raised $26 million to work on a digital security and fraud prevention platform running on the perimeter edge.

The company is boasting that its platform combines digital security with fraud prevention to create a single view of customer journeys across the web, mobile apps and APIs and provide fraud analytics with customer journey orchestration tooling.

Darwinium argues that its unique integration point — running on the perimeter edge via Content Delivery Networks (CDNs) — gives businesses a continuous view of user behavior, from pre-authentication, through account creation, login, change-of-details, and payments, all via one deployment. 

“Moving fraud and risk decisions to the perimeter edge is privacy preserving and low latency. It also removes the reliance on ‘point-in-time’ API-based solutions that are vulnerable to exploitation via operational silos and disjointed risk assessments,” the company added.

Darwinium said customers are using its platform to separate human and bot traffic, add downstream context from upstream user behavior, protect customers from account takeover and identity spoofing, identify scams and social engineering behaviors, block content and promo abuse, and detect fraudulent payments.


Last November, Darwinium announced a $10 million seed round and said its product had already been adopted by organizations in the banking, ecommerce, gaming, payments, and travel sectors.

The company is founded by Alisdair Faulkner, who previously founded and scored an exit with ThreatMetrix, a fraud detection firm that was acquired for $817 million in 2018.

Related: Darwinium Raises $10 Million for Customer Protection Platform

Related: Descope Targets Customer Identity Market with Massive $53M Seed Round

Related: Investors Place Early $4 Million Bet on Stack Identity

Related: Prove Identity Snags $40M Funding for ID Verification Tech

https://www.securityweek.com/darwinium-raises-18-million-for-edge-based-fraud-prevention-tech/




Beyond Quantum: MemComputing ASICs Could Shatter 2048-bit RSA Encryption

San Diego-based MemComputing is researching the use of in-memory processing ASICs (Application Specific Integrated Circuits) to potentially crack 2048 bit RSA in real time.

MemComputing is a company and computing philosophy born out of theory. The theory is that if processing and data can be combined in memory, the so-called ‘von Neumann bottleneck’ can be broken. This bottleneck is latency introduced by having storage and processing separate, and the consequent necessity of communicating between the two.

As computational complexity increases, the processing time required by classical computers increases too, but exponentially. The result of the bottleneck is that a category of complex mathematical problems cannot be solved by classical computers (basic von Neumann architecture) in any meaningful time frame.

“Among intractable combinatorial problems, large-scale prime factorization is a well-known challenge,” MemComputing researchers wrote in a paper titled Scaling up prime factorization with self-organizing gates: A memcomputing approach (PDF). It is the intractability of this problem that has kept RSA-based encryption theoretically secure for so long. It’s not that it is mathematically impossible, merely that it would take too long to be realistic using classical computers.

Where theory cannot be demonstrated by fact, the problem and solution are emulated in software. For cracking RSA, “Presently, sieve methods represent the state-of-the-art algorithms showing promise, with the general number field sieve method being the most effective. Nevertheless, even these methods struggle to factor a 2048-bit RSA key within a sensible timeframe, and past instances have taken almost 2700-CPU-years to factor an 829-bit number using computer clusters.”

The von Neumann bottleneck means that time-to-solution increases exponentially. “It is estimated that with current technology using the best-known algorithm (general number field sieve, GNFS), factoring a 2048-bit RSA key would take longer than the age of the universe,” the researchers added.

Quantum computers will be able to solve this problem within a meaningful timeframe. Hence the NIST-driven drive for more complex post-quantum algorithms able to continue protecting encryption. Estimates of the arrival of quantum computers vary greatly, but ‘decades’ is usually quoted.


Enter MemComputing’s combined memory/processing. Simulation shows that the time needed to solve difficult problems grows only polynomially with their complexity rather than exponentially. In other words, difficult problems can be solved very much faster.

MemComputing effectively wanted to know how long it would take its patented in-memory processing to crack RSA, and whether it could be done in a shorter timeframe than waiting for the arrival of quantum computers. The basic study resulted from a Small Business Innovation Research (SBIR) contract with the US Air Force.

The approach taken was to use software emulation focusing on test problems from 30 to 150 bits. “Results showed that the circuit generated the appropriate congruences for benchmark problems up to 300 bits, and the time needed to factorize followed a 2nd-degree polynomial in the number of bits,” MemComputing announced. In other words, with in-memory computing the time needed to factor larger numbers grows far more slowly than the exponential increase seen with classical computers.

“The next step is to extend the effective range beyond 300 bits, which requires customizing the SOG design to even larger factorization problems, with the end goal of realizing the capability in an Application Specific Integrated Circuit (ASIC),” continued the company.

An ASIC is a custom chip. ASICs are already widely used for different applications. They take longer and are more costly to produce than general purpose classical computer chips, but neither the cost nor the lead time is in the same league as developing and waiting for a quantum computer.

Specifically, the researchers said, “The timing for the ASIC realization of the MEMCPU Platform is also reported. The ASIC timing can be easily estimated since the MEMCPU Platform, being a circuit emulator, returns the full dynamics of the circuit, including the simulated runtime. It is worth noting that, at this point in our R&D, the forecast for the ASIC shows the possibility of solving a 2048-bit factorization problem in tens of minutes.”

This conclusion is, of course, theory rather than demonstrable fact. The theory, however, is based on a body of fact, and theoretical research underlies much of today’s demonstrable science. If it all proves practical, the feared ‘cryptopocalypse’ (the death of current encryption) might be sooner than expected – caused by in-memory computing ASICs rather than quantum computers.

Related: How Quantum Computing Will Impact Cybersecurity

Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Related: Quantum Decryption Brought Closer by Topological Qubits

Related: US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

https://www.securityweek.com/beyond-quantum-memcomputing-asics-could-shatter-2048-bit-rsa-encryption/




Paying for Facebook?

Meta is considering charging Europeans for Facebook and Instagram, and is thinking of a subscription of at least 10 euros a month for those who do not want to be shown personalized advertising.

Sources cited by the Wall Street Journal confirmed a plan that Meta has communicated to European privacy regulators, including a monthly fee of 13 euros to access Facebook or Instagram without targeted advertising on mobile devices.

Read also: Meta considers a subscription of at least 10 euros in the EU for Facebook and Instagram without advertising

Consent is king

Meta’s advertising model has faced strong obstacles in the European Union. Fundamentally, in July the Court of Justice of the European Union ruled that the Big Tech company should not collect data on its users’ online activity in order to micro-target them with ads on the basis of the company’s “legitimate interest” and without their explicit consent.

The ruling gave strong backing to privacy regulators, led by Meta’s lead supervisor, the Irish Data Protection Commission, which in January ordered Meta to find a new legal basis under the General Data Protection Regulation (GDPR). Finally, it provided guidance to the European Commission, which in early 2024 will enforce the requirement that Big Tech companies such as Meta obtain consent for targeted advertising.

But the ruling also mentions that Meta could offer users, “if necessary for an appropriate fee”, an alternative way to access its platforms without their data being collected for advertising.

“The CJEU said that the alternative to advertising must be ‘necessary’ and the fee must be ‘appropriate’. I don’t think [160 euros] a year was what they had in mind,” privacy activist Max Schrems said in a press release.

It is not clear, however, whether the plan will satisfy the Irish and other national supervisory authorities, or the Commission. Data protection authorities have already broadly agreed to allow publishers to require users either to pay a subscription or to agree to provide their data for advertising in order to see their content.

In parallel, the Norwegian data protection authority has asked the pan-European network of data protection agencies, the European Data Protection Board (EDPB), to issue an EU-wide ban on Meta tracking users in order to show them personalized advertising. A decision is expected in the coming weeks.

https://www.key4biz.it/pagare-per-facebook/461683/