Industry CMO on the Downstream Risks of “Logo Disclosures”

Cybersecurity Marketing Teams Would Benefit From an Ethics Desk

Jennifer Leggio, chief marketing officer at Flashpoint, is an executive with more than a decade’s experience in managing corporate cyber security marketing at the highest levels — much of the time seeking and advocating a greater ethical stance in marketing. At last month’s Hack in the Box Conference in Amsterdam, she delivered a keynote presentation entitled, ‘A Risk Assessment of Logo Disclosures’.

The basic premise is that failures in the coordinated approach to vulnerability disclosures can seem attractive from an initial marketing perspective, but are damaging to both the industry and its users. The ultimate problem comes from the different missions between security product development and sales teams: the first is purposed to reduce harm, while the latter is purposed to sell product.

In between these teams sit the researchers, whose function is to find weaknesses in security products so that they can be strengthened, and their users better protected. Researchers wish to have their expertise acknowledged, while developers wish to fix their products securely. Between them they have evolved the process known as coordinated disclosure: researchers report their findings to the developer who fixes the faults, and both coordinate simultaneous disclosure of the vulnerability and its fix.

It’s a process — when it works — that ensures the developer fixes the product as rapidly as possible, while the vulnerability does not become a zero-day exploit for use by cybercriminals, overseen by a CERT ‘referee’. The problem comes from undue pressure from marketers, possibly supported by the firm’s business leaders. This is the subject of Leggio’s keynote presentation: the violation of disclosure process to try to diminish competitors, sell more product, or unethically highlight research prowess.

It’s a complex issue because it cuts both ways. Research firms, probably at the behest of marketing, can disclose vulnerabilities ahead of coordination to maximize the publicity of their discovery (and therefore, their visible expertise). Similarly, developers can usurp the agreed coordination date to get fixes out before there is any indication that there was a vulnerability, thereby minimizing any perceived product weakness and negative criticism.

Both have possibly happened in recent months. On March 13, a virtually unknown Israeli firm announced the existence of 13 flaws in AMD chips, after giving AMD just 24 hours to fix them. “It very much felt like a marketing stunt,” Leggio told SecurityWeek.

Two days later, Trail of Bits blogged that they had earlier been retained by CTS to confirm the existence of the AMD flaws — which they did — but commented, “Our recommendation to CTS was to disclose the vulnerabilities through a CERT.” CTS did not follow this advice. This allowed the controversial company Viceroy Research to publish a statement on the same day as CTS disclosed the vulnerabilities:

“These findings demonstrate that AMD’s key products, and it basis for profitability and growth, the EPYC and Ryzen processors, contain severe and pervasive security flaws that put users and organizations at an unacceptable and damaging risk.”

This statement bears all the hallmarks of an attempt to short AMD stock. In January, Moneyweb had described Viceroy Research as a “three-man firm… headed by a previous social worker and two Australian youngsters.” It concluded, “there are doubts as to whether Viceroy conducts its own research or if it is merely a front for other investors that seek to avoid the limelight but profit from it.”

It is possible, then, that unknown investors immediately attempted to profit from the uncoordinated disclosure — a perfect example of the downstream risks highlighted by Leggio.

But it’s not just the researchers that sometimes break the process. Also in March 2018, Core Security released details of a vulnerability in router manufacturer MikroTik’s RouterOS. Core and MikroTik agreed on coordinated disclosure, but just before the agreed date, MikroTik quietly fixed the flaw in an OS update. Whether by design or accident, this allowed the manufacturer to avoid making any disclosure or public recognition of the pre-existing vulnerability.

The risk here is to the end user. Without ever hearing about potential problems, the user can easily assume that there are no problems. It’s a false sense of security that is patently dangerous since compromised MikroTik routers are an important part of IoT botnets. According to one firm, compromised MikroTik routers comprised 80% of a botnet (probably Reaper) that was used in a DDoS attack against Dutch financials in January 2018.

It is such downstream risks of upfront marketing-led breaches of the coordinated disclosure process that Leggio discussed in her keynote presentation. Key to her proposal is the introduction of an ethics or ‘standards desk’ overseeing marketing decisions just as some newspapers have a standards desk overseeing the more contentious news stories.

Marketing teams pushing for external disclosure, she told SecurityWeek, “should have it go through an ethical evaluation to ensure that it’s not compromising any bigger picture — like an LEA investigation — and/or is not tipping-off a cybercriminal that there might be an exploit in their malware that could help law enforcement. You’re basically using coordinated disclosure to help cyber criminals harden their own stuff — needs to be some review there.”

It requires, she added, “a shift in culture and a shift in mindset, making sure that business leaders understand that their sales teams, their marketing teams, their finance teams, their legal teams and so on, are all responsible for making sure that there is an ethical delivery in the message.”

Leggio’s talk is available in the video below:

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/AAp29N_Q1uQ/industry-cmo-downstream-risks-logo-disclosures

Schneider Electric Development Tools Affected by Critical Flaw

Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products.

InduSoft Web Studio is a toolset designed for developing human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions, and InTouch Machine Edition is an HMI/SCADA development tool that can be used for both advanced applications and small-footprint embedded devices. The products are used worldwide in the manufacturing, oil and gas, water and wastewater, automotive, building automation, and renewable energy sectors.

The tools are impacted by a stack-based buffer overflow vulnerability that can be exploited without authentication for denial-of-service (DoS) attacks and arbitrary code execution with elevated privileges.

Tenable, whose employees discovered the flaw, reports that a malicious actor could exploit the weakness to gain complete control of the affected system and use it as a pivot point for lateral movement within the network. The company has released technical details and proof-of-concept (PoC) code.

The security hole is related to InduSoft Web Studio and InTouch Machine Edition functionality that allows HMI clients to read and write tags, and monitor alarms and events.

“The vulnerability is similar to CVE-2017-14024 in that it involves calling mbstowcs() in TCPServer.dll. However, this new vulnerability leverages command 50 instead of command 49. The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234,” Tenable explained.

The company says an attacker can exploit the vulnerability remotely if they are able to connect to port 1234 on the targeted machine.

„This means that if the machine is on a private network, the attacker would need to be on the same network. If, however, the machine and the service/port have been opened to the internet, then an attacker can exploit it via the internet,” Tenable Research told SecurityWeek.

The vulnerability impacts InduSoft Web Studio v8.1 and prior, and InTouch Machine Edition 2017 v8.1 and prior. Schneider Electric patched the flaw with the release of v8.1 SP1 for both products. The vendor acknowledged the issue on January 28 and released patches on April 6. The security firm has confirmed that the patch works.

The similar vulnerability referenced by Tenable, CVE-2017-14024, was patched by Schneider in September 2017. It also impacted InduSoft Web Studio and InTouch Machine Edition, and allowed remote code execution.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/J-C-HT3iL2E/schneider-electric-development-tools-affected-critical-flaw

Over a Million Dasan Routers Vulnerable to Remote Hacking

Researchers have disclosed the details of two unpatched vulnerabilities that expose more than one million home routers made by South Korea-based Dasan Networks to remote hacker attacks.

In a blog post published on Monday, vpnMentor revealed that many Gigabit-capable Passive Optical Network (GPON) routers, which are used to provide fiber-optic Internet, are affected by critical vulnerabilities. The company told SecurityWeek that the impacted devices are made by Dasan Networks.

One of the flaws, tracked as CVE-2018-10561, allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface.

The second vulnerability, identified as CVE-2018-10562, allows an authenticated attacker to inject arbitrary commands.

By combining the two security holes, a remote and unauthenticated attacker can take complete control of a vulnerable device and possibly the entire network, vpnMentor said. The company has published a video showing how the attack works:

[embedded content]

A Shodan search shows that there are more than one million GPON home routers exposed to the Internet, a majority located in Mexico (480,000), Kazakhstan (390,000), and Vietnam (145,000).

“Depending on what the attacker wants to achieve, he can be spying on the user and any connected device (TV, phones, PC and even speakers like Amazon Echo). Also he can inject malware into the browser which means even when you leave your home network your device would be hacked now,” Ariel Hochstadt, co-founder of vpnMentor, told SecurityWeek. “If the hacker is resourceful (government etc) he can enable advanced spear phishing attacks, and even route criminal activities through exploited routers (Imagine the FBI knocks on your door telling you they saw someone in your house using your IP address and selling stolen credit card numbers on the dark web).”

vpnMentor said it did try to report its findings to Dasan before making any information public, but it did not receive a response. Dasan representatives, specifically a PR agency, reached out to vpnMentor on LinkedIn after its blog post was published.

While in some cases Dasan has shown interest in working with researchers who discovered vulnerabilities in its products, there are some advisories online describing potentially critical issues that the vendor has apparently ignored.

Malicious actors have been known to target Dasan devices. Researchers reported recently that the Satori botnet had ensnared thousands of Dasan routers by exploiting a remote code execution vulnerability. The flaw in question was disclosed in December 2017 by Beyond Security, which claimed the vendor had ignored repeated attempts to report the issue.

This is not the first time vpnMentor reports finding vulnerabilities in network devices. Last month, the company disclosed the details of an unpatched command injection vulnerability that can be exploited to take control of network-attached storage (NAS) devices from LG.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/WoOZQVxWncs/over-million-dasan-routers-vulnerable-remote-hacking

Privilege Escalation Bug Lurked in Linux Kernel for 8 Years

A security vulnerability in a driver leading to local privilege escalation in the latest Linux Kernel version was introduced 8 years ago, Check Point reveals.

The security flaw provides a local user with access to a vulnerable privileged driver with the possibility to read from and write to sensitive kernel memory. Tracked as CVE 2018-8781, the vulnerability could be exploited to escalate local privileges, Check Point’s researchers say.

The bug impacts the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink” and was discovered using a simple search.

Because drivers commonly implement their own version of file operation functions, they are prone to implementation errors, and the discovery of this vulnerability is proof of that.

In fact, there are various common vulnerabilities impacting drivers where the mmap() handler is used, such as lack of input validations and Integer-Overflows.

A classic driver, the researchers explain, holds an internal buffer representing the shared memory region with the peripheral device, and should only let the user access memory ranges inside this buffer.

The prototype of the mmap() function includes numerous fields that an attacker can control and developers should perform a series of checks and to avoid possible Integer-Overflows to eliminate issues.

According to Check Point, there are three checks that should be performed: Region start: 0 <= offset < buffer’s end; Region end: buffer’s start <= offset + length <= buffer’s end; and Region start <= Region End.

“In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check,” Check Point says.

The researchers discovered the security flaw while taking a closer look at remap_pfn_range(), a function of high importance, because it maps physical memory pages to the user.

“The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap() handler defined by the specific driver,” the security researchers note.

The bug is a classic example for an Integer-Overflow: there’s an unsigned offset, thus the first check is skipped, and the calculation “offset + size,” however, can bypass the second check while still using an illegal “offset” value.

As there are only 48 bits of accessible memory on 64-bit machines, the use of a huge “offset” to bypass the check requires making sure that “info->fix.smem_start + offset” will wrap-around to a valid mappable physical address, Check Point also notes.

The vulnerability was verified on an Ubuntu 64-bit virtual machine where a simulated vulnerable driver was uploaded. The driver’s mmap() handler included the implementation to check in each test.

Two consecutive calls to mmap() on the vulnerable driver were made by user-mode code, namely a sanity check and a vulnerability check.

Setting the buffer’s address at the page-aligned physical address of the kernel’s /dev/urandom implementation results in the output providing the correct physical page and the previous physical page, respectively.

Additional checks revealed that it is possible for the user to read and write from/to the mapped pages. Thus, an attacker could eventually trigger code execution in kernel space, the researchers explain.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search,” Check Point concludes.

The vulnerability was disclosed to the Linux Kernel on March 18 and a patch was issued the same day. After the patch was verified, the official Linux patch was issued for CVE 2018-8781 on March 21 and was integrated to the Linux Kernel the same day.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/cqAOjLvujYQ/privilege-escalation-bug-lurked-linux-kernel-8-years

Microsoft Brings Application Guard to Windows 10 Pro

Microsoft of Monday made Windows 10 April 2018 Update available to users, which brings new features, enhancements and security updates, along with improvements to Windows Defender Security Center.

One of the main changes in the update is the availability of Windows Defender Application Guard (WDAG), which allows users to browse the Internet while being protected from sophisticated browser attacks.

First detailed in January last year, Windows Defender Security Center is receiving various enhancements to provide increased ease-of-use. The Center was designed to simplify the manner in which users view and control the security protections the platform, as well as to help people better understand and leverage the security features protecting them.

With the release of Windows 10 April 2018 Update, the Security Center offers quick access from the context menu when right-clicking on the Windows Defender Security Center icon in the notification area. This menu allows users run a quick scan, update Windows Defender Antivirus definitions, change the notifications, and open the Security Center.

Now, users can also take advantage of the Account Protection pillar in Windows Defender Security Center, which makes it easier for them to protect their identity when signing into Windows. The feature encourages local account users to connect a Microsoft Account (MSA) and password users to set up Windows Hello Face, Fingerprint or PIN for faster and more secure sign in.

Additionally, Dynamic lock now leverages the alerting system in Windows Defender Security Center to inform users when it has stopped working because the Bluetooth on their phone or device is off, Microsoft announced.

A Device Security pillar in the Security Center now delivers greater insight into the security features integrated in Windows devices. There, users can access status reporting, can manage security features built into their devices, and can also toggle features on for enhanced protections.

The update also brings along additional options for how notifications are delivered. Users can now customize the type of notifications they receive from Windows Defender Security Center, can disable or enable notifications about recent, automatic scans or about threats or files that have been blocked.

With the April 2018 update, Microsoft is also enabling Windows 10 in S mode on both Windows 10 Home and Pro PCs. In addition to flexibility and increased performance, Windows 10 in S mode also delivers more protections, as all applications are verified by Microsoft for security and performance.

The update also brings OneDrive Files Restore integration in Windows Defender, which should provide users with expanded ransomware protection. With the new feature, users can save their files to OneDrive and keep files safe from malware.

“If a ransomware threat is found on a device, Windows Defender will notify you of the threat, help you remove the ransomware from your device, and give you the option to use OneDrive Files Restore so you can recover your OneDrive files to the state they were in before the attack occurred,” Microsoft explains.

Office 365 Home subscribers, Office 365 Personal subscribers, and OneDrive for Business users can currently benefit from Files Restore, which allows them to restore their OneDrive to a previous point in time within the last 30 days.

Windows 10 April 2018 Update brings along a new Single Sign-On experience too. Now, users can sign into one Microsoft app or service on a device to be signed into all of them. Users can sign with a Microsoft account into Office 365 and use that account across a full range of Microsoft apps and services.

All Office 365 subscribers will benefit from this feature by June, Microsoft says. All they require is the April 2018 update installed and the latest version of Office. Users will be able to select which Microsoft apps they sign into.

“While all new accounts added will be able to opt into this by default, it can be extended to accounts you have already added as well. Just head to the Settings app, click ‘Accounts’ followed by ‘Email & app accounts’. Choose the account you added previously and select “Microsoft apps can sign me in” from the drop-down,” Microsoft explains.

The April 2018 Update also makes it easier for Microsoft account users to set up Windows Hello on their compatible devices, the company says. Previously, users had to dive deep into Settings to find Windows Hello, but the option to set up Windows Hello Face, Fingerprint or PIN is now accessible directly from the lock screen (by clicking the Windows Hello tile under Sign-in options).

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/MSS3nV-FqyM/microsoft-brings-application-guard-windows-10-pro

Slack Releases Open Source Secure Development Lifecycle Tool

Team collaboration solutions provider Slack last week announced that one of the secure development lifecycle (SDL) tools used internally by the company has been released as open source.

The tool, named goSDL, is a PHP-based web application designed to provide developers and project managers a list of questions and checklists that should help them improve the security of new software and features. It is meant to be used at the middle or near the end of a project.

After providing some general information about their project, developers using goSDL are instructed to answer some questions for an initial risk assessment. Among other things, developers are asked if they believe the involvement of the security team is necessary, and if their code adds new authentication features or changes existing security controls.

Once the initial assessment has been completed, goSDL requires developers to provide information about the components they are using, including web technologies, programming languages, and parsers. New components can be easily added to the questionnaire via JSON plugins.

Based on the responses provided in the previous phases, goSDL then generates security checklists that are relevant to the project. For tracking purposes, two JIRA tickets are created – one for the developer and one for the security team, allowing it to track its own review.

“The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers,” Slack said. “This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project.”

goSDL can be used with Atlassian’s Jira Enterprise issue tracker and the Trello project management application. The goSDL source code, along with usage instructions, can be found on GitHub.

“By open-sourcing goSDL, we hope to enable other growing organizations to scale their security. We also hope to learn from their experience; we welcome contributions to the tool, its modules, and its checklists, and are excited to see what pull requests will come in!” said Max Feldman of the Slack Product Security team.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/kBjUOQJEzDY/slack-releases-open-source-secure-development-lifecycle-tool

All Chrome OS Devices Now Protected Against Meltdown

The latest version of Chrome OS now keeps all devices protected from Meltdown, Google says.

Available as Chrome OS 66.0.3359.137 (Platform version: 10452.74.0), the new Chrome OS release includes additional patches for the critical processor vulnerability, in addition to various new features and bug fixes.

The Meltdown attack was disclosed in the beginning of 2018 alongside another critical CPU bug, Spectre. The two attacks are possible because design flaws in Intel, AMD, ARM and other processors allow malicious programs to bypass memory isolation and access sensitive data.

Google started rolling out Meltdown mitigations in mid-December – before the attacks became public knowledge –, pushing a kernel page-table isolation (KPTI/KAISER) patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others.

Last month, the company released Chrome OS 65 to make the KPTI mitigation against Meltdown available for additional Intel devices with version 3.14 of the kernel.

“Intel devices on 3.8 kernels received the KPTI mitigation against Meltdown with Chrome OS 66. All Chrome OS devices are now protected against Meltdown,” Josafat Garcia, Google Chrome, explains in a blog post.

The updated platform iteration is already rolling out to users and should arrive on all devices within days.

Late last week, Google also released an update for the Chrome browser to patch a critical security vulnerability in it, less than two weeks after Chrome 66 landed in the stable channel.

Tracked as CVE-2018-6118, the critical issue was reported by security researcher Ned Williamson on April 12. The vulnerability, a use-after-free in Media Cache, can be exploited by a malicious actor to cause denial of service and possibly execute arbitrary code.

Unfortunately, Google hasn’t provided specific details on the vulnerability itself, nor on its CVSS rating, but it did reveal that the researcher received a $10,500 reward for the discovery.

Released as version 66.0.3359.139 and available for Windows, Mac, and Linux users, the updated browser iteration patches a total of three security flaws.

The remaining two vulnerabilities were found internally and Google hasn’t released details on them either.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/pi_Rbo9g45w/all-chrome-os-devices-now-protected-against-meltdown

Hackers Target Poorly Patched Oracle WebLogic Flaw

Hackers have been scanning the Internet for Oracle WebLogic Server installations that can be taken over using a recently addressed vulnerability. While patched systems should be protected against attacks, experts claim the fix implemented by Oracle can be bypassed.

One of the 254 issues resolved by Oracle with its April 2018 CPU is CVE-2018-2628, a critical remote command execution flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server. Oracle has credited Liao Xinxi of the NSFOCUS Security Team and an individual who uses the online moniker loopx9 for reporting this security hole to the company.

Unauthenticated attackers can exploit this vulnerability remotely via the T3 transport protocol on TCP port 7001 and the task is made easy by the fact that proof-of-concept (PoC) code has already been made available.

One of the first people to disclose details of the vulnerability was Liao Xinxi himself. Developer Davide Tampellini used that information along with PoC code released by others to create a weaponized exploit that can be used to spawn a remote shell.

GreyNoise Intelligence reported seeing a “large spike” in devices scanning the Web for port 7001 shortly after the first PoCs surfaced. GreyNoise’s reports are backed by data from other companies, including SANS and Qihoo 360.

While there have not been any reports of servers actually being hacked using CVE-2018-2628, Oracle WebLogic Server has been known to be targeted by malicious actors. For instance, FireEye revealed in February that cybercriminals had been exploiting CVE-2017-10271, a WebLogic Server flaw patched by Oracle in October 2017, to deliver cryptocurrency miners. A possibly related threat group was also spotted recently exploiting the Drupal vulnerability known as Drupalgeddon2.

While users should in theory be protected against attacks exploiting CVE-2018-2628 if they have applied Oracle’s patch, a China-based security researcher who uses the online moniker Pyn3rd claims the fix can be easily bypassed.

Researcher Kevin Beaumont confirmed that bypassing the patch is possible and advised users to block port 7001 to mitigate attacks.

Oracle WebLogic flaw exploited in the wild

SecurityWeek has reached out to Oracle for comment and will update this article if the company responds.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/y-BucZTm38M/hackers-target-poorly-patched-oracle-weblogic-flaw

PDF Files Can Silently Leak NTLM Credentials

NTML credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction, Check Point security researchers warn.

Attackers looking to steal the credentials for the NT LAN Manager (NTLM) authentication protocol (which consist of a domain name, a user name, and a one-way hash of the user’s password) can do so by abusing a feature where remote documents and files can be embedded inside PDF files.

PDF files, the security researchers explain, consist primarily of objects, together with Document structure, File structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.

A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (may be any kind of object). Represented by dictionary objects, the pages of a document are called page objects and consist of required and optional entries.

One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (/C) and consists of 3 required entries: /S, /F, and /D, describing the type of action to be performed – GoToR (Go To Remote) and GoToE (Go To Embedded) –, the location location of the other PDF, and the location to go to within the document.

“By injecting a malicious entry (using the fields described above together with his SMB server details via the ‘/F’ key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details,” Check Point explains.

The security researchers, who also published a proof-of-concept, explain that the victim has no way of noticing the abnormal behavior. There is no evidence of the action being performed, nor a security alert.

Once the PDF file has been executed, the NTLM details are sent to the attacker’s server to be used for various SMB relay attacks.

According to Check Point, the issue likely impacts all PDF-viewers for Windows, as all of them will reveal the NTLM credentials.

The security researchers informed Adobe on the vulnerability, but the company said a fix won’t be released, because Microsoft is already offering users the possibility to prevent such attacks from happening in the first place.

In October 2017, the software giant made some optional Windows NTLM Single Sign-On (SSO) authentication changes to prevent “authentication with resources that are not marked as internal by the Windows Firewall.”

“Microsoft is releasing this new functionality as a mitigation to NTLM dictionary attacks. Microsoft continues to recommend that customers move to public key authentication methods for applications which do not support modern authentication, and use negotiate with Kerberos authentication whenever possible,” the company explained in an advisory.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/TTRaCmkmRT8/pdf-files-can-silently-leak-ntlm-credentials

Uber Updates Bug Bounty Program

Uber updates bug bounty program

Uber last week updated the legal terms of its bug bounty program and provided guidance for good faith vulnerability research. The changes come just months after the ride-sharing giant admitted paying a couple of individuals as part of an effort to cover up a massive security incident.

Uber says it has addressed nearly 200 flaws for which it has awarded more than $290,000 since August 2017, bringing the total paid out by the company since the launch of its bug bounty program to over $1.4 million.

The new terms provide more specific guidance on what is and what is not acceptable conduct in terms of vulnerability research. Bug bounty hunters are now also provided clearer instructions on what to do if they come across user data during their investigations.

Researchers acting in good faith are informed that Uber will not initiate or recommend legal action against them. Furthermore, if a third party files a lawsuit, the company has promised to let them know that the activities were conducted in compliance with its program.

These changes are similar to ones announced recently by Dropbox, which has promised “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.”

These updates come just months after Uber admitted suffering a data breach that resulted in the information of 57 million riders and drivers, including 25 million individuals located in the United States, being taken from the company’s systems in 2016.

Uber’s security team was contacted in November 2016 by an individual who claimed to have accessed Uber data and demanding a six-figure payment. This individual and an accomplice had found the data in an Amazon Web Services (AWS) S3 bucket used for backup purposes.

After confirming the claims, the ride-sharing firm decided to pay the hackers $100,000 through its HackerOne-based bug bounty program to have them destroy the data.

Uber CISO John Flynn admitted during a Senate hearing in February that it was wrong not to disclose the breach earlier, and admitted that the company should not have used its bug bounty program to deal with extortionists.

On its HackerOne page, Uber now tells researchers, “Don’t extort us. You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.”

A code of conduct added by HackerOne to its disclosure guidelines shortly after news broke that Uber used the platform to pay off hackers includes an entry on extortion and blackmail, prohibiting “any attempt to obtain bounties, money or services by coercion.” It’s unclear if the code of conduct came in response to the Uber incident, but the timing suggested that it may have been.

Uber typically pays between $500 and $10,000 for vulnerabilities found in resources covered by its bug bounty program, but the company has paid out up to $20,000 for serious issues.

Uber has informed white hat hackers that they can now earn an additional $500 if their vulnerability report includes a “fully scripted” proof-of-concept (PoC).

The company also announced the launch of a pilot program in which bounties donated to a charity through HackerOne will be matched. Donations will initially be matched up to a total of $100,000, but the program may be expanded once that milestone is reached.

Related: Bug Allowed Free Uber Rides

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/xhM1J8u1Tgk/uber-updates-bug-bounty-program