Patch for macOS Root Access Flaw Breaks File Sharing
30.11.2017 securityweek Apple
The patch released by Apple on Wednesday for a critical root access vulnerability affecting macOS High Sierra appears to break the operating system’s file sharing functionality in some cases. The company has provided an easy fix for affected users.

The flaw, tracked as CVE-2017-13872, allows an attacker to gain privileged access to a device running macOS High Sierra by logging in to the root account via the graphical user interface with the username “root” and any password. Apple has disabled the root account by default and when users attempt to log in to this account, the password they enter is set as its password. If the password field is left blank, there will be no password on the root account.

The vulnerability can be exploited locally, but remote attacks are also possible if sharing services are enabled on the targeted machine.

While the issue was mentioned on Apple developer forums on November 13, the tech giant only learned about it on November 28, when a Turkish developer posted a message on Twitter. A patch was released within 24 hours, but since Apple did not have enough time to test the fix, it appears to introduce other problems.

Some users may find that the file sharing functionality no longer works after they have installed the security update for High Sierra 10.13.1.

An advisory published by Apple shortly after the release of the update provides recommendations on how to repair file sharing. Users simply need to open the Terminal, type the command sudo /usr/libexec/configureLocalKDC, and enter their administrator password when prompted. This should address the issue until Apple releases another update.

Attacks exploiting CVE-2017-13872 can also be prevented by manually setting a password for the root user account or disabling sharing services if not needed. Apple said the security hole does not affect macOS Sierra 10.12.6 and earlier.

This is not the only authentication bug found in macOS High Sierra recently. Last month, a developer noticed that the operating system had leaked the passwords for encrypted Apple File System (APFS) volumes via the password hint.

New Custom RAT Hits Targets in East Asia
30.11.2017 securityweek Virus
A newly discovered custom remote access Trojan (RAT) has been used in attacks on personnel or organizations related to South Korea and the video gaming industry, Palo Alto Networks reveals.

Called UBoatRAT, and distributed through Google Drive links, the RAT obtains its command and control (C&C) address from GitHub and uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.

The malware was initially spotted in May 2017, when it was a simple HTTP backdoor using a public blog service in Hong Kong and a compromised web server in Japan for C&C. Since then, the developer added various new features to the threat and released updated versions during summer. The analyzed attacks were observed in September.

While the exact targets aren’t clear at the moment, Palo Alto Networks believes they are related to Korea or the video games industry, due to the fact that Korean-language game titles, Korea-based game company names, and some words used in the video games business were used for delivery.

UBoatRAT, the security researchers say, performs malicious activities on the compromised machine only when joining an Active Directory Domain, which means that most home user systems won’t be impacted, since they are not part of a domain.

The malware is delivered through a ZIP archive hosted on Google Drive and containing a malicious executable file disguised as a folder or a Microsoft Excel spread sheet. The latest variants of the malware masquerade as Microsoft Word document files.

Once running on a compromised machine, the threat checks for virtualization software such as VMWare, VirtualBox, QEmu, and then attempts to obtain Domain Name from network parameters. If it detects a virtual environment or fails to get the domain name, it displays a fake error message and quits.

Otherwise, UBoatRAT copies itself to C:\programdata\svchost.exe, and creates and executes C:\programdata\init.bat, after which it displays a specific message and quits.

The malware uses the Microsoft Windows Background Intelligent Transfer Service (BITS) – a service for transferring files between machines – for persistence. BITS jobs can be created and monitored via the Bitsadmin.exe command-line tool, which offers an option to execute a program when the job finishes transferring data or is in error, and UBoatRAT uses this option to run on the system even after reboot.

The C&C address and the destination port are hidden in a file hosted on GitHub, and the malware accesses the file using a specific URL. A custom C&C protocol is employed for communication with the attacker’s server.

Backdoor commands received from the attacker include: alive (checks if the RAT is alive), online (keeps the RAT online), upfile (uploads file to compromised machine), downfile (downloads file from compromised machine), exec (executes process with UAC Bypass using Eventvwr.exe and Registry Hijacking), start (starts CMD shell), curl (downloads file from specified URL), pslist (lists running processes), and pskill (terminates specified process).

Palo Alto researchers have identified fourteen samples of UBoatRAT, as well as one downloader associated with the attacks. The researchers also associated the malware with the GitHub account ‘elsa999’ and determined that the author has been frequently updating repositories since July.

“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat. We will continue to monitor this activity for updates,” Palo Alto concludes.

Court Investigating Whether Uber Connived to Cover its Tracks
30.11.2017 securityweek Privacy
Uber Under Investigation

Uber, the ride-sharing giant hit with a number of scandals in recent months, is now suspected of operating a program to hide nefarious tactics.

The start of a trial in Waymo's suit against Uber over allegedly swiped self-driving car technology was put on hold this week while the court looked into whether evidence of a cover-up was withheld.

An internal letter from a former employee contended Uber had a team that "exists expressly for the purpose of acquiring trade secrets, code base, and competitive intelligence."

Techniques used included smartphones or laptop computers that couldn't be traced back to the company, and communicating through encrypted, vanishing message service Wickr, according to the letter and a transcript of courtroom testimony obtained by AFP.

"You never told me that there was a surreptitious, parallel, nonpublic system that relied upon messages that evaporated after six seconds or after six days," US District Judge William Alsup said to a member of Uber's legal team. "You never mentioned that there were these offline company-sponsored laptops that -- where the engineers could use that."

The letter signed by former Uber manager of global intelligence Richard Jacobs told of an effort to evade discovery requests, court orders, and government investigations "in violation of state and federal law, as well as ethical rules governing the legal profession."

Jacobs was questioned in court, saying he left Uber early this year with a compensation deal valued at $4.5 million that required him not to disparage the company.

Uber executives who also testified refuted references to wrongdoing and trail-covering.

Uber's deputy general counsel said the allegations in the letter were a tactic by a departing employee to get money from the company and had no merit, according to news website Recode.

The case stems from a lawsuit filed by Waymo -- previously known as the Google self-driving car unit -- which claimed former manager Anthony Levandowski took technical data with him when he left to launch a competing venture that went on to become Otto and was later acquired by Uber.

- Shifting gears -

The courtroom drama is playing out as Uber's new chief executive Dara Khosrowshahi strives to get the company on course and prepare for a stock market debut in 2019.

Khosrowshahi's stated goal of shifting Uber to an era of responsible growth -- after a period of growth at any price -- is beginning to appear Herculean.

"They have a long way to go to win back the trust of both its users who no doubt are quite frustrated in not fully knowing what all of this means to them personally, as well as the financial community," analyst Jack Gold said of Uber.

Uber is a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.

Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.

US justice officials are also investigating suspicions of foreign bribery and use of illegal software to spy on competitors or escape scrutiny of regulators.

Challenges at Uber include conflicts with regulators and taxi operators, a cut-throat company culture, and board members feuding with investors over co-founder and ousted chief Travis Kalanick.

The hard-charging style that helped Uber succeed also made Kalanick a target for critics.

Dents to Uber's image include a visit by executives to a South Korean escort-karaoke bar, an attempt to dig up dirt on journalists covering the company, and the mishandling of medical records from a woman raped in India after hailing an Uber ride.

- SoftBank hard cash -

Japanese telecommunications giant SoftBank this week began offering to buy out Uber investors, reportedly at a price well below the value used for the startup's last funding round.

If the investment goes ahead as proposed, SoftBank would directly pump between $1 billion and $1.25 billion into Uber at the San Francisco-based startup's current valuation of $69 billion, according to a source familiar with the matter.

As a secondary investment move, the Japanese group would buy outstanding shares from large investors at a discounted price, the source said.

"SoftBank and Dragoneer have received indications from Benchmark, Menlo Ventures, and other early investors of their intent to sell shares in the tender offer," a SoftBank spokesperson told AFP.

Meanwhile, Uber's loss in the third quarter of this year widened to $1.46 from a loss of $1.1 billion in the second quarter, according to a Bloomberg report.

Kritická zranitelnost v macOS, miliony počítačů jsou ohroženy: jak se zabezpečit?

30.11.2017 SecurityWorld Apple
Apple šlápl vedle a do nejnovější verze operačního systému macOS, High Sierra, nechal dostat extrémně nebezpečnou zranitelnost. Uživatelé si však před vydáním opravných aktualizací mohou pomoci sami.

Kdokoliv, kdo má fyzický přístup k vašemu Macu, se nyní může jednoduše dostat dovnitř.

Problém poprvé odhalil zákazník Applu Lemi Orhan Ergin ve tweetu. Zda bylo rozumné ihned chybu takto zveřejnit, aby se o ní co nejsnáze dozvěděli i potenciální zločinci, o tom se dá polemizovat, avšak kritičnost zranitelnosti vystihuje dobře: „Vážený @AppleSupport, povšimli jsme si *obrovského* bezpečnostního problému v MacOS (sic) High Sierra. Kdokoli se může přihlásit pomocí jména ‚root‘ a prázdného hesla poté, co několikrát klikne na tlačítko přihlášení. Víte o tom @Apple?“

Ano – kdokoli napíše do políčka pro jméno „root“ a několikrát klikne na přihlásit, dostane se do systému. Po několika pokusech se daná osoba dostane do systému. Úspěšně to již odzkoušelo mnoho lidí.

Jde o chybu majestátních rozměrů: uživatelský účet s přízviskem „root“ je totiž – jak název napovídá – superuser, tedy uživatel schopný přepisovat práva ostatních uživatelů, nastavení systému, instalovat software, přistupovat k souborům všech uživatelů a podobně.

Americká mutace Computerworldu ihned kontaktovala Apple, dostalo se jí takové odpovědi: „Pracujeme na softwarové aktualizaci, která chybu vyřeší. Mezitím lze nastavit heslo pro administrátorský přístup (root), což znemožňuje neoprávněný přístup. Jak nato poradí tato stránka (anglicky). Pokud už máte položku ‚Root User‘ nastavenu, prosím nastavte heslo pro přístup k rootu.“

Uživatelský účet se zvýšenými pravomocemi je v základu deaktivován na většině systémů, tato chyba však u Macu umožní přihlášení jako root i přesto, že by to jít nemělo. Aktivování root účtu a nastavení hesla zabrání možnému zneužití systému pomocí výše popisované zranitelnosti.

Rychlejší je nastavení hesla pomocí Terminálu – pokud víte co děláte, můžete tuto variantu použít namísto návodu od Applu. Terminál zapněte a zadejte příkaz (bez uvozovek) „passwd root“, klepněte na enter při dotazu na staré heslo a pak zadejte heslo nové. Budete nuceni jej vepsat ještě jednou, pak jste však již proti chybě chráněni.

Chyba nijak neohrožuje starší verze macOS, týká se pouze High Sierra.

Existence této chyby je absolutně neospravedlnitelná, obzvláště u Applu, který bezpečnost systému často vychvaluje. Čím dříve přijde aktualizace systému, tím lépe.

Android Malware Steals Data from Social Media Apps
29.11.2017 securityweek Android

A newly discovered backdoor that has managed to infect over one thousand Android devices was designed to steal sensitive data from popular social media applications, Google reveals.

Dubbed Tizi, the malware comes with rooting capabilities and has been already used in a series of targeted attacks against victims in African countries such as Kenya, Nigeria, and Tanzania. Discovered by the Google Play Protect team in September 2017, the backdoor appears to have been in use since October 2015.

A fully featured backdoor, Tizi installs spyware that allows it to steal sensitive data from the targeted applications, Google says. The malware family attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.

To date, Google has identified over 1,300 devices affected by the malware. According to the company, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi's capabilities. If none of the exploits work, the Tizi apps attempting to gain root will switch to perform the action through the high level of permissions it asks from the user.

Once it has gained root on the compromised device, the threat can proceed to stealing sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

After infection, the malware usually contacts its command and control (C&C) by sending an SMS with the device's GPS coordinates to a specific number. Subsequent communication with the C&C, however, is performed over HTTPS, but some versions of the malware also use the MQTT messaging protocol to connect to a custom server.

“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” Google says.

On top of that, however, the malware can also record ambient audio and take pictures without displaying the image on the device's screen.

To stay safe, users are advised to pay close attention to the permissions they grant to newly installed applications; to enable a secure lock screen, such as PIN, pattern, or password; keeping their devices up-to-date at all times, given that the threat exploits old, known vulnerabilities; and ensure Google Play Protect is enabled.

Hackers Target U.K. Shipping Giant Clarkson
29.11.2017 securityweek Hacking
Clarkson, one of the world’s largest providers of shipping services, informed the public on Tuesday that it has suffered a security breach and the hackers may release some data taken from its systems.

Clarkson provided only few details citing the ongoing law enforcement investigation, but the information it made public suggests that it was targeted by cybercriminals who tried to get the company to pay a ransom in order to avoid having its data leaked online.

The shipping giant said the attackers gained access to its systems using a single compromised user account, which has been disabled following the incident.

The company had been expecting the hackers to publish some data on Tuesday, but so far there haven’t been any reports of that happening.

“As a responsible global business, Clarksons has been working with the police in relation to this incident,” Clarkson said in a statement. “In addition, the data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information.”

Clarkson has started notifying affected customers and individuals. The organization claims it has been conducting a cybersecurity review of its systems and it plans on rolling out new IT security measures – in addition to the ones introduced in response to this security incident.

“As you would rightly expect, we’re working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future,” said Andi Case, CEO of Clarkson. “We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised.”

While Clarkson may have refused to pay the ransom demanded by the attackers, there are plenty of companies willing to pay up in order to avoid having to deal with a data breach becoming public knowledge.

Some studies have shown that 40% of businesses have paid the ransom demanded by hackers. Others studies said 70% accepted to pay, and half of them coughed up more than $10,000. One example is a Hollywood hospital that last year paid $17,000 to recover files encrypted by a piece of ransomware.

Some organizations attempt to negotiate with the attackers. HBO reportedly offered $250,000 to hackers who demanded millions of dollars, but the offer was not accepted. A South Korean web hosting provider also negotiated with cybercriminals, but still ended up paying $1 million after over 150 of its Linux servers were compromised.

Apple Patches Critical Root Access Flaw in macOS
29.11.2017 securityweek Apple
Apple has released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.

The flaw was first mentioned on Apple developer forums on November 13 by a user who had been trying to help others solve a macOS issue related to all their admin accounts being turned into regular accounts after updating to High Sierra. However, Apple apparently only learned of it on Tuesday after a Turkish web developer sent a tweet to Apple Support and the press started covering the issue.

Within 24 hours of the tweet, Apple announced that High Sierra has been updated to version 10.13.1 to address the vulnerability, which the company tracks as CVE-2017-13872.

Apple has described the flaw as a logic error in the validation of credentials. “An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company said in its advisory.

According to the tech giant, the vulnerability does not affect macOS Sierra 10.12.6 and earlier versions of the operating system.

CVE-2017-13872 can be easily exploited. Access “System Preferences” from the Apple menu and click on any of the categories that require administrator privileges in order to make changes (e.g. Security & Privacy, Users & Groups, Parental Controls). Then click on the lock icon in the bottom left corner of the window and enter the username “root” with any password when prompted. The Enter key or the Unlock button must be hit twice.

Initial reports suggested that the exploit worked by entering the username “root” with a blank password. However, researcher Tom Ervin clarified that the attack works with any password. The password entered becomes the password for the root account, and if the field is left blank there will be no password on the root account.

It’s worth noting that the attack is possible only if the root account has not been enabled and a password has not been set for it – Apple has deactivated the root account by default.

Experts pointed out that the attack can be executed remotely if sharing services are enabled. Ervin has published a video showing how to conduct a remote attack:


Five Emerging Threats That Worry Global Security Professionals
29.11.2017 securityweek Security
Over the next year, five separate threats will have one major effect: the current rate of security breaches will increase and worsen. This is the view of the Information Security Forum (ISF), an international network of more than 10,000 security professionals.

The five primary threats to cyber security are the continuing evolution of crime-as-a-service; the effect of unmanaged IoT risk; the complexity of regulation; the supply chain; and a mismatch between Board expectation and Security capability.

Talking to SecurityWeek, ISF managing director Steve Durbin explained that the growing effect of crime-as-a-service is his own biggest concern. This, he suggested, is a result of the increasingly professional nature of organized cybercrime.

"Crime as a service has reached maturity, with criminal organizations providing easy access for entry level criminals," Durbin said. "I think that next year we are going to see attacks becoming more sophisticated and targeted. One of the problems is that cybercriminals have become very good at sharing information, and being able to do some of the things that the good guys are perhaps not as good at doing -- sharing intelligence and so on."

The root cause is that organized crime has moved aggressively into the dark web, resulting in what Durbin views as something similar to a very large corporation.

"There's this big umbrella organization that we call cybercrime. Underneath that we've got some very large, very professionally run cybercrime groups -- organized crime -- who are clearly looking to continue to recruit and expand, and are also happy to sell products and services to others. When I talk about criminals being better at communication," he said, "I relate it to the way that good corporations operate: they have marketing plans; they have outreach plans; they have communication around some of the services that are available as part of crime-as-a-service. They're not sharing methods and exploits to the extent that competitors could take over -- but are they are sharing it in terms of increasing their footprint. At the more sophisticated levels, cybercrime operates very much like a professional business."

For Durbin, there are a few 'mega' organized crime groups, supplemented by a number of smaller, highly capable groups, coming out of the former soviet states. But below these -- and to some degree what worries him most -- are the disorganized wannabees coming into the game on the back of crime-as-a-service. Counter-intuitively, they are disrupting and worsening the accepted status quo; and he gives ransomware as an example.

"In the 'good' old days of ransomware," he explained, "we knew that the cybercriminal was only really interested in this to get money. There was a game to be played, and everybody knew the rules. The criminals would drop some malware onto our systems to prevent us from accessing our information so that they would get paid a certain amount of money."

This was enough to make it profitable for the criminal, but not so much that the victim would not or could not pay. "What we're now seeing," he continued, "is elements of ransomware that are not following these rules. For example, keys not being handed over when ransoms are paid; and that's a concern because the rules of the game have changed." In short, the commoditization of cybercrime through crime-as-a-service is introducing anarchy that makes it difficult for defenders to plan a posture, and difficult for organized crime to remain organized.

It will be interesting to see, he added, whether a degree of self-regulation emerges. "It's possible that some of the larger crime groups will decide that the emerging aspirant criminals are actually bad for business, and decide to do something about it."

The second threat is the internet of things (IoT), with two major areas of concern. Firstly, home devices are insecure, default passwords are not always changed, and people take work home. But what really concerns him is IoT in the critical infrastructure. "Regulation and legislation would work if we were starting from a blank piece of paper," he said; but we are not. "We've been installing embedded devices in manufacturing for years. At the time, manufacturers did not consider security to be an issue, and organizations do not have clear visibility of all the devices they use."

He gave an example of a member organization, a Forbes Global 2000 company, that shut down its plant. "In the course of that shutdown, some of the machinery burst back into life because there were some IoT devices connected to the Internet that they hadn't been aware of." The company had forgotten about parts of its own IoT; but it was capable of autonomously restarting the machinery.

The third emerging threat is the increasing burden and complexity of regulation. Although it is designed to improve security, Durbin fears that regulation will pull attention and resources away from important security initiatives. The General Data Protection Regulation (GDPR) is a perfect example of complexity in requirement and lack of understanding by stakeholders. But GDPR is far from being the only new regulation coming into force, and he fears that the increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

The fourth and fifth emerging threats -- the supply chain, and a mismatch between Board expectation and Security capability -- are really two sides of the same coin. While senior management is increasingly concerned about security, and is increasingly held responsible for the firm's security, it still does not understand what its security team is doing or is even capable of doing. This also occurs in third-party related organizations, fourth parties and beyond (the supply chain). But if the Board does not really understand its own security capabilities, it has even less understanding of the security of its supply chain; and that is a threat vector that is growing rapidly through the digitization of business.

Durbin believes the solution can only come from baking security into the whole ethos of the organization so that the security team is an integral concept rather than a separate silo. "I often talk about the day when we don't have security people because the organization has become so aware of security being integral to the business that security has become completely integrated into the business functions. Security must become inbuilt into the organization by design. We're a long way off that, but the immediate challenge that a lot of CISOs face is around communication, around being taken seriously by the organization."

If, and perhaps only when, security by corporate design becomes a reality will all five of ISF's emerging threats be brought under some semblance of control. In the meantime, Durbin feels that breaches will increase, and the security landscape will only get worse long before it gets better.

Canadian Pleads Guilty to Hacking Yahoo
29.11.2017 securityweek Attack
A 22 year-old Canadian national accused of carrying attacks on Yahoo pleaded guilty on Tuesday to charges returned by a grand jury in the Northern District of California in February 2017.

The man, Karim Baratov, aka Kay, aka Karim Taloverov, aka Karim Akehmet Tokbergenov, an immigrant from Kazakhstan, was arrested in Canada in March 2017, on a U.S. warrant. He was denied bail in April and waived his right to an extradition hearing in August, while waiting to be handed over to US marshals.

Baratov was charged with “computer hacking and other criminal offenses in connection with a conspiracy to access Yahoo’s network and the contents of webmail accounts that began in January 2014,” the U.S. Department of Justice announced.

Three other individuals were charged along Baratov, including two officers of the Russian Federal Security Service (FSB), Russia’s domestic law enforcement and intelligence service. All three are Russian nationals and residents and all remain at large: Dmitry Aleksandrovich Dokuchaev, 33; Igor Anatolyevich Sushchin, 43; and 29-year-old Alexsey Alexseyevich Belan, aka Magg.

In an indictment announced in March 2017, the United States government alleged that Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts. Russia denied any official Russian involvement in the attacks.

Baratov was charged for hacking the webmail accounts of individuals of interest to the FSB and for sending the passwords of those accounts to Dokuchaev, in exchange for money. When looking to access individual webmail accounts at other Internet service providers, Dokuchaev asked Baratov to compromise those accounts.

As part of his plea agreement, Baratov admitted to hacking accounts on behalf of his co-conspirators in the FSB, and also revealed that he hacked over 11,000 webmail accounts in total from 2010 until March 2017, when he was arrested by Canadian authorities. He also agreed to pay restitution to his victims and to pay a fine up to $2,250,000, in addition to any prison sentence.

“Baratov advertised his services through a network of primarily Russian-language hacker-for-hire web pages hosted on servers around the world. He admitted that he generally spearphished his victims, sending them emails from accounts he established to appear to belong to the webmail provider at which the victim’s account was hosted (such as Google or Yandex),” the DoJ said.

Baratov’s emails attempted to trick victims into visiting fake web pages and entering their credentials on those pages. Once the victims’ account credentials were collected, Baratov would send screenshots of the victims’ account contents to his customers to prove access to the accounts and provided login credentials after receiving payment.

Baratov pleaded guilty to count One and counts Forty through Forty-Seven of the indictment, which charged him and his co-conspirators with stealing information from protected computers, causing damage to protected computers, and aggravated identity theft.

Baratov is currently detained in California without bail. His sentencing hearing is scheduled for Feb. 20, 2018.

Baratov’s actions appear unrelated to a 2013 breach that exposed all three billion accounts at Yahoo. The hack was initially said to have affected only 500 million accounts.

22-Year-Old Hacker Pleads Guilty to 2014 Yahoo Hack, Admits Helping Russian Intelligence
29.11.2017 thehackernews Crime

Karim Baratov, a 22-year-old Kazakhstan-born Canadian citizen, has pleaded guilty to hacking charges over his involvement in massive 2014 Yahoo data breach that affected all three billion yahoo accounts.
In March, the US Justice Department announced charges against two Russian intelligence officers (Dmitry Dokuchaev and Igor Sushchin) from Russia's Federal Security Service (FSB) and two hackers (Alexsey Belan and Karim Baratov) for breaking into yahoo servers in 2014.
While Karim Baratov (Kay, a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov) was arrested in Toronto at his Ancaster home by the Toronto Police Department in March this year, Alexsey Belan and both FSB officers currently reside in Russia, unlikely to be extradited.
In the federal district court in San Francisco on Tuesday, Baratov admitted to helping the Russian spies and pleaded guilty to a total of nine counts which includes:
One count of conspiring to violate the Computer Fraud and Abuse Act by stealing information from protected computers and causing damage to protected computers.
Eight counts of aggravated identity theft.

Prosecutors believe that FSB officers directed the Yahoo hack and contracted Baratov when their targets—which included journalists, government officials, and technology company employees—used email accounts outside of Yahoo's system.
"Baratov's role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts' passwords to Dokuchaev in exchange for money," his plea agreement reads.
However, according to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.
Baratov gained unauthorized access to at least 80 non-Yahoo email accounts, including at least 50 Google accounts by obtaining their credentials through "spear phishing" attacks.
Baratov's sentencing hearing will be held on 20th February next year in federal district court in San Francisco, where he could face 70 to 87 months in jail for the first charge and 24 months for the identity theft charges.
"The illegal hacking of private communications is a global problem that transcends political boundaries. Cybercrime is not only a grave threat to personal privacy and security, but causes great financial harm to individuals who are hacked and costs the world economy hundreds of billions of dollars every year," US Attorney Brian Stretch said.
"These threats are even more insidious when cybercriminals such as Baratov are employed by foreign government agencies acting outside the rule of law."
Besides any prison sentence, Baratov has also agreed to pay compensation to the Yahoo victims and a fine up to $2,250,000 (at $250,000 per count).
Baratov's arrest is the only one in this investigation. The three other men, including two FSB officers and one criminal hacker, currently reside in Russia, with whom the United States has no extradition treaty.

macOS High Sierra Bug Lets Anyone Gain Root Access Without a Password
29.11.2017 thehackernews Apple

If you own a Mac computer and run the latest version of Apple's operating system, macOS High Sierra, then you need to be extra careful with your computer.
A serious, yet stupid vulnerability has been discovered in macOS High Sierra that allows untrusted users to quickly gain unfettered administrative (or root) control on your Mac without any password or security check, potentially leaving your data at risk.
Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter "root" into the username field, leave the password blank, and hit the Enter a few times—and Voila!
In simple words, the flaw allows an unauthorized user that gets physical access on a target computer to immediately gain the highest level of access to the computer, known as "root," without actually typing any password.
Needless to say, this blindingly easy Mac exploit really scary stuff.
This vulnerability is similar to one Apple patched last month, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user in the plain text.
Here's How to Login as Root User Without a Password
If you own a Mac and want to try this exploit, follow these steps from admin or guest account:
Open System Preferences on the machine.
Select Users & Groups.
Click the lock icon to make changes.
Enter "root" in the username field of a login window.
Move the cursor into the Password field and hit enter button there few times, leaving it blank.
With that (after a few tries in some cases) macOS High Sierra logs the unauthorized user in with root privileges, allowing the user to access your Mac as a "superuser" with permission to read and write to system files, including those in other macOS accounts as well.
This flaw can be exploited in several ways, depending on the setup of the targeted Mac. With full-disk encryption disabled, a rogue user can turn on a Mac that's entirely powered down and log in as root by doing the same trick.
At Mac's login screen, an untrusted user can also use the root trick to gain access to a Mac that has FileVault turned on to make unauthorized changes to the Mac System Preferences, like disabling FileVault.
All the untrusted user needs to do is click "Other" at the login screen, and then enter "root" again with no password.
However, it is impossible to exploit this vulnerability when a Mac machine is turned on, and the screen is protected with a password.
Ergin publicly contacted Apple Support to ask about the issue he discovered. Apple is reportedly working on a fix.
"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
Here's How to Temporarily Fix the macOS High Sierra Bug
Fortunately, the developer suggested a temporary fix for this issue which is as easy as its exploit.
To fix the vulnerability, you need to enable the root user with a password. Heres how to do that:
Open System Preferences and Select Users & Groups
Click on the lock icon and Enter your administrator name and password there
Click on "Login Options" and select "Join" at the bottom of the screen
Select "Open Directory Utility"
Click on the lock icon to make changes and type your username and password there
Click "Edit" at the top of the menu bar
Select "Enable Root User" and set a password for the root user account
This password will prevent the account from being accessed with a blank password.
Just to be on the safer side, you can also disable Guest accounts on your Mac. for this, head on to System Preferences → Users & Groups, select Guest User after entering your admin password, and disable "Allow guests to log in to this computer."

New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina
29.11.2017 thehackernews BotNet

While tracking botnet activity on their honeypot traffic, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new variant of Mirai—the well known IoT botnet malware that wreaked havoc last year.
Last week, researchers noticed an increase in traffic scanning ports 2323 and 23 from hundreds of thousands of unique IP addresses from Argentina in less than a day.
The targeted port scans are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations—admin/CentryL1nk and admin/QwestM0dem—to gain root privileges on the targeted devices.
Researchers believe (instead "quite confident") this ongoing campaign is part of a new Mirai variant that has been upgraded to exploit a newly released vulnerability (identified as CVE-2016-10401) in ZyXEL PK5001Z modems.
"ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices)," the vulnerability description reads.
Mirai is the same IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns, crippling some of the world's biggest websites, including Twitter, Netflix, Amazon, Slack, and Spotify.

Mirai-based attacks experienced sudden rise after someone publicly released its source code in October 2016. Currently, there are several variants of the Mirai botnet attacking IoT devices.
The biggest threat of having the source code of any malware in public is that it could allow attackers to upgrade it with newly disclosed exploits according to their needs and targets.
"For an attacker that finds a new IoT vulnerability, it would be easy to incorporate it into the already existing Mirai code, thus releasing a new variant," Dima Beckerman, security researcher at Imperva, told The Hacker News.
"Mirai spread itself using default IoT devices credentials. The new variant adds more devices to this list. Still, we can’t know for sure what other changes were implemented into the code. In the future, we might witness some new attack methods by Mirai variants."
This is not the very first time when the Mirai botnet targeted internet-connected devices manufactured by ZyXEL. Exactly a year before, millions of Zyxel routers were found vulnerable to a critical remote code execution flaw, which was exploited by Mirai.
Secure Your (Easily Hackable) Internet-Connected Devices
1. Change Default Passwords for your connected devices: If you own any internet-connected device at home or work, change its default credentials. Keep in mind; Mirai malware scans for default settings.
2. Disable Remote Management through Telnet: Go into your router’s settings and disable remote management protocol, specifically through Telnet, as this is a protocol used to allow one computer to control another from a remote location. It has also been used in previous Mirai attacks.
3. Check for Software Updates and Patches: Last but not the least—always keep your internet-connected devices and routers up-to-date with the latest firmware updates and patches.

Google Detects Android Spyware That Spies On WhatsApp, Skype Calls
29.11.2017 thehackernews Android

In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service.
Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.
Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims' devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities," Google said in a blog post. "The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015."
Most Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them.
Once installed, the innocent looking app gains root access of the infected device to install spyware, which then first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number.
Here's How Tizi Gains Root Access On Infected Devices
For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
If the backdoor unable to take root access on the infected device due to all the listed vulnerabilities being patched, "it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls, " Google said.
Tizi spyware also been designed to communicate with its command-and-control servers over regular HTTPS or using MQTT messaging protocol to receive commands from the attackers and uploading stolen data.
The Tizi backdoor contains various capabilities common to commercial spyware, such as
Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
Recording calls from WhatsApp, Viber, and Skype.
Sending and receiving SMS messages.
Accessing calendar events, call log, contacts, photos, and list of installed apps
Stealing Wi-Fi encryption keys.
Recording ambient audio and taking pictures without displaying the image on the device's screen.
So far Google has identified 1,300 Android devices infected by Tizi and removed it.
Majority of which were located in African countries, specifically Kenya, Nigeria, and Tanzania.
How to Protect your Android device from Hackers?
Such Android spyware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps in order to protect yourself:
Ensure that you have already opted for Google Play Protect.
Download and install apps only from the official Play Store, and always check permissions for each app.
Enable 'verify apps' feature from settings.
Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
Keep "unknown sources" disabled while not using it.
Keep your device always up-to-date with the latest security patches.

U.S. Charges Three Chinese Hackers for Hacking Siemens, Trimble & Moody

29.11.2017 thehackernews CyberSpy

The United States Justice Department has charged three Chinese nationals for allegedly hacking Moody's Analytics economist, German electronics manufacturer Siemens, and GPS maker Trimble, and stealing gigabytes of sensitive data and trade secrets.
According to an indictment unsealed Monday in federal court in Pittsburgh, Pennsylvania, the three men worked for a Chinese cybersecurity company, Guangzhou Bo Yu Information Technology Company Limited (Boyusec), previously linked to China's Ministry of State Security.
Earlier this year, security researchers also linked Boyusec to one of the active Chinese government-sponsored espionage groups, called Advanced Persistent Threat 3 (or APT3), which is also known as Gothic Panda, UPS Team, Buckeye, and TG-0110.
In 2013, APT3 allegedly stole the blueprints for ASIO's new Canberra building using a piece of malware that was uploaded to an ASIO employee's laptop.
According to the indictment, the three Chinese nationals—identified as Wu Yingzhuo, Dong Hao, and Xia Lei—launched "coordinated and unauthorized" cyber attacks between 2011 and 2017, and successfully steal information from a number of organizations by compromising their accounts.
The trio of hackers has alleged to have attacked Moody's Analytics, Siemens, and Trimble by sending spear-phishing emails with malicious attachments or links to malware.
The men also used customized tools collectively known as the 'ups' or 'exeproxy' malware to gain unauthorized, persistent access to the targeted companies' networks, allowing them to search for and steal confidential business information and user credentials.
"The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems," the DOJ said.
The most affected one of the three companies was IT giant Siemens. According to the indictment, the defendants:
Stole approximately 407 gigabytes of data from Siemens' energy, technology and transportation businesses in 2014.
Hacked into Trimble's network and stole at least 275 megabytes of data, including trade secrets related to global navigation satellite systems technology the company spent millions of dollars developing, in 2015 and 2016.
Accessed an internal email server at Moody's in 2011 and forwarded the account of an unidentified "prominent employee" to their own accounts, and eventually accessing the confidential messages sent to that account until 2014.
According to the DoJ, both Wu and Dong were co-founders and shareholders of Boyusec, while Lei was an employee. All the three defendants were residents of Guangzhou.
The Chinese men have been charged with a total of eight counts, including one charge of committing computer fraud and abuse, two charges of committing trade secret theft, three counts of wire fraud and four to eight counts of aggravated identity theft.
If found guilty in the court of law, the hackers face a maximum sentence of 42 years in prison.

Samsung Adopts Bugcrowd to Manage Mobile Security Rewards Program
29.11.2017 securityweek Mobil
Samsung Adopts Bugcrowd, Offering up to $200,000 Per Vulnerability Through Mobile Security Rewards Program

Bug bounties are cost-efficient partial solutions to the security skills gap. In 2015, Dice reported that that a Lead Software Security Engineer could cost more than $200,000 per year in salary, while an application security manager would cost more than another $150,000.

Employing an in-house team to continuously probe products, software, firmware and all updates for security bugs rapidly becomes an expensive exercise, with -- frankly -- no guarantee of success. Failure to find and fix security bugs and vulnerabilities before they are exploited by criminals, however, could rapidly become even more costly.

Bug bounties help to solve this problem by tapping into the largest available market of top-class security expertise -- the white hat hacker community -- and paying only on results. Adequate bounties further encourage white hat hackers to conform to a responsible disclosure ethos for all discovered vulnerabilities, provided they are confident that the vendor will uphold his part of the bargain. Third-party bounty program operators take the idea further by running the bounty scheme on the vendors' behalf, lowering administrative cost and hassle.

The 2017 Bugcrowd State of Bug Bounty Report (PDF) "highlights not only the continued growth of the bug bounty model, but also the enterprise's adoption of it, with three times more enterprise bug bounty programs launched in the past year than the previous three years combined."

Now Bugcrowd affirms this statement with the announcement that from today it will manage payment processing for the Samsung Electronics' Mobile Security Rewards Program that was launched in September 2017. "By adopting a bug bounty program covering all mobile products, Samsung is not only accessing the most powerful set of resources available, but also demonstrating [its] commitment to security. We are proud to work with such a security-centric organization to help minimize the risk to the millions of consumers using Samsung mobile devices."

Bugcrowd currently operates the rewards programs of more than 70 different companies (not all of which offer a financial bounty) including security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance, LastPass. Corporate partners include MasterClass, Fiat Chrysler, Tesla and Western Union. The Samsung Electronics' Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity.

Researchers are expected to keep details of any vulnerability confidential until a remedy is in place, but Samsung will provide an initial response within 48 hours 'make out best effort' to release a patch within 90 days.

"Our Mobile Security Rewards Program is yet another initiative being undertaken by Samsung to further this commitment," said Henry Lee, Senior VP of Mobile Security Technologies Group, Mobile Communications business at Samsung Electronics. "Bugcrowd helps fortify partnership with the security research community by ensuring the community receives payouts in a timely manner."

Recently Patched Dnsmasq Flaws Affect Siemens Industrial Devices
29.11.2017 securityweek ICS
Some of the vulnerabilities discovered recently by Google researchers in the Dnsmasq network services software affect several Siemens SCALANCE industrial communications products.

Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. It can be found in Linux distributions, smartphones, routers, and many Internet of Things (IoT) devices.

Google’s security team recently found that the tool is affected by seven flaws, including ones that can be exploited via DNS or DHCP for remote code execution, information disclosure, and denial-of-service (DoS) attacks. Linux distributions, Amazon, Cisco, Synology, Sophos and other companies warned customers about the potential risks shortly after the issues were disclosed in early October.Dnsmasq flaws affect Siemens products

Earlier this month, Siemens also published an advisory to inform customers that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.

Three of the flaws affecting Siemens devices, CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496, can be exploited to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.

The SCALANCE products are also impacted by CVE-2017-14491, one of the most serious vulnerabilities discovered by Google researchers in Dnsmasq. This security hole allows an attacker to cause a DoS condition or possibly execute arbitrary code.

“In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-in-the-Middle position,” Siemens said.

The company says it’s preparing patches for the vulnerable products. In the meantime, it has advised customers to apply defense-in-depth recommendations, deploy firewall rules to block incoming traffic on UDP port 53 (applies to W1750D if OpenDNS, Captive

Portal or URL redirection functionality is not used), and disable the DNS proxy and configure devices to use a different DNS server (applies to M800 and S615).

Siemens has also reported the vulnerabilities to ICS-CERT, which also published an advisory this week.

Recently Patched Dnsmasq still affect Siemens Industrial devices
29.11.2017 securityaffairs ICS

Siemens published a security advisory to confirm that four of the seven Dnsmasq vulnerabilities affect some of its SCALANCE products
In October, Google security experts disclosed seven distinct vulnerabilities in the Dnsmasq software package.

From the authors’ website, “Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot.” In practice, the Dnsmasq code has been widely leveraged in routers, firewalls, IoT devices, virtualization frameworks and even mobile devices when you need to set up a portable hotspot. In other words, there is a lot of Dnsmasq code “in the wild” and bugs in this code could be a big deal depending on the nature of the vulnerabilities.

Dnsmasq can be found in Linux distributions, smartphones, routers, and many IoT devices.

Siemens, like other companies, warned of the risks related to the set of flaws discovered by Google. Siemens published a security advisory to confirm that four of the seven vulnerabilities affect some of its SCALANCE products, including W1750D controller-based direct access points, M800 industrial routers, and S615 firewalls.

The ICS-CERT also published an advisory on the flaws affecting Siemens products.

Three of the vulnerabilities (CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496) can be exploited by attackers to crash the Dnsmasq process by sending specially crafted requests to the service on UDP port 53.

“Vulnerability 1 (CVE-2017-13704) – An attacker can cause a crash of the DNSmasq process by sending specially crafted request messages to the service on port 53/udp” reads the advisory.

Dnsmasq Siemens SCALANCE products

The Siemens SCALANCE products are also affected by the CVE-2017-14491 flaw, that could be exploited by attackers to trigger a DoS condition or possibly execute arbitrary code on the vulnerable device.

“An attacker can cause a crash or potentially execute arbitrary code by sending specially crafted DNS responses to the DNSmasq process. In order to exploit this vulnerability, an attacker must be able to trigger DNS requests from the device, and must be in a position that allows him to inject malicious DNS responses, e.g. the attacker must be in a Man-inthe-Middle position.” continues the advisory.

Siemens is working on security patches to address the Dnsmasq flaws in its products. Waiting for the fixes users need to adopt the suggested mitigations, such as using firewall rules to block incoming traffic on UDP port 53 (applies to W1750D if OpenDNS, Captive Portal or URL redirection functionality is not used), and disabling the DNS proxy and configure devices to use a different DNS server (applies to M800 and S615).

Classified U.S. Army Data Found on Unprotected Server
29.11.2017 securityweek BigBrothers
Tens of gigabytes of files apparently belonging to the United States Army Intelligence and Security Command (INSCOM), including classified information, were stored in an unprotected AWS S3 bucket, cyber resilience firm UpGuard reported on Tuesday.

According to the company, its director of cyber risk research, Chris Vickery, discovered the data on an AWS subdomain named “inscom” in late September.

Fort Belvoir, Virginia-based INSCOM is an intelligence command operated by both the U.S. Army and the National Security Agency (NSA).

The AWS storage container found by UpGuard included, among others, a virtual machine image that may have been used to send, receive and handle classified data. Some of the files contained in the VM were marked as “Top Secret” and “NOFORN,” which indicates that the information cannot be shared with foreign nationals.

Metadata found by researchers indicated that a now-defunct defense contractor named Invertix had worked in some capacity on the data stored in the virtual machine. The files in the bucket also included Invertix private keys and other data that could have provided access to the contractor’s internal systems, UpGuard said.

The exposed files also included information on a failed Army program named “Red Disk.” The $93 million program, designed to allow troops to exchange information in real time, was a cloud computing component of the Distributed Common Ground System–Army (DCGS-A) intelligence platform. The misconfigured container also stored details on the DCGS-A itself.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” said UpGuard’s Dan O'Sullivan.

“It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as ‘Top Secret’ and ‘NOFORN’ provide all the indications necessary to determine how seriously this data was taken by the Defense Department,” he added.

INSCOM has not responded to SecurityWeek’s request for comment. The data is no longer accessible, but it’s still unclear who is responsible for exposing it.

This is not the first time UpGuard claims to have found data belonging to the Pentagon and other U.S. government organizations. The list of impacted agencies includes the National Geospatial-Intelligence Agency (NGA), the Central Command (CENTCOM) and the Pacific Command (PACOM), the Secret Service, and the Department of Homeland Security (DHS).

The common denominator in these incidents were unprotected S3 buckets operated by third-party contractors.

Můžeme ještě věřit chytrým telefonům?

29.11.2017 SecurityWorld Mobilní
Fenomén posledních měsíců? Ve smartphonech se objevují bezpečnostní mezery, které vytvářejí sami výrobci.

Můžeme ještě věřit chytrým telefonům?

Víte o tom, že váš chytrý telefon může obsahovat skryté „funkce“, které vás činí zranitelnými? Nejde přitom o nedostatky z nedopatření, ale o vědomé designové prvky, díky nimž telefon funguje tak nějak za vašimi zády.

V telefonech od Googlu, Applu či OnePlus byl v posledních týdnech objeven předinstalovaný software rozbíhající potenciálně škodlivé procesy i navzdory tomu, že uživatelé se snažili přesně takovým zabránit. Je sice férově třeba říct, že motivy výrobců jsou správné, tyto procesy mají zrychlit výkon či usnadnit použití, neinformování zákazníků je však diskutabilní. Pojďme se podívat na pár příkladů těchto prohřešků proti důvěře…

Podle zjištění serveru Quartz zařízení s Androidem uplynulých jedenáct měsíců zasílala Googlu informace o poloze i přesto, že uživatelé měli tuto funkci vypnutou, a to i ve chvílích, kdy byl telefon bez SIM karty a neběžely na něm žádné aplikace. Dle Googlu to bylo kvůli analýze a snaze lepšího využití tzv. ID buněk v síti GSM pro rychlejší doručování SMS. Firma nasbíraná data údajně nijak nevyužila, ani je nemá uložená, a jejich sběr plánuje v prosinci ukončit.

Prohřešek Applu se týká pro změnu zapínání a vypínání Wi-Fi a Bluetooth, které lze od iOS 7 ovládat snadněji prostřednictvím tzv. Ovládacího centra. Funkcionalita má však jeden „háček“. Vypnutí Wi-Fi či Bluetooth z Ovládacího centra sice telefon odpojí od daných sítí a zařízení, ve skutečnosti však nevypne samotné Wi-Fi, respektive Bluetooth. iOS 11 se tak automaticky znovu napojí na nové hotspoty či zařízení, jestliže se objeví v dosahu anebo je-li telefon restartován. Chce-li uživatel opravdu vypnout Wi-Fi/Bluetooth, musí tak učinit skrz Nastavení. Apple o této rozdílné funkcionalitě informuje na své webové stránce podpory. Ale – kdo z vás tam kdy byl?

Vůbec nejvážněji se však jeví problém telefonů OnePlus, které jsou prodávány s aplikací, která může posloužit k jejich rootování. Jmenuje se EngineerMode a jde o diagnostický nástroj obvykle instalovaný na prototypy nebo zkrátka zařízení, která nejdou do prodeje pro veřejnost. Přístup k funkci umožňující rootování je sice chráněn heslem, to se však rychle objevilo veřejně na internetu a příliš polehčující okolnost není ani to, že ke zneužití aplikace je třeba mít k telefonu fyzicky přístup.

Podle OnePlus nejde o vážný bezpečnostní problém, jelikož je nepravděpodobné, aby se sešly všechny faktory umožňující zneužití, v příští softwarové aktualizaci však aplikaci odstraní. Naprostá většina uživatelů však o přítomnosti aplikace nemá tušení a firma zatím ani neuvedla, jak ji případně odinstalovat.

Vědomá přítomnost obsahu představujícího potenciální bezpečnostní riziko a neinformování uživatelů příliš neprospívá vzájemné důvěře mezi výrobcem a kupujícím. Ve všech zmíněných příkladech prakticky výrobce odebral uživateli možnost kontroly tím, že před ním skryl určitou skutečnost.

Jako by říkal „Sami sobě důvěřujeme, uživatelé tedy nepotřebují informace, aby mohli dělat vlastní rozhodnutí.“ A Google a OnePlus reagovali až poté, co byli na problém upozorněni všímavými uživateli. Až jednoho napadne, co všechno chytré telefony dělají bez našeho vědomí…

V macOS je velká díra. Každý může získat správcovský účet bez hesla
29.11.2017 CNEWS.CZ Apple

Apple macOS High Sierra
Vývojář Lemi Orhan Ergin objevil v nejnovější verzi operačního systému od Applu velkou chybu. V macOS 10.13.1 a 10.13.2 beta lze získat správcovský učet i bez znalosti hesla.

Stačí v nastavení uživatelů a skupin kliknout na ikonku zámku, do pole s uživatelským jménem zadat „root“ (heslo nechat prázdné) a potvrdit Enterem. Tím vznikne rootovský účet bez hesla, který pak lze použít při dalším přihlášení.

OS X root

OS X rootUž z popisu je zřejmé, že díru lze zneužít jen v případech, že se někdo zmocní vašeho odemknutého počítače. Na přihlašovací obrazovce ten trik nefunguje, je třeba jej provést v nastavení. A nechávat přihlášený počítač bez dozoru je riziko samo o sobě.

Apple už o chybě každopádně ví a pracuje na záplatě. Zatím jako prevenci doporučuje vytvořit účet root ručně a zadat mu heslo. Toho lze docílit příkazem v Terminálu „sudo passwd -u root“.

John Paczkowski

Here's Apple's comment on that #macOS #HighSierra security hole

23:23 - 28. 11. 2017