IT NEWS

Phone screenshots accidentally leaked online by stalkerware-type company

pcTattleTale hasn’t been very careful about securing the screenshots it sneakily takes from its victims’ phones.

pcTattleTale markets itself as “employee and child monitoring software” that is undetectable by the device user, but it can also be used to spy on spouses and partners. It allows its clients to view real-time screenshots of phones of people they’re monitoring by visiting a certain URL.

The website proudly boasts:

pcTattletale is the only solution that makes “YouTube” like videos of their every tap or click. Just watch the recordings from your phone or computer using your secure pcTattletale account as they live their secret online lives.

Unfortunately, everyone else can view the images, too, if they know where to look.

According to Jo Coscia, the security researcher who discovered the issue while using a trial version of pcTattleTale, the company uploads the screenshots to an unsecured AWS bucket.

This means that anyone can view what’s inside the bucket as it doesn’t require any form of authentication—such as a user name and password.

Motherboard breaks down how anyone can access these screenshots:

The URL for images that pcTattleTale captures is constructed with the device ID—a code given by pcTattleTale to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker may be able to churn through different URL combinations to discover images uploaded by other infected devices.

This is, essentially, brute-forcing the discovery of new devices and the images linked to them: the device ID is sequential, so an attacker does not need to guess it, only count. Because no authentication is required, a threat actor, or anyone who can write a simple script, could retrieve most if not all of the images in the bucket.
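What a storage design that resists this enumeration looks like, as an added example that is not pcTattleTale's code: object keys carry 128 random bits instead of a sequential device ID and timestamp, so the key space cannot be walked with a counter, and every download URL carries an HMAC bound to one path and an expiry that the server checks before serving anything (the same idea as an S3 presigned URL, done with the standard library so it runs offline). The host name, key layout and signing key are assumptions.

```python
"""Unguessable object keys plus signed, expiring download URLs.

Added example, not pcTattleTale's code. The host name, key layout and
the signing key are assumptions; the scheme is the idea behind an S3
presigned URL (HMAC over path and expiry), implemented with stdlib only.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"example-only-replace-with-a-managed-secret"  # assumed
BASE_URL = "https://screenshots.example"                    # assumed host


def new_object_key(account_id: str) -> str:
    """128 random bits per object: unlike a sequential device ID plus a
    timestamp, the key space cannot be walked by incrementing a counter."""
    return f"{account_id}/{secrets.token_urlsafe(16)}.png"


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to this exact path and this exact expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
             now: Optional[int] = None) -> str:
    """Return a URL that serves one object for ttl_seconds, then stops working."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires, key)})
    return f"{BASE_URL}{path}?{query}"


def verify_url(url: str, key: bytes = SIGNING_KEY,
               now: Optional[int] = None) -> bool:
    """Server-side gate before serving: the URL must be unexpired and the
    signature must match the requested path. Constant-time comparison."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False          # unsigned or malformed request
    if now > expires:
        return False          # link has expired
    return hmac.compare_digest(sig, _mac(parsed.path, expires, key))


if __name__ == "__main__":
    path = "/" + new_object_key("acct-42")
    url = sign_url(path, ttl_seconds=300)
    print(url)
    print("valid now:", verify_url(url))
    print("valid in 10 min:", verify_url(url, now=int(time.time()) + 600))
```

The two properties together are what the bucket in the story lacked: with random keys there is nothing to iterate over, and with signed URLs even a key that leaks is useless once the link expires or the path is changed.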

In pcTattleTale’s promotional emails, Coscia notes, the company says it will delete users’ data after the trial period expires. However, screenshots that Coscia’s software took were still accessible after the trial period had ended.

Not only that, pcTattleTale clients who have already deleted their accounts can still access the screenshots the app took of their victims' phones, according to Android malware researcher Lukas Stefanko.

Bryan Fleming, owner of pcTattleTale, claims that it does delete data. In an interview with Motherboard, Fleming said: “Yes it does delete the data. I keep it there a little longer. A lot of people accidentally delete their devices and let the trial expire…Then of course they need the screen shots back.”

The stalkerware market is good. How about your relationship?

Companies that market stalkerware-type products and/or services unfortunately have track records of poor security practices. Take a look: the trainwreck is real.

pcTattleTale is one of those companies that explicitly and clearly tells potential users that, by using its software, they will be violating someone's privacy, essentially putting the onus on users to operate at their own risk.

And, still, the market continues to thrive.

“The market’s good, you know,” Fleming says in the Motherboard piece.

Given that online stalking and stalkerware are largely accepted by Americans, we’d say that current attitudes about online stalking and stalkerware in general will remain unchanged. This is one reason why Malwarebytes continues to raise awareness about invasive monitoring apps, and (if you have kids under your care) promotes open and healthy communication between parties.

The post Phone screenshots accidentally leaked online by stalkerware-type company appeared first on Malwarebytes Labs.

FoggyWeb, analysis of a Nobelium backdoor

Microsoft’s Threat Intelligence Center has been analyzing a custom-built backdoor that has been used by the Nobelium group since April 2021.

Nobelium is the name Microsoft uses for the threat actor behind the SolarWinds supply-chain attack and the related Sunburst backdoor, TEARDROP malware, GoldMax malware, and other components.

The backdoor, which aims to steal the configuration database of an AD FS server, has been dubbed FoggyWeb by Microsoft.

Attack surface

As we’ve seen in previous cases, Nobelium uses various methods to steal credentials with the objective of gaining administrator level access to Active Directory Federation Services (AD FS) servers. Once this level of access has been accomplished, FoggyWeb is one of the tools that allows the attackers to gain persistence and deploy further malware.

FoggyWeb is a very targeted backdoor that is capable of exfiltrating information from an affected Active Directory Federation Services (AD FS) server. To establish persistence and enable further compromise it drops two files on the server. That action requires administrator privileges in the first place, so this backdoor builds on an earlier established compromise or stolen credentials.

DLL search order hijacking method

One of the two files that are initially dropped uses the DLL search order hijacking technique to gain persistence. When a program loads a dynamic-link library (DLL) by name rather than by full path, Windows looks for it in a fixed sequence of locations. With SafeDllSearchMode enabled (the default on modern Windows), the first two locations in that sequence are:

  • The directory from which the application loaded
  • The system directory

So, the malicious version.dll is dropped as %WinDir%\ADFS\version.dll, in the directory the AD FS service runs from, to make sure it gets loaded ahead of the legitimate version.dll in %WinDir%\System32.

To avoid any error messages, the backdoor version.dll behaves as a proxy for all legitimate version.dll export function calls. It exports the same 17 function names as the legitimate version of version.dll.

Each of the 17 exported functions does exactly the same two things:

  • Calling a function that loads a backdoor file from the file system, and then decrypting and executing the file in memory
  • Transferring execution to the initially called target function from the legitimate version of version.dll

Basically, it adds one extra step to the original execution process, which is designed to run the second file that was dropped on the affected server: C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri. This file is the encrypted backdoor that gets decrypted and executed by the malicious version.dll.

When loaded, this acts as the actual backdoor. It starts an HTTP listener that listens for specific HTTP GET and POST requests. In this way it can be used to communicate with a C2 server and to retrieve the token-signing certificate of the compromised AD FS server and other files and information. For a much more detailed analysis of the decrypted backdoor we advise reading the full Microsoft blog.

Mitigation and detection

Microsoft provided some advice to server administrators that could help harden and secure AD FS deployments:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA)
  • Ensure minimal administration capability via agents
  • Limit on-network access via host firewall
  • Ensure AD FS Admins use Admin Workstations to protect their credentials. Secure admin workstations are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks
  • Place AD FS server computer objects in a top-level Organizational Unit (OU) that doesn’t also host other servers
  • Ensure that all Group Policy Objects (GPOs) that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification
  • Ensure that the installed certificates are protected against theft. This is one of the targets the backdoor is after
  • Set logging to the highest level and send the AD FS and security logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar)
  • Remove unnecessary protocols and Windows features
  • Use a long (>25 characters) and complex password for the AD FS service account
  • Update to the latest AD FS version for security and logging improvements (as always, test first)
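One way to hunt for this in the telemetry the list above asks you to ship to a SIEM, as an added example that is not Microsoft's or Malwarebytes' code: flag any load of version.dll from a directory other than System32 or SysWOW64, which is the search-order hijack itself regardless of file name tricks, and separately flag the two file paths this analysis ties to FoggyWeb. The events are constructed in a Sysmon-like key=value layout (Event ID 7 image load, Event ID 11 file create); the process names in them are assumptions.

```python
"""Detect DLL search-order hijacking and FoggyWeb file paths in telemetry.

Added example, not Microsoft's or Malwarebytes' code. Events are
constructed in a Sysmon-like key=value layout (EventID 7 = ImageLoad,
EventID 11 = FileCreate); the process names in them are assumptions.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

# DLLs a process should only ever load from the system directory.
# version.dll is the one FoggyWeb proxies; extend with other hijack targets.
SYSTEM_DLLS = {"version.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# The two file paths the analysis above attributes to FoggyWeb (lowercased).
FOGGYWEB_PATHS = {
    r"c:\windows\adfs\version.dll",
    r"c:\windows\systemresources\windows.data.timezones\pris"
    r"\windows.data.timezones.zh-ph.pri",
}

FIELD_RE = re.compile(r"(\w+)=([^|]+)")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    r"EventID=7|Image=C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe"
    r"|ImageLoaded=C:\Windows\System32\version.dll",
    r"EventID=7|Image=C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe"
    r"|ImageLoaded=C:\Windows\ADFS\version.dll",
    r"EventID=11|Image=C:\Windows\System32\cmd.exe"
    r"|TargetFilename=C:\Windows\SystemResources\Windows.Data.TimeZones"
    r"\pris\Windows.Data.TimeZones.zh-PH.pri",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values are Windows paths, so no '|' inside."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def is_search_order_hijack(event: Dict[str, str]) -> bool:
    """A system DLL loaded from a non-system directory: the application
    directory won the search, which is exactly what the attacker wanted."""
    loaded = event.get("ImageLoaded", "").lower()
    return (ntpath.basename(loaded) in SYSTEM_DLLS
            and ntpath.dirname(loaded) not in SYSTEM_DIRS)


def known_ioc_path(event: Dict[str, str]) -> Optional[str]:
    """Return the original-cased path if it is one of the FoggyWeb paths."""
    for field in ("ImageLoaded", "TargetFilename"):
        value = event.get(field, "")
        if value.lower() in FOGGYWEB_PATHS:
            return value
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run both checks over the records. The hijack check comes first so a
    hijacked load is reported once, under the more specific label."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if is_search_order_hijack(event):
            findings.append(("dll-search-order-hijack", event["ImageLoaded"]))
            continue
        ioc = known_ioc_path(event)
        if ioc:
            findings.append(("known-foggyweb-path", ioc))
    return findings


if __name__ == "__main__":
    for label, path in scan(SAMPLE_EVENTS):
        print(f"{label}: {path}")
```

The first rule is the durable one: a rebuilt backdoor with a new file name and new hashes still has to put a DLL named like a system library in the AD FS directory, and that is what the directory comparison catches.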

IOCs

Please read the Microsoft blog for a full list of IOCs.

Stay safe, everyone!

The post FoggyWeb, analysis of a Nobelium backdoor appeared first on Malwarebytes Labs.

A week in security (Sept 20 – Sept 26)

Last week on Malwarebytes Labs

Other cybersecurity news

  • UK ministry of defence apologises – again – after another major email blunder in Afghanistan (Source: The Register)
  • Database containing personal info of 106 million international visitors to Thailand exposed online (Source: Comparitech)
  • Fake WhatsApp backup message delivers malware to Spanish speakers’ devices (Source: The Daily Swig)
  • Mobile phones of 5 French cabinet ministers infected by Pegasus malware (Source: France 24)
  • Ransomware dropping malware swaps phishing for sneaky new attack route (Source: ZDNet)
  • Phishing attacks more sophisticated, malicious emails timed to coincide with periods of low energy and inattentiveness (Source: CPO magazine)
  • Keeping your data secure at work (Source: Minute Hack)

Stay safe, everyone!

The post A week in security (Sept 20 – Sept 26) appeared first on Malwarebytes Labs.

Teaching cybersecurity skills to special needs children with Alana Robinson: Lock and Code S02E18

School is fully back in session for kids all across the world, and for many students, that means logging back online to learn, do homework, submit assignments, and maybe even continue some distance learning, depending on their school’s pandemic precautions.

But with more Internet activity comes likely more stress for families who, understandably, worry about how to keep their children safe online. Thankfully, there are countless guides for children’s Internet safety—not to mention Malwarebytes Labs’ own comprehensive guide—but many of those guides, through no malicious intent, assume a similar skill level for all children.

But what about children with special needs?

How do you teach strong password creation for children with learning disabilities? How do you teach children how to separate fact from fiction when they have a different grasp of social cues? And how do you make sure these lessons are not only remembered for years to come, but also rewarding for the children themselves?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Alana Robinson, a special education technology and computer science teacher for K – 8, about cybersecurity trainings for children with special needs, and about how, for some lessons, her students are better at remembering the rules of online safety than some adults.

“I teach 100 students, 10 classes, [and] I used not a very strong password for every student in this one class … and I said ‘By the way, everyone has this [password],’ and they’re like, when I said everyone has this same password, they’re like ‘Oh no no! That’s not a strong password, oooh’ and they literally let me have it.”

Alana Robinson

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Teaching cybersecurity skills to special needs children with Alana Robinson: Lock and Code S02E18 appeared first on Malwarebytes Labs.

Malwarebytes research shows an unequal, unsafe Internet

If the Internet was as safe and as private as it is essential for everyday life—increasingly required for job applications, bank transfers, doctor’s appointments, and filing taxes—then we’d likely have fewer online scams, better privacy protections, smaller data breaches, and a lower overall risk of individual cybercrimes that can wreak havoc on a person’s life.

Importantly, if the Internet were to achieve such a promise, then everyone, no matter their gender, race, income level, education, or age, could feel as safe and as private online as they deserve.

But according to the latest research by Malwarebytes, this is far from the case. Not only do a large number of people feel neither safe nor private on the Internet, but many groups, including women, teenagers, and those who are Black, Indigenous, or People of Color (BIPOC), feel less private and safe than their counterparts. Some of these populations said they suffered more frequent cyberattacks, more recent cyberattacks, and were more substantially stressed by the cyberattacks themselves.

In comparison, those who felt safer and sometimes more private online had higher incomes, higher levels of education, and higher familiarity with cybersecurity tools, such as antivirus products, VPNs, and password managers.

These are the latest findings in our “Demographics of Cybercrime” report, presented in partnership with Digitunity, a nationally recognized non-profit dedicated to eliminating the technology gap, and Cybercrime Support Network, whose non-profit mission is to serve individuals and small businesses impacted by cybercrime throughout the country.

In our report, we discovered that a collection of discrepancies—higher rates of social media hacking against younger generations, higher rates of identity theft against BIPOC consumers, lower rates of cybersecurity familiarity by women—coalesced into one, unfortunate truth: The Internet is not equal for everyone online, and because of it, not everyone trusts the Internet the same way.

A full 50 percent of all respondents said they do not feel private online, and 31 percent do not feel safe online. Women feel the least private (53 percent compared to 47 percent of men) and the least safe (35 percent compared to 27 percent of men), while teenagers do not feel particularly private and BIPOC respondents do not feel very safe.

These feelings could sometimes be traced to the data itself. Women were twice as likely as men to say their identity was stolen because of earlier, physical theft of their wallet or purse. Teenagers were, perhaps understandably, twice as likely as those aged 65 and up to have their social media accounts hacked. And BIPOC consumers were the least likely of all groups to avoid any financial damage due to a cybercrime attack. Making matters worse, when BIPOC consumers did lose money, they lost more money on average than White consumers ($1,709 compared to $1,578).

In trying to better understand why these communities felt differently about the Internet, we also looked to external data on real-life experiences. We know that women are more likely to be targets of non-consensual pornography (sometimes called “revenge porn”) and cyberstalking; that those in BIPOC communities—including Asian Americans, Black people, and Hispanics—suffer increased rates of online harassment; and that younger generations, surrounded by constant privacy scandals affecting the most popular social media platforms, likely never remember a day in which the Internet was ever “private.”

The good news is that we can collectively improve the Internet experiences of everyone.

In our research, we found a clear trend between cybersecurity familiarity and feelings of safety online. As familiarity increased, so, too, did feelings of safety. But for the single tool that can most likely help consumers handle online threats like malware and malicious websites—which is antivirus protection—respondents showed a concerning lack of comfort. A full 21 percent of respondents—a little more than one in five—were neither “familiar” nor “very familiar” with antivirus tools, and just 67 percent of all respondents said they used antivirus products themselves. Those trends are even worse for women, teenagers, and BIPOC individuals.

Clearly, the cybersecurity community can help. We have the tools and the expertise. With the findings from our report, we also have the knowledge that not every community is comfortable enough with our products to use them. It is on us to increase awareness and to build and deliver products that are accessible to every population.

The Internet can be a better place. It’s up to us to help make that happen.

Read the full report here.

The post Malwarebytes research shows an unequal, unsafe Internet appeared first on Malwarebytes Labs.

SonicWall warns users to patch critical vulnerability “as soon as possible”

SonicWall has issued a security notice about its SMA 100 series of appliances. The vulnerability could potentially allow a remote unauthenticated attacker to delete arbitrary files from an SMA 100 series appliance and gain administrator access to the device.

SonicWall

SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

In June of 2021 we wrote about another vulnerability in the same Secure Mobile Access (SMA) 100 series. Back then SonicWall had been made aware of an imminent ransomware campaign using stolen credentials.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-20034 and is due to an improper limitation of a file path to a restricted directory, potentially leading to arbitrary file deletion without any authentication, which can result in a remote attacker obtaining administrator access on the underlying host.

The critical bug has received a score of 9.1 out of 10 on the CVSS scale of severity. At the moment there is no evidence that this vulnerability is being exploited in the wild.

In short, an improper access control vulnerability in the SMA 100 series allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file. An attacker who knows which file to delete can potentially force the appliance to reboot to factory default settings. With the default settings in place, the attacker can then gain administrator privileges by using the factory default credentials.
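What "bypassing a path traversal check" looks like in code, as an added illustration that is not SonicWall's firmware (which is closed source; the specific bypass is not described on this page): a deletion routine guarded only by a substring check on the raw input, beside one that canonicalises the path first and then confirms it still sits under the allowed directory. The directory layout is constructed in a temporary folder for the demo.

```python
"""Arbitrary file deletion through a path check that can be bypassed.

Added illustration, not SonicWall's firmware (closed source; the actual
bypass is not described on this page). The directory layout is created
in a temp dir for the demo.
"""
import os
import tempfile
from pathlib import Path


def delete_vulnerable(base: str, user_path: str) -> str:
    """Rejects '..' only as a substring of the raw input, then joins.
    An absolute user_path slips through: os.path.join discards base
    when the second argument is absolute."""
    if ".." in user_path:
        raise PermissionError("traversal rejected")
    target = os.path.join(base, user_path)
    os.remove(target)
    return target


def delete_hardened(base: str, user_path: str) -> str:
    """Canonicalise first (symlinks and '..' resolved), then require the
    result to sit under base. Absolute paths, '..' and symlinks pointing
    outside all fail the same single check."""
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    if base_dir not in target.parents:
        raise PermissionError(f"{user_path!r} resolves outside {base_dir}")
    target.unlink()
    return str(target)


def demo() -> dict:
    """Create uploads/ with one file and a protected config.db beside it,
    then try to remove config.db through each routine."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "ok.txt").write_text("fine to delete")
    protected = root / "config.db"
    protected.write_text("appliance configuration")
    results = {}

    # Attacker-controlled input: an absolute path to the protected file.
    delete_vulnerable(str(uploads), str(protected))
    results["vulnerable_deleted_protected"] = not protected.exists()

    protected.write_text("appliance configuration")
    for attempt in (str(protected), "../config.db"):
        try:
            delete_hardened(str(uploads), attempt)
            results[f"hardened_blocked:{attempt}"] = False
        except PermissionError:
            results[f"hardened_blocked:{attempt}"] = True
    results["protected_still_present"] = protected.exists()

    # In-scope deletions still work through the hardened routine.
    delete_hardened(str(uploads), "ok.txt")
    results["hardened_deleted_in_scope"] = not (uploads / "ok.txt").exists()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point the advisory turns on is visible in the demo: once an unauthenticated caller chooses which file is removed, the appliance's own configuration is in reach, so the check has to run on the canonical path, not on the string the client sent.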

Affected devices

The appliances that are affected are SMA 100, 200, 210, 400, 410, and 500v. Since there are no temporary mitigations, SonicWall urges impacted customers to implement applicable patches as soon as possible. A detailed list with impacted platforms and versions can be found here.

Mitigation

SonicWall customers can log in to its MySonicWall.com website to get updated firmware for their appliances. (The update also fixes a local privilege escalation weakness, and a denial-of-service vulnerability.)

In the context of the previous vulnerability, we want to add the advice to change the administrator password on the appliances, especially if they are still set to the default. Threat actors may be inclined to scan for Internet-facing devices and try to gain access by using default or leaked credentials.

Stay safe, everyone!

The post SonicWall warns users to patch critical vulnerability “as soon as possible” appeared first on Malwarebytes Labs.

Beware! Uber scam lures victims with alert from a real Uber number

This morning Malwarebytes Labs received a scam masquerading as a security alert from Uber. The alert was pretty convincing and used the kind of language we’re used to seeing in genuine security emails and SMS messages. It read:

Your Uber account was recently logged into from iPhone in London. If this wasn't you, reset your password here: [URL redacted]

But what really caught our attention was that the fake security alert came from the phone number that the real Uber uses to send us messages. Of course that doesn’t mean that Uber has been compromised, or that somebody at Uber is running the scam—caller ID spoofing is easy and scammers use it to make their messages appear to come from Uber.

Because it spoofed the real Uber number, the scam security message appeared alongside all the real security messages we get from Uber.

[Image] The fake alert appears alongside real security messages from Uber.

We noticed that the message was a scam because the domain name (the part of the address that ends in .com) just didn’t look right. Although it contained the word “uber” it wasn’t the official Uber domain name, uber.com.

We looked it up and discovered the domain name had only been created today.

Creation Date: 2021-09-24T02:13:38Z

Because scam sites get shut down very quickly, scammers get through a lot of “burner” website names that live and die within days. Most companies' domain names have been around for a while, so a very recent creation date is a big red flag.

Another quick check revealed that this absolutely brand new website was hosted in Russia. There’s nothing wrong with hosting websites in Russia, but it isn’t where Uber keeps its websites.
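The two checks the post relies on, as an added example that is not Malwarebytes' tooling: reduce a URL to its registrable domain and compare it with the brand's real one, and pull the creation date out of a WHOIS record to flag a domain that is only days old. The WHOIS record is constructed around the creation date quoted above, the lookalike host uses the reserved .example TLD, and the suffix list and age threshold are stubs; production code should use the Public Suffix List and a WHOIS or RDAP client.

```python
"""Two checks for a link in a "security alert": is the registrable domain
the brand's real one, and how recently was it registered?

Added example, not Malwarebytes' tooling and not the site from the post.
The WHOIS text is constructed around the creation date quoted above; the
lookalike host uses the reserved .example TLD; the suffix list and age
threshold are stubs standing in for the Public Suffix List and policy.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"uber": "uber.com"}                      # assumed allow-list
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}  # stub PSL
MAX_AGE_DAYS = 30                                            # assumed threshold

SAMPLE_WHOIS = """\
Domain Name: UBER-ACCOUNT-VERIFY.EXAMPLE
Registrar: Example Registrar
Creation Date: 2021-09-24T02:13:38Z
Updated Date: 2021-09-24T02:13:38Z
"""  # constructed record
EXAMPLE_NOW = datetime(2021, 9, 24, 12, 0, tzinfo=timezone.utc)


def registrable_domain(url: str) -> str:
    """Strip subdomains: 'account.uber.com' -> 'uber.com'.
    Longest known suffix wins so 'x.co.uk' is handled before 'uk'."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def brand_mismatch(url: str) -> Optional[str]:
    """A registrable domain that mentions the brand but is not the brand's
    own domain is the pattern the post spotted by eye."""
    dom = registrable_domain(url)
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in dom and dom != official:
            return f"{dom} mentions '{brand}' but the official domain is {official}"
    return None


def whois_age_days(whois_text: str, now: datetime) -> Optional[int]:
    """Parse the 'Creation Date:' line (ISO 8601, Zulu) and return the age."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois_text, re.MULTILINE)
    if not m:
        return None
    created = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return (now - created).days


def assess(url: str, whois_text: str, now: datetime) -> List[str]:
    """Collect red flags; an empty list means neither check fired."""
    flags = []
    mismatch = brand_mismatch(url)
    if mismatch:
        flags.append(mismatch)
    age = whois_age_days(whois_text, now)
    if age is not None and age < MAX_AGE_DAYS:
        flags.append(f"domain registered {age} day(s) ago")
    return flags


if __name__ == "__main__":
    for flag in assess("https://uber-account-verify.example/login",
                       SAMPLE_WHOIS, EXAMPLE_NOW):
        print("RED FLAG:", flag)
```

Neither check needs the page to load: the domain comparison is pure string work and the WHOIS lookup goes to the registry, so both can run before anyone clicks.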

Confident that we were looking at a scam, we created some fake personal details, fired up a Tor browser and jumped into the rabbit hole.

The scam site

The scam site had borrowed enough Uber branding to look convincing, and like all good scam sites it had a valid security certificate and a padlock icon. A useful reminder that the padlock tells us our connection to the site is secure, but says nothing whatsoever about how secure or trustworthy a site is. Nothing.

Page one, pretty vacant

Page one asks us for our phone number. It looks good but under the hood the scammers have done as little work as possible:

  • We entered a temporary SMS number instead of our real number, but it also worked without one, because the scammers don’t actually care about capturing your phone number.
  • The “Or connect using a social account” link looks convincing but it’s fake. It isn’t broken, it’s just window dressing that was never designed to work.
[Image] The first page of the Uber scam site looks convincing, but it's just a facade.

Page two, the story changes

The next page tells us that we’ve been locked out of our account and need to verify our identity.

We've detected suspicious activity on your Uber account and have temporarily locked it as a security precaution.

Over the next few steps we'll ask you to verify your identity to help secure your account, and let you log back in.

Remember that the initial SMS message only told us to reset our password. The scammers are gradually changing the story here because what they really want is a credit card number.

[Image] The scammers change the story from resetting our password to verifying our identity.

Page three, ID theft

On the next page the scam site asks for some personal details. This page could be here to steal our ID, or it could just be here to get us comfortable typing in our details, so we don’t think twice when we’re asked for our credit card details on the next page.

Whatever it’s for, they didn’t get anything useful from us. A “burner” site deserves nothing more than a burner ID.

[Image] The scam site asks for personal details.

Page four, billing details

Page four of the scam site asked us for both our credit card details and our bank account details. This, presumably, is the whole point of the scam.

At this stage it’s worth recalling that the scammers originally told us we needed to change our password, and later changed the story, telling us we needed to verify our identity. Now we are being asked for “billing details” and there is no mention of verifying our identity.

The scammers are presumably hoping that we will simply respond to the cues on the page—the familiar title “Billing details” and the usual set of credit card input fields—and won’t think about how we got here.

This page is the reddest of red flags.

It goes without saying that this isn’t how you verify your identity. And remember that the scammers contacted us pretending to be Uber and we “fell” for their scam because we are Uber users. Which means Uber already has our credit card details and there is no reason for us to tell them again.

Plausible-looking credit card numbers are easy to generate, so we fed the scammers some fake details and continued on.

[Image] The site asks for credit card details and bank account details.

Page five, success?

The last page of the site tells us we have successfully verified ourselves. The purpose of this page is to reassure us that everything is OK, and that nothing is out of the ordinary, before sending us to the real Uber website.

[Image] Leaving the scam site.

Final page, the real Uber website

The scam site’s last act is to redirect our browser to the real Uber home page. The longer we hang about on the scam site the more likely we are to notice things that aren’t right, so as soon as they have our details the scammers send us on our way. Sending us to the real Uber site presumably also allows us to reassure ourselves that our “locked account” now works.

[Image] The real Uber website.

How not to spot a phish

This scam is a great example of things that can help you spot a scam, and the things that you might hope would help you, but actually work against you.

Things that didn’t help

  • Caller ID. Caller ID spoofing is easy and you can’t rely on your phone to tell you who a call or message is from.
  • The padlock icon. Anyone can give their website a padlock icon, which is a good thing—it indicates you have a “secure line” to that website—but it says nothing about the website itself, and never did.

Things that did help

  • The site did not use Uber’s official domain name. The domain name looked plausible, but it was wrong.
  • The story changed. Step-by-step the scammers had to change their story from “reset your password” to “enter your billing details” to get what they wanted.
  • The scammers asked for things Uber would already know. Our familiarity with Uber is what made the scam believable, but it also gave us an opportunity to spot it.
  • Scammers always ask for something valuable, urgently. Although scams come in many different forms, they normally boil down to somebody asking for valuable information urgently. If somebody asks you for valuable information, urgently, and out of the blue, treat it as a red flag and take your time.

Because the scam happened in the UK, we reported it to the UK’s National Cyber Security Centre (NCSC). We also added it to Malwarebytes Browser Guard, and reported it to Google’s Safe Browsing.

Although this site was quickly closed down, it’s likely there are others, and it will be easy for the scammers to spin up many more identical replacement sites on new domain names, so please be careful!

The post Beware! Uber scam lures victims with alert from a real Uber number appeared first on Malwarebytes Labs.

Parents and teachers believe digital surveillance of kids outweighs risks

Schools in the US have been using surveillance software to keep an eye on their students, and such software has grown significantly in popularity since the COVID-19 pandemic closed campuses nationwide. And this is fine—at least according to new research released by the Center for Democracy & Technology (CDT), as a majority of parents (62 percent) and teachers (66 percent) believe that the benefits of digital surveillance outweigh the risks.

Monitoring software in schools has a range of capabilities that allow school administrators and districts to remotely:

  • Block obscene material
  • Track student logins to applications, including school and non-school related apps
  • View the student’s screen in real-time
  • Block non-educational material (e.g. YouTube)
  • Close browser tabs
  • Take control of student input capability
  • Look at student browsing history
  • Open and close applications
  • Scan student conversations

Half of the students surveyed also said they are “very or somewhat comfortable with the use of monitoring software”.

This, however, doesn’t mean that parents, teachers, and even students aren’t worried at all. In fact, they worry that such surveillance could backfire.

Students, for their part, report being aware of the privacy implications of being monitored and of how it affects their behavior. Six in ten agreed with the statement: “I do not share my true thoughts or ideas because I know what I do online is being monitored”. The CDT also noted that 80 percent of these students are “more careful about what I search online when I know what I do online is being monitored.”

The 7-page report further states: “While a potential goal of student activity monitoring software is to prohibit access to obscene materials, these findings raise questions about whether tracking students may cause them to hesitate before accessing important resources (related to mental health, for instance).”

“Additionally, parents and teachers also express privacy concerns around the use of these tools, which include concerns about disciplinary applications as well as potential impacts on LGBTQ+ students and other unintended consequences.”

[Image] About half of parents and teachers agreed with statements about the negative effect of surveillance on students. (Source: The CDT)

Data from the survey suggests that student monitoring software is largely used in K-12 schools. Such software is used more on school-issued devices than on personal devices. There are cases wherein schools don’t reveal that they use such software, and for those who are transparent in this regard, it’s not made clear how the software is being used or how long the software is active.

In some cases, security flaws in these monitoring software have allowed schools and districts to access students’ cameras and microphones without their knowledge or consent.

Companies that sell surveillance software and services often claim that their software protects student safety and supports academic achievement. School administrators go to them because they believe that such companies could help them comply with Children’s Internet Protection Act (CIPA) standards. CIPA requires that schools have an Internet safety policy that “…includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors…”.

The CDT believes, however, that school administrators’ beliefs are misplaced.

Elizabeth Laird, who co-authored the CDT report, has expressed concern that such surveillance in schools could particularly impact youth of color and those in low-income households whose only way of getting and staying connected to the internet is by using school-issued devices. The more they are online using such devices outside of school, the more likely their activities are being monitored. The security and privacy that come with owning a personal device are luxuries to them.

In a February 2020 article, the Electronic Frontier Foundation’s (EFF) Mona Wang and Gennie Gebhart wrote that “schools are experimenting with the very same surveillance technologies that totalitarian governments use to surveil and abuse the rights of their citizens everywhere: online, offline, and on their phones. What does that mean? We are surveilling our students as if they were dissidents under an authoritarian regime.”

“Schools refer to these technologies as ‘student safety’ measures, but this label doesn’t change the fact that these are surveillance technologies. Surveillance is surveillance is surveillance.”

To help bring the growing problem of school surveillance to light, the CDT, along with other organizations like the American Civil Liberties Union and the Center for Learner Equity (to name a few), submitted a letter urging federal lawmakers to protect students’ rights to privacy, expression, and safety by amending CIPA to include a clarification that it does not require schools or districts to constantly, broadly, and invasively monitor students’ lives online.

“Systemic monitoring of online activity can reveal sensitive information about students’ personal lives, such as their sexual orientation, or cause a chilling effect on their free expression, political organizing, or discussion of sensitive issues such as mental health,” the letter states. “These harms likely fall disproportionately on already vulnerable, over-policed, and over-disciplined communities and may be exacerbated when monitoring occurs on devices and services used off-campus, including in students’ homes.”

The post Parents and teachers believe digital surveillance of kids outweighs risks appeared first on Malwarebytes Labs.

How to clear your cache

The term “cache” refers to a storage container. If you’re familiar with the outdoor recreational activity geocaching, you may be familiar with the term outside of computing. But in website and computer terms, a cache is temporary storage that is used to speed up future requests and load things more quickly for the user.

Caches are used in several different ways in computing.

Your computer’s processor has its own cache, the CPU cache, a small amount of very fast memory that sits between the processor and main memory. There’s a disk cache, too: a portion of RAM set aside to hold recently read data from storage so the processor doesn’t have to wait for the disk again. And then there’s the browser cache.

What is a browser cache?

In computing terms, and specifically for web browsers, the browser cache is where your browser keeps copies of some elements of the websites you visit so that they load faster next time.

When you visit a website, by typing in the URL or clicking through from Google or another website, your browser sends a request to the server hosting that site. The server replies by sending back the page and the files it needs, such as images, scripts, and fonts.

For websites you visit often, some of those files, such as images or fonts, are stored in your browser’s cache. That way the browser already has some parts of the website and can load it faster on your future visits.

Is it a good idea to clear your cache?

Your browser cache helps websites load faster and more efficiently. Clearing it too often is counterproductive: it slows down the websites you visit often, because every element has to be downloaded again as if it were your very first visit to that site. But clearing your browser cache occasionally can be helpful for performance and other reasons.

Why should I clear my browser cache?

Website owners typically update their websites regularly, and so cached website elements become outdated over time. A website that’s not working correctly because the files stored in your browser cache don’t match the files loading from the Internet may perform better after clearing your browser cache. That’s because your browser loads the latest version of the website rather than older cached elements. Think of it like a reset for the website.
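To make the stale-cache problem concrete, here is an added illustrative model, not code from the original article: a toy browser cache that, like a real browser, serves its copy of a file without contacting the server while that copy is within the server’s freshness lifetime (the HTTP Cache-Control max-age), and afterwards asks the server whether the copy is still current using the file’s ETag. The article does not name max-age or ETags; they are the HTTP mechanisms assumed here. The server and its files are constructed in the script so it runs offline.

```python
"""Toy model of a browser's HTTP cache (added example, not the article's code).

Assumptions: the server sends Cache-Control: max-age and an ETag with each file;
a stale entry is revalidated with If-None-Match and a 304 means 'still current'.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    body: bytes
    etag: str
    stored_at: float   # when the copy was stored (seconds)
    max_age: int       # how long the server said it may be reused


class FakeServer:
    """Constructed stand-in for a web server; no network is involved."""

    def __init__(self, files: Dict[str, Tuple[bytes, str]], max_age: int = 3600):
        self.files = dict(files)   # url -> (body, etag)
        self.max_age = max_age

    def publish(self, url: str, body: bytes, etag: str) -> None:
        """The site owner deploys a new version of a file."""
        self.files[url] = (body, etag)

    def respond(self, url: str, if_none_match: Optional[str]):
        """Return (status, body, etag); 304 means the client's copy is current."""
        body, etag = self.files[url]
        if if_none_match is not None and if_none_match == etag:
            return 304, None, etag
        return 200, body, etag


class BrowserCache:
    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}

    def fetch(self, url: str, server: FakeServer, now: float) -> Tuple[bytes, str]:
        """Return (body, source) where source is 'cache', 'revalidated' or 'network'."""
        entry = self._entries.get(url)
        if entry is not None and now - entry.stored_at < entry.max_age:
            # Fresh copy: the browser does not even ask the server, so a newer
            # version on the site is not noticed. This is the mismatch the
            # article describes.
            return entry.body, "cache"
        conditional = entry.etag if entry is not None else None
        status, body, etag = server.respond(url, conditional)
        if status == 304:
            entry.stored_at = now          # server confirmed our copy is current
            return entry.body, "revalidated"
        self._entries[url] = Entry(body, etag, now, server.max_age)
        return body, "network"

    def clear(self) -> None:
        """What 'clear cache' in the browser does: forget every stored copy."""
        self._entries.clear()


def simulate():
    """Walk through a site update with and without clearing the cache."""
    server = FakeServer({"/app.js": (b"v1", '"e1"')})
    cache = BrowserCache()
    results = []
    results.append(cache.fetch("/app.js", server, now=0))       # first visit: download
    server.publish("/app.js", b"v2", '"e2"')                      # site owner updates the file
    results.append(cache.fetch("/app.js", server, now=600))     # still 'fresh': old v1 served
    cache.clear()                                                 # user clears the cache
    results.append(cache.fetch("/app.js", server, now=601))     # new v2 downloaded
    results.append(cache.fetch("/app.js", server, now=5000))    # max-age expired: 304, reuse v2
    server.publish("/app.js", b"v3", '"e3"')
    results.append(cache.fetch("/app.js", server, now=9000))    # expired and changed: v3 downloaded
    return results


if __name__ == "__main__":
    for body, source in simulate():
        print(source.ljust(12), body.decode())
```

The second result is the failure mode the article describes: within the freshness lifetime the browser never asks the server, so it keeps using the old file even though the site has changed. Clearing the cache forces a fresh download; the last two results show that once the lifetime expires the browser sorts it out on its own, which is why clearing is only occasionally necessary.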

Is it time to clear your cache? Here’s how to do so in major web browsers:

How to clear the cache in Google Chrome

  1. Start the Chrome browser
  2. Click the three vertical dots on the top right.
  3. Click More tools.
  4. Click Clear browsing data.
  5. Select a time range.
  6. Check Cached images and files (checking the other boxes also deletes your browsing history and cookies, which signs you out of websites).
  7. Click Clear data to delete the Chrome cache.

How to clear the cache in Mozilla Firefox

  1. Start Mozilla Firefox.
  2. Click the three horizontal lines on the top right.
  3. Click Settings.
  4. Select Privacy & Security.
  5. Under Cookies and Site Data, click Clear Data.
  6. Check the content you wish to clear.
  7. Click Clear to delete your Firefox cache.

How to clear the cache in Microsoft Edge

  1. Start Microsoft Edge.
  2. Click the three horizontal dots on the top right.
  3. Click Settings.
  4. Click Privacy, search, and services.
  5. Under Clear browsing data, click Choose what to clear.
  6. Tick Cached images and files; tick the other boxes only if you also want to delete your browsing history and cookies.
  7. Click Clear now to delete the Edge cache.

How to clear the cache in Internet Explorer

  1. Start Internet Explorer.
  2. Click the gear icon on the top right.
  3. Pick Internet options in the drop-down menu.
  4. Find Browsing history in the General tab.
  5. Click Delete…
  6. Tick Temporary Internet files and website files (ticking the other boxes also deletes your browsing history and cookies).
  7. Click Delete to delete the cache in Internet Explorer.

How to clear the cache on Safari

  1. Start Safari.
  2. Select Preferences from the Safari menu.
  3. Click the Advanced tab.
  4. Tick Show Develop menu in menu bar.
  5. Select Develop from the menu bar and click Empty Caches to delete the Safari cache.

How to clear the cache on your iPhone or iPad

  1. Go to Settings
  2. Tap Safari.
  3. Scroll down until you see Clear History and Website Data.
  4. Tap Clear History and Website Data.
  5. Tap Clear History and Data to clear your browsing history, cookies, location data, etc., and delete the cache on iPhone.

The post How to clear your cache appeared first on Malwarebytes Labs.

Microsoft Exchange Autodiscover flaw reveals users’ passwords

Researchers have been able to get hold of 372,072 Windows domain credentials, including 96,671 unique credentials, in slightly over 4 months by setting up a Microsoft Exchange server and using Autodiscover domains.

The credentials that are being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers.

What is Autodiscover?

From Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios”.

In plain terms, Autodiscover is a feature of Exchange email servers that lets email clients automatically locate the right server, supply the user’s credentials, and receive the proper configuration in return. It was designed to make the user’s life easier, but designs like this need to be made with security in mind, because cybercriminals love such features and use them for their own purposes.

How can it be abused?

The protocol’s goal is to let an end user configure their Outlook client completely by providing nothing more than their username and password, leaving the rest of the configuration to Exchange’s Autodiscover protocol.

To accomplish this, the Autodiscover client looks for a valid Autodiscover URL in the following formats, where example.com is replaced by the domain name (the part after the @) in the user’s email address:

https://autodiscover.example.com/Autodiscover/Autodiscover.xml
http://autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml

This means that, to start with, Autodiscover looks for a URL at a domain or subdomain owned by the organization the user belongs to, so mistakes are contained and unlikely to cause problems. But, and here it comes, if none of the above returns a valid response the process carries on where it should have given up.

If those attempts fail, the next attempt to build an Autodiscover URL drops the organization’s own domain name (the example part of example.com), keeps only the top-level domain, and looks here:

http://autodiscover.com/Autodiscover/Autodiscover.xml

This gives whoever owns the domain autodiscover.com a huge opportunity.

The same is true for the autodiscover domain under every other top-level domain (TLD), too: autodiscover.es, for example, receives requests from the users of every .es domain whose own Autodiscover endpoints don’t respond.

To complete the mess, the client does nothing to verify that the server it ends up talking to belongs to the user’s organization. The unsuspecting user trying to set up their Exchange account simply sends their credentials to an unknown server. Nor does the client check whether the Autodiscover resource is available, or even exists on that server, before sending an authenticated request.

How bad is it?

It is important to understand that, because Exchange is integrated with Active Directory, the credentials needed to log in to an Exchange mailbox are in most cases the user’s Windows domain credentials. The possible consequences of a domain credential leak at this scale are enormous and can put entire organizations in danger, especially in light of the ransomware attacks that are in the news daily. What easier way could an attacker ask for than to gain entry into an organization using legitimate, valid credentials?

A quick search on my part showed that in most of the big TLDs the autodiscover domains have already been registered.

[Image: Autodiscover domains]

Some of the most dangerous ones have been registered by the researchers to do their testing.

Detection and mitigation

Organizations can protect themselves by establishing their own Autodiscover domains, and blocking Autodiscover.TLD domains at the firewall or in their local DNS. Users can block Autodiscover.TLD domains in their hosts file.

Software vendors and developers implementing the Autodiscover protocol in their products should make sure that it cannot “fail upwards”: the “back-off” algorithm should never construct a domain of the form autodiscover.TLD, outside the user’s own domain.
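As an added example (not code from the article or from the researchers), here is a Python model of the URL construction described under “How can it be abused?” and of the hardened behaviour this paragraph calls for. candidate_urls builds the list in the order the article gives, with a switch for the “fail upwards” step that appends autodiscover.TLD; first_host_receiving_credentials shows which host ends up with the user’s password given a constructed set of live hosts; hosts_file_blocklist produces the Autodiscover.TLD entries an organization could put in its hosts file or local DNS, as suggested under “Detection and mitigation”. The model treats the last label of the email domain as the TLD and leaves out the SRV-record and redirect steps of the real protocol; the domains and the set of live hosts are constructed for the example.

```python
"""Model of Exchange Autodiscover URL construction (added example, not the article's code).

Assumptions, for illustration only: the TLD is the last label of the email
domain, and the client authenticates to the first candidate host that answers.
"""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def candidate_urls(email, fail_upwards=True):
    """Return the Autodiscover URLs a client tries, in the order the article gives.

    fail_upwards=True reproduces the flawed 'back-off' that appends
    http://autodiscover.<TLD>/...; fail_upwards=False is the hardened variant
    that never leaves the user's own domain.
    """
    domain = email.rsplit("@", 1)[1].lower()
    urls = []
    for host in (f"autodiscover.{domain}", domain):
        urls.append(f"https://{host}{AUTODISCOVER_PATH}")
        urls.append(f"http://{host}{AUTODISCOVER_PATH}")
    if fail_upwards:
        tld = domain.rsplit(".", 1)[-1]   # assumption: single-label TLD
        urls.append(f"http://autodiscover.{tld}{AUTODISCOVER_PATH}")
    return urls


def is_within_org(url, user_domain):
    """True when the URL's host is the user's domain or a subdomain of it."""
    host = urlparse(url).hostname or ""
    user_domain = user_domain.lower()
    return host == user_domain or host.endswith("." + user_domain)


def first_host_receiving_credentials(email, live_hosts, fail_upwards=True):
    """Hostname that would receive the user's credentials, or None.

    Walks the candidate list and stops at the first host in `live_hosts`,
    a constructed set standing in for 'this host answered the request'.
    """
    for url in candidate_urls(email, fail_upwards):
        host = urlparse(url).hostname
        if host in live_hosts:
            return host
    return None


def hosts_file_blocklist(mail_domains):
    """Hosts-file lines sinkholing autodiscover.<TLD> for each TLD the org uses."""
    tlds = {d.lower().rsplit(".", 1)[-1] for d in mail_domains}
    return [f"0.0.0.0 autodiscover.{tld}" for tld in sorted(tlds)]


if __name__ == "__main__":
    # Constructed scenario: example.es runs no Autodiscover endpoint, while
    # autodiscover.es is live and owned by a third party.
    live = {"autodiscover.es"}
    for url in candidate_urls("alice@example.es"):
        note = "" if is_within_org(url, "example.es") else "   <-- outside the organization"
        print(url + note)
    print("flawed client sends credentials to:",
          first_host_receiving_credentials("alice@example.es", live))
    print("hardened client sends credentials to:",
          first_host_receiving_credentials("alice@example.es", live, fail_upwards=False))
    print("\n".join(hosts_file_blocklist(["example.es", "corp.example.com"])))
```

The fix is the single conditional in candidate_urls: a client that stops at the organization’s own domain fails closed and the user gets an error, whereas the back-off hands the credentials to whoever registered autodiscover.es. The is_within_org check is the test a developer can run on every URL the algorithm produces, before any request is sent, to make sure nothing outside the user’s domain ever gets constructed.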

When deploying or configuring Exchange servers, organizations should also make sure that support for basic authentication is disabled. HTTP basic authentication sends the username and password merely base64-encoded, which is as good as clear text: whoever receives the request, or intercepts it on an unencrypted connection, can read them directly.

When a client is redirected to an Autodiscover.TLD server that is trying to exploit this behaviour, a security alert might pop up if that server has no TLS certificate or only a self-signed one. An attacker can avoid that warning, though, simply by deploying a valid TLS certificate for the domain they own.

Microsoft says it was not informed of the problem before the credential harvesting was set in motion and the results were published, so it is still investigating and has promised to take appropriate steps to protect customers.

Stay safe, everyone!

The post Microsoft Exchange Autodiscover flaw reveals users’ passwords appeared first on Malwarebytes Labs.