
Tor vs VPN—What is the difference?

Our data is a precious commodity and there are plenty of people who would like to get their hands on it, from spouses and marketing teams to crooks and state-sponsored spies. Because of that, tools like Tor and Virtual Private Networks (VPNs) are growing in popularity. But while both tools can enhance your online anonymity, they’re as different as apples and orang… onions.

What is Tor?

The Tor (The Onion Router) network protects users from tracking, surveillance, and censorship. It is based on free and open-source software and uses computers run by volunteers. Onion routing was created in the 1990s by US Naval Research Laboratory employees to shield national intelligence communications. Later, it was enhanced further by the Defense Advanced Research Projects Agency (DARPA) and patented by the Navy. Since 2006, development of Tor has been conducted by a nonprofit organization called The Tor Project.

The Tor network can be used to access the regular Internet, where it hides your IP address from everyone, including the people operating the Tor network itself, or the Dark Web, where everyone’s IP address is hidden from everyone else.

How does Tor work?

When you use Tor, your traffic connects to the Internet through a “Circuit”, a chain of three computers, or Tor “nodes”, that is changed every ten minutes. Your traffic is protected by multiple layers of encryption, which prevents anyone from snooping on it, including most of the Tor network itself. Each computer in a Circuit peels back one layer of encryption to reveal information that only it can see. They work like this:

  1. The Entry Guard is where your traffic enters the Circuit. It can see your IP address and the IP address of the middle node.
  2. The middle node can see the IP addresses of the Entry Guard and Exit Node.
  3. The Exit Node is where your traffic leaves the Circuit. It can see the IP address of the middle node and your traffic’s destination. The Exit Node behaves a bit like a VPN, so any service you use on the Internet will see the Exit Node’s IP address as the source of your traffic.
  4. If you are using the Dark Web, both you and the service you are connecting to have their own circuits, which meet at a Rendezvous Point.
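The three-hop walk described above, as an added illustration in PHP (not code from the article or from the Tor Project): a toy onion in which each node strips exactly one encryption layer and learns only its neighbours. It assumes each node's AES key was already agreed during circuit setup and ignores Tor's handshake and fixed-size cells.

```php
<?php
// Added example (not from the original article): a toy three-hop onion.
// Each node holds one symmetric key; the client encrypts the message in
// three layers so every node can strip exactly one layer and learn only
// the previous and next hop. Keys are ASSUMED to have been agreed during
// circuit setup, which this example skips entirely.

const CIPHER = 'aes-256-gcm';

// Encrypt one layer: only the node that owns $key can recover $plaintext.
function wrap(string $key, string $plaintext): string {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct;
}

// Strip one layer; null means wrong key or a tampered blob (GCM tag failed).
function unwrap(string $key, string $blob): ?string {
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Client side: build the onion from the inside out, exit layer first.
// $hops is [guard, middle, exit], each ['name' => ..., 'key' => ...].
function buildOnion(array $hops, string $destination, string $request): string {
    $inner = json_encode(['next' => $destination, 'payload' => $request]);
    $blob  = wrap($hops[2]['key'], $inner);                                   // exit layer
    $blob  = wrap($hops[1]['key'], json_encode(['next' => $hops[2]['name'],   // middle layer
                                                'blob' => base64_encode($blob)]));
    $blob  = wrap($hops[0]['key'], json_encode(['next' => $hops[1]['name'],   // guard layer
                                                'blob' => base64_encode($blob)]));
    return $blob;
}

// Relay side: a node peels its own layer and records what it could observe.
function relay(array $node, string $from, string $blob, array &$observed): array {
    $plain = unwrap($node['key'], $blob);
    if ($plain === null) {
        throw new RuntimeException($node['name'] . ': cannot open this layer');
    }
    $layer = json_decode($plain, true);
    $observed[$node['name']] = [
        'from'    => $from,
        'to'      => $layer['next'],
        'payload' => $layer['payload'] ?? null,   // only the exit ever sees this
    ];
    return $layer;
}

// Walk the circuit as the article describes it and return each node's view.
function runCircuit(array $hops, string $clientIp, string $destination, string $request): array {
    $observed = [];
    $blob = buildOnion($hops, $destination, $request);
    $from = $clientIp;
    foreach ($hops as $node) {
        $layer = relay($node, $from, $blob, $observed);
        if (!isset($layer['blob'])) {
            break;                                  // exit node: payload, no inner blob
        }
        $blob = base64_decode($layer['blob']);
        $from = $node['name'];
    }
    return $observed;
}

// Constructed sample circuit: client IP and destination are placeholders.
$hops = [
    ['name' => 'guard',  'key' => random_bytes(32)],
    ['name' => 'middle', 'key' => random_bytes(32)],
    ['name' => 'exit',   'key' => random_bytes(32)],
];
print_r(runCircuit($hops, '203.0.113.5', 'example.com', 'GET / HTTP/1.1'));
```

The printed view shows the guard with `from` = client IP and `to` = middle, the middle with guard and exit, and only the exit with the destination and the payload, matching the three numbered roles above.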

How do I use Tor?

The most uncomplicated way to use the Tor network is through the Tor Browser. All you have to do is download and install the latest version from the official website and use it like a regular web browser. There is no learning curve; the Tor browser is based on Firefox and is as easy to use as any browser.

Is Tor illegal?

Tor is not illegal in most countries, including the United States. No one in America has been charged by law enforcement purely for using the network. However, Tor use may raise some eyebrows because it’s one of the most popular ways to access the Dark Web.

What is the difference between Tor and a VPN?

To understand the difference between Tor and a VPN, you first need to know what a VPN is. A VPN routes traffic from your device to a VPN provider through an encrypted tunnel. The encrypted tunnel prevents your ISP, rogue WiFi access points, or any other interlopers from spying on your traffic before it reaches your VPN provider.

Your traffic joins the Internet from the VPN provider and uses your VPN provider’s IP address, so it appears to originate there.

Here are some important differences between the two technologies:

  • There are many VPN services to pick from; there is only one Tor network.
  • A VPN assumes you trust your VPN provider.
  • Tor assumes you do not trust the operators of the Tor network.
  • Your VPN provider aims to provide a connection that is fast and stable.
  • Tor aims to provide a connection that is resistant to advanced attacks.
  • VPN service providers are usually run by businesses answerable to local laws.
  • Tor is run by volunteers who can’t see what is passing through their servers.

Should I use a VPN with Tor?

The Tor Project discourages the use of both technologies together:

Generally speaking, we don’t recommend using a VPN with Tor unless you’re an advanced user who knows how to configure both in a way that doesn’t compromise your privacy

What is better, VPN or Tor?

The choice of which technology is better is determined by your threat model, which will vary from one person to another. Broadly speaking, you can expect Tor to be slower than a VPN, but more secure against a wider range of threats, including threats that many Internet users are unlikely to encounter.

A good VPN service that uses the latest VPN protocol and provides multiple servers can offer speeds that are fast enough for gaming or video streaming, while bypassing geo-blocks, masking your IP address, and protecting you from rogue WiFi hotspots, ISP logging and other similar threats.

The post Tor vs VPN—What is the difference? appeared first on Malwarebytes Labs.

ProtonMail hands user’s IP address and device info to police, showing the limits of private email

They say there’s two sides to every story. Depending on your point of view, you may have heard a recent story that’s either about overreaching law enforcement and protestors exposed by organisations happy to hand over revealing data despite saying they won’t.

Or:

What happened?

ProtonMail offers end-to-end encrypted mail services. It’s one of those mail services people turn to should they require reassurance that what they do is kept private. 

There is a niche out there for privacy-focused people who’ve always wanted mail services. This is why services such as ProtonMail, Hushmail, PrivateMail and others are always in demand.

You may have run into Hushmail in the olden times (1998 onwards). They offered a similar service with the expectation of security and privacy for communications. At least some of their popularity at the time was based on geographical location. If they’re in Canada, legal demands for data would take time, so the theory went. At a bare minimum, anything handed over to law enforcement would surely be in encrypted form.

That was the theory, anyway.

Back in the day…

In 2007, reality came knocking at the door in the form of articles with titles like “Encrypted e-mail company Hushmail spills to feds”. US Law Enforcement made use of a US / Canada mutual assistance treaty and had a Canadian court serve up the necessary court order.

“12 CDs worth of e-mails from three Hushmail accounts” related to alleged steroid dealer antics were turned over to law enforcement. The bottom line from Hushmail’s then CTO was essentially that if you were engaged in illegal activity? Forget it. Not only are you breaking the Hushmail T&Cs, but you’re also breaking the law. Though they fight and resist many requests for information, the knock at the door for bad antics will happen eventually.

This seems to be a reasonable stance, unless you expected Hushmail to operate on the moon or some sort of abandoned platform in international waters. Privacy and avoiding snooping? Sure. Using our services for something illegal? Sorry, out you go.

Now we come to the present day.

Stop me if you’ve heard this one.

The ProtonMail situation: Nothing new under the sun

A lot of people are quite angry with ProtonMail at the moment. The reason? It handed a user’s IP address and device information to the police. This has, as expected, caused a bit of a privacy backlash. “Why are you storing things” seems to be the most common complaint. However, as the company pointed out, it doesn’t collect information on accounts by default. This is something that has to be enabled after a legal order:

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

Sometimes things have the inevitability of a runaway freight train, and this sounds like it fits the bill.

Of transparency and privacy policies

ProtonMail’s statement goes on to say:

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders.

Remember what I said about Hushmail and abandoned platforms in international waters? Here’s ProtonMail on this very subject:

Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.

One more incident for the road?

ProtonMail has a full run-down of the current situation here, which links to their Transparency Report, which has been published since 2015.

I think realistically, we’d be hard pressed to lay blame at ProtonMail’s feet here. It’s called the long arm of the law for a very good reason, and it sounds as though no other options were available. Unlike the now ancient Hushmail case in 2007, email contents were also unavailable to investigators. I don’t remember if organisations in similar situations were publishing transparency reports back then, but I suspect it wasn’t common.

In many ways, this is a small improvement on what things used to be like. However you stack it up though, if you’re breaking the ToS of a service and breaking the law, you can probably only fend them off for so long. A third party encrypted mail service complying with local laws in the region they’re based in isn’t going to be your salvation. This situation will occur again, it’s inevitable. The only real surprise is that we appear to have been taken by surprise.

If you’re wanting to lock things down yourself, this article may be a good place to start. Just don’t get up to anything illegal, because if you do then all bets are most definitely off.


Apple delays plans to search devices for child abuse imagery

After the uproar from users and privacy advocates about Apple’s controversial plans to scan users’ devices for photos and messages containing child abuse and exploitation media, the company has decided to put the brakes on the plan.

As you may recall, Apple announced in early August that it would introduce the new capability in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. These features, per Apple, are “intended to help protect children from predators who use communication tools to recruit and exploit them and help limit the spread of Child Sexual Abuse Material (CSAM)”.

These child safety features, which the company claims were developed with the help of child safety experts, include, firstly, an updated iMessage app that will alert parents and their children when sexually explicit images are either sent from or received by their devices. If, for example, the child receives such an image, they will be presented with an option to view it or not. And if they do, their parents will be notified that they have viewed it. Something similar happens when the child sends sexually explicit photos.

Secondly, iPhones and iPads would allow Apple to detect CSAM material in photos that are being uploaded to iCloud. If an i-device finds photos that match, or resemble, photos in a database of known CSAM material, the material is flagged as such. To reduce the chance of false positive matches (where a user is wrongfully accused), users have to exceed a threshold number of flags before Apple is actually alerted.

Thirdly, Siri and Search will be updated to provide additional resources for children and parents to stay safe online. These two also intervene when a user searches for CSAM material.

We don’t doubt Apple’s good intentions, nor the seriousness of the child abuse problem it is attempting to tackle. And there is no question that it has gone to great lengths to engineer a solution that attempts to preserve users’ privacy without creating a haven for CSAM distribution.

The issue is that the technology also opens a door for some serious issues.

Many have expressed concern that Apple could be coerced into using this on-device scanning infrastructure to scan for other things, and doubts have been raised about Apple’s assessment of the false positive rate.

There are other concerns too, that this one-size-fits-all technology could put some vulnerable users in danger. “This can be a serious violation of a child’s privacy, and the behavior of this feature is predicated on an assumption that may not be true: That a child’s relationship with their parents is a healthy one. This is not always the case,” writes Thomas Reed, Malwarebytes’ Director of Mac & Mobile, in a thoughtful blog post on the matter.

Reed’s article is well worth a read: It delves into other potential problems with these new changes, and covers how and why the technology works the way it does.

Since they were announced, organizations like the Electronic Frontier Foundation (EFF), Fight for the Future, and OpenMedia have all conducted petitions to pressure Apple into backpedaling from implementing its plans.

Apple listened:

Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

For the EFF, delaying plans is not good enough though. It insists that Apple must “drop its plans to put a backdoor into its encryption entirely.”


A week in security (August 30 – September 5)

Last week on Malwarebytes Labs

Other Cybersecurity news

Stay safe, everyone!


Watch what you send on anonymous SMS websites

It’s a good idea to try and keep certain things private.

For example, people have been using anonymous email services for years. These either hide your real email address, or replace it entirely for specific tasks. Folks will go one step further, setting aliases for each service they sign up to. If the mail ends up in the wild? They know there’s a good chance which service has suddenly experienced a breach.

You may well be aware of these methods for anonymising emails. But did you know similar services exist in the SMS space?

Keeping your number safe

Nobody wants to have their mobile number leaked in a database dump, or placed onto dozens of marketing lists. It’s also a lot easier to switch out an email than a number tied to a device in your pocket. Changing numbers is quite often a pain, especially when updating all of your contacts.

There are other security concerns too. Some folks may want to keep their real number away from marketers and spammers. Others may want a little added security in the form of 2FA, despite not actually having a phone. How would they go about this? 

Let’s look at one of the possible solutions, and the problems that come along with them.

How temporary number services work

This is where online anonymous SMS services come in. These are websites that offer SMS numbers for receiving messages, rather than for sending them. How does this play out?

  1. You visit a “free temporary number” site, and select one of a dozen or so temporary numbers on offer. They usually offer regional numbers, so if it’s easier to use a French number, you can do that. Need one for Germany, or the UK, or even Australia? There’s likely one in there somewhere.
  2. You then use that number for whichever online service you need it for. Some examples would be confirmation codes, authentication codes, appointment confirmations, banking codes, verifying social media accounts, web logins, and more.
  3. At this point, you’re wondering “How do I actually receive messages to this number? I don’t own it and it’s not tied to my phone. I might not even own a phone. There’s also no registration or login on the site to keep track of messages sent my way. What’s the deal here?”

The deal here

Each temporary mobile number has its own page on the site you obtain it from. All of the messages sent to that number will be people wanting a code, or a pass, or a login, or a confirmation.

Those messages, for all of those people, display publicly on the number’s page.

Some services are so popular they have their own subpage on the temporary number service site. For example, there might be an Amazon page for all the Amazon messages, a Tinder page for Tinder messages etc. Whether service-specific or a more general page, they work the same way: a whole bunch of SMS messages appear, and you have to figure out which one is relevant to you and you alone.

Most services claim messages are sent as good as instantly. What this means in practice is sitting on the page for the number / service combination you’ve used. Then you wait until your desired SMS shows up.

If half a dozen generic looking messages for an Instagram verification code arrive in the space of 5 minutes, all for the same number: which one is yours? Instagram verification messages use different codes for verification, so one assumes all you can do is start punching them all in and hope for the best. This seems less than optimal.

Is this dangerous?

We must be clear: The websites we’ve seen at least reference the fact that messages sent are not private. However, the way it’s mentioned varies. It could well be buried in generic descriptions of what the site is all about. It also feels a little dissonant when some of them claim you can “keep your privacy with our free services”. The “privacy” simply extends to how careful you are in making use of the service. If you’re expecting your messages to be somehow hidden from the view of others, you’re sadly mistaken.

Image: A warning message displayed at the top of an anonymous SMS site

There are other SMS sites which do mention it prominently in red text. They also mention services should “not be used for any sensitive transactions”. Unfortunately those mentions are on FAQ or privacy pages, and seem likely to go unnoticed by many. If you don’t read those awful cookie preference popups, you likely don’t read the privacy blurbs either.

SMS codes made public

So, what are people sending? Here’s a sample:

Image: A selection of messages that include secret codes—and text clearly urging users to keep the codes secret—on an anonymous SMS site

It’s certainly making me say “yikes” to see these online, but by the same token, there’s no practical way to do anything bad with these. The account(s) could belong to anyone, and with nothing else identifiable in the message, it’s just a random code with nothing to tie it to. It’s the same as me sending you a text and saying the login code for my account is 123456. Which account? What email address? Username? And so on.

Image: A selection of messages on an anonymous SMS service page

So it’s disconcerting, but not a disaster outside of perhaps making people behave too casually about security messages sent to their phone. It’s quite peculiar to see dozens of text messages posted online which include the line “keep this code safe and do not share it with anyone”.

Perhaps that’s the rub: They are supposed to be secrets, and if you put them on a public website they aren’t.

How revealing is too revealing?

Elsewhere though, things become slightly more personal. We’ve modified the text of the messages a little so people can’t simply pull them up in Google but their essence is unchanged. These are all based on genuine missives we’ve seen on the various SMS sites:

“Your appointment with [clinical service] on [date and time] has been confirmed.”

“Click to get back into your [account]”, with a one time click password reset link.

“You’ve requested a new password. Click here to reset it”, with a reset password link.

“Follow this link to complete your survey for the (medical) test [link] and call if you have questions”

“To complete registration, click here” with a registration link.

“I liked your profile on [site]. Please visit my profile at [link]”

“Your payment plan identity number is [number] for [x] amount. Your next payment of [y] is due [date].”

Some of these raise a few warning flags. They’re just that little bit on the side of potentially identifying.

The dating site conversation with link could be perfect for a social engineer or phisher to move into the conversation. The medical survey could potentially prefill with details of the recipient before they complete the form. This means someone clicking the link who it’s not intended for could see things they’re not supposed to. The clinical service appointment gives a clear location and time / date. This specific data is no doubt worthless for almost everybody bar the patient. It’s still a bit alarming to see it floating around online.

What’s clear in all of them is that, like the security codes, they are supposed to be private and the sender is clearly assuming they are engaged in a one-to-one conversation.

Of people problems and technical mishaps

At least some folks using these temporary number services mustn’t be reading the warnings highlighting that everything is posted publicly. Or perhaps more worryingly, they are and…simply don’t care? Neither possibility is great. The latter viewpoint can slide into a gradual “who cares” feeling in relation to their theoretically private dealings.

It’s also worth noting a lot of the mobile number pages are filled with various kinds of 2FA / authentication codes. The problem with that is many of the sites rotate their numbers. Some vanish after just a few days.

Imagine setting up text based 2FA on your Outlook account, then losing your phone. With the phone, and more specifically your number gone, you no longer have a number to send the verification codes to. That would be bad.

Now imagine you’ve set up text based 2FA on your Outlook account. You’ve done this using a site which removed said number from circulation 3 days ago.

This would also be bad.

Even so, it appears people are doing it anyway.

Be smart with your SMS messages

These sites encourage you to use them to make yourself a bit more secure and private. That’s how they sell it, anyway. If you use disposable mobile services for anything sensitive, you may well be causing the reverse to happen. Using them for generic services you don’t want spamming you? Occasional (non-identifiable) passcodes for logins? Probably okay on an occasional basis. However, it feels easy to accidentally divulge more than you bargained for in the dusty pages of their logged SMS messages.

There’s no guarantee some sites won’t simply keep messages online forever. Once you hit send it’s too late to fix a problem. This type of service has been around for some years now, but they seem to be growing in popularity. If you need to use one? Weigh up if what’s being sent is definitely okay to end up on the big wide web. Once the SMS genie is out of the bottle, it’s not going back in.


FBI warns of ransomware threat to food and agriculture

The FBI has issued a Private Industry Notification (PIN) about cybercriminal actors targeting the food and agriculture sector with ransomware attacks.

Farms are literally the first step in one of the most important, if not the most important, supply chains in our economy: The food supply chain. As always, cybercriminals love the extra leverage that is provided by how important a target is.

Ransomware attacks targeting the food and agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain. Food and agriculture businesses victimized by ransomware suffer significant financial loss from ransom payments, loss of productivity, and the (often neglected) cost of remediation. And, as the FBI points out, no operation is too big, or too small, to be a target:

Larger businesses are targeted based on their perceived ability to pay higher ransom demands, while smaller entities may be seen as soft targets, particularly those in the earlier stages of digitizing their processes…

The FBI also warns that ransomware can carry a cost in lost data: “Companies may also experience the loss of proprietary information and personally identifiable information (PII) and may suffer reputational damage resulting from a ransomware attack.”

Internet of Things

Agriculture may not be the first industry you associate with cybersecurity problems, but we all need to be aware of the risks created by connecting this ancient part of our food supply chain to the Internet. As farms have grown in scale they have increased their level of automation, making farms and farm equipment Internet-connected cogs in the Internet of Things “machine”. This comes at the cost of a significant increase in their attack surface.

The state of IoT is poor enough as it is, security wise. But manufacturers of agricultural equipment have spent the last few years locked in an automation arms race, and the side effects of this race are starting to show. In any industry that is developing and adopting new technology at pace you can expect growing pains and security is often the last thing on the developers’ minds. So it is with agriculture.

In our most recent Lock and Code podcast, Malwarebytes Labs’ David Ruiz spoke to hacker Sick Codes, whose research into cybersecurity in agriculture has been instrumental in raising its profile this year.

In it, he told us that the industry is starting to take security seriously, but it is still grappling with the basics, leaving it dangerously exposed. Speaking about his research into John Deere and other agricultural equipment manufacturers, he gave us an example of what he found, in plain terms:

A group of less than 10 people were able to pretty much get root [the highest level of access] on John Deere’s Operations Center, which connects to every other third party connectivity service that they have. You know, you can get every farm’s data, every farm’s water, I’m talking everything. We had like the keys to the kingdom. And that was just a few people in two days.

Rise in malware

Sick Codes and the FBI aren’t the only ones to notice that something is up in agriculture. As we pointed out in our State of Malware report, published earlier this year, Malwarebytes recorded an eye-watering 607% increase in malware detections in the agriculture sector in 2020.

Image: Malwarebytes recorded a 607% increase in agriculture sector attacks in 2020

As the manufacturing and automotive sectors contracted in 2020, under the weight of pandemic shutdowns, attackers simply turned their faces to other industries, with agriculture by far the biggest loser.

Critical infrastructure

While the FBI’s warning focusses on the threat to individual operators, the rapid computerization of agriculture also carries potential risks for the system of food production itself.

Connectivity and centralization could create opportunities for threat actors—state sponsored or otherwise—to throw a wrench in the workings of our critical infrastructure. Attackers could potentially provide false data to farming equipment, change the temperature in greenhouses, alter the composition of fertilizers, or bring businesses to a crashing halt by deploying ransomware. All of which could lead to shortages and increased food costs.

Recommended mitigations

The agriculture sector needs to be as prepared as any other sector to withstand attacks by cybercriminals. But the sector is only as secure as the technology it relies on, so our food supply requires secure IoT devices and Cloud services for food and agriculture too.

The FBI notice includes the following recommendations:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication with strong pass phrases where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

To learn more about the current state of cybersecurity in the Internet-connected world of agriculture, you can listen to our Lock and Code podcast below:



Vulnerable WordPress plugin leaves online shoppers vulnerable

The most popular web content management system (CMS) is WordPress, which is used by more than 30% of all websites. By extension, the most popular ecommerce platform in the world is WooCommerce, a plugin that turns a WordPress website into an online shop. In fact, WooCommerce is so popular that it isn’t just part of WordPress’s software ecosystem, it also has a software ecosystem of its very own too.

There are hundreds of WordPress plugins that are designed to work with or extend the WooCommerce plugin in some way, and many of them are mature commercial software products in their own right. One such product is a popular extension called WooCommerce Dynamic Pricing and Discounts, which sells for a little less than $70 and has been purchased almost 20,000 times.

If your site is running that plugin, you need to update it to version 2.4.2 immediately.

Researchers recently discovered multiple security vulnerabilities affecting version 2.4.1 and below. These vulnerabilities have been fixed in version 2.4.2, which was released on August 22, 2021.

The vulnerabilities

The first vulnerability is a high-severity stored cross-site scripting (XSS) bug. Cross-site scripting (XSS) is a type of security vulnerability that lets attackers inject client-side scripts into web pages viewed by other users.

The researchers found that the vulnerable code missed two important checks: A capability check that ensures a user is authorized to do a particular thing, and a security nonce (short for “number once”) that tries to ensure a web request is asked and answered by the same site, and that the request didn’t come from an imposter running a cross-site request forgery (CSRF) attack.

Without a capability check the vulnerable function—which allowed users to import plugin settings—was available to anyone, including an attacker. Because some of the setting fields weren’t sanitized, an attacker could use the vulnerability to inject JavaScript code into the imported JSON-encoded file.

The second vulnerability exists in the plugin’s settings export functionality, which was also missing a capability check. In this case an unauthenticated attacker can export the plugin’s settings, inject JavaScript code into the resulting JSON file and then reimport the settings, including the malicious JavaScript, using the first vulnerability.
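As an added illustration (not the plugin’s own code; the function, hook and option names are hypothetical), here is the shape of a WordPress AJAX settings-import handler that lacks both checks the researchers describe, followed by a hardened version that adds the capability check, the nonce check, and per-field sanitization. The same capability check is what the export handler was missing.

```php
<?php
// Added illustration, not the plugin's actual code. Names prefixed
// "dpd_" are hypothetical; the WordPress API calls are real.

// --- Before: the pattern the article describes. Reachable by logged-out
// --- users (wp_ajax_nopriv_), no capability check, no nonce, and the
// --- decoded JSON is stored without sanitization.
function dpd_import_settings_unsafe() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    update_option( 'dpd_settings', $settings ); // any HTML/JS in fields is kept
    wp_send_json_success();
}
add_action( 'wp_ajax_dpd_import', 'dpd_import_settings_unsafe' );
add_action( 'wp_ajax_nopriv_dpd_import', 'dpd_import_settings_unsafe' );

// --- After: allow-list the fields the settings file may contain and
// --- sanitize each one; unknown keys are dropped.
function dpd_sanitize_settings( array $settings ) {
    $allowed = array(
        'rule_name'      => 'sanitize_text_field',
        'discount_label' => 'sanitize_text_field',
        'discount_value' => 'floatval',
        'banner_html'    => 'wp_kses_post', // limited HTML; no <script>, no <meta>
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $settings[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $settings[ $key ] );
        }
    }
    return $clean;
}

function dpd_import_settings() {
    // 1. Capability check: only site administrators may import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    // 2. Nonce check: rejects requests not issued by this site's own admin
    //    page (CSRF); on failure it terminates the request.
    check_ajax_referer( 'dpd_import_settings', 'nonce' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }
    // 3. Sanitize before anything can reach a product page.
    update_option( 'dpd_settings', dpd_sanitize_settings( $settings ) );
    wp_send_json_success();
}
// Registered only for logged-in users: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_dpd_import', 'dpd_import_settings' );

// The admin page that submits the import form issues the matching nonce:
// wp_nonce_field( 'dpd_import_settings', 'nonce' );
```

Note that `current_user_can()` alone does not stop CSRF (a logged-in administrator’s browser can be made to send the request), which is why the nonce check is needed as well.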

The possible consequences

JavaScript code can be used to perform all kinds of malicious activity, from stealing cookies to spreading malware. In this case it’s also possible to replace the JavaScript code with HTML tags, such as a Meta Refresh tag that could be used to redirect visitors to a malicious website for instance.

Because the code injected via the settings import into WooCommerce Dynamic Pricing and Discounts is run on every product page of a WooCommerce shop, it looks like an ideal vulnerability for credit card skimmers (malicious code that reads your credit card details when they are entered into the checkout form).

As we reported last year, WooCommerce is increasingly being targeted by criminals, because of its large market share. We asked Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, and an avid follower of skimmers, how groups that use them would react to vulnerabilities like these.

“Two common mistakes website owners often make are to leave their Content Management System (CMS) unpatched and to believe they are not an interesting target. In many cases, users may choose not to apply security updates as they fear that it may introduce bugs or even break a website from loading properly. While this is true, it creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.

Magento, WooCommerce and several other CMSes are constantly being abused for a number of reasons. If your website does e-commerce, it becomes even more interesting as threat actors can not only target you but also your customers and their financial data in attacks such as Magecart.

Applying updates promptly is a necessity, and if for one reason or another it’s not possible, other solutions such as Web Application Firewalls exist to block known and unknown automated attacks.”

Mitigation

When using a CMS, and especially a popular one, you will have to keep an eye out for updates—for both the CMS itself and any plugins you have installed. Speed is important. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.

To do your online shopping safely it is advisable to take as many precautions as possible. There are browsers and browser configurations that will help protect you from falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.

Stay safe, everyone!

The post Vulnerable WordPress plugin leaves online shoppers vulnerable appeared first on Malwarebytes Labs.

WhatsApp hit with €225 million fine for GDPR violations

WhatsApp was hit with a €225 million fine for violating the General Data Protection Regulation (GDPR), the European Union’s sweeping data protection law that has been in effect for more than three years.

The fine represents the highest ever penalty levied by the Irish Data Protection Commission, which serves as the primary data protection authority for WhatsApp and the messaging app company’s parent Facebook, which has its EU headquarters in Ireland. It is also the second-highest penalty ever issued for GDPR violations. The higher one, imposed on Amazon by Luxembourg’s National Commission for Data Protection, was a massive $886 million.

WhatsApp said it disagreed with the Irish Data Protection Commission’s (DPC) findings, which were based on an investigation, begun in December 2018, into whether WhatsApp failed to transparently tell both users and non-users how their data was handled.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” WhatsApp said in response to the penalty. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

Interestingly, the Irish DPC said that, when it shared its findings with other EU member-states’ own data regulators, eight of those regulators disagreed. During a follow-on dispute resolution process, the Irish DPC was told that it should actually increase its initial penalty amount.

Max Schrems, the legal activist who has proven himself to possibly be the largest thorn in Facebook’s side, welcomed the Irish DPC’s decision, but warned about the likely prolonged legal battle ahead, as WhatsApp will probably fight the penalty in court.

“In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork,” Schrems wrote. “I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”

The Irish DPC said its investigation into WhatsApp began after it received several complaints from users and non-users after the passage of GDPR. In its final decision, the Irish DPC said it found that WhatsApp had failed to comply with several components of Articles 12, 13, and 14 of GDPR, which relate to how a company transparently tells its users and non-users about how their data is handled. In particular, the Irish DPC investigated whether WhatsApp was transparent about how it shared personal data with its parent company Facebook, and it slammed WhatsApp for keeping information either vague or behind too many separate FAQ and privacy policy pages.

“[T]he information that has been provided, regarding WhatsApp’s relationship with the Facebook Companies and the data sharing that occurs in the context of that relationship, is spread out across a wide range of texts and a significant amount of the information provided is so high level as to be meaningless,” the Irish DPC said. In a similar set of findings regarding WhatsApp’s data-sharing relationship with Facebook, the Irish DPC said “it is unsatisfactory that the user has to access information as to the identity of the Facebook Companies on Facebook’s website and for the information to be broken up over three or four different ‘articles’ that each link back to one another in a circular fashion. There is no reason why this information could not be hosted, in a concise piece of text, on WhatsApp’s website.”

Though WhatsApp disagreed with the Irish DPC’s findings overall, the data regulator’s claims of lacking transparency are not, by any means, new allegations. Just this year, WhatsApp walked itself into a firestorm when it scared users into thinking that their accounts would be deactivated if they refused to agree to a new privacy policy. The problem? It was two-fold, actually—user accounts would not be deactivated (they’d simply be egregiously stymied) and most of the privacy policy changes that users were upset about had actually already been put into place.

WhatsApp eventually walked back its threat to disable key features for users who refused to accept the new privacy policy—which it messaged as not-a-deactivation—but a great deal of damage had already been done. Users had already flocked to competitors in January, and there has been little indication that they’ve returned.  

The post WhatsApp hit with €225 million fine for GDPR violations appeared first on Malwarebytes Labs.

BrakTooth Bluetooth vulnerabilities, crash all the devices!

Security researchers have revealed details about a set of 16 vulnerabilities that impact the Bluetooth software stack that ships with System-on-Chip (SoC) boards from several popular vendors. The same group of researchers disclosed the SweynTooth vulnerabilities in February 2020. They decided to dub this set of vulnerabilities BrakTooth.

BrakTooth affects major SoC providers such as Intel, Qualcomm, Texas Instruments, Infineon (Cypress), Silicon Labs and others. Vulnerable chips are used by Microsoft Surface laptops, Dell desktops, and several Qualcomm-based smartphone models.

The researchers say they examined the Bluetooth software libraries for only 13 SoC boards from 11 vendors. Looking further, however, they found that the same Bluetooth firmware was most likely used inside more than 1,400 chipsets, used as the base for a wide range of devices, such as laptops, smartphones, industrial equipment, and many types of smart “Internet of Things” devices.

It needs to be said that the impact is not the same for every type of device. Some can be crashed by sending specially crafted Bluetooth Link Manager Protocol (LMP) packets, the protocol Bluetooth uses to set up and configure links to other devices, and can be cured with a simple restart. Others allow a remote attacker to run malicious code on vulnerable devices via LMP packets.

Researchers believe the number of affected devices could be in the billions.

All the vulnerabilities

Full technical details and explanations for all 16 vulnerabilities can be found on the dedicated BrakTooth website where they are numbered V1 – V16 along with the associated CVEs. The researchers claim that all 11 vendors were notified about these security issues months ago (more than 90 days), well before they published their findings.

Espressif, Infineon, and Bluetrum have released patches. Despite having received the necessary information, the other vendors acknowledged the researchers’ findings but could not confirm a definite release date for a security patch, citing internal investigations into how each of the BrakTooth bugs impacted their software stacks and product portfolios. Texas Instruments said it would not be addressing the flaws impacting its chipsets.

CVE-2021-28139

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most serious vulnerability in BrakTooth has been listed under CVE-2021-28139, which allows attackers in radio range to trigger arbitrary code execution with a specially crafted payload.

While CVE-2021-28139 was tested and found to affect smart devices and industrial equipment built on Espressif Systems’ ESP32 SoC boards, the issue may impact many of the other 1,400 commercial products that are likely to have reused the same Bluetooth software stack.

Mitigation

The researchers emphasize the lack of basic tests in Bluetooth certification to validate the security of Bluetooth Low Energy (BLE) devices. The BrakTooth family of vulnerabilities revisits and reasserts this issue in the case of the older but still heavily used Bluetooth Classic (BR/EDR) protocol implementations.

The advice to install patches and query your vendor about patches that are not (yet) available will not come as a surprise. We would also advise users to disable Bluetooth on devices that do not need it. This way you can prevent attackers from sending you malformed LMP packets. Since BrakTooth is based on the Bluetooth Classic protocol, an adversary would have to be in the radio range of the target to execute the attacks. So, in a safe environment Bluetooth can be enabled.

Stay safe, everyone!

The post BrakTooth Bluetooth vulnerabilities, crash all the devices! appeared first on Malwarebytes Labs.

Macs turn on apps signed by Symantec, treat them as malware

On August 23, following an update to Apple’s XProtect system—one of the security features built into macOS—some Mac users began to see security alerts about some of their apps, claiming that they “will damage your computer,” and offering users the option to “report malware to Apple.” This has led to much confusion online, and to an influx of requests in our support system asking about this malware. The most common so far has been from an app named ReceiverHelper.

Screenshot: an Apple XProtect alert about ReceiverHelper, reading “ReceiverHelper” will damage your computer. Report malware to Apple to protect other users.

Is ReceiverHelper malware?

If you’re one of the affected folks, the good news is that this isn’t malicious at all. It is a component of Citrix, which is legitimate software made by the company of the same name. Not all Citrix software is being flagged as malicious, fortunately. Only some older versions of the software are causing problems.

Of course, if you thought that this was malware, we’d have to forgive you. Not only is macOS apparently saying that it is, but the name is highly suspicious. There has been a fair bit of Mac adware going around lately with odd two-word names, like StandardBoost or ActivityInput. All of these adware names are pretty generic, revealing nothing about what they’re actually supposed to be doing. Unfortunately, the name “ReceiverHelper” fits right in.

ReceiverHelper is not alone. There are a few other apps acting up. Among them are two other Citrix apps, ServiceRecords and AuthManager_Mac. (It’s almost like Citrix is trying to make its apps sound shady!) Other companies are also seeing an impact on older apps, such as AnyConnect’s vpnagentd.

What’s causing the warnings?

As was the case with a similar issue affecting HP printers last year, it’s all about code signing. What is code signing, you ask? In short, it’s a cryptographic way to validate that an app has not been tampered with. If an app is signed by the company that created it then you can be sure you’re using an unadulterated version of the software. Code signing is a really important security feature, and all apps really ought to be signed. If they’re not, they can’t be considered 100% safe. (For a primer in code signatures and certificates, see our previous coverage of the HP incident.)

In simple terms, code signing relies on a chain of trust: Signing is performed using a secret key. An organization proves its ownership of that secret key using a digital certificate, and that certificate’s authenticity is vouched for by a certificate authority (CA).

In the HP incident, HP revoked the certificate it used to sign a lot of its printer software. The HP software on people’s Macs didn’t change but the chain of trust that vouched for it was broken, so it began to trigger alerts as if it was malware.

This time around the chain of trust has been broken again, but the problem isn’t the certificates, it’s the CA that vouches for the certificates.

A CA is a trusted organization that issues certificates. In the case of Mac apps, you’re really supposed to get your certificates directly from Apple. However, not everyone does, and some companies will use certificates obtained from third parties to sign their apps.

Citrix did exactly this, and the decision has come back to haunt them. It turns out they made a really poor choice of CA to obtain their certificate from: Symantec.

What’s wrong with Symantec?

A few years ago, Symantec offered CA services. However, Symantec’s CA played a bit fast and loose with the rules, which is never good for a CA. An important part of being a certificate authority is trust, and Symantec made some big mistakes as a CA. Those mistakes led to an investigation, and what was found was highly concerning.

As a result, it was widely agreed that trust for Symantec certificates should be gradually phased out. The slow process of distrusting Symantec certificates began in 2018.

On August 23, 2021, Apple pushed out an update for XProtect that, among other things, rejects any code signed with certificates issued by Symantec. The Gatekeeper process in macOS will reject any apps signed with such a certificate, showing the infamous “will damage your computer” message.

For those technically inclined and in possession of one of the affected apps, you can verify this yourself with the codesign and spctl commands in the Terminal:

% codesign --verify --verbose /usr/local/libexec/ReceiverHelper.app
/usr/local/libexec/ReceiverHelper.app: valid on disk
/usr/local/libexec/ReceiverHelper.app: satisfies its Designated Requirement

% spctl -a /usr/local/libexec/ReceiverHelper.app
/usr/local/libexec/ReceiverHelper.app: rejected

The codesign command shows that the code signature is still valid—meaning that the app hasn’t been tampered with and the certificate hasn’t been revoked. However, the spctl command, which checks the file with Gatekeeper, shows that it is rejected, and thus will not be allowed to run.

How do I fix these issues?

The best fix is to simply remove or update the affected software. Unfortunately, we can’t help you with that. We’re good at removing malware here at Malwarebytes, but that’s not what this is. You’ll need to find out from the vendor of the affected software how to remove or replace it. For Citrix software, we recommend contacting Citrix support. (Unfortunately, we’ve gotten some reports that Citrix support is turning folks away if they don’t have active accounts, so you may need to be persistent.)

We do know that the affected Citrix apps (that we know about) are located at the following path:

/usr/local/libexec/

Why there? Excellent question… I have no idea. It’s not the right place for these things on macOS. Deleting ReceiverHelper, ServiceRecords, and AuthManager_Mac from this location may solve your problem. It also may cause other problems, as that wouldn’t be a complete uninstallation. You do this at your own risk and we suggest that you treat it as a method of last resort.

Avoid scams!

Unfortunately, if you type something like “remove ReceiverHelper” into Google right now, you’re going to get a bunch of scam sites in the results. These sites purport to help you remove the software, but in reality the instructions are automatically generated. The goal of these sites is to rank high on search results, call whatever the user was searching for malware (ReceiverHelper, et al, in this case), then promote some junk software to folks who visit and find they’re having trouble with the (nonsensical) instructions.

When you’re having a problem like this, Google and other search engines can be your worst enemy. Instead, consider asking on the Malwarebytes forums, Apple’s forums, or similar places, to get better advice.

The post Macs turn on apps signed by Symantec, treat them as malware appeared first on Malwarebytes Labs.