IT News

Microsoft, CISA and NSA offer security tools and advice, but will you take it?

Microsoft offers to help you with patching Exchange servers, CISA offers an insider threat tool, and together with the NSA they offer advice on how to choose and harden your VPN.

These initiatives from major parties aim to help organizations assess and manage their security needs. But will they make an impact with their intended audience?

Microsoft Exchange Emergency Mitigation service

Microsoft will tomorrow roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years.

In the September 2021 Cumulative Update (CU), Microsoft has added a new feature called the Microsoft Exchange Emergency Mitigation (EM) service. This service is not intended to be a replacement for installing Exchange Server Security Updates (SUs), but as a quick and effortless way to mitigate the latest threats against internet-connected, on-premises Exchange servers.

The basic idea is that once Microsoft detects a new attack being used in the wild, it will push out temporary mitigations to all Exchange servers around the world that are running the EM services. And that’ll happen even before they start working on a software patch to thwart the vulnerability. EM runs as a Windows service on Exchange Server, but if an organization doesn’t want to use EM, an admin can disable the service.

Microsoft introduced the EM service after it learned that many of its customers weren’t ready to install SUs because they were not running a supported CU.

CISA Insider Risk Mitigation Self-Assessment tool

The Cybersecurity and Infrastructure Security Agency (CISA) released an Insider Risk Mitigation Self-Assessment Tool, which assists public and private sector organizations in assessing their vulnerability to insider threats.

Insider threats are a serious risk to any organization because of the institutional knowledge and trust placed in the hands of the perpetrator. Insider threats can come from current or former employees, contractors, suppliers, or others with inside knowledge. The tool is designed to raise awareness and help measure the level of risk, and users receive feedback based on their answers to a series of questions.

[Image: example question from the CISA Insider Risk Mitigation Self-Assessment Tool]

CISA urges all its partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats. It states that making some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future.

NSA and CISA advise on VPNs

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise.

Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.

NSA is releasing the VPN guidance as part of its mission to help secure the Department of Defense, National Security Systems, and the Defense Industrial Base. Basically the advice comes down to selecting a secure, standards-based VPN and hardening its attack surface.

You may say “duh”, but organizations running National Security Systems are required to use the algorithms in the NSA-approved Commercial National Security Algorithm (CNSA) suite, and government systems are required to use the algorithms specified by the National Institute of Standards and Technology (NIST), which include the algorithms approved to protect NSS.

What is the main problem?

At Malwarebytes Labs, we’ve reported on many vulnerable VPNs and networking devices that have patchable vulnerabilities. The same is true for Microsoft Exchange vulnerabilities. We’ve also written about the importance of recognizing the danger of insider threats.

But one thing we have learned over the years is that education and raising awareness help, but they are not picked up by everyone. Knowing that a problem exists and that a patch is available is an important step. But it is useless without the logical next step: patching. Unfortunately, patching cycles are troubled by a few main factors:

  • People not knowing a patch was available or even that the problem existed
  • Fear that something might stop working, so the patch needs to be tested first, and all that takes too much time
  • No patch being available because the product has reached end-of-life (EOL)
  • Not enough staff to keep up with the necessary patching
  • Remote and hybrid workforces make patch management more complicated

As a result, critical patches are delayed, often leaving a window of opportunity for attackers between reverse-engineering the patch and the moment the patch is widely applied. What that means for all the help provided is that those who need it the most will probably not use it, unless they are compelled to do so.

Microsoft Exchange users that did not have the necessary CUs are unlikely to install the EM service.

Small and medium businesses with limited resources will probably lack the time and staff to use the insider risk mitigation self-assessment tool.

Choosing and hardening an approved VPN may be useful for new customers, but those that already have a working system in place are often content to leave it as is, for all the reasons listed above.

Risks involved in remote mitigation

While some experts applaud the effort by Microsoft to offer a service that can be used as kind of a first aid kit for Exchange, since it can mitigate risks before a patch is available, others see some dark clouds on that horizon.

“Automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches.” In many a system administrator’s mind, this will translate to “Microsoft making changes on my server that I know nothing about.” Will we be able to find the source if these changes cause problems?

Having a first aid kit can give users a false sense of security. But you should still apply that patch as soon as it is made available and not rely on the band aid to hold.

Supply chain attacks have become a big thing and taking over the EM service sounds like an attacker’s dream come true. Imagine having the tool in hand to disable security on every Exchange server running that service. This has to be one of the most secure services in Microsoft’s history to avoid that scenario.

Stay safe, everyone!

The post Microsoft, CISA and NSA offer security tools and advice, but will you take it? appeared first on Malwarebytes Labs.

Vaccine passport app leaks users’ personal data

Security and privacy advocates may have cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have been exposing the personal data of its users for an unknown length of time.

On Monday, Canadian Broadcasting Corporation (CBC) received a tip that “the user profiles on the app’s website could be accessed by members of the public.”

CBC won’t say how or where the data was found but does say it was unencrypted and could be viewed in plain text.

The data it found included email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports.

[Image: some of the data found online (Source: CBC)]

Portpass has a registered user base of 650,000 across Canada. CBC says that Portpass CEO Zakir Hussein denied the app had security issues and “accused those who raised concerns about it of breaking the law.”

CBC said Hussein repeatedly claimed the breach only lasted for minutes, even when CBC pointed out to him that it was able to view the data for more than an hour. It’s unclear how long the data was exposed to the public.

“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” said Hussein, who seemed generally unsure of what to say. He was quoted as saying, “There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

Portpass is easy to manipulate

Days before Portpass was notified of the breach, web developer Conrad Yeung tried Portpass out of curiosity. He said he quickly found an issue when he tried to upload not his photo ID but a photo of a random mayoral candidate in Calgary, Canada “just to see if the app would let me”.

Sure enough, Portpass allowed the upload. “It let me upload a random photo for my driver’s licence,” Yeung said.

He was able to create a fake vaccination record using an actor’s name, and Portpass verified this record to be legitimate.

Looking deeper, Yeung found that the website didn’t appear to validate security certificates, with a backend that the public can access. He also found discrepancies in Portpass’s marketing statements from what he was seeing. For example, the app claimed that it uses artificial intelligence (AI) and blockchain to verify records and keep them safe. However, Yeung said he didn’t see any traces of these at the site’s backend.

What worried Yeung more, he said, was that companies endorse the use of apps like Portpass without exercising due diligence. “You have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues,” he said.

There is hesitancy in using vaccine passports

Vaccine passports—sometimes called COVID passports—are mobile apps that have been created to confirm the phone owner has received their COVID-19 vaccine. This, of course, opens doors for them to attend public events and visit other countries. While many think that this could lead to social problems like discrimination, there are also security and privacy risks, such as getting one’s data exposed. Such apps must be secure by design.

In the US, there is no government mandate on whether one should be using a vaccine app or not. But many private companies and airlines have started encouraging people to use these apps.

However, many users, especially in the US, have expressed concerns over the security of their health data when using such third-party apps. According to a survey conducted by cybersecurity firm Panda Security, 56 percent of Americans do not trust vaccine passports. Those concerned question what type of information these apps would likely collect from them.

“Based on our survey results, we can clearly see the hesitancy many Americans have to make those records accessible to private companies, airlines and other corporations,” the report says.

I’m one of those afraid of using apps. What should I do?

Hold on to your vaccine cards and keep them safe all the time. Right now, this is your only true proof to let establishments know of your vaccine status. Don’t bring them with you every time you go out, as you would a credit card, especially when there is no need to verify your status.

A paper pass may not be the coolest thing to whip out, as it’s not on your phone, but unless the government has endorsed an app everyone can use, you might want to rethink your plans of trying one out.

Stay safe!

The post Vaccine passport app leaks users’ personal data appeared first on Malwarebytes Labs.

Instagram Kids put on hold

Instagram has announced it is pausing the development of its newest brainchild, Instagram Kids—a version of Instagram aimed at 10-12-year-olds, or “tweens”.

Adam Mosseri, who heads up Instagram, wrote in a blog post about the idea behind Instagram Kids:

“We started this project to address an important problem seen across our industry: kids are getting phones younger and younger, misrepresenting their age, and downloading apps that are meant for those 13 or older.”

“We firmly believe that it’s better for parents to have the option to give their children access to a version of Instagram that is designed for them—where parents can supervise and control their experience—than relying on an app’s ability to verify the age of kids who are too young to have an ID.”

Mosseri also made a similar announcement, via video, on Instagram and Twitter.

Since the revelation of the kid version of Instagram in March 2021, parents, privacy advocates, and US lawmakers have been up in arms against the purported kid-friendly app. The Guardian even called it “the social media site no one asked for,” and one might think they have a point there.

The decision to freeze the development of Instagram Kids came after the Wall Street Journal’s exposé regarding an internal survey within Facebook about the harmful effects of Instagram on its teen users.

While many would prefer for Instagram Kids to be scrapped entirely, Mosseri has made it clear that the project will be moving forward at some point in the future. He stresses that this kid-friendly version “was never meant for younger kids, but for tweens (aged 10-12)”, and promised parental permission would be a requirement to join. The social network will also show no ads, and only kid-friendly content will be present on the platform.

Mosseri said that while the project is put on hold the company will continue to focus on building parental supervision tools and teen safety.

Mosseri said Instagram isn’t the first company to offer a “kid” version of its app—Facebook Messenger, YouTube, and TikTok have these, too.

However, let us not forget that some content or users could still end up in places that we’re led to believe are walled gardens. Take, for example, some videos in YouTube Kids. In one incident, a mother was able to spot a section of a cartoon on YT Kids wherein a man is instructing the viewer on how to properly slit their wrists. It turns out that this section of the video had been spliced inside a cartoon, which is pretty easy to miss unless you watch the full clip.

Indeed, this is worse than those knock-off, disturbing Peppa Pig videos.

This is a stark reminder of potentially serious problems that Instagram—and Facebook—should be expecting while they build the app. It’s good that the company says it is going to take the time to make Instagram Kids as safe a place as it can be.

The post Instagram Kids put on hold appeared first on Malwarebytes Labs.

Phone screenshots accidentally leaked online by stalkerware-type company

pcTattleTale hasn’t been very careful about securing the screenshots it sneakily takes from its victims’ phones.

pcTattleTale markets itself as “employee and child monitoring software” that is undetectable by the device user, but it can also be used to spy on spouses and partners. It allows its clients to view real-time screenshots of phones of people they’re monitoring by visiting a certain URL.

The website proudly boasts:

pcTattletale is the only solution that makes “YouTube” like videos of their every tap or click. Just watch the recordings from your phone or computer using your secure pcTattletale account as they live their secret online lives.

Unfortunately, everyone else can view the images, too, if they know where to look.

According to Jo Coscia, the security researcher who discovered the issue while using a trial version of pcTattleTale, the company uploads the screenshots to an unsecured AWS bucket.

This means that anyone can view what’s inside the bucket as it doesn’t require any form of authentication—such as a user name and password.

Motherboard breaks down how anyone can access these screenshots:

The URL for images that pcTattleTale captures is constructed with the device ID—a code given by pcTattleTale to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker may be able to churn through different URL combinations to discover images uploaded by other infected devices.

This is, essentially, brute forcing the discovery of new devices and images linked to them. The lack of authentication makes it possible for a threat actor, or anyone who can write up a simple script really, to be able to get most if not all images from the AWS bucket.

In pcTattleTale’s promotional emails, Coscia notes, the company says it will delete users’ data after the trial period expires. However, screenshots that Coscia’s software took were still accessible after the trial period had ended.

Not only that, pcTattleTale clients who have already deleted their accounts, can still access the screenshots their app took of their victim’s phones, according to Android malware researcher Lukas Stefanko.

Bryan Fleming, owner of pcTattleTale, claims that it does delete data. In an interview with Motherboard, Fleming said: “Yes it does delete the data. I keep it there a little longer. A lot of people accidentally delete their devices and let the trial expire…Then of course they need the screen shots back.”

The stalkerware market is good. How about your relationship?

Companies that market stalkerware-type products and/or services unfortunately have track records of poor security practices. Take a look: the trainwreck is real.

pcTattleTale is one of those companies that explicitly and clearly tells potential users that, by using its software, they will be violating someone’s privacy, essentially putting the onus on users to operate at their own risk.

And, still, the market continues to thrive.

“The market’s good, you know,” Fleming says in the Motherboard piece.

Given that online stalking and stalkerware are largely accepted by Americans, we’d say that current attitudes about online stalking and stalkerware in general will remain unchanged. This is one reason why Malwarebytes continues to raise awareness about invasive monitoring apps, and (if you have kids under your care) promotes open and healthy communication between parties.

The post Phone screenshots accidentally leaked online by stalkerware-type company appeared first on Malwarebytes Labs.

FoggyWeb, analysis of a Nobelium backdoor

Microsoft’s Threat Intelligence Center has been analyzing a custom-built backdoor that has been used by the Nobelium group since April 2021.

Nobelium is the name given to the threat actor behind the attacks against SolarWinds, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other related components.

The backdoor, which aims to steal the configuration database of a server, has been dubbed FoggyWeb by Microsoft.

Attack surface

As we’ve seen in previous cases, Nobelium uses various methods to steal credentials with the objective of gaining administrator level access to Active Directory Federation Services (AD FS) servers. Once this level of access has been accomplished, FoggyWeb is one of the tools that allows the attackers to gain persistence and deploy further malware.

FoggyWeb is a very targeted backdoor that is capable of exfiltrating information from an affected Active Directory Federation Services (AD FS) server. To establish persistence and enable further compromise it drops two files on the server. That action requires administrator privileges in the first place, so this backdoor builds on an earlier established compromise or stolen credentials.

DLL search order hijacking method

One of the two files that are initially dropped uses the DLL search order hijacking technique to gain persistence. All Windows systems use the same search order to locate the dynamic-link libraries (DLLs) a program needs to load. The first two locations in an environment that uses SafeDllSearchMode are:

  • The directory from which the application loaded
  • The system directory

So, the file %WinDir%\ADFS\version.dll is dropped in the ADFS directory to make sure it gets loaded before the legitimate version.dll located in %WinDir%\System32.

To avoid any error messages, the backdoor version.dll behaves as a proxy for all legitimate version.dll export function calls. It exports the same 17 function names as the legitimate version of version.dll.

What it actually does is the same for all 17 functions:

  • Calling a function that loads a backdoor file from the file system, and then decrypting and executing the file in memory
  • Transferring execution to the initially called target function from the legitimate version of version.dll

Basically, it adds one extra step to the original execution process, which is designed to run the second file that was dropped on the affected server: C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri. This file is the encrypted backdoor that gets decrypted and executed by the malicious version.dll.

When loaded, this acts as the actual backdoor. It starts an HTTP listener that listens for specific HTTP GET and POST requests. In this way it can be used to communicate with a C2 server and to retrieve the token-signing certificate of the compromised AD FS server and other files and information. For a much more detailed analysis of the decrypted backdoor we advise reading the full Microsoft blog.

Mitigation and detection

Microsoft provided some advice to server administrators that could help harden and secure AD FS deployments:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system
  • Reduce local Administrators’ group membership on all AD FS servers
  • Require all cloud admins to use multi-factor authentication (MFA)
  • Ensure minimal administration capability via agents
  • Limit on-network access via host firewall
  • Ensure AD FS Admins use Admin Workstations to protect their credentials. Secure admin workstations are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks
  • Place AD FS server computer objects in a top-level Organizational Unit (OU) that doesn’t also host other servers
  • Ensure that all Group Policy Objects (GPOs) that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification
  • Ensure that the installed certificates are protected against theft. This is one of the targets the backdoor is after
  • Set logging to the highest level and send the AD FS and security logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar)
  • Remove unnecessary protocols and Windows features
  • Use a long (>25 characters) and complex password for the AD FS service account
  • Update to the latest AD FS version for security and logging improvements (as always, test first)
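The search-order shadowing described above can be hunted for directly on the server. The following PowerShell script is an added example (not Microsoft’s or Malwarebytes’ code): it lists every DLL in the AD FS directory that shares a name with a System32 DLL and flags copies that are unsigned, not Microsoft-signed, or different in content from the System32 copy. The %WinDir%\ADFS location is taken from the article; comparing file names against System32 is this script’s own assumed way of spotting the pattern.

```powershell
# Hunt for DLL search-order hijacking in the AD FS application directory.
# Added example, not code from Microsoft or Malwarebytes. The %WinDir%\ADFS
# location comes from the article; comparing names against System32 is this
# script's own (assumed) way of spotting a shadowing DLL such as version.dll.
function Find-ShadowedSystemDll {
    param(
        [string]$AppDir    = (Join-Path $env:WinDir 'ADFS'),
        [string]$SystemDir = (Join-Path $env:WinDir 'System32')
    )

    $findings = @()

    foreach ($suspect in Get-ChildItem -Path $AppDir -Filter '*.dll' -File) {
        $systemCopy = Join-Path $SystemDir $suspect.Name

        # Only a DLL that shares its name with a System32 DLL can shadow it
        # under the default search order; anything else is out of scope here.
        if (-not (Test-Path -LiteralPath $systemCopy)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $suspect.FullName
        $hash    = (Get-FileHash -LiteralPath $suspect.FullName -Algorithm SHA256).Hash
        $sysHash = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash

        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "Authenticode status is '$($sig.Status)'"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signed by '$($sig.SignerCertificate.Subject)', not Microsoft"
        }
        if ($hash -ne $sysHash) {
            # A legitimately redistributed copy can differ too, so this is a
            # weaker signal than the signature check; report it for triage.
            $reasons += 'content differs from the System32 copy'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                File       = $suspect.FullName
                Shadows    = $systemCopy
                SHA256     = $hash
                CreatedUtc = $suspect.CreationTimeUtc
                Reasons    = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

$results = @(Find-ShadowedSystemDll)
if ($results.Count -eq 0) {
    Write-Output 'No System32-shadowing DLLs found in the AD FS directory.'
} else {
    $results | Format-List
}
```

Run it elevated on the AD FS server; a hit on version.dll in the AD FS directory matches the pattern the article describes and warrants pulling the file for analysis and checking for the second dropped file under SystemResources.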

IOCs

Please read the Microsoft blog for a full list of IOCs.

Stay safe, everyone!

The post FoggyWeb, analysis of a Nobelium backdoor appeared first on Malwarebytes Labs.

A week in security (Sept 20 – Sept 26)

Last week on Malwarebytes Labs

Other cybersecurity news

  • UK ministry of defence apologises – again – after another major email blunder in Afghanistan (Source: The Register)
  • Database containing personal info of 106 million international visitors to Thailand exposed online (Source: Comparitech)
  • Fake WhatsApp backup message delivers malware to Spanish speakers’ devices (Source: The Daily Swig)
  • Mobile phones of 5 French cabinet ministers infected by Pegasus malware (Source: France 24)
  • Ransomware dropping malware swaps phishing for sneaky new attack route (Source: ZDNet)
  • Phishing attacks more sophisticated, malicious emails timed to coincide with periods of low energy and inattentiveness (Source: CPO magazine)
  • Keeping your data secure at work (Source: Minute Hack)

Stay safe, everyone!

The post A week in security (Sept 20 – Sept 26) appeared first on Malwarebytes Labs.

Teaching cybersecurity skills to special needs children with Alana Robinson: Lock and Code S02E18

School is fully back in session for kids all across the world, and for many students, that means logging back online to learn, do homework, submit assignments, and maybe even continue some distance learning, depending on their school’s pandemic precautions.

But with more Internet activity comes likely more stress for families who, understandably, worry about how to keep their children safe online. Thankfully, there are countless guides for children’s Internet safety—not to mention Malwarebytes Labs’ own comprehensive guide—but many of those guides, through no malicious intent, assume a similar skill level for all children.

But what about children with special needs?

How do you teach strong password creation for children with learning disabilities? How do you teach children how to separate fact from fiction when they have a different grasp of social cues? And how do you make sure these lessons are not only remembered for years to come, but also rewarding for the children themselves?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Alana Robinson, a special education technology and computer science teacher for K – 8, about cybersecurity trainings for children with special needs, and about how, for some lessons, her students are better at remembering the rules of online safety than some adults.

“I teach 100 students, 10 classes, [and] I used not a very strong password for every student in this one class … and I said ‘By the way, everyone has this [password],’ and they’re like, when I said everyone has this same password, they’re like ‘Oh no no! That’s not a strong password, oooh’ and they literally let me have it.”

Alana Robinson

Tune in to hear all this and more on this week’s Lock and Code podcast, by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Teaching cybersecurity skills to special needs children with Alana Robinson: Lock and Code S02E18 appeared first on Malwarebytes Labs.

Malwarebytes research shows an unequal, unsafe Internet

If the Internet was as safe and as private as it is essential for everyday life—increasingly required for job applications, bank transfers, doctor’s appointments, and filing taxes—then we’d likely have fewer online scams, better privacy protections, smaller data breaches, and a lower overall risk of individual cybercrimes that can wreak havoc on a person’s life.

Importantly, if the Internet were to achieve such a promise, then everyone, no matter their gender, race, income level, education, or age, could feel as safe and as private online as they deserve.

But according to the latest research by Malwarebytes, this is far from the case. Not only do a large number of people feel neither safe nor private on the Internet, but many groups, including women, teenagers, and those who are Black, Indigenous, or People of Color (BIPOC), feel less private and safe than their counterparts. Some of these populations said they suffered more frequent cyberattacks, more recent cyberattacks, and were more substantially stressed by the cyberattacks themselves.

In comparison, those who felt safer and sometimes more private online had higher incomes, higher levels of education, and higher familiarity with cybersecurity tools, such as antivirus products, VPNs, and password managers.

These are the latest findings in our “Demographics of Cybercrime” report, presented in partnership with Digitunity, a nationally recognized non-profit dedicated to eliminating the technology gap, and Cybercrime Support Network, whose non-profit mission is to serve individuals and small businesses impacted by cybercrime throughout the country.

In our report, we discovered that a collection of discrepancies—higher rates of social media hacking against younger generations, higher rates of identity theft against BIPOC consumers, lower rates of cybersecurity familiarity by women—coalesced into one, unfortunate truth: The Internet is not equal for everyone online, and because of it, not everyone trusts the Internet the same way.

A full 50 percent of all respondents said they do not feel private online, and 31 percent do not feel safe online. Women feel the least private (53 percent compared to 47 percent of men) and the least safe (35 percent compared to 27 percent of men), while teenagers do not feel particularly private and BIPOC respondents do not feel very safe.

These feelings could sometimes be traced to the data itself. Women were twice as likely as men to say their identity was stolen because of earlier, physical theft of their wallet or purse. Teenagers were, perhaps understandably, twice as likely as those aged 65 and up to have their social media accounts hacked. And BIPOC consumers were the least likely of all groups to avoid any financial damage due to a cybercrime attack. Making matters worse, when BIPOC consumers did lose money, they lost more money on average than White consumers ($1,709 compared to $1,578).

In trying to better understand why these communities felt differently about the Internet, we also looked to external data on real-life experiences. We know that women are more likely to be targets of non-consensual pornography (sometimes called “revenge porn”) and cyberstalking; that those in BIPOC communities—including Asian Americans, Black people, and Hispanics—suffer increased rates of online harassment; and that younger generations, surrounded by constant privacy scandals affecting the most popular social media platforms, likely never remember a day in which the Internet was ever “private.”

The good news is that we can collectively improve the Internet experiences of everyone.

In our research, we found a clear trend between cybersecurity familiarity and feelings of safety online. As familiarity increased, so, too, did feelings of safety. But for the single tool that can most likely help consumers handle online threats like malware and malicious websites, antivirus protection, respondents showed a concerning lack of comfort. A full 21 percent of respondents, a little more than one in five, were neither “familiar” nor “very familiar” with antivirus tools, and just 67 percent of all respondents said they used antivirus products themselves. Those trends are even worse for women, teenagers, and BIPOC individuals.

Clearly, the cybersecurity community can help. We have the tools and the expertise. With the findings from our report, we also have the knowledge that not every community is comfortable enough with our products to use them. It is on us to increase awareness and to build and deliver products that are accessible to every population.

The Internet can be a better place. It’s up to us to help make that happen.

Read the full report here.

The post Malwarebytes research shows an unequal, unsafe Internet appeared first on Malwarebytes Labs.

Parents and teachers believe digital surveillance of kids outweighs risks

Schools in the US have been using surveillance software to keep an eye on their students, and such software has grown significantly in popularity since the COVID-19 pandemic closed campuses nationwide. And this is fine, at least according to new research released by the Center for Democracy & Technology (CDT), as a majority of parents (62 percent) and teachers (66 percent) believe that the benefits of digital surveillance outweigh the risks.

Monitoring software in schools has a range of capabilities that allow school administrators and districts to remotely:

  • Block obscene material
  • Track student logins to applications, including school and non-school related apps
  • View the student’s screen in real-time
  • Block non-educational material (e.g. YouTube)
  • Close browser tabs
  • Take control of student input capability
  • Look at student browsing history
  • Open and close applications
  • Scan student conversations

Half of the students surveyed also said they are “very or somewhat comfortable with the use of monitoring software”.

This, however, doesn’t mean that parents, teachers, and even students aren’t worried at all. In fact, they worry that such surveillance could backfire.

Both groups report they are aware of the privacy implications of using surveillance tech and how it affects their behavior. Six in ten students agreed with the statement: “I do not share my true thoughts or ideas because I know what I do online is being monitored”. The CDT also noted that 80 percent of these students are “more careful about what I search online when I know what I do online is being monitored.”

The 7-page report further states: “While a potential goal of student activity monitoring software is to prohibit access to obscene materials, these findings raise questions about whether tracking students may cause them to hesitate before accessing important resources (related to mental health, for instance).”

“Additionally, parents and teachers also express privacy concerns around the use of these tools, which include concerns about disciplinary applications as well as potential impacts on LGBTQ+ students and other unintended consequences.”

[Chart] About half of parents and teachers agreed to statements about the negative effect of surveillance on students. (Source: The CDT)

Data from the survey suggests that student monitoring software is largely used in K-12 schools. Such software is used more on school-issued devices than on personal devices. There are cases wherein schools don’t reveal that they use such software, and for those who are transparent in this regard, it’s not made clear how the software is being used or how long the software is active.

In some cases, security flaws in this monitoring software have allowed schools and districts to access students’ cameras and microphones without their knowledge or consent.

Companies that sell surveillance software and services often claim that their software protects student safety and supports academic achievement. School administrators go to them because they believe that such companies could help them comply with Children’s Internet Protection Act (CIPA) standards. CIPA requires that schools have an Internet safety policy that “…includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors…”.

The CDT believes, however, that school administrators’ beliefs are misplaced.

Elizabeth Laird, who co-authored the CDT report, has expressed concern that such surveillance in schools could particularly impact youth of color and those in low-income households whose only way of getting and staying connected to the internet is by using school-issued devices. The more they are online using such devices outside of school, the more likely their activities are being monitored. The security and privacy that come with owning a personal device are things of luxury to them.

In a February 2020 article, the Electronic Frontier Foundation’s (EFF) Mona Wang and Gennie Gebhart wrote that “schools are experimenting with the very same surveillance technologies that totalitarian governments use to surveil and abuse the rights of their citizens everywhere: online, offline, and on their phones. What does that mean? We are surveilling our students as if they were dissidents under an authoritarian regime.”

“Schools refer to these technologies as ‘student safety’ measures, but this label doesn’t change the fact that these are surveillance technologies. Surveillance is surveillance is surveillance.”

To help bring the growing problem of school surveillance to light, the CDT—along with other organizations like the American Civil Liberties Union and the Center for Learner Equity (to name a few)—submitted a letter urging federal lawmakers to protect students’ rights to privacy, expression, and safety by amending CIPA to include a clarification clause stating that it does not require schools or districts to constantly, broadly, and invasively monitor students’ lives online.

“Systemic monitoring of online activity can reveal sensitive information about students’ personal lives, such as their sexual orientation, or cause a chilling effect on their free expression, political organizing, or discussion of sensitive issues such as mental health,” the letter states. “These harms likely fall disproportionately on already vulnerable, over-policed, and over-disciplined communities and may be exacerbated when monitoring occurs on devices and services used off-campus, including in students’ homes.”

The post Parents and teachers believe digital surveillance of kids outweighs risks appeared first on Malwarebytes Labs.

SonicWall warns users to patch critical vulnerability “as soon as possible”

SonicWall has issued a security notice about its SMA 100 series of appliances. The vulnerability could potentially allow a remote, unauthenticated attacker to delete arbitrary files from an SMA 100 series appliance and gain administrator access to the device.

SonicWall

SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

In June of 2021 we wrote about another vulnerability in the same Secure Mobile Access (SMA) 100 series. Back then, SonicWall had been made aware of an imminent ransomware campaign using stolen credentials.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-20034 and is due to an improper limitation of a file path to a restricted directory, potentially leading to arbitrary file deletion without any authentication, which can result in a remote attacker obtaining administrator access on the underlying host.

The critical bug has received a score of 9.1 out of 10 on the CVSS scale of severity. At the moment there is no evidence that this vulnerability is being exploited in the wild.

Put simply, the vulnerability is an improper access control flaw in the SMA 100 that allows a remote, unauthenticated attacker to bypass path traversal checks and delete an arbitrary file. If the attacker knows what they are doing, that can result in a reboot to factory default settings, after which they can gain administrator privileges by using the factory default credentials.
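As an added illustration of the bug class (this is not SonicWall's code and says nothing about how the SMA 100 actually implements its checks), here is a weak traversal check of the kind that gets bypassed, beside a hardened one that confines a file-deletion handler to a restricted directory. The directory and file names are hypothetical, and the `demo()` helper builds its own scratch directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def naive_is_allowed(raw_path: str) -> bool:
    """Weak check of the kind traversal bugs slip past: it only looks for a
    literal '../' in the raw request, so encoded or absolute forms pass."""
    return "../" not in raw_path


def hardened_resolve(raw_path: str, root: Path) -> Path:
    """Decode, resolve against the restricted root, and refuse any result whose
    canonical path is not inside that root. Absolute input is rejected outright."""
    decoded = unquote(raw_path)              # '..%2f' becomes '../' before checking
    if os.path.isabs(decoded):
        raise ValueError("absolute paths are not permitted")
    root_real = Path(os.path.realpath(root))
    candidate = Path(os.path.realpath(root_real / decoded))  # collapses '..' and symlinks
    if root_real != candidate and root_real not in candidate.parents:
        raise ValueError(f"path escapes restricted directory: {raw_path!r}")
    return candidate


def safe_delete(raw_path: str, root: Path) -> bool:
    """Delete a file only when it is confined to root; returns True if removed."""
    target = hardened_resolve(raw_path, root)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise both checks against a scratch directory holding one file
    (constructed sample data) and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("constructed sample")
        encoded = "..%2f..%2fconfig%2fsystem.conf"  # hypothetical target, percent-encoded
        outcome = {"naive_passes_encoded": naive_is_allowed(encoded)}
        for key, path in (("rejects_encoded", encoded), ("rejects_absolute", "/config/system.conf")):
            try:
                hardened_resolve(path, root)
                outcome[key] = False
            except ValueError:
                outcome[key] = True
        outcome["in_root_deleted"] = safe_delete("report.txt", root) and not (root / "report.txt").exists()
    return outcome
```

The naive substring check lets the percent-encoded request through; the hardened version decodes, canonicalizes, and then verifies containment, which is the property a traversal fix has to guarantee.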

Affected devices

The appliances that are affected are SMA 100, 200, 210, 400, 410, and 500v. Since there are no temporary mitigations, SonicWall urges impacted customers to implement applicable patches as soon as possible. A detailed list with impacted platforms and versions can be found here.

Mitigation

SonicWall customers can log in to its MySonicWall.com website to get updated firmware for their appliances. (The update also fixes a local privilege escalation weakness, and a denial-of-service vulnerability.)

In the context of the previous vulnerability, we want to add the advice to change the administrator password on the appliances, especially if it is still set to the default. Threat actors may be inclined to scan for Internet-facing devices and try to gain access using default or leaked credentials.

Stay safe, everyone!

The post SonicWall warns users to patch critical vulnerability “as soon as possible” appeared first on Malwarebytes Labs.