Mail Bombs, DirtyCOW, and Ford – Hack Naked News #197
November 20, 2018
Mailing bombs, Gmail glitch Phishing Attacks, Stopping the Infiltration of Things, Make-A-Wish website serves a Cryptojacking Script, Instagram exposes user passwords, and DirtyCOW is back in backdoor attack targeting Drupal Web Servers! Jason Wood from Paladin Security joins us for expert commentary to discuss how Ford is Eyeing the Use of Customers Personal Data to Boost Profits!
Gmail Glitch Offers Stealthy Trick for Phishing Attacks - Get out of my sent folder: The Gmail issue, discovered and outlined by software developer Tim Cotten this week, stems from the way that Gmail organizes its folders. It files an email into the Sent folder based on the address in the “from” field. So, if an attacker sends an email to a target, which has been specially crafted to also have that target’s email address in the “from” field, the mail will automatically go to the person’s inbox and Sent folder at the same time. This gives the false impression to the unwitting user that it was an email they themselves sent, said Cotten.
Stopping the Infiltration of Things - The article says the same thing all of the IoT security articles state: Legislation, overcoming weak/default/backdoor passwords and addressing vulnerabilities. What really needs to change is the architecture and design of every IoT device on the market, and this will take time, but realize it is the only way to make progress on IoT security.
New security feature to prevent Amazon S3 bucket misconfiguration and data leaks - Help Net Security - S3 buckets are not public by default, and Amazon has made it easier to identify public S3 buckets. But, thats not enough. Check out this new feature: This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access. They allow account users to protect against future attempts to use ACLs to make buckets or objects public, to override current or future public access settings for current and future objects in the bucket, to disallow the use of new public bucket policies, and to limit access to publicly accessible buckets to the bucket owner and to AWS services.
Make-A-Wish website compromised to serve cryptojacking script - Help Net Security - Thanks to a Drupal remote code execution bug, website visitors are turned into cryptomining machines: The cryptojacking CoinIMP script (check.js) injected into the website was being loaded from the drupalupdates.tk domain, which has been associated with a known campaign that has been exploiting a critical Drupal vulnerability (CVE-2018-7600, aka Drupalgeddon 2) to compromise websites since May 2018.
Popular AMP Plugin for WordPress Patches Critical Flaw Update Now - A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website....The affected plugin was recently removed temporarily from the WordPress plugins library due to vulnerable code, but neither its developer nor the WordPress team revealed the exact issue in the plugin.
Instagram flaw exposes user passwords | SC Media - A security flaw in Instagram’s recently released “Download Your Data” tool could have exposed some user passwords, the company reportedly told users. The tool, revealed by Instagram right before the GDPR regulation went into effect, is designed to let users see and download the personal data that the social media platform had collected on them.
DirtyCOW is back in backdoor attack targeting Drupal Web Servers | SC Media - Impreva researcher Nadav Avital spotted the attack on Oct. 31 exploiting the Drupalgeddon2 and DirtyCOW, bugs as well as system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines...The attacker downloads three different implementations of DirtyCOW and runs them one after the other,” Avital said. “One of the implementations is downloaded in its raw format (C source code file) and is compiled at runtime. Once the attacker switches to the root user and gains permission to install new services they install and configure SSH, add their key to the list of authorized keys used by the service and as long as the machine is running, have the ability to remotely transmit any command as the user root
Every day is Black Friday - Funny: There are no precautions you should take on Black Friday and Cyber Monday that you shouldn’t also be taking on Shrove Tuesday, dress down Friday, any given Sunday, National Cookie Day, March Madness, Black History Month, the second fiscal quarter, the lunar phase cycle or at any other time Recommendations, both from me and the article are to use a password manager, ad blocking plugin, and a DNS service that blocks malicious activity.
Ford Eyes Use of Customers’ Personal Data to Boost Profits
This article posted on Threatpost startled me a bit. I think most listeners of the Security Weekly podcasts are used to the idea of tech companies that collect and monetize data. However, the idea of buying a car and then having the data I provide to the dealer to buy the vehicle being monetized was unexpected. And that’s what Ford Motor Company’s CEO Jim Hackett is talking about now.
In an interview on the Freakonomics podcast Hackett stated, “We have 100 million people in vehicles today that are sitting in Ford blue-oval vehicles. The issue in the vehicle, see, is: We already know and have data on our customers. By the way, we protect this securely; they trust us. We know what people make. How do we know that? It’s because they borrow money from us. And when you ask somebody what they make, we know where they work, you know. We know if they’re married. We know how long they’ve lived in their house because these are all on the credit applications. We’ve never ever been challenged on how we use that. And that’s the leverage we got here with the data.”
The here are a few important bits: 100 million people, we know how much they make, their marital status, where they live and haw long they’ve lived there. “We’ve never been challenged on how we use that.” So the gist of it is, we know a ton about people and no one’s given us a hard time about how we use that data. So let’s use it.
Hackett is speaking more about the value of data that they collect. He has cited it in their acquisition of Spin, an electric scooter company in San Francisco, CA. “The opportunity is not bikes. That’s not why Ford’s in it. The opportunity is data, and the data is super valuable because it tells us these invisible paths that people are taking in this complex city in terms of how they want to get around. And there’s something else cool about it because we can take that data and we can connect it in ways that our new shuttle is going to connect to the cloud as well.”
So maybe they aren’t looking at reselling data directly to increase their revenues, but they are definitely looking at how to leverage it to increase their bottom line. You don’t want to take the scooter somewhere, then get a suggestion on an app to take a Ford related shuttle service. Perhaps you are driving down the freeway at lunch time and your infotainment system starts offering suggestions on where to find places you like to eat. Maybe the food providers are paying to opt into this system so that their locations will be part of those suggestions or receive a more prominent place on the list.
I doubt Ford is alone in this thought process. I haven’t spent much time researching what plans related companies have, but the point is that companies across industries are looking at data about us as a source of revenue. It’s possible that consumers will become less trusting of companies when they realize their car, appliance, or other purchases put them in the cross hairs of marketing for services in new, unexpected ways. The noise level of marketing messages is getting more and more pervasive and invasive. This sounds like Ford would like to up that game.
Visit http://hacknaked.tv to get all the latest episodes!
The CIO of Artesia General Hospital in rural Southeast New Mexico shares the ongoing staffing and resource challenges he faces on a daily basis, and how his IT team tackles risk and workforce training.
The Federal Energy Regulatory Commission is asking input on information collection regulations for how energy companies secure bulk electric systems while its CIO speculated earlier this month that regulated energy utilities will likely need to follow recent government actions around implementing zero trust architectures.