More stories


    BrewDog exposed data of 200,000 shareholders for over a year

    Researchers say that BrewDog exposed the personally identifiable information (PII) of roughly 200,000 shareholders for the best part of 18 months. 


    According to PenTestPartners, BrewDog “declined to inform their shareholders and asked not to be named” in the research revealing the security flaw. On October 8, the cybersecurity firm said that the Scottish brewery had hard-coded a Bearer authentication token into the API endpoints used by BrewDog’s mobile applications.

    Such a token is normally returned only once a user has submitted valid credentials, and it is that step which grants access to an endpoint. Because the token was hardcoded into the app, this verification step was missed entirely.

    PenTestPartners members, who happened to be BrewDog shareholders, appended each other’s customer IDs to the end of API endpoint URLs. During tests, they found they were able to access the PII of Equity for Punks shareholders without a suitable authentication challenge. Names, dates of birth, email addresses, genders, telephone numbers, previously used delivery addresses, shareholder numbers, shares held, referrals, and more were accessible.

    However, the customer IDs were not considered “sequential.”

    “An attacker could brute force the customer IDs and download the entire database of customers,” the researchers said. “Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetime’s supply of discount QR codes!”

    PenTestPartners noted that some of the PII exposed would fall under GDPR protection, and that hard-coding authentication tokens is a failure to meet those standards.

    Based on an analysis of older versions of the BrewDog app, the researchers say that the security issue was introduced in version 2.5.5, released in March 2020, and was not resolved for roughly 18 months. After PenTestPartners reached out with its findings, researcher Alan Monie tested a total of six different builds. It took four fix attempts before the issue was resolved in version 2.5.13, released on September 27. However, the changelog for this version does not appear to mention the vulnerability fix.

    “The vulnerability is fixed,” the researcher says. “As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure.”

    Speaking to ZDNet, a BrewDog spokesperson provided the following statement: “We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users. We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our user’s privacy. Our security protocols and vulnerability assessments are always under review and always being refined in order that we can ensure that the risk of a cyber security incident is minimized.”

    BrewDog also told us: “BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO.”
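The flaw described above is an object-level authorization failure: one app-wide Bearer token was accepted for every customer, and the customer ID was simply taken from the URL. The following is an added example (not BrewDog's or PenTestPartners' code) that puts that shape next to the fix, where a token is minted only after login, bound to one customer ID, and compared against the ID in every request. All customer records, credentials and the token value are constructed sample data.

```python
"""Per-user API tokens with an object-level authorization check.

Added example, not BrewDog's or PenTestPartners' code. It models the defect
described above (one hard-coded Bearer token accepted for every customer,
with the customer ID taken from the URL) next to the fix: a token is minted
only after a successful login, is bound to exactly one customer ID, and every
request's customer ID is compared with the token's subject. All customer
records, credentials and the token value below are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample records: customer_id -> password hash plus PII.
# (Unsalted SHA-256 only keeps the sample short; use a real password hasher.)
CUSTOMERS = {
    "1001": {"pw": hashlib.sha256(b"pw-1001").hexdigest(), "name": "A. Example", "shares": 12},
    "1002": {"pw": hashlib.sha256(b"pw-1002").hexdigest(), "name": "B. Example", "shares": 40},
}
TOKEN_TTL = 900  # seconds a session token stays valid

# Hypothetical app-wide token as a flawed build might embed it: it names no user.
HARDCODED_TOKEN = "example-shared-app-token"


# --- vulnerable shape: shared token, customer ID trusted from the URL ------------
def get_customer_vulnerable(bearer, customer_id):
    """Return (status, record). Any holder of the shared token reads any record."""
    if not hmac.compare_digest(bearer, HARDCODED_TOKEN):
        return 401, None
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)   # no check that caller *is* customer_id


# --- hardened shape: token minted at login and bound to one customer ------------
_sessions = {}  # token -> (customer_id, expiry timestamp)


def login(customer_id, password):
    """Return an opaque per-user token, or None if the credentials are wrong."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(rec["pw"], given):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (customer_id, time.time() + TOKEN_TTL)
    return token


def get_customer(bearer, customer_id):
    """Return (status, record); the token's subject must equal the requested ID."""
    entry = _sessions.get(bearer)
    if entry is None or entry[1] < time.time():
        return 401, None                      # unknown or expired token
    subject, _expiry = entry
    if subject != customer_id:
        return 403, None                      # IDOR attempt: worth logging and alerting on
    return 200, CUSTOMERS[customer_id]


if __name__ == "__main__":
    t = login("1001", "pw-1001")
    print(get_customer(t, "1001"))            # (200, {...}) own record
    print(get_customer(t, "1002"))            # (403, None) someone else's record
    print(get_customer_vulnerable(HARDCODED_TOKEN, "1002"))  # (200, {...}): the flaw
```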


    Russia poses the biggest nation-state cyber threat, says Microsoft

    Beijing-backed hackers caused a crisis after hacking Exchange email servers this year with flaws Microsoft didn’t know about, but Microsoft says Russian hackers are far more prolific than those from China, or any other nation.

    “During the past year, 58% of all cyberattacks observed by Microsoft from nation-states have come from Russia,” Tom Burt, Microsoft corporate vice president, said in a blog post detailing government-backed hacking over the past year.

    The US and UK blamed the Russian Foreign Intelligence Service (SVR) for the huge software supply chain attack on US enterprise software vendor SolarWinds, which affected 18,000 customers including top tech firms and US government agencies. Microsoft, which was also compromised by the hack, calls this group of hackers Nobelium; others call it APT28.

    Microsoft’s Burt warned that the past year showed Kremlin-backed hackers are becoming “increasingly effective”, with their attacks becoming more successful and driven by spying and intelligence campaigns. Many Russian-attributed attacks targeted enterprise virtual private network (VPN) software.

    “Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% — largely agencies involved in foreign policy, national security or defense,” he explained.

    Russia’s hacking is primarily motivated by the nation’s politics, with the top targets being the United States, Ukraine and the UK, according to Microsoft. But other usual suspects also feature in Microsoft’s 2021 Digital Defense Report, including Iran and North Korea. A new entrant is Turkey, which has developed a taste for trojans. Notably absent from Microsoft’s report is work carried out by Israeli cyber teams. Israel is home to NSO Group, infamous for exploits targeting iPhones.

    Russian state-based hacking was mostly focused on Ukraine. Meanwhile, Israel was targeted increasingly by Iranian hackers.

    “Russia-based NOBELIUM raised the number of Ukrainian customers impacted from six last fiscal year to more than 1,200 this year by heavily targeting Ukrainian government interests involved in rallying support against a build-up of Russian troops along Ukraine’s border,” Microsoft notes in its Digital Defense Report. “This year marked a near quadrupling in targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries.”

    Public sector agencies under fire from hackers are mostly “ministries of foreign affairs and other global government entities involved in international affairs”, according to Microsoft, while phishing attacks seeking to capture credentials affect consumer and enterprise accounts.

    Russian hackers have evolved supply chain attacks over the past decade. The biggest supply chain attack before SolarWinds was NotPetya in 2017, which spread through a little-known Ukrainian accounting software package and cost industrial giants billions in losses. Software supply chain attacks work because they’re carried out via updates from trusted software vendors, including security companies. SolarWinds may not be a household name, but it’s big in enterprise IT.

    Now, nearly every major US cybersecurity company is rallying behind US president Joe Biden’s cybersecurity order, which attempts to push the idea that even trusted networks can’t be trusted.

    However, critical infrastructure is the real change in the targets selected by Russian hackers. Biden reportedly told Russian president Vladimir Putin that critical infrastructure should be “off limits”, although this is a tricky position for the US when it’s widely known that the world’s most capable hackers work at the National Security Agency, which developed Stuxnet to target Iran’s uranium enrichment equipment. Microsoft’s top execs have previously criticised the NSA for hoarding zero-day exploits.

    “From July 2020 to June 2021, critical infrastructures were not the focal point according to the NSN information that was tracked. China-based threat actors displayed the most interest and Russia-based threat actors accounted for the least in targeting entities in the critical infrastructure sector,” Microsoft notes in its report. “Russian NOBELIUM’s cyber operations are a perfect example of displaying Russia’s interest in conducting operation for access and intelligence collection versus targeting a critical infrastructure for potential disruption operations.”


    Will citizens ever be comfortable with police drones?


    Privacy advocates are rightly concerned with the proliferation of drones in the hands of law enforcement. Can transparency help mollify concerns?

    That question is being put to the test in Southern California. The Chula Vista Police Department (CVPD), which has an active drone program, is teaming up with AirData UAV to make its public drone flights transparent. Mirroring the increased focus by police departments nationwide on effective public information campaigns, the hope for law enforcement officials is that easily accessible data, including flight and mission details, will help mollify a distrustful public.

    “Transparency and accountability are key components in the success of our drone program, which has been an invaluable tool in maintaining the safety of our officers and the public,” says Chief Roxana Kennedy, Chula Vista Police Department. “We pride ourselves on ensuring the public has access to our drone flight information in upholding the trust of our community.”

    The step toward transparency may not be enough for critics of local police departments’ increasingly sophisticated surveillance and tactical capabilities. For example, some police departments use tools like a Stingray, which mimics a cell tower to access metadata from unsuspecting cell users.

    Drones give police a particularly powerful tool for surveillance. According to the Brookings Institute:

    Drones provide what law enforcement likes to call “situational awareness”: a clear birds-eye perspective on potentially volatile situations that’s much less expensive and complex to operate than a manned helicopter. Law enforcement agencies have used this argument to justify flying drones over everything from alleged drug deals to homeless encampments to the recent protests against racist police violence. They’ve also used drone footage to make arrests: In Arizona in early July, police used drone video to justify arresting three Black Lives Matter protesters, who they say stopped traffic.

    The response in many cities has been tepid, and amid calls for regulation, more vocal advocates suggest outlawing police use of drones altogether.

    The first and most obvious course of action in regulating police use of drones is to ban the technology entirely, a proposal a number of lawmakers and activists are currently pushing in New York City. As police have rolled out drone programs, cities have received them warily. In 2013, police in Seattle were on the verge of launching a drone program but abandoned it under public pressure, a pattern that repeated itself the following year in Los Angeles. (Elsewhere, in Washington state, police use of drones is widespread.)

    AirData believes the answer is greater transparency and trust. The company provides CVPD with a seamless and simple way to track and manage all of the flight data from their missions. It also helps the department with federal compliance, reporting, maintenance notifications, and logging, all of which are time-intensive tasks.

    “We are excited to work closely with Chula Vista to provide full transparency of the police department flights to the community,” said Eran Steiner, Founder and CEO of AirData UAV. “AirData enables officers to focus on the community, while AirData performs the mundane and time-consuming work of flight data collection, federal compliance tracking, and crash prevention through tracking drone health. Chula Vista offers its residents an open AirData-driven web page, enabling the public to be well informed of drone-related law enforcement activity.”

    AirData is the largest online drone fleet data management and real-time flight streaming platform, serving over 210,000 users with 20 million flights uploaded to date, processing an average of 20,000 flights a day, with high-resolution data stored for each flight. Law enforcement presents a particularly lucrative market for drone fleet management given the proliferation of UAV technology in law enforcement and defense.


    Google announces new efforts to protect journalists and high-risk users from cyberattacks

    Google announced on Friday that it would be delivering a slate of new cybersecurity protection features for high-risk users one day after telling about 14,000 Gmail users that they had been targets of Russian-government group APT28.


    In a blog post, Google said an increasing number of cyberattacks targeted high profile individuals and groups, forcing it to take extra measures and create a team “dedicated to detecting and stopping the world’s most sophisticated cybercriminals.”

    “We’re excited to be working with these leading organizations to protect high-risk user groups and learn more about the needs of at-risk users and organizations. These collaborations help us make the world’s most advanced security even stronger, more inclusive and easier to use — helping everyone stay safer with Google,” the company explained.

    In addition to touting the Advanced Protection Program (APP) that users can turn on to beef up their protection from certain attacks, Google said it was partnering with organizations across the globe to provide free security keys to over 10,000 high-risk users throughout 2021.

    “APP brings Google’s strongest security protections together into a holistic program that is constantly upgraded in response to emerging threats. APP is available to all users but is specifically designed for individuals and organizations at higher risk of targeted online attacks, such as elected officials, political campaigns, human rights activists and journalists,” Google explained. “Users who enroll in APP are protected against a wide variety of online threats, including sophisticated phishing attacks (through the use of security keys), malware and other malicious downloads on Chrome and Android, and unauthorized access to their personal account data (such as Gmail, Drive or Photos). As new threats are discovered, APP evolves to provide the latest protections.”

    Google also announced new partnerships with the International Foundation for Electoral Systems (IFES), UN Women and nonprofit Defending Digital Campaigns (DDC).

    Google is working with IFES on global educational security programming for human rights workers and groups online, providing free security keys for attendees of the group’s global cyber hygiene trainings. The group has provided specific support to journalists in the Middle East and women activists in Asia through their virtual “She Leads” series. By next year, Google said it plans to expand its work with the group “through a continued contribution of Titan Security keys and educational materials for their high-risk user trainings.”

    “Equipping our participants with Google Titan Keys alongside the Advanced Protection Program Team has allowed us to improve our participant’s cyber hygiene with a more secure method for protecting and authenticating their accounts,” said Dr. Stephen Boyce, senior global advisory for election technology and cybersecurity at IFES.

    Google said it will continue offering consultations on online safety and security workshops to UN Women and the many chapters worldwide that support women who are at higher risk of online attacks, including journalists, activists, politicians and executives. According to the blog, workshop attendees are trained on tools to better protect their organizations and the high-risk women they support.

    Titan Security Keys were also provided by Google to more than 180 eligible federal campaigns during the 2020 US election season through DDC. They are now working with DDC to provide further protection for state-level campaigns and political parties, committees, and related organizations, including workshops and training on protecting against cyberattacks. By the 2022 US midterm elections, Google said the DDC will have already worked on cybersecurity trainings for members of both political parties in every state in the country.

    Michael Kaiser, CEO of DDC, said candidates, their family members and close associates, campaign staffers and volunteers, state party staff, vendors to campaigns and virtually anyone who works in the political space are at greater risk of being attacked than most computer users.

    “DDC’s collaboration with Google around the provision of Titan Keys and training is designed to address the most significant and likely vector of compromise: people’s accounts,” Kaiser said. “The number one recommendation DDC has for any campaign is to use security keys. We know that when a campaign uses security keys and turns on Google’s Advanced Protection Program, they have greatly enhanced their cybersecurity and at the same time are protecting our Democracy.”

    The DDC has already trained hundreds of local campaign workers, state party staff members, and people who work at related political organizations across 21 states. Google also noted that it partnered with the DDC to deploy a publicly available cybersecurity Knowledge Base to help campaigns and political organizations with cybersecurity information.

    “The Knowledge Base includes step-by-step instructions for turning on better security protections including APP. Through the Knowledge Base and direct work with eligible campaigns, DDC provides hands-on assistance for getting cybersecurity tools implemented,” Google explained.

    The announcements come hours after Shane Huntley, director of Google’s Threat Analysis Group, wrote a thread on Twitter warning that it blocked attempts by Russian-government backed groups to attack thousands of high-profile people.

    “The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn’t be a surprise. At some point, some govt backed entity probably will try to send you something,” Huntley said. “What we see over and over again is that much of the initial targeting of government-backed threats is blockable with good security basics like security keys, patching and awareness, so that’s why we warn.”


    Building cyber radar systems could alert Indo-Pacific nations and their allies

    Keith Alexander before the US Senate Intelligence Committee in 2017
    Image: Getty Images
    Russian ransomware operators need to be called out and suffer real consequences, according to retired general Keith Alexander, former head of the US National Security Agency (NSA) and US Cyber Command. “Right now, the ransomware guys, in Russia predominantly, get off pretty much free. There is very limited downside for them,” Alexander told a seminar at the Australian Strategic Policy Institute’s International Cyber Policy Centre last week. “We have to attribute who’s doing it and make them pay a price.” We call out cybercrime groups like REvil and DarkSide, but we need to do more, he said. “Imagine if we indicted and put their picture up, and said, ‘That’s the guy, and if we can, we will arrest you. You can’t move out of Russia. You’re gonna have to stay there for the rest of your life’.” Alexander has always sat at the hawkish end of the cyber spectrum. In 2013 he echoed then-McAfee vice-president Dmitri Alperovitch’s description of cybercrime and cyber espionage as the greatest transfer of wealth in history — perhaps forgetting for a moment the vast empires of the European colonial powers.

    Now he notes the importance of international cooperation against the cyber forces of nation-states and their puppets. “All the attacks that are going on there [in Australia], here [in the US], in Europe, the theft of intellectual property, this is something that we need to collectively get out in front of,” he said.

    Alexander described the July 1 speech by China’s president Xi Jinping as “a gauntlet being laid down that said there would be bloodshed and bashing of heads”. If the West pushes China over Taiwan or the South China Sea, “there’s no limit to where they will go”. “I think we have to set that red line, and we have to work together to do it.” That cooperation has to extend into the private sector, he said.

    Incident response is not a defensive measure

    “I think the biggest problem that I faced in government, and that we face today, is governments — not just ours but yours as well — can’t see attacks on the private sector. Yet the government is responsible for defending the private sector,” Alexander said. “How are you going to defend that which you can’t see? Incident response is not a defensive measure. That’s after everything bad has happened.”

    The SolarWinds supply chain attack is a prime example. The government didn’t find out about it until after the fact. “Now people push on the government, ‘Hey, why didn’t you know?’ And the answer is because the government doesn’t have the authority, nor the capability, to see all the attacks on critical infrastructure,” Alexander said. “We need … I’ll call it an event generator, that shows events that are hitting companies at network speed, that can be anonymized, pushed up to the cloud, and create a radar picture, so you can now see all the companies where these types of events are hitting.”

    Needless to say, the conversation was peppered with words such as “behavioural analytics”, “expert system”, “machine learning” and “artificial intelligence”.

    Overcoming fears of sharing data with governments

    This need for cooperation, partnerships, and information sharing has been cited at every conference since the cybers were all in Roman numerals. But if everyone agrees that it’s a good thing, why doesn’t it just happen? “The real key issue is what are we talking about sharing?” Alexander said. If you’re talking about sharing the details of cyber events as we know them today, that is, things that you’re blocking, then that sharing is “almost useless”, because you’re already blocking it. Alexander says we have to share “all the things you don’t know”.

    To your correspondent, that sounds like private sector organisations having to share a lot more raw data with government agencies. Data about things they don’t yet know are a threat. Data which they might prefer, for whatever reasons, to keep out of government hands.

    The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, has noted a reluctance for organisations to share data with the agency. Sometimes they even lawyer up to prevent ACSC involvement in a breach investigation. “Perhaps there’s a commercial stigma or reputational stigma about reporting and alerting the public, and therefore shareholders, about a weakness,” Bradshaw said. “We’ve made it super, super clear that the ACSC is not a regulator,” she said. “The consequence of that is I become very boring in media interviews, because I refuse to talk about the juiciest case that’s come along. And apologies to all journalists, but it’s something that I will continue to defend.”

    It’s no accident that IronNet, the company Alexander founded when he left the NSA in 2014, has developed a “collective defense platform” which “leverages advanced AI-driven network detection and response capabilities to detect and prioritize anomalous activity inside individual enterprise network environments”. The obvious pitch is that governments could engage such a private sector system to correlate both government and non-government data, perhaps allaying some of the fears that would surround a purely government-owned platform.

    Bradshaw said that one of “the best parts” of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and its architecture is that there’s a “clear separation” between the regulators and the ACSC in its cyber assistance and response function. The Department of Home Affairs has repeatedly requested that the Bill be rushed through Parliament. However, the Parliamentary Joint Committee on Intelligence and Security has recommended it be split in two so its more controversial aspects can be discussed in more depth.

    AUKUS and The Quad: not a modern jazz combo

    Alexander also praised the recently announced AUKUS defence technology agreement between Australia, the US, and the UK. At the heart of AUKUS is an intention for Australia to obtain a fleet of eight nuclear-powered submarines, but other technologies will be shared as well. “Cyber is going to be hugely important for our future,” Alexander said. “It’s the one area where adversaries can attack Australia, and the United States, without trying to cross the oceans. They can do it in cyber, and we have tremendous vulnerability. So getting out in front of that, I think is hugely important.”

    Alexander envisages a cyber radar picture that covers not just the AUKUS nations but other allies such as the Quadrilateral Security Dialogue (the Quad) of Australia, India, Japan, and the US. “Imagine if we could build, and we built, a radar picture for cyber that covered not only what impacts Australia, but what impacts other countries. And we could share in real time threats that are hitting our countries, and protect from that,” he said. “I think when you start thinking about the Quad and other things, that’s the type of thing I would say, as we move forward, that’s where our partnership has to go.”


    JFTC starts another antitrust probe against Apple and Google on smart devices: Report

    The Japanese Fair Trade Commission (JFTC) is reportedly commencing a new antitrust investigation into Apple and Google-parent Alphabet’s conduct across various technology areas. According to Nikkei, the Japanese competition watchdog will conduct interviews and surveys with OS operators, app developers, and smartphone users to assess whether Apple and Google have created anti-competitive market conditions in the smartphones, smartwatches, and other wearables sectors. The JFTC will reportedly work with the government-run Digital Market Competition Council during the probe.

    The new investigation comes just over a month after the JFTC closed an investigation into Apple’s in-app purchasing system. In that investigation, the Japanese competition watchdog found Apple acted anti-competitively in requiring developers to pay Apple’s commission on in-app purchases, and that it should allow them to point users to external payment options, like their own websites. To close that investigation, Apple made a deal with JFTC to allow developers of “reader” apps to link to external websites for setting up and managing accounts. The update will take effect sometime next year, Apple said in September. Reader apps are those that provide previously purchased content or content subscriptions for digital magazines, newspapers, books, audio, music, and video, such as Spotify and Netflix.

    Around the world, regulators have set their eyes on the market dominance of Apple and Google. In Australia, the government is undertaking various probes on the two companies focusing on a wide range of areas, spanning from ad tech to browsers to mobile OS systems. In the US, various states have filed a lawsuit against Google for its alleged anti-competitive control over the app store market. A US probe that wrapped up last October found Amazon, Facebook, Apple, and Google all had an “alarming pattern” of using innovation-stifling practices. In light of those findings, the government in August introduced a Bill into Congress that is aimed at curbing “big tech bullying”.

    The European Union, meanwhile, has doled out billions of dollars worth of fines to both Google and Apple for alleged anti-competitive behaviour.


    Additional fixes released addressing Apache HTTP Server issue

    Apache released additional fixes for CVE-2021-41773 on Thursday as government agencies like CISA warned that one vulnerability related to the Apache HTTP Server issue had been exploited in the wild.

    As ZDNet reported on Wednesday, developers behind the Apache HTTP Server Project urged users to apply a fix immediately to resolve a zero-day vulnerability. The Apache Software Foundation released Apache HTTP Server version 2.4.50 to address two vulnerabilities that would allow an attacker to take control of an affected system. In a notice on Wednesday, CISA said one of the vulnerabilities, CVE-2021-41773, has already been exploited in the wild.

    “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution,” Apache said in a notice. “This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”

    CISA said that “active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation.” “These vulnerabilities have been exploited in the wild. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” the government agency added.

    According to Bleeping Computer, about 25% of websites worldwide are backed by the open-source, cross-platform Apache HTTP Server. Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. Rapid7 Labs said it identified about 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet on Wednesday. Researchers say the issue is actively being scanned for in the wild.

    “The vulnerability itself is not exploitable in normal or default conditions. The biggest impact this issue will have will be on applications that have packaged Apache 2.4.49 and a configuration that enables the vulnerability. One such application is Control Webpanel (also known as CentOS Webpanel), which is used by hosting providers to administer websites, similar to cPanel,” said Derek Abdine, CTO at Censys. “There are currently just over 21,000 of these that are Internet-facing and appear vulnerable.”

    Censys senior security researcher Mark Ellzey added that he expects there to be some fallout for this but that it may not be widespread. Compared to recent vulnerabilities related to Confluence or VMware, he said the urgency and effectiveness of exploits for this issue don’t rise to a similar level. “Anything outside of the bad config is probably going to be a targeted attack on specific applications. I’d wager that we might see some code leaks,” Ellzey said.

    The vulnerabilities were first discovered by Ash Daulton of the cPanel security team and the latest issues were found by Shungo Kumasaka, Dreamlab Technologies’ Juan Escobar and NULL Life CTF’s Fernando Muñoz. Exploits were quickly created and released once the vulnerability was publicized.

  • in

    23andMe and JFrog partner to solve code injection vulnerability

    Security researchers at JFrog worked with biotechnology company 23andMe to address a vulnerability with Yamale, a tool written by the company and used by over 200 repositories. CVE-2021-38305 allows attackers to bypass existing protections and run arbitrary Python code by manipulating the schema file provided as input to Yamale, according to the JFrog security research team.

    A 23andMe spokesperson told ZDNet that 23andMe Security was notified of a workaround to a patch made to Yamale, the open-source library created by the company to verify that YAML files are in the right format and have all the correct fields.

    In a blog post and in interviews with ZDNet, JFrog’s senior director of security research Shachar Menashe said the vulnerability is “extremely severe if the prerequisites for the attack exist, due to the fact that the impact is the highest (remote code execution) and exploitation is trivial and stable (command injection).” The blog highlights the cases where the team believes the vulnerability would be most exploitable.

    “The JFrog security research team is currently conducting a scan of the entire PyPI database in order to improve the landscape of open source Python code. By automatically detecting vulnerabilities and disclosing them, our goal is to help mitigate vulnerabilities that threaten customer systems and national infrastructure,” Menashe said. “The finding was discovered using our automated vulnerability detection technology; these are the same types of code scanners that found the malicious PyPI packages that we disclosed in July. We are running our scanners on the entire PyPI database and performing responsible disclosures on all found vulnerabilities, after we verify them. Since Yamale is available through PyPI, it was scanned as part of this effort. 23andMe actually wrote Yamale for use as an internal tool.”

    Yamale is a popular schema validator for YAML that’s used widely. An attacker that can control the contents of the schema file that’s supplied to Yamale can provide a seemingly valid schema file that will cause arbitrary Python code to run, Menashe explained. Menashe noted the underlying issue is that through Python reflection, an attacker can “claw back” any needed builtin and run arbitrary code.

    In the blog post, JFrog researchers said an attacker needs to be able to specify the contents of the schema file in order to inject Python code, but noted that this can be exploited remotely if some piece of vendor code allows an attacker to do that. The most likely exploitation, the security company said, would involve vulnerabilities triggered through command line parameters via a separate parameter injection issue.

    JFrog Security CTO Asaf Karas added that because YAML is so popular, compatible, and widely used, it’s often the target of attacks. “This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process. We recommend sanitizing any input going to eval() extensively and – preferably – replacing eval() calls with more specific APIs required for your task,” Karas said.

    The company lauded Yamale’s maintainers for validating and fixing the issue “in record time” and for “responsibly creating a CVE for the issue after the fixed version was available.”

    The 23andMe spokesperson said the original patch was intended to cover a vulnerability for users parsing untrusted YAML schema. “YAML files have remained unaffected and are parsed with a safe loader. 23andMe is actively working on a solution. In the meantime, we will add a note on the project readme that more explicitly states that YAML schemas should always come from a trusted source,” the spokesperson said.
    “This tool is not implemented in any 23andMe company processes and doesn’t affect the customer experience or customer data in any way. We are grateful for the white hat hackers who alerted our team and invite others to join our recently established Bug Bounty Program,” the company added.
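    The mitigation Karas recommends above (replacing eval() with an API specific to the task), as an added Python illustration that is not Yamale's own code: a schema entry such as `str(min=3)` is parsed with `ast` and accepted only as one call to an allow-listed validator with literal arguments, so a crafted schema has no route to Python builtins. `ALLOWED_VALIDATORS`, `parse_validator` and `rejects` are hypothetical and cover a simplified subset of the real schema syntax.

```python
"""Parsing validator expressions from a schema without eval().

Added example, not Yamale's code: a schema entry such as str(min=3) or
enum('a', 'b') is accepted only as a single call to an allow-listed
validator name with literal arguments. Attribute access, bare names,
nested calls and argument unpacking are all rejected, which closes the
reflection route to builtins. Names here are hypothetical and the
grammar is a simplified subset of the real one.
"""
import ast

ALLOWED_VALIDATORS = {"str", "int", "num", "bool", "any", "enum", "list", "map"}


def _literal(node: ast.expr):
    """Accept only constant literals (and lists/tuples/dicts of them)."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        raise ValueError("validator arguments must be literals") from None


def parse_validator(expr: str):
    """Return (name, positional_args, keyword_args) or raise ValueError."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a schema expression: {exc.msg}") from None
    call = tree.body
    # The whole entry must be one call whose callee is a bare name.
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise ValueError("schema entry must be a plain validator call")
    if call.func.id not in ALLOWED_VALIDATORS:
        raise ValueError(f"unknown validator {call.func.id!r}")
    args = [_literal(a) for a in call.args]
    kwargs = {}
    for kw in call.keywords:
        if kw.arg is None:  # **mapping unpacking
            raise ValueError("keyword unpacking is not allowed")
        kwargs[kw.arg] = _literal(kw.value)
    return call.func.id, args, kwargs


def rejects(expr: str) -> bool:
    """True when expr is refused; handy for checking the hardened parser."""
    try:
        parse_validator(expr)
    except ValueError:
        return True
    return False
```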