More stories

  • Nasty Linux systemd root level security bug revealed and patched

    The good news is the seven-year-old security bug in Linux systemd’s polkit, used in many Linux distros, has been patched. The bad news is that it was ever there in the first place. Polkit, which systemd uses in place of sudo, enables unprivileged users to run privileged processes they otherwise couldn’t run. It turned out that you could also abuse polkit to get root access to a system.


    Can you say, “Ow!”? The power to grab root privileges is the ultimate evil in Unix and Linux systems. Kevin Backhouse, a member of the GitHub Security Lab, found the polkit security hole in the course of his duties. He revealed it to the polkit maintainers and Red Hat’s security team. Then, when a fix was released on June 3, 2021, it was publicly disclosed as CVE-2021-3560. Backhouse found an unauthorized local user could easily get a root shell on a system using a few standard shell tools such as bash, kill, and dbus-send.

    Oddly enough, while the bug is quite old, it only recently started shipping in the most popular Linux distributions. For example, if you’re running Red Hat Enterprise Linux (RHEL) 7, Debian 10, or Ubuntu 18.04, you’re invulnerable to this security hole. But if you’re running the newer RHEL 8, Debian testing, or Ubuntu 20.04, you can be attacked with it. Why? Because this buggy code hadn’t been used in most Linux distros. Recently, however, the vulnerable code was backported into shipping versions of polkit. An old security hole was given a new lease on life.

    That’s not the only reason this bug hid in plain sight for so long. Backhouse explained that the security hole isn’t triggered every time you run programs that can call it. Why? It turns out that polkit asks dbus-daemon for the UID [User ID] of the requesting process multiple times, on different codepaths. Most of those codepaths handle the error correctly, but one of them doesn’t. If you kill the dbus-send command early, it’s handled by one of the correct codepaths and the request is rejected. To trigger the vulnerable codepath, you have to disconnect at just the right moment. And because there are multiple processes involved, the timing of that “right moment” varies from one run to the next. That’s why it usually takes a few tries for the exploit to succeed. I’d guess it’s also the reason why the bug wasn’t previously discovered. It’s a sneaky little thing.

    But while Backhouse said it can’t always be exploited, that’s no reason not to worry about it. You can easily write a script that’s sure to activate it after a few minutes of trying. Red Hat warns: “The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.” Therefore, as Backhouse points out, since it’s “very simple and quick to exploit … it’s important that you update your Linux installations as soon as possible.” So, you know what to do now, right? Get to work patching: you’ll want to upgrade polkit to version 0.119 or later.
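    The codepath difference Backhouse describes comes down to one question: what does an authorization check do when it cannot establish who is asking? The following is an illustration written for this article, not polkit’s own code. It models a check that fetches the caller’s UID from a message bus in two forms: one that swallows the lookup error and carries on with whatever the UID variable happened to hold, and one that denies the request outright. The bus model, the action names, and the assumption that the unset UID variable reads as 0 are all constructed for the illustration.

```python
"""Constructed illustration (not polkit's code): an authorization check that
asks a message bus for the caller's UID, in a fail-open and a fail-closed form."""
from dataclasses import dataclass, field

ROOT_UID = 0
# Actions any local user may perform (assumed names for the illustration).
UNPRIVILEGED_ACTIONS = {"org.example.query-status"}
# Actions that require UID 0 (assumed names for the illustration).
PRIVILEGED_ACTIONS = {"org.example.create-user"}


class BusDisconnected(Exception):
    """The requesting process vanished before its UID could be fetched."""


@dataclass
class Bus:
    """Stand-in for dbus-daemon: maps connected bus names to the UID that owns them."""
    peers: dict = field(default_factory=dict)

    def get_uid(self, name):
        if name not in self.peers:
            raise BusDisconnected(name)
        return self.peers[name]


def decide(uid, action):
    """Policy: root may do anything, everyone else only unprivileged actions."""
    if action in UNPRIVILEGED_ACTIONS:
        return True
    return action in PRIVILEGED_ACTIONS and uid == ROOT_UID


def authorize_fail_open(bus, name, action):
    """Defective pattern: the UID variable starts at 0 (assumed for illustration)
    and a lookup error is swallowed, so a caller that disconnects mid-check is
    evaluated as if it were root."""
    uid = 0
    try:
        uid = bus.get_uid(name)
    except BusDisconnected:
        pass  # identity unknown, but the check continues anyway: this is the defect
    return decide(uid, action)


def authorize_fail_closed(bus, name, action):
    """Hardened pattern: no established identity, no authorization."""
    try:
        uid = bus.get_uid(name)
    except BusDisconnected:
        return False
    return decide(uid, action)


def audit(checker, requests):
    """Run (bus_name, uid_or_None, action) requests through `checker` and return
    how many were granted. A uid of None models a caller that disconnected before
    the lookup completed; such a caller must never be granted a privileged action."""
    granted = 0
    for name, uid, action in requests:
        bus = Bus({name: uid} if uid is not None else {})
        if checker(bus, name, action):
            granted += 1
    return granted


# Constructed sample: unprivileged callers (uid 1000) asking for a privileged
# action, one of which disconnects before its UID can be read, plus one
# legitimately unprivileged request.
SAMPLE_REQUESTS = [
    (":1.42", 1000, "org.example.create-user"),
    (":1.43", None, "org.example.create-user"),
    (":1.44", 1000, "org.example.create-user"),
    (":1.45", 1000, "org.example.query-status"),
]

if __name__ == "__main__":
    print("fail-open grants:  ", audit(authorize_fail_open, SAMPLE_REQUESTS))    # 2
    print("fail-closed grants:", audit(authorize_fail_closed, SAMPLE_REQUESTS))  # 1
```

    The second request is the only difference between the two counts: the fail-open checker grants the privileged action to a caller whose identity it never learned, the fail-closed one rejects it. That an identity lookup can fail, and must be treated as a denial rather than a default, is the property to look for in any privilege broker, whatever the transport.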


  • Unsecured servers and cloud services: How remote work has increased the attack surface that hackers can target

    The increase in the use of cloud services as a result of organisations and their employees shifting to remote work because of the COVID-19 pandemic is leaving corporate networks exposed to cyberattacks.

    Many businesses had to swiftly introduce working from home at the start of the pandemic, with employees becoming reliant on cloud services including Remote Desktop Protocols (RDP), Virtual Private Networks (VPN) and application suites like Microsoft Office 365 or Google Workspace.


    While this allowed employees to continue doing their jobs outside the traditional corporate network, it has also increased the potential attack surface for cyber criminals. Malicious hackers are able to exploit the reduced level of monitoring activity, while successfully compromised credentials – those used to remotely log in to cloud services – provide a stealthy route into corporate environments.

    Cybersecurity researchers at security company Zscaler analysed the networks of 1,500 companies and found hundreds of thousands of vulnerabilities in the form of 392,298 exposed servers, 214,230 exposed ports and 60,572 exposed cloud instances – all of which can be discovered on the internet. It claimed the biggest companies have an average of 468 servers exposed, while large companies have 209 at risk.

    The researchers defined ‘exposed’ as something that anyone can connect to if they discover the services – including remote and cloud services. Organisations are likely to be unaware that these services are exposed to the internet in the first place. In addition to this, researchers discovered unpatched systems with 202,000 Common Vulnerabilities and Exposures (CVEs), an average of 135 per organisation, with almost half classified as ‘Critical’ or ‘High’ severity.

    It’s possible that cyber criminals will be able to discover and exploit these vulnerabilities in order to enter corporate networks and lay the foundations for cyberattacks including data theft, ransomware and other malware campaigns.

    “The sheer amount of information that is being shared today is concerning because it is all essentially an attack surface. Anything that can be accessed can be exploited by unauthorised or malicious users, creating new risks for businesses that don’t have complete awareness and control of their network exposure,” said Nathan Howe, vice president for emerging technology at Zscaler.

    While an increased attack surface can impact organisations of all sizes, international and large employers are the most at risk, due to their number of employees and a distributed workforce. A global workforce may also make it more difficult to detect anomalous activity because the company is used to employees accessing the network from around the world, so a malicious intruder may not be immediately obvious.

    But it’s possible to take steps to reduce the attack surface – and the potential risk to the organisation as a result. Zscaler recommends three steps for minimising corporate network risk.

    The first is to know your network – by being aware of what applications and services are in use, it’s easier to mitigate risk. The second is to know your potential vulnerabilities – researchers recommend that information security teams stay informed about the latest vulnerabilities and the patches that can be applied to counter them. The third thing organisations should do is adopt practices that minimise risk and act as a deterrent to cyber criminals. For example, secure login credentials for cloud services with multi-factor authentication, so in the event of a username and password being breached, it isn’t as simple for criminals to actually access accounts and services.

    “By understanding their individual attack surfaces and deploying appropriate security measures, including zero trust architecture, companies can better protect their application infrastructure from recurring vulnerabilities that allow attackers to steal data, sabotage systems, or hold networks hostage for ransom,” said Howe.

  • Apple releases emergency update for older iPhones and iPads

    Apple is getting pretty committed to the idea of pushing out security updates to older iPhones and iPads. Not only will the company continue to support iOS 14 come the release of iOS 15, we are also seeing a trickle of patches for older versions of iOS. If you have an iPhone or iPad that’s still running iOS 12 — because that was the end of the line for your device — then Apple has released an emergency update that you need to download and install as soon as possible.

    Why? Because of the three security fixes contained in this update, two “may have been actively exploited.” In other words, the bad guys might already be using the vulnerabilities to compromise smartphones and tablets.

    iOS 12.5.4 is available for the following devices:

      • iPhone 5s
      • iPhone 6
      • iPhone 6 Plus
      • iPad Air
      • iPad mini 2
      • iPad mini 3
      • iPod touch (6th generation)

    To check what version your device is running, tap on Settings > General, then on Software Update. Here you will see what version your iPhone or iPad is running along with any updates.

    Note that if you have stayed on iOS 12 but the device is compatible with later versions, then this update will not be available to you. Your path is to upgrade to the latest release of iOS 14 or iPadOS 14. There have been several high-profile security issues plaguing iPhones and iPads over the past few months, and while some people are hesitant to install updates, doing so is the first and best line of defense against attack. And iOS 12 and later will do it for you: tap on Settings > General > Software Update > Customize Automatic Updates and then turn on Install iOS Updates.


  • Microsoft's CISO: Why we're trying to banish passwords forever

    Bret Arsenault, Microsoft’s chief information security officer (CISO), who’s been at Microsoft for 31 years, says he’s only ever been publicly cheered once at the company: that was when he killed off Microsoft’s internal policy of changing passwords every 71 days. “That’s the first time I’ve been applauded as a security person and executive,” Arsenault tells ZDNet. “We said we’re turning off password rotation within Microsoft, because we had eliminated that part of it.” 

    As Microsoft’s CISO, Arsenault is responsible for protecting both Microsoft products and its internal networks used by its 160,000 employees. After adding vendors into the mix, he’s responsible for about 240,000 accounts globally. And getting rid of passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.

    Microsoft updated its password policy in stages. In January 2019, it moved to one-year expiry, using telemetry to validate effectiveness. In January 2020, it moved to unlimited expiry based on the results. Microsoft also stopped recommending that customers implement a 60-day password expiration policy in 2019, because people tend to make small alterations to existing passwords or forget new good ones. For Arsenault, rather than make the conversation about putting MFA everywhere, he framed the change as being about eliminating passwords.

    “Because nobody likes passwords. You hate them, users hate them, IT departments hate them. The only people who like passwords are criminals – they love them,” he says. “I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to “we want to eliminate passwords”. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business,” he says. “If I eliminate passwords and use any form of biometrics, it’s much faster and the experience is so much better.”

    On Windows 10 PCs, that biometric security experience is handled by Windows Hello. On iOS and Android, access to Office apps is done through Microsoft Authenticator, which provides a smooth experience when logging into Microsoft Office apps. It taps into biometrics available on iPhones and Android phones.

    “Today, 99.9% of our users don’t enter passwords in their environment. That said – progress over perfection – there are still legacy apps that will still prompt [for a password],” he says.

    However, that’s not the end of the battle. Just 18% of Microsoft’s customers have enabled MFA. This figure seems absurdly low given that enabling MFA is free for Microsoft customers, yet as ransomware shows, there can be multi-million dollar consequences when just one key internal account is compromised. Protecting accounts with MFA won’t stop attackers completely, but it does make their lives harder by shielding an organization from the inherent weaknesses of usernames and passwords, which can be phished or compromised through password-spraying attacks. The latter technique, which relies on password re-use, was one way the SolarWinds attackers breached targets besides breaking into the firm’s software build systems to spread a tainted software update.

    Microsoft is moving towards a hybrid mode of work and, to support that shift, it’s making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.

    But how do we get more organizations to enable MFA in critical enterprise products from Microsoft, Google, Oracle, SAP and other crucial software vendors? For organizations looking to enable MFA, Arsenault recommends targeting high-risk accounts first and working on progress rather than perfection. The biggest problem is legacy applications, but seeking perfection risks getting bogged down. “Everyone has brownfield apps that can’t support modern authentication, such as biometrics, and so I think what a lot of people should and need to do is take a risk-based approach: first get MFA enforced for high-risk/value groups like admins, HR, legal group and so on, and then move to all users. It can be a multi-year journey, depending how quickly you want to do something,” he says.

    Then there’s the difficult question about SolarWinds and how Microsoft, which has a $10 billion cybersecurity business, got caught out by Russian government hackers. Microsoft in February claimed it was only minimally harmed by the incident, but it was nonetheless breached. Microsoft president Brad Smith called the hack a “moment of reckoning” because customers, including Microsoft itself, can no longer trust the software they get from trusted vendors. “Certainly, we used SolarWinds Software in our environment and we identified and remediated the impacted versions and we’ve been public about that there was access. We continue to modify how we do supply chain programs and how we evaluate what’s in supply chain and how quickly we can go do those things,” says Arsenault.

    According to Arsenault, Microsoft had seen the supply chain threat coming for a long time. “You see a lot of people doing stuff to protect their front doors, but then their backdoors are wide open,” he says. “The part we’ve seen coming along is that the supply chain is the weak point, right. You have limited visibility into your suppliers. I think [US president Joe Biden’s] executive order will help in this space. But getting to the view of how we think about suppliers, we need a way to get that visibility in a scalable way.”

    “I want to take the Zero Trust concept for information workers and apply that to the software supply chain, which is no line of code that was ever written wasn’t from an attested identity, from a healthy device,” he says.

  • Facebook awards $30,000 bounty for exploit exposing private Instagram content

    Facebook has awarded $30,000 to a researcher for reporting vulnerabilities in Instagram’s privacy features. 

    According to a Medium blog post penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account. This included private and archived posts, stories, and reels.

    If an attacker obtains a target user’s Media ID, via brute-force or through other means, they could then send a POST request to Instagram’s GraphQL endpoint, which exposed display URLs and image URLs, alongside records including like and save counts. A further vulnerable endpoint was also found that exposed the same information.

    In both cases, an attacker could extract sensitive data concerning a private account without being accepted as a follower, a feature of Instagram designed to protect the privacy of users. In addition, the endpoints could be used to extract the addresses of Facebook pages linked to Instagram accounts.

    Fartade reported his findings for the first endpoint through the Facebook Bug Bounty program on April 16. Facebook’s security team then responded on April 19 with a request for further information, including steps for reproduction.

    By April 22, the bug bounty hunter’s report had been triaged, and a day later, Fartade found and informed Facebook of the second leaky endpoint. Facebook patched up the vulnerable endpoints on April 29; however, Fartade says that a further fix was required to fully resolve the security issue. A financial reward worth $30,000 was awarded by June 15, the bug bounty hunter’s first through Facebook’s program. The social media giant thanked the researcher for his report.

    ZDNet has reached out to Facebook and we will update when we hear back.
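    The defect described above is a missing object-level authorization check: the endpoint answered any request that carried a valid Media ID, regardless of who was asking. The following is an illustration written for this article, not Instagram’s or Facebook’s code. It places a “vulnerable” lookup that considers only the ID next to a hardened lookup that authorizes the viewer against the media’s owner, the owner’s privacy setting and approved follower list, and the post’s archived flag. The account, media and URL data are made up for the example.

```python
"""Constructed illustration (not Instagram's code): the object-level check a
"fetch media by ID" endpoint needs so that knowing an ID alone does not yield
private content. All accounts, media and URLs below are made up."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    private: bool
    followers: set = field(default_factory=set)  # user_ids of approved followers


@dataclass
class Media:
    media_id: int
    owner_id: int
    display_url: str
    archived: bool = False  # archived posts are visible to the owner only


class MediaStore:
    def __init__(self, accounts, media):
        self.accounts = {a.user_id: a for a in accounts}
        self.media = {m.media_id: m for m in media}

    def lookup_unchecked(self, media_id):
        """Vulnerable pattern: the ID is the only input considered, so anyone
        who obtains a valid ID receives the URL."""
        m = self.media.get(media_id)
        return m.display_url if m else None

    def lookup(self, viewer_id, media_id):
        """Hardened pattern: authorize the (viewer, object) pair. A forbidden
        object returns the same None as a missing one, so the response does not
        confirm which IDs exist."""
        m = self.media.get(media_id)
        if m is None:
            return None
        owner = self.accounts.get(m.owner_id)
        if owner is None:
            return None
        if viewer_id == owner.user_id:
            return m.display_url        # owners may see all of their own media
        if m.archived:
            return None                 # archived: owner-only
        if owner.private and viewer_id not in owner.followers:
            return None                 # private account, viewer not an approved follower
        return m.display_url


def build_sample_store():
    """Constructed fixture: user 1 is private with approved follower 2; user 4
    is public; user 3 follows nobody."""
    accounts = [
        Account(1, private=True, followers={2}),
        Account(4, private=False),
    ]
    media = [
        Media(100, owner_id=1, display_url="https://cdn.example/100.jpg"),
        Media(101, owner_id=1, display_url="https://cdn.example/101.jpg", archived=True),
        Media(102, owner_id=4, display_url="https://cdn.example/102.jpg"),
    ]
    return MediaStore(accounts, media)


if __name__ == "__main__":
    store = build_sample_store()
    # Non-follower 3 asks for private media 100: served by the unchecked path,
    # denied by the checked one; approved follower 2 is served by both.
    print(store.lookup_unchecked(100))   # https://cdn.example/100.jpg
    print(store.lookup(3, 100))          # None
    print(store.lookup(2, 100))          # https://cdn.example/100.jpg
```

    The design point is that the check is made on the (viewer, object) pair at the point the object is served, not on whether the viewer could reach the endpoint. Returning the same result for a forbidden object as for a nonexistent one also denies an enumerating client the signal of which IDs are valid.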

  • Most firms face second ransomware attack after paying off first

    The majority of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack. And almost half of those that pay up say some or all of the data they retrieved was corrupted.

    Some 80% of organisations that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers. Amongst those that paid to regain access to their systems, 46% said at least some of their data was corrupted, according to a Cybereason survey released Wednesday. Conducted by Censuswide, the study polled 1,263 security professionals in seven markets worldwide, including 100 in Singapore, as well as respondents in Germany, France, the US, and UK. Globally, 51% retrieved their encrypted systems without any data loss, while 3% said they did not regain access to any encrypted data. The report revealed that one particular organisation reportedly paid a ransom in the millions of dollars, only to be targeted for a second attack by the same attackers within a fortnight.

    In Singapore, 90% experienced a second ransomware attack after paying up for the first ransom, with 28% regaining access to data that was corrupted. Some 73% admitted they lost revenue as a result of the attack, compared to the global average of 66%, while 40% saw their brand or reputation adversely affected, compared to 53% globally.

    Some 37% of Singapore organisations that paid a ransom forked out $140,000 to $1.4 million, and 5% paid ransom amounts of at least $1.4 million. Another 13% acknowledged having to lay off employees due to financial losses following an attack, while 20% were forced to close down.

    Cybereason’s Asia-Pacific vice president Leslie Wong said: “Singapore businesses must understand that paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organisation again, and in the end only exacerbates the problem by encouraging more attacks. Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”

    Globally, the survey found that 81% of respondents were highly concerned about risks posed by such attacks, with 73% saying they had policies or plans in place to specifically manage ransomware attacks.

    Ransomware attacks were projected to cost $265 billion worldwide by 2031, with one attack impacting businesses and consumers every few seconds, according to Cybersecurity Ventures. This year, such attacks were estimated to cost $20 billion, up 57-fold from 2015. Check Point Research also revealed Wednesday that the average number of ransomware attacks worldwide climbed 20% in the last two months, 41% over the last six months, and 93% in the past year. In Singapore, such attacks grew 40% over the last couple of months, 99% in the last half a year, and 147% over the past year, said the security vendor. It added that Latin America and Europe clocked the highest spikes in ransomware attacks since the start of 2021, at 62% and 59%, respectively.

    A Veritas survey last November revealed that 78% of businesses in Singapore and 88% in Australia had paid up ransoms in full or in part after falling victim to such attacks. In addition, 45% in Singapore took between five and 10 days to recover fully from a ransomware attack, compared to 11% in India and 35% in China.

    Cybersecurity vendors typically advise organisations against paying up after experiencing ransomware attacks, advocating instead that businesses adopt a data protection and recovery strategy. Cybereason, though, noted that data backup plans would not work as effectively when cybercriminals launched “double extortion” malware attacks, in which hackers went beyond encrypting data to exfiltrate sensitive data and intellectual property. They then would threaten to expose or peddle the stolen data if their ransom demands were not met.

  • SEC settles with First American over massive leak of mortgage data, disclosure

    The Securities and Exchange Commission (SEC) has agreed to a settlement with First American over the leak of millions of financial records and subsequent disclosure. 

    Announced on Tuesday, the settlement will see the case closed in return for a $487,616 penalty and adherence to a cease-and-desist order. The SEC’s complaints relate to the disclosure of roughly 885 million financial records associated with mortgage deals as far back as 2003 and until 2019.

    Cybersecurity expert Brian Krebs reported the issue to the US real estate giant on May 24, 2019, noting that the leak contained bank account numbers, mortgage records, tax data, Social Security numbers, and driver’s license scans, among other information. The leak was contained to First American’s website and was secured once the company was alerted. First American blamed the extensive security breach on a “design defect,” issued a press statement on May 24, and informed the commission of the exposure on May 28.

    However, the SEC says that First American’s actions were not enough to adhere to disclosure rules, as “senior executives responsible for public statements” were not informed of the “magnitude” of the breach.

    “In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies,” the agency says.

    As a result, the SEC alleged that the company failed to disclose all pertinent and relevant information concerning the breach to regulators, and charged First American with breaking disclosure controls and procedures under Rule 13a-15(a) of the Exchange Act (.PDF). First American has neither confirmed nor denied the SEC’s charges.

    ZDNet has reached out to First American and we will update when we hear back.

  • AI bias and discrimination aplenty: Australian Greens want Online Safety Bill repealed

    Australian Greens co-deputy leader Senator Nick McKim has told the Senate his party wants the pending Online Safety Act withdrawn, asking for it to be re-drafted to take into account a number of concerns that were raised but not addressed during the Bill’s short consultation and scrutiny period.

    Among other things, the Online Safety Bill 2021 extends the eSafety Commissioner’s cyber takedown function to adults, giving the power to issue takedown notices directly to the services hosting the content and end users responsible for the abusive content. The Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, meanwhile, repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.

    McKim, like many others, said the government has been “ramming these Bills through this Parliament without adequate consideration and without adequate scrutiny”.

    The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and, after holding one public hearing, the committee scrutinising its contents handed down its report.

    The government, McKim added, then sought to have the Bills “quickly and quietly waved through” and moved to exempt the Bills from the usual requirements that regulate how quickly Bills can be brought on for debate in the Senate.

    “And as an example of the indecent haste with which the government has operated, these Bills were so rushed that the government is needing to use amendments to fix typos in the original Bill,” he said, addressing the Senate on Wednesday.

    “So these Bills which are intended to protect people from cyber bullies, from cyber abuse, from the non-consensual sharing of intimate images, and from violent and extremist materials — commendable objectives — are being rushed through this place.”

    The typo McKim referred to was the incorrect spelling of “bullying”.

    In the original Bill, there was no complaints mechanism; that has since been rectified somewhat, with the directive given to the eSafety Commissioner to stand one up.

    “In a way, the Parliament is being asked to sign a blank cheque in regards to the creation of that process. Because we have no possibility, as we stand here and debate this Bill today, to know what kind of process the eSafety Commissioner will establish,” he said.

    He also said that just because the incumbent commissioner might be trusted to not misuse her forthcoming sweeping powers, her successor may not behave the same.

    “It should be incumbent on Parliament to make sure that we legislate not just with one particular person in one particular position in mind, but with a clear-eyed focus on the need to make sure that protections will exist past the incumbency of any one person in any one particular position,” he said.

    It isn’t just the rushed nature of the Bills the Greens have taken issue with, as they’ve also raised concerns about the bias that may arise from algorithms that have been conjured up to tackle the requirements of the Bill too.

    “The Bills will also inevitably lead to online platforms resorting to automated processes based on algorithms and artificial intelligence to identify and remove content that could attract penalties,” he said. “The use of AI and algorithms in similar circumstances in places like the US has been extremely controversial, to say the least, and we are concerned that the use of those technologies could lead to disproportionate outcomes like blanket bans, even if that is not the intent of the commissioner.”

    McKim said the use of algorithms and AI would also risk importing racial bias into the regulation of Australia’s online content ecosystem. “We know that that is a risk, because that is exactly what has happened in the US under similar controversial laws,” he said.

    Discrimination, he said, would also be faced by workers in the adult industry.

    “We are concerned about the unintended consequences that could be both harmful to sex workers and adult businesses and to the broader community,” he said. “Under the Bills, as argued by Scarlet Alliance, sex workers will become more vulnerable as they potentially lose access to income safety tools and strategies and to vital peer connections. We’re also concerned that the Bills failed to provide to promote the maximum safety and privacy protections that they could.

    “The Greens absolutely commend the stated objectives of these Bills to keep women, children and the broader Australian community safe in online environments … but we need to make sure that we don’t protect one set of rights by trampling over other rights.”

    He said Bills this significant and targeted at problems so complex should receive full and proper scrutiny.

    “And that is what the government, unfortunately, is seeking to deny.”