More stories


    This NPM package with millions of weekly downloads has fixed a remote code execution flaw

    A very popular NPM package called ‘pac-resolver’ for the JavaScript programming language has been fixed to address a remote code execution flaw that could affect a lot of Node.js applications. The flaw in the pac-resolver dependency was found by developer Tim Perry, who notes it could have allowed an attacker on a local network to remotely run malicious code inside a Node.js process whenever an operator tried to send an HTTP request. Node.js is the popular JavaScript runtime for running JavaScript web applications.


    “This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js,” explains Perry. PAC, or “Proxy Auto-Config”, refers to PAC files written in JavaScript to distribute complex proxy rules that instruct an HTTP client which proxy to use for a given hostname, notes Perry, adding that these are widely used in enterprise systems. They’re distributed from local network servers and from remote servers, often insecurely over HTTP rather than HTTPS. It’s a widespread issue, as Proxy-Agent is used in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK and Google’s Firebase CLI. The package gets three million downloads per week and has 285,000 public dependent repos on GitHub, Perry notes in a blog post.

    The vulnerability was fixed in v5.0.0 of all those packages recently and was marked as CVE-2021-23406 after it was disclosed last week. It will mean a lot of developers with Node.js applications are potentially affected and will need to update to version 5.0. It affects anyone who depends on Pac-Resolver prior to version 5.0 in a Node.js application, if the developers have done any of three things:

    1. Explicitly use PAC files for proxy configuration
    2. Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
    3. Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn’t 100% trust to freely run code on your computer

    “In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.
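As an added example (not code from pac-resolver, Proxy-Agent or Perry's write-up), the following Python script walks a package-lock.json and reports every dependency chain from the project root that ends in one of the three packages at a version before the fixed 5.0.0. The lockfile excerpt is constructed for illustration, and `some-cli-tool` and `left-pad` are placeholders standing in for whatever pulls the proxy chain into a real project.

```python
"""Audit a package-lock.json (lockfileVersion 2) for proxy-agent, pac-proxy-agent
and pac-resolver versions older than the fixed 5.0.0 release (CVE-2021-23406).
Added example, not code from the packages or from the original article."""
import json
from typing import Dict, List, Optional, Tuple

# The three packages the article says were fixed together in v5.0.0.
FIXED_IN_V5 = {"pac-resolver", "pac-proxy-agent", "proxy-agent"}

# Constructed lockfile: 'some-cli-tool' is a made-up top-level dependency that
# pulls in the proxy-agent chain; 'left-pad' is there as a clean control.
CONSTRUCTED_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"some-cli-tool": "^1.0.0", "left-pad": "1.3.0"}},
        "node_modules/some-cli-tool": {
            "version": "1.0.0", "dependencies": {"proxy-agent": "^4.0.1"}},
        "node_modules/proxy-agent": {
            "version": "4.0.1", "dependencies": {"pac-proxy-agent": "^4.1.0"}},
        "node_modules/pac-proxy-agent": {
            "version": "4.1.0", "dependencies": {"pac-resolver": "^4.2.0"}},
        "node_modules/pac-resolver": {"version": "4.2.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def is_vulnerable(name: str, version: str) -> bool:
    """True for one of the three packages at a major version below 5."""
    return name in FIXED_IN_V5 and int(version.split(".")[0]) < 5


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scope-aware)."""
    return path.split("node_modules/")[-1]


def resolve(from_path: str, dep: str, packages: Dict[str, dict]) -> Optional[str]:
    """Locate the lockfile entry Node would load for `dep` required from
    `from_path`: nearest nested node_modules first, then each parent's."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx >= 0 else ""


def vulnerable_chains(lockfile_text: str) -> List[Tuple[str, ...]]:
    """Return every dependency chain from the project root to a vulnerable
    package, e.g. ('<root>', 'some-cli-tool@1.0.0', 'proxy-agent@4.0.1')."""
    packages = json.loads(lockfile_text)["packages"]
    chains: List[Tuple[str, ...]] = []

    def walk(path: str, trail: Tuple[str, ...], seen: frozenset) -> None:
        entry = packages[path]
        label = f"{package_name(path)}@{entry['version']}" if path else "<root>"
        trail = trail + (label,)
        if path and is_vulnerable(package_name(path), entry["version"]):
            chains.append(trail)
        for dep in entry.get("dependencies", {}):
            target = resolve(path, dep, packages)
            if target is not None and target not in seen:   # guards cycles
                walk(target, trail, seen | {target})

    walk("", (), frozenset())
    return chains


if __name__ == "__main__":
    for chain in vulnerable_chains(CONSTRUCTED_LOCKFILE):
        print(" -> ".join(chain))
```

Each reported chain names the top-level dependency that has to be bumped (or overridden) for the fix to reach pac-resolver, which is the information an `npm audit` summary alone does not give you.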


    This is the perfect ransomware victim, according to cybercriminals

    Researchers have explored what the perfect victim looks like to today’s ransomware groups.

    On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. Initial access is now big business. Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system.  When you consider a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential — and can mean that cybercriminals can free up time to strike more targets.  The cybersecurity company’s findings, based on observations in dark web forums during July 2021, suggest that threat actors are seeking large US firms, but Canadian, Australian, and European targets are also considered.  Russian targets are usually rejected immediately, and others are considered “unwanted” — including those located in developing countries — likely because potential payouts are low.  Roughly half of ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table.

    In addition, there are preferred methods of access. Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)-based access prove popular, specifically access to products developed by companies including Citrix, Palo Alto Networks, VMware, Cisco, and Fortinet. “As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical,” the report states.
    KELA also found offerings for e-commerce panels, unsecured databases, and Microsoft Exchange servers — although these may be more appealing for data stealers and criminals attempting to implant spyware and cryptocurrency miners.   “All these types of access are undoubtedly dangerous and can enable threat actors to perform various malicious actions, but they rarely provide access to a corporate network,” the researchers noted. Roughly 40% of listings were created by players in the Ransomware-as-a-Service (RaaS) space. 
    Ransomware operators are willing to pay, on average, up to $100,000 for valuable initial access services. In a past study, KELA observed another trend of note in the ransomware space: increasing demand for negotiators. RaaS operators are attempting to better monetize the stage of an attack when a victim will contact ransomware operators to negotiate a payment, but as language barriers can cause miscommunication, ransomware groups are trying to secure new team members able to manage conversational English. Intel 471 has also found that cybercriminals involved in Business Email Compromise (BEC) scams are trying to recruit native English speakers. As phishing email red flags include poor grammar and spelling mistakes, scam artists are trying to avoid being detected at the first hurdle by paying English speakers to write convincing copy.


    Cybersecurity is tough work, so beware of burnout

    Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

    On top of that, many cybersecurity staff are doing this activity while working from home themselves, an environment that can make it difficult to separate working life from home life. It’s become common for people to work extra hours now that their day isn’t being broken up by travelling to and from an office, and research has identified increasing hours and workloads in cybersecurity – already a high-intensity environment for people to work in. While many security professionals feel as if working those extra hours is necessary to help keep the business secure and safe from cyberattacks, it could be coming at the cost of their own wellbeing. Cybersecurity workers get a real buzz out of solving problems, John Donovan, chief information security officer at Malwarebytes, told the ZDNet Security Update video series. “But I think we’ve got to balance that – there are definitely some folks on the team who do handle it well, but even they need to remember to take a break and to deal with their stress,” he said.

    In order to help this process along, human resources teams or senior managers need to get involved to encourage people to take breaks and make sure that they’re not working overly long hours. “If you have a people or human resources team, it’s really important to take in the human element, not just for cybersecurity training and awareness, but making sure that people are taking care of their mental health, making sure that people do take time off, and when you take time off, to actually really take time off,” said Donovan. Small tweaks can help: for staff working remotely, it could be useful to mark holidays, breaks and lunchtime in the calendar, so there’s actually an alert reminding them that they should step away from the screen for a bit. Doing this can help staff better divide up their work time and their personal time. Not only is this good for the mental wellbeing of people in cybersecurity; being well rested and in a good place will also help if they do need to react to a cybersecurity incident. “It’s important to make sure that you figure out how to have that work/life balance, because you’re not going to be any good if you’re stressed out when that big incident happens. You need to be ready and prepared to take it on,” said Donovan.


    Apple slams the brakes on plans to scan user images for child abuse content

    Apple has paused plans to scan devices for child abuse and exploitation material after the tool prompted concern among users and privacy groups.  

    Announced last month, the new safety features were intended for inclusion in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. The first was a feature for monitoring the Messages application, with client-side machine learning implemented to scan and alert when sexually explicit images are sent, requiring input from the user of whether or not they want to view the material. “As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it,” the company explained. The second batch of changes impacted Siri and Search, with updates included to provide additional information for parents and children to warn them when they stumbled into “unsafe” situations, as well as to “intervene” if a search for Child Sexual Abuse Material (CSAM) was performed by a user. The third was a CSAM-scanning tool, touted as a means to “protect children from predators who use communication tools to recruit and exploit them.” According to the iPhone and iPad maker, the tool would use cryptography “to help limit the spread of CSAM online” while also catering to user privacy. Images would not be scanned in the cloud, rather, on-device matching would be performed in which images would be compared against hashes linked to known CSAM images. “CSAM detection will help Apple provide valuable information to law enforcement on collections of CSAM in iCloud Photos,” the company said. “This program is ambitious, and protecting children is an important responsibility. These efforts will evolve and expand over time.”

    In a technical paper (.PDF) describing the tool, Apple said: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known CSAM in their iCloud Photos accounts. Apple servers flag accounts exceeding a threshold number of images that match a known database of CSAM image hashes so that Apple can provide relevant information to the National Center for Missing and Exploited Children (NCMEC). This process is secure, and is expressly designed to preserve user privacy.” However, the scanner gained controversy online, prompting criticism from privacy advocates and cryptography experts. Matthew Green, Associate Professor at the Johns Hopkins Information Security Institute and a cryptography expert, said the implementation of cryptography to scan for images containing specific hashes could become “a key ingredient in adding surveillance to encrypted messaging systems.” While created with good intentions, such a tool could become a powerful weapon in the wrong hands, such as those of authoritarian governments and dictatorships. The Electronic Frontier Foundation also slammed the plans and launched a petition to put pressure on Apple to backtrack. At the time of writing, the plea has over 27,000 signatures. Fight for the Future and OpenMedia also launched similar petitions.

    On September 3, Apple said the rollout has been halted in order to take “additional time” to analyze the tools and their potential future impact. “Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material,” Apple said. “Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

    Green said it was a positive move on Apple’s part to take the time to consider the rollout. The EFF said it was “pleased” with Apple’s decision, but added that listening is not enough — the tech giant should “drop its plans to put a backdoor into its encryption entirely.” “The features Apple announced a month ago, intending to help protect children, would create an infrastructure that is all too easy to redirect to greater surveillance and censorship,” the digital rights group says. “These features would create an enormous danger to iPhone users’ privacy and security, offering authoritarian governments a new mass surveillance system to spy on citizens.”


    Dallas school district admits SSNs and more of all employees and students since 2010 accessed during security incident

    The Dallas Independent School District — one of the biggest school districts in the United States — has released an advisory saying the personal data of students and employees was accessed and downloaded during a “data security incident.” The school district serves more than 150,000 students and said in a notice that any student, employee, parent or contractor with the school district since 2010 is affected by the incident. When asked by ZDNet whether this was a cyberattack, the school district would not say. The district received notice of the data security incident on August 8 and said federal law enforcement agencies are now involved in the effort to address what happened. Although the investigation is still ongoing, the district believes someone accessed its network, downloaded data and temporarily stored it on an encrypted cloud storage site. The notice claims the data has been “removed from the site” but does not explain how this was done, or whether the data was put somewhere else or sent to someone else. Data that the school district is allegedly “required by law to maintain” was exposed during the attack, including the first and last names, addresses, phone numbers, social security numbers and dates of birth of current and former students, employees and parents. Some students even had information about their custody status and/or medical condition exposed during the attack.

    For employees and contractors, the hackers also gained access to their dates of employment, salary information and reason for ending employment. “Despite our efforts, the district is now one of a growing number of public and private organizations experiencing cyberattacks,” the school district said. “The district’s IT team, assisted by forensic consultants, has addressed specific vulnerabilities that were exploited during this event and will continue efforts to augment security going forward. We regret any inconvenience this incident may have caused and believe it is our responsibility to inform the public that we are taking steps to notify individuals whose records have been impacted.” The district will be updating a website with information about the attack and said anyone who would like to sign up for free credit monitoring should call (855) 651-2605. The hotline is being run by identity protection technology company Kroll, which the Dallas Independent School District hired to manage the aftermath of the attack. The school district said it would be providing more specific information about what data from each person was accessed and would be sending it to Kroll, which could then let people know if they call the hotline. Kroll is offering victims just 12 months of credit monitoring and ID theft recovery services. The school district is creating a website that allows victims to enter their information to access credit monitoring. Victims can also call to activate the monitoring. The credit monitoring website will be available to victims on September 10. “We continue to investigate and remediate this incident. The district is conducting a comprehensive review of its systems and implementing additional security measures. We are confident these changes will decrease the possibility of a future incident,” the district statement explained.


    CISA urges IT teams to address critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software

    CISA released a note this week urging IT teams to update a Cisco system that has a critical vulnerability. The vulnerability affects Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1, and Cisco released software updates that address the vulnerability on Wednesday. The vulnerability “could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator,” according to Cisco. The vulnerability is in the TACACS+ authentication, authorization and accounting (AAA) feature of NFVIS. “This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device,” Cisco said. “There are no workarounds that address this vulnerability. To determine if a TACACS external authentication feature is enabled on a device, use the show running-config tacacs-server command.” Cisco urged IT teams to contact the Cisco Technical Assistance Center or their contracted maintenance providers if they face any problems.

    “The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory,” Cisco added, thanking Cyrille Chatras of Orange Group for reporting the vulnerability. John Bambenek, threat intelligence advisor at Netenrich, said it is a “pretty major problem for Cisco NFV devices that highlights software engineers still struggle with input validation vulnerabilities that have plagued us for almost three decades.” “Easy acquisition of administrative rights on any device should be concerning and organizations should take immediate steps to patch their devices,” Bambenek added.


    US Cybercom says mass exploitation of Atlassian Confluence vulnerability 'ongoing and expected to accelerate'

    US Cybercom has sent out a public notice warning IT teams that CVE-2021-26084 — related to Atlassian Confluence — is actively being exploited. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” US Cybercom said in a tweet on Friday ahead of the Labor Day weekend holiday. A number of IT leaders took to social media to confirm that it was indeed being exploited. Atlassian released an advisory about the vulnerability on August 25, explaining that the “critical severity security vulnerability” was found in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. “An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the company said in its advisory. It urged IT teams to upgrade to the latest Long Term Support release and said that if that is not possible, there is a temporary workaround. “You can mitigate the issue by running the script below for the Operating System that Confluence is hosted on,” the notice said.

    The vulnerability only affects on-premise servers, not those hosted in the cloud. Multiple researchers have illustrated how the vulnerability can be exploited and released proof-of-concepts showing how it works. Bad Packets said they “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”

    Censys explained in a blog post that over the last few days, its team has “seen a small shift in the number of vulnerable servers still running on the public internet.” “On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances,” Censys said. The company explained that Confluence is a “widely deployed Wiki service used primarily in collaborative corporate environments” and that it “has become the de facto standard for enterprise documentation over the last decade.” “While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian’s Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL),” the blog said. “Yes, that is the same class of vulnerability used in the Equifax breach back in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.”

    A Censys chart showing how many servers are still vulnerable.

    “There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect and the advisory was updated today to reflect the new information. It’s only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about,” Censys added. Yaniv Bar-Dayan, CEO of Vulcan Cyber, told ZDNet that security teams need to fight fire with fire as they work to prioritize and remediate this Confluence flaw. Attackers shouldn’t be the first to automate scans for this exploit, and hopefully IT security teams are ahead of their adversaries in proactively identifying the presence of this vulnerability and are taking steps to mitigate it, Bar-Dayan said. “Given the nature of Atlassian Confluence, there is a very real chance components of the platform are Internet exposed,” Bar-Dayan added. “This means that attackers won’t need internal network access to exploit the RCE vulnerability. A patch is available and administrators should deploy it with extra haste while also considering other mitigating actions such as ensuring no public access is available to the Confluence Server and services.” BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.
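The kind of inventory check Bar-Dayan describes starts with turning the advisory's four version ranges into code. The following Python script is an added example (not Atlassian's or Censys' code) that encodes exactly the ranges quoted above, with the fixed version exclusive and the lower bound inclusive, and triages a constructed list of hosts and self-reported versions; the hostnames are placeholders.

```python
"""Classify Confluence Server / Data Center versions against the affected
ranges Atlassian published for CVE-2021-26084.  Added example, not Atlassian's
or Censys' code; the inventory below is constructed."""
from typing import List, Tuple

Version = Tuple[int, ...]

# (first affected version, or None for 'every earlier release'; first fixed
# version), copied from the advisory text quoted in the article.
AFFECTED_RANGES = [
    (None, "6.13.23"),      # everything before 6.13.23
    ("6.14.0", "7.4.11"),   # from 6.14.0 before 7.4.11
    ("7.5.0", "7.11.6"),    # from 7.5.0 before 7.11.6
    ("7.12.0", "7.12.5"),   # from 7.12.0 before 7.12.5
]


def parse_version(text: str) -> Version:
    """'7.4.11' -> (7, 4, 11).  Assumes plain dotted numeric versions."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True if `version` falls in any affected range: lower bound inclusive,
    fixed version exclusive.  Releases in the gaps between ranges (for
    example 7.4.11 up to 7.5.0) already carry the fix."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if (lower is None or parse_version(lower) <= v) and v < parse_version(fixed):
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (host, version) pairs into hosts that need the upgrade and hosts
    already on a fixed release, preserving inventory order."""
    affected, fixed = [], []
    for host, version in inventory:
        (affected if is_affected(version) else fixed).append(host)
    return affected, fixed


# Constructed inventory: hostnames and versions are illustrative only, chosen
# to sit on both sides of each boundary in the advisory.
CONSTRUCTED_INVENTORY = [
    ("wiki-a.example.test", "6.13.22"),
    ("wiki-b.example.test", "6.13.23"),
    ("wiki-c.example.test", "7.4.10"),
    ("wiki-d.example.test", "7.4.11"),
    ("wiki-e.example.test", "7.11.5"),
    ("wiki-f.example.test", "7.12.4"),
    ("wiki-g.example.test", "7.13.0"),
]

if __name__ == "__main__":
    needs_patch, ok = triage(CONSTRUCTED_INVENTORY)
    print(f"{len(needs_patch)} affected: {needs_patch}")
    print(f"{len(ok)} on a fixed release: {ok}")
```

A version banner only tells you what the server claims to be, so an inventory built this way should be confirmed against the installed package before a host is marked safe.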


    AWS researcher merges the power of two quantum computers to help make cryptography keys stronger

    Amazon’s researcher put together Rigetti’s and IonQ’s quantum processors to generate random numbers that are the basis of cryptography keys.    
    Combining the capabilities of two quantum computers, a researcher from Amazon’s quantum unit Braket has come up with a new way to create truly random numbers that are necessary to protect sensitive data online, ranging from blockchain ledgers to government secrets. Amazon’s research scientist Mario Berta put together Rigetti’s and IonQ’s quantum processors, which are both available through the company’s cloud-based quantum computing services, to generate random numbers that are the basis of cryptography keys.  These keys can in turn be used to encrypt critical data, by encoding information into an unreadable mush for anyone but those who are equipped with the appropriate key to decode the message. Randomness has a fundamental role to play in cryptography: the more random the key is, the harder it is to crack by a malicious actor trying to get their hands on the data. 

    There are many ways to generate random numbers, with the most straightforward method simply consisting of flipping a coin and assigning values of zero or one to the two possible outcomes. Repeat the procedure many times, and you’ll find yourself with a totally random string of bits, which you can turn into a secure cryptography key. Manually flipping coins, however, isn’t enough to keep up with the scale of demand for data security. This is why modern cryptography relies on new technologies known as random number generators, which create streams of bits that are used to produce strong cryptography keys.  This is what Berta has now achieved thanks to quantum processors. “Quantum random number generators (QRNGs) hold promise to enhance security for certain use cases,” said Berta in a blog post. 

    Of course, security experts have not waited for quantum computers to come along to start working on random number generation for cryptography keys. For years, classical systems have been used, in which coin flipping is replaced with ring oscillators that create a seed of randomness in the form of a few bits. This seed value is then processed by pseudo-random number generators (PRNGs), which use software algorithms to generate longer sequences of numbers with statistical properties similar to those of the original random numbers. But the method has its shortcomings. Ring oscillators, for example, behave in a way that an attacker equipped with lots of compute power could predict; and PRNGs, which are based on computational assumptions, are also at risk of being second-guessed by hackers. In other words, the randomness generated by classical means is only partial, meaning that it is in principle possible to mathematically solve for the cryptography key that is created on top of the numbers. Not so with quantum-generated numbers. “These potential vulnerabilities of classical technologies for generating randomness can be addressed with quantum technologies that make use of the inherent unpredictability of the physics of microscopically small systems,” said Berta.

    Berta leveraged a property that is intrinsic to quantum physics by which quantum particles exist in a special quantum state called superposition. In a quantum computer, this means that quantum bits (or qubits) can be a value of zero and one at the same time – but that they collapse to either value as soon as they are measured. Whether qubits collapse to zero or one, however, is random. This means that, even equipped with complete information about the quantum state, it is impossible to know in advance to which value the qubit will collapse when measured. A given number of qubits, therefore, can provide a string of bits with an equal number of completely random values. “Unique quantum features thereby allow the creation of freshly generated randomness that provably cannot be known by anyone else in advance,” said Berta.

    The catch is that today’s quantum computers are unreliable and noisy, which can alter the randomness of the quantum effect and defeat the whole point of the experiment. What’s more, information about the noise can leak into the environment, meaning that a potential hacker could find the data they need to figure out the measurement outcomes obtained in the quantum processor. To tackle this issue, Berta used two quantum processors to produce two independent strings of bits, which he described as only “weakly” random. The strings are then processed by a classical algorithm called a randomness extractor (RE), which can combine multiple sources of weakly random bits into one output string that is nearly perfectly random. Unlike with classical means, the post-processing doesn’t involve any computational assumptions that could be cracked by hackers. Rather, REs condense physical randomness from the different sources. “So, two independent sources that are only weakly random get condensed by these algorithms to one output that is (nearly) perfectly random,” said Berta. “Importantly, the output becomes truly physically random with no computational assumptions introduced.”

    Berta predicted that as QRNGs become cheaper and more accessible, they could play an important role in high-security applications, especially as the flaws of classical methods become more apparent. Earlier this year, for example, researchers from security firm Bishop Fox discovered that up to 35 billion Internet-of-Things devices were at risk due to a classical generator failing to create numbers that were random enough to protect sensitive data. And as compute power increases, random number generator attacks are certain to multiply, rendering existing cryptographic schemes insecure.

    The prospect of current encryption protocols becoming obsolete, however, is still far off. It would require hackers to gain access to huge amounts of compute power to crack today’s cryptography keys – the kind of power that is expected to be unleashed by quantum computers one day, but not before at least a decade. “State-of-the-art implementations of this classical technology for generating randomness sufficiently address nearly all of today’s needs,” said Berta. It remains that a growing number of companies are thinking further ahead and already starting to strengthen their security protocols by increasing the randomness of their cryptography keys. Verizon, for example, recently trialed a “quantum-safe” VPN between London and Ashburn in Virginia; and quantum software company Cambridge Quantum is working on a method to future-proof critical information stored in blockchains. Berta, for his part, encouraged Braket users to get started themselves, by trying their hand at random number generation directly within AWS’s quantum cloud service. More information can be found in the Braket GitHub repository.
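To make the two-source extractor step concrete, the following Python script is an added illustration (not Berta's or Amazon Braket's code) of one standard construction from the randomness-extraction literature, a Toeplitz matrix over GF(2) built from one source and multiplied by the other; whether Berta used this particular extractor is an assumption. The two "weak sources" are constructed with a biased, seeded pseudo-random generator standing in for the Rigetti and IonQ samples, so the script runs offline.

```python
"""Two-source randomness extraction with a Toeplitz matrix over GF(2).
Added example: not Berta's or Amazon Braket's code.  The two 'weak sources'
are constructed with a biased, seeded PRNG standing in for QPU samples."""
import random
from typing import List, Tuple


def toeplitz_extract(x: List[int], y: List[int], m: int) -> List[int]:
    """Multiply the m x n Toeplitz matrix T defined by source x (length n+m-1,
    T[i][j] = x[i - j + n - 1]) with source y (length n), all arithmetic mod 2.
    Each output bit is an XOR of n AND-terms that each consume a fresh bit
    from both sources, so bias in either source is driven down exponentially
    in n.  No computational assumption is involved: this is plain linear
    algebra over the two physical sources."""
    n = len(y)
    if len(x) != n + m - 1:
        raise ValueError("source x must have n + m - 1 bits")
    out = []
    for i in range(m):
        bit = 0
        for j in range(n):
            bit ^= x[i - j + n - 1] & y[j]
        out.append(bit)
    return out


def weak_source(rng: random.Random, length: int, p_one: float) -> List[int]:
    """Constructed stand-in for a noisy QPU: independent bits with P(1)=p_one
    (p_one != 0.5 models a biased, 'weakly random' device)."""
    return [1 if rng.random() < p_one else 0 for _ in range(length)]


def bias_experiment(seed: int = 1, trials: int = 1000, n: int = 64, m: int = 16,
                    p_one: float = 0.8) -> Tuple[float, float]:
    """Return (mean of raw source bits, mean of extracted bits) over `trials`
    runs.  The raw inputs sit near p_one; a well-extracted output sits near 0.5."""
    rng = random.Random(seed)
    raw_ones = raw_total = out_ones = out_total = 0
    for _ in range(trials):
        # Two independent weak sources, as in the two-QPU setup described above.
        x = weak_source(rng, n + m - 1, p_one)
        y = weak_source(rng, n, p_one)
        raw_ones += sum(x) + sum(y)
        raw_total += len(x) + len(y)
        extracted = toeplitz_extract(x, y, m)
        out_ones += sum(extracted)
        out_total += m
    return raw_ones / raw_total, out_ones / out_total


if __name__ == "__main__":
    raw_mean, out_mean = bias_experiment()
    print(f"raw source bits: P(1) = {raw_mean:.3f}")
    print(f"extracted bits:  P(1) = {out_mean:.3f}")
```

The bias reduction shown here holds only when the two sources are genuinely independent and each carries enough min-entropy; a biased coin is a convenient model, but a real deployment has to justify those two properties for the physical devices.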
