
    US blames Iran for spoofed Proud Boys emails threatening Democrat voters

    Image: Proofpoint
    In a short press conference held today by the US Department of Justice, high-ranking officials with the US government claimed that Iran was behind a wave of emails sent to US voters earlier this week.


    Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US Presidential Election.
    The senders claimed to have “gained access into the entire [US] voting infrastructure,” but appeared to use public voter registration databases to target Democrat voters in Alaska, Arizona, and Florida.
    Two waves of emails were sent this week, the first on Tuesday (October 20), and the second on Wednesday (October 21), according to a report from email security firm Proofpoint, which has been tracking the spam campaigns.
    The second wave of emails, besides the original message threatening Democrat voters, also included a link to a video claiming to show an individual printing out a voting ballot with another person’s information (a copy of the video is embedded in the Proofpoint report). The video was debunked by several US news media publications.
    Responding to intense media coverage surrounding the emails, in a short press conference earlier today, FBI Director Christopher Wray and Director of National Intelligence John Ratcliffe attributed the spam campaigns to Iran.
    Addressing the video shared in the emails, Ratcliffe added that “the information in the video is not true.”
    Ratcliffe also said that, besides Iran, Russia has also “taken specific actions to influence public opinion relating to our election.”
    “Although we have not seen the same actions from Russia, we are aware that they have obtained some voter registration information,” Ratcliffe added.
    The two officials urged the US public to remain calm and not spread any similar messages they receive in the future.
    Neither of the two officials presented any evidence during the press conference but only made short statements.
    Spokespersons for several cyber-security firms could not confirm the Iranian attribution when asked by ZDNet today. However, they didn’t dismiss it either.
    “Iranian information operations date back at least eight years and they have grown beyond fake news sites and social network activity to elaborate tactics, such as impersonating journalists to solicit video interviews and placing op-eds. They have even impersonated American politicians,” John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence, told ZDNet.
    “The information operations we have seen from Iran to date have been about amplifying pro-Iranian messages and pushing a desired narrative out into the world that’s anti-Saudi or anti-Israeli or pro-JCPOA,” he added.
    “This is different. This is deliberate interference in our democracy and it crosses a major red line. I think the Intel community scored a win here against Iran today,” Hultquist said.

    This is assuming that Iran’s ultimate objective is to promote a candidate or a party. That’s not the case. Iran’s goal (much like Russia and China) is to sow chaos and undermine trust in democratic institutions and in our elections.
    — Ariane Tabatabai (@ArianeTabatabai) October 22, 2020


    Mastercard, Idemia, and MatchMove to pilot contactless card with biometric reader in Asia

    Image: Mastercard
    Mastercard has teamed up with identity solutions firm Idemia and Singapore-based fintech MatchMove to pilot a biometric fingerprint card to authorise in-store payment transactions in Asia.
    The card, called F.Code Easy, is embedded with a sensor that allows customers to authorise a payment using their fingerprint instead of a PIN or signature. The fingerprint sensor is powered by energy drawn from the payment terminal.
    The payments giant said all biometric credentials will be stored on the card chip, rather than a central database, touting it would “enhance security and safety of contactless payments”. 
    “As people make a permanent move to contactless transactions, the biometric card promises more choice and greater security for consumers,” Mastercard Asia Pacific executive president Matthew Driver said.
    “With Mastercard’s focus on digital commerce, this solution is a testament to the innovative partnerships Mastercard cultivates and its mission to provide fast, frictionless payment experiences that are protected at every point.”
    The pilot biometric card will be developed by Idemia and issued by MatchMove in Q4 to employees of all three companies involved in the project. Mastercard said participating employees could then use their cards for transactions and live demonstrations for customers.  
    Mastercard debuted its fingerprint sensor-embedded credit card back in 2017. Trials were initially underway in South Africa at the time, with the payments giant touting it had planned for a global rollout by the end of that year.
    Credit card chips and SIM cards maker Gemalto then followed in Mastercard’s footsteps the year after, launching a contactless credit card with a fingerprint reader to Bank of Cyprus customers. 
    Meanwhile, over in Australia, Mastercard has partnered with EML Payments Ltd, the Commonwealth Bank of Australia, and Transport for New South Wales to trial the Opal digital card before the end of the year.
    According to a Transport for NSW spokesperson, the trial will enable customers to access the Opal digital card via their digital wallet on their smartphone or watch, and use it to tap on and off each time they travel on the Opal transport network, in place of a physical Opal card.
    As part of the trial, up to 10,000 Adult Opal customers will have access to the digital version of the Opal card.
    “The Opal digital card will also have the ability to be used on private modes of transport, making it even easier for customers to use Opal for their transport needs,” the Transport for NSW spokesperson said.
    “Mastercard demonstrated that with its global experience in developing digital payment technology, they are well-placed to offer the best solution and most competitive price to support Transport for NSW’s requirements.”  
    In other banking news, Macquarie said it is now allowing customers to personalise their digital security settings, including choosing to approve or deny when a login attempt is being made to their account.
    Available through the bank’s verification app, Macquarie Authenticator, the new security features allow customers to choose between three levels of digital banking authentication.
    These are: standard security, where additional verification is only required for changes to sensitive account details and certain financial transactions; enhanced security, where verification is required on all attempted logins except from trusted devices; and ultimate security, where all attempted logins, from trusted and unknown devices alike, require additional verification.
    “We’re empowering our customers to choose enhanced security options, giving them extra peace of mind with an intuitive push alert from the Macquarie Authenticator app, whenever a login is attempted to their accounts,” Macquarie’s banking and financial services group head of personal banking Ben Perham said.
    Mastercard takes a stance against climate change
    Earlier this week, Mastercard announced the launch of its Priceless Planet Coalition in Australia that is designed to bring together local organisations — together with forestry experts Conservation International (CI) and World Resources Institute (WRI) — to collectively plant 100 million trees over five years.
    Members of the coalition include Barclays Bank US, Berkshire Bank, BMO Financial Group, Hawaiian Airlines, Scotiabank, to name a few, as well as Australia’s Archa and 1derful. 
    Mastercard has named Australia, Brazil, and Kenya as the selected locations for its forest restoration project. Beyond these initial locations, the project portfolio will be expanded to include other locations that meet “established criteria”, the company said.
    “In Australia, through the Priceless Planet Coalition, Mastercard is empowering its network of partners and consumers who share its commitment to being a force for good in the world to unite in action and create exponential impact for the environment. Mastercard welcomes all Australian organisations, big or small, to get involved,” Mastercard Australasia division president Richard Wormald said.  


    WordPress deploys forced security update for dangerous bug in popular plugin

    The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin.

    WordPress sites running the Loginizer plugin were forcibly updated this week to Loginizer version 1.6.4.
    This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.
    Loginizer is one of today’s most popular WordPress plugins, with an install base of over one million sites.
    The plugin provides security enhancements for the WordPress login page. According to its official description, Loginizer can blacklist or whitelist IP addresses from accessing the WordPress login page, can add support for two-factor authentication, and can add simple CAPTCHAs to block automated login attempts, among many other features.
    SQL injection discovered in Loginizer
    This week, security researcher Slavco Mihajloski disclosed a severe vulnerability in the Loginizer plugin.
    According to a description provided by the WPScan WordPress vulnerability database, the security bug resides in Loginizer’s brute-force protection mechanism, enabled by default for all sites where Loginizer is installed.
    To exploit this bug, an attacker can try to log into a WordPress site using a malformed WordPress username in which they can include SQL statements.
    When the authentication fails, the Loginizer plugin will record this failed attempt in the WordPress site’s database, along with the failed username.
    But as Slavco and WPScan explain, the plugin doesn’t sanitize the username and leaves the SQL statements intact, allowing remote attackers to run code against the WordPress database — in what security researchers refer to as an unauthenticated SQL injection attack.
    “It allows any unauthenticated attacker to completely compromise a WordPress website,” Ryan Dewhurst, Founder & CEO of WPScan, told ZDNet in an email today.
    Dewhurst also pointed out that Mihajloski provided a simple proof-of-concept script in a detailed write-up published earlier today.
    “This allows anyone with some basic command-line skills to completely compromise a WordPress website,” Dewhurst said.
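    To make the defect class concrete, here is an added illustration that is not Loginizer’s own code: a WordPress-style failed-login logger that interpolates the submitted username straight into SQL, beside the parameterized form built on WordPress’s `$wpdb` API. The table name `failed_logins`, the function names and the `wp_login_failed` hook wiring are assumptions for the example.

```php
<?php
// Added illustration, not Loginizer's code. Assumes the WordPress runtime:
// the global $wpdb object, $wpdb->prefix, $wpdb->query(), $wpdb->insert(),
// $wpdb->prepare(), $wpdb->get_var(), current_time() and the
// 'wp_login_failed' action. The table name "failed_logins" is hypothetical.

// VULNERABLE pattern: the attacker-controlled $username is concatenated into
// the statement text, so quote characters inside it are parsed as SQL rather
// than stored as data. This is the shape of bug the article describes.
function log_failed_login_vulnerable( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $sql   = "INSERT INTO {$table} (username, ip, attempted_at) "
           . "VALUES ('" . $username . "', '" . $ip . "', NOW())";
    return $wpdb->query( $sql ); // SQL text and user data are not separated
}

// HARDENED pattern: $wpdb->insert() builds a prepared statement from the
// format array, so the username is always bound as a literal string value.
// No manual escaping is needed because the data never becomes SQL text.
function log_failed_login_safe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    return $wpdb->insert(
        $table,
        array(
            'username'     => $username,
            'ip'           => $ip,
            'attempted_at' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}

// Same principle for a hand-written query: placeholders go through
// $wpdb->prepare(), which quotes %s values and casts %d values to integers.
function count_recent_failures( $username, $ip, $minutes = 15 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE username = %s AND ip = %s "
        . "AND attempted_at > DATE_SUB(NOW(), INTERVAL %d MINUTE)",
        $username,
        $ip,
        $minutes
    );
    return (int) $wpdb->get_var( $sql );
}

// Wire the safe logger to WordPress's failed-login hook (assumed usage).
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    log_failed_login_safe( $username, $ip );
} );
```

    Reviewing a plugin for this bug class means looking for any `$wpdb->query()` or `$wpdb->get_*()` call whose SQL string is assembled from request data without passing through `$wpdb->prepare()`.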
    Forced plugin update receives public backlash
    The bug is one of the worst security issues discovered in WordPress plugins in recent years, and it’s why the WordPress security team appears to have decided to forcibly push the Loginizer 1.6.4 patch to all affected sites.
    Dewhurst told ZDNet that this “forced plugin update” feature has been present in the WordPress codebase since v3.7, released in 2013; however, it has been used very rarely.
    “A vulnerability I myself discovered in the popular Yoast SEO WordPress plugin back in 2015 was forcibly updated. Although, the one I discovered was not nearly as dangerous as the one discovered within the Loginizer WordPress plugin,” Dewhurst said.
    “I’m not aware of any other [cases of forced plugin updates], but it is very likely that there have been others,” the WPScan founder added.
    But there’s a reason why the WordPress security team doesn’t use this feature for all plugin vulnerabilities and reserves it for the most severe bugs.
    As soon as the Loginizer 1.6.4 patch started reaching WordPress sites last week, users started complaining on the plugin’s forum on the WordPress.org repository.
    “Loginizer has been updated from 1.6.3 to 1.6.4 automatically although I had NOT activated this new WordPress option. How is it possible?” asked one disgruntled user.
    “I have the same question too. It has happened on 3 websites I look after of which none of them have been set to auto update,” said another.
    Similar negative feedback was also seen back in 2015 when Dewhurst first saw the plugin forced update feature being deployed by the WordPress team.

    The more I think about it, the more infuriating the auto-update of WP SEO gets.
    — My name is Doug, I have just met you, & I LOVE YOU (@zamoose) March 12, 2015

    Dewhurst believes the feature isn’t more broadly used because the WordPress team fears the “risks of pushing a broken patch to so many users.”
    WordPress core developer Samuel Wood said this week the feature had been used “many times” but did not provide details about other instances. In 2015, another WordPress developer said the plugin forced update feature had been used only five times since it launched in 2013, confirming that the feature is reserved for critical bugs, those impacting millions of sites, rather than any plugin vulnerability.


    Cybersecurity: Do these things to keep your business safe from hackers, retailers told

    Retailers face potential threats from cyber criminals, including ransomware, malware and phishing attacks, and a new guide developed with the aid of the National Cyber Security Centre (NCSC) aims to stop retailers falling victim to such attacks.
    The Cyber Resilience Toolkit for Retail has been developed by the British Retail Consortium (BRC) and the NCSC and attempts to provide a ‘plain English’ guide to cybersecurity for management and boards of retailers.


    The nature of retailers, and the way they deal with not only financial data but personal information, has always made them a tempting target for cyber criminals. During the course of 2020, the BRC says there’s been a rise in the number of online purchases, potentially providing cyber criminals with richer spoils if they conduct a successful cyberattack against an e-commerce site.
    “We want to keep shoppers’ data, identity and privacy safe, and to ensure that the retail sector is well equipped to face the cyber challenges associated with an ever-more digital world,” said Dr Ian Levy, technical director at the NCSC.
    “Cybersecurity need not be daunting. There are a number of straightforward best-practice measures you can put in place to ensure you are protecting yourself and your customers,” he added.
    Those best-practice measures include using strong passwords, having good cybersecurity awareness training for staff and backing up data regularly, so if a successful ransomware attack occurs, the organisation is able to restore from backups.
    It’s also recommended that management knows what procedures are in place and what to do if a cyberattack happens – and who to call if they need help.
    “Last year, retailers spent over £186 million on cybersecurity, but the growth in online selling means there is an increasing threat of new cyber breaches and sophisticated hacking techniques. As a result, retailers need to ensure their systems are watertight and up to date,” said Helen Dickinson, chief executive of the British Retail Consortium.
    The toolkit also contains advice on areas that potential threats could come from that retailers might not have considered. These include people working from home, malicious insiders, the supply chain and legacy systems that have been forgotten about.
    The guide also urges retailers to take advantage of the NCSC’s Exercise in a Box – a free tool that allows organisations to test their cyber defences based on common hacking scenarios and real-life cyber incidents.


    Adobe releases another out-of-band patch, squashing critical bugs across creative software

    Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products. 

    The patch, released outside of the tech giant’s typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 
    Published on October 20, the first app tackled is Illustrator, which received a fix for seven critical vulnerabilities. The memory corruption and out of bounds read/write issues, when exploited, can lead to arbitrary code execution. 
    Adobe Dreamweaver was subject to an “important” uncontrolled search path element security flaw which could be exploited for the purpose of privilege escalation, and another “important” issue impacting the Marketo Sales Insight Salesforce package, a cross-site scripting (XSS) bug, could have been weaponized to deploy malicious JavaScript in a browser session. 
    Adobe’s next batch of fixes focused on Animate, in which four critical vulnerabilities — out-of-bounds read, stack overflow, and double-free problems — all resulting in arbitrary code execution were resolved.  
    After Effects, too, contained critical issues that have since been patched. A single out-of-bounds read and an uncontrolled search path problem leading to the execution of malicious code are now patched. 
    Critical uncontrolled search path problems were also found and fixed in Photoshop, Premiere Pro, Media Encoder, and Creative Cloud installer for desktop.
    Finally, a single, critical memory corruption bug has been patched in InDesign that could also be abused to execute arbitrary code. 
    Adobe thanked researchers working with the Trend Micro Zero Day Initiative and from Fortinet’s FortiGuard Labs, Qihoo 360 CERT, Root Fix, and Decathlon, among others, for their disclosures.
    Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical — including a bug that could be abused to tamper with Magento customer lists.


    MobileIron enterprise MDM servers under attack from DDoS gangs, nation-states

    Image: Orange Tsai
    A month after details were published about three severe vulnerabilities in a type of server used to manage fleets of mobile devices, multiple threat actors are now exploiting these bugs to take over crucial enterprise servers and even orchestrate intrusions inside company networks.
    The targets of these attacks are MDM servers from software maker MobileIron.
    MDM stands for Mobile Device Management. MDM systems let companies manage employees’ mobile devices from a central server: system administrators can deploy certificates, apps and access-control lists, and remotely wipe stolen phones.
    In order to enforce these features, MDM servers need to be online all the time and reachable over the internet, so remote employees’ phones can report back to the company and get the latest updates.
    Three major bugs discovered in MobileIron MDMs
    Earlier this summer, a security researcher named Orange Tsai discovered three major vulnerabilities in MobileIron’s MDM solutions, which he reported to the vendor, and which the company patched in July.

    Tsai initially withheld in-depth details about the three bugs, giving companies time to update their systems.
    However, many did not. Tsai eventually published a detailed write-up about the three bugs in September, after he used one of the bugs to hack into Facebook’s MDM server and pivot to the company’s internal network as part of Facebook’s bug bounty program.
    Exploitation begins after PoC is published on GitHub
    But Tsai’s blog post also had some unintended consequences. Other security researchers used the details in his blog to create public proof-of-concept (PoC) exploits for CVE-2020-15505, the most dangerous of the three bugs that Tsai discovered over the summer.
    This PoC exploit was later released on GitHub and made available to other security researchers and penetration testers, but also to attackers.
    And just like all the times before when someone released a PoC for a dangerous bug on GitHub, attacks followed within days.
    The first wave took place at the start of October and was detected by RiskIQ researchers.
    Not that much is known about these attacks, as RiskIQ never went into details, but a report from BlackArrow, published on October 13, breaks down a threat actor’s attempts to hack into MobileIron MDM systems and install the Kaiten DDoS malware.
    But if companies thought that getting their MDM server infected with DDoS malware was the worst thing that could happen, they thought wrong.
    Today, the US National Security Agency (NSA) listed the MobileIron CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months.
    The NSA said Chinese threat actors have been using the MobileIron bug, along with many others, to gain an initial foothold on internet-connected systems, and then pivot to internal networks.
    Companies urged to patch
    With MobileIron boasting that more than 20,000 companies use its MDM solutions, including many Fortune 500 companies, this vulnerability is shaping up to be one of the most dangerous security flaws disclosed this year.
    With such a huge install base, MobileIron MDM servers are likely to remain under attack for the foreseeable future.
    But at this point in time, patching is only half of the job. Companies must also perform security audits of their MobileIron MDM servers, their mobile devices, and internal networks.
    This is because CVE-2020-15505 can be considered a gateway bug. Once exploited, intruders can use this bug to take over the entire MDM server and then deploy malware on mobile devices connected to the MDM server or access the company’s internal network, to which the MDM server is likely to be connected.


    Adobe previews content attribution tool in Photoshop to fight deep fakes

    Adobe has begun testing a method to securely watermark digital assets such as photos in its applications to ensure proper attribution of digital media, it said in a blog post Tuesday afternoon.
    The watermarking function is part of a broader industry effort to use authentication of authorship as a means to combat deep fakes and other misleading materials on the Internet.
    Adobe’s Photoshop image editing tool, and its Behance marketplace for digital media, have gained a feature to add authorship data via a palette of meta-data that can be turned on and off, according to an essay posted Tuesday by Will Allen, the Adobe executive in charge of the software.
    “The tool is built using an early version of the open standard that will provide a secure layer of tamper-evident attribution data to photos, including the author’s name, location and edit history,” wrote Allen. 
    In a YouTube video, a walk-through is shown of what’s called the Content Credentials panel, a palette that pops up in the Adobe UI just like brushes and other palettes. 
    The Credentials panel lets a user turn on or off the meta-data on the image. The meta-data contains information such as the author of the image. As the image is manipulated in Photoshop, the Credentials panel keeps track of the actions and adds those changes to the meta-data of the image.
    The Credentials panel is working off of a proposed open standard for credentials that is being promoted by the Content Authenticity Initiative, a group formed a year ago by Adobe at its MAX user conference, in conjunction with The New York Times and Twitter. The CAI is promoting the adoption of meta-data across software platforms as a universal, secure means of enforcing authorship data.
    A white paper posted by CAI describes various workflows. In the case of image data, a photojournalist would use a CAI-compliant device to capture the photo, and the device would automatically attach the authorship meta-data to the photo file, which would then be imported into Photoshop and other CAI-compliant software tools.


    Google releases Chrome security update to patch actively exploited zero-day

    Google released Chrome version 86.0.4240.111 earlier today to deploy security fixes, including a patch for an actively exploited zero-day vulnerability.
    The zero-day is tracked as CVE-2020-15999 and is described as a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions.
    In-the-wild attacks leveraging this FreeType bug were discovered by security researchers from Project Zero, one of Google’s internal security teams.
    According to Project Zero team lead Ben Hawkes, a threat actor was spotted abusing this FreeType bug to mount attacks against Chrome users.
    Hawkes now urged other app vendors who use the same FreeType library to update their software as well, in case the threat actor decides to shift attacks against other apps.
    A patch for this bug has been included in FreeType 2.10.4, released earlier today.
    Chrome users can update to v86.0.4240.111 via the browser’s built-in update function (see the Chrome menu, the Help option, and the About Google Chrome section).

    The finer details about CVE-2020-15999 active exploitation attempts have not been made public. Google usually sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers’ hands.
    However, since the patch for this zero-day is visible in the source code of FreeType, an open source project, it’s expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks.
    CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months. The first two were CVE-2019-13720 (October 2019) and CVE-2020-6418 (February 2020).