SAP bug beatdowns, Apple gets nasty with Mac repairs, Struts woe, and more from infosec

Including: US Marines are looking for a few good bugs


Roundup This week we all worried about bugged servers, North Korean APTs, and GRU hacking groups.

But those were far from the only security stories to hit the wires. Here are a handful of other pieces that may have slipped under the radar.

Marketing firm parts with massive trove of customer data

The last time an Apollo effort went this badly, Tom Hanks made a movie about it.

Marketing intelligence (read: data broker) startup Apollo fessed up to a massive data exposure that put something in the neighborhood of nine billion data points, covering the contact information of 212 million people, up for grabs. As has become usual, the trove was discovered online in a misconfigured database that had mistakenly been set to be accessible by anyone, with no authentication required.

Those "data points" include things like addresses and contact information, as well as contacts and connections on services like LinkedIn. Not particularly sensitive information, but a fairly valuable cache of data for marketers or, in the worst case, potential attackers looking to build spear-phishing emails.

FireEye beefs up Helix, reaches out to community

Security intelligence company FireEye has unveiled a new version of its Helix security information and event management (SIEM) platform.

This version of the cloud-based service focuses on streamlining the process of detecting malware infections and network intrusions and getting responses in place, whether automated or ordered by an admin.

FireEye says the aim here is to allow companies to be able to actively respond to attacks, not just analyze them after the fact.

"We’re on the frontlines of the cyberwar and to keep pace with the adversaries, we have to automate as much as possible and give analysts the intel to make smarter decisions at key points in the response," said FireEye VP of product management and strategy Paul Nguyen.

"These insights and capabilities are built into Helix to close the gap from detection to resolution and mitigate the impact of an attack."

FireEye is also looking for partners in an effort to create an ecosystem for Helix. The FireEye Market lets customers browse and install plug-ins, add-ons, and services for their Helix installations. Think Salesforce AppExchange, but for incident response.

The idea with the store is to let its partners and developer community come in and do all of the small, specialized tasks that customers want for their specific needs while also letting FireEye focus on developing Helix as a whole rather than creating smaller, specialized versions. In the process, partners get a new market for their services and customers get better tuned software.

Don't be a SAP, patch these bugs from Positive Technologies

Researchers with Positive Technologies have laid claim to six recently-patched vulnerabilities in SAP products.

The flaws range from arbitrary JavaScript code injection to the theft of session IDs and user passwords, plus elevation-of-privilege bugs. Fortunately, all of them were reported directly to SAP and have been fixed in recent updates.

This would be a good time for admins to go through their SAP apps and services to make sure everything is up to date.

1-2-3-4, I just hacked the Marine Corps!

From the Halls of Montezuma, to a brand new CVE. The United States Marine Corps has just paid out more than $150k in bug bounties to hackers who participated in a 20-day research project that resulted in the discovery of more than 150 vulnerabilities in public facing sites that made up the Marine Corps Enterprise Network.

The project, known as Hack the Marine Corps, launched at this year's DEF CON, is an offshoot of the DoD's "Hack the Pentagon" campaign, where white hats are offered bounties to come in and pwn the hell out of government sites in hopes of hardening defenses before a hostile nation can get to them.

The Corps estimates that around 100 hackers participated in this year's event, including the DEF CON kick-off, where 75 of the bugs were found and $80,000 of the bounties were awarded.

Apple tells DIY to DIE

A few years back, iFixit CEO Kyle Wiens told El Reg that Apple had done "everything it can" to kill off third-party repair businesses. Turns out Wiens was wrong; Apple could do even more.

iFixit has now found that the new MacBook Pro laptops contain dormant lockouts that, if activated by Apple, would render machines repaired by third-party shops inoperable. Specifically, if the lockout mechanism is enabled, repairs to most major hardware components in the notebooks would need to be validated by a special, secret software kit available only to Apple and a handful of authorized repair shops, or the machine won't work.

Fortunately, iFixit said that though these strict controls are in place, they're not yet being enforced. Its lab techs were able to get a new MacBook Pro and swap out a number of the hardware components in question without much of an issue. This has led them to believe that, so far, the lockout defense is a passive system.

"Our guess is that this software tracks serial numbers and other parts data so Apple can verify Apple Authorized Service Providers (AASPs) are correctly completing repairs. It may also perform calibration, or it could simply be a way of keeping their authorized network in line," iFixit said. "Basically it means Apple owns your device, not you, and could conceivably disable it remotely if they detect unauthorized repairs going on."

On the one hand, this lockout system will stop dodgy repair shops from swapping out parts for backdoored versions – such as keyboards that phone home your typed-in passwords to crooks. On the other hand, it's a neat way to shut out legit third-party repair shops that do a better or cheaper job of fixing up busted MacBook Pros than Apple's "geniuses" can.

Meet the new bots, same as the old bots

Thought the Russian bot deluge that erupted prior to the 2016 election had come and gone?

You would be very wrong.

A report from the Knight Foundation tracked the millions of troll accounts active since 2016 and concluded that most of them aren't going anywhere.

"The problem persisted in the aftermath of the election with four million tweets to fake and conspiracy news publishers found from mid-March to mid-April 2017," the report reads.

"A large majority of these accounts are still active today."

This is particularly depressing as, with a crucial round of mid-term elections just a few weeks away, we probably shouldn't expect the climate to differ much from what we saw two years ago as far as trolls and disinformation are concerned.

Swat swats swatters with swatting swat

The Seattle police are trying out a new program that lets people create profiles flagging their residences and places of business as possible targets for "swatting" crimes.

The profile would then appear to the emergency dispatcher when a call comes in and, if the resident has warned police they might be a swatting victim, a notification would be sent to the responding officers. The idea isn't to cancel any potential emergency responses, but to at least warn the police and, hopefully, avoid any further loss of life.

"Nothing about this solution is designed to minimize or slow emergency services," Seattle PD says.

"At the same time, if information is available, it is more useful for responding officers to have it than to not."

Struts, you're stuffed

A newly described class of vulnerabilities, dubbed double evaluation, can potentially be exploited to hack websites that rely on Apache Struts. The mechanism: the value of a tag attribute is evaluated as an OGNL expression, and if the result itself looks like an expression it is evaluated a second time. It is therefore all too easy for a developer to accidentally execute data supplied by a user as code – if a user-controlled value reaches such an attribute and is malicious, it can attempt to compromise the system running the web app.

Apache Struts' programmers don’t consider the vulnerability critical enough to merit patching, though, because it's on coders to sanitize user-submitted data.

Man Yue Mo, a researcher at Semmle with a back-catalogue of Apache Struts bug finds, disagrees that the vuln can be so easily dismissed, mainly because it's too easy for web app coders to introduce double evaluation vulnerabilities into their software.

"As the behaviour of double evaluation is fairly counter-intuitive, developers can easily get caught out and expose their Struts applications to RCE [remote code execution]," Man argued.

In a blog post, Man explains the class of flaws in depth alongside suggested remediations. If you're using Apache Struts, audit your code to make sure you're not falling foul of these double evaluation holes. ®
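To make the pattern concrete, here is an added example that is not from Semmle's post or the Struts project: a toy Python model in which `eval()` stands in for the OGNL interpreter, `shell()` stands in for the `Runtime.exec` sink an attacker would really aim for, and `render_forced` mimics a tag attribute whose resolved value is evaluated a second time. The request parameters, template and payload are all constructed for the demo; real Struts syntax and the real sink differ, but the shape of the bug is the same.

```python
"""Toy model of Struts-style '%{...}' double evaluation (added example).

Python eval() stands in for OGNL, and shell() stands in for the
Runtime.exec sink; neither is Struts code.
"""
import re
from types import SimpleNamespace

EXPR = re.compile(r"%\{(.*?)\}")   # a '%{...}' expression marker
EXECUTED = []                      # commands the stand-in sink would have run


def shell(cmd):
    """Stand-in for @java.lang.Runtime@getRuntime().exec(cmd)."""
    EXECUTED.append(cmd)
    return ""


def eval_ognl(expr, ctx):
    """Stand-in for OGNL evaluation: '#parameters' maps to request params."""
    ns = {"parameters": ctx.parameters, "shell": shell}
    return str(eval(expr.replace("#", ""), {"__builtins__": {}}, ns))


def resolve(template, ctx):
    """Replace every %{...} in the template with its evaluated value."""
    return EXPR.sub(lambda m: eval_ognl(m.group(1), ctx), template)


def render_forced(template, ctx):
    """Vulnerable: models an attribute with forced (double) evaluation.
    The attribute is resolved, then the *result* is evaluated again, so a
    parameter value that is itself an expression gets executed."""
    return resolve(resolve(template, ctx), ctx)


def render_hardened(template, ctx):
    """One mitigation (an assumption, not the Struts fix): resolve once and
    refuse to emit a value that still looks like an expression."""
    value = resolve(template, ctx)
    if EXPR.search(value):
        raise ValueError("resolved value still contains an expression")
    return value


def demo():
    """Attacker controls the 'redirect' parameter; the JSP author wrote a
    static template that merely references it."""
    EXECUTED.clear()
    ctx = SimpleNamespace(parameters=SimpleNamespace(redirect="%{shell('id')}"))
    template = 'href="%{#parameters.redirect}"'   # constructed template
    vuln = render_forced(template, ctx)            # second pass runs shell('id')
    ran = list(EXECUTED)
    try:
        render_hardened(template, ctx)
        blocked = False
    except ValueError:
        blocked = True
    return vuln, ran, blocked


def benign():
    """A normal parameter value is unaffected by the second pass."""
    ctx = SimpleNamespace(parameters=SimpleNamespace(redirect="/home"))
    return render_forced('href="%{#parameters.redirect}"', ctx)


if __name__ == "__main__":
    print(demo())     # ('href=""', ['id'], True)
    print(benign())   # href="/home"
```

The first `resolve` call turns `%{#parameters.redirect}` into the attacker's string `%{shell('id')}`; the second pass then evaluates that string, which is the double evaluation the Semmle post is warning about. Note that the template itself contains no user input, which is why the bug is counter-intuitive: the developer never concatenated untrusted data into an expression.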
