Insecure Direct Object Reference, also called IDOR, refers to a reference to an internal implementation object, such as a file or a database key, being exposed to users without any further access control. An attacker can manipulate those references to gain access to data they are not authorised to see.
There are no good numbers on which to base an estimate of how common it is. However, looking at known incidents as well as public bug bounty reports, it is safe to say that it is a very common vulnerability, and one that directly affects the protection of personal data. This is also what we have found in our own research.
It is impossible to say in general what the potential impact of IDOR is, since it varies enormously depending on what kind of data or files the attacker can reach. It could be anything from harmless information to bank statements, and much more.
Because it is so easy for an attacker to exploit when no access control is in place, IDOR is very likely to be abused. Of course, this also varies, since it is not always obvious how to enumerate the references to the files.
WELL-KNOWN INCIDENTS
Back in 2010, when the iPad was the coolest gadget for early adopters, AT&T suffered from an insecure direct object reference that exposed the personal data of more than 100,000 owners. The owners' email addresses were exposed, together with their ICC-IDs (the ID of the SIM card). Since it was Apple that had handed the data to AT&T, Apple often got the blame for this vulnerability.
By sending a request to AT&T together with an ICC-ID, the server would respond with the corresponding email address. Since ICC-IDs can be enumerated after examining only a few identifiers, the attack could be fully automated, which allowed a considerable leak of personal data.
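The enumeration pattern described above leaves a clear trace in web server logs. As an added example (written for this page, not part of the original article, and not AT&T's actual endpoint), the Python below scans constructed Common Log Format lines, groups requests by client address and flags clients that request many distinct identifier values which step by exactly one from request to request. The path /lookup, the parameter name iccid, the client addresses and the ICC-ID values are all assumptions.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines: one client walking ICC-IDs sequentially,
# two ordinary clients. Addresses, path and identifiers are made up.
_ATTACKER = [
    f'10.0.0.5 - - [09/Jun/2010:10:00:{i:02d} +0000] '
    f'"GET /lookup?iccid={89014104210000000100 + i} HTTP/1.1" 200 61'
    for i in range(12)
]
_ORDINARY = [
    '192.0.2.7 - - [09/Jun/2010:10:01:10 +0000] "GET /lookup?iccid=89014104213300442211 HTTP/1.1" 200 61',
    '192.0.2.7 - - [09/Jun/2010:10:05:42 +0000] "GET /lookup?iccid=89014104213300442211 HTTP/1.1" 200 61',
    '192.0.2.8 - - [09/Jun/2010:10:06:00 +0000] "GET /lookup?iccid=89014104218877665544 HTTP/1.1" 200 61',
]
SAMPLE_ACCESS_LOG = _ATTACKER + _ORDINARY

# client, ident, user, [timestamp], "METHOD target protocol", status
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_ids(lines, param):
    """Return {client: [identifier values in log order]} for requests carrying ?param=<digits>."""
    by_client = defaultdict(list)
    id_re = re.compile(r"[?&]" + re.escape(param) + r"=(\d+)")
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a request line we understand
        q = id_re.search(m["target"])
        if q:
            by_client[m["src"]].append(int(q.group(1)))
    return by_client


def detect_enumeration(lines, param="iccid", min_distinct=5, min_sequential_ratio=0.5):
    """Flag clients that touch many distinct ids where most requests differ by exactly 1
    from the previous one: the signature of an automated walk through the id space."""
    alerts = {}
    for client, ids in extract_ids(lines, param).items():
        distinct = len(set(ids))
        if distinct < min_distinct:
            continue  # too few ids to call it enumeration
        steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            alerts[client] = {
                "requests": len(ids),
                "distinct_ids": distinct,
                "sequential_ratio": ratio,
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_enumeration(SAMPLE_ACCESS_LOG).items():
        print(f"possible enumeration from {client}: {info}")
```

The thresholds are tuning knobs, and an attacker can randomise the order of identifiers to defeat the sequential-step test, so the number of distinct identifiers per client per time window is the more robust signal. Either way, detection only limits the damage; the fix is the authorisation check on every lookup.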
Code analysis is well suited to this type of vulnerability. Every place that presents restricted data must be examined to make sure that there are controls in place which guarantee that the user is authorised for the information requested.
This can, of course, be automated to some extent without access to the site's source code, but having the source is a great advantage. With the source in hand, this type of vulnerability is often quite easy to discover.
A VERY BASIC EXAMPLE OF A VULNERABLE APPLICATION
When a user opens the control panel at the bank's address, the user is redirected to the following address:
In this case, 123 is the user's account ID, so the user will see that account's balance. If the user wanted to abuse this, it would be enough to change the ID parameter in the URL to someone else's ID and gain access to that account instead.
The only real solution to this problem is to implement an access control check: the user must be authorised for the requested information before the server hands it over.
It is also often recommended to use something less obvious, and harder to enumerate, as the reference, e.g. a random string instead of an integer. That can be a good idea for several reasons, but it must never be relied on as the sole defence against this type of attack.
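The bank example above, with the access control check the article calls for, as an added example written for this page (not the article's code). Each handler models an HTTP endpoint as a function that takes the session's authenticated user and the query parameters and returns a status code and body. The account data, the parameter name id and the opaque-reference scheme are assumptions; the third handler shows the random-string reference the article mentions, implemented so that ownership is still checked on every lookup.

```python
import secrets

# Constructed sample data: two customers, not real accounts.
ACCOUNTS = {
    123: {"owner": "alice", "balance": 1500.00},
    124: {"owner": "bob", "balance": 42.10},
}


def _parse_id(params):
    try:
        return int(params.get("id", ""))
    except ValueError:
        return None


def vulnerable_balance_handler(session_user, params):
    """Vulnerable (IDOR): the id comes straight from the URL and is never tied to
    the session, so any logged-in user can read any account by changing ?id=."""
    account_id = _parse_id(params)
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, {"error": "not found"}
    return 200, {"id": account_id, "balance": account["balance"]}


def checked_balance_handler(session_user, params):
    """Fixed: the object is only returned if the session user owns it."""
    account_id = _parse_id(params)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # Same status for "does not exist" and "not yours": a distinct 403 would
        # let an attacker enumerate which ids exist even though the data stays hidden.
        return 404, {"error": "not found"}
    return 200, {"id": account_id, "balance": account["balance"]}


# Opaque references: random tokens that map to ids server-side. This hides the
# id space (defence in depth), but the lookup still enforces ownership.
_REFERENCES = {}  # token -> account_id (in-memory stand-in for a per-session store)


def issue_reference(session_user, account_id):
    """Mint a reference for an account the session user owns."""
    if ACCOUNTS.get(account_id, {}).get("owner") != session_user:
        raise PermissionError("cannot issue a reference for someone else's account")
    token = secrets.token_urlsafe(16)  # 128 bits of randomness: not enumerable
    _REFERENCES[token] = account_id
    return token


def reference_balance_handler(session_user, params):
    """Resolve the token, then apply the same ownership check as the fixed handler."""
    account_id = _REFERENCES.get(params.get("ref", ""))
    if account_id is None:
        return 404, {"error": "not found"}
    return checked_balance_handler(session_user, {"id": str(account_id)})


if __name__ == "__main__":
    print("vulnerable, bob asks for 123:", vulnerable_balance_handler("bob", {"id": "123"}))
    print("checked,    bob asks for 123:", checked_balance_handler("bob", {"id": "123"}))
    print("checked,  alice asks for 123:", checked_balance_handler("alice", {"id": "123"}))
    ref = issue_reference("alice", 123)
    print("reference, alice:", reference_balance_handler("alice", {"ref": ref}))
    print("reference, bob with alice's token:", reference_balance_handler("bob", {"ref": ref}))
```

Note that the random token alone would not have stopped the last case: if bob obtains alice's token (a shared link, a leaked log line), only the ownership check keeps the balance private, which is why the article says the obscure reference must not be the sole defence.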
The organization has worked for three years to improve its ability to catch fraudulent software. The Tor Project is fortifying its software so that it can quickly detect if its network is tampered with for surveillance purposes, a top developer for the volunteer project wrote on Monday.
There are worries that Tor could either be technically subverted or subject to court orders, which could force the project to turn over critical information that would undermine its security, similar to the standoff between Apple and the U.S. Department of Justice.
Tor developers are now designing the system in such a way that many people can verify whether code has been changed and “eliminate single points of failure,” wrote Mike Perry, lead developer of the Tor Browser, on Monday.
Over the last few years, Tor has concentrated on enabling users to take its source code and create their own “deterministic builds” of Tor that can be verified against the organization’s public cryptographic keys and other public copies of the application.
“Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue,” Perry wrote. “From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered.”
Two cryptographic keys would be required for a tampered version of the Tor Browser to be distributed without at least initially tripping security checks: the SSL/TLS key that secures the connection between a user and Tor Project servers plus the key used to sign a software update.
“Right now, two keys are required, and those keys are not accessible by the same people,” Perry wrote in a Q&A near the end of the post. “They are also secured in different ways.”
Even if an attacker obtained the keys, in theory people would be able to check the software’s hash and figure out if it may have been tampered with.
Apple is fighting a federal court’s order to create a special version of iOS 9 that would remove security protections on an iPhone 5c used by Syed Rizwan Farook, one of the San Bernardino mass shooters.
A ruling against Apple is widely feared by technology companies, as it could give the government wider leverage to order companies to undermine encryption systems in their products.
On Monday, the Justice Department indicated it is investigating an alternative method to crack Farook’s iPhone, which if successful would not require Apple’s assistance.
Perry wrote that the Tor Project stands “with Apple to defend strong encryption and to oppose government pressure to weaken it. We will never backdoor our software.”
Tor, short for The Onion Router, is a network that provides more anonymous browsing across the Internet using a customized Firefox Web browser. The project was started by the U.S. Naval Research Laboratory but is now maintained by the nonprofit Tor Project.
Web browsing traffic is encrypted and routed through random proxy servers, making it harder to figure out the true IP address of a computer. Tor is a critical tool for activists and dissidents, as it provides a stronger layer of privacy and anonymity.
But some functions of Tor have also been embraced by cybercriminals, which has prompted interest from law enforcement. Thousands of websites run as Tor “hidden” services, which have a special “.onion” URL and are only accessible using the customized browser.
The Silk Road, the underground market shut down by the FBI in October 2013, is one of the most infamous sites to use the hidden services feature.
An analyst reveals that Windows 10 is amassing a huge amount of user data even after the user disables all three pages of tracking options.
We all know that Windows 10 spies on users. We had reported spying issues associated with Windows 10 as early as the Windows 10 Technical Preview release in August 2014. Almost a year after the final Windows 10 build was released, in November 2015, Microsoft confirmed that Windows 10 spied on users, adding at the time that even it could not stop Windows 10’s telemetry program from doing so.
However, until this week the extent of Windows 10’s spying activities was not known. So a Voat user, CheesusCrust, decided to measure the amount of data that Windows 10 reports back to the Redmond-based servers. CheesusCrust published his research on Voat under the title Windows 10 telemetry network traffic analysis, part 1.
According to his research, Windows 10 sends data back to Microsoft servers thousands of times per day. The surprising part is that it kept doing so even after he chose a custom Windows 10 installation and disabled all three pages of tracking options, all of which are enabled by default.
Here is the list of what CheesusCrust used for this analysis:
- I have installed DD-WRT on a router connected to the internet and configured remote logging to the Linux Mint laptop in #2.
- I have installed Linux Mint on a laptop, and setup rsyslog to accept remote logging from the DD-WRT router.
- I have installed Virtualbox on the Linux Mint laptop, and installed Windows 10 Enterprise on Virtualbox. I have chosen the customized installation option where I disabled three pages of tracking options.
- I have configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise.
- Aside from installing Windows 10 Enterprise, and verifying the internet connection through ipconfig and ping yahoo.com, I have not used the Windows 10 installation at all (the basis for the first part of this analysis)
- Let Windows 10 Enterprise run overnight for about 8 hours (while I slept).
- I use perl to parse the data out of syslog files and insert said data into a MySQL database.
- I use perl to obtain route data from whois.radb.net, as well as nslookup PTR data, and insert that into the MySQL database.
- Lastly, I query and format the data for analyzing.
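The logging-and-parsing steps above, as an added example written for this page (CheesusCrust used perl and MySQL; this is not his code): Python that reads the iptables LOG lines rsyslog received from the DD-WRT router and aggregates connection attempts per destination, the kind of per-destination count behind the figures he reports. The log lines are constructed, use RFC 5737 documentation addresses rather than Microsoft's, and assume an iptables --log-prefix of WIN10DROP; the whois and PTR enrichment step is left out so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample of DD-WRT iptables LOG lines as rsyslog stores them on the
# Linux Mint side. 192.168.1.50 stands for the Windows 10 VM; the destinations
# are documentation ranges, not Microsoft's. The last line is unrelated noise.
SAMPLE_SYSLOG = """\
Feb  7 01:12:03 DD-WRT kernel: WIN10DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2411 DF PROTO=TCP SPT=49211 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  7 01:12:05 DD-WRT kernel: WIN10DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2412 DF PROTO=TCP SPT=49211 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  7 01:13:41 DD-WRT kernel: WIN10DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2420 DF PROTO=TCP SPT=49215 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  7 01:15:00 DD-WRT kernel: WIN10DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=2433 PROTO=UDP SPT=60001 DPT=3544 LEN=58
Feb  7 01:20:19 DD-WRT kernel: WIN10DROP IN=br0 OUT=vlan2 SRC=192.168.1.60 DST=192.0.2.99 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  7 01:21:00 DD-WRT dnsmasq[512]: reading /etc/hosts
"""

# The netfilter LOG target always emits SRC/DST/PROTO; SPT/DPT only for TCP/UDP.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_iptables_log(text):
    """Turn raw syslog text into one record per logged connection attempt."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line (dnsmasq, cron, ...)
        records.append({
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return records


def summarize_destinations(records, src):
    """Attempts, distinct destination IPs and a ranked endpoint list for one source host.
    This is the 'N attempts to M different IP addresses' view of the data."""
    mine = [r for r in records if r["src"] == src]
    by_endpoint = Counter((r["dst"], r["proto"], r["dpt"]) for r in mine)
    return {
        "attempts": len(mine),
        "distinct_dst": len({r["dst"] for r in mine}),
        "top": by_endpoint.most_common(),
    }


if __name__ == "__main__":
    summary = summarize_destinations(parse_iptables_log(SAMPLE_SYSLOG), "192.168.1.50")
    print(f"{summary['attempts']} attempts to {summary['distinct_dst']} distinct addresses")
    for (dst, proto, dpt), n in summary["top"]:
        print(f"  {n:4d}  {dst}  {proto}/{dpt}")
```

Restricting the summary to the VM's address matters: the router logs every dropped packet, so counting all records would mix in the other hosts on the LAN (here 192.168.1.60) and inflate the figures attributed to Windows 10.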
Here is what he found. In an eight hour period Windows 10 tried to send data back to 51 different Microsoft IP addresses over 5500 times. After 30 hours of use, Windows 10 sent his user data to a whopping 113 IP addresses which he has listed in the thread.
CheesusCrust has more surprises for us. He then repeated his test on another Windows 10 clean installation with all data tracking options disabled. Only this time he installed a third party tool called DisableWinTracking (available on GitHub), which is supposed to stop Windows 10 spying attempts including the hidden ones.
On this PC with DisableWinTracking installed, CheesusCrust found that at the end of the 30-hour period Windows 10 had still managed to report back to Redmond-based servers 2,758 times, to 30 different IP addresses.
This means that even after disabling the telemetry options offered by Microsoft and installing the anti-spying software available on the market, Windows 10 goes on its merry way tracking user data. It would also seem that the ‘disable telemetry’ options Microsoft provided after the huge outcry against Windows 10 spying actually do nothing, and are only a showpiece installed to pacify users.
CheesusCrust has plenty more surprises in store for Windows 10 users when he will publish part 2 of his analysis.
Files show agency just moved surveillance offshore.
Newly revealed documents (not from Snowden this time) show that the NSA has continued to collect Americans’ email traffic en masse using overseas offices to get around curbs introduced domestically.
Shortly after the September 11 attacks, President Bush authorized the NSA to collect bulk metadata on emails sent by Americans (although not the content) to help The War Against Terror (TWAT). The surveillance was authorized by the US Foreign Intelligence Surveillance Court, which mostly rubber-stamped such requests.
But the collection was stopped in 2011, the NSA said, although it still monitored emails from Americans to people outside the nation’s borders. However, a Freedom of Information Act lawsuit started by The New York Times against the NSA’s Inspector General has uncovered documents showing that the NSA carried on collecting domestic data.
To get around the restrictions on operating in the USA, the NSA simply started using its overseas offices to do the collection. Stations like RAF Menwith Hill in Yorkshire were tasked with collecting the metadata and feeding it back to the NSA headquarters in Maryland.
There’s no evidence that the content of emails was being examined by NSA analysts. Instead the metadata was used to try and divine linkages between individuals the agency was looking to monitor. But that metadata is very useful.
“We have known for some time that traffic analysis is more powerful than content analysis,” said Dan Geer, chief information security officer of the CIA’s venture capital firm In-Q-Tel.
“If I know everything about you, about who you communicate with, when, where, with what frequency, what length, and at what location, I know you. The soothing mendacity of proxies from the president that claim that it is only metadata, is to rely on the profound ignorance of the listener.”
Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th, is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.
There is a remote code execution vulnerability in Apple QuickTime (TALOS-CAN-0018, CVE-2015-3667). An attacker who can control the data inside a stbl atom in a .MOV file can cause an undersized allocation, which leads to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.
There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. A 16-byte memory region is allocated near the beginning of the function; if the hdlr subtype field in an mdia atom is set to ‘vide’, a reference to this region is passed to a pair of functions.
The first function swaps out the reference in object_ref for a bigger object, one of size 0xb0 bytes, and the second function operates on this new object.
Some way up the call stack of the first of these two functions, the reference in question is passed to the function QuickTime!0x73e0f0. However, when the stbl atom is missing from the file, or its 4CC is corrupted, the object at eax does not get populated. When this happens the check at line 15 passes and an error code (0xfffff809) is passed back down the call stack.
This series of calls would normally lead to the replacement of the object reference in the function QuickTime!0x748a40. However, because the error code returned down the stack is non-zero, the branch below is taken and that code path is skipped.
Eventually, the calls return and the function at line 57 of QuickTimeMPEG4!0x147f0 is called.
Code execution makes its way up to the function QuickTime!0x21ab00.
A read of 2 bytes is attempted at an offset of 84 bytes into the 16-byte object, resulting in an out-of-bounds read.
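As an added illustration of the control-flow defect the write-up describes (a model written for this page, not QuickTime's code and not Talos's), the Python below reproduces the sequence: the error from the missing stbl atom only skips the object swap, while the later read still assumes the 0xb0-byte object and reads two bytes at offset 84. A bytearray stands in for the heap, with memory beyond the 16-byte object filled with 0x41 so the over-read returns a visible value instead of whatever the neighbouring allocation held. The field value 0x1234, the arena size and the "object too small" status in the hardened variant are assumptions.

```python
SMALL_OBJ = 16            # object allocated near the start of QuickTimeMPEG4!0x147f0
BIG_OBJ = 0xB0            # object that should replace it once the stbl data is processed
READ_OFFSET = 84          # offset of the 2-byte read in QuickTime!0x21ab00
ERR_NO_STBL = 0xFFFFF809  # error code passed back down the call stack
ARENA = 256               # assumed size of the simulated heap


class SimHeap:
    """The live object starts at offset 0; everything past it is 0x41 so an
    over-read returns a recognisable value instead of undefined memory."""

    def __init__(self):
        self.mem = bytearray([0x41]) * ARENA
        self.mem[0:SMALL_OBJ] = bytes(SMALL_OBJ)  # the 16-byte region, zeroed
        self.obj_size = SMALL_OBJ

    def read_u16(self, offset):
        return int.from_bytes(self.mem[offset:offset + 2], "little")


def process_stbl(stbl_present, fourcc_valid):
    """First of the two functions: fails with 0xfffff809 when the stbl atom is
    missing or its 4CC is corrupt, leaving the object unpopulated."""
    return 0 if (stbl_present and fourcc_valid) else ERR_NO_STBL


def swap_in_big_object(heap):
    """The replacement that QuickTime!0x748a40 performs on the success path."""
    heap.mem[0:BIG_OBJ] = bytes(BIG_OBJ)
    heap.mem[READ_OFFSET:READ_OFFSET + 2] = (0x1234).to_bytes(2, "little")  # assumed field
    heap.obj_size = BIG_OBJ


def vulnerable_flow(stbl_present, fourcc_valid=True):
    """Model of the reported bug: the error only skips the swap, and the later
    read assumes the big object regardless of what is actually there."""
    heap = SimHeap()
    if process_stbl(stbl_present, fourcc_valid) == 0:
        swap_in_big_object(heap)
    # 84 + 2 > 16: this read runs past the small object when the swap was skipped
    return heap.read_u16(READ_OFFSET)


def hardened_flow(stbl_present, fourcc_valid=True):
    """Propagate the error and size-check the object before the read.
    Returns (status, value); status 0 means success."""
    heap = SimHeap()
    err = process_stbl(stbl_present, fourcc_valid)
    if err != 0:
        return err, None              # malformed file: stop here, never touch the object
    swap_in_big_object(heap)
    if READ_OFFSET + 2 > heap.obj_size:
        return 0xFFFFFFFF, None       # assumed "object too small" status
    return 0, heap.read_u16(READ_OFFSET)


if __name__ == "__main__":
    print(hex(vulnerable_flow(True)))    # 0x1234: well-formed file
    print(hex(vulnerable_flow(False)))   # 0x4141: bytes past the 16-byte object
    print(hardened_flow(False))          # (4294965257, None): error propagated
```

The point the model makes is that the error code was checked only where the swap happens, not where the object is consumed. A parser that records the real size of each object alongside its reference, and compares it at every access, turns the silent over-read into a rejected file.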
Cisco Talos’ research and discovery of programmatic ways to find 0-days helps secure the platforms and software that our customers depend on. The disclosure of this and other vulnerabilities helps the entire online community by identifying security issues that otherwise could be exploited by threat actors. Uncovering new 0-days not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all of the products that Cisco produces.
Related Snort rules: 35022-35023
For the most up to date list, please refer to Defense Center or FireSIGHT Management Center.
For further zero day or vulnerability reports and information visit:
2015-05-08 – Reported
2015-06-30 – Patched
2015-06-30 – Released
A company offering software that allows people to spy on others has admitted it has been hacked and had thousands of customer records leaked online. The admission comes a day after mSpy told BBC News it had not been hacked and no data had been stolen.
It has also emerged that the UK’s Information Commissioner is investigating the company. It told the BBC it was “aware of the breach and is trying to find out where the company is based”.
mSpy offers software that it says is aimed at parents worried about what their children are up to online and at employers who want to legitimately track their employees.
But it is also used for more nefarious purposes, such as spouses spying on their partners.
Security expert Brian Krebs broke the news that a vast vault of highly personal data from mSpy customers had been dumped on the so-called dark web – an area of the internet that cannot be reached by traditional search engines.
He had been contacted by an anonymous source who had sent him a link to the data on a Tor-based site – technology that allows people to mask the identity of their websites.
BBC News has now also been sent links to the data, which it is currently analysing.
After insisting that the data was fake and no breach had taken place, mSpy has now admitted that data had been stolen.
“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.
“However, the scope and format of the aforesaid information is way too exaggerated.”
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
“Naturally, we have communicated with our customers whose data could have been stolen and described the situation to them. We have put in place all the necessary remedial measures and continue to work on the mechanism of data encryption,” she added.
Mr Krebs said that he had also contacted “multiple customers of mSpy” via the link he had been sent.
“I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy,” he wrote in his blog.
Katherine Till, one of the customers contacted by Mr Krebs, confirmed to him that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter.
She told the security expert that she was unaware of any breach.
“This is disturbing, because who knows what someone could do with all that data from her phone,” she told Mr Krebs.
Another user whose financial and personal data was in the cache asked not to be identified but told the security expert that he had paid mSpy to secretly monitor the mobile device of a “friend.”
The Information Commissioner’s Office advised customers worried that their data might have been exposed to contact mSpy in the first instance.
“If they get no joy with the company, they can get in touch with us,” a spokesman said.
Its initial investigation is aimed at finding out whether the company, which has a London office, is based in the UK.
The BBC has been told the company is based in California.
The company is also under fire in the US, with Minnesota senator Al Franken describing the software as “nothing short of terrifying” and likening it to “stalking apps”.
He wants the government to investigate the company and has written to the Department of Justice and the Federal Trade Commission.
He writes: “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information – including location data – is being shared.”
Nearly 7 million Dropbox usernames and passwords have been compromised, apparently via third-party services from which hackers were able to lift the login information.
The Next Web was the first to notice the leak on a site called Pastebin, where hackers have already leaked about 400 accounts. The hackers promise to release more accounts in return for Bitcoin donations. The hackers claim to have over 6.9 million email addresses and passwords belonging to Dropbox users.
In a statement, Dropbox denied it was hacked:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.
That means Dropbox has already expired the 400 logins leaked so far. But it is unclear whether the logins of the nearly 7 million other Dropbox users the hackers claim to have are still safe. A Dropbox spokesperson told Business Insider that Dropbox consistently expires passwords for accounts that are being attacked, but could not say how many accounts had been expired recently. So it is possible that nearly 7 million other Dropbox accounts are still vulnerable.
It’s a similar response to the one Snapchat had when hackers were able to obtain about 100,000 photos from the service through a third-party app. Snapchat claimed its servers weren’t hacked, but the servers of a third-party app designed to save Snapchat photos were.
The real problem in both cases appears to be the way popular services let users log in. Even though Dropbox’s own servers were not hacked, the service still allows third parties access. It is also possible for hackers to break into other sites and cross-reference the login information with services like Dropbox, since many people reuse the same credentials across multiple services. Those third parties have become the target for hackers seeking personal information. Assuming the hackers do have the login information for 7 million Dropbox accounts, it is unclear how they were able to take that information from a third-party service and apply it to Dropbox. A Dropbox spokesperson could not elaborate.
This is an alarming trend. Services like Dropbox, Snapchat and Apple have pushed the blame onto users and third parties following recent hacks, when it is clear they are not doing enough to scrutinize the kinds of apps that have access to their platforms, or to guarantee users that their logins will be “expired” if their information is compromised.