Adobe, Microsoft Plug Critical Security Holes

Adobe and Microsoft both on Tuesday released patches to plug critical security vulnerabilities in their products. Microsoft’s patch bundles fix close to 80 separate security problems in various versions of its Windows operating system and related software — including two vulnerabilities that already are being exploited in active attacks. Adobe’s new version of its Flash Player software tackles two flaws that malware or attackers could use to seize remote control over vulnerable computers with no help from users.


Of the two zero-day flaws being fixed this week, the one in Microsoft’s ubiquitous .NET Framework (CVE-2017-8759) is perhaps the most concerning. Despite this flaw being actively exploited, it is somehow labeled by Microsoft as “important” rather than “critical” — the latter being the most dire designation.

More than two dozen flaws Microsoft remedied with this patch batch come with a “critical” warning, which means they could be exploited without any assistance from Windows users — save for perhaps browsing to a hacked or malicious Web site.

Regular readers here probably recall that I’ve often recommended installing .NET updates separately from any remaining Windows updates, mainly because in past instances in which I’ve experienced problems installing Windows updates, a .NET patch was usually involved.

For the most part, Microsoft now bundles all security updates together in one big patch ball for regular home users — no longer letting people choose which patches to install. One exception is patches for the .NET Framework, and I stand by my recommendation to install the patch roll-ups separately, reboot, and then tackle the .NET updates. Your mileage may vary.

Another vulnerability Microsoft fixed addresses “BlueBorne” (CVE-2017-8628), which is a flaw in the Bluetooth wireless data transmission standard that attackers could use to snarf data from Bluetooth-enabled devices that are physically nearby and with Bluetooth turned on.

For more on this month’s Patch Tuesday from Microsoft, check out Microsoft’s security update guide, as well as this blog from Ivanti (formerly Shavlik).

Adobe’s newest Flash version — v. 27.0.0.130 for Windows, Mac and Linux systems — corrects two critical bugs in Flash. For those of you who still have and want Adobe Flash Player installed in a browser, it’s time to update and/or restart your browser.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart, though users may need to check for updates manually and/or restart the browser to get the latest Flash version. When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”; if an update is available, Chrome should install it then. (Chrome replaces that three-dot icon with an up-arrow inside a circle when updates are ready to install.)

Better yet, consider removing or at least hobbling Flash Player, which is a perennial target of malware attacks. Most sites have moved away from requiring Flash, and Adobe itself is sunsetting this product (albeit not for another long two more years).

Windows users can get rid of Flash through the Add/Remove Programs menu, unless they’re using Chrome, which bundles its own version of Flash Player. To get to the Flash settings page, type or cut and paste “chrome://settings/content” into the address bar, and click on the Flash result.


Hacking Voice Assistant Systems with Inaudible Voice Commands


Ayuda! (Help!) Equifax Has My Data!

Equifax last week disclosed a historic breach involving Social Security numbers and other sensitive data on as many as 143 million Americans. The company said the breach also impacted an undisclosed number of people in Canada and the United Kingdom. But the official list of victim countries may not yet be complete: According to information obtained by KrebsOnSecurity, Equifax can safely add Argentina — if not also other Latin American nations where it does business — to the list as well.

Equifax is one of the world’s three largest consumer credit reporting bureaus, and a big part of what it does is maintain records on consumers that businesses can use to learn how risky it might be to loan someone money or to extend them new lines of credit. On the flip side, Equifax is somewhat answerable to those consumers, who have a legal right to dispute any information in their credit report which may be inaccurate.

Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

We’ll speak about this Equifax Argentina employee portal — known as Veraz or “truthful” in Spanish — in the past tense because the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon. The specific Veraz application being described in this post was dubbed Ayuda or “help” in Spanish on internal documentation.

The landing page for the internal administration page of Equifax’s Veraz portal.

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system. A search on “Equifax Veraz” at LinkedIn indicates the unit currently has approximately 111 employees in Argentina.

A partial list of active and inactive Equifax employees in Argentina. This page also let anyone add or remove users at will, or modify existing user accounts.

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

The “edit users” page obscured the Veraz employee’s password, but the same password was exposed by sloppy coding on the Web page.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.
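The two weaknesses just described, a password echoed into the HTML of the “edit users” page and passwords equal to (or derived from) the username, are both things a site owner can check for mechanically. The following is an added example written for this page, not code from KrebsOnSecurity, Hold Security or Equifax: it runs a constructed sample of a server-rendered edit form through a small HTML parser to flag any `<input type="password">` whose `value` attribute is filled in, and it audits a constructed list of user records for passwords that match the username, the last name, or first initial plus last name. The function names (`find_echoed_passwords`, `audit_credentials`) and all sample data are assumptions made up for the example; nothing here is taken from the Veraz portal.

```python
"""Defensive audit for two weaknesses described in the article:
a password echoed into page source, and name-derived passwords."""
from html.parser import HTMLParser

# Constructed sample of a server-rendered "edit user" page (not the real portal).
# The stored password has been written into the value attribute, so anyone who
# views the page source can read it even though the browser shows dots.
SAMPLE_EDIT_PAGE = """
<form action="/users/edit" method="post">
  <label>Usuario</label>
  <input type="text" name="username" value="jperez">
  <label>Clave</label>
  <input type="password" name="password" value="jperez">
  <input type="submit" value="Guardar">
</form>
"""

# Constructed sample user records in the shape the article describes (hypothetical people).
SAMPLE_USERS = [
    {"first": "Juan", "last": "Perez", "username": "jperez", "password": "jperez"},
    {"first": "Ana", "last": "Gomez", "username": "gomez", "password": "gomez"},
    {"first": "Luis", "last": "Diaz", "username": "ldiaz", "password": "Tr0ub4dor&3"},
]


class PasswordValueFinder(HTMLParser):
    """Collects <input type="password"> elements that carry a non-empty value attribute."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute values are None when the attribute has no value
        if (a.get("type") or "").lower() == "password" and a.get("value"):
            self.leaks.append(a.get("name") or "<unnamed>")


def find_echoed_passwords(html: str) -> list:
    """Return the names of password fields whose secret is present in the page source."""
    parser = PasswordValueFinder()
    parser.feed(html)
    return parser.leaks


def name_derived_candidates(user: dict) -> set:
    """Passwords that a naming convention like the one in the article would produce."""
    first, last = user["first"].lower(), user["last"].lower()
    return {user["username"].lower(), last, first[0] + last, first + last}


def audit_credentials(users: list) -> list:
    """Return usernames whose password equals the username or a name-derived form."""
    return [u["username"] for u in users if u["password"].lower() in name_derived_candidates(u)]


if __name__ == "__main__":
    print("password fields echoed in source:", find_echoed_passwords(SAMPLE_EDIT_PAGE))
    print("accounts with name-derived passwords:", audit_credentials(SAMPLE_USERS))
```

The first check is the one to wire into a template review or a CI test against rendered pages: an edit form should render the password field with an empty `value` (and require the current password, or a reset flow, to change it), so the stored secret never reaches the browser at all. The second check belongs in the password policy at account creation and on periodic audits of the user store, where the real fix is to reject any password that matches the account holder’s own identifiers and, for an administrative portal like this one, to require a second factor.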

But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

750 pages worth of consumer complaints — more than 14,000 in all — complete with the Argentinian equivalent of the SSN (the DNI) in plain text. This page was auto-translated by Google Chrome into English.

Jorge Speranza, manager of information technology at Hold Security, was born in Argentina and lived there for 40 years before moving to the United States. Speranza said he was aghast at seeing the personal data of so many Argentinians protected by virtually non-existent security.

Speranza explained that — unlike the United States — Argentina is traditionally a cash-based society that only recently saw citizens gaining access to credit.

“People there have put a lot of effort into getting a loan, and for them to have a situation like this would be a disaster,” he said. “In a country that has gone through so much — where there once was no credit, no mortgages or whatever — and now having the ability to get loans and lines of credit, this is potentially very damaging.”

Shortly after receiving details about this epic security weakness from Hold Security, I reached out to Equifax and soon after heard from a Washington, D.C.-based law firm that represents the credit bureau.

I briefly described what I’d been shown by Hold Security, and attorneys for Equifax said they’d get back to me after they validated the claims. They later confirmed that the Veraz portal was disabled and that Equifax is investigating how this may have happened. Here’s hoping it will stay offline until it is fortified with even the most basic of security protections.

According to Equifax’s own literature, the company has operations and consumer “customers” in several other South American nations, including Brazil, Chile, Ecuador, Paraguay, Peru and Uruguay. It is unclear whether the complete lack of security at Equifax’s Veraz unit in Argentina was indicative of a larger problem for the company’s online employee portals across the region, but it’s difficult to imagine they could be any worse.

“To me, this is just negligence,” Holden said. “In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better.”

I don’t have much advice for Argentinians whose data may have been exposed by sloppy security at Equifax. But I have urged my fellow Americans to assume their SSN and other personal data was compromised in the breach and to act accordingly. On Monday, KrebsOnSecurity published a Q&A about the breach, which includes all the information you need to know about this incident, as well as detailed advice for how to protect your credit file from identity thieves.

[Author’s note: I am listed as an adviser to Hold Security on the company’s Web site. However this is not a role for which I have been compensated in any way now or in the past.]


September 11, 2017: Owner of O.C. Pet Products Company Pleads Guilty to Selling Pet Meds without Prescriptions, Some of Which Were Not Approved for U.S. Sale


Food and Drug Administration 
Office of Criminal Investigations


LOS ANGELES – A Laguna Hills man pleaded guilty today to charges of selling misbranded veterinary medications without a prescription, some of which were not approved for use in the United States.


Sean Gerson, 49, the owner of Vaccination Services, Inc. in Lake Forest, pleaded guilty in a scheme that netted him at least $2.5 million over the past 15 years.


Gerson pleaded guilty to smuggling, introduction into interstate commerce of misbranded animal prescription drugs with the intent to defraud and mislead the United States Food and Drug Administration, and a misdemeanor charge of distribution and sale of an unregistered pesticide. Vaccination Services also pleaded guilty today to the same federal charges.


The misbranded drugs – meaning they were sold without a valid prescription from a veterinarian – were Comfortis, an anti-flea medication, and Ciprofloxacin, a powerful antibiotic commonly called “Cipro” that can be used in dogs and cats to treat skin, respiratory and urinary tract infections.


According to court documents, Gerson sold Comfortis that was designed for the South African market and was not approved for distribution in the United States. Federal law prohibits the importation and sale of veterinary medicines that have not been approved by the FDA and Environmental Protection Agency for use in this country.


Gerson used several websites – including fleastuff.com, mydoghasfleas.xyz and fleaandtickstuff.com – to market prescription animal products to buyers without valid prescriptions.


In a plea agreement filed in United States District Court, Gerson admitted that he “knowingly distributed, transported and sold the prescription animal drugs Comfortis and Ciprofloxacin in interstate commerce” to an undercover law enforcement officer in Missouri in August 2016. Gerson at the time knew that the drug had been smuggled into the United States “because the drugs were foreign-market branded and not approved by the U.S. FDA for entry into the United States.”


Gerson also admitted that he sold foreign market pesticides – animal flea and tick products not approved for sale and distribution in the United States – to an undercover law enforcement officer in Washington in June 2012.


Gerson pleaded guilty today before United States District Judge R. Gary Klausner, who is scheduled to sentence Gerson and his company on December 11.


In the plea agreement, prosecutors and Gerson have agreed that the appropriate sentence in this case is 30 months in federal prison and a fine of $200,000. The final sentence will be determined by Judge Klausner, and if the judge decides to deviate from the agreed-upon sentence both parties have the right to withdraw from the plea agreement and proceed to trial.


In addition to the prison sentence and criminal fine, Gerson has agreed to the entry of a $2.5 million forfeiture judgment which will require Gerson to forfeit the proceeds of his long-running scheme.


In its plea agreement, Vaccination Services has agreed to pay a $300,000 fine and to be placed on probation for a period of five years. This stipulated sentence is also subject to the approval of Judge Klausner.


Gerson was previously convicted of charges related to the illegal sale of pet medications and products. According to documents previously filed in the federal case in Los Angeles, Gerson pleaded guilty in Texas in 2014 to state charges of delivery of a dangerous drug, specifically a prescription drug called Clenbuterol.


In a related case, Judge Klausner in June ordered a South African veterinarian to pay a fine of $5,000 and forfeit to the United States $145,000 after pleading guilty to a charge of making false statements in relation to unapproved pet medications he shipped to Gerson. Craig Mostert sent the foreign-market drugs to Gerson, and significantly understated the value of the products in a series of shipments between 2008 and 2017.


The case against Gerson and Vaccination Services is the product of an investigation by U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations, the Food and Drug Administration’s Office of Criminal Investigations, and the Environmental Protection Agency.


This case is being prosecuted by Assistant United States Attorney Joseph O. Johns, Chief of the Environmental and Community Safety Crimes Section.


Component(s): USAO – California, Central

Contact: Thom Mrozek, Spokesperson/Public Affairs Officer, United States Attorney’s Office, Central District of California (Los Angeles), 213-894-6947

Press Release Number: 17-159


September 11, 2017: Knoxville Man Pleads Guilty to Conspiring to Defraud the FDA


Billy Groce Shipped Illegal Drugs to Carroll County Cooperative for Illegal Resale

Abingdon, VIRGINIA – A Tennessee man, who operated a business that created illegal drugs for the purpose of evading existing Food and Drug Administration laws, pleaded guilty last week in the United States District Court for the Western District of Virginia in Abingdon to a federal conspiracy charge, Acting United States Attorney Rick A. Mountcastle announced.

Billy K. Groce, 65, of Knoxville, waived his right to be indicted and pleaded guilty last week to a one-count Information that charged him with conspiracy to defraud the United States by impeding, impairing, obstructing and defeating the lawful functions of the Food and Drug Administration.

According to evidence presented by Assistant United States Attorney Randy Ramseyer, Groce operated a business that was created for the purpose of illegally circumventing the FDA’s regulation of the interstate shipment and labeling of veterinary drugs. Groce’s business illegally obtained, stored, sold and caused to be shipped drugs from veterinary drug manufacturers and distributors. Groce’s business was not a licensed wholesaler, a licensed pharmacy or a veterinary clinic.


Groce shipped drugs to co-conspirator Marlin Webb, who was the store manager at the Carroll County Cooperative. Webb then illegally sold the veterinary prescription drugs through the cooperative. Webb previously pleaded guilty to one count of conspiracy to defraud the FDA and was sentenced to one year of probation and paid $125,000 in forfeiture and other payments at the time of his guilty plea.


The investigation of the case was conducted by the U.S. Food and Drug Administration – Office of Criminal Investigations and the Virginia Department of Health Professions. Assistant United States Attorney Randy Ramseyer prosecuted the case for the United States.


Component(s): USAO – Virginia, Western