This week on Lock and Code, we discuss the various laws that can be violated when good-faith hacking reveals security flaws. 
The post When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14 appeared first on Malwarebytes Labs.

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but it also for many of the legal threats that hackers face from big companies that want to squash their research.

The fears are not entirely unfounded.

In 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI’s recently announced bug bounty program, Finisterre took his findings directly to the drone maker. But, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.

Though DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today’s episode of Lock and Code, even the threat itself can destabilize a security researcher.

> “\[It\] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don’t play ball, and the pressure that a large company like that can bring to bear on an independent researcher.”
> 
> Harley Geiger

Today, on the Lock and Code podcast, we speak with Geiger about other hacking laws can be violated when conducting security researcher, how hackers can document their good-faith intentions, and the Department of Justice’s recent decision to not prosecute hackers who are only hacking for the benefits of security.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

When good-faith hacking gets people arrested, with Harley Geiger: Lock and Code S03E14

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

British software engineer also talks HTTP/3, zero trust, and lava lamp-powered cryptography

INTERVIEW The hegemony of CAPTCHAs, the reliably infuriating means by which websites distinguish human users from bots, is – mercifully – in peril.

John Graham-Cumming, chief technology officer (CTO) at web security and performance specialist Cloudflare, tells The Daily Swig that an alternative technology developed by Cloudflare, Apple, Google, and others eliminates the friction and privacy infringements involved in clicking squares that contain bicycles, vans, or traffic lights.

RELATED WWDC 2022: Apple showcases next-gen security tech at annual developer event

Incidentally, CAPTCHAs – or ‘Completely Automated Public Turing Tests to tell Computers and Humans Apart’ – reference the legendary computer scientist Alan Turing, who received a posthumous apology from the UK government in 2009 following an online campaign by Graham-Cumming.

Graham-Cumming, the POPFile architect who shares with fellow Brit Turing a remarkable mathematical acuity, also talks HTTP/3, ‘zero trust’ architecture, the distributed denial-of-service (DDoS) landscape, and novel ways to generate random, cryptographic numbers.

Daily Swig: Last month Cloudflare announced Private Access Tokens, a technology that leverages ‘private attestation’ to offer an alternative to CAPTCHAs. What drove the decision to focus on this area of authentication?

John Graham-Cumming: Does anybody like CAPTCHAs? They're the most frustrating thing ever, and are often used across websites, so can potentially be used for tracking.

We’ve driven down our use of CAPTCHAs over time by replacing them with other methods.

Private attestation demonstrates that you are essentially coming from a known device. Apple knows who I am, what I use my device for, and they are able to say to a website, ‘This is a legit human, the device hasn't been hacked’.

And private attestation uses a bunch of clever cryptography to prove that you are legit without Apple saying who you are. We think this is going to remove CAPTCHAs in a way that preserves people’s privacy.

Unveiled at WWDC 2022, will Private Access Tokens become the CAPTCHA-killer?

DS: Cloudflare has also just added new capabilities to its network-as-a-service zero trust platform, Cloudflare One. How important is the move to zero trust architecture and is it happening quickly enough?

JGC: Businesses used to keep their employees, servers, and applications inside heavily guarded walls. If you needed to travel, there were VPNs.

But the castle walls got stormed from the inside out when applications started moving out of the business with SaaS, the cloud, and mobile devices. Suddenly the castle walls didn’t make sense.

‘Zero trust’ provides a much more flexible and less expensive \[alternative\] and Cloudflare has been a player in this space for a long time.

Before the pandemic we announced Cloudflare for Teams, which allows teams to work remotely, and we launched zerotrustroadmap.org to help businesses plan out which applications are going to be outside and inside the firewall, how you connect, \[and\] who you connect \[with\].

I think that businesses are, by and large, on a journey towards zero trust. Some are more advanced, some are less advanced. The US federal government has talked about zero trust as the right architecture.

RELATED US government’s ‘zero trust’ roadmap calls time on perimeter-based paradigm

It reflects how we work, and Covid just accelerated this trend because suddenly everybody was at home and needed access.

How significant was the recent news that the HTTP/3 protocol received RFC 9114 standardization?

JGC: About 25% of traffic on Cloudflare already uses HTTP/3, and major browsers are implementing it very quickly, so it’s clearly getting taken up very quickly.

It’s fantastic to see this level of innovation because we depend on HTTP for pretty much everything we do online.

There was a very long standardization process between HTTP/1.1 and HTTP/2, so the fact HTTP/3 was able to follow on quite quickly is a sign that we really are continuing to innovate at fundamental levels on the internet.

What important trends are you seeing when it comes to defending your clients against DDoS attacks?

JGC: Attackers don’t just go after the front door anymore – knocking your website offline. Now attackers are more business-like, especially in ransom-related DDoS where they might go after your DNS, email server, or VPN servers.

Read more cybersecurity interviews

Second, although there are still very large attacks at the network level, there has been a rise at the application level. And I think this is partly because we’ve got very good at defending against network-level attacks.

We’ve also seen more use of cloud providers as the source of attacks. I think this is partly to get the request-per-second up really high, because you get more compute power, and because everything on the web is becoming HTTPS, then attacks are also running over HTTPS and that’s more expensive for the attacker.

Cloudflare’s John Graham-Cumming: ‘We really are continuing to innovate at fundamental levels on the internet’

What inspired Cloudflare’s use of lava lamps to generate random numbers for SSL encryption?

JGC: It’s part \[practically useful\] and part art project. You can generate random numbers in all sorts of ways using different physical processes. Radioactivity is a classic one \[as ripening bananas can demonstrate\] and there are interesting quantum things.

Catch up with the latest encryption security news

In London we have a wall of double pendulums, because it turns out that a pendulum attached to a pendulum moves in a very unpredictable way.

We wanted to make the point that randomness is fundamental to keeping things secure online, but computers are not fantastic at creating random numbers. You, me, and everybody else have been told over and over again not to pick easy-to-guess passwords – which is a way of saying ‘pick random passwords’.

Cloudflare has evolved considerably since its foundation in 2009 as an email spam protection platform. How might it continue to evolve in the coming months or years?

JGC: Fundamentally, Cloudflare makes things that are connected to the internet faster, more available, more secure, and more private.

Our product roadmap is really about bringing those attributes to internet-connected things across our application services, CDN \[content delivery network\], DDoS, network services, and our compute platform, Cloudflare Workers.

We recently acquired an email protection company called Area 1, so email is becoming a big area for us.

Don't forget email – it’s old, but it’s still important. Something like 80-90% of security problems at companies start with email, through phishing and stuff like that.

What are you most proud of in your career and why?

JGC: Having built Cloudflare up from having 20-something people to making a real impact on everybody’s use of the internet in terms of security and performance is probably the most satisfying thing.

And doing that with a curious, empathic, open culture is very satisfying.

Everybody always asks me about the Alan Turing thing. I’m glad I did it, but it feels like a long time ago now!

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

‘Does anybody like CAPTCHAs?’ – Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

DouPHP version 1.2 Release 20141027 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : DouPHP v1.2 Release 20141027 SQL Injection Vulnerability                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0(32-bit)                                              | | # Vendor    : https://www.douphp.com/                                                                                            |  | # Dork      : "Powered by DouPHP"                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/products_in.php?id=33 <====| inject here[+] http://127.0.0.1/admin/ <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

DouPHP 1.2 Release 20141027 SQL Injection

Gardeners know that worms are good. Cybersecurity professionals know that worms are bad. Very bad. In fact, worms are literally the most devasting force for evil known to the computing world. The MyDoom worm holds the dubious position of most costly computer malware ever – responsible for some $52 billion in damage. In second place… Sobig, another worm.
It turns out, however, that there are

Gardeners know that worms are good. Cybersecurity professionals know that worms are _bad_. Very bad. In fact, worms are literally the most devasting force for evil known to the computing world. The MyDoom worm holds the dubious position of most costly computer malware _ever_ – responsible for some $52 billion in damage. In second place… Sobig, another worm.

It turns out, however, that there are exceptions to every rule. Some biological worms are actually not welcome in most gardens. And some cyber worms, it seems, can use their powers for good …

****Meet Hopper, The Good Worm****

Detection tools are not good at catching non-exploit-based propagation, which is what worms do best. Most cybersecurity solutions are less resilient to worm attack methods like token impersonation and others that take advantage of deficient internal configurations - PAM, segmentation, insecure credential storage, and more.

So, what better way to beat a stealthy worm than with … another stealthy worm?

And thus was born Hopper! Hopper is a real worm, with command and control, built-in privilege escalation, and many more of wormkind's most devious capabilities. But contrary to most worms, _Hopper was built to do good_. Instead of causing harm, Hopper tells its White Hat operators where and how it succeeded in infiltrating a network. It reports how far it got in, what it found along the way, and how to improve defenses.

****Up Close and Personal with Hopper****

The development team at Cymulate based Hopper on a common malware stager – a small executable that serves as an initial payload, with its primary objective being to prepare a larger payload. Our stager also serves as a PE packer, a program that loads and executes programs indirectly, usually from a package.

Hopper's stager was written in such a way that the initial payload doesn't have to be changed if we make an update to Hopper. This means that excluding hashes on every update turned into history, and Hopper users only need to exclude the stager's hash once. Writing the stager in this way also opened up the path for executing other tools that Hopper needs.

To maximize Hopper's flexibility, our team added different initial execution methods, additional communication methods, various ways to fetch the first stage payload, different injection methods, and more. And, to create a very stealthy worm, we need to allow for maximum customization of stealthy features, so we made configurations almost entirely operator-controlled:

*   **Initial payload configuration** – fully configurable execution methods including executables, libraries, python scripts, shellcodes, PowerShell scripts, and more
*   **First stage payload configuration** – customizable package fetching methods and package injection methods (for example, reflective injection)
*   **Second stage beacon configuration** - tailored communication channels, keep alive timing and timeout, and jitter
*   **API** – over the air addition of new capabilities to allow easier future expansion of capabilities, including communication methods, spread methods, and exploits

****Execution, Credential Management, and Spreading****

Hopper's initial execution is in-mem and in stages. The first stage is a small stub with limited capability. This stub knows how to run a more significant piece of code instead of containing the code within itself - making it harder to flag this as a malicious file. For privilege escalation, we chose different UAC bypass methods, exploiting vulnerable services such as Spooler and using misconfigured services or autoruns to gain privilege elevation or persistency. The idea here is for Hopper to use the minimum privileges needed to achieve its goals. For example, if a machine provides user access to our target machine, Hopper might not need to elevate privileges to spread to that target machine.

Hopper features centralized credentials management, which enables it to distribute credentials between Hopper instances by necessity - meaning that all Hoppers have access to credentials collected, eliminating the need to duplicate the sensitive credentials database across other machines.

To spread, Hopper prefers misconfigurations over exploits. The reason? Exploits can potentially crash systems, they stand out more and are easily identified by IPS/network monitoring products and EDR products. Misconfigurations, on the other hand, are not easily detected as malicious activity. For example, Active Directory misconfigurations may lead a user to gain access to a resource that he or she should not have had access to, and therefore lead to spreading. Similarly, software misconfigurations may allow a user to execute code remotely and therefore lead to spreading.

****Stealth and C&C Communications****

The Cymulate team chose in-memory execution for Hopper, since encrypting malware code in-memory once no longer in use can disrupt EDR products' ability to fingerprint in-memory content. Moreover, in-memory execution uses direct system calls instead of API calls, which may be monitored by EDR products. If Hopper does need to use API functions, it detects and unloads EDR hooks before doing so.

To maintain stealth, Hopper communicates with Command and Control during working hours by masking the activity with normal working hour activity in random timing patterns. It also communicates only with allow-listed servers or servers that aren't considered malicious, like Slack channels, Google Sheets, or other public services.

****The Bottom Line****

To preempt worm attacks, a White Hat worm-like Hopper is an ideal solution. By seeing the network from a worm's perspective, so to speak, Hopper turns the worm's greatest advantage to the _defender's greatest advantage_.

Note: This article is written and contributed by Yoni Oren, Team Leader, Senior Security Researcher and Developer at Cymulate.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Some Worms Use Their Powers for Good

To celebrate Independence Day we're drawing attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet. 
The post 5 pro-freedom technologies that could change the Internet appeared first on Malwarebytes Labs.

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to our freedom on the horizon.

It doesn’t have to be that way though, and it is not inevitable that the trend will continue. To celebrate Independence Day we want to draw your attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet.

The technologies are listed in a rough order of simplest, soonest, and most likely to happen, to most complex, furthest out, and least likely to happen.

**DNS encryption**

DNS encryption plugs a gap that makes it easy to track the websites you visit.

The domain name system (DNS) is a distributed address book that lists domain names and their corresponding IP addresses. When you visit a website, your browser sends a request to a DNS resolver, which responds with the IP address of the domain you’re visiting. The request is sent in plain text, which is the computer networking equivalent of yelling the names of all the websites you’re visiting out loud.

Anyone, or anything, on the same local network as you can see your DNS lookups, as can your ISP, which will happily sell your browsing history to the highest bidder. And any machine-in-the-middle (MitM) attackers between you and the DNS resolver—such as rogue Wi-Fi access points—can also silently change your plain text DNS requests and use them to direct you to malicious websites.

DNS encryption restores your privacy by making it impossible for anything other than the DNS resolver to read and respond to your queries. You still have to trust the resolver you send your requests to, but the eavesdroppers are out in the cold.

DNS encryption is new, and still relatively rare, but it is supported natively by modern versions of Windows, macOS, Android, and iOS, as well as a number of different DNS clients, proxies and applications, including the DNS Filtering module for the Malwarebytes Nebula platform. It’s ascendancy seems assured.

**Passwordless authentication**

Passwordless authentication could usher in a world where we no longer rely on passwords, and that could be an enormous, unabashed win for security and peace of mind. The trouble is, that has been true for a _very long time indeed_, and it hasn’t happened yet.

There is reason to hope that things are finally about change though.

Passwords are a great idea in theory that fail horribly in practice. Humans are poorly equipped to create and remember them, and demonstrably poor at building systems that handle them securely. And yet almost every Internet account requires one. The inevitable result is an epidemic of poor passwords and an entire criminal industry preying on them with relentless automated attacks.

For a long time, the successor to the password was widely presumed to be some form of biometric authentication—such as face or fingerprint recognition—but nobody could agree which one. With multiple novel, competing, costly, and incompatible alternatives, passwords remained the clear winner.

The solution to that gridlock was FIDO2.

FIDO2 is a specification that uses public key encryption for authentication. This allows users to log in to websites without sharing a secret that needs to be secured like a password. There is nothing for a programmer to secure, nothing for an attacker to guess, and nothing that can be stolen in a data breach.

The sensitive encrpytion work all happens on a device owned by the user, which can be a specialist hardware key, a phone, a laptop, or any other compatible device. FIDO2 doesn’t specify what the device is, or how it should be secured, only that a user must make a “gesture” to approve the authentication. This leaves device manufacturers free to use whatever “gesture” works best for them: PIN numbers, swipe patterns, and any and all forms of biometrics. The end result is a technology that allows you to log in to a website securely using Windows Hello, Apple’s Touch ID, and any number of other methods that exist now or could be created in the future.

Passwordless authentication is possible today but still extremely rare. However, it took a big step forward in May this year when Google, Microsoft, and Apple made simultaneous, coordinated pledges to increase their adoption of the FIDO2 standard.

**Onion networking**

Onion networking, the technology behind Tor and the “dark web”, has been around for twenty years, so it might seem an odd candidate for an emerging technology that could change everything—but what if that’s just because we’ve been thinking about it the wrong way?

Tor is a network of servers that allows software clients (like web browsers) and services (like websites) to communicate securely and anonymously. Although the software is extremely good at what it does, today it services a narrow niche of users who put privacy and security above all, and it has become strongly associated with ransomware, illegal drug markets, and other forms of unsavoury criminal activity.

According to security evangelist Alec Muffett, we are overlooking a very important aspect of this technology though. Muffett was previously a security engineer at Facebook, where he was responsible for putting the social network on Tor. Speaking to David Ruiz on a recent Malwarebytes Lock and Code podcast, he explained how he sees Tor as “a brand new networking stack for the Internet” that can “guarantee integrity, and privacy, and unblockability of communication.”

Every Tor address is also the cryptographic public key of the service you want to talk to. For example, the Facebook address is:

www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

Having the public key act as the address provides cryptographic assurance that you are talking to the service you want to talk to, bypassing several layers of the OSI model, and cutting out fundamental Internet vulnerabilities, such as BGP hijacking.

We should stop thinking about Tor as just an anonymity tool, says Muffet. It should be attractive to anyone who cares about the integrity of their brand and what it has to say:

> If you are in the position of providing a forum, a messenger service, or news to a mass public … where your brand name is a really important part of your value proposition, then onion networking is for you, because you can make sure that no one can mess with your traffic.
> 
> Alec Muffet speaking to Lock and Code.

Although mainstream organizations like The New York Times, Pro Publica, Facebook, and Twitter have already embraced Tor, having a .onion site is still very much the exception. In all likelihood, it will take something quite dramatic to change that, but that doesn’t mean it can’t happen.

In 2013, Edward Snowden’s revelations about pervasive Internet surveillance triggered a huge gobal effort to make encrypted web traffic the norm, rather than the exception.

A similar stimulus today could tip onion networking from its niche into the mainstream.

**Cryptocurrencies**

People may be surprised to see cryptocurrencies appearing in our list. If cryptotrading sites are naming stadia and buying superbowl ads then cryptocurrencies are already mainstream and hardly a technology for the future, surely.

Its presence near the bottom of our list tells you that isn’t how we see it.

Cryptocurrencies face a number of cyclone-force headwinds, starting with the current, across-the-board, price crash. The market cap of the biggest currencies, Bitcoin and Ether, is shrinking fast, and some cryptocurrencies have already disappeared completely; the free flow of venture capital money is likely to dry up; there are issues with scalability, scams, rug pulls, thefts from exchanges, and environmental damage; and the pseudo-anonymity blockchains provide is challenged by our ever-improving capacity to identify patterns in payments.

More importantly, from the perspective of _life, liberty, and the pursuit of happiness_, almost nobody is using these currencies as actual currencies—nobody is paid in Bitcoin, and nobody is using Ether to buy groceries. Remember, Bitcoin was supposed to be a peer-to-peer electronic cash system not a vehicle for speculative trading.

So why is it on our list at all?

For all the reasons to dislike them or write them off, cryptocurrencies are hard to ignore. At its core, the original cryptocurrency, Bitcoin, was supposed to be a trustless, borderless payment system that was built on top of the Internet.

> What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
> 
> “Satoshi Nakamoto”, from Bitcoin: A Peer-to-Peer Electronic Cash System

It was a vision of what freedom might look like in the digital age.

That desire for freedom propelled Bitcoin it in its early days, and the attractiveness of a private, peer-to-peer currency is undimmed, even if nobody has managed to actually build one that works yet.

The current crash will pass and the strongest ideas and technology will survive. We suspect that Satoshi’s original vision will be one of them, even if Bitcoin isn’t.

**Homomorphic encryption**

The cornerstone of digital privacy, security, and freedom is encryption, and the last item in our list is one of its holy grails: Encryption that never needs to be undone.

Encryption protects your data if your phone is stolen, and it makes your emails, credit card details, and WhatsApp messages tamper proof as they whizz around the Internet. And it’s what underpins all of the other things in our list.

And all of the examples above have something in common: They are either examples of encryption that’s used to protect data at rest, or data that’s in transit. Moving or storing data only gets you so far though, sooner or later it has to be used. It can’t be used unless it’s decrypted, and you need to trust whatever system has access to that decrypted data.

Homomorphic encryption algorithms allow mathematical operations to be performed on encrypted data, so that it doesn’t need to be decrypted at all, ever, even when it’s being used.

The result of performing a mathematical operation on the encrypted data is the same as if the data was decrypted, subject to a mathematical operation, and the answer encrypted.

This incredible act of needle threading needs to ensure that you can’t learn anything about the data from the ciphertext (the encrypted version of the data), and that you can’t learn anything at all about it by observing the mathematical operations performed on it.

If you had access to homomorphic encryption you wouldn’t have to trust anyone you share your data with, whether they are the vendors in your organization’s supply chain, or your favorite, data-hungry social network.

Almost unbelievably, homomorphic encryption algorithms already exist. The reason you don’t have access to their almost magical properties though is that they are prohibitively slow. It currently takes days for them to perform actions that we expect to take seconds.

Although slow, these algorithms are already millions of times quicker than they were just a few years ago. And while that rate of improvement will surely decelerate, the processing power of computers is still doubling every few years.

At some point in the not-too-distant future, when these two trends meet, it could change how we think about trust and freedom in the digital age completely.

5 pro-freedom technologies that could change the Internet

A new bill proposes the strongest Federal data privacy protections yet for reproductive and sexual health data.
The post My Body, My Data Act would lock down reproductive and sexual health data appeared first on Malwarebytes Labs.

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data.

The “My Body, My Data Act of 2022” was announced in early June in response to a leaked draft of a Supreme Court opinion that reported to show the Court’s intentions to overturn a seminal decision from 1973 that guaranteed a Constitutional right to have a choice to an abortion. Congresswoman Sara Jacobs (D-CA), sponsor of the bill in the House of Representatives, said in a press release that she was focused on protecting reproductive health data in light of the new,  judicial threat.

“Since the Supreme Court leak, I’ve heard from so many people who are panicked about their personal reproductive health data falling into the wrong hands,” Jacobs said. “The My Body, My Data Act will protect that information, protect our privacy, and reaffirm our rights to make our own decisions about our bodies.”

The bill, which has 46 cosponsors in the House and 11 cosponsors in the Senate, would stop companies from collecting, using, retaining, and disclosing “personal reproductive or sexual health information” unless a company first receives express consent from a user or if a company is using such information to specifically deliver a service that a user has requested. The bill’s definition of “personal reproductive or sexual health information” is broad, including any information that could reveal a person’s attempts to “research or obtain” reproductive health services, any reproductive or sexual health conditions, such as pregnancy, menstruation, and whether a person is sexually active, and any information about procedures that a person has undergone related to reproductive or sexual health.

If passed, the bill would also extend new rights to consumers to access and delete personal reproductive or sexual health information from the companies that collect it.

Since the bill’s announcement last month, it has only gained more attention.

On June 24, the Supreme Court decided in the case _Dobbs v. Jackson Women’s Health Organization_ that the right to an abortion, which was guaranteed under a right to privacy as decided in 1973, was not “deeply rooted in this Nation’s history or tradition.” Voting 6 – 3, the Court overturned _Roe v. Wade_.

With the Court’s decision, immediate fear arose that reproductive health data could be requested by law enforcement only to be used as evidence to prosecute individuals seeking abortions—or even those who miscarried. The Digital Defense Fund responded to the Court’s decision by updating its resources on how individuals can keep their reproductive health decisions both private and secure. The group’s resources include a section on keeping reproductive health data out of the hands of “Big Tech.”

Further, several period-tracking apps independently announced efforts to anonymize user data so that even if law enforcement requested data about certain users, those companies could not respond in a meaningful way. Users have reportedly flocked to period-tracking apps that are making these promises, but as TechCrunch recently uncovered, one such company that announced new, pro-user plans last week—Stardust—was still sharing users’ phone numbers with third parties.

> “TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.”

TechCrunch also reported that Stardust’s efforts to bring “end-to-end encryption” were potentially faulty, as the company’s founder described a data transfer process that may only provide encryption for data in transit and for data that is stored on Amazon’s web servers.  

The period-tracking app morass is familiar, then: Once again, users in America of any number of services are left to independently manage their interactions with companies that could be sharing their data with an immeasurable number of third parties which, to most consumers, are entirely unknown.

The My Body, My Data Act could change that, requiring new restrictions not on how data is technologically stored, but on whether such data is ever collected in the first place.

The bill also includes what is called a “private right of action,” meaning that consumers who have had their privacy rights violated under the law could be able to sue individual companies for those violations. The inclusion of a private right of action is exceedingly rare in nearly any data privacy law that has been introduced in both statewide legislation and before the Federal government.

The bill is currently supported by Planned Parenthood, NARAL, National Abortion Federation, URGE, National Partnership for Women & Families, and Feminist Majority.

My Body, My Data Act would lock down reproductive and sexual health data

Plus: Indian hacker-for-hire groups, Chinese student espionage efforts, and more.

Your car is a data gold mine. Each trip you make produces a lot of data—from your location to your use of infotainment systems—and car manufacturers are getting better at using this information. One 2019 analysis found cars could generate up to 25 gigabytes of data per hour. As companies refine their ability to mine this data, your car could prove to be the next national security threat. This week, the Chinese town of Beidaihe banned Teslas from its streets as the country’s Communist party leaders gather in the area. One possible reason for the ban is that the cars could reveal sensitive details about China’s most senior figures.

Elsewhere, German mobile providers are testing “digital tokens” as a way to serve up personalized advertising on people’s phones. The trial of TrustPid by Vodafone and Deutsche Telekom generates pseudo-anonymous tokens based on people’s IP addresses and uses them to show personalized product recommendations. The move has been likened to “supercookies,” which have previously been used to track people without their permission. While Vodafone denies the system is akin to supercookies, privacy advocates say it is a step too far. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” privacy researcher Wolfie Christl told WIRED.

In other stories this week, we’ve rounded up the critical updates from Android, Chrome, Microsoft, and others that emerged in June—you should make those updates now. We also looked at how the new ZuoRAT router malware has infected at least 80 targets worldwide. And we detailed how to use Microsoft Defender on all your Apple, Android, and Windows devices.

But that’s not all. We have a rundown of the week’s big security news that we haven’t been able to cover ourselves. Click on the headlines to read the full stories. And stay safe out there.

California’s gun database, dubbed the Firearms Dashboard Portal, was meant to improve transparency around the sale of weapons. Instead, when new data was added to it on June 27, the update proved to be a calamity. During the planned publication of new information, the California Department of Justice made a spreadsheet publicly accessible online and exposed more than 10 years of gun owner information. Included in the data breach were the names, dates of birth, genders, races, driver’s license numbers, addresses, and criminal histories of people who were granted or denied permits for concealed and carry weapons between 2011 and 2021. More than 40,000 CCW permits were issued in 2021; however, California’s justice department said financial information and Social Security numbers weren’t included in the data breach.

While the spreadsheet was online for under 24 hours, an initial investigation appears to indicate that the breach was more widespread than initially thought. In a press release issued on June 29, the Californian DOJ said other parts of its gun databases were also “impacted.” Information contained in the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards may have been exposed in the breach, the department said, adding that it is investigating what information could have been revealed. Responding to the data breach, the Fresno County Sheriff’s Office said it was “worse than previously expected” and that some of the potentially impacted information “came as a surprise to us.”

Indian hacker-for-hire groups have been targeting lawyers and their clients across the globe for the better part of a decade, a Reuters investigation revealed this week. Hacking groups have used phishing attacks to gain access to confidential legal documents in more than 35 cases since 2013 and targeted at least 75 US and European companies, according to the report, which is partly based on a trove of 80,000 emails sent by Indian hackers over the past seven years. The investigation details how hack-for-hire groups operate and how private investigators take advantage of their ruthless nature. As Reuters published its investigation, Google’s Threat Analysis Group made public dozens of domains belonging to alleged hack-for-hire groups in India, Russia, and the United Arab Emirates.

Since 2009, the Chinese hacking group APT40 has targeted companies, government bodies, and universities around the world. APT40 has hit countries including the United States, United Kingdom, Germany, Cambodia, Malaysia, Norway, and more, according to security firm Mandiant. This week, a _Financial Times_ investigation found that Chinese university students have been tricked into working for a front company linked to APT40 and been involved in researching its hacking targets. The newspaper identified 140 potential translators who had applied to job ads at Hainan Xiandun, a company allegedly linked to APT40 and named in a US Department of Justice indictment in July 2021. Those applying for jobs at Hainan Xiandun were asked to translate sensitive US government documents and appear to have been “unwittingly drawn into a life of espionage,” according to the story.

In 2021, North Korean hackers stole around $400 million in crypto as part of the country’s efforts to evade international sanctions and bolster its nuclear weapons program. This week, investigators started linking the theft of around $100 million in cryptocurrency from Horizon Bridge, on June 23, to North Korean actors. Blockchain analysis firm Elliptic says it has uncovered “strong indications” that North Korea’s Lazarus Group may be linked to the Horizon Bridge hacking incident—and Ellipictic is not the only group to have made the connection. The attack is the latest in a string against blockchain bridges, which have become increasingly common targets in recent years. However, investigators say the ongoing crypto crash has wiped millions in value from North Korea’s crypto heists.

Gun Database Breach Leaks Details on Thousands of Owners

LockBit remained the most active threat in June, and “the costliest strain of ransomware ever documented” went dark while others surged.
The post Ransomware review: June 2022 appeared first on Malwarebytes Labs.

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In June, LockBit was the most active ransomware, just as it has been all year. The month was also notable for the disappearance of Conti, and the large number of attacks by groups alleged to have links with the disbanded group.

The service industry remained the hardest hit industry sector, and the USA the most attacked country. The number of attacks in the USA continued to dwarf other countries, with more known victims than Canada and all the European countries in our list combined.

Known ransomware attacks by group, June 2022

Known ransomware attacks by country, June 2022

Known ransomware attacks by industry sector, June 2022

**LockBit**

Without fanfare, LockBit has become the dominant force in ransomware this year. Although there were fewer victims on its leak site in June than in May, it was still far ahead of its competition.

While Conti—“the costliest strain of ransomware ever documented,” according to the FBI—has spent 2022 making noisy pronouncements and digging itself out of a hole of its own making with a hair-brained scheme to fake its own death, LockBit has been all business.

Like all the ransomware in our review, LockBit is offered in the form of ransomware-as-a-service (RaaS). Attacks are carried out by affiliates (“pen testers”) who pay the LockBit organization 20 percent of the ransoms they receive in return for using its software and services.

And while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think. Its affiliate page begins with a statement that seems designed to contrast it with its nosiy Russian rival:

> We are located in the Netherlands, completely apolitical and only interested in money.

Thereafter the page is peppered with people-pleasing language designed to signal the gang’s trustworthiness and willingness to listen. Affiliates are asked “if you do not find one of your favorite features, please inform us,” and told that “it is very important for us to know about all our strengths and weaknesses.” It says “we have never cheated anyone and always fulfill our agreements. Decrypter work, stolen data is deleted”

It is this combination of attractiveness to affiliates and an ability to avoid costly mistakes that seems to be behind its success this year.

This risk averse approach is nothing new. Out of an abundance of self interest, ransomware has always conspicuously avoided attacking targets in Russia and the Commonwealth of Indpednent States, for example. Attracting the attention of the three-letter agencies in Russia and the USA is simply bad for business.

Unusually, LockBit hit the headlines in June with some obvious publicity seeking. The gang launched LockBit 3.0, along with a new dark web site, and a bug bounty program promising rewards of up to $1 million for finding bugs in its website and software, submitting brilliant ideas, or successfully doxing the head of the gang’s affiliate program.

The LockBit 3.0 bug bounty page

> We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million.

Whether the group seriously intends to pay out these sums remains to be seen. If all it wanted from the announcement was to drum up some publicity, it has already succeeded. However, if it does intend to use bug bounties it improve its software and sharpen its approach then it could deprive law enforcement and security researchers of valuable tools and information.

**Conti**

As expected, the last public vestige of the Conti ransomware gang, its leak site, disappeared in June, after a few weeks of inactivity. As we reported in last month’s ransomware review, detailed research by Advintel in May suggested that the gang’s alignment with the Russian state in February had caused victims’ lawyers to warn against paying it ransoms, for fear of breaking sanctions.

When the group’s revenue dried up its leaders allegedly hatched a plot to retire the brand by dispersing its members into other ransomware gangs like BlackBasta, BlackByte, KaraKurt, Hive and ALPHV, and then faking its own death.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The leak site disappeared on June 22, 2022, and remains down.

The Conti leak site on June 22, 2022

The Conti shutdown has overlapped with the overnight arrival of BlackBasta in April and a big increase in activity (and the appearance of a new leak site) by KaraKurt in June. It may be a coincidence, but we note that last month the combined activity of BlackBasta, BlackByte, and KaraKurt reached Conti-like levels.

Known attacks involving Conti compared to known attacks involving alleged Conti “brands” BlackBasta, BlackByte, and KaraKurt

The resurgent KaraKurt extortion group has a new leak site

**Trends**

Most software, even malware, trends towards “feature completeness”—a point where adding new features adds little, if anything, to its usefulness. Ransomware has been more-or-less feature complete for a number of years, and most RaaS offerings have very similar capabilities.

Similarly, the way that ransomware is packaged and sold, and the ways that different affiliates break into networks and deploy ransomware vary little from one ransomware group to another, and evolve slowly.

The most active area of innovation in the last few years appears to be how gangs operate as a business, and in how they put pressure on victims to pay a ransom.

In June we saw some things we haven’t seen before: The LockBit gang offering bug bounties, and a leak site by the ALPHV group aimed at the staff and customers of a victim.

At least one ransomware gang has tried targeting executives at the top of companies in an effort to ramp up the pressure, but ALPHV’s targeting of employees and customers with a dedicated website is new. The site allowed guests and employees to explore the personal data ALPHV had stolen from them in the attack and, very unusually, the leak site was _not_ on the dark web.

A leak site dedicated to one victim, a hotelier, allowed guests and employees to explore the data about them that had been stolen

By putting the site on the regular web the gang made the infrmation much more accessible to non-technical users, but without the protection of Tor it only lasted a few days before being taken down. The gang would certainly have known this would happen, but presumably it only had to last long enough to gather the attention it needed in order to impact negotiations.

The experimental ALPHV leak site appeared on the regular world wide web and was even indexed by Google

Such innovation is nothing new—ransomware gangs experiment with new ideas all the time. The experiments that don’t work are forgotten and those that do are quickly copied by other gangs.

In this case the experiment appears to have been unsuccessful. The victim has since appeared on the main ALPHV dark web leak site, which normally indicates they have resisted the pressure to pay a ransom.

**Malwarebytes protection**

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware review: June 2022

By Deeba Ahmed
Tech Inquiry’s Jack Paulson has shared startling details about a 3-year contract between the US Department of Homeland…
This is a post from HackRead.com Read the original post: Report Claims Coinbase Selling User Geolocation Data to ICE

According to the contract details accessed by Tech Inquiry’s researcher, under this $1.36 million contract, Coinbase’s Coinbase Tracer (previously Coinbase Analytics) will provide crypto users’ data to the US Immigrations and Customs Enforcement agency (ICE), DHS’s law enforcement wing.

Coinbase Tracer is an intelligence collecting tool with numerous forensic data monitoring features.

**Details of Contract between ICE and Coinbase**

As per the **report** of watchdog group Tech Inquiry, Coinbase Tracer shares sensitive data of crypto users with the ICE, including transaction history and geolocation. This contract was previously known as a three-year deal between Coinbase and ICE.

Tech Inquiry managed to access this contract and identified that the crypto exchange offers the ICE a “suite of features” that allow the department to track its customers. For your information, this deal was signed in September 2021.

ICE needs Coinbase Tracer to track fraudulent and malicious blockchain transactions. This tool allows the agency to “connect addresses to real-world entities,” The Intercept **explained**. Now, ICE can track transactions made via over a dozen different cryptocurrencies, including Bitcoin, Tether, and Ether.

It is worth noting that under the Freedom of Information Act, the ICE doesn’t need to enter an End User License Agreement with Coinbase, which means that the agency has broad discretion over how they utilize the data tracking tool.

**Coinbase Response**

In an email, Hackread.com was presented with the following statement from CoinBase:

> As explained on our website, Coinbase Analytics, now Coinbase Tracer, is a compliance solution that Coinbase offers to governments, financial institutions, and crypto businesses. It enables them to investigate financial crimes including money laundering and terrorist financing**.** All Coinbase Tracer features use data that is fully sourced from online, publicly available data, and does not make use of Coinbase user data.”

Furthermore, on Twitter, the crypto exchange denied selling “proprietary customer data” and stated that its Coinbase Tracer tool helps authorities investigate financial crimes including terror financing and money laundering with the help of publically available sources rather than using its customers’ data.

> 2/ Our Coinbase Tracer tools are designed to support compliance and help investigate financial crimes like money laundering and terrorist financing. Coinbase Tracer sources its information from public sources, and does not make use of Coinbase user data. Ever.
> 
> — Coinbase (@coinbase) June 30, 2022

**More Location Sharing Topics**

*   US Secret Service used ‘Locate X’ to track user location
*   Apple, Google to ban X-Mode’s location tracking apps from stores
*   Google collects Android location data even if the location service is off
*   Norwegian researcher exposes how a US firm collected his location data
*   Generation Z least likely to share their location data with the government

Report Claims Coinbase Selling User Geolocation Data to ICE

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.



New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

Closed

**SSRF #115**

keworr opened this issue

May 25, 2022

· 17 comments · Fixed by #117

**Comments**

**Describe**  
There is a way to bypass your regex to validate private & local networks.

If we use http://127.0.0.1/ or http://localhost/ to link preview, we don't see it (Error: link-preview-js did not receive a valid a url or text), but if we use a domain that resolved to 127.0.0.1, we can. For example: localtest.me resolved to 127.0.0.1 (localhost), i.e. If you 'curl localtest.me', you'll see your localhost.

Similarly we can read any other private & local address, any port.

**To Reproduce**  
Steps to reproduce:

1.  Find domain that resolved to private address with reverse ip lookup or use localtest.me (127.0.0.1) or devhead.net (127.0.0.1 + 192.168.1.1 + 192.168.0.1).
2.  Write it to getLinkPreview.
3.  Done. You see your local domain.

**Screenshots**  

Which version are you using? At some point, someone submitted a PR to patch redirections, by default it should not follow any.

I don't quite get what is the issue though... these sites seem to register the loopback address on DNS level. Even curl returns the data of the directory, then it also means that curl has an SSRF vulnerability?

The regex is not a security feature, it's only a way to detect links in the text. As stated, the library does not follow redirections by default.

#105

But you accepted same SSRF here - #105?

I really don't understand what you mean. In that issue, the author submitted a PR not to follow redirects, which is now the default behavior. The same author complained that it is possible to pass the regex with a localhost url, like I said, the regex is not meant to be a security feature, it is only there for link detection. Once the url is passed to the fetch library, there is no way to re-validate the url (even if the regex was meant to do that, which it is not) . On the other hand, I already showed you that curl also has this same behavior, because the domains you send use the localhost address on a DNS level, so that means (as far as I can see) that there is no SSRF vulnerability, this is just the expected behavior.

Copy link

Author

** **keworr** commented May 25, 2022 •**

Redirects were disabled in that issue because it allows to read local hosts, right?  
And my way also allows to read local hosts?  
idk what is different

Yes, curl by default allow same, also curl allow requests as curl file:///etc/passwd by default, SMB requests, FTP, etc. Also e.g. any browsers allow redirects by default, but you disabled it.

I just saw that issue and thought that SSRF is sensitive here, if not - ok.

redirects were disallowed not because localhost, but because redirections are by default insecure. Your way allows to reach localhost, not because the library is doing something wrong, but because the domains you provided loopback to localhost **on the DNS level**, they are not intercepting the request and redirecting, they are straight up returning 127.0.0.1 when their DNS address is resolved. There is nothing I can do about that.

@ospfranco first of all i install lastest version of package for testing my local machine and cant see followRedirects option in source could there be a problem with npm? can you check please

Second of all i agree with @keworr this vulnerability is called DNS pinning (or DNS rebinding) and it allow to bypass all control mechanism on DNS level but library has proxy option and the purpose of proxy is to fix such DNS level problems and vulnerabilities. But if we want the library to prevent such DNS level attacks as well we can fix this by dns lookup before make request

hi @AbdurrahmanA, you are right I published a new version of the package, probably some cache was left on my machine when I published one of the newer versions. Thanks a lot!

Thanks a lot for the explanation, that was what I needed. This StackOverflow answer seems to suggest there is no way to resolve the DNS address from JavaScript, seems like the solution is to self-host a proxy?

Actually if we added that kind of option to library it would be great i would love have that option. We can easily do nslookup for server side, for client side we can use https://dns.google/resolve?name=localtest.me or that option wont be available for client side. By the way this library should not be in client side it wil get lots of CORS error 😁

If you mean hardcoding a DNS service, not a fan (and especially google's), but maybe an option to pass a DNS resolver if one chooses to do so.

The library will face CORS errors on websites, on React Native, Cordova, etc it works just fine

We can easily set DNS resolver for Node js side, but if we do this using native dns library, will it be a problem for client-side users? otherwise we should make an online dns resolver option right?

I'm still not sure if the DNS resolver should always be there, just from a latency point of view, it might affect people who have already deployed this. But just passing a function that resolves the host might be enough for us to check against common attacks?

    getLinkPreview('some text with a link', {
      // Must resolve the url host, internally checks for loopbacks and common SSRF attacks
      resolveDNSHost: (url: string) => Promise<string>
    })
    

On the other hand, I don't think this would be an issue on mobiles. Almost nobody has a server running on the phone for the loopback address to be considered dangerous. Maybe conditionally importing/requiring the DNS resolver on node is enough...

Sorry for late response, Yes we just need the DNS resolver on node can we do that and also, we need to warn people about common SSRF vulnerabilities and make sure people understand what this library does.

Most people won't care 🤷‍♂️ they barely read the CORS warning. But I'll try to find some time in the coming weeks to add the option, otherwise PRs are welcome

Great to hear that, i could also do it if i have time, i will inform you 👌

Tag

#google