Mozilla Adds Opportunistic Encryption for HTTP in Firefox 37

Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don’t support HTTPS.

The new feature gives users a new defense against some forms of monitoring and doesn’t require any setup from users. When Web servers are configured correctly to provide a specific response header, Firefox will begin sending requests to the indicated encrypted port rather than in cleartext to port 80. Opportunistic encryption isn’t a replacement for SSL, as it’s not authenticated, but it can provide an alternative for organizations that can’t migrate fully to HTTPS for one reason or another.

“OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial,” Patrick McManus of Mozilla wrote in a post explaining the new feature.

“When the browser consumes that response header it will start to verify the fact that there is a HTTP/2 service on port 443. When a session with that port is established it will start routing the requests it would normally send in cleartext to port 80 onto port 443 with encryption instead. There will be no delay in responsiveness because the new connection is fully established in the background before being used. If the alternative service (port 443) becomes unavailable or cannot be verified Firefox will automatically return to using cleartext on port 80.”
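The header-driven switch McManus describes, modelled as an added illustration (my code, not Mozilla’s). It assumes the “specific response header” is Alt-Svc in its RFC 7838 form (for example `h2=":443"; ma=86400`), and stands in for the browser’s background verification of an HTTP/2 service on the advertised port with a caller-supplied probe callable; the sample header value is constructed.

```python
"""Model of the opportunistic-encryption (OE) routing decision described above.

Added illustration, not Mozilla code. Assumes the response header is Alt-Svc
in its RFC 7838 form (e.g. 'h2=":443"; ma=86400') and models the browser's
background verification of an HTTP/2 service with a probe callable.
"""
import re
import time
from dataclasses import dataclass

# Constructed sample: what an origin answering in cleartext on port 80 might send.
SAMPLE_ALT_SVC = 'h2=":443"; ma=86400'


@dataclass
class AltService:
    protocol: str  # ALPN identifier, e.g. "h2"
    host: str      # "" means the alternative lives on the origin's own host
    port: int
    max_age: int   # seconds the advertisement may be cached


# alt-value = protocol-id "=" DQUOTE [host] ":" port DQUOTE *( ";" parameter )
_ALT_RE = re.compile(r'\s*([A-Za-z0-9._%-]+)="([^":]*):(\d+)"((?:\s*;\s*[^,;]+)*)')


def parse_alt_svc(value: str) -> list:
    """Parse an Alt-Svc header value into AltService entries.

    'clear' (the origin withdraws all alternatives) and unparsable
    entries yield no services.
    """
    if value.strip().lower() == "clear":
        return []
    services = []
    for m in _ALT_RE.finditer(value):
        proto, host, port, params = m.groups()
        max_age = 86400  # RFC 7838 default when 'ma' is absent
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.lower() == "ma" and val.isdigit():
                max_age = int(val)
        services.append(AltService(proto, host, int(port), max_age))
    return services


class OpportunisticRouter:
    """Sends origin requests over a verified alternative, else cleartext port 80."""

    def __init__(self, probe, now=time.time):
        self.probe = probe       # probe(host, port, protocol) -> bool (assumed stand-in)
        self.now = now
        self.alternatives = {}   # origin host -> (AltService, expiry time)

    def observe_header(self, origin_host: str, alt_svc_value: str) -> bool:
        """Record the first h2 alternative that verifies; return whether one did."""
        for svc in parse_alt_svc(alt_svc_value):
            if svc.protocol != "h2":
                continue  # OE as described is tied to an HTTP/2-over-TLS service
            host = svc.host or origin_host
            if self.probe(host, svc.port, svc.protocol):
                self.alternatives[origin_host] = (svc, self.now() + svc.max_age)
                return True
        return False

    def route(self, origin_host: str):
        """Return (host, port, mode) for the next request to origin_host."""
        entry = self.alternatives.get(origin_host)
        if entry is None:
            return (origin_host, 80, "cleartext")
        svc, expiry = entry
        host = svc.host or origin_host
        # Re-probing per request is a simplification: the browser keeps the
        # verified connection open in the background and notices if it drops.
        if self.now() > expiry or not self.probe(host, svc.port, svc.protocol):
            del self.alternatives[origin_host]
            return (origin_host, 80, "cleartext")
        # Encrypted but unauthenticated: no certificate validation happened,
        # so this is not HTTPS and must not be presented to the user as such.
        return (host, svc.port, "tls-unauthenticated")


if __name__ == "__main__":
    router = OpportunisticRouter(probe=lambda h, p, proto: p == 443)
    router.observe_header("example.com", SAMPLE_ALT_SVC)
    print(router.route("example.com"))
```

The mode string returned by `route` is the point worth keeping in view: the alternative connection protects against passive eavesdropping only, and the fallback branch is exactly why an active attacker who can break the port-443 probe gets cleartext back.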

Mozilla announced last month that Firefox 37 would include the OneCRL feature, a consolidated certificate-revocation list that is designed to simplify the process of revoking bad or otherwise problematic certificates. Mis-issued, expired and malicious certificates have become a serious problem for both users and browser vendors, especially in the last few years as attackers have been targeting certificate authorities and stealing legitimate certificates from organizations. Having the ability to revoke bad certificates quickly is essential for protecting users, and Mozilla officials say the OneCRL feature will improve that process for Firefox users.

“Firefox already has a mechanism for periodically checking for things that may harm users called blocklisting. OneCRL extends the blocklist to include certificates which should be revoked in addition to the errant add-ons, plugins and buggy graphics drivers currently included. This lets users get the benefit of fresh revocation information without having to update or restart their browser,” Mark Goodwin of Mozilla said.

Along with OneCRL and opportunistic encryption, Firefox 37 also includes patches for a number of security vulnerabilities, four of which are critical. Two of the critical vulnerabilities are use-after-free bugs, one is the result of some memory corruption crashes and the last is a batch of memory safety issues. There also is a patch for a same-origin bypass in Firefox that’s related to an older, similar bug.

“Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass same-origin policy protections to run scripts in a privileged context. This newer variant found that the same flaw could be used during anchor navigation of a page, allowing bypassing of same-origin policy protections,” the Mozilla advisory says.

Article source: https://threatpost.com/mozilla-adds-opportunistic-encryption-for-http-in-firefox-37/111935

Multicast DNS Vulnerability Could Lead to DDOS Amplification Attacks

The Department of Homeland Security-sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information and be leveraged in high-volume DDoS amplification attacks.

“I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.”

The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while it is not yet known whether Apple, a number of Linux distributions, and Dell devices are affected. Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said.

The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack. According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762.

“It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said.

The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more.

“These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said.

The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN or disabling mDNS services. As with other noteworthy amplification attacks, large amounts of bad traffic are pointed at a specific online service, in most cases overrunning it in short order.

“As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection. As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection. Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.”
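The two traffic patterns Seaman describes, a local device being used as a reflector and a network on the receiving end of the reflected replies, as an added detection example (my code, not the CERT advisory’s and not Seaman’s published signatures). It runs over constructed UDP flow records; the “local” address ranges are assumed to be the RFC 1918, link-local and multicast blocks, the threshold of three distinct reply sources is an arbitrary constructed value, and `wan_should_drop` models the WAN-edge mitigation quoted above.

```python
"""Detection of the two mDNS reflection patterns described above, plus the
WAN filter the advisory recommends. Added example over constructed flow
records; not from the CERT advisory or from Seaman's signatures."""
import ipaddress
from collections import Counter

MDNS_PORT = 5353

# Assumption: the site uses RFC 1918 addressing; link-local and multicast
# ranges are where mDNS legitimately operates.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4")]

# Constructed flow records: "<src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
# The 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are documentation ranges.
SAMPLE_FLOWS = """\
203.0.113.5:5353 -> 192.168.1.20:40001 UDP
198.51.100.7:5353 -> 192.168.1.20:40001 UDP
192.0.2.9:5353 -> 192.168.1.20:40001 UDP
192.0.2.44:5353 -> 192.168.1.20:40001 UDP
192.168.1.30:5353 -> 224.0.0.251:5353 UDP
203.0.113.77:5353 -> 192.168.1.40:5353 UDP
203.0.113.77:5353 -> 192.168.1.41:5353 UDP
10.0.0.5:12345 -> 192.168.1.40:443 TCP
"""


def is_local(ip: str) -> bool:
    """True if the address belongs to one of the assumed local-link ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_flow(line: str):
    """Turn one flow record into (src_ip, src_port, dst_ip, dst_port, proto)."""
    src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), proto.upper()


def analyze(flows_text: str, reply_threshold: int = 3) -> dict:
    """Classify non-local UDP/5353 traffic.

    - a query to port 5353 arriving from outside means a local device is
      answering the WAN and is being (ab)used as a reflector;
    - replies sourced from port 5353 arriving from many distinct outside
      devices mean this network is the victim of a reflection attack.
    """
    reflector_targets = Counter()  # local host <- queries from outside
    reply_sources = set()          # outside devices sending from 5353 to us
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        sip, sport, dip, dport, proto = parse_flow(line)
        if proto != "UDP" or is_local(sip):
            continue  # mDNS is legitimate only on the local link
        if dport == MDNS_PORT:
            reflector_targets[dip] += 1
        elif sport == MDNS_PORT:
            reply_sources.add(sip)
    return {
        "reflector_abuse": dict(reflector_targets),
        "reply_sources": sorted(reply_sources),
        "under_reflection_attack": len(reply_sources) >= reply_threshold,
    }


def wan_should_drop(flow) -> bool:
    """WAN-edge rule modelled on the quoted mitigation: drop UDP traffic to
    port 5353 (protects internal devices) and UDP traffic sourced from port
    5353 (blunts an attack in progress), for any non-local source."""
    sip, sport, dip, dport, proto = flow
    return proto == "UDP" and not is_local(sip) and MDNS_PORT in (sport, dport)


if __name__ == "__main__":
    findings = analyze(SAMPLE_FLOWS)
    print(findings)
    for line in SAMPLE_FLOWS.splitlines():
        print("DROP  " if wan_should_drop(parse_flow(line)) else "ACCEPT", line)
```

The `elif` ordering matters: a spoofed query also carries source port 5353, so it must be counted as reflector abuse (by destination port) before the source-port check, otherwise every abused device would also inflate the victim indicator.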

Article source: https://threatpost.com/multicast-dns-vulnerability-could-lead-to-ddos-amplification-attacks/111936

You Are What You Keep: Data Breach

Article source: http://www.natlawreview.com/article/you-are-what-you-keep-data-breach

More people join class action lawsuits against Premera

The fallout from Premera’s massive data breach continues as more people join the class action lawsuit against the largest insurer in our state.

A Tacoma woman believes she’s already dealing with the impact of that data breach. Maria Sullivan is one of hundreds of people who have signed on with a law firm handling a class action lawsuit against Premera.

“That’s very angering,” said Sullivan. “Working like I do in the healthcare field I have to be so careful with what I even leave on my desk. That every paper is turned over. So they should be that careful.”

Sullivan works as an account representative for a local hospital. So she is well aware of the kind of private information that may have been exposed in Premera’s data breach.

Sullivan signed up with Pfau, Cochran, Vertetis, Amala to join the class action lawsuit against Premera Tuesday. She believes thieves obtained her private information through the insurer’s cyber attack. Someone already filed a false tax return in her name.

“Stressed! Stressed! And on top of my tax returns now I’m starting to receive stuff from China,” said Sullivan.

She showed us one of several small packages that started arriving in the mail, items she never ordered from companies she’s never heard of.

According to her attorney Darrell Cochran, the information hackers got their hands on has the potential to do a lifetime of damage.

“Premera was warned it didn’t have security safeguards in place, and that there were steps they could have taken to prevent this level of a cyber attack,” said Cochran.

Three weeks before the data breach in May of 2014, auditors from the federal Office of Personnel Management informed the insurer that network security patches were not being implemented in a timely manner, and that when it came to access control, Premera’s data center did not contain controls they typically observe at similar facilities.

According to the insurer, the breach went undetected until this past January, and Premera didn’t tell its customers until mid-March when the problem was fixed.

A spokesperson for Premera said he couldn’t comment on pending litigation, but said their security consultant “…found no evidence that the cyber attack was related to issues in the federal audit.”

Cyber-security expert Brian Seely says Premera’s offer of 2 years of free credit monitoring is twice as long as in most data breach cases. But with birth dates and social security numbers stolen, it’s likely not long enough.

“Your information isn’t just magically not going to be stolen,” said Seely. “It’s always going to be stolen and out there and someone has it, who is going to be even more irresponsible than Premera.”

At the time this article was written, about 166,000 customers had signed up for the free credit monitoring.

Article source: http://www.king5.com/story/news/local/2015/03/31/premera-cyber-security-data-breach-class-action-lawsuit/70748850/

Scott Morrison says G20 world leaders’ data breach ‘highly regrettable’

Former immigration minister Scott Morrison says a damaging privacy breach surrounding the G20 world leaders’ personal information was “highly regrettable”.

Morrison was Australia’s immigration minister at the time the world leaders’ passport and visa details were accidentally disclosed when an employee inadvertently sent an email containing the information to a member of the Asian Cup local organising committee.

In emails obtained by Guardian Australia, the immigration department recommended the world leaders not be informed of the breach.

On Wednesday Morrison – who is now the minister for social services – was pressed on the G20 breach, and said: “It was an individual act of human error and it is highly regrettable as I know that the secretary at the time was keen to point out to me when I was the minister in that area.”

Morrison also suggested some action may have been taken at the time to inform the world leaders of the breach, saying that “appropriate steps were taken to deal with all the relevant, other national governments at the time”.

The comment appears to be at odds with comments from world leaders affected by the breach. German chancellor Angela Merkel’s office said she only learned about what happened from the press, while the White House said they were also examining the reports.

When asked to clarify his comment Morrison said it was “a sensitive issue and it’s not one that I think is assisted by public discussion”.

“The action was taken by departmental officials at the time and it was a regrettable action involving an individual act of human error and human beings are not infallible and the appropriate action was taken both within the department and whatever other advices were necessary,” he said.

The New Zealand prime minister John Key told the New Zealand Herald on Tuesday he was not “overly concerned” with the breach.

“I really don’t have any details on that but I wouldn’t be overly concerned. I’ve changed my mobile phone [number] about three or four times since in the time I’ve been prime minister because unfortunately it gets shared quite regularly on the internet,” he said.

The shadow attorney general, Mark Dreyfus, has asked the commonwealth ombudsman to launch an investigation into the immigration department after a series of data breaches raised concerns about its handling of sensitive data.

Article source: http://www.theguardian.com/world/2015/apr/01/scott-morrison-says-g20-world-leaders-data-breach-highly-regrettable

Why Data Breaches Don’t Hurt Stock Prices

Recent high-profile data breaches like those at Target and Home Depot have exposed the private sensitive information of millions of employees and consumers. While consumers are rightfully worried that their personal information may be compromised, shareholders and companies’ management have a wider set of concerns, including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment. Companies are spending millions in litigation costs, efforts to restore brand loyalty, and refunds.

However, even the most significant recent breaches had very little impact on the company’s stock price. Industry analysts have inferred that shareholders are numb to news of data breaches. A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have. It is true that breaches are expected and have become a regular cost of doing business, but there are deeper reasons for the market’s failure to respond to these incidents.

Today, shareholders have neither enough information about security incidents nor sufficient tools to measure their impact. As every company is becoming a digital company, every leader (who is also becoming a digital leader) is realizing that breaches may negatively affect profitability and the company’s long-term ability to do business. The long and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.

Delays in disclosing information security incidents often contribute to shareholders’ hesitation and uncertainty with regard to how to factor in the effects of the breaches. For instance, current SEC regulation leaves leeway for public companies as to when to disclose cyber incidents: “To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary”.

Overall, stock prices during and following the high-profile security data breaches of the past several years have decreased slightly or quickly recovered following the breach. Let’s look in some more detail at a few cases.

Home Depot’s hack compromised 65 million customer credit and debit card accounts. Breach-related costs are estimated to be around $62 million. The company’s stock price decreased slightly one week after the announcement. In the third quarter of 2014, Home Depot showed a 21% increase in earnings per share.

During the 2013 holiday season shopping period, Target was the object of what was then the biggest cyber attack on a retailer. Credit and debit card data of 40 million customers and personal information of about 70 million were said to be affected by the breach. The stock experienced a 10% drop in price in the aftermath of the security breach, but by the end of February, Target had experienced the highest percentage stock price regain in five years.

Three years after the 2011 hack that compromised payment data of millions of Sony gaming users, Sony had to deal with a massive data breach targeting its pictures business. The personal data of producers, actors, and current and former employees dating back to 2000 was compromised. Attackers collected over a terabyte of data and records of 47,000 employees. The stock price kept growing following the announcement, then decreased slightly three weeks after the breach. By now, it has long surpassed its one-year maximum.

Sears announced in October 2014 that one of its companies, Kmart, was the target of a data security breach and that credit/debit cards and personal information were compromised by hackers. The company did not reveal how many cards were affected. In the midst of the announcement, stock prices increased. The Sears stock price steadily rose during the month after the announcement. The company later announced a loss in sales, but this has been tied more to a pattern of low profits in the last few years since the company’s merger with Kmart than to the October data breach.

In the beginning of October, 2014, the largest U.S. bank in assets, JP Morgan Chase, announced that in August, hackers had accessed its security system and that approximately seven million small businesses and 76 million households had been affected by a data breach. The company unveiled that data that was compromised included contact information such as names, addresses, telephone numbers, and email addresses, but account numbers, passwords, dates of birth, and social security numbers were protected. While no unlawful transactions were made in the aftermath of the data breach, JP Morgan Chase warned its customers of potential phishing attacks. Stock prices for JP Morgan Chase were stable following the announcement and then rose by the beginning of November.

While companies’ stock prices were largely not affected, security breaches had other consequences. Target, for example, pledged to spend $100 million upgrading its security. The company lost a total of about $236 million in breach-related costs, $90 million of which were offset by insurance. A judge recently ruled that Target will have to defend itself against accusations of negligence by banks, credit unions and consumers when it came to preventing the 2013 security breach. The stock price declined 0.3% after the judge stated Target would have to face civil suits. Several banks are suing the company claiming that its negligence cost them tens of millions. At Sony the aftermath of the revelation of sensitive employee information included a management shake-up and box office losses. And while customers and shareholders might forgive the first wave of data breaches and might be too apathetic to change brands or loyalty to their stores, they might be less tolerant of future attacks.

This mismatch between the stock price and the medium and long-term impact on companies’ profitability should be addressed through better data. Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible for shareholders to assess its full implications. Shareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach, and potential changes in management.

Now that major security breaches have become an inevitability in doing business, companies should put strong data security systems in place, just as they protect against other types of business and operational risks. However, companies whose assets are primarily non-digital have less incentive to invest in prevention if they know their stock price will survive — and that takes a toll on the overall economy and consumer privacy.

Article source: https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices

FBI, IRS and Bradley University investigating data breach leaving thousands vulnerable

By
WEEK Reporter

March 31, 2015

Updated Mar 31, 2015 at 6:58 PM CDT

PEORIA, Ill. — A cyber data breach at Bradley University means thousands of people are vulnerable to identity theft. An investigation by the FBI and IRS is on-going at Bradley University. The data of thousands of employees and their families are at risk.

Bradley University officials say investigators found malware on two university computers. Those computers had access to personal information for about 4700 current and former employees and potentially their families.

“That information may have been accessible to unauthorized users. Those computers have been taken offline. They have been removed from the system and are being analyzed by computer experts,” said Bradley University spokesperson Renee Charles.

The kinds of information that may have been leaked include social security numbers, birthdays and more. Experts say this kind of theft is happening all the time and it is important to stay vigilant and aware of how to surf the internet safely.

“It happens every second of every day,” said cyber security expert at Cian Inc. Eric English. “Hackers are getting more advanced…anything from email addressing to a name–a social security number — they don’t need very much.”

He says your computer can get malware from opening an email attachment, downloading infected software and even clicking on misleading pop-ups. To protect yourself from cyber theft, English suggests staying away from unknown websites, avoiding downloads of attachments from email addresses you’re not familiar with, and, if you don’t know, asking your employer or IT department whether the site or link is safe. As for organizations, English suggests training for all employees on how to browse the web safely.

“Education is the biggest thing,” said English. “Little things like changing your passwords and keeping your programs up to date can prevent some really bad things from happening.”

As for the breach, Bradley University is taking action. The university has set up a call center for those who have questions.

“We do take this very seriously. We have also set up a free identity and credit monitoring alert system for one year. Bradley has set that up for employees and former employees to help them protect themselves, because this is a very serious issue,” said Charles.

Website: www.bradley.com/databreach

All it takes is a click and your information could end up in the wrong hands.

Article source: http://www.cinewsnow.com/news/local/FBI-IRS-and-Bradley-University-investigating-data-breach-leaving-thousands-vulnerable-298230711.html

Target data-breach settlement: A lot and a little, all at once

Photo: Rick Bowmer • Associated Press

Despite the several dozen class-action-styled lawsuits filed against retailer Target following the discovery in late 2013 that hackers had stolen millions of customers’ credit- and debit-card numbers and contact information, it was a certainty that one line was never going to be spoken in any courtroom: “Ladies and gentlemen of the jury … .” That the Target class actions would be resolved by settlement was as predictable as the outcome of an NCAA basketball tournament game between a No. 1 and a No. 16 seed.

So it could not have come as a surprise to anyone when, on March 19, just a little more than a year after the first data-breach lawsuits were filed, the announcement came from a Minnesota federal court: Target would be filling up a shopping cart with cash to put the matter behind it. The settlement, albeit subject to final approval in November, looks like this: Target will put $10 million into a fund to be used to pay its affected customers — or “guests,” as it prefers to call them. The court will be asked to approve $6.75 million in attorney’s fees on top of that. Target will also be saddled with several million dollars in administrative costs. In an Associated Press story, Vincent Esades, the lead counsel for the plaintiffs, said Target’s total settlement costs could reach $25 million.

The settlement calls for two types of recoveries. Those able to prove that they actually suffered financial losses, on account of their personal or financial information being compromised, can recover up to $10,000. Such losses could be for, among other things, unauthorized credit- or debit-card charges that were unreimbursed (for example, if a bank somehow did not remove an unauthorized charge); the time spent addressing such charges (up to two hours at $10 per hour); hiring someone to help correct credit reports; higher interest rates; purchasing credit monitoring services, and so on. Surely, there are people out there in this category — but not many (especially if the claims are carefully scrutinized).

However, the vast majority of those eligible to make a claim will not have documentation that they suffered any of these types of losses. Because they didn’t. The good news is that, despite how serious the data-breach issue is portrayed, most people suffer no quantifiable losses on account of one. With no evidence of losses, those in this group will be able to sign a form stating that they used a credit or debit card at Target during the three-week data-breach period, then will be entitled to a recovery. Presto!

Payments from the $10 million fund will first be made to those who can prove that they actually suffered financial losses. Then, all of those people in the just-sign-your-name category will share equally what’s left. The more people who make claims, the less each claimant will receive. So don’t tell your friends.

One hundred million people could be eligible for the settlement. If 100 million people make claims, then each one will receive 10 cents. Bazooka Joe will be happy about that. In reality, based on statistics in other cases, just a few percent of the class members will make claims. Although, perhaps in this case, more will do so than usual, given how high profile it has been. In any event, each claimant with a nondocumented loss probably will receive about enough for somewhere between a latte and a pepperoni pizza. That’s more than they deserve, but there is only so much that can be done to prevent such an unjustified payment in a settlement like this.

The real problem with the Target settlement is not that it achieved no benefit. It did. People who can prove that they actually suffered financial losses, on account of their personal or financial information being compromised, have been provided with a simple means to recover up to $10,000. That seems fair. It’s hard to begrudge them. But achieving this worthwhile objective — for so few — will come at an enormous price: two years of litigation and the payment of nearly $7 million in legal fees, not to mention millions spent by Target on lawyers, millions of dollars in administrative costs and a boatload of money doled out to people who unquestionably suffered no losses whatsoever. Surely there was an easier and less expensive way to arrive at this outcome. This data suffers from a breach — one of common sense.

Randy Maniloff is an insurance lawyer at White and Williams LLP in Philadelphia. He runs the website www.CoverageOpinions.info.

Article source: http://www.startribune.com/opinion/commentaries/298224511.html

MongoDB Patches Remote Denial-of-Service Vulnerability

MongoDB, a popular NoSQL database used in big data and heavy analytics environments, has patched a serious denial-of-service vulnerability that is remotely exploitable.

Companies using the default installation of MongoDB, which does not require authentication to access the database, are urged to update immediately to a patched version and set up authentication. Hackers using a Shodan query or scanning the Internet for vulnerable installations can easily find MongoDB servers online. According to the MongoDB website, large organizations such as MetLife, Bosch, Expedia, and The Weather Channel have the database in production for a variety of uses.

Researchers at Fortinet’s FortiGuard Labs discovered the vulnerability in separate areas of MongoDB on Feb. 20 and 23 respectively and disclosed it privately to MongoDB immediately; MongoDB made updates available on March 17.

“A potential attacker doesn’t have to be authenticated or have rights to the database to exploit the vulnerability,” said Aamir Lakhani, security strategist, FortiGuard Labs. “All they have to do is send a crafted packet, a particular regex query, to crash the database.”

According to an advisory on the Fortinet website, the vulnerability is in an old PCRE library (8.30) of regular expressions used in MongoDB querying. MongoDB patched the library in versions 3.0.1 and 2.6.9, the last two major releases in production. Up-to-date versions of MongoDB ship with a patched version of PCRE (8.36 and beyond).

“I would say a skilled attacker who understands regex wouldn’t have too much of a difficult time with this attack, especially after examining the code,” Lakhani said. “Some things would stand out with a skilled attacker. And at some point as usually happens with these things, someone will automate it or develop a Metasploit plugin that will make an exploit easy to execute.”

Enabling authentication would cut into that simplicity.

“You can set up Mongo to ensure authentication is required. It’s the recommended best practice,” Lakhani said. “If Mongo is set up in a way that does not allow for anonymous access, at that point, an anonymous user cannot run an attack. But if a user has legitimate credentials, they can execute the same attack.”

The Fortinet exploit is basically a regular expression that meets a number of conditions that cause the database to crash. Variants of the crafted regex also work, Fortinet said, but it did not disclose the details.

“There are several ways to carry out an attack against this vulnerability,” Lakhani said. “The most common is to connect to the MongoDB server through a website query or using a MongoDB client tool to connect to the server. The attacker puts in a regex string with an input field where MongoDB reads it and processes the input. As soon as it looks at the packet, the server is taken down.

“The risk is that the system is down until services are restarted, and sometimes that requires manual intervention from an administrator,” Lakhani said.

Article source: https://threatpost.com/mongodb-patches-remote-denial-of-service-vulnerability/111921

Google to Publish Research on Browser Ad Injectors

Article source: https://threatpost.com/google-to-publish-research-on-browser-ad-injectors/111926
