Security Newsletter

The latest news from the sector sees two major flaws highlighted by cyber security professionals with major implications for enterprise-level IT patch management cycles, BioStar 2 users face uncertainty over flaw and more …

South Korean Biometrics Firm Under Fire For Cyber Security Flaw

Suprema, the manufacturers of Biostar 2, a biometric on-site physical security system, have responded to researchers who claimed to have accessed data from the company’s online systems.

Researchers found that large swathes of cyber security data were obtained online and the leak could have impacted physical on-site security systems. However, the Suprema argues that their own research found “significantly less” exposure online.

Researchers had noted that the company’s downloadable data was “significant” and posed a major threat to physical onsite Suprema customers data security.

According to Suprema:

“Last week, we were made aware that some BioStar 2 customer user data was accessed by third-party security researchers without authorisation for a limited period of time,” the company said in a statement.

There are no indications that the data was downloaded during the incident based on the investigation to date.

We have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident.”

How Microbusinesses Are Big Targets For Cyber Criminals

Microbusinesses, companies employing less than nine employees, make up a large part of the British economy. Cyber Criminals are starting to realise the potential for cyber criminality within this sector. The BBC reported on a story of a young entrepreneur whose business was nearly destroyed when their social media accounts got hacked.

According to the BBC:

Ms Kotomah, whose business Boresa Kotomah is based in London. Interested customers would send her a direct message on Instagram enquiring about prices, and commission her to make the dresses. Ms Kotomah would invoice her customers using PayPal and mobile app Invoice2go, and her reputation grew by word of mouth and through shares of her outfits on Instagram and Twitter.

But then it all stuttered to a halt.

“I woke up one morning and my account was deleted. I received an email from Instagram saying I had violated some terms and I had done certain things that I know I didn’t do,” she said. My business at that time was my livelihood. That was what I was doing full-time. I’m self-employed. So if I’m not making money from working, I’m not making money at all so I was just thinking like, ‘What am I going to do?'”

Ms Kotomah was lucky enough to regain access and rebuild her company – winning a top freelance award for her pains.

If you want more advice about cyber security and password management, the National Cyber Security Centre, part of GCHQ, can help. To access their support tools, click here.

How Internet-of-Things Technology Could Be Maliciously Turned Into Cyber Weapons

As more and more people invest in Internet-of-Things technologies, with the sales of Apple, Amazon and Google speakers growing fast; there is a growing concern from cyber security researchers that these devices can be hacked and turned into cyber weapons.

Cyber researcher at PwC, Matt Wixley, has publicly stated that a range of devices he has investigates could be turned into “offensive low-grade cyber weapons”. These include IoT speakers and even wireless headphones and laptops.

According to the research, these devices and the technological weaknesses therein could cause real human harm and cause major organisational disruption if used by cyber criminals.

According to the BBC:

“Mr Wixey, who is a head of research at PwC’s cyber-security practice, said he conducted the experiments as part of PhD work into the ways that malware can directly cause physical harm.

He sought to find out if the volume and speaker controls of the devices could be manipulated to make them produce harmful high and low frequency sounds.

Custom-made viruses, known vulnerabilities and other exploits were used to subvert the devices and make them emit the dangerous sounds for long periods of time.

“Some attacks leveraged known vulnerabilities in a particular device, which could be done locally or remotely in some cases,” he told the BBC. “Other attacks would either require proximity to the device, or physical access to it.”

Lenovo Solution Center Software In Trouble Again As Researchers Find Vulnerability Flaws

Cyber security research firm, Pen Test Partners, have announced key findings from their research into a “privilege escalation flaw” in Lenovo’s Solution Center Software platform.

The now de-commissioned LSC technology has once again fallen foul of researchers. Lenovo’s software is installed on nearly a million legacy computer systems worldwide. The flaw can be used to execute code on a targeted system which would give criminals access to system or admin level privileges

According to ThreatPost:

“Research come from Pen Test Partners, who found the flaw (CVE-2019-6177) and said the vulnerability is tied to its much-maligned Lenovo Solution Center (LSC) software.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control,” wrote researchers at Pen Test Partners in a technical description of the bug posted Thursday.

Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage.

Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a “hardlink” file to a controllable location. This “hardlink” file would be a low-privilege “pseudo file” that could be used to point to a second privileged file.

“When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn’t normally be allowed to,” researchers wrote. “This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges.”

Legacy Bug in Windows Protocols Could Lead to Privilege-Escalation Attacks In The Future

An old vulnerability, which is nearly 20 years in the making, has been identified in nearly all editions of Microsoft Windows. This flaw could allow a non-privileged user to run some nefarious code that could give them system or user privileges on any Windows machine with this flaw.

Google’s Project Zero identified the flaw. Microsoft have been tracking this flaw and have been releasing patches but GPZ are still worried about the potential threat.

According to ThreatPost:

“First reported by Tavis Ormandy at Google Project Zero, the bug (CVE-2019-1162) is tracked by Microsoft as an APLC flaw with a severity level of “important.” Ormandy responsibly reported his findings to Microsoft in mid-May, and he released the details to the public this week, prior to the software giant’s Patch Tuesday update, after Microsoft failed to address the issue within 90 days of being notified.

The bug does have a patch now, as of late afternoon Tuesday.

CTF is problematic because it communicates with other Windows services without proper authentication.

“The issue is with an obscure piece of functionality called CTF which is part of the Windows Text Services Framework,” explained Richard Gold, head of security engineering at Digital Shadows, speaking to Threatpost. “Programs running on a Windows machine connect to this CTF service, which manages things like input methods, keyboard layouts, text processing, etc.”Until next time …