The Hacker News — Cyber Security, Hacking, Technology News

A security researcher has discovered a critical vulnerability in some of the world's most popular and widely used email encryption clients that use OpenPGP standard and rely on GnuPG for encrypting and digitally signing messages.

The disclosure comes almost a month after researchers revealed a series of flaws, dubbed eFail, in PGP and S/Mime encryption tools that could allow attackers to reveal encrypted emails in plaintext, affecting a variety of email programs, including Thunderbird, Apple Mail, and Outlook.

Software developer Marcus Brinkmann discovered that an input sanitization vulnerability, which he dubbed SigSpoof, makes it possible for attackers to fake digital signatures with someone's public key or key ID, without requiring any of the private or public keys involved.

The vulnerability, tracked as CVE-2018-12020, affects popular email applications including GnuPG, Enigmail, GPGTools and python-gnupg, and have now been patched in their latest available software updates.

As explained by the researcher, the OpenPGP protocol allows to include the "filename" parameter of the original input file into the signed or encrypted messages, combining it with the GnuPG status messages (including signature information) in a single data pipe (literal data packets) by adding a predefined keyword to separate them.

"These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters," GnuPG maintainer Werner Koch said in an advisory published today.

During the decryption of the message at recipient's end, the client application splits up the information using that keyword and displays the message with a valid signature, if the user has the verbose option enabled in their gpg.conf file.
However, the researcher finds that the included file name, which can be up to 255 characters, does not properly get sanitized by the affected tools, potentially allowing an attacker to "include line feeds or other control characters in it."

Brinkmann demonstrates how this loophole can be used to inject arbitrary (fake) GnuPG status messages into the application parser in an attempt to spoof signature verification and message decryption results.

"The attack is very powerful, and the message does not even need to be encrypted at all. A single literal data (aka 'plaintext') packet is a perfectly valid OpenPGP message, and already contains the 'name of the encrypted file' used in the attack, even though there is no encryption," Brinkmann says.

The researcher also believes that the flaw has the potential to affect "a large part of our core infrastructure" that went well beyond encrypted email, since "GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git."

Brinkmann also shared three proofs-of-concept showing how signatures can be spoofed in Enigmail and GPGTools, how the signature and encryption can be spoofed in Enigmail, as well as how a signature can be spoofed on the command line.

Since maintainers of three popular email clients have patched the issue, users are advised to upgrade their software to the latest versions.

• Upgrade to GnuPG 2.2.8 or GnuPG 1.4.23
• Upgrade to Enigmail 2.0.7
• Upgrade to GPGTools 2018.3

If you are a developer, you are recommended to add --no-verbose" to all invocations of GPG and upgrade to python-gnupg 0.4.3.

Applications using GPGME as the crypto engine are safe. Also, GnuPG with --status-fd compilation flag set and --verbose flag not set are safe.

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks.

The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse.

LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year.

The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain "access to a wide range of government resources at one fell swoop."

According to the researchers, the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks.
Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proofs of this technique being used in this particular attack against the data center.

The initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center.

The attack against the data center eventually infected the targeted system with a piece of malware called HyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote administration.

"There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites," the researchers said in a blog post published today.

"These events suggest that the data center infected with HyperBro and the waterholing campaign are connected."

As a result of the waterholing attack, the compromised government websites redirected the country's visitors to either penetration testing suite Browser Exploitation Framework (BeEF) that focuses on the web browser, or the ScanBox reconnaissance framework, which perform the same tasks as a keylogger.

The main command and control (C&C) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016.

Researchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro malware's HTTP requests without detection.

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor's speculative execution technology—like Specter and Meltdown—and could potentially be exploited to access sensitive information, including encryption related data.

Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected.

The company has not yet released technical details about the vulnerability, but since the vulnerability resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating systems, except some modern versions of Windows and Linux distributions.

As the name suggests, the flaw leverages a system performance optimization feature, called Lazy FP state restore, embedded in modern processors, which is responsible for saving or restoring the FPU state of each running application 'lazily' when switching from one application to another, instead of doing it 'eagerly.'

"System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch," Intel says while describing the flaw. 

"Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value."

According to the Red Hat advisory, the numbers held in FPU registers could potentially be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.

All microprocessors starting with Sandy Bridge are affected by this designing blunder, which means lots of people again should gear them up to fix this vulnerability as soon as the patches are rolled out.

However, it should be noted that, unlike Spectre and Meltdown, the latest vulnerability does not reside in the hardware. So, the flaw can be fixed by pushing patches for various operating systems without requiring new CPU microcodes from Intel.

According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.

Red Hat is already working with its industry partners on a patch, which will be rolled out via its standard software release mechanism.

AMD processors are not affected by this issue.

Also, modern versions of Linux—from kernel version 4.9, released in 2016, and later are not affected by this flaw. Only if you are using an older Kernel, you are vulnerable to this vulnerability.

Moreover, modern versions of Windows, including Server 2016, and latest spins of OpenBSD and DragonflyBSD are not affected by this flaw.

Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability and explaining that the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.

Microsoft says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, kernel, and processes are affected by this vulnerability. However, customers running virtual machines in Azure are not at risk.

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password.

With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges.

In worst case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system.
The elevation of privilege vulnerability, tracked as CVE-2018-8140 and reported by McAfee security researchers, resides due to Cortana's failure to adequately check command inputs, which eventually leads to code execution with elevated permissions.

"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status," Microsoft explains. "An attacker who successfully exploited the vulnerability could execute commands with elevated permissions."

Microsoft has classified the flaw as "important" because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.

Cedric Cochin of McAfee's Advanced Threat Research (ATR) team has published technical details of the flaw, and also provided a step-by-step proof-of-concept video tutorial, showing how he hijacked a locked Windows 10 computer by carrying out a full password reset using Cortana.

"Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana, but simply clicked on the "tap and say" button and started typing in words," a blog post on McAfee explained.

Cochin represents three different attack vectors, demonstrating how the Cortana flaw could be used for various nefarious purposes, such as retrieving confidential information, logging into a locked device and even run malicious code from the locked screen.
McAfee recommends users to turn off Cortana on the lock screen in order to prevent such attacks. Although Microsoft has patched the vulnerability with its latest security updates released yesterday, many PCs will not be running the latest updates just yet.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

PRIVACY – a bit of an Internet buzzword nowadays, because the business model of the Internet has now shifted towards data collection.

Today, most users surf the web unaware of the fact that websites and online services collect their personal information, including search histories, location, and buying habits and make millions by sharing your data with advertisers and marketers.

If this is not enough, then there are governments across the world conducting mass surveillance, and hackers and cyber criminals who can easily steal sensitive data from the ill-equipped networks, websites, and PCs.

So, what's the solution and how can you protect your privacy, defend against government surveillance and prevent malware attacks?

No matter which Internet connection you are using to go online, one of the most efficient solutions to maximize your privacy is to use a secure VPN service.

In this article, we have introduced two popular VPN services, TigerVPN and VPNSecure, which help you in many ways. But before talking about them, let's dig deeper into what is a VPN, importance of VPN and why you should use one.

What is a VPN & Why You Should Use It?

A VPN, or Virtual Private Network, is nothing but an encrypted tunnel between you and the Internet.

Once you connect directly to your VPN service, every Internet browsing activity of yours will go through the VPNs servers and blocks third parties, including government and your ISP, from snooping on your connection.

• Secure and Encrypted Web Browsing: VPNs enhance online security by keeping your data secured and encrypted.
• Online Anonymity: VPNs help you browse the Internet in complete anonymity so that no one can track the origin of your Internet connection back to you.
• Prevent Data & Identity Theft: VPNs encrypt all data transferred between your computer and the Internet, allowing you to keep your sensitive information safe from prying eyes and significantly reducing the risk of security breaches and cyber attacks.
• Unblock Websites & Bypass Internet Restrictions: VPN essentially hides your IP address, so your visits to any restricted sites do not register with the third-party, including your government or ISP, trying to block you, ensuring you enjoy the online freedom of speech.
• Hide Your Browsing History From ISP: VPNs stop your ISP from logging your web visit, as the spying ISP will not be able to see what you are visiting on the Internet.
• Multiple Device Supported: Many VPN services usually support multiple devices and work on all operating systems, such as Windows, Mac, Linux, Android, and iOS. With multiple device support, you can set up your PC, work computer and smartphone to access one VPN at the same time.

Get Best VPN Service — Lifetime Subscription

Dozens of companies today sell VPN services, and you can find plenty of reviews that can help you choose one.

But make sure to look for a VPN service that includes a large number of servers distributed worldwide, type of encryption, their privacy policies, speed and price.

If you are looking for an excellent and secure VPN service to start with, below we have introduced two best deals from THN Store, offering popular VPNs at highly discounted prices with lifetime access.

VPNSecure: Lifetime Subscription

If you're searching for an affordable and cross-platform VPN service without any bandwidth limits, VPNSecure is the one you can trust on.

This premium VPN service is compatible with all operating systems, easy to use and setup offers lightning-fast connection and provides ultimate safeguards against hackers and cyber-thieves.

With strict no-log record policy, VPNSecure has many servers located in more than 46 countries and counting.

The VPNSecure Lifetime Subscription is available for just $34.99 at THN Deals Store—isn't this excellent deal, a one-time flat fee for a lifetime VPN subscription.

TigerVPN: Lifetime Subscription

TigerVPN comes with a right mix of security, usability, and features, and supports Windows, Mac, Android, and iOS. It provides military grade encryption to make sure your entire communication on the Internet is end-to-end secure and protected.

The service doesn’t allow anyone, including your ISP or the government, to monitor, target or even sell your internet activity. With TigerVPN, you can enjoy the benefits of unlocking geo-restrictions from content providers like Netflix, Youtube, and many others with unlimited access to 15 VPN nodes across 11 countries.

The TigerVPN Lifetime Subscription is also available for just $25.99 at THN Deals Store—that's 95% off on its real value.

So, what you are waiting for? Grab your VPN Now!

You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store.

It's a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer "inline installation" of Chrome extensions on all platforms.

Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions.

"We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites," says ​James Wagner, Google's extensions platform product manager.

Google's browser extensions crackdown will take place in three phases:

Starting today, the inline installation will no longer work for newly published extensions.

Starting September 12th, the company will disable the inline installation feature for all existing extensions and automatically redirect users to the Chrome Web Store to complete the installation.

By December 2018, Google will also completely remove the inline install API method from Chrome 71. Developers using one-click install buttons on their websites are advised to update their links to point to the Web Store.

Since users' comments, reviews, and ratings for a specific extension on the official app store play an essential role in giving other users an actual overview about its functionalities and issues, forcing users to land on the app store would definitely improve the Chrome experience for all.

"The information displayed alongside extensions in the Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension," Wagner explains.

"When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation."

It should be noted that you will still be able to run the extensions you use today, whether downloaded from third-party or the official web store.