
The dispute between Apple and the FBI showed us how politics can affect technology. This week everyone is discussing the reverse example: the data leak from the Panamanian law firm Mossack Fonseca. Leaving the political side of this event aside, I cannot help but note an important point: this high-profile story most likely began with a cyber attack and data theft. The company itself says so, and there is indirect evidence that hacking its infrastructure was not that difficult. In particular, external access to client documents ran on a three-year-old version of Drupal with at least two critical vulnerabilities (although one was enough).
We will probably never know how it all actually happened. In the information security industry it is very difficult to learn from the mistakes of others: for obvious reasons, companies do not like to share negative experience. But some general conclusions can be drawn, namely:
- There is no unimportant corporate data. It is possible that Mossack Fonseca did not even suspect what kind of resonance the documents it stored could cause. This leads to underestimated risks and inadequate spending on protection.
- Data encryption is an effective measure. Another part of this story is evidence of that: dozens of journalists all over the world analyzed the documents for over a year, using cloud systems and various forms of encrypted data transfer (starting with VeraCrypt, a TrueCrypt fork, for encrypting hard drives). During this time not a single leak occurred, despite the huge number of project participants and the absence of serious obligations between them.
- The volume of the leak exceeds 2.5 terabytes. Companies need a system that helps them record such events. Whatever the reason a huge amount of data is leaving the company's servers, a security specialist should be aware of it.
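As an illustration of the last point, here is a small added example (not from the original column) that totals outbound traffic per host from flow records and raises an alert both on a one-day burst and on a slow drain that only shows up as a large rolling total. The host names, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

def daily_egress(flows):
    """Sum outbound bytes per host and day from (day, host, bytes_out) records."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, bytes_out in flows:
        totals[host][day] += bytes_out
    return totals

def egress_alerts(flows, history=5, spike_factor=10, window=7, window_limit=50 * GB):
    """Return sorted (host, day, reason) alerts.

    spike:  one day's egress exceeds spike_factor times the median of the
            previous `history` days.
    volume: the rolling `window`-day total first crosses window_limit; this
            catches a slow drain that never produces a daily spike.
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = range(min(per_day), max(per_day) + 1)
        series = [per_day.get(d, 0) for d in days]  # days without traffic count as 0
        over = False
        for i, day in enumerate(days):
            prior = series[max(0, i - history):i]
            if len(prior) == history and median(prior) > 0:
                if series[i] > spike_factor * median(prior):
                    alerts.append((host, day, "spike"))
            rolling = sum(series[max(0, i - window + 1):i + 1])
            if rolling > window_limit and not over:
                alerts.append((host, day, "volume"))
            over = rolling > window_limit
    return sorted(alerts)

# Constructed sample: day index, hypothetical internal host, bytes sent outside.
SAMPLE_FLOWS = (
    [(d, "web01", 1 * GB) for d in range(1, 6)] + [(6, "web01", 20 * GB)]  # one burst
    + [(d, "docs01", 4 * GB) for d in range(1, 11) for _ in range(2)]      # steady 8 GB/day
    + [(d, "mail01", 2 * GB) for d in range(1, 7)]                         # normal traffic
)

if __name__ == "__main__":
    for host, day, reason in egress_alerts(SAMPLE_FLOWS):
        print(f"day {day}: {host} flagged ({reason})")
```

The steady host never trips the spike rule, which is why the rolling total is checked separately.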
And now for the traditional news. All editions of the digest are available by tag.
Adobe closes a critical vulnerability in Flash that is already being used to distribute ransomware
News. Advisory.
There have been so many recent, out-of-band and other patches for Adobe Flash that yet another update would hardly have attracted attention if the critical vulnerability had not been actively exploited before the update was released. It is not that often that cybercriminals get information about fresh vulnerabilities before they are closed. That does not, however, prevent them from infecting users of unprotected PCs after the patch as well, since software is not always updated, and not always on time. As it turned out on Thursday, the critical vulnerability in Adobe Flash affected versions for all platforms, caused the plug-in to crash and could lead to arbitrary code execution. The vulnerability was used in the Magnitude and Nuclear exploit kits to distribute the Cerber and Locky ransomware.
Locky is the same encrypting Trojan that recently made headlines after an incident in which medical institutions were infected. I am sure this event will serve as another argument for abandoning Flash completely and for good: after all, it turns out that even with the latest updates installed you cannot be sure your system is secure. But it turns out that timely updates still help in this case. After analyzing the exploit kit, an expert at Proofpoint noticed that it targets users of very old Flash versions. The new exploit, which for some time (at least 3 days before the patch) could successfully attack even the most recent releases of the plugin, was for some reason used only against outdated versions. Apparently the creators of the exploit kit did not fully understand what exactly had fallen into their hands.
WhatsApp has implemented end-to-end message encryption for all users
News. Post on the WhatsApp blog.
In the latest version of the client for all mobile platforms, the creators of the WhatsApp messenger have enabled full end-to-end message encryption. This applies to all types of transmitted data: personal and group chats, text and pictures, voice messages and calls. Encryption uses the open Signal protocol. If the encryption is implemented correctly and really is end-to-end, then, in theory, only you and the person (or people) you are talking to can read the messages. That is what WhatsApp promises. That is why this event is being called far more important than the dispute between Apple and the FBI: this week hundreds of millions of users received a free, reliable and secure communication channel.
Or did they? We have collected expert comments in this news. In particular, the protocol may be ideal, but ultimately the owner of the system, in this case Facebook, is responsible for the actual protection of the data. According to independent expert Jonathan Zdziarski, privacy and Facebook are simply incompatible. I am sure he is not the only one who thinks so. A more reasoned argument: even if the messages cannot be decrypted, the metadata (IP addresses and other information) still reveals too much to speak of complete privacy or anonymity. Finally, encrypted data transmission does not remove the vulnerability of information on the end device. However, we already went through this recently, with the case of hacking an Apple phone. I am sure that the debate about the conflict between privacy and the need to monitor communications, with good intentions of course (but not only), will continue quite soon. And it will cover devices as well as protocols and networks: the two key points where information can be intercepted.
The head of the FBI recently spoke about absolute privacy; read this news. In short, he is against it.
The Pentagon opens its own bug bounty program, Hack The Pentagon
News.
How to hack the Pentagon and get paid for it. OK, not exactly. Bug bounty programs are primarily aimed at formalizing communication between researchers and vendors, so that the former are rewarded for their work and the latter receive timely information about vulnerabilities in software, hardware or infrastructure. Over the past six months we have repeatedly discussed examples of this communication going wrong: vulnerabilities are disclosed before patches appear, and vendors try to go after researchers. Nevertheless, the launch of such a program by an organization that is not just a government body but a military department is serious progress and very positive news.

The program runs on the platform of HackerOne, a company that provides organizations with the infrastructure for working with researchers. Progress is progress, but it did not come without peculiarities. Setting certain requirements for the vulnerabilities found is quite normal, but the Pentagon also filters the researchers themselves quite seriously. You need to have US citizenship, and the especially lucky ones will also have to pass a security check, including a criminal record check. You can refuse the check, but then the reward will not be paid, even if the research complies with all the rules.
What else happened:
- In the Philippines, a voter database was stolen: 55 million records.
- In the course of a trial, the FBI was asked to explain exactly how it breaks into communications on the Tor network. The FBI politely refused.
- A dangerous vulnerability in Cisco firewalls.
Antiquities: the "Protect" family
Dangerous resident viruses that infect COM and EXE files in the standard way when they are launched for execution. They intercept int 21h and int 1Ch or int 33h, depending on the version. They contain the text: "File protection". "Protect-1157" removes file attributes and blocks mouse operation. "Protect-1355" manifests itself on EGA and VGA monitors as a fine and very nasty screen shake.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 44.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It depends on your luck.