
Patch Android! July 2019 update fixes 9 critical flaws

Depending on when users receive it, this week's Android July 2019 patch update will fix 33 security vulnerabilities, including 9 marked critical and 24 marked high.

If you own a Google Pixel device, that will be within a day or two. Everybody else running Android 7, 8 or 9 will have to wait anything from weeks to months for their device to reach the 2019-07-01 and 2019-07-05 patch levels (what these dates mean is explained here).

As usual, July's batch of fixes covers flaws in significant parts of Android, including system, framework, library, and Qualcomm's numerous components, including closed-source software.

However, as has been the case for some months, it's the media framework that provides a disproportionate amount of the patching action in the form of three remote code execution (RCE) bugs marked critical.

These are CVE-2019-2107, CVE-2019-2106 (affecting Android 7 and 8), and CVE-2019-2109 (which only affects Android 9).

Another RCE critical is CVE-2019-2111 in the Android system, with the remaining critical flaws all connected to Qualcomm's closed-source components.

In contrast to Microsoft's Patch Tuesday, Google rarely offers much detail on individual flaws during the initial patch release, restricting itself to the following generalisation:

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Google is able to be this vague primarily because:

We have had no reports of active customer exploitation or abuse of these newly reported issues.

Anyone interested in knowing a bit more about these should check the flaw CVEs on the US National Vulnerability Database (NVD) in a week or two when more information is added on each vulnerability.

Alternatively, vendors publish their own advisories which often feature more device-specific information: see the July 2019 update advisories for Samsung, Nokia, Motorola, LG, and Huawei.

Huawei

If you own a Huawei device, it should receive this month's update without issue. As for updates after August's, the company is due to make an announcement soon (users can find more information on Huawei's website).

Depending on the version of Android, a device's patch level (2019-07-01 or 2019-07-05) can be determined in Settings > About phone > Android security patch level. For Android 9 it's Settings > System > Advanced > System updates.
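For anyone checking a fleet rather than one phone, the same value the Settings screen shows is exposed as the system property ro.build.version.security_patch, readable over adb. The script below is an added example, not part of the original article or of Google's tooling: it classifies a patch level string against the two July 2019 levels. In Google's bulletin convention the 2019-07-01 level carries only the Android framework, system and media fixes, while 2019-07-05 also includes the kernel and vendor (here, Qualcomm) fixes, which is why the two are distinguished. The adb invocation in the comment assumes adb is installed and the device is authorised; the sample values at the end are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: classify an Android device's
# security patch level against the July 2019 bulletin's two levels. Android
# exposes the level shown in Settings as the system property
# ro.build.version.security_patch, formatted YYYY-MM-DD.

android_patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    # Turn 2019-07-05 into 20190705 so a plain integer comparison orders dates.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -ge 20190705 ]; then
        echo "complete"   # 2019-07-05 or later: full July 2019 set, vendor fixes included
    elif [ "$n" -ge 20190701 ]; then
        echo "partial"    # 2019-07-01: AOSP framework/system/media fixes only, vendor fixes pending
    else
        echo "outdated"   # earlier than July 2019: none of this month's fixes present
    fi
    return 0
}

# On a real device (assumes adb is installed and the device is authorised):
#   android_patch_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"

# Constructed sample values so the script runs offline.
for sample in 2019-07-05 2019-07-01 2019-06-05 junk; do
    printf '%s -> %s\n' "$sample" "$(android_patch_status "$sample")"
done
```

The function only prints a classification and always returns 0, so it can be wrapped in a loop over many serials (adb -s SERIAL shell getprop ...) without an early exit under set -e; a "partial" result on a Qualcomm-based device means the Qualcomm closed-source fixes listed as critical this month are still missing.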


Miami police body cam videos up for sale on the darkweb

This can't be a good day for Miami police.

We?ve known for a while that many webcams are a security train wreck, and that doesn?t change just because a police officer straps one on.

Now, unsurprisingly, police body cam footage has been found sloshing around online.

It's not just that about a terabyte of videos from Miami Police Department body cams was leaked and stored in unprotected, internet-facing databases, according to the security outfit that found them. It's that they were leaked and then sold, according to Jason Tate, CEO of Black Alchemy Solutions Group, who told The Register that his team had found the footage listed for sale on the darkweb.

Tate first tweeted about the discovery on Saturday, including a sample video, which has since been removed.

Tate said that the data is coming from five different cloud service providers. Besides Miami Police, there's video leaking from city police departments "all over the US", he said.

It seems these 5 providers have city contracts all over.

Known security SNAFUs

Last August, a security researcher, Josh Mitchell, a consultant at security firm Nuix, analyzed bodycams from five vendors that sell to US law enforcement agencies. He spotted vulnerabilities in several popular brands that could place an attacker in control of a camera and tamper with its video.

Mitchell found that the lack of security in the police bodycams included broadcasting of unencrypted, sensitive information about the device that could enable an attacker with a high-powered directional antenna to snoop on devices and gather information including their make, model, and unique ID. That information could lead to police getting stalked, since an attacker could track an officer's location, or even suss out when multiple police officers are coordinating a raid, Mitchell told a DefCon audience at the time.

Mitchell also found that some cameras include their own Wi-Fi access points but don't secure them properly. An intruder could connect to one of these devices, view its files and even download them, he warned. In many cases, the cameras relied on default login credentials that an attacker could easily guess. This could lead to attackers tampering with evidence by replacing it with convincing deepfake footage. (That's just one example of why the US Defense Advanced Research Projects Agency (DARPA) has been studying the problem of detecting deepfakes.)

Tate is well aware of the potential for evidence tampering. When somebody on Twitter pointed out that the footage and its associated metadata are "largely public records," he said he knows that. That doesn't mean it won't lead to problems in evidence integrity, though, he said.

Miami Police Department must have felt the same way, since it looks like the department's admins removed the videos from public access after Tate notified them about his findings. But it was publicly accessible for at least a number of days, he told The Register. That gave ample opportunity for hackers to copy videos from the databases and potentially sell them.

A spokesperson for Miami PD told The Register that the department is still looking into the claims and wouldn't comment until it completed its review.


Georgia's court system hit by ransomware (News, July 5, 2019)

Georgia's court system has been hit by what may be the fourth Ryuk ransomware strike against state and local agencies in the past month and a half.

At the time of publishing this article, the site was still down.

According to Atlanta's Channel 11 News, officials confirmed on Monday that at least part of the court system's network had been knocked offline by a ransomware attack.

Details about the extent of the damage haven't been publicly disclosed, but officials say it's much less severe than the attack against Atlanta that destroyed years of police dashcam video last year, as well as freezing systems. Six days after it was hit, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn't go online to pay their water bills or parking tickets.

The earlier attack against Atlanta involved SamSam ransomware, a high-profile ransomware that was typically used in targeted attacks where cybercriminals break into a victim's network and launch ransomware manually, to cause maximum damage and disruption.

The crooks demanded what was then roughly $52,000 worth of bitcoin. That paled in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems, and to the six figure ransoms demanded in similar targeted attacks by other gangs.

The nature of this latest attack on Georgia's court system hasn't yet been determined. Authorities said the extortionists' note didn't specify a specific ransom amount or demands. Although the attack doesn't appear to be as crippling as the SamSam one from last year, they took the court network offline to stay on the safe side, authorities said.

While few details were available as of Tuesday afternoon, there's a hint that the Georgia assault might involve Ryuk ransomware.

On Tuesday afternoon, Ars Technica's Sean Gallagher tweeted a followup to his writeup of the Georgia attack, saying that he'd heard back from the Georgia Administrative Office of Courts. He was told that while the malware hasn't yet been identified, it left a message with contact information for ransom operators, which is "consistent with Ryuk and other targeted ransomware," Gallagher said.

As Naked Security's Mark Stockley detailed back in December, Ryuk, a relatively new strain of targeted ransomware, ascended just as SamSam's influence began to diminish in August 2018.

If so, it might be the fourth Ryuk attack against state and local agencies since May. The first three were against Florida cities, though it's not entirely clear whether Ryuk was involved in the attack against Riviera Beach. At any rate, the cities that have fallen prey to some sort of ransomware in the past few weeks are:

  • Riviera Beach, Florida, which agreed to pay attackers over $600,000 three weeks after its systems were crippled.
  • Lake City, Florida, which was hit on 10 June by Ryuk ransomware, apparently delivered via Emotet. Lake City officials agreed to pay a ransom of about $490,000 in Bitcoin.
  • Key Biscayne, Florida, which last week also got clobbered by an Emotet-delivered Ryuk attack. The city reportedly hasn't yet decided if it's going to pay the ransom.

On Monday, after its insurer had agreed to pay most of that $490K ransom, Lake City's Joe Helfenberg confirmed that the city had fired its IT director, Brian Hawkins.

What to do?

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

The bottom line is: if all else fails, you'll wish you had comprehensive backups, and that they aren't accessible to attackers who've compromised your network. Modern ransomware attacks don't just encrypt data, they encrypt parts of the computer operating system too, so your backup plan needs to account for how you will restore entire machines, not just data.