Read up on more Node.Js Vulnerabilities!

It’s that time of the week again folks. Meterian has two new Node.Js vulnerabilities to inform you on. Both are ranked a severity score of 7.5 and therefore considered to be of urgent attention. The first vulnerability concerns the bson-objectid package and the second the csv-parse module. Act fast and don’t let these vulnerabilities sit within your software/networks, or you could be at serious risk of a cyber attack. 

  • CVE-2019-19729: There is an issue discovered in the bson-objectid package version 1.3.0 for Node.js. Hackers could generate a malformed objectid, resulting in objects in arbitrary forms to bypass formatting if they have a valid bsontype.
  • CVE-2019-17592: The csv-parse module before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. An attacker can cause a program to spend an unnecessary amount of time processing.

CVE-2019-19729

Vulnerability Score: 7.5 /HIGH

Platform: Node.js

Component: bson-objectid

Affected Versions: up to 1.3.0

Read up Node.js users you’ll want to know about this vulnerability! This was discovered on the 12th December 2019 by user Xiaofen9 on Github who noticed that ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to his user-input.

What is bson-objectid? This component allows you to create and parse ObjectIDs without using bigger components, such as other fully-fledged bson libraries.

The problem is that in certain conditions the input object will not be checked and will be returned early. This means that objects in arbitrary (potentially malicious) forms can completely bypass formatting and validation.

https://github.com/williamkapke/bson-objectid/issues/30

So what can hackers do? The manipulation with an unknown input leads to a privilege escalation vulnerability and could lead to an impact on confidentiality, integrity, and availability.

But what does a privilege escalation vulnerability actually entail? It is when a malicious user gains access to the privileges of another user account in a target system. This allows hackers to use these privileges to steal confidential data, run administrative demands or deploy malware.

What can you do to fix this? Unfortunately, at this time of writing there is still no remedy to this vulnerability. However, we recommend to cease using this component or switch to a full bson library like bson.

CVE-2019-17592

Vulnerability Score: 7.5/ HIGH

Platform: Node.js

Component: csv-parse module

Affected Versions: up to 4.4.5

Oh yes…we are not done yet. Here is another Node.js vulnerability for you all! This was discovered on the 14th of October and given a high score of 7.5 by NVD. The affected module is csv-parse which is a CSV module. This project is a parser which converts CSV text inputs into objects. It uses the Node.js stream.Transform API and provides a simple callback-based API. Released for the first time in 2010, it is very easy to use and helps the big community that uses it with large data sets. 

The problem is that before version 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. A cast option is available in the module, it defines multiple functions to transform values based on their type. When such option is active and an integer cast is required, the corresponding __isInt() function uses a malformed regular expression that processes large inputs extremely slowly.

Why is Regular Expression Denial Service a backdoor for hackers? The attacker will insert in the file a malicious string which they know would take a very long time to evaluate. This means the attacker can make the user spend an excessive amount of time processing, resulting in the user’s executed commands to slow down or become unresponsive. Thus,  the availability of the system degrades. To make things worse, the exploit can be easily and remotely executed depicting clearly why this vulnerability is classified as problematic.

An image of a coffee shop. A barista making coffee with a speech bubble saying '*making coffee slowly*' and a woman at the till looking impatient with a speech bubble saying "My coffee is taking forever".

The best thing to do to avoid getting caught out by such exploit, is to upgrade to version 4.4.6 and above. 

That is it from us…for now! Make sure to spread the word on these critically-rated Node.js vulnerabilities in order to help protect your apps/the apps you develop. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Read up on more Node.Js Vulnerabilities!

The Healthcare Sector: A Major Target for Cyber Attacks

An image of a doctor with his hands crossed.
https://unsplash.com/photos/hIgeoQjS_iE

The healthcare sector is seeing a progressiveness when innovating its medical practices. Forbes estimated digital health tech catering to out-of-hospital settings would grow by 30% to exceed $25 billion market globally by the end of 2019.

Alas, with the growth of innovation in this sector, there also comes the risk of cyber attacks. The healthcare sector in particular seems to be a major target for cyber criminals. Why is this? What is the financial impact? And most importantly what can be done?

Why do cyber criminals target the healthcare sector?

There are many reasons why the healthcare sector is a target:

  • One of the main reasons has to do with the financial worth of the masses of patient information hospitals store. With the introduction of GDPR (May 2018) it has never been so crucial for hospitals and businesses to keep patient data secure.
  • Medical devices tend to be easy entry points for cyber attackers. Due to these devices only being used for medical practices, cyber security is not within the design of the product. Although these devices will not store patient data, hackers can launch an attack on the server which holds important information. For example, a vulnerability was discovered in the work of insulin pumps of Johnson & Johnson. This vulnerability could have allowed attackers to get control of the device via Wi-Fi and provoke an overdose of insulin in the patient’s blood.
  • Medical staff are accessing data remotely on different devices and networks, which provides another entry point for attackers. The problem is that if one device is hacked, this might leave the rest of the organisation vulnerable.
  • Despite the healthcare sector progressively innovating its practices, staff are still reluctant to disrupt working practices with the introduction of new technology. This creates weaknesses in the healthcare organisation’s IT systems because it produces outdated software that allows entry points for cyber criminals.
  • The result of costly budgets, lack of resources and time constraints make it hard for healthcare staff to be fully educated in cybersecurity practices.
  • The vast amount of devices used in a hospital makes it hard for IT specialists to protect the entire hardware network against attacks.
  • A very serious reason why the healthcare sector is targeted is also to do with international espionage. For example:
  • John Riggi, a former ex-FBI cyber specialist: Hospitals are “being targeted by hostile nation-states for theft of intellectual property related to medical research, innovations, cancer studies, population health studies, research of medicine and clinical trials, and also potentially for conversion for military use such as biological weapons”
  • They might target hospitals to acquire the medical details of business leaders, politicians or military figures. An example is seen when the Singaporean government health database was hacked in 2018. Prime Minister Lee Hsien Loong was amongst the 1.5 million whose personal data was stolen from the database.
  • Another problem is if hackers target hospitals near military installations this could give sensitive records of military personnel and worse, insight into where troops might be deployed.

Popular cyber attacks within the healthcare sector

The most popular attacks to the healthcare sector have shown to be: 

  1. Ransomware attacks

Ransomware is a type of malware that will infect systems and files, making them inaccessible until someone pays a ransom. For the healthcare system, this slows down processes and often forces hospitals to turn to pen and paper. A recent example of this was seen last November with the ransomware attack on French hospitals in Rouen. More worryingly, the 2017 Healthcare Cybersecurity Report suggested ransomware attacks on the healthcare sector will quadruple by 2020 and ransom-takers are using more sophisticated tactics to hack into systems, as 350 different variants of ransomware were observed in 2018 compared to 241 in previous years.

Often these attacks will affect machines through: phishing emails with malicious attachments, a user clicking on a malicious link, or viewing an advertisement containing malware. But an entry point that is often disregarded is ransomware via an outdated component or software. For example Hollywood Presbyterian Hospital in California suffered a ransomware attack due to an outdated JBoss server software. The attacker uploaded malware to the out-of-date server without any interaction with a victim. This resulted in delayed patient care and the hospital had to pay $17,000 to recover access to files and the network. What was interesting was that the attackers had used an open source tool, JexBoss, to search the internet for a vulnerable JBoss server and networks which had been infected. Organisations that handle healthcare data have to make sure to update their systems as the majority of healthcare ransomware attacks are malware related.

A picture of a computer with some code on the screen.
https://unsplash.com/photos/OqtafYT5kTw

What is a JBoss Server? This is an open source application server program used for developing and deploying enterprise java applications, services and web portals. JBoss released its last version (7.1.1) in 2012, as it then switched its name to Wildfly in its next release. So if you are running an application server with the name JBoss, it is out of date and has been for a very long time.

  1. Data breaches

Data breaches can occur for many different types of reasons, from credential stealing malware to insider threats to lost devices. The reason why data breaches are so common within the healthcare sector is because Personal Health Information (PHI) is more valuable on the black market than financial or Personally Identifiable Information (PII). 

But why is PHI more valuable that PII? The average cost of a data breach for a non-healthcare related agency is $158 per stolen record. Yet, for the healthcare sector the average cost is $355. According to Infosec Institute, PII can sell on the black market for $1-2 but PHI has been said to be worth up to $363

This shows the value of patient data financially. However, PHI can be valuable also to target victims with fraud scams by taking advantage of their medical conditions. Cyber criminals have also been known to use stolen patient data to access prescriptions for their own use or resale. 

With the enforcement of GDPR since May 2018, securing patient and medical records has never been so important.

  1. Insider Threats

Did you know the healthcare sector is the only industry for which the biggest threat to data breaches come from internal sources? According to the 2019 Verizon Insider Threat Report, 46% of healthcare organisations were affected by insider threats

Insider threats have shown to stem from a lack of cybersecurity training amongst staff or employees maliciously giving away access codes or them purposefully selling PHI or PII for profit. For example, Anthem a Medical Insurance company learned in 2017 that an employee had been misusing and stealing Medicaid member data — up to 18,000 of PHI — as early as July 2016. This demonstrates the cautiousness there needs to be within the staffing of the healthcare sector to ensure people are not misusing PHI. 

  1. Business email compromise

Business email compromise is when hackers use spoof emails to compromise an account by tricking the employee to transfer money to a fake account. Normally, the fraudsters pretend to be a person of authority within the company to seem as if they might be asking a legitimate request. This has been successful because fraudsters tend to do a lot of research on their targets and will make sure to convincingly impersonate the individual whilst only sending the email to select few people. 

For example, in 2015 a local medical center reported that they had received a call from a pharmacy to confirm a large order of prescription drugs amounting to over $50,000. After a thorough investigation they discovered that the medical center had not placed that order. The pharmacy had called to check because the shipping address of the medical center didn’t match their records, yet all of the other credentials provided had been correct, such as:

  • The Drug Enforcement Agency ID number
  • Doctor licences
  • Pharmaceutical certificates

This clearly demonstrates how cyber crime is becoming more sophisticated.

The Financial Impact

Data breaches are particularly strenuous on the healthcare sector because they take longer to deal with an attack due to a lack of financial resources or trained personnel. To make matters worse, by 2020 security breaches are said to cost the healthcare sector 6 trillion dollars. A study conducted by Mid-Horizon found that hackers can very easily access domain level administrative privileges of most healthcare applications. 

The financial damage the WannaCry attack placed on the NHS in 2017 was significant. The Department of Health said the attack cost the NHS £92 million due to a third of hospital trusts and 8% of GP practices had affected computers. The hack forced 200,000 computers to lock out their users with red-lettered error messages demanding a ransom in Bitcoins. 

This is all the more reason the healthcare sector need to prioritise their cybersecurity as these sorts of attacks could have crippling consequences. 

A picture of some doctors/nurses walking down a white corridor.
https://unsplash.com/photos/Pd4lRfKo16U

What can be done? 

On a national level, there are some countries that set a good example. After the cyber siege in 2007, the Estonian government created a cybersecurity strategy built into their law enforcement. After one of their reports found that 11,000 cybersecurity incidents happened in 2018, Estonia introduced a blockchain technology to have more control over electronic patient records. This meant there was a time-stamped record of anyone in contact with/adding/omitting information. Conversely, patients use electronic identification cards to access their health information and can decide who they share the information with.

Although many security executives think that their programs are providing sufficient protection, these programs might not be securing the actual patient or member data. There needs to be an understanding between compliance-driven strategy which is when programs do not stand up to the test of the attackers and security-driven strategy when programs are designed to deal with attackers and the threats they create. This means a refocus on the actual risks of the healthcare infrastructure:

  • Where is the patient data?
  • Where does it live? 
  • How is it stored?
  • How is it protected?
  • Are these protections sufficient?

Therefore when new technologies are in place there can also be a focus on:

  • If the technologies are fully supported 
  • If the technologies are deployed across the organisation’s entire enterprise
  • That the technologies have no limited capacities
  • That the technologies are never unmonitored

Both patient care and business continuity are important to healthcare organisations.  As hospitals and caregivers rely on technology to deliver greater gains for more timely care and more efficient business processes, they must ensure their systems are secure and stable for everyday operations. This requires a cyber resilient approach that addresses people and processes, as well as the technology used. Read Meterian’s blog post on how your organization  can become more cyber resilient.

The Healthcare Sector: A Major Target for Cyber Attacks

New Python Vulnerabilities!

Image of thief climbing out of laptop shining flashlight on Python icon, titled Vulnerability Focus: Python.

In honour of Meterian introducing Python into their beta production, here are two Python vulnerabilities which you should look out for. We don’t like it when systems or computers behave in unexpected ways. It’s worse when such outcomes result in a cyber security incident. This month’s Python vulnerabilities can cause unexpected behaviours which hackers could exploit to compromise the integrity of your system in unpredictable ways. Don’t waste any time as you could be affected, so read on and learn how to avoid these risks.

  • CVE-2019-18874: through python-psutil versions 5.6.5 there are risks of double free consequences. Attackers could use this issue to cause psutil to crash, therefore a denial of service, and possibly execute arbitrary code.
  • CVE-2019-17626: ReportLab through 3.5.31 allows remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability could affect confidentiality, integrity, and availability within your software/network.

CVE-2019-18874

Vulnerability Score: 7.5 / HIGH

Platform: Python

Component: python-psutil

Affected Versions: up to 5.6.5 inclusive

Indeed…Python has a vulnerability within the package python-psutil. This was discovered on the 11th November 2019 by Riccardo Schirone who noticed that the psutil incorrectly handled certain reference counting operations. 

Python-psutil, is a Python package which provides convenient functions for accessing system process data. It is a cross-platform library for retrieving information on running processes and system utilization in Python. It is mainly used for system monitoring, profiling and limiting process resources and management of running processes. Psutil supports a range of platforms: Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Sun Solaris and AIX.

How does this vulnerability happen? It was caused by incorrect reference counting handling within for/while loops that convert system data into said Python objects. If an error occurred, the reference counter would be dropped twice.   In this case, the computer system’s memory storage is mishandled. Essentially, a double free releases the same area of memory twice.  

How can hackers take advantage of the system? They could use this vulnerability to cause the psutil program to crash which could lead to a denial of service and potentially the execution of arbitrary code. This execution of arbitrary code will provide the attacker with the ability to execute any command of their choice in a target machine or process. Like landmines, this vulnerability is unpredictable and hard to spot. The idea is that the hacker is waiting for the system to trip up in order for the “landmine” (malicious code) to set off and infect the users’ system.

Image of an area with signs saying 'Danger!!!Mines!!!'
https://flickr.com/photos/anzclusters/3404799066/

To remedy this vulnerability, please upgrade to version 5.6.6 or higher of python-psutil. Upgrade fast Python users, you don’t want to be at risk of a cyber attack.

CVE-2019-17626

Vulnerability Score: 9.8 / CRITICAL

Platform: Python

Component: reportlab 

Affected Versions: up to 3.5.31 inclusive

Yes that’s right! We have one more Python vulnerability to inform you on. This one is found within ReportLab up to 3.5.31 and it has allowed remote code execution because of toColor(eval(arg)) in colors.py. This vulnerability was found on the 10th October 2019 and has been classified as critical. The issue is affecting the function toColor of the file colors.py. 

An image displaying the lines of code which show where the vulnerability was found.
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

ReportLab is an open source engine for creating data-driven PDF documents and custom vector graphics. So it is free, hence open-source and widely used to generate reports in Python. The package sees more than 50,000 downloads per month, it is embedded in many products and was even selected to power the print/export feature for Wikipedia. So you can understand now why this vulnerability is critical and urgently needed to be fixed by users.

The issue with this vulnerability is that the manipulation of the input value to <span color=” can lead to a privilege escalation vulnerability. Not only can this attack be initiated remotely but it will impact a user’s confidentiality, integrity and availability. To make matters worse, it has been said that the price of this exploit be around USD $0-$5k since last stated on 16/10/19.

An image of 3 eggs, 2 white one brown. The first egg has a bubble which says in remarks to the brown egg 'Hey how'd you get in here?' and the brown egg has another bubble which says "Oh no they found me". This image represents the vulnerability discussed.
https://www.pexels.com/photo/eggs-in-tray-on-white-surface-1556707/

To remedy this vulnerability, please upgrade to version 3.5.32 or higher.  This is different from the recommendation of NVD which suggests to upgrade to version 3.5.26 or higher.  NVD also references the incorrect CWE, which should be corrected to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’).  Based on Meterian’s analysis, we only see the remediation implemented in versions 3.5.32 or later.  You can verify the code here

Spread the word on these critically-rated, easy-to-exploit Python vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Python Vulnerabilities!

TOP 10 HOLIDAY HACKS

Beware: ‘Tis the season to be scamming’

Busy area of people with a Christmas tree in the centre. A thought bubble coming out of a parent saying "How was it seeing Santa?". Another thought bubble coming out of the child next to the parent saying "He asked me lots of questions...I think he might be a cyber criminal...".

Why is the Holiday season so popular for cyber criminals?

Organizations and individuals are at a much higher risk of suffering a cyber attack during this festive season. TAU’s 2018 Carbon Black Holiday Threat Report showed how during the winter holidays, there was a significant increase in cyber attacks. A survey conducted by Tufin Technologies similarly stated that 81% of hackers said they operated more intensely during the winter vacation. But why is this the case?

The total value of global retail e-commerce sales will reach $3.54 trillion by the end of 2019, up 20% over 2018. To top that off, nearly $142 billion (£106.5 billion) will be spent online in the UK during the holiday season this year. With so many people spending online, this becomes a goldmine for hackers to target those of us who shop online.

Additionally, with offices empty during the festive season this is an ideal opportunity for criminals to start causing havoc to your business. Even the lead up to the christmas break can be a vulnerable period, as your staff become more and more distracted. The lack of vigilance will allow hackers to attack and get away with it, supported by Tufin Technologies whose survey found 56% of hackers said Christmas was the best time to hack corporate computers.

The rise of emails sent during the holiday season means phishing emails are harder to spot. According to Responsys’ Retail Email Guide to the Holiday Season, 89% of top retailers increased their number of promotional emails sent in November and December by 47% compared to January and October. 

10 hacks to fight back: Don’t let hackers ruin your festive fun!

  1. Missing parcel fraud 

Have you ever received a card saying a parcel has been left on your porch but there is nothing there? You could be a victim of a scam. One of your shopping accounts might have been hacked allowing the hacker to spend freely using your credit card details.

What to do?

To tackle this scenario, make sure to call your bank so that they can freeze any more movement coming out of your account. Unfortunately, you might have not done anything wrong for your debit card details to be stolen, but in this instance acting fast is the best thing you can do when noticing something suspicious. 

  1. Fake ‘missed you’ delivery card

Most likely, a lot of us have received a ‘missed you’ delivery card when we weren’t at home to sign it off from the postman. However beware! Fraudsters have been known to print out a similar card and make it look like it came from the Royal Mail. They will use a fake number asking you to call to ensure the parcel is redelivered. On the other end of the phone will be the cyber criminal, waiting to collect your personal information so that they can then pretend to be you. 

What to do?

Never give your personal information over the phone, regardless of whether it might seem like a reliable source. Always look up the Royal Mail number online to double check if they match the number on the card you have received.  

  1. ‘Trojan horse’ malware attack

Malware attacks occur when people click on pop-up windows that appear on their computers offering free security software. The pop-up will most likely be a hacker. Malware will harvest your personal and financial information, send phishing emails to your contacts and provide remote access to your device.

What to do?

If you are unfortunate enough to install malware you should: 

  • Disconnect from the internet, as this will prevent anymore data from reaching the malware server.
  • Entering safe mode, allows your computer to run checks with the minimum required software and programs to load. This will prevent the malware from loading automatically.
  • Avoid logging into accounts during malware removal, to avoid sharing personal information.
  • Check your activity monitor to manage how your processes are running your computer and how it is affecting its performance.
  1. Man-in-the-middle harvesting

Using public Wi-Fi is a risk. This involves hackers sending out their own copy-cat Wi-Fi signal which you might latch onto by accident. If you do this, it could allow a hacker to spy on what you are doing and then be able to take your personal information.

What to do?

The main advice is not to use public Wifi when making money transactions or logging into personal accounts, otherwise you could be at risk of identity or card theft.

  1. ‘Phishing’ emails

According to NTT Security’s quarterly Threat Intelligence Report, phishing emails are up 74% with over 1.4 million new phishing sites created each month. Phishing emails leverage messages with malware attachments. TAU’s report says that the majority of cyber attacks during the holidays use phishing campaigns or spear-phishing campaigns to deliver malware to their victim’s computer systems. 

What to do?

If you have clicked on an attachment within a phishing email, this is what you should do:

  • Disconnect from the internet
  • Back-up your data 
  • Scan your device for malware using an anti-malware software 
  • Change all your login credentials as once cyber criminals have them they can access all your accounts
  • Set up a fraud alert
  1. Charity donation cheats

Fraudsters also take advantage of the goodwill of many people by pretending to be charity organizations. 

What to do?

Make sure to check any emailed details with the Charity Commission’s list to ensure your donations are going to the right place.

  1. Password theft

Many people don’t know that once a hacker has access to one of your passwords they can unlock many accounts online. Over Christmas fewer people are keeping tabs on where their money is coming and going, so make sure to be cautious for any suspicious activity.

What to do?

To avoid password theft you should try to :

  • Create strong passwords – use letters, numbers and symbols
  • Use multi-factor authentication 
  • Have different passwords for different accounts 
  • Use a password manager
  • Avoid sharing your password with anyone

If your password is stolen take the appropriate action in regards to the account affected and make sure you change your account passwords immediately. 

  1. Copy-cat websites

Don’t be fooled by bogus websites. They might seem legitimate but you might fall in the trap of paying for services or gifts you will never receive. 

What to do?

You can spot these fake websites by the final suffix letters. Fraudsters in the past have used suffixes such as ‘.co.com’ instead of ‘.co.uk’. Moreover, an ‘https’ prefix is more reliable than a ‘http’ address. Website address with ‘https’ indicate the site has an extra layer of security.  It uses the Secure Sockets Layer (SSL) to maximize security of data & transactions on the web with an encrypted channel between your device and the website you’re shopping on.

This way, your account login, credit card, and any other sensitive information details are encrypted to prevent eavesdropping. In short, avoid ‘Not Secure’ warning in browsers.

  1. Dark web targets

Over this festive season people often send seasonal greetings via email rather than cards in the post. Occasionally, there will be attachments with holiday messages. However, beware of opening these attachments even if you recognise the name of the sender. Hackers have used personal details of people off the dark web to find targets. 

What to do?

Sometimes it is better to be safe than sorry. Due to the high risk of email attachments with malware, it might be best to abstain from clicking. Thanking the sender of the email for the seasonal greetings (before you have opened any attachment) could also make it clear whether they were the true sender or not, giving you more of an indication if the attachment is safe to open.

  1. Rip-off Goods

Although you might think you have used a reputable website to do your Christmas shopping, this still does not mean you have escaped the cyber criminals. There is still a chance you could be sent counterfeit goods. This is a problem, especially when the European Union Intellectual Property Office (EUIPO) reported that international trade in counterfeit products is now worth up £300 billion and in 2017, 15,000 online shoppers lost £11 million to scams.

There are many risks when buying counterfeit goods:

  • Not only are the products of bad quality but they are most likely unsafe (especially with electrical or medical products; they could be fatal)
  • Consumers need to be careful, as the websites which they might use for the purchase might then gain access to personal sensitive information (credit credentials), as well as expose their computer to malware/viruses.

What to do?

There are a couple ways you can avoid this:

  • If the price online looks really low you could be buying a ripped-off good. What might seem like a good deal, might be a waste of your time and money. 
  • Check the spelling and grammar of the website and the URL
  • Only use sites that are reputable: always make comparisons on different sites/forums that might say the website is fake
  • Watch out for pop-ups appearing asking you to confirm your card details before you are on the payment stage. 
  • Make sure you’ve installed the latest software & app updates

To wrap it all up

There are a lot of ways which you can avoid being hacked this Christmas. But if you are one of the unlucky ones, we hope our tips have helped you deal with the situation or informed you more on the matter.

TOP 10 HOLIDAY HACKS

Cyber Due Diligence: Why is this so important for M&A?

5 min read

4 people holding up signs. The first two have a sign with a tick covering their face. The third has a sign with an X showing her face. The last with a tick sign covering their face.
https://www.pexels.com/photo/four-people-holding-signage-1656594/

Cyber due diligence is increasingly taking the spotlight when considering M&A transactions. With the rise of cyber attacks across organizations, acquirers are now having to address the impact of a target company’s incidents to determine the deals they make. According to EY Global Information Security Survey 2018-19, 77% of organizations have limited cybersecurity. Cyber due diligence is important to avoid the devaluation of your organization!

What is cyber due diligence?

The official definition of cyber due diligence is ‘the review of governance, processes and controls that are used to secure information assets’. Essentially, cyber due diligence teams will gather a target’s risk profile and make recommendations to the purchaser.  

Would you buy a home without having it inspected by a surveyor? Many people wouldn’t. In the past, the lack of inspection has proven to cause traumatic consequences. Take the Grenfell Tower fire of 2017. The lack of inspection in the build, design, and maintenance of this residential building (and many others discovered after the tragedy) has made building due diligence a crucial aspect to many organizations. The same can be said when applying cyber due diligence. Proper attention to issues within a target company will allow more informed decisions and safer outcomes.

A picture of an architectural map with a hand holding a pen over it.
https://www.pexels.com/photo/adult-architect-blueprint-business-416405/

The importance of cyber due diligence is seen through the example of Yahoo! In late 2004, senior offices and legal staff learned that unauthorized access to its computer network had been gained by what Yahoo! had identified as ‘state-sponsored actor’. However, the board had not received a report. In 2016, Yahoo! and Verizon Communications entered a stock purchase agreement. Yet, around the same time, a hacker claimed to have obtained Yahoo! user data. Shockingly, after doing checks they found that up to 500 million user accounts had been stolen from Yahoo!’s network in 2014. Not surprisingly, this meant Yahoo! had to modify their terms with Verizon.

This proves how cyber due diligence is essential when making M&A transactions as it strongly influences the decision of the acquirer in regards to their target company. 

Financial, Legal and Technical Due Diligence

Although cyber due diligence does not provide an accurate picture, it still allows the acquirer to have a good approximation of the condition of a target’s digital assets. An acquirer will have a process in their assessment of a target company and will examine:

  • How much money does the company have, spend and earn? 
  • What are the margins of the target’s competitors?
  • Is the company in any debt?

This is financial due diligence. Every investment has a level of risk. There needs to be in-depth research to understand the risk well, and to avoid any harm to either party in the transaction. Avoiding financial due diligence can result in misunderstandings from the investor and cause them to be responsible for financial loss after the deal is closed.  If you’re a business owner, ask yourself:

  • Does your company own the software?
  • What is the IP ownership of the software your company has created?
  • Is your company in compliance with its legal obligations with respect to software licences, software updates, data protection and processing laws?
  • What are the risks if compliance fails?

Here we have legal due diligence. This helps both entities work together to push forward a deal by addressing any legal problems that might be obstructing a decision. So this is when an M&A document will be produced. Legal due diligence is very important: the general law does not, in the absence of fraud or misrepresentation, protect the acquirer if they later see the business is not what they understood it to be. So buyer beware! Understanding the target’s liabilities is crucial. Make sure your legal team knows what they are doing, as they have the important role of communicating to external advisers.

A picture of a skyscraper.
https://www.pexels.com/photo/apartment-apartment-building-architecture-building-323705/
  • Assess the infrastructure of the company 
  • Assess and network of the company
  • Assess the security and intellectual property risks of a company’s software products by reviewing its software bill of materials (SBoM).  Are all the software’s dependent components used according to their respective licences and rightfully owned?  Are the third party and open source software free of security vulnerabilities?
  • Evaluate the cybersecurity program protecting the high-value digital assets: is it appropriate?
  • Look at the target company’s previous breaches and how they responded to the incident?
  • Assess the target’s resilience and ability to resist cyber attacks on their digital assets in the future

Be a technical due diligence wiz and know what your technical assets are. Technical due diligence allows to identify any vulnerabilities within the software or network of the target company. Look at the product, the infrastructure and its processes. Many software applications rely on open-source software components. If left unsecured (or used at whim without due diligence assessing its risk to the business), this creates a potential weakness for organisations from two aspects. Firstly, vulnerable open source components are popular attack vectors for cyber attackers. Secondly, having components with a licence that’s not compatible with your company’s policy could harm your business. Companies should make sure their software is being used in compliance with its licence so they can avoid being sued for improper use of intellectual property.

As seen with the example of Yahoo!, the lack of technical due diligence allowed Verizon to make an uninformed decision. Although this was also a problem with Yahoo! not disclosing the issue, it shows how legally the deal had to be adapted and both companies suffered financial loss. This shows the integrated importance of financial, legal and technical due diligence, and the areas that need to be addressed by the acquirer during M&A transactions and considerations. 

How can Meterian help with due diligence process?

With Meterian, you can automate the due diligence of identifying and patching open source risks in minutes. Immediately see if open source components used in your team’s project code bases are free of security, stability and licensing risks. So that you don’t run into any surprises down the line in your code’s software supply chain. 

Although open source applications are built to a very high standard, open source software does not come with any guarantees of quality.  It is the user of the open source software that is responsible for assuring its quality (and therefore data processing security). There are still licence agreements one must comply with.  Since anyone can download and use open source software, without payment, it’s difficult for organisations to know what’s used in their code bases. Meterian helps companies ensure their software is audit ready and all open source licences are compliant and business friendly. Our software scanner runs and checks as developers build the software, so why not put your mind at rest and strengthen your business? See sample reports and analyse 1 free codebase by signing up on our website today.

Cyber Due Diligence: Why is this so important for M&A?

New Java Vulnerabilities!

4min read

Attention to all Java users! Yes, we are back with a brand new set of Java vulnerabilities that I know you would like to get some juicy info on. During September 2019, two Java vulnerabilities have been discovered within the Apereo CAS versions before 6.1.0-RC5 and the Apache Tapestry versions between 5.4.0 to 5.4.3. The former open source vulnerability has been given a score of 8.1 whilst the later a higher score of 9.8 in regards to severity. So hurry, read up and don’t waste any time. You could be affected!

  • CVE-2019-10754 Apereo CAS (org.apereo.cas:*) components could allow a remote authenticated malicious user to obtain sensitive information, caused by the use of weak RandomStringUtils PRNG algorithm. 
  • CVE-2019-0195 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded.

CVE-2019-10754 

Vulnerability Score: 8.1 / HIGH

Platform: Java

Component: org.apereo.cas (Apereo CAS) 

Affected Versions: versions before 6.1.0-RC5

That’s right folks! Java has another vulnerability. Due to multiple classes using Apereo CAS (before the release of 6.1.0-RC5) and making use of apache commons-lang3 RandomStringUtils for token and ID generation, this has made them predictable and resulted in a cryptography weakness.

Apereo CAS is an open well-documented protocol, as well as an open-source Java server component. It provides support for multiple protocols (CAS, SAML, OAuth, OpenID) and is a library for clients such as Java, .NET, PHP, Perl, Apache, uPortal and more! Apereo’s mission is to help educational organizations ‘collaborate to foster, develop, and sustain open technologies and innovation to support learning, teaching and research’.

For example, org.apereo.cas:cas-server-support-simple-mfa is a package that allows Apereo CAS to act as a multifactor authentication provider by itself. This generates tokens and allows them to be sent to end-users via pre-defined communication channels such as email or text message. Please also note that this vulnerability affects multiple components of the Apereo CAS framework. 

So what is the threat? Well, the affected versions of this package are vulnerable to Insecure Randomness, as it relies on apache commons-lang3 RandomStringUtil  which can produce predictable results. So, this could allow an attacker to generate their own unique Ticket ID due to insufficient randomness. In other words, the attacker could guess the encryptionSecret used within GenerateJwtCommand and allow them to impersonate a user. This also means the attacker will have access to sensitive information caused by the use of the weak RandomStringUtils PRNG algorithm. 

Image showing user communicating with the server, and the hacker impersonating the user.

But don’t fret. There is a solution. It has been recommended to upgrade org.apereo.cas to version 6.1.0-RC5 or higher.

Java users, don’t give cyber criminals the chance to access your data. Act fast and upgrade org.apereo.cas! 

CVE-2019-0195

Vulnerability Score: 9.8 / CRITICAL

Platform: Java

Component: org.apache.tapestry (Apache Tapestry)

Affected Versions: versions 5.4.0 to 5.4.3.

We are not done yet folks! We have one more Java vulnerability to inform you guys on. Within the Apache Tapestry versions 5.4.0 to 5.4.3, the manipulating classpath asset file URLs allow an attacker to guess the path of a known file in the classpath and, as a result, download it. This was discovered on the 16/09/19 by Thiago H. de Paula Figueiredo.

The Apache Tapestry is an open-source framework for creating web applications in Java or other JVM languages. It also complements and builds upon standard Java Servlet API and works in any application server. Apache Tapestry has a long history. It has the oldest code, dating all the way back to 2000. This has resulted in many releases; developers now concentrate on Tapestry 5 as opposed to 3 and 4. 

What is tapestry.hmac-passphrase you say? This symbol is used to configure hash-based message authentication of Tapestry data stored in forms, or in the URL. In other words, your application is less secure and therefore more vulnerable to denial-of-service attacks. Especially when this symbol is not configured.

With various techniques, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the  tapestry.hmac-passphrase configuration symbol, then they could use it to craft a Java deserialization attack, thus running a malicious injected Java code. 

Image showing a hacker guessing a file location, downloading the pass phrase and a computer showing it is has been hacked.

The recommended mitigation for this vulnerability has been suggested to upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x version. 

That is it from us…for now! Make sure to spread the word on these critically-rated Java vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so we recommend you regularly scan your code repositories for new known vulnerabilities. Don’t get caught off guard!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Java Vulnerabilities!

Why do I need Meterian? My code is secure.

This is really a good question, that many potential prospects are asking us. For most of the time the answer is easy: we can point them to hacks to the likes of Equifax, British Airways, Carphone Warehouse and so on. But what if someone believes they’re already protected?

We are already checking our code!

Yes, some of us already have a SAST solution in place, like SonarCube or Fortify, and we think we are fully protected. Some of us instead use opensource alternatives, like Spotbugs or PMD, and we also feel okay. These tools will continuously scan your developers’ source code and make sure that it’s not including any pattern that could be exploited by a malicious hacker.

On top of that, we have already secure coding in place: we use peer reviews and pair programming, so that all our code is severely scrutinized. We use a set of agreed secure coding practices, we follow detailed checklists, and we have developers trained continuously on these matters. And yes, that’s good!

But not everything is written from scratch…

When developers code, they do not write everything from scratch. Have you ever been surprised at how little time it took a piece to be delivered? Maybe, just once. And you ask how did that happen? Your developers, rightly so, dipped into the big pool of opensource and pulled a component that was able to accelerate their development, providing ready to use building blocks so that they could concentrate only on the business logic.

Those opensource components are so widely used, that in your final packaged product, up to 80% of the code is made of those components. Only a mere 20% is the carefully crafted code by your developers, where your internal practices and existing tools make a difference. But who’s checking the security of those opensource components? Well, it so happens that many people across the world checks them. This allows the components to evolve quickly. When a problem is found, either a bug or a security problem, it’s rapidly fixed and a new version of the component is released. When this becomes a security problem, often the issue is publicly reported in specific mailing lists or newsrooms dedicated to security.

How do you know an opensource component needs to be updated?

The core problem is, how do you know about all this? How does your team become aware that a certain component they use is now vulnerable, and that they need to update to a new version? How do they make sure that the code they do not write, which could account for 80% of your product, is also secure? Do you maintain a team the does these things? A team that painfully scrutinises multiple news sources, makes sure that your application does not contain a vulnerable or out of date component, alerting your developers accordingly?

This is where SCA (Software Composition Analysis) like Meterian enters the scene. These products are a natural complement to tools like SonarQube or PMD, as they check the code your team did not write. Typically running along with your build system, they will prevent your product to go live if a vulnerable component is discovered and will provide your developers the information they need to fix the problem immediately (and, in some occasions automatically). You will be able to secure 80% of the code your development teams produce without investing a fortune, without further head count, and with a minimal integration effort.

So, if you do not have a solution for your opensource components in place, it won’t hurt taking a look at Meterian: it’s an all round affordable system that will give you peace of mind about the code that developers do not write. And, by the way, it also checks component licences, but this is for another blog post 🙂

Why do I need Meterian? My code is secure.

How can your organization become more Cyber Resilient? 

Image of skyscrapers in the city with people on the top of each building. Represents the infrastructure of a company and the need to keep it cyber resilient.
Image from Free Vectors via Vecteezy.com

Cyber Resilience is demonstrating to be a very important concept within organizations’ strategies. Keeping up with the increasing investment in security is demanding investment in new technologies that can defend organizations faster. Meterian is one of them. But what really is Cyber Resilience? What does it entail? And why is it so important?

What is Cyber Resilience?

Cyber Resilience is the ability to prepare for, respond to, and recover from cyber attacks. It involves a strategic view, addressing the life cycle of data when it is created, dispersed and stored. More importantly, a cyber resilient approach will incorporate the collaboration of people, processes and technology. Careful not to confuse this concept with cyber security, which is the action of preventing an attack from happening. On the other hand, Cyber resilience is more about being persistent in your defensive strategies, to produce a preventive and reactive defense against threats and vulnerabilities.

Cyber attacks are only on the rise! According to Forbes Insights survey more than 50% of surveyed organizations have experienced at least one cyber incident in the last three years and only 27% believe that their top management understands the difference between mitigating cyber risk and working towards a more organised cyber resilient strategy. Normally, hacked victims have a better idea of how to prevent attacks as they have learnt from previous incidents. But this is no excuse for organizations to wait until the worst! Here are some steps which can boost your cyber resilience!

Identify, Protect, Detect, Respond, Recovery 


1. Identify

The first stage in adopting a cyber resilient strategy begins with the preparation and identification of the potential security risks within the framework of your organization. This involves spotting vital information and conducting assessments on vulnerabilities. Prioritising your most urgent issues will make you less appealing to attackers! Urgent issues might include securing your customers’ data such as financial credentials, passwords or emails.  Also, check how well do you understand the risks of each of the devices and digital assets identified in my company. 

What is sometimes overlooked, is the diversity needed within a team when understanding your organizations’ potential vulnerabilities. Accenture made a study which demonstrates how the immediate cybersecurity team only identified 64% of the breaches.  So involving groups beyond the cybersecurity team is vital to create a united front between IT and business. This will increase an organization’s resilience at all levels. Industry research supports this, highlighting how due to the variety of software services and devices used by users or staff, users must take responsibility to identify and act on risks. We need to make sure strong defence is across all user levels. After all, ‘Many Eyes Make All Bugs Shallow’

With identification, comes attention to detail. It is not enough to list ‘hacking’ as a risk, for this action could range from phishing to exploited databases. Without this attention to detail, organizations are vulnerable to more acute attacks. Checklists are useful practical tools to help identify the people, processes and technology within the organization needed to form an effective defense.  If you can identify these entities, then it’s easier to talk about the risks and do something about them. Review the NCSC Cloud Security Guidance which provides a framework of 14 cloud security principles for enterprises to evaluate the security of any cloud service.  The UK ICO provides a useful self-assessment checklist for SMEs to evaluate their data protection assurance. Discuss these lists with your teams to get visibility on what could be vulnerable to attacks and what the team can do to build an effective defense. 

2. Protect

Protection will help minimise chances of breaches succeeding. It will contain the impact of the attack. Develop safeguards for critical infrastructure and make sure to enforce regular checks to understand the strength of the organization’s cyber resilience. This will help keep good cyber hygiene within your organization.

People, process and technology are essential for this step. In particular, new technology solutions are important to protect infrastructure and assets. Continuously investing in upgrading and refining protective systems should become a normal cost of business. However, experts feel that these technologies are not being bought or implemented to the fullest extent. Maybe this is because cybersecurity technologies need to make business sense; they cannot work in isolation. Yet, there are many tools in place to help with the five NIST framework categories, meaning you don’t have to waste time with a platform that has things you don’t need. You can simply choose cyber security products customized to your business needs. 

Protection of the mobile workforce is also a crucial factor within cyber resilience. By controlling mobile access to the network, employees are restricted to sensitive corporate information. This ties in with monitoring and enforcing policy adherence, seeming as malicious insiders are one of the most frequent sources of cyber security breaches! There should also be regular staff training to avoid any human factors leading to an attack.

3.  Detect 

A rapid response to a cyber attack is crucial! The longer it takes the more cyber criminals can exploit your organization. For example, according to the 2019 Verizon Data Breach Investigations Report, the time of discovery tends to be months. Of course, it does depend on the type of attack in question. There is a difference between payment card compromises where discovery is based on the fraudulent use of the stolen data (taking weeks or months), and a stolen laptop. So be aware, slower detection will only make your systems more vulnerable. 

To avoid this time lag, there needs to be detection and response policies in place. These must be evaluated and updated frequently. New technologies and software are essential as we have to adapt to attackers becoming more advanced. Surprisingly, only 40% of companies are investing in areas such as AI, machine learning and automation to become more cyber resilient. Yet, we understand adopting new technology takes time. An organization will have to make sure new technology is implemented, setup and allocated accordingly to their employees. Then they can use it through training and the adoption of new policy definitions.

It might seem daunting, but if you find tools that are easy to use and set up, this will increase your organization’s agility to detect and mitigate risks faster.

4. Respond 

Create a response plan. This will help contain the impact of the attack once it has been detected. There should be a specific focus on: 

  • Who will be the single point of contact that takes on responsibility for the plan and for integrating incident-response efforts? This may be required across teams, business units and geographies, depending on the organization size and structure as well as the nature and consequence of the attack.
  • What will the incident response team look like? Which individuals are critical to involve and are there reasonable backup plans if an individual is unavailable?
  • How will relationships with key external stakeholders, such as law enforcement be maintained?
  • How will the organization work with external breach-remediation providers and experts?

These are all questions which should be coordinated amongst a Response Team, where roles should be assigned to competent members of your organization.

5. Recover 

Returning your organization back to normal after an attack can be tough. However, thinking ahead to these what-if incidents can make it easier to recover and get back to business as usual.  This is a good planning exercise for both organizations who have and haven’t suffered a cyber attack.

If your organization has suffered an attack: Was there anything missing that could have prevented the attack? What did you learn from the breach? What will you do differently next time? Or what is the organization in need of to resist a future attack? 

Having pre-defined strategies in place can help the recovery process.  For example, developing and implementing systems and plans to restore any lost data or disrupted services affected by the attack would help organizations recover systems as quickly as possible. This can be done through the use of backups, cloud storage and off-site archives. It is worrying that while most organizations perform regular backups, very few know exactly what it is they are backing up. Again, there is a need for prioritisation. What information being backed up is of most importance? And if a cyber attack occurs what information and services need to be restored first in order to return to normalcy? More importantly, this recovery plan needs to be re-evaluated and updated regularly. This will help meet any risk related aspects of an attack that an organization might encounter in the future. 

Image of work colleagues giving themselves a high five. Represents team work.
Image from Pexels.com

Put into Practice

Following these steps will help boost your cyber resilience. The combination of people, systems and technology collaborating together is vital to emphasize, as it shows a united IT and business front against cyber attacks. Yet, cyber resilience requires adaptability, so make sure complacency does not get in the way. 

  • Develop easily accessible quick-response guides for likely scenarios.
  • Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  • Document response plans, update them regularly and make them available to the entire organization. 
  • Make sure all staff members understand their roles and responsibilities in the event of a cyber incident.
  • Train, practice, and run simulated breaches to develop response “muscle memory”, increase individuals’ awareness and fine-tune the organization’s response capabilities.

Be flexible, be proactive and cultivate cyber resilience.

How can your organization become more Cyber Resilient? 

Treasure your Ruby apps? Protect from unauthorised access immediately

5min read

Image of thief climbing out of laptop shining flashlight on Ruby icon, titled Vulnerability Focus: Ruby.

It’s that time of the week people. Meterian is back with information on a brand new set of vulnerabilities! We once again turn our heads to focus on two Ruby vulnerabilities. The first being found within the Ruby makandra consul gem, and the second being located within the Airbrake Ruby notifier 4.2.3. Both these open-source vulnerabilities are given a 9.8 severity score on NVD, so don’t waste any time –  read up, you could be affected!

  • CVE-2019-16377 The Ruby makandra consul gem for all versions prior to and including 1.0.2 has an Incorrect Access Control vulnerability. This can lead to unauthenticated access to certain controller actions.
  • CVE-2019-16060 The Airbrake Ruby notifier version 4.2.3 mishandles the blacklist_keys configuration option and may therefore may therefore disclose passwords to unauthorized actors.

CVE-2019-16377

Vulnerability Score: 9.8

Platform: Ruby

Component: consul gem

Affected Versions: <= 1.0.2

Yes, you heard right. A vulnerability has indeed been detected within the Ruby makandra consul gem for all versions prior to and including 1.0.2. It was discovered by Toby Craze (github id:kratob) on 23/09/19. We are afraid to be the bearer of bad news, but this serious security flaw will affect an unknown function of the component Access Control.

A little context: makandra has been working exclusively with Ruby on Rails since 2007. They are a team of Ruby developers and Linux system engineers based in Germany. Makandra are constantly using open-source software and security patches are applied to the systems they use on a weekly basis. During this time, it has successfully delivered more than 100 Rails projects on more than 90 servers, indicating the amount of users that are at risk of this security flaw. This security issue is located within the consul. For those who don’t know, the consul gem is an authorisation solution for Ruby on Rails and it uses scopes to control what a user can see or edit.

So what is the problem? When a controller has multiple power directives, the ‘:only’ and ‘:except’ of the last directive is applied to all directives. By sending a specially-crafted request, this can lead to an attacker gaining unauthorized access to certain controller actions. With the manipulation of an unknown input, comes a privilege escalation vulnerability. Unfortunately, the impact is negative on confidentiality, integrity and availability. Below is what the affected code would look like.

https://github.com/makandra/consul/issues/49

In this example of code, the powers ‘:foo’ and ‘:bar’ are only checked for the #index action. The other actions were left unprotected by powers checks.

The solution is simple. Upgrade to the latest version of the makandra consul gem (1.0.3. or later), which is available from the consul GIT Repository. or via rubygems. Act fast to get rid of this security bug from your codebases and apps! You could be affected!

CVE-2019-16060

Vulnerability Score: 9.8

Platform: Ruby

Component: airbrake-ruby gem

Affected Versions: 4.2.3

Attention Ruby users! The Airbrake Ruby notifier 4.2.3 has mishandled the blacklist_keys configuration option which could result in a very real threat of sensitive data being disclosed to unauthorized actors (e.g password or credentials dumping). What are blacklist_keys? This specifies which keys in the payload should be filtered. Before sending an error, filtered keys will be substituted with the [Filtered] label.

Image of computer, displaying a undisclosed User Name and Password credentials. They are being fished with by a hook. This symbolises the access to sensitive data.
Image from https://www.howtogeek.com/343947/how-to-check-if-your-password-has-been-stolen/

Airbrake is a plain Ruby notifier gem that is used for integrating apps with Airbrake; it is the leading exception reporting service which provides minimalist API, enabling the notifier to send any Ruby exception to the Airbrake dashboard.  An exception is an event occurring during the execution of a program that disrupts the normal flow of the program’s instructions.  When an uncaught exception occurs, Airbrake could potentially release data to the Airbrake server.

The Airbrake dashboard provides easy categorization, searching, and prioritization of exceptions so that when errors occur, your team can quickly determine the root cause – this allows users to easily review errors, tie an error to an individual piece of code, and trace the cause back to recent changes.

So, what is the problem you say? A data-breach vulnerability–this is due to the mishandling of the blacklist_keys configuration option–within Airbrake Ruby 4.2.3 prevents user data from being filtered prior to sending to Airbrake. In other words, the vulnerability allows a remote attacker to access sensitive information on a targeted system. This compromised data could be user passwords or card payment details, which means an app could leak them  unknowingly; if left untreated, this could very well be the fatal zero-day vulnerability for a business or organization. 

To fix this vulnerability, users must upgrade to 4.2.4 or after. But hurry, as you might be at risk of attackers leaking important confidential data!

That is it for this round folks! Make sure to spread the word on these critically-rated Ruby vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Treasure your Ruby apps? Protect from unauthorised access immediately

Vulnerability Focus: PHP

5min read

Image of thief climbing out of laptop shining flashlight on PHP icon, titled Vulnerability Focus: PHP.

Listen up, app sec community – Meterian has an exciting update! We have a new addition to our family of languages for which our vulnerability scanning solution operates on. Drumroll please… it’s PHP. This means another layer of defense for your apps’ open-source dependencies to  shield them against malicious exploits. To commemorate this special day, we have written on 2 high-priority PHP vulnerabilities which will undoubtedly make an interesting read!

  • CVE-2019-9081 A vulnerability in the Illuminate component of Laravel Framework 5.7.x. could result in a remote cyber attack impacting confidentiality, integrity and availability in the process of web development.
  • CVE-2019-14933 A CSRF vulnerability in the Bagisto framework v0.1.5 could lead to attackers removing or manipulating important functionalities which will cause mass denial of services within an application.

CVE-2019-9081 

Vulnerability Score: Critical––9.8 (CVSS v3.0)

Platform: PHP

Component: laravel/laravel

Affected versions: 5.7.0 – 5.7.27

Attention to all PHP programmers! Read up, this is important stuff. On the 24/02/19, a vulnerability was found in the Illuminate component of Laravel Framework 5.7.x., a PHP development framework based on PHP 7.1.3. The severity of the threat is understood when seeing that 107,933 live websites use Laravel. It is also said to be the most popular web app category in the United Kingdom. This demonstrates the scale of potentially affected users, and why action needs to be taken quickly to avoid security flaws. 

A graph depicting the rise in Laravel Usage Statistics. The statistics range from the years 2013-2019.
Laravel Usage Statistics: https://trends.builtwith.com/framework/Laravel

The vulnerability is related to the __destruct method of the PendingCommand class in PendingCommand.php. It is a deserialization RCE (Remote Code Execution) vulnerability originating from a laravel core package and has shown to be triggered as long as the deserialized content is controllable. The access vector was through the network.

So what is the threat? In regards to CWE-502, when developers place restrictions on ‘gadget chains’ and method invocations that can self-execute during the deserialization process, this can allow attackers to leverage them to make unauthorized actions. For example, generating a shell. Manipulation with an unknown input leads to a privilege escalation vulnerability (code execution). Therefore, this vulnerability could have a negative impact on confidentiality, integrity and availability. Even worse, an attack can be initiated remotely with no form of authentication needed for exploitation. 

It is suggested to upgrade the laravel framework to version 5.7.27 or higher as soon as possible. So don’t waste any time! Or risk being vulnerable to potential cyber attacks!

CVE-2019-14933

Vulnerability Score: High — 8.8 (CVSS v3.0)

Platform: PHP

Component: bagisto

Affected versions: 0.1.5

Bagisto is a tailored e-commerce framework designed on some of the hottest open-source technologies such as Laravel, a PHP framework.  It cuts down on the resources needed to deploy an e-commerce platform (i.e. building online stores or migrating from physical stores). 

Alas, we regret to be the bearer of bad news. Version 0.1.5 of Bagisto has been found to contain a cross-site request forgery (CSRF) vulnerability which could result in client side manipulation that forces end users to execute unwarranted commands on a web application for which they are currently authenticated.  It should be noted that this compromised version allows for CSRF attacks under certain conditions, such as admin Uniform Resource Identifiers (URIs).  This CSRF vulnerability manipulates authenticated users’ browsers to send forged HTTP requests, including cookie sessions to exposed web applications. 

Here is some background information on the nature of CSRF attacks. Unlike remote code execution or command injection attacks, CSRF attacks specifically target state-changing requests as opposed to misappropriation of restricted data. Nonetheless, unauthorised state-changing requests can be equally bad; with the help of social engineering tactics (i.e. sending unwarranted links via email or chat support), attackers may trick end users into executing unsanctioned commands of the attackers’ choice. A successful CSRF attack could lead to vexing situations whereby attackers coerce end users into performing fund transfers, email address changes, and so forth. Furthermore, CSRF attacks can go as far as compromising entire web application systems upon gaining access to an administrator account.

In this context, hackers can trick end users by sending requests (i.e phishing emails) to lure them to open and display some apparently innocuous content in a new tab on the browser, which in turn, prompts it to execute the hidden malicious script, than can operate on behalf of the user.

This is a graphic illustrating the play-by-plat on how attackers can exploit the vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform.
How attackers can exploit Bagisto open-source vulnerability

 The graphic above illustrates the play-by-play on how attackers can exploit this vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform. 

In Step 1, the user first logs into the Bagisto admin page panel and subsequently  accesses a seemingly innocuous website on another tab in the user’s browser. This website contains a malignant script (placed by the hacker), and the action of accessing this tab will lead to Step 3 where the script will be executed; the browser is instructed by said script to perform any possible harmful action on behalf of the user in Step 3. This course of user action culminates in Step 4 with the server executing the requested malicious actions, such as deleting data on the admin panel.

Nonetheless, affected users will be glad to know that all versions of Bagisto following v0.1.5 are untouched by this CSRF vulnerability. So, there you have it – update your application to the latest version of the Bagisto framework at the soonest to avoid further exposure!

Spread the word on these vulnerabilities and their fixes to help us improve application security all-around. In any case, you can certainly expect more engaging reads on PHP in the near future. Until then!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: PHP