Biz & IT
Slack pledges update to “Connect DM” after realizing harassment exists

Shadowy Slack usage.

Ubiquitous work-chat platform Slack this morning rolled out a new feature, Connect DM, that allows users to send direct messages to people they don’t work with. Hours later, the company is already saying “our bad” and promising an update after users demonstrated almost immediately how easy it is to use Connect DM to abuse or harass others.

Slack first rolled out Slack Connect last year, which allowed for companies to create channels shared between multiple Slack servers to facilitate business operations. Basically, if you work for Widget Film Production Inc. and you are collaborating on a project with Venue Studio Corp., Widget employees and Venue employees can both join a shared Slack channel to discuss location scouting for their upcoming project.

Today, however, Slack added a feature that allows anyone in the world with a paid account to send a direct message request to any other Slack user in the world (even if they do not have a paid account). Ilan Frank, Slack’s VP of product, told tech news site Protocol that Slack is deliberately positioning itself to become the chat platform of choice for the business world. “When someone opens up their phone, if they’re connecting with their friends, they click on Facebook or WhatsApp,” Frank said. “If they’re connecting with someone they work with, regardless of where that person works, they should be clicking on Slack.”

Slack appears to have considered the possibility that some bad actors might use its platform for harassment—but it doesn’t appear to have thought about that potential very hard or for very long. Connect DMs are indeed opt-in, in that you have to accept a request from someone before you can interact with them. There’s a giant loophole there, however: the user making the “invitation” gets to send a message of up to 560 characters to their targeted recipient, and Slack emails the recipient the full body of that message.

I used the Ars Technica Slack server to send a dummy invitation to my personal email address to demonstrate:

As others have noted, recipients who receive abusive, harassing, or threatening messages also cannot easily block a specific sender, because Slack sends the notifications from a generalized master inbox.

Following the widespread Twitter and media attention, Slack this afternoon acknowledged the gaping flaw in its process—the customizable invitation text—and promised to amend it.

“After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages,” the company said in a statement. “We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

Biz & IT

Verizon is automatically enrolling customers in a new version of a program that scans mobile users’ browser histories—even when those same users previously opted out of the program when it had a different name.

The carrier announced changes to its “Verizon Selects” program along with a new name a few days ago. “Verizon Custom Experience Plus is the new name of our Verizon Selects program,” Verizon said in an FAQ. Verizon is ignoring the previous opt-out preferences for at least some customers by enrolling them in “Custom Experience,” which collects browser and app-usage history but doesn’t use device location data and other personal information collected in “Custom Experience Plus.”

Verizon says it does not sell the information collected in either version of Custom Experience and that the program “no longer supports third party advertising.” But Verizon does share the data with “service providers who work for us” and says it uses the data to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services, and offers that are more appealing to you. For example, if we think you like music, we could present you with a Verizon offer that includes music content or provide you with a choice related to a concert in our Verizon Up reward program.”

How to opt out (again)

Privacy-conscious users will likely want to opt out using the instructions provided by Verizon or in this article. To opt out, go to your Verizon account privacy preferences page. Scroll down a bit and you’ll see options to “Manage Settings” for both Custom Experience and Custom Experience Plus. You can also try this link to go directly to the Custom Experience settings, or you can select “Manage privacy settings” in the “My Verizon” mobile app.

In either the website or the mobile app, the options to manage settings will let you opt into or out of the two versions of the Custom Experience program. You can also delete any browsing and location data history that Verizon previously collected by clicking “Reset.” Additionally, account owners can use the Verizon website to block Custom Experience enrollment for specific phone lines.

Verizon customers have good reason to be wary of the carrier’s privacy practices. The Federal Communications Commission last year found that “Verizon apparently disclosed its customers’ location information, without their consent, to a third party who was not authorized to receive it.” The commission proposed a fine of $48 million. In 2016, Verizon agreed to pay a $1.35 million fine for inserting “supercookie” identifiers into customers’ mobile Internet traffic without users’ knowledge or consent.

In 2017, then-President Donald Trump and the Republican-controlled Congress blocked implementation of FCC privacy rules that would have required home-Internet and mobile broadband providers to get consumers’ opt-in consent before using, sharing, or selling browser history, app-usage history, and other private information.

Opted out? “You will still be included”

Verizon has been sending emails to customers notifying them about the program changes. There are different versions of the email, one of which states that Verizon is ignoring previous opt-out preferences in cases where people “recently opted out.” That email, which was forwarded to Ars by a Verizon customer named Jordan Hirsch, says:

As a Verizon Selects participant, you will automatically be included in the Custom Experience Plus and Custom Experience programs.

If you recently opted out of participating in Verizon Selects, you will still be included in the Custom Experience program unless you opt out.

Hirsch also tweeted a screenshot of the email he received from Verizon. The Verizon email Hirsch received did not state a specific time frame for the “recently opted out” phrase. We contacted Verizon today and asked for that detail and asked why Verizon is enrolling people who previously opted out of the same program before the program’s name was changed. We’ll update this article if we get any answers.

The Verizon FAQ does not include the “recently opted out” language and instead makes it sound like all customers may be enrolled in Custom Experience (the non-Plus version) regardless of previous opt-out status:

You will be part of the Custom Experience program unless you opt out. You can opt out using the privacy preferences page on the My Verizon site or the privacy setting page within the My Verizon app.

You must opt in to the Custom Experience Plus program to be a part of it unless you are already participating in Verizon Selects. Verizon Selects participants will automatically be included in the renamed program.

I am also a Verizon customer and got a notification email from the company today. Although I am 99.9 percent sure I opted out of Verizon Selects years ago, the email I received said, “You’re in control: You will be part of Custom Experience unless you opt out.”

Biz & IT

Microsoft seizes domains used by “highly sophisticated” hackers in China

Computer chip with Chinese flag, 3d conceptual illustration.

Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft has dubbed Nickel, has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks—against government agencies, think tanks, and human rights organizations in the US and 28 other countries—were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but not out

Late last week, Microsoft sought a court order to seize websites Nickel was using to compromise targets. The court, the US District Court for the Eastern District of Virginia, granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it is diverted away from Nickel’s servers and to Microsoft-operated servers, which can neutralize the threat and yield intelligence about how the group and its software work.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the company’s corporate vice president of Customer Security & Trust, wrote in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Targeted organizations included those in both the private and public sectors, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. Often, there was a correlation between the targets and geopolitical interests in China.

Targeted organizations were located in other countries including Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.

Names other security researchers use for Nickel include “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT,” and “Playful Dragon.”

More than 10,000 sites taken down

Microsoft’s legal action last week was the 24th lawsuit the company has filed against threat actors, five of which were nation-sponsored. The lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and almost 600 sites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 sites that hackers had planned to use in attacks.

In these suits, Microsoft has invoked various federal laws—including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law—as a way to seize domain names used for command-and-control servers. Legal actions led to the seizure in 2012 of infrastructure used by the Kremlin-backed Fancy Bear hacking group as well as nation-sponsored attack groups in Iran, China, and North Korea. The software maker has also used lawsuits to disrupt botnets with names such as Zeus, Nitol, ZeroAccess, Bamital, and TrickBot.

A legal action Microsoft took in 2014 led to the takedown of more than a million legitimate servers that relied on No-IP.com, leaving large numbers of law-abiding people unable to reach benign websites. Microsoft was bitterly castigated for the move.

VPNs, stolen credentials, and unpatched servers

In some cases, Nickel hacked targets using compromised third-party VPN suppliers or stolen credentials obtained through spear-phishing. In other cases, the group exploited vulnerabilities in on-premises Exchange Server or SharePoint systems for which Microsoft had released patches that victims had yet to install. A separate blog post published by Microsoft’s Threat Intelligence Center explained:

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.

NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.

Nickel hackers have also used compromised credentials to sign into targets’ Microsoft 365 accounts through normal logins with a browser and the legacy Exchange Web Services protocol. The activity allowed the hackers to review and collect sensitive emails. Microsoft has also observed Nickel successfully signing in to compromised accounts through commercial VPN providers and actor-controlled infrastructure alike.

The latter blog post provides suggestions for warding off attacks from Nickel as well as indicators admins can use to determine if they have been targeted or compromised by the hacking group.

Biz & IT

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks


Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.

Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Abusing trust

One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.

Almost instantly, the hackers could intrude into the networks of all of those entities. It would be similar to a burglar breaking into a locksmith’s premises and obtaining a master-key that opened the doors of every building in the neighborhood, sparing the hassle of having to jimmy open each lock. Not only was Nobelium’s method scalable and efficient, it also made the mass compromises much easier to conceal.

Mandiant’s report shows that Nobelium’s ingenuity hasn’t wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack—one called UNC3004 and the other UNC2652—have continued to devise new ways to compromise large numbers of targets in an efficient manner.

Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.

“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” Monday’s report said. “The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise.”

Advanced tradecraft

The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and ingenuities included:

  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot, an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed UNC3004 and UNC2652 to compromise targets even when they didn’t use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with “application impersonation privileges,” which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicion.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an Active Directory stored in a target’s Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what’s known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.
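One defensive check that follows from the Golden SAML bullet above, added here as an example and not taken from the Mandiant report: a token forged with a stolen signing key is never minted by the identity provider, so sign-ins accepted by a federated service can be correlated with the IdP's own issuance records, and any accepted token with no issuance event, a different subject, or an MFA claim the IdP never performed stands out. The log formats, hostnames, and assertion IDs below are constructed assumptions, not real AD FS or Azure AD schemas.

```python
import json

# Constructed sample records (not from the Mandiant report). Assumed shape:
# the IdP (e.g. AD FS) logs one line per SAML token it mints, and the
# federated service logs one line per token it accepts, including the
# assertion ID and the MFA claim carried inside the token.
IDP_ISSUANCE_LOG = """\
{"assertion_id": "_a1f3", "user": "alice@example.test", "mfa": true}
{"assertion_id": "_b77c", "user": "bob@example.test", "mfa": false}
"""

SP_SIGNIN_LOG = """\
{"assertion_id": "_a1f3", "user": "alice@example.test", "issuer": "sts.example.test", "mfa_claim": true, "src": "203.0.113.7"}
{"assertion_id": "_b77c", "user": "bob@example.test", "issuer": "sts.example.test", "mfa_claim": true, "src": "203.0.113.9"}
{"assertion_id": "_9e0d", "user": "admin@example.test", "issuer": "sts.example.test", "mfa_claim": true, "src": "198.51.100.4"}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspect_saml_signins(idp_log, sp_log, trusted_issuer):
    """Return (assertion_id, reason) for every accepted token that the IdP
    does not fully account for. A signature check alone cannot catch a
    forged token, because the stolen key produces a valid signature; the
    IdP's issuance log is the independent record the forger cannot write."""
    issued = {rec["assertion_id"]: rec for rec in parse_jsonl(idp_log)}
    findings = []
    for s in parse_jsonl(sp_log):
        if s["issuer"] != trusted_issuer:
            continue  # tokens from other issuers are outside this check
        rec = issued.get(s["assertion_id"])
        if rec is None:
            # Accepted by the service, never minted by the IdP: the core
            # Golden SAML signal.
            findings.append((s["assertion_id"], "no matching IdP issuance event"))
        elif rec["user"] != s["user"]:
            findings.append((s["assertion_id"], "subject differs from issued token"))
        elif s["mfa_claim"] and not rec["mfa"]:
            # A forged token can carry any claims, including MFA; the IdP's
            # own record says no second factor was ever performed.
            findings.append((s["assertion_id"], "token claims MFA the IdP did not perform"))
    return findings


if __name__ == "__main__":
    for aid, why in find_suspect_saml_signins(IDP_ISSUANCE_LOG, SP_SIGNIN_LOG, "sts.example.test"):
        print(f"suspect assertion {aid}: {why}")
```

In production the same correlation is done by joining the IdP's token-issuance audit events against the cloud tenant's sign-in logs on the assertion identifier, with a lag window to allow for log delivery delay.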