TV Equipment Used To Eavesdrop On Sensitive Satellite Communications – Disposable mail news

With just £270 ($300) of home television equipment an Oxford University-based security researcher caught terabytes of real-world satellite traffic including sensitive information from “some of the world’s largest organizations.”

The news comes as the number of satellites in orbit is expected to grow from around 2,000 today to more than 15,000 by 2030.

James Pavur, a Rhodes Scholar and DPhil student at Oxford will detail the attack in a session at the Black Hat security conference toward the beginning of August.

Pavur will also demonstrate that, “under the right conditions”, attackers can easily hijack active meetings over the satellite link, according to the session overview.

While full details of the attack won’t be uncovered until the Black Hat conference, a 2019 conference paper published by Pavur gives a ‘sneak peek’ into a small part of the challenges of security in the satellite communications space.

It seems to all come down to the absence of encryption in transit for satellite-based broadband communications.

The May 2019 paper (“Secrets in the Sky: On Privacy and Infrastructure Security in DVB-S Satellite Broadband”) notes:

“Satellite transmissions cover vast distances and are subject to speed-of-light latency effects and packet loss which can impair the function of encryption schemes designed for high-reliability terrestrial environments (e.g. by requiring re-transmission of corrupted key materials). Moreover, satellites themselves are limited in terms of computing capabilities, and any on-board cryptographic operation risks trading off with other mission functionality.”

It also describes how part of the eavesdropping was carried out using a “75 cm, flat-panel satellite receiver dish and a TBS-6983 DVB-S receiver….configured to receive Ku-band transmissions between 10,700 MHz and 12,750 MHz”.

Pavur grabbed sensitive communications using tools costing less than $300, including a Selfsat H30D Satellite Dish, a TBS 6983 Satellite PCI-E, and a three-meter coaxial cable.

Pavur focuses on the Digital Video Broadcasting-Satellite (DVB-S) and DVB-S version 2 (DVB-S2) protocols, which transmit data in MPEG-TS format.

The paper includes: “A collection of Python utilities… was used to analyze each of these transponders for signs of DVB-based internet transmissions.”

The 2018 experiment notes that, through manual review of the intercepted traffic, the researchers identified “[traffic] flows associated with electrical power generation facilities”.

“Vulnerable systems administration pages and FTP servers were publicly routable from the open internet. This means that an attacker could sniff a session token from a satellite connection, open a web browser, and log in to the plant’s control panel…”

Alongside further details on the attack, Pavur will also present at Black Hat an “open-source tool which individual customers can use to encrypt their traffic without requiring ISP involvement.”


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

How encryption can help protect your sensitive data – 10 minute mail

Here’s how encryption can help keep your data safe from prying eyes – even if your device is stolen or your cloud account is hacked

You probably store all kinds of sensitive information on your personal computer – or your smartphone, for that matter. For good measure, you may even store your data in the cloud. And like the responsible netizen that you are, you’ve probably secured access to your devices with a passphrase, a biometric lock or even a combination of both. That’s all well and good, but what if you lose your device or it is stolen? That’s where encryption comes in, adding an extra safeguard.

To be sure, encryption isn’t just limited to storing your data; you can also encrypt your communications and your web traffic, as well as your passwords. All of these can be considered best practices to secure your private data, and we’ll walk you through some of the choices you have.

Disk encryption

Most computers still have removable hard disks that aren’t soldered onto the motherboard; alternatively, as extra storage, people use external disks. That’s why having full-disk encryption is a great extra security layer; if you misplace your disk or it is stolen, then no one can access any of the information on it. The disk is fully encrypted, including all your data, your software and the operating system you’re running. Unless you can enter the key at boot-up, your whole computer essentially becomes quite an expensive paperweight. There are several commercial options with advanced features, open source projects and built-in options in most major operating systems.

When it comes to smartphones and tablets, the equivalent functionality to look for is device encryption, which is built into, and commonly enabled by default on, contemporary devices. There are many easily found online guides that explain how to check for and, if necessary, enable device encryption on Android or iOS devices.

Cloud encryption

Most of us use cloud storage for its ease of access – you can do it from anywhere at any time so long as you have an internet connection. Unfortunately, that accessibility introduces its own set of challenges. Over the years, cloud storage services have experienced security breaches, either due to human error or targeted attack by ne’er-do-wells. Therefore, encrypting your files before uploading them to the cloud should be a no-brainer.

Even if there is a breach or the cloud provider’s system is compromised, the data bad actors may obtain will be useless to them without the decryption key. You can choose from a variety of products based on your needs and the offered encryption features. Look at those that offer AES encryption at the very least. There are a number of free and commercial options, all with various limitations and a range of price options among the paid-for products and services.

Encrypt your web traffic

One of the easiest ways to start is by setting up a Virtual Private Network (VPN), which works as an encrypted tunnel for internet traffic. Let’s say you’re working from a coffee shop and you are going to share some sensitive data with a client: a VPN will allow you to share that data over an encrypted connection without anyone intercepting it. Another example is that you can securely access data stored on your home network even if you are physically on the other side of the globe. There are multiple types of VPNs to choose from and, if you’re not sure which one will suit your needs best, you can check out our article on types of VPNs.


Another way to protect your privacy involves using an anonymity network, such as Tor. The Tor network directs your traffic through a volunteer overlay network of relays and wraps it in multiple layers of encryption. The idea is, of course, to protect your identity and your browsing habits from anyone snooping around.

Another thing you should also always watch out for is that the website you’re accessing uses the HTTPS protocol. The S stands for secure and means that all the communication taking place between the visitor (you) and the webserver is encrypted. Most of the world’s top websites now use HTTPS by default.

Encrypt your messages

When it comes to messaging apps, you have a variety to choose from and while the most popular do offer end-to-end encryption, not all of them have it turned on by default. For example, to turn on end-to-end encryption in Facebook Messenger you have to start a secret conversation by clicking on the profile picture of the user and choosing “Go to secret conversation”; only after that do your messages with that specific recipient become encrypted. WhatsApp, for one, has the option turned on by default; so does Telegram, but it also provides an extra layer of security with its Secret Chat feature, which allows you to set self-destruct on the messages and files you send.

Signal remains one of the most highly rated options by cryptographers, due to its open-source code allowing extensive examination and easy auditing by area specialists. You can also encrypt your email communications as well, with the sender needing your public key to encrypt a message, so that only you can decrypt and read it using your private key, and you needing their public key so they can decrypt encrypted messages you send to them. Again, there are several options, with the most common being PGP or GPG, and S/MIME. There are several plug-ins for, or built-in options in, popular email apps. For example, Microsoft provides a handy guide on how to enable S/MIME in its Outlook email client.

Also worth considering is using a secure email platform, such as ProtonMail and others, that provides end-to-end email encryption. Some are “closed shop” in that you can only send encrypted emails to others using the service and “ordinary” emails to those with other providers, while some provide mechanisms to exchange encrypted messages regardless of the mail service of your interlocutors.

Encrypt your passwords

Password managers are a popular choice for people who don’t want to (or can’t) memorize all their passwords while refraining from recycling them. A password manager functions as a vault that stores all of your passwords: it is secured like a bank vault is, but in this case, it uses fiendish mathematics instead of steel-reinforced concrete.

Most of the cloud-based services keep a copy of your vault on their servers protected with heavy-duty encryption, and, for an extra layer of security, allow their users to use multi-factor authentication (MFA). It is a much more secure way to store your passwords than on sticky notes or docs in your computer or even using a one-password-fits-all solution.

Final thoughts

Although at first glance the number of things you can do to secure your digital existence may seem a bit overwhelming, you should never underestimate the value of good cybersecurity measures. As the old saying goes, an ounce of prevention is worth a pound of cure, and in the digital world that goes double. A responsible approach to securing your data today can save you from a huge migraine in the future.



Amer Owaida



Gehaxelt – How WordPress Plugins Leak Sensitive Information Without You Noticing – 10 minute mail

Sebastian Neef (@gehaxelt) is an IT security freelancer and a top contributor from the Disposable mail Crowdsource community. In this guest blog, he looks at ways WordPress plugins leak sensitive data in the wild:

Guest blog post from Crowdsource hacker gehaxelt

The OWASP Top 10 puts Sensitive Data Exposure in 3rd place among the most common web security issues. In this blog post we will have a look at sensitive data exposure that you might not be aware of.

WordPress is probably one of the most used Content Management Systems out there. The vast number of available WordPress plugins certainly plays a huge role, as it allows your WordPress blog to become a full-fledged online shop (e.g. WooCommerce). But relying on 3rd-party plugins to customize your blog or shop comes with certain security risks. There are no restrictions on who can publish a plugin on wordpress.org, so the code quality, and therefore security, can vary a lot.

I have analyzed how the most popular WordPress plugins leak information with remediation tips so you can continue using WordPress in a more secure way. 

This research was part of my attempt to get some more valid submissions to the Disposable mail Crowdsource platform, so my focus was only on the top-ranking WordPress plugins. To qualify as a valid submission for Disposable mail Crowdsource, the vulnerable plugin needs to have at least 300,000 active installations and the issue needs to be exploitable remotely without any form of authentication. At least for the information disclosure, the criteria were met for the following plugins:

* A module for this plugin was not implemented due to an increased request complexity.

Taking all installation counts from the above list together and assuming that one installation equals one website, we end up with about 19 million websites that are potentially affected by an information leak issue.  

Let’s first have a look at what kind of information is leaked by those plugins. I think there are three categories of leaked data, which also seem to match certain CWE (Common Weakness Enumeration) categories:

    • Credentials (CWE-200: Information Exposure)
    • Personal Identifiable Information (PII) (CWE-359: Exposure of Private Information (‘Privacy Violation’))
    • System Information (CWE-215: Information Exposure Through Debug Information)

Credentials

From the attacker’s perspective, gaining access to credentials is the jackpot. It might allow them to obtain usernames, passwords or API keys that could be used to escalate their privileges. A WordPress administrator account is allowed to edit themes or plugins, thus gaining remote code execution is trivial. Leaked API keys are no better, because they might allow the attackers to abuse them, gain unauthorized access or just create huge financial damage.

Here’s a list of things that fall into this category and that I’ve seen leaked:

    • Passwords to protected posts
    • Backup files or zips
    • SMTP credentials

Personal Identifiable Information (PII)

The next level in the hierarchy is, in my opinion at least, personal identifiable information. Especially in 2020, with the new digital information processing laws and GDPR, it might become a company’s nightmare, due to hefty fines, if customers’ PII becomes public. For that reason, I was even more surprised to find several plugins leaking the following customers’ or users’ data:

    • Names
    • Email addresses
    • Usernames

System Information

The third category comes down to the remainder of information about the system running WordPress or its configuration. Most of the following types might not have direct, critical security implications, but could still give the attacker useful information for more sophisticated exploitation chains. Most of the WordPress plugins were leaking the following information:

    • Internal host names 
    • Database tables, SQL queries
    • Security logs
    • Full path disclosures
    • File names
    • Software versions (OS, PHP, MySQL, WordPress)
    • PHP Configuration (safe_mode, memory limits, execution limits, etc)

So far we have discussed which plugins leak information and what kind of information is leaked, but we haven’t looked at how this information is potentially exposed to attackers.

At the core, the issue lies within WordPress’ file permission scheme, which states that the wp-content/ folder should be writable, because some plugins might need write permissions there. Depending on how security-conscious you or your WordPress administrator are, the whole wp-content/ might have full rwx permissions, and therefore most plugins choose to create directories and files there.

This is not a problem by itself, but becomes one as soon as some plugins begin to create log files with the above discussed information that the web administrator does not know about. Plugin developers are not guaranteed a writable “data” folder outside the document root, where they could securely store such log files containing sensitive information in a non-volatile way. PHP’s sys_get_temp_dir could be an option, because it is system agnostic (not everyone runs Linux), but it might not offer persistence. The latter is pretty important for log files. Therefore, most plugin developers opt for a folder that they can assume to be writable on most WordPress installations as this stackoverflow thread suggests:

    • wp-content/uploads/
    • wp-content/*

The former works in most cases, because files uploaded through WordPress’ media library end up there, so it is writable to not break core functionality. The latter includes all subfolders, such as wp-content/plugins/ or wp-content/themes, if the administrator wants to easily install new plugins or edit themes.  

If you are a security-minded person and you are running a WordPress instance, now is the time to ask yourself if you have reviewed the source code of all active plugins, or did you simply install a plugin, because someone needed it to change the website’s functionality? You should review your plugins, but first continue reading to know what you should look for.

I have noticed two different patterns that developers use to create log files, and only one of them has basic security principles in mind. However, both approaches become ineffective security-wise once the administrator forgets to properly configure the web server. Therefore, we cannot put all the blame for leaks onto the WordPress plugin developers, but we need to reinforce basic security principles at all times.

Static file paths

Developers are not naturally security experts, and often they focus on building solutions that work. There is nothing easier than using WordPress’ wp_upload_dir() or WP_CONTENT_DIR to obtain the path of a writable folder and appending a plugin-specific suffix.

Here is a list of example paths:

/wp-content/all-in-one-seo-pack.log
/wp-content/uploads/mc4wp-debug.log
/wp-content/uploads/wp-google-maps/error_log.txt
/wp-content/plugins/ewww-image-optimizer/debug.log
/wp-content/plugins/all-in-one-wp-migration/storage/error.log
/wp-content/plugins/all-in-one-wp-migration/storage/import.log
/wp-content/plugins/all-in-one-wp-migration/storage/export.log
….

Let’s recall that the wp-content/ folder lives in the DocumentRoot and is accessible from the internet, thus all the files within it are usually accessible, too. This makes it trivial for an attacker to access those log files and their content by navigating to the well-known paths.

Random file names

A good portion of the plugins implemented their logging functionality with more security in mind. By adding a random portion to the file name, it cannot be requested directly without knowing the random part.

Depending on the implementation, the portion’s randomness varied greatly:

    • an incremented 6-digit number (not really random)
    • a randomly generated string
    • a cryptographic hash (MD5 or SHA)

/wp-content/cache/log/000000/dbcache.log
/wp-content/logs/newsletter/antibot-2018-09-87agc333.txt
/wp-content/uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log
….

To a developer, this approach might look pretty robust and secure, but it disregards the fact that administrators also play a role. Given that WordPress is an entry-level CMS, it might be set up and operated by novice administrators, who just followed a tutorial “to make things work”.

The file name randomization is instantly defeated if the administrator (accidentally) forgets to turn off “directory listing” on their web server. In such a case, an attacker just needs to browse to the respective folders to get a list of the random file names. 

index of /wp-content/uploads/wc-logs

While working on this topic, I have found several examples of such misconfigured web servers on the internet. It is not just a hypothetical scenario. 

If you have made it this far, you might be asking yourself how I discovered all those log file disclosures. I will happily answer this question in this section, so that you can review your own plugins. There were basically three approaches to this topic:

    • Find existing files
    • Review the plugins’ source code
    • Use a search engine

While the first method did not show anything interesting in particular, the second one was the most fruitful, but also the most time-intensive. There were over 115 plugins to review, so naturally I could not invest the time to do a thorough in-depth source code review, but rather took some shortcuts and educated guesses. Last but not least, I used search engines to discover files that I might not have seen with the two methods before. 

Let’s have a look at them in detail. 

Find-ing existing files

find is a small Linux command line tool to quickly find files or directories in a file system hierarchy. After installing some plugins, I ran it on my test WordPress instances like this:

$> cd path-to-wordpress/wp-content/
$> find . -type f -name '*log*' -ls
$> find . -type f -name '*txt*' -ls
987828	4 -rw-r--r--   1 gehaxelt gehaxelt  	229 Feb  9  2018 ./sc_cache.txt

This showed me a few files containing log or txt, thus matching either of the two regular expressions. It is by far the most efficient method to check if such files exist on your web server. If you are administering any WordPress instances, take a note and check your web servers after you have finished reading.
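An added example, not from the post: a small PHP script that does the same sweep over a local wp-content/ copy, but additionally records, for every log-like file, whether its name carries a random-looking token and whether its folder contains an index.php or .htaccess. The file name heuristics and the risk labels are my own assumptions, not the post’s.

```php
<?php
// Added example (not from the post): audit a wp-content/ tree for log-like files that a
// web server would hand out on request, and note which safeguards their folder has.
// Run with: php audit-wp-logs.php /path/to/wp-content   (assumes a local, readable copy)

declare(strict_types=1);

/** Heuristic: does this file name look like something a plugin logs into? */
function looks_like_log(string $name): bool
{
    return (bool) preg_match('/(?:\.log|\.txt|\blog\b|debug|error_log)/i', $name);
}

/** Heuristic: does the base name contain a token of 6+ chars mixing letters and digits?
 *  Matches hashes and random strings, but not a counter such as "000000". */
function looks_randomized(string $name): bool
{
    $base = pathinfo($name, PATHINFO_FILENAME);
    foreach (preg_split('/[^A-Za-z0-9]+/', $base) as $tok) {
        if (strlen($tok) >= 6 && preg_match('/[A-Za-z]/', $tok) && preg_match('/[0-9]/', $tok)) {
            return true;
        }
    }
    return false;
}

/** Walk $root and return one finding per log-like file. */
function audit_wp_content(string $root): array
{
    $root = rtrim(realpath($root) ?: $root, '/');
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !looks_like_log($file->getFilename())) {
            continue;
        }
        $dir = $file->getPath();
        // The three questions a reviewer asks: is the name guessable, is a directory
        // listing suppressed (index file), and is there a server-side deny rule?
        $findings[] = [
            'path'         => substr($file->getPathname(), strlen($root)),
            'bytes'        => $file->getSize(),
            'world_read'   => ($file->getPerms() & 0004) !== 0,
            'randomized'   => looks_randomized($file->getFilename()),
            'has_index'    => file_exists("$dir/index.php") || file_exists("$dir/index.html"),
            'has_htaccess' => file_exists("$dir/.htaccess"),
        ];
    }
    return $findings;
}

/** Assumed risk labelling; .htaccess only helps on Apache, so it is flagged for review. */
function risk(array $f): string
{
    if ($f['has_htaccess']) {
        return 'review .htaccess rules (ignored by nginx)';
    }
    if (!$f['randomized']) {
        return 'high: static path, directly requestable';
    }
    return $f['has_index'] ? 'medium: random name, listing suppressed'
                           : 'high: random name but folder is listable';
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (audit_wp_content($argv[1]) as $f) {
        printf("%-4s %8d %s\n    -> %s\n",
            $f['world_read'] ? 'r--' : '---', $f['bytes'], $f['path'], risk($f));
    }
}
```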

Source Code Review

Most of the work done was source code review using a few lines of bash, grep and less. 

As the first step, I downloaded all plugins with more than 300k installations from the wordpress.org website and extracted them into separate folders. A few lines of Python helped with that task.

The next step was to look for and identify the paths that log entries are written to. PHP offers a few functions such as file_put_contents or fopen to create files. With access to the source code, the command line text searching tool “grep” was a suitable choice. Keywords such as “file_put_contents”, “file_get_contents”, “fopen” and “log” gave a good idea of where to look.

From there, it was a matter of working bottom-up through the code and deducing where the file would be written and whether its name is randomized or not.

Google Dorks

(Ab-)using search engines and their specific search keywords for security purposes is often referred to as “dorking”. No sophisticated hacking tools are required for such an attack, just a web browser, a search engine such as Google and a query like inurl:"/wp-content/uploads/wp-google-maps/error_log.txt" would be enough to find a whole lot of affected websites.

I took the route of searching for a plugin’s directory name while adding keywords like log or txt etc. It gave mediocre results, but that was better than nothing and also helped to verify the findings from the previous step. 

Overall, the results of this method are limited to websites that have directory listing enabled and make their contents indexable by certain search engines.

We all know that breaking things is much easier than fixing them. I tried to come up with ideas for how to prevent such information leaks to make the ecosystem more secure.

Rule #1: Use randomized file names

Static file paths make it trivial for an attacker to check whether a file exists and download it. Randomized file names might take a developer a bit more time to implement, but boost security immensely, especially since the majority of web servers should have directory listing disabled, so that an attacker cannot guess the correct file name.

Rule #2: Prevent directory listing

Even the scenario of a directory-listing enabled web server can be mitigated by the plugin developer: For every folder that is created and where plugin-specific log files are written, an empty index.php file should be created. On literally every web server the index.php file is configured as the DirectoryIndex, meaning instead of showing all contents of a directory, this file will be executed. As an empty file has no content, the attacker won’t see a list of file names, but an empty page. 

Rule #3: Workaround

If Rule #1 and Rule #2 are not followed by a plugin, then one could try to move the created folder outside the “DocumentRoot” (e.g. by using a symlink). Alternatively, explicit rules must be created to prevent access to static or randomized log files. Depending on the web server in use, simple “.htaccess” files could be used.
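As an added example (not from the post, and not the code of any plugin listed above), here is what a plugin-side logger looks like when it follows Rule #1 and Rule #2 and also drops the Apache deny rule from Rule #3 into its own folder. It assumes it runs inside WordPress, where wp_upload_dir(), wp_mkdir_p(), get_option(), update_option(), wp_generate_password() and trailingslashit() are core functions; the class and option names are hypothetical.

```php
<?php
// Added example (not from the post): a defensive WordPress plugin logger.
// Rule #1: random, per-site token in the file name.  Rule #2: empty index.php so a
// directory listing renders nothing.  Rule #3: .htaccess deny rule (Apache only;
// nginx ignores .htaccess, so an equivalent location rule is still needed there).

class Example_Plugin_Logger
{
    const OPTION_NAME = 'example_plugin_log_token'; // hypothetical wp_options key

    private $dir;
    private $file;

    public function __construct()
    {
        $uploads   = wp_upload_dir();
        $this->dir = trailingslashit($uploads['basedir']) . 'example-plugin-logs';
        $this->ensure_protected_dir();
        // Rule #1: without a listing, the path cannot be guessed from the plugin name.
        $this->file = $this->dir . '/debug-' . $this->token() . '.log';
    }

    /** Per-site random token, generated once and kept in the options table. */
    private function token()
    {
        $token = get_option(self::OPTION_NAME, '');
        if (!is_string($token) || !preg_match('/^[A-Za-z0-9]{32}$/', $token)) {
            $token = wp_generate_password(32, false, false); // letters and digits only
            update_option(self::OPTION_NAME, $token, false);  // autoload = false
        }
        return $token;
    }

    /** Create the log folder together with the two files that blunt listing and direct access. */
    private function ensure_protected_dir()
    {
        if (!is_dir($this->dir)) {
            wp_mkdir_p($this->dir);
        }
        // Rule #2: index.php is served as the DirectoryIndex, so no listing is rendered.
        $index = $this->dir . '/index.php';
        if (!file_exists($index)) {
            file_put_contents($index, "<?php\n// Silence is golden.\n");
        }
        // Rule #3: tell Apache to refuse every file in this folder (2.4 and 2.2 syntax).
        $htaccess = $this->dir . '/.htaccess';
        if (!file_exists($htaccess)) {
            file_put_contents(
                $htaccess,
                "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n" .
                "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n"
            );
        }
    }

    /** Append one line; newlines are stripped so an entry cannot forge a second one. */
    public function log($message)
    {
        $message = str_replace(["\r", "\n"], ' ', (string) $message);
        file_put_contents($this->file, gmdate('c') . ' ' . $message . "\n", FILE_APPEND | LOCK_EX);
    }
}

// Usage inside a plugin (hypothetical):
// $logger = new Example_Plugin_Logger();
// $logger->log('import finished');
```

Even with all three measures in place, the log should still avoid recording credentials and PII in the first place, since the token, the index file and the deny rule only limit who can fetch the file, not what is in it.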

Rule #4: WordPress hardening

The WordPress developers have a lengthy article on WordPress security and hardening. At the time of writing it contained a neat statement which fits this topic perfectly: 

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. 

It is always a good idea to go over this article and check whether one has considered and implemented the given hardening tips.

To round this section up, I firmly believe that most plugins should be able to implement and follow Rule #1 and Rule #2. The other two rules, Rule #3 and #4, lean more towards the side of the system administrators, but we cannot take them out of the equation. If a WordPress instance is provided for you, don’t forget to ask the responsible administrator to go over the issues mentioned in this article.  

All of the initially listed WordPress plugins and their potentially leaked log files have been added to Disposable mail’s automated security and asset monitoring between September and November 2019. The security modules will give you insight into which log files on your web server are discoverable by an attacker. That means the modules can:

    • easily identify the “static file path” log files 
    • detect the “randomized file path” log files, too, as long as the randomization can be circumvented with the method discussed earlier

My research doesn’t stop here. I am continuously pursuing this topic in order to bring more log file disclosures to users and secure more websites through Disposable mail and the Crowdsource platform.

 

Written by:
Sebastian Neef
IT Security Freelancer and Disposable mail Crowdsource hacker

Sebastian Neef (@gehaxelt) is a security researcher at heart and has been interested in IT security since the age of 15. He became an IT security freelancer and consultant during his A-Levels back in 2012, when bug bounty and responsible disclosure programs were just starting out. Sebastian enjoys sharing his knowledge at conferences or on his blog 0day.work, breaking things, playing CTFs with ENOFLAG and helping companies to improve their security.


How can Disposable mail help?
Disposable mail works with highly skilled ethical hackers like Gehaxelt to crowdsource the most up-to-date security research. Check for the latest WordPress vulnerabilities and 1500+ other known vulnerabilities by starting a Disposable mail scan. Begin your 14-day free trial today.

Additional reading:
Improving WordPress plugin security from both attack and defense sides

How to Improve Your WordPress Security: Plugins and Themes



Hackers Gain Access to Sensitive Data; Release Veterans’ Stolen Data Related To PTSD Claims – Disposable mail news

Hackers are becoming increasingly aggressive as they begin targeting sensitive data that includes pain diary entries from veterans’ own physical injury cases.

Maze, a hacking and ransomware group that has breached several law firms, local government databases and other organizations while demanding payment for data recovery and deletion, has released VA documents, patient care records, legal fee agreements and privacy consent forms as part of a ransomware attack against U.S. law firms.

Screenshot of a VA claims document released in a data dump by hacking group Maze as part of a ransomware attack against U.S. law firms. (Screenshot/Brett Callow)

Two of those hacks focused explicitly on Texas-based law firm Baker Wotring in November and Woods and Woods LLC in Evansville, Indiana, this month. As per Brett Callow, a threat analyst with Emsisoft, Maze hacks an organization’s servers, informs them of the breach and demands ransom payments to prevent data dumps and if the group doesn’t receive what it demanded, it proceeds to publish small quantities of compromised information — “proofs” — online, open to anybody with internet access. 

And the group has actually done it. After previously demanding payments ranging from $1 million to a few million dollars, if the payment isn’t received, Maze has released additional sensitive information on a ‘staggered basis’. 

Screenshot of a pain diary document released in a data dump by hacking group Maze as part of a ransomware attack against U.S. law firms. The image has been redacted by Military Times. (Screenshot/Brett Callow)


According to Callow, the ransomware group has already released part of the individual archives from Woods and Woods, and the group claims to have more data. Aside from this, it has also posted the compromised information on a Russian hacker forum.

While other hackers utilize the stolen data to target and demand ransom from individual patients or clients, Maze doesn’t do that. 

The hacking group works a bit differently here as they themselves write on their site, “Use this information in any nefarious way that you want.” 

Nonetheless, according to Bleeping Computer, in light of the group’s recent activity the Federal Bureau of Investigation (FBI) issued a Flash Alert a month ago to private businesses, as a precaution, warning them of increased Maze ransomware activity.



Sensitive plastic surgery photos exposed online – 10 minute mail

Other leaked records include videos, facial and body scans, as well as a range of patients’ personal data

Hundreds of thousands of records belonging to plastic surgery patients have been discovered sitting on an unprotected server and accessible for anyone to view. The records were stored on an Amazon Web Services (AWS) S3 bucket database belonging to NextMotion, a plastic surgery technology company that provides imaging solutions to clinics around the world.

Researchers at vpnMentor, who uncovered the leak, were able to access some 900,000 individual records. These ranged from before-and-after images and videos of cosmetic procedures to records of a highly sensitive nature, including graphic photos of the patients’ private body parts. The origin of the records in the database is not clear but it can be assumed that the leak affected NextMotion clients.

Besides patient facial and body photos, the trove of information included invoices, outlines of proposed treatments, and video files including 360-degree face and body scans. The invoices detailed the medical procedures, their costs, dates when they were performed, and personal information that could help identify patients.

All things considered, the data could allow hackers with malicious intent to create a comprehensive portrait of their potential victims. The patients could then easily become targets of identity theft, phishing, financial fraud or even sextortion, where criminals use intimate material to demand a ransom.

NextMotion CEO Dr. Emmanuel Elard apologized, adding that the issue has been addressed: “Amazon Web Service warned us on the 30th of January. After internal discussions with Amazon’s support, we immediately took corrective steps on the 4th February. The cybersecurity company formally guaranteed that the security flaw had completely disappeared.”

As NextMotion is headquartered in France, it is subject to the European Union’s General Data Protection Regulation (GDPR). Although the company’s website states that its technology is GDPR certified, the failure to secure patients’ sensitive data may carry stiff penalties and legal actions.

Misconfigured and unsecured public-facing data repositories have become a common occurrence. In one recent case, thousands of birth certificate applications were stored unprotected on an AWS cloud platform, while another data leak affected almost all of Ecuador’s citizens. These leaks were unintentional, but there have been cases where cosmetic surgery clinics, such as a well-known clinic in London, were targeted by cybercriminals.



Amer Owaida



OWASP TOP 10: Sensitive Data Exposure

Sensitive Data Exposure, an OWASP Top 10 vulnerability that often affects smaller players, can put critical sensitive data at risk. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. 

Description

Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed.

A few examples: data that someone mistakenly uploaded to a public location, weak cryptography that lets an attacker read the data once they have compromised the target, and missing headers that would prevent browser caching. In short, the category covers every case where the sensitive data could have been better protected.

Prevalence

When building an application, many are going to down-prioritise protection of sensitive data, and even if the developer is aware of the fact that they should, for example, hash passwords, it is common to plan to do this afterwards. A workable application is the top priority and once the application is working, the planned protection is forgotten, or simply skipped.

Dealing with crypto is also one of the most difficult things to do. It is therefore common to make mistakes when implementing a self-built solution, which will result in insufficient protection of data.

Sensitive Data Exposure is therefore a typical vulnerability that is worst for small players, like hobby projects and smaller companies. However, as can be seen by looking at some well-known events, big players are affected by these vulnerabilities as well, but not as often.

Potential impact

As the finding only applies to sensitive data, the potential impact is always considered high. What the data consists of varies and so does the impact. The danger lies in the data being exposed, and the potential impact reflects the data’s sensitivity.

For example, if credit card data is stolen, the attacker can empty the victim’s bank account. If passwords are exposed, the attacker can abuse these credentials. If certificates are stolen, the attacker can pretend to be the target. It all depends on what kind of data is at risk of being exposed.

Exploitability

Most crypto-related vulnerabilities are considered hard to exploit, especially on a larger scale. With that said, some of the vulnerabilities that fall into this category are really easy to “exploit”. If an attacker were to get hold of a database that had been left unencrypted, they would not need to do anything special at all to access sensitive data. With a layer of protection removed from the attack process, exploiting the vulnerability can be considered easy.

In general, with the exception of strictly crypto-focused ones, the vulnerabilities within this category are likely to get exploited.

Well-known events

100 million passwords in plain text from VK.com have recently been leaked. That means that the attacker could, after getting access to the database, log in as any user of choice. It also means that if a user were to use the same password on VK.com as on another site, anyone (as the leak is public) would be able to use these credentials to log on to that service and cause great harm.

Another example of a different vulnerability still within this category is exposed tokens in public source code. Many companies have mistakenly exposed private sensitive tokens on GitHub, which we have written about before. By searching publicly available code, an attacker could get full access to internal communication.

How to discover

This is not a vulnerability that you can look for in the same sense as other more traditional vulnerabilities. Most vulnerabilities within this category cannot be scanned for due to two main reasons:

  • To determine risk, it must be decided what information is considered sensitive, which can be a hard task to carry out automatically.
  • An external pentester cannot know whether internal data is encrypted or not as that is not exposed.

To assess whether you are vulnerable to Sensitive Data Exposure, read the steps under Prevention and establish if any of the steps have not yet been taken. In most cases, this is the only way to identify this vulnerability type.

However, some of the findings can be automatically scanned for, such as lack of sufficient headers to prevent caching behind pages that require authentication or lack of HTTPS on logins.
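The two automatically detectable findings named above can be checked without any knowledge of the backend. This is an added example (not code from the OWASP article or from the scanner mentioned below); the response headers and HTML snippets it runs on are constructed samples, and the header rules follow the usual no-store / no-cache guidance for authenticated pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def parse_headers(raw):
    """Turn raw 'Name: value' response lines into a lower-cased dict (last header wins)."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def caching_findings(raw_headers):
    """Findings for a response served behind authentication that shows per-user data."""
    h = parse_headers(raw_headers)
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: browser or proxy may keep a copy on disk")
    if "public" in directives:
        findings.append("Cache-Control: public lets shared caches store the response")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches ignore Cache-Control")
    return findings


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def login_form_findings(page_url, html):
    """Flag forms that would submit credentials over plain HTTP.
    A relative action inherits the scheme of the page it lives on."""
    parser = _FormActions()
    parser.feed(html)
    targets = (urljoin(page_url, a) for a in parser.actions)
    return ["form submits to " + t for t in targets if urlparse(t).scheme != "https"]
```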

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Example of vulnerable application

As the finding includes every case where sensitive data is exposed or insufficiently protected, the examples are many. To get an idea, here are a few of the most common ones:

  • Data stored in plain text, such as passwords or credit card data (see the first well-known event)
  • Lack of HTTPS on authenticated pages
  • Hashed passwords with lack of salt, making the password easily cracked
  • Tokens disclosed in public source code (see the second well-known event)

Prevention

The first step is to figure out what data can be considered sensitive and therefore important to protect.

When that is done, go over each of these data points and make sure that:

  • The data is never stored in clear text.
  • The data is never transmitted in clear text, for example between the database and the server, or over the internet.
  • The algorithms used to encrypt the data are considered strong enough.
  • The generation of the keys is secure.
  • Browser headers are set to not cache when the sensitive data is presented to the end user.

There are more things to look for when securing data, but what matters most is understanding what data is considered sensitive, and making sure it is treated as such in every instance.
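The first checklist item and the "hashed passwords with lack of salt" example above in code: an added example (not from the OWASP article) showing the unsalted digest beside a per-user salted, iterated hash with constant-time verification. The iteration count and the record format are assumed values chosen for the example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; raise as hardware allows
ALGO = "pbkdf2_sha256"


def unsalted_hash(password):
    """The weak scheme from the examples list: one bare SHA-256 digest, no salt.
    Every user with the same password gets the same digest, so one precomputed
    table or one cracked hash breaks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash. Returns a self-describing record
    'algo$iterations$salt_b64$digest_b64' so parameters can be rotated later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True if a stored record used fewer iterations than the current setting,
    so it can be upgraded transparently on the user's next successful login."""
    algo, iterations, _, _ = record.split("$")
    return algo != ALGO or int(iterations) < ITERATIONS
```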

Read more

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
