Monash Uni infosec staff find gaping security hole in Palo Alto Networks gear – Security- Tempemail – Blog – 10 minute

Palo Alto Networks has issued patches for a critical authentication bypass in several of its enterprise security products that was reported to the security vendor by two Monash University infosec staff.
The flaw, discovered by cybersecurity systems analyst Salman Khan and systems engineer Cameron Duck at Monash University, scores 10 out of 10 on the Common Vulnerability Scoring System (CVSS) version 3 and is easy to exploit, requiring no user interaction.
“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources,” the security vendor wrote in its advisory.
Multiple versions of Palo Alto Networks' PAN-OS, the operating system running on the company's firewall, gateway, virtual private networking and remote access products, are affected by the flaw.
Upgrading to PAN-OS versions 8.1.15, 9.0.9 or 9.1.3, or any later release, fixes the authentication bypass vulnerability.
US Cyber Command's Cyber National Mission Force advised users to patch all affected Palo Alto Networks devices immediately, warning that foreign state-sponsored groups would likely try to exploit the vulnerability soon.

Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
https://t.co/WwJdil5X0F
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
If immediate patching is not possible, Palo Alto Networks said that configuring SAML authentication with an Identity Provider certificate issued by a Certificate Authority (CA), and enabling the 'Validate Identity Provider Certificate' option, is a complete mitigation for the vulnerability.
If SAML is not used for authentication, the bypass bug cannot be exploited, Palo Alto Networks said.
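The Go program below is an added example and is not PAN-OS code or anything taken from Palo Alto Networks' advisory. It models the general failure the advisory describes, a signature that is checked but is not bound to the identity provider the administrator configured, beside the mitigation of pinning the IdP key. The SAML XML, canonicalisation and certificate chain are replaced by a plain string payload and raw RSA keys, and the weak mode's behaviour (trusting the key carried inside the message, as a real <ds:KeyInfo> element would carry a certificate) is an assumption chosen to illustrate one way such a bypass can arise, not a statement of the PAN-OS root cause.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Assertion is a deliberately simplified stand-in for a signed SAML
// Response: the statements the service provider (SP) will act on, a
// signature over them, and the signer's public key carried inside the
// message (the role <ds:KeyInfo> plays in real SAML). XML and
// canonicalisation are omitted; these are constructed, not real, messages.
type Assertion struct {
	Payload   string // e.g. "NameID=alice;Audience=vpn.example.internal"
	Signature []byte // RSA PKCS#1 v1.5 over SHA-256(Payload)
	SignerKey []byte // DER-encoded PKIX public key the signer chose to embed
}

// Sign produces an Assertion over payload with whatever key the caller
// holds. A genuine IdP calls this with its own key; so can an attacker.
func Sign(priv *rsa.PrivateKey, payload string) (Assertion, error) {
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Payload: payload, Signature: sig, SignerKey: der}, nil
}

// VerifyTrustingEmbeddedKey models the weak SP: the signature is verified,
// but against the key the message itself supplies. A "valid" result proves
// only that the sender holds some key pair, not that the sender is the IdP.
func VerifyTrustingEmbeddedKey(a Assertion) error {
	pub, err := x509.ParsePKIXPublicKey(a.SignerKey)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("embedded key is not RSA")
	}
	digest := sha256.Sum256([]byte(a.Payload))
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], a.Signature)
}

// VerifyWithPinnedKey models the mitigated SP: the signature is checked
// only against the IdP key the administrator configured, and whatever the
// message claims about its own signer is ignored.
func VerifyWithPinnedKey(a Assertion, idp *rsa.PublicKey) error {
	digest := sha256.Sum256([]byte(a.Payload))
	return rsa.VerifyPKCS1v15(idp, crypto.SHA256, digest[:], a.Signature)
}

// Outcome records which verifier accepted which assertion.
type Outcome struct {
	LegitEmbedded, LegitPinned   bool // genuine IdP-signed assertion accepted?
	ForgedEmbedded, ForgedPinned bool // attacker-signed assertion accepted?
}

// RunScenario generates an IdP key and an attacker key, signs a genuine and
// a forged assertion, and runs both verifiers over both messages.
func RunScenario() (Outcome, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	legit, err := Sign(idpKey, "NameID=alice;Audience=vpn.example.internal")
	if err != nil {
		return Outcome{}, err
	}
	// The attacker never touches the IdP key: they forge the statements they
	// want and sign them with a key pair they generated themselves.
	forged, err := Sign(attackerKey, "NameID=admin;Audience=vpn.example.internal")
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		LegitEmbedded:  VerifyTrustingEmbeddedKey(legit) == nil,
		LegitPinned:    VerifyWithPinnedKey(legit, &idpKey.PublicKey) == nil,
		ForgedEmbedded: VerifyTrustingEmbeddedKey(forged) == nil,
		ForgedPinned:   VerifyWithPinnedKey(forged, &idpKey.PublicKey) == nil,
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine assertion: embedded-key check=%v pinned-key check=%v\n", out.LegitEmbedded, out.LegitPinned)
	fmt.Printf("forged assertion:  embedded-key check=%v pinned-key check=%v\n", out.ForgedEmbedded, out.ForgedPinned)
}
```

The genuine assertion passes both checks, so an administrator testing only the happy path sees nothing wrong; the forged assertion passes the embedded-key check and fails only the pinned-key one. That is why the advisory's mitigation insists on both a CA-issued IdP certificate and the validation option being turned on: the verification key has to come from configuration, never from the message being verified.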
At the time of the advisory, the vendor said it was not aware of any malicious exploitation of the vulnerability.
Exploitation attempts can show up in system logs, but Palo Alto Networks said it can be difficult to distinguish legitimate logins and sessions from malicious ones.
Unusual user names or source IP addresses in logs and reports are indicators of compromise, Palo Alto Networks warned.
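As an added example of turning that advice into a first-pass triage, the Go program below flags successful logins whose user name is absent from a directory export or whose source address falls outside the ranges an organisation expects its users to connect from. It is not Palo Alto Networks code and the log lines are constructed in a simplified key=value shape, not the real PAN-OS system log format; the known-user list and trusted CIDR are likewise constructed. It narrows the set to look at; as the vendor notes, it cannot by itself prove a session was malicious.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample lines in a simplified key=value shape. The real PAN-OS
// log format differs; only the two fields the vendor points at (user name
// and source address) matter for this check.
var sampleLogLines = []string{
	"2020-06-29T08:01:12Z event=globalprotect-login result=success user=alice src=203.0.113.40",
	"2020-06-29T08:02:45Z event=globalprotect-login result=success user=bob src=203.0.113.77",
	"2020-06-29T03:14:09Z event=globalprotect-login result=success user=admin src=198.51.100.23",
	"2020-06-29T03:15:30Z event=globalprotect-login result=success user=svc-backup src=203.0.113.41",
	"2020-06-29T09:10:00Z event=globalprotect-login result=failure user=alice src=203.0.113.40",
}

// Finding is one log line together with the reasons it was flagged.
type Finding struct {
	Line    string
	Reasons []string
}

// parseFields splits key=value tokens into a map; the leading timestamp has
// no '=' and is simply skipped.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	return fields
}

// inAnyNet reports whether ip falls inside any of the trusted networks.
func inAnyNet(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// FlagSuspiciousLogins returns successful logins whose user is not in the
// directory export or whose source address is outside the trusted ranges.
// Failed attempts are skipped: an authentication bypass shows up as a
// success, so failures only add noise to this particular indicator.
func FlagSuspiciousLogins(lines []string, knownUsers map[string]bool, trustedNets []*net.IPNet) []Finding {
	var findings []Finding
	for _, line := range lines {
		f := parseFields(line)
		if f["result"] != "success" {
			continue
		}
		var reasons []string
		if !knownUsers[f["user"]] {
			reasons = append(reasons, "user not in directory export: "+f["user"])
		}
		ip := net.ParseIP(f["src"])
		if ip == nil || !inAnyNet(ip, trustedNets) {
			reasons = append(reasons, "source outside expected ranges: "+f["src"])
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Line: line, Reasons: reasons})
		}
	}
	return findings
}

// mustCIDR parses a CIDR string for the constructed configuration below.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DemoFindings runs the check over the constructed lines with a constructed
// directory export (alice, bob) and one trusted range.
func DemoFindings() []Finding {
	known := map[string]bool{"alice": true, "bob": true}
	trusted := []*net.IPNet{mustCIDR("203.0.113.0/24")}
	return FlagSuspiciousLogins(sampleLogLines, known, trusted)
}

func main() {
	for _, f := range DemoFindings() {
		fmt.Println(f.Line)
		for _, r := range f.Reasons {
			fmt.Println("   ->", r)
		}
	}
}
```

On the constructed input the "admin" login from an unexpected address is flagged on both counts and the unknown "svc-backup" account on one; the two genuine users and the failed attempt are left alone. In practice the directory export and the trusted ranges are the parts worth getting right, since a stale user list produces false positives and an over-broad CIDR hides exactly the remote attacker this bug admits.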


Govt to set infosec standards industry-by-industry: report

The government is reportedly crafting minimum cybersecurity standards for industries that manage critical infrastructure following a highly-publicised attack warning late last week.
Citing “industry sources”, The Australian Financial Review said standards could be set “industry-by-industry”, with banks, healthcare and utilities high on the list.
The prospect of tighter regulation of cybersecurity protections and practices for critical infrastructure was also raised to iTnews by several industry sources.
Any new regulations are expected to be laid out in the government’s forthcoming cyber security strategy, due to be released “in the coming months”.
The mechanics of how such regulations would work, and how enforceable the standards might be, were unclear at the time of writing. 
A Home Affairs spokesperson was contacted by iTnews for comment, but did not address specific questions.
“The government is continuing to develop the 2020 cyber security strategy and will consider advice from the industry advisory panel prior to finalisation,” the spokesperson said.
“The 2020 cyber security strategy will build on the strong foundations established by its predecessor and will take into account the rapidly evolving cyber security landscape, including the impact of COVID-19.”
The advisory panel’s make-up is heavily weighted towards telecommunications, leading to some concerns about how representative it is of broader business interests.
Technical details examined
Debate over the purpose of Prime Minister Scott Morrison’s cyber security warning last Friday continued into this week, as did analysis of the indicators of compromise (IOCs) released by the Australian Cyber Security Centre (ACSC) in support of the government warning.
Though much talk has centred on attribution, Mercury Information Security Services cast doubt on the idea that a Chinese APT [advanced persistent threat] – “at the very least one from within the government” – was behind the campaign described by the ACSC.
“Whilst the ACSC report and artefacts suggest operational sophistication, the lack of technical sophistication and operational security indicate that this may have been more of a ‘hit and run’ style event that is more consistent with criminal elements,” Mercury ISS said.
“Having stated this, the absence of disruptive or destructive activities may suggest the usual criminal action of ransoming networks was not the intent, and this could be an information grab over an extended period of time, albeit from a low tier government, or a third party in support of a government.”
Security vendor Mimecast also said separately that its threat intelligence team “conducted a grid signal and trend analysis that did not reveal any of the email-related IOCs published by the ACSC.” 
“Our assessment … is that there wasn’t a specific attack campaign – but rather that the frequency of broad attacks from a particular state-based actor has increased,” it said in a statement.
“This is an acknowledgement of what we have been raising awareness about for some time.”
Long-running infrastructure focus
The government, together with the ACSC, has been warning about the threat to critical infrastructure for some time.
Last month, the ACSC issued advice to critical infrastructure providers following a jump in cyber activity that had hit corporates and government entities alike.
It urged the operators of Australia’s mission-critical electricity, water and telco infrastructure to double check security controls for staff accessing control systems remotely during COVID-19.
Last year, the government ran a cybersecurity exercise with the electricity sector aimed at strengthening end-to-end security protections in the sector.
Operators of Australia’s electricity, water, gas and port infrastructure must also detail their IT environments to the government under legislation passed in 2018.
Justin Hendry contributed to this report.


Infosec researchers at loggerheads as new Zoom zero-day goes public – Security – Networking – Software

Information security experts are arguing over whether or not a researcher did the right thing in going public with two new serious “zero day” flaws in the Zoom video conferencing app, which has become increasingly popular as people and students work from home in COVID-19 lockdowns.
Earlier this week, security researcher Felix Seele noticed that the installer for Zoom’s Apple macOS client does its work without the user ever clicking through an install step.
“Turns out they (ab)use pre-installation scripts, manually unpack the app using a bundled 7zip [an archiving utility] and install it to /Applications if the current user is in the admin group (no root needed),” Seele said.
Zoom founder and chief executive Eric Yuan thanked Seele and said the installer was designed that way to make video conferencing easier for Mac users.

Thank you for your feedback! We implemented to balance the number of clicks given the limitations of the standard technology. To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others. Your point is well taken and we will continue to improve.
— Eric S. Yuan (@ericsyuan) March 31, 2020
Security researcher and former National Security Agency staffer Patrick Wardle took up the cudgels and published technical details on the installer, which relies on a technique Seele said is also used by macOS malware.
Wardle found that Zoom achieved the consent-less installation by calling an application programming interface (AuthorizationExecuteWithPrivileges) that Apple has deprecated, meaning developers should no longer use it.
The API is considered dangerous because it performs no validation of the program it executes as root, the macOS superuser with full access to every part of the system.
With this installer Zoom had created a serious privilege escalation vulnerability, which Wardle labelled a zero-day, that a local, non-admin user could exploit to gain root access, a particular problem on shared or enterprise-managed machines.
A second zero-day that Wardle documented allows malicious code to be injected into the Zoom process that holds the app’s permission to use the Mac’s microphone and camera.
Zoom’s programming choices here could allow malicious code to record users’ video conferences and surreptitiously access microphones and cameras, with people receiving no warning prompts.
Wardle’s findings were reported in United States technology media, but he did not alert Zoom to them prior to publishing technical details on the vulnerabilities.
It is customary for security researchers to hold back publication of vulnerabilities until the vendor in question has had a chance to verify them and to develop and issue patches for users.
The decision by Wardle to not follow infosec industry responsible disclosure practice has led to criticism from his peers.
Google’s director of security and privacy Heather Adkins was among those who publicly questioned Wardle’s decision to go public, followed by former Facebook chief information security officer and Stanford University Internet Observatory researcher Alex Stamos.
Surprisingly, Wardle found support from Google Project Zero researcher Tavis Ormandy who said the flaws had to be fixed now and not later.

Disagree, it’s a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle. This is what real responsible disclosure looks like.
— Tavis Ormandy (@taviso) April 1, 2020
Ormandy said that holding off publication until Zoom had patched the installer would only help future users, not the large number of people downloading the video conferencing app onto their systems right now.
In Ormandy’s opinion, Wardle had done nothing wrong and had instead protected users from danger rather than protecting corporate reputations at any cost.
“The media can be a tool to inform; nobody promised it will only ever be flattering to business interests,” Ormandy said.
Zoom told iTnews that it will take care of both vulnerabilities, but did not provide a time frame for fixes.
“We are actively investigating and working to address these issues.
We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue,” a Zoom spokesperson said. 
