Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed.

Evernote is a popular service that helps people take notes and organize their to-do lists, and over 4,610,000 users have installed its Evernote Web Clipper extension for the Chrome browser.

Discovered by Guardio, the vulnerability (CVE-2019-12592) resided in the way the Evernote Web Clipper extension interacts with websites and iframes and injects scripts, eventually breaking the browser’s same-origin policy (SOP) and domain-isolation mechanisms.

According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue.

“A full exploit that would allow loading a remote hacker controlled script into the context of other websites can be achieved via a single, simple window.postMessage command,” the researchers said.

“By abusing Evernote’s intended injection infrastructure, the malicious script will be injected into all target frames in the page regardless of cross-origin constraints.”

As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
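The two quoted sentences describe the mechanism at a high level: a message delivered through window.postMessage drives the extension's own injection infrastructure, and the script it names ends up in every frame. The block below is an added illustration written for this page, not Evernote's or Guardio's code, of the generic weak pattern beside the hardened one an extension author would want: the origin of the message is checked, the message can only select a bundled script by name rather than supply a URL, and the result is never fanned out across cross-origin frames. The origin allowlist, message format, script names and the `installHandler` wiring are assumptions for illustration.

```javascript
// Added example (not Evernote's or Guardio's code): a defensive pattern for an
// extension component that acts on window.postMessage input. Origins, message
// shape and script names below are assumed placeholders.

// Origins the extension is willing to take commands from (assumed placeholder).
const TRUSTED_ORIGINS = Object.freeze(["https://extension.example"]);

// Scripts bundled with the extension. A message may select one by name; it can
// never supply a URL of its own, so a remote, attacker-controlled script is
// never a candidate for injection.
const BUNDLED_SCRIPTS = Object.freeze({
  clipper: "scripts/clipper.js",
  highlighter: "scripts/highlighter.js",
});

// The weak pattern: no origin check, the message itself names the script URL,
// and the result is fanned out to every frame on the page. Any page that can
// post a message decides what runs, and where.
function weakInjectionDecision(event) {
  return { inject: true, src: String(event.data.src), frames: "all" };
}

// The hardened pattern: verify the sender, validate the message shape, resolve
// the script from a fixed allowlist, and never fan out across origins.
function hardenedInjectionDecision(event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.includes(event.origin)) {
    return { inject: false, reason: "untrusted-origin" };
  }
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "inject") {
    return { inject: false, reason: "malformed-message" };
  }
  // hasOwnProperty.call rejects prototype names ("constructor", "__proto__")
  // as well as arbitrary paths; only the two bundled names resolve.
  if (!Object.prototype.hasOwnProperty.call(BUNDLED_SCRIPTS, data.script)) {
    return { inject: false, reason: "unknown-script" };
  }
  // Only the frame that received the message gets the script; cross-origin
  // frames keep their own isolation.
  return { inject: true, src: BUNDLED_SCRIPTS[data.script], frames: "self" };
}

// Wiring for a real extension page, guarded so the module also loads outside
// a browser (returns false there instead of touching window/document).
function installHandler(decide = hardenedInjectionDecision) {
  if (typeof window === "undefined" || typeof document === "undefined") {
    return false;
  }
  window.addEventListener("message", (event) => {
    const decision = decide(event);
    if (!decision.inject) return;
    const s = document.createElement("script");
    s.src = decision.src; // relative to the extension's own origin
    document.head.appendChild(s);
  });
  return true;
}

// Constructed sample events: a hostile page and the legitimate sender.
const HOSTILE_EVENT = {
  origin: "https://attacker.example",
  data: { type: "inject", src: "https://attacker.example/evil.js" },
};
const LEGIT_EVENT = {
  origin: "https://extension.example",
  data: { type: "inject", script: "clipper" },
};

// Standalone run: the weak handler would inject the hostile URL everywhere,
// the hardened one refuses it and only honours the bundled name.
console.log(weakInjectionDecision(HOSTILE_EVENT));      // inject: true, frames: "all"
console.log(hardenedInjectionDecision(HOSTILE_EVENT));  // inject: false, reason: "untrusted-origin"
console.log(hardenedInjectionDecision(LEGIT_EVENT));    // inject: true, src: "scripts/clipper.js"
```

The origin check alone is not sufficient, because a trusted origin could itself be compromised or could relay a message it received from elsewhere; that is why the hardened version also refuses to accept a URL and resolves only names it ships with.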

No doubt extensions add a lot of useful features to your web browser, but at the same time, trusting third-party code is far more dangerous than most people realize.

Since extensions run inside your web browser, they often require the ability to make network requests and to read and change the content of the web pages you visit, which poses a massive threat to your privacy and security regardless of whether you installed them from the official Firefox or Chrome stores.

“While the app author intends to provide better user experience, extensions usually have permissions to access a trove of sensitive resources and pose a much greater security risk than traditional websites,” the researchers warned.

The Guardio team responsibly reported this issue to Evernote late last month, and Evernote then released an updated, patched version of its Web Clipper extension for Chrome users.

Since the Chrome browser periodically (usually every 5 hours) checks for new versions of installed extensions and updates them without requiring user intervention, you only need to make sure your browser is running Evernote Web Clipper version 7.11.1 or later.


Telegram Suffers 'Powerful DDoS Attack' From China During Hong Kong Protests

Telegram, one of the most popular encrypted messaging apps, briefly went offline yesterday for hundreds of thousands of users worldwide after a powerful distributed denial-of-service (DDoS) attack hit its servers.

Telegram founder Pavel Durov later revealed that the attack came mainly from IP addresses located in China, suggesting the Chinese government could be behind it in an attempt to sabotage the Hong Kong protesters.

Since last week, millions of people in Hong Kong have been protesting against their political leaders over proposed amendments to an extradition law that would allow a person arrested in Hong Kong to face trial elsewhere, including in mainland China.

Many people see it as a fundamental threat to the territory’s civic freedoms and the rule of law.

Many people in Hong Kong are currently using Telegram’s encrypted messaging service to communicate without being spied on, organize the protest, and alert each other about activities on the ground.

According to Telegram, the company received “GADZILLIONS of garbage requests” that stopped its servers from processing legitimate requests, and the ‘state-actor sized’ attack was traced back to IP addresses in China.

“IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram ). This case was not an exception,” Telegram founder Pavel Durov tweeted.

Although a DDoS attack aims to take a service offline rather than compromise the data stored on the targeted servers, the company still assured users that their data is safe.

However, this is not the first time the Telegram service has been forced offline by a DDoS attack during political unrest in order to disrupt activists.


Cynet Free Visibility Experience – Unmatched Insight into IT Assets and Activities

Real-time visibility into IT assets and activities introduces speed and efficiency to many critical productivity and security tasks organizations are struggling with—from conventional asset inventory reporting to proactive elimination of exposed attack surfaces.

However, gaining such visibility is often highly resource-consuming and entails manually integrating various data feeds.

Cynet is now offering end-users and service providers free access to its end-to-end visibility capabilities.

The offering consists of 14 days access to the Cynet 360 platform, during which users can gain full visibility into their IT environment—host configurations, installed software, user account activities, password hygiene, and network traffic.

“When we built the Cynet 360 platform we identified a critical need for a single-source-of-truth interface where you get all the knowledge regarding what exists in the environment and what activities take place there,” said Eyal Gruner, Cynet founder and CEO.

“Both the operational and security implications of having all this data available in a click of a button are dramatic.”

In today’s IT security landscape, there are two groups for which a lack of visibility is a problem.

The first is found within organizations that acknowledge the necessity of certain tasks; common examples are keeping applications patched, applying change-management procedures, and tracking installed software. Performing these without the ability to retrieve the required data easily is hard and error-prone.

The second is security service providers that cater to a multitude of customers. This group suffers the same pains as the first, but at a much larger scale.

Cynet 360’s visibility capabilities can boost the efficiency of security monitoring workflows, enabling MSSPs/MSPs to address their customers’ needs better and with significantly less effort.

With Cynet 360, operators can easily perform and automate tasks such as:

  • Check if there are systems and apps with missing security patches.
  • Know the accurate number of all hosts, their operating system version, and installed software.
  • Customize and create asset inventory reports.
  • Discover risky user accounts and network connections.

[Figure: Cynet Vulnerability Assessment]

[Figure: Cynet Network Topology View]

[Figure: Cynet Activity Context View]

[Figure: Cynet Installed Software Display]

The Cynet Free Visibility offering targets IT/security decision makers, whether end-users or service providers, who acknowledge that a lack of visibility inhibits them from accomplishing critical tasks.

Using this offering, they can experiment with Cynet 360’s end-to-end visibility capabilities by applying them to either optimize existing tasks or perform new ones.

“It’s a rather worn-out phrase: you can’t secure what you don’t know,” says Gruner, “but it’s true all the same, and we are able to boost organizations in that direction. Available, high-res knowledge of your environment is the equivalent of a good opening move in chess – it narrows down the risks you face and enables you to focus on what really matters.”


When Time is of the Essence – Testing Controls Against the Latest Threats Faster

A new threat has hit the headlines (Robinhood, anyone?), and you need to know if you’re protected right now. What do you do?

Traditionally, you would have to go with one of the options below.

Option 1 – Manually check that IoCs have been updated across your security controls.

This would require checking that security controls such as your email gateway, web gateway, and endpoint security have all been updated with the latest threat’s indicators of compromise (IoCs), which are usually published by the AV companies that detect the malware binaries first.

Option 2 – Create a ‘carbon copy’ of your network and run the threat’s binary on that copy.

While safe, this leaves IT and security teams unaware of variations between the copy and the real deal. While the attack simulation runs against an ‘ideal’ copy, your real network may have undergone inadvertent changes, such as a firewall running in monitoring mode, a patch not being installed on time, and other unintentional drift. The resulting mirror image has inadvertently become a ‘filtered’ one.

Option 3 – Build a homegrown simulation.

While effective, developing your own malware simulation is a time- and resource-intensive effort that usually requires a dedicated threat or vulnerability assessment team.

Moreover, even if you have the resources, the turnaround time for getting a live and safe simulation to work may not be ideal.

Option 4 – Run an automated simulation of the threat in your production environment.

What if you could challenge your controls with a threat on the day that it hits the headlines? This is where automated security effectiveness testing can help.

By running simulations of the latest cyber attacks against the controls required to detect them, you can make sure your current security arsenal is catching the relevant IoCs, and close any gaps faster.

Testing Security Control Effectiveness Faster

Using a dedicated golden image of a standard workstation (or server), attack simulations can be run continually on a designated system in the production network. This way, no real user’s data is jeopardized, while you can still check the latest threat’s ability to bypass your security controls.

By running ongoing or daily simulations of the newest menaces across your network, you can determine if your controls are catching IoCs such as command & control (C2) URLs and malicious file hashes.

[Figure: Immediate Threats Available for Simulation One Day After Their Discovery]

Real vs. Simulated Cyber Attacks – What’s the Difference?

So what is the difference between a real attack and a simulated one? First and foremost, simulations usually run on a dedicated system to avoid compromising a real user’s system.

For C2 communications, a simulation will attempt to establish a connection over HTTP/S, with an agent installed on the endpoint acting as a proxy that blocks any malicious requests from being sent and drops the connection at the end of the test.

When testing endpoint security controls, rather than executing a real payload, one simulation technique involves dropping a malware sample to see if security controls can detect and remove it.

To test the effectiveness of an email gateway, a simulated attack sends emails with weaponized attachments that exhibit different malicious behaviors but are harmless to the target system. An agent sitting on top of the email client handles the incoming emails and deletes them immediately afterwards.

Immediate Insights against Immediate Threats

What kind of insights can simulations uncover? Challenging email security controls can reveal whether your email gateway is blocking multi-layer nested files, whether a policy is set up to filter out spoofed email addresses or rarely-used file formats, or whether archive files (e.g., ZIP) are scanned to prevent executables from landing in a user’s mailbox.

For drive-by downloads, a simulation may alert you that your web gateway is not blocking downloads associated with the newest threat’s URLs. And with regard to endpoint security, you may learn that your current solution is failing to block or detect payloads dropped on disk.

[Figure: Immediate Threats Simulation Results – Blocked or Penetrated]

Ready to test the effectiveness of your security controls against the very latest threats?

Get started here, or learn more about SaaS-based breach and attack simulation.
