How to properly configure privacy in running apps | Kaspersky official blog

Fitness apps, by their very nature, have access to a wealth of personal data, especially data that tracks outdoor activities — primarily running. During tracking, they collect a ton of data — heart rate and other physical activity metrics, step count, distance covered, elevation changes, and, of course, geolocation — to give you a detailed analysis of your workout.

And people rarely jog in random locations; their routes usually repeat and are often close to home, work, school, military base… Essentially, places they go to often and, most likely, at regular times. What happens if this information falls into the wrong hands?

The consequences can be catastrophic. For instance, a few years ago, a map published by a certain running app revealed the locations of several secret military facilities. And in the summer of 2023, a gunman allegedly used this kind of data to find and kill Russian submarine commander Stanislav Rzhitsky during his run.

Of course, the leakage of geolocation data can be dangerous not only for military personnel. It’s easy to imagine scenarios where it could lead to trouble not only for obvious targets — such as celebrities, political figures, or top company executives — but for ordinary people too.

Once they’ve got their hands on your movement data, attackers can readily use it for blackmail and intimidation. If the victim hears that the criminal knows all their movements and where they live, they’re significantly more likely to get scared and comply with any demands.

In addition to direct threats, geolocation info perfectly complements data leaked from other apps or collected through doxing, making targeted attacks much more potent. Don’t think that you’re not important enough for scammers to prepare a complex attack: anyone can become a victim, and the criminals’ end goal isn’t always financial gain.

But it’s not just geolocation data that running apps collect and analyze. Like all fitness apps, they monitor activity and physical condition, which can reveal a lot about a person’s health. This information can also be used in a social engineering attack — because the more an attacker knows about their victim, the more sophisticated and effective their actions can be.

So, it’s essential to take due care when choosing your running app and setting up its privacy — and our tips will help you do just that.

General tips for choosing a running app and configuring its privacy

The first thing you absolutely shouldn’t do is install every running tracker in existence and then choose the one you like best. This way, you’ll hand over your personal data to everyone, significantly increasing the risk of it falling into the wrong hands. The fewer apps you use, the lower the risk of a data leak — but remember, no company can guarantee 100% data security.

Some companies invest more in the security of their users than others, and preference should be given to those who take data protection and anonymization seriously. To ensure this, carefully read the privacy policy of your chosen app: responsible developers will specify what data the app collects, for what purpose, which data might be shared with third parties, and what rights users have regarding their personal data. It’s also worth searching online or asking an AI assistant if the app you’re interested in has been involved in any data leaks — simply type the app’s name plus “data breaches” or “data leak” into a search engine. And, of course, checking user reviews is also a must.

Once you’ve chosen and installed an app, the next thing to do is configure its privacy settings. Unfortunately, many running apps share collected data — including your geolocation — with the entire internet by default. You’ll find links to detailed instructions on how to set up privacy for the most popular running apps — Strava, Nike Run Club, MapMyRun, adidas Running, and ASICS Runkeeper — at the end of this post.

As with any other app, it’s a good idea to use your smartphone’s operating system features to minimize tracking. For example, on iOS, when you first launch the app, you can block it from tracking your activity in other apps. Don’t ignore this option.

In addition, don’t grant the running app access to data that it doesn’t need to function — such as photos, calls, messages, or contacts. To reduce the amount of location data collected, don’t allow fitness trackers (or most other apps, for that matter) to monitor your geolocation continuously — choose the “Only while using the app” option, available on iOS and the latest versions of Android. You can set this when you first launch the app, or later by reviewing all the app’s permissions in your smartphone’s settings or, for Android devices, in Kaspersky for Android.

In general, it’s a good idea to regularly check your smartphone’s privacy and security settings to see which apps have access to which data.

Keep in mind that privacy settings won’t protect you from being tracked if someone guesses your account password. Unfortunately, none of the most popular running apps currently support two-factor authentication — although they really should. Therefore, the best thing you can do to protect your account is to create a long and complex password — preferably at least 16 characters long. Of course, it should be unique. To ensure you don’t forget this combination of characters, save it in a password manager — which, by the way, can also generate a highly secure random password for you.

Privacy settings for popular running apps

We’ve selected the most popular jogging apps and prepared recommendations on how to set up privacy in each of them. Subscribe to our blog to make sure you don’t miss the instructions for your running tracker. As we publish the privacy setup guides, we’ll be updating this post with the relevant links. The following apps will be covered:

Strava
Nike Run Club
MapMyRun
adidas Running (formerly Runtastic)
ASICS Runkeeper

To learn how to set up privacy for other apps — from browsers and social networks to operating systems — visit our website Privacy Checker.

Kaspersky official blog – Read More

Telekopye transitions to targeting tourists via hotel booking scam

ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms

WeLiveSecurity – Read More

What NIST’s latest password standards mean, and why the old ones weren’t working

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways websites and organizations should handle password creation and management. They do away with many of the “common sense” rules we have believed about passwords for years.

Here is a tl;dr version of what these proposed guidelines say: 

Passwords need to be at least eight characters long, and sites should additionally recommend making them at least 15 characters long.
Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters.
CSPs should allow both ASCII and Unicode characters in passwords.
Rather than setting a regular cadence for changing passwords, users only need to change a password if there is evidence of a breach.
There should be no requirement to include a certain number of digits or special characters in passwords (e.g., “Password12345!”).
Do away with knowledge-based authentication, i.e., security questions, when setting up passwords (think: “What was the name of your college roommate?”).

Now, we should make a few things clear. Just because NIST is proposing these rules doesn’t mean anyone *has* to abide by them; they are guidelines that organizations, including the larger U.S. tech companies, can choose to adopt. And for the time being they are proposed rules, meaning the public and tech companies have time to weigh in before they are codified in any way.

While these proposals may seem counterintuitive, they should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers leads users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.

And policies that require users to change their passwords often have led them to create passwords that are nigh-impossible to remember, so users end up storing those passwords in easy-to-find places near their computers, such as on a piece of paper or in a .txt file on their desktop.

The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords. 

Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.  
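To make the contrast between the old and proposed rules concrete, here is an added example (written for this page, not NIST’s text or any vendor’s code) of a verifier-side password check that implements the draft guidance summarised above, alongside the legacy composition-rule check it replaces. The breached-password list, the 8-20 character legacy range and the NFKC normalisation step are this example’s own assumptions.

```python
"""Added example (not NIST's text or any product's code): a verifier-side
password check written to the draft rules summarised above, beside the
legacy composition-rule check it replaces.  The breached-password list is a
constructed stand-in for a real corpus, and NFKC normalisation before
counting length is this example's choice."""
import unicodedata
from typing import List, Optional

MIN_LEN = 8           # required minimum
RECOMMENDED_LEN = 15  # recommended, shown as advice rather than enforced
MAX_LEN = 64          # the verifier must accept at least this many characters

# Constructed stand-in for a breached/common-password blocklist.  Entries are
# stored casefolded; a real deployment would query a large corpus instead.
BREACHED = {"password", "p@ssword", "$ummer2024!", "password12345!"}


def legacy_policy(pw: str) -> List[str]:
    """The old rules: 8-20 characters with a forced digit and special character.
    Returns the list of failures; an empty list means the password is accepted."""
    failures = []
    if not 8 <= len(pw) <= 20:
        failures.append("length must be 8-20 characters")
    if not any(c.isdigit() for c in pw):
        failures.append("must contain a digit")
    if not any(c in "!@#$%^&*" for c in pw):
        failures.append("must contain a special character")
    return failures


def _normalize(pw: str) -> str:
    # NFKC so that composed/decomposed forms of the same visible string compare
    # equal; length is then counted in Unicode code points, never in bytes.
    return unicodedata.normalize("NFKC", pw)


def nist_policy(pw: str) -> List[str]:
    """Length bounds plus a blocklist check, and nothing else: no composition
    rules, no forced rotation, no security questions."""
    pw = _normalize(pw)
    n = len(pw)
    failures = []
    if n < MIN_LEN:
        failures.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        failures.append(f"too long: {n} > {MAX_LEN} characters")
    if pw.casefold() in BREACHED:
        failures.append("found in breached-password list")
    return failures


def recommendation(pw: str) -> Optional[str]:
    """Non-blocking advice a sign-up form can display alongside acceptance."""
    if len(_normalize(pw)) < RECOMMENDED_LEN:
        return f"consider a passphrase of {RECOMMENDED_LEN}+ characters"
    return None


if __name__ == "__main__":
    for candidate in ["$ummer2024!", "Password12345!",
                      "correct horse battery staple", "🔑" * 8]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)} advice={recommendation(candidate)}")
```

Running it shows the point of the change: “$ummer2024!” and “Password12345!” sail through the legacy rules and are rejected only by the blocklist, while a four-word passphrase is rejected by the legacy rules (too long, no digit, no symbol) and accepted by the new ones.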

The one big thing 

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.   

Why do I care? 

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.   

So now what? 

Talos is releasing a new Snort rule set that detects attempts to exploit some of these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 – 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 – 301036 and 301041.

Top security headlines of the week  

Chinese state-sponsored actors are suspected of having breached several U.S. telecommunications providers to spy on U.S. government phone calls. AT&T, Verizon and Lumen may all have been victims of the alleged espionage operation by the newly named APT Salt Typhoon. The actor potentially accessed the systems that these providers use to fulfil court-authorized wiretapping requests from the U.S. government, apparently in an attempt to steal government secrets. It is still unclear how long Salt Typhoon had access, but the group appears to have spent at least a few months inside these networks, which are commonly used to cooperate with lawful U.S. requests for communication data. The attackers may also have accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post)

Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group. ColdRiver is believed to be connected to Russia’s Federal Security Service (FSB) and has recently targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify individual members of ColdRiver. (Security Magazine, Bleeping Computer)

With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether. 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years. However, more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to delete their data now, before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data for their own studies and research. And because 23AndMe’s services are not classed as health care in the U.S., the company does not have to adhere to HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including about 14,000 accounts that were accessed directly using stolen passwords. U.S. law enforcement has also tried to access the company’s data in the past (requests the company has declined), and it is unclear whether such requests would be granted should the company no longer exist. (NPR, Business Insider)

Can’t get enough Talos? 

Cisco Talos: Advanced intelligence for global cyberthreats
New MedusaLocker Ransomware Variant Deployed by Threat Actor
MedusaLocker ransomware variant paired with ‘paid_memes’ toolkit
Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Upcoming events where you can find Talos

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

it-sa Expo & Congress (Oct. 22 – 24) 

Nuremberg, Germany

White Hat Desert Con (Nov. 14) 

Doha, Qatar

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: RF.Talos.80 

SHA 256: 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8 
MD5: b209df2951e29ab5eab4009579b10b8d
Typical Filename: FileZilla_3.67.1_win64_sponsored2-setup.exe 
Claimed Product: FileZilla 
Detection Name: W32.76491DF69A-95.SBX.TG

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a 
MD5: 3bc6d86fc4b3262137d8d33713ed6082 
Typical Filename: 8c556f0a.dll 
Claimed Product: N/A 
Detection Name: Gen:Variant.Lazy.605353 

SHA 256: f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3 
MD5: 0d849044612667362bc88780baa1c1b7 
Typical Filename: CryptX.dll 
Claimed Product: N/A  
Detection Name: Gen:Variant.Lazy.605353 

SHA 256: 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814 
MD5: f23b90fc9bc301baf3e399e189b6d2dc 
Typical Filename: B.dll 
Claimed Product: N/A   
Detection Name: Gen:Variant.Lazy.605353 

Cisco Talos Blog – Read More

Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics

Key Takeaways


Cyble researchers investigated vulnerabilities in five ICS/OT products this week and identified Mitsubishi Electric, TEM, and Delta Electronics products as top priorities for security teams.

TEM has been unresponsive to reports of vulnerabilities in Opera Plus FM Family Transmitters, version 35.45, so users are urged to take mitigation steps.

Mitsubishi Electric has no plans to fix vulnerabilities in MELSEC iQ-F FX5-OPC communication units and instead recommended mitigation steps.

Overview

Cyble researchers have identified vulnerabilities in three products used in critical infrastructure environments that merit high-priority attention from security teams.

Cyble’s weekly industrial control system/operational technology (ICS/OT) vulnerability report for Oct. 1-7 investigated 10 vulnerabilities in five ICS/OT products and identified products from Mitsubishi Electric, TEM, and Delta Electronics as top priorities for patching and mitigation.

TEM Opera Plus FM Family Transmitter Vulnerabilities

An attacker could target Opera Plus FM Family Transmitters via missing-authentication-for-critical-function and cross-site request forgery (CSRF) vulnerabilities (CVE-2024-41987 and CVE-2024-41988), and a proof of concept (PoC) is publicly available.

CISA issued an advisory on the vulnerabilities on Oct. 3, 2024, and CVE records were created the same day. CISA notes that TEM has been unresponsive to requests to work with the agency on the vulnerability; the PoC developer, Gjoko Krstic, also reported a lack of response from the company.

The transmitters are used globally in the communications sector; version 35.45 is affected.

CISA recommends the following mitigations:


Minimize network exposure for all control system devices and systems, ensuring they are not internet-accessible.

Place control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods such as VPNs, even though VPNs may have vulnerabilities and should be updated to the most current version. Connected devices must also be secure.

Mitsubishi Electric MELSEC iQ-F FX5-OPC

Mitsubishi Electric’s MELSEC iQ-F FX5-OPC communication units are affected by a NULL pointer dereference vulnerability (CVE-2024-0727) that malicious actors could exploit to create denial-of-service (DoS) conditions by getting a legitimate user to import a specially crafted PKCS#12 format certificate. The issue is caused by an OpenSSL vulnerability that the company detailed in an Oct. 1 advisory.

Mitsubishi Electric has no plans to fix the vulnerability and instead recommends the following mitigations:


Use within a LAN and block access from untrusted networks and hosts through firewalls.

Restrict physical access to the product and computers and network devices located within the same network.

Use a firewall or VPN to prevent unauthorized access when Internet access is required.

Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to the following manual: MELSEC iQ-F FX5 OPC UA Module User’s Manual “4.4 IP Filter”

Do not import untrusted certificates.

Delta Electronics DIAEnergie

SQL injection vulnerabilities (CVE-2024-43699 and CVE-2024-42417) in Delta Electronics’ DIAEnergie industrial energy management system could allow an unauthenticated attacker to retrieve records stored by the product.

Versions v1.10.01.008 and prior are affected, and Delta Electronics recommends that users upgrade to v1.10.01.009.

Optigo Networks and Subnet Solutions

Optigo Networks (CVE-2024-41925 and CVE-2024-45367) and Subnet Solutions PowerSYSTEM Center (CVE-2020-28168, CVE-2021-3749, and CVE-2023-45857) products were also the focus of recent security advisories. Cyble recommended patching the Optigo ONS-S8 Spectra Aggregation Switch vulnerabilities last week.

Recommendations and Mitigations

Cyble also offered general security guidelines for ICS and OT environments:


Keep track of security, patch advisories, and alerts issued by vendors and state authorities.

Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.

Threat intelligence analysts should support the organizational patch management process by continuously monitoring for, and notifying stakeholders of, critical vulnerabilities that are published in CISA’s KEV Catalog, actively exploited in the wild, or identified in mass exploitation attempts on the internet.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and minimize exposure of critical assets.

Regular audits, vulnerability assessments, and pen-testing exercises are vital in finding security loopholes that attackers may exploit.

Continuous monitoring and logging can help in detecting network anomalies early.

Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.

Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

The post Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics appeared first on Cyble.

Blog – Cyble – Read More

Ghidra data type archive for Windows driver functions

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.

However, it is not uncommon for the definitions in question to be missing from every preexisting .gdt file, meaning a new definition must be created manually. Additionally, in some cases the function or data type is undocumented by Microsoft, which makes creating the definition considerably more tedious.

To aid analysts in reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types that have been created as needed during our analysis of malicious drivers, as they were not present in the commonly used data type archives.

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.

The archive can be found here on our GitHub repository.

Cisco Talos Blog – Read More

CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on vulnerabilities disclosed in multiple Ivanti products, including Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Services Appliance (CSA), Ivanti Velocity License Server, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Avalanche.

The official advisory from Ivanti specifically addresses several vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). It states that a limited number of customers running CSA 4.6 patch 518 and earlier have been exploited when one of CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 is chained with CVE-2024-8963.

The recent advisory from Ivanti has indicated a range of vulnerabilities across their product lines, all requiring urgent attention.

Details of Ivanti Vulnerabilities

CVE-2024-7612, classified as high severity with a score of 8.8, affects Ivanti EPMM (Core) versions 12.1.0.3 and earlier. This vulnerability involves incorrect permission assignment, allowing local authenticated attackers to access or modify sensitive configuration files without proper authorization. If exploited, this could lead to severe security breaches.

Another vulnerability, CVE-2024-9379, has been categorized as medium severity with a CVSS score of 6.5. This SQL injection vulnerability affects Ivanti CSA (Cloud Services Appliance) versions 5.0.1 and earlier, allowing remote authenticated attackers with admin privileges to execute arbitrary SQL statements through the admin web console.
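The SQL injection issue in Ivanti CSA above and the DIAEnergie injection flaws described earlier on this page are the same defect: request values spliced into a statement. As an added example (not Ivanti’s or Delta’s code, with a constructed schema and rows), the following Python shows a device search built by string formatting, what two common payloads make it return, and the parameterised version, including the one part of a query that cannot be bound as a parameter (a sort column) and therefore needs an allowlist instead.

```python
"""Added example (not Ivanti's or Delta's code): a device-search query built
by string formatting, as an admin console might do it, beside the
parameterised version.  The schema and rows are constructed for the demo."""
import sqlite3
from typing import List, Tuple

ALLOWED_SORT_COLUMNS = {"name", "site"}   # identifiers cannot be bound as parameters


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, site TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO devices (name, site) VALUES ('meter-01', 'plant-a'), ('meter-02', 'plant-b');
        INSERT INTO users (username, pw_hash) VALUES ('admin', 'constructed-hash-value');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, site: str) -> List[Tuple[str, str]]:
    """User input is spliced into the statement; a quote in `site` ends the literal."""
    sql = f"SELECT name, site FROM devices WHERE site = '{site}'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, site: str, sort_by: str = "name") -> List[Tuple[str, str]]:
    """Values go through bound parameters; the one thing that cannot be bound
    (the ORDER BY column) is checked against an allowlist instead."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column {sort_by!r}")
    sql = f"SELECT name, site FROM devices WHERE site = ? ORDER BY {sort_by}"
    return db.execute(sql, (site,)).fetchall()


# Payloads of the two classic shapes: widen the WHERE clause, or UNION in
# rows from a table the caller was never meant to read.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", search_vulnerable(db, payload))
        print("safe:      ", search_safe(db, payload))
```

Against the vulnerable function the tautology returns every device and the UNION payload returns the admin’s password hash; the parameterised function treats both strings as a literal site name and returns nothing, and an attempt to smuggle SQL through the sort column is rejected before any statement is built.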

Furthermore, CVE-2024-9380, an OS command injection vulnerability also affecting Ivanti CSA, is rated high with a score of 7.2. This flaw enables remote authenticated attackers to gain unauthorized access and execute commands on the operating system via the admin web console.

Additionally, CVE-2024-37404 is a critical vulnerability with a CVSS score of 9.1, impacting both Ivanti Connect Secure and Policy Secure. This flaw allows a remote authenticated attacker to achieve remote code execution due to improper input validation in the admin portal of vulnerable versions.

Several of these vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which signals the need for immediate action: a vulnerability appears on that list only once CISA has evidence that it is being actively exploited. Attackers can use such vulnerabilities for data breaches, ransomware attacks, and privilege escalation, posing serious risks to organizations.

Recommendations and Mitigations

To mitigate these risks effectively, organizations must take proactive measures. Some of the mitigation strategies include: 


Patch management: regularly update all software and hardware with the latest patches released by the vendor to significantly reduce the risk of exploitation. Create a routine schedule for applying patches, prioritizing critical ones. The process should include inventory management, patch assessment, testing, deployment, and verification, and should be automated wherever possible to enhance efficiency and consistency.

Network segmentation: divide networks into distinct segments to isolate critical assets from less secure areas, and reduce the attack surface by minimizing the services exposed.

Incident response: maintain a plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Monitoring: implement comprehensive monitoring to detect and analyze suspicious activities, and use Security Information and Event Management (SIEM) systems to aggregate and correlate logs for real-time threat detection and response.

Conclusion

By adopting these strategies, organizations can reduce their vulnerability to exploitation and enhance their overall security posture. The proactive measures highlighted in this advisory are essential for protecting sensitive information and maintaining system integrity in an increasingly hostile internet. Immediate action is required to mitigate the risks posed by these vulnerabilities and ensure that organizational assets are safeguarded against potential threats.

The post CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products appeared first on Cyble.

Blog – Cyble – Read More

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Use-after-free vulnerability in Foxit PDF Reader

Discovered by KPC.

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

Multiple vulnerabilities in GNOME project library could lead to code execution

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project library provides an abstraction layer around structured file formats such as OLE2 compound documents, .tar and .zip.

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 
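The two libgsf issues come down to one rule: a count or index read from the file must be validated before it is used to size or index an array. As an added example, not libgsf’s code, the following Python reader parses a constructed OLE2-style sector allocation table and shows both checks: a multiplication of a file-supplied count is refused if it would wrap a 32-bit size, and every table entry is refused if it points past the sectors actually present. The simplified layout (table starts at sector 0, no header or DIFAT) and the sample images are this example’s own constructions.

```python
"""Added example, not libgsf's code: a bounds-checked reader for an OLE2-style
sector allocation table (SAT).  The layout is simplified for the demo (sector 0
onward holds the table; a real compound file locates SAT sectors through its
header and DIFAT), but the two checks are the ones that matter: reject counts
whose product would wrap a 32-bit size, and reject any entry that indexes past
the sectors actually present before it is ever used as an index."""
import struct
from typing import List

SECTOR_SIZE = 512
ENTRIES_PER_SECTOR = SECTOR_SIZE // 4        # one uint32 per entry
END_OF_CHAIN = 0xFFFFFFFE
FREE_SECTOR = 0xFFFFFFFF
MARKERS = {0xFFFFFFFC, 0xFFFFFFFD, END_OF_CHAIN, FREE_SECTOR}  # not indices


class MalformedFile(ValueError):
    """Raised for any field that would lead to an out-of-bounds access."""


def checked_mul(a: int, b: int, bits: int = 32) -> int:
    """Multiply as the C code would, but refuse results that would wrap."""
    result = a * b
    if result >= 1 << bits:
        raise MalformedFile(f"{a} * {b} overflows {bits} bits")
    return result


def read_sat(image: bytes, sat_sector_count: int) -> List[int]:
    """Parse the SAT and validate every entry against the real file size."""
    total_sectors = len(image) // SECTOR_SIZE
    if sat_sector_count > total_sectors:
        raise MalformedFile("header claims more SAT sectors than the file holds")
    n_entries = checked_mul(sat_sector_count, ENTRIES_PER_SECTOR)
    entries = list(struct.unpack_from(f"<{n_entries}I", image, 0))
    for i, nxt in enumerate(entries):
        if nxt in MARKERS:
            continue
        if nxt >= total_sectors:        # the out-of-bounds index check
            raise MalformedFile(f"SAT[{i}] = {nxt} points past sector {total_sectors - 1}")
    return entries


def follow_chain(sat: List[int], start: int) -> List[int]:
    """Walk a sector chain; even a validated SAT still needs cycle detection."""
    chain, seen, cur = [], set(), start
    while cur != END_OF_CHAIN:
        if cur in MARKERS or cur >= len(sat):
            raise MalformedFile(f"chain leaves the table at {cur:#x}")
        if cur in seen:
            raise MalformedFile(f"chain loops back to sector {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = sat[cur]
    return chain


def build_image(sat_entries: List[int], data_sectors: int) -> bytes:
    """Construct a tiny test image: sector 0 = SAT, then `data_sectors` sectors."""
    table = list(sat_entries) + [FREE_SECTOR] * (ENTRIES_PER_SECTOR - len(sat_entries))
    image = struct.pack(f"<{ENTRIES_PER_SECTOR}I", *table)
    for i in range(data_sectors):
        image += bytes([0x41 + i]) * SECTOR_SIZE
    return image


def accepts(image: bytes, sat_sector_count: int, start: int = 1) -> bool:
    """True if the image parses and the chain from `start` can be followed."""
    try:
        follow_chain(read_sat(image, sat_sector_count), start)
        return True
    except MalformedFile:
        return False


# Constructed images, four sectors each (the SAT plus three data sectors).
GOOD_IMAGE = build_image([0xFFFFFFFD, 2, 3, END_OF_CHAIN], 3)           # 1 -> 2 -> 3 -> end
OOB_IMAGE = build_image([0xFFFFFFFD, 2, 0x7FFFFFFF, END_OF_CHAIN], 3)  # SAT[2] indexes far outside
LOOP_IMAGE = build_image([0xFFFFFFFD, 2, 1, END_OF_CHAIN], 3)          # 1 -> 2 -> 1 -> ...
```

The unchecked C equivalent of `read_sat` would compute the table size from the header, allocate a buffer that wrapped to a few bytes, and then use `SAT[2]` as an index without comparing it to anything; `OOB_IMAGE` is exactly the input that turns that into an out-of-bounds read or write.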

Three vulnerabilities in Veertu Anka Build

Discovered by KPC.

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user. 
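Directory traversal of the kind found in Anka Build is easiest to see as the difference between two request handlers. The added example below (illustrative code, not Veertu’s) builds a small file tree in a temporary directory, shows how an unchecked join leaks a file outside the served root, and shows the check that stops it: decode the request once, resolve symlinks and “..” against the real filesystem, then confirm the result is still under the real root. The directory layout, file names and request strings are constructed for the demo.

```python
"""Added example, not Anka Build's code: a directory traversal bug of the kind
described above beside the check that closes it.  The file tree is constructed
under a temporary directory; the request strings are the kind an attacker would
place in an HTTP path."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def unsafe_read(root: str, requested: str) -> bytes:
    """Vulnerable: the caller's path is joined to the root and opened as-is.
    '../x' walks out of the root, and an absolute path replaces the root entirely."""
    return Path(root, unquote(requested)).read_bytes()


def resolve_inside(root: str, requested: str) -> Path:
    """Decode once, resolve symlinks and '..' against the real filesystem, then
    insist the result is still inside the real root directory."""
    root_real = Path(root).resolve()
    candidate = (root_real / unquote(requested)).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {root_real}")
    return candidate


def safe_read(root: str, requested: str) -> bytes:
    return resolve_inside(root, requested).read_bytes()


def is_allowed(root: str, requested: str) -> bool:
    try:
        resolve_inside(root, requested)
        return True
    except PermissionError:
        return False


def make_demo_tree() -> str:
    """Constructed layout:
         <tmp>/outside.txt              secret that must stay unreachable
         <tmp>/www/logs/app.log         the only legitimately served file
         <tmp>/www/logs/escape          symlink -> <tmp>/outside.txt
    Returns the served root (<tmp>/www)."""
    base = Path(tempfile.mkdtemp())
    (base / "outside.txt").write_text("SECRET")
    logs = base / "www" / "logs"
    logs.mkdir(parents=True)
    (logs / "app.log").write_text("2024-10-10 service started\n")
    try:
        os.symlink(base / "outside.txt", logs / "escape")
    except OSError:
        pass  # platforms without symlink support simply skip that case
    return str(base / "www")


if __name__ == "__main__":
    root = make_demo_tree()
    for req in ("logs/app.log", "../outside.txt", "..%2F..%2Foutside.txt",
                "/etc/passwd", "logs/escape"):
        print(f"{req!r}: allowed={is_allowed(root, req)}")
```

Note that the check is done on the resolved path, not on the string: rejecting “..” textually would still let the symlink `logs/escape` serve the secret, and checking with `startswith` on an unresolved string would let `<tmp>/www-private` pass as a child of `<tmp>/www`.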

Cisco Talos Blog – Read More

OEMs Are Urged to Address Vulnerabilities in Device Communication

Overview

Qualcomm has published its October 2024 Security Bulletin, highlighting multiple vulnerabilities. Google’s Threat Analysis Group has also reported that one of them, CVE-2024-43047, is being exploited in targeted attacks. The vulnerability lies in the FASTRPC driver, which handles remote procedure calls between the application processor and the DSP subsystems on Qualcomm chipsets. Exploitation can lead to severe security breaches, potentially allowing unauthorized access to sensitive data.

Considering this, original equipment manufacturers (OEMs) have received patches designed to rectify this flaw, and they are strongly encouraged to implement these updates without delay. Users concerned about the implications of this vulnerability should contact their device manufacturers for specific patch details and guidance.

Google has publicly acknowledged the contributions of various researchers who have been instrumental in identifying and reporting several critical security flaws. Among these notable contributions is CVE-2024-33066, identified by Claroty Research in partnership with Trend Micro. This collaboration highlights the importance of teamwork in discovering and mitigating potential threats.

Another key vulnerability, CVE-2024-21455, was reported by Seth Jenkins from Google Project Zero, demonstrating the ongoing commitment of researchers to enhance security measures across various platforms. Additionally, Xiling Gong identified CVE-2024-38399, further contributing to the collective knowledge needed to protect users against cybersecurity threats.

Most prominently, CVE-2024-43047 was brought to light by a team that included Seth Jenkins, Conghui Wang, and the Amnesty International Security Lab.

Overview of Vulnerabilities and Patches

Recent vulnerability assessments have revealed a concerning mix of high- and moderate-impact vulnerabilities across proprietary and open-source software. Understanding the nature and severity of these vulnerabilities is critical for grasping their potential impact on device security.

Among the high-impact vulnerabilities, CVE-2024-33066, associated with the WLAN Resource Manager, stands out. This critical flaw was reported on September 6, 2023, and has been assigned a CVSS score of 9.8, indicating its severe nature. Another vulnerability is CVE-2024-21455, related to the DSP Service. Reported on June 11, 2024, it carries a High severity rating with a CVSS score of 8.0.

Moderate impact vulnerabilities have also been identified, including CVE-2024-23375, which relates to the Radio Interface Layer. This issue was flagged on November 27, 2023, and is rated medium with a CVSS score of 5.5. Another moderate vulnerability, CVE-2024-38425, related to performance, was reported on January 23, 2024.

A detailed analysis of critical vulnerabilities reveals specific challenges that need to be addressed. For instance, CVE-2024-33064 involves a buffer over-read in WLAN host communication, which could allow for information disclosure during data transmission. Another vulnerability, CVE-2024-33069, is characterized as a “Use After Free” issue that can lead to a transient denial of service, disrupting communication between devices. Additionally, CVE-2024-38399 highlights a similar “Use After Free” vulnerability in graphics processing, which can result in memory corruption and negatively impact device functionality.

Moreover, vulnerabilities related to multimedia and power management integrated circuits (ICs) require attention, as they pose risks to device integrity and user privacy.

Conclusion

The ongoing battle against cybersecurity threats requires a collective effort from researchers, manufacturers, and users alike. As demonstrated by the vulnerabilities highlighted in the latest report from Google’s Threat Analysis Group, proactive measures and timely patch implementations are key to maintaining secure systems.

Recommendations and Mitigations

Users should stay informed about vulnerabilities affecting their devices.

Regular updates and patch installations are crucial for mitigating risks associated with known vulnerabilities.

Engaging with device manufacturers for patch information is essential.

Timely updates can significantly reduce the potential for exploitation.

Manufacturers must prioritize the deployment of patches.

Quick implementation of security measures protects end-users.

Prompt action also upholds manufacturers’ reputations in a security-conscious market.

The post OEMs Are Urged to Address Vulnerabilities in Device Communication appeared first on Cyble.

Blog – Cyble – Read More

Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities

Overview

Adobe has released new updates across several of its products, including Adobe FrameMaker, Adobe Substance 3D Printer, Adobe Commerce and Magento Open Source, Adobe Dimension, Adobe Animate, Adobe Lightroom, Adobe InCopy, Adobe InDesign, and Adobe Substance 3D Stager. These updates, which the Cybersecurity and Infrastructure Security Agency (CISA) has also covered, address a swarm of critical vulnerabilities across Adobe products that could allow malicious actors to execute arbitrary code on affected systems. Although Adobe has stated that it is not aware of any exploits in the wild targeting these vulnerabilities, the potential risks necessitate immediate action from users to secure their installations.

The vulnerabilities identified impact various versions of Adobe products, specifically those running on Windows platforms. For Adobe FrameMaker, the affected versions include FrameMaker 2020 Release: Update 6 and earlier, as well as FrameMaker 2022 Release: Update 4 and earlier. Adobe Substance 3D Printer is also affected, with versions 1.0.3 and earlier being vulnerable.

Additionally, Adobe Commerce and Magento Open Source have vulnerabilities in Magento Open Source 2.4.6-p1 and earlier, as well as Magento Open Source 2.4.5-p2 and earlier. For Adobe Dimension, versions 3.4.2 and earlier are impacted. Adobe Animate has vulnerabilities in version 23.0.0 and earlier, while Adobe Lightroom users should be aware that Lightroom Classic 12.3 and earlier are also affected. Furthermore, Adobe InCopy and Adobe InDesign have vulnerabilities in their 2023 Release: Update 4 and earlier versions. Finally, Adobe Substance 3D Stager users should note that version 2.2 and earlier are at risk.

Adobe has classified these updates with a priority rating of 3, highlighting the need for users to take action. For mitigation against potential attacks, users are encouraged to update their installations to the latest versions. For Adobe FrameMaker, users should upgrade to FrameMaker 2020 Update 7 or FrameMaker 2022 Update 5. The recommended version for Adobe Substance 3D Printer is 1.0.4 or later. Users of Adobe Commerce and Magento Open Source should update to Magento Open Source 2.4.6-p2 or later.

For those using Adobe Dimension, the update to version 3.4.3 or later is recommended. Adobe Animate users should upgrade to version 23.0.1 or later. Adobe Lightroom Classic users need to move to version 12.4 or later. InCopy users should update to the 2023 Release: Update 5, and InDesign users are advised to upgrade to the 2023 Release: Update 5 as well. Finally, for Adobe Substance 3D Stager, users should update to version 2.3 or later.

Vulnerability Details and Acknowledgments

In Adobe FrameMaker, the first vulnerability is categorized as an Out-of-Bounds Read (CWE-125), which could lead to arbitrary code execution. This vulnerability, identified as CVE-2024-47421, has been assigned a critical severity rating with a CVSS base score of 7.8. Another critical issue is the Untrusted Search Path vulnerability (CWE-426), noted as CVE-2024-47422, which also allows for arbitrary code execution and shares the same CVSS base score and severity.

The third vulnerability involves the Unrestricted Upload of Files with Dangerous Type (CWE-434), which again could allow for arbitrary code execution, rated as critical with a CVSS base score of 7.8 (CVE-2024-47423). Another critical risk is associated with Integer Overflow or Wraparound (CWE-190), which can also lead to arbitrary code execution, rated with the same CVSS score (CVE-2024-47424). Lastly, Integer Underflow (Wrap or Wraparound) (CWE-191) is another critical vulnerability allowing arbitrary code execution, also carrying a CVSS base score of 7.8 (CVE-2024-47425).

The presence of these vulnerabilities across widely used Adobe products poses risks for users. Arbitrary code execution could allow attackers to gain control of affected systems, leading to unauthorized access to sensitive data, data breaches, or other forms of exploitation. Prompt updates to the latest software versions are essential in protecting user systems from such threats.

Adobe has expressed gratitude to the security researchers and organizations that have collaborated to identify and analyze these vulnerabilities. The individuals who have been instrumental in reporting the relevant issues include yjdfy, who reported CVE-2024-47424 and CVE-2024-47425; Sidhu (someonealt-86), who reported CVE-2024-47423; jony_juice, who reported CVE-2024-47422; and Francis Provencher (prl), who reported CVE-2024-47421. 

Conclusion

The vulnerabilities addressed in the recent updates highlight the collective effort required to create a more secure environment. By remaining vigilant and proactive in applying updates and adhering to best practices, users can contribute to protecting their systems and data from online threats.

Recommendations and Mitigations

To mitigate these vulnerabilities, Cyble recommends the following mitigation strategies:

Regularly monitor security bulletins and subscribe to newsletters for timely information on vulnerabilities and updates.

Promptly applying patches can mitigate risks associated with known vulnerabilities.

Users are encouraged to engage with manufacturers for clarification on updates and security measures.

Organizations utilizing Adobe products should educate employees about cybersecurity best practices.

Continuously monitor systems for unusual activity to identify potential exploits before they escalate.

Implement additional security measures, such as firewalls and antivirus software, to further safeguard sensitive information.

The post Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities appeared first on Cyble.

Blog – Cyble – Read More

Authentication codes from a service you don’t have an account with | Kaspersky official blog

We’ve previously covered what to do if you receive an unexpected one-time login code for one of your accounts (spoiler alert: it’s probably a hacking attempt, and it’s time to consider getting reliable protection for all your devices).

But sometimes the situation is different: you get a two-factor authentication code for a service where you’ve never had an account. In this post, we’ll discuss why this might happen, and how to react to such messages.

Why you might receive a code for an unknown account

There are two basic explanations for receiving one-time login codes for an account you’re certain doesn’t belong to you.

The first and most likely explanation: before you got your current phone number, it belonged to someone else. When they canceled their service, the number went back into circulation and eventually landed with you. This is called “phone number recycling” — a standard practice for mobile service providers.

So the previous owner of your number registered an account using it. And now, either they’re trying to log in, or someone else is attempting to hack their account. As a result, one-time login codes are being sent to the number (which now belongs to you).

The less likely scenario is that someone is unintentionally trying to register an account using your phone number. Perhaps they mistyped their own number, or simply entered a random sequence of digits that happened to be yours.

What to do

No matter which of the above scenarios may have occurred, the good news is it’s not your problem. You don’t need to do anything and there’s nothing to worry about — unless you plan on creating an account with that service. If you do, you might run into a problem: your number is already associated with an existing (albeit abandoned) account. In that case, contact the service’s support team and explain the situation, and ask them to detach the unknown account from your number while mentioning that you’re a potential new customer.

If support can’t or won’t help, there’s nothing you can do except get an extra SIM card and link your account to the new number.

What NOT to do

Now, let’s talk about what you absolutely should not do: under no circumstances should you attempt to use the one-time codes you receive to access an account that doesn’t belong to you. Curiosity killed the cat, and in this case it could have serious consequences.

Accessing someone else’s account isn’t just unethical; it’s illegal in most jurisdictions. For example, in the U.S., the very strict Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) covers this. Germany covers it in Section 202 of its Criminal Code (StGB § 202), and the list goes on for most if not all countries worldwide. Although the probability of facing legal consequences for accessing someone else’s account may not be high, it’s not worth the risk.

Keep in mind that this probability increases significantly if the account is linked to illegal activity. In that case, law enforcement might take a keen interest in anyone who accesses the account, and sooner or later you could find yourself facing some very uncomfortable questions.

So, the best course of action when receiving a text message with a one-time login code for an account that doesn’t belong to you is to simply ignore it. And to avoid any unnecessary trouble, absolutely do not try to log in to someone else’s account.

Kaspersky official blog – Read More