Tag Archive for: Unauthorized

iTunes on Windows security flaw allows unauthorized access


Researchers have found a vulnerability in iTunes for Windows that lets users escalate system privileges, and Windows users should update the app.

In late 2022, the Synopsys Cybersecurity Research Center (CyRC) discovered a security vulnerability within the Windows version of the iTunes app. Exploiting it can lead to local privilege escalation to achieve system-level privileges.

User privileges, also known as permissions, define what a user account can do on a computer system. They are an essential part of the system’s security, ensuring that users can perform their tasks without being able to compromise the system itself.

Privileges can include the ability to open files, change or delete data, or modify system settings. Users with administrative privileges can do more, such as installing new apps and managing user accounts.

With this vulnerability, someone with limited user privileges on a Windows computer running an affected version of iTunes could exploit the system to acquire elevated privileges. That could allow a malicious person to gain unauthorized access to sensitive data, change or delete data they aren’t supposed to, or launch attacks on other computers within the same network.

The iTunes software creates a folder (“SC Info”) on the Windows system. Only the system should use this folder, but iTunes gives all users complete control over it.

If a user deletes this folder and then creates a link from where the folder was to the Windows system folder, this forces a system repair process that recreates the folder.

That new folder, linked to the system folder, gives assailants high-level access to the Windows system.

How to protect yourself from the iTunes bug

The Synopsys team already reported the vulnerability to Apple; it is tracked as CVE-2023-32353 in the database of publicly disclosed computer security flaws known as Common Vulnerabilities and Exposures. As a result, Apple issued a patch on May 23.

It affects versions of iTunes on Windows before 12.12.9, and users are advised to install the update…


Video shows ‘unauthorized access’ to Ga. election equipment


A former Republican Party official in Georgia who was a fake elector in 2020 misrepresented her role in an alleged breach of voting equipment at a rural elections office two months after the last presidential election, a court filing says.

The filing late Monday is part of a broader lawsuit challenging the security of the state’s voting machines that has been drawn into a separate investigation of former President Donald Trump’s efforts to overturn his loss in Georgia.

Interior security camera video from the Coffee County elections office shows Cathy Latham, the county Republican Party chair at the time, welcomed a computer forensics team when it arrived on Jan. 7, 2021, introduced the team to local election officials and spent nearly all day there. She also instructed the team what to copy, which turned out to be “virtually every component of the voting system,” the filing says. The video directly refutes Latham’s testimony in a sworn deposition and her representations in filings with the court, the document states.

The filing comes in response to Latham’s attorneys’ attempt to quash subpoenas for her personal electronic devices, including any cellphones, computers and storage devices.

Robert Cheeley, an attorney for Latham, did not respond to an email seeking comment. He previously said his client doesn’t remember all the details of that day. But he said she “would not and has not knowingly been involved in any impropriety in any election” and “has not acted improperly or illegally.”

Latham said in a deposition last month that she moved to Texas over the summer. In January 2021, she was chair of the Coffee County Republican Party and was the state party caucus chair for more than 125 of Georgia’s smaller counties. Latham also was one of 16 Georgia Republicans who signed a certificate in December 2020 falsely stating that Trump had won the state and declaring that they were the state’s “duly elected and qualified” electors.

Trump in fact lost Georgia by nearly 12,000 votes to Democrat Joe Biden. The investigation into Trump’s efforts to change the results includes a phone call he made to the Georgia secretary of state, a…


NAF, Inc. Reports Data Breach Following Unauthorized Access to the Organization’s Computer Systems | Console and Associates, P.C.


On August 10, 2022, NAF, Inc. reported a data breach to the offices of various state attorneys general. While these filings do not indicate which type of information was compromised as a result of the incident, based on state data breach reporting requirements, it is likely that the incident affected one or more of the following: Social Security numbers, protected health information, or financial account information. After confirming the breach and identifying all affected parties, NAF began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the NAF data breach, please see our recent piece on the topic here.

What We Know About the NAF Data Breach

The information about the NAF, Inc. data breach comes from an official filing with the office of the Vermont Attorney General. According to the most current information, on March 30, 2022, NAF detected unusual activity within its computer network. In response, the organization secured its systems and contacted outside cybersecurity professionals to assist with the company’s investigation.

The NAF investigation confirmed that an unauthorized party gained access to the company’s computer network on March 19, 2022, which lasted until the company discovered the breach on March 30, 2022. The investigation also revealed that the unauthorized party had access to files on the NAF system that potentially contained sensitive consumer information.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, NAF began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. In the organization’s most recent filings, it does not disclose the data elements that were compromised as a result of the breach. However, because organizations only need to report incidents that affect highly sensitive and personal information, there is a reasonable probability that the NAF data…


Privacy International and the Electronic Frontier Foundation’s Statement on Unauthorized Access to Data


Statement to the second session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes on Agenda Item 4: [illegal/unlawful/unauthorized] access

Addressing some of the first group of questions, we believe that any future Treaty should ensure that [illegal/unlawful/unauthorized] access does not criminalize security research, whistleblowers, and other novel and interoperable uses of technology that ultimately benefit all of us. In particular, the [unauthorized] access to a computer system provision should explicitly require the intention to access a computer system and the person’s intent to cause damage or defraud (malicious intent or mens rea). Without malicious intent, this future treaty risks harshly criminalizing “breaking security,” potentially without any need for harm or damage and seemingly without regard to whether the purpose was beneficial.

Some States have also interpreted unauthorized access laws so broadly as to put computer security researchers at risk of prosecution for engaging in socially beneficial security testing through standard security research practices. “Without authorization” should be defined more clearly to require the circumvention of a technical barrier like a password or other authentication stage.

When it comes to whistleblowing, the 2015 report of the UN Special Rapporteur on freedom of expression noted that prosecution of whistleblowers generally deters whistleblowing and recommended that States avoid it, reserving it, if at all, only for exceptional cases of the most serious demonstrable harm to a specific legitimate interest.

The report states that “in such situations, the State should bear the burden of proving an intent to cause harm, and defendants should be granted (a) the ability to present a defense of an overriding public interest in the information, and (b) access to all information necessary to mount a full defense… Penalties should take into account the intent of the whistle-blower to disclose information of public interest and meet international standards of legality, due process, and proportionality.”…
