Weekly podcast: HSBC, Evernote and Apache Struts

This week, we discuss a data breach affecting HSBC’s US customers, an XSS vulnerability in Evernote and a critical RCE vulnerability in Apache Struts

Hello and welcome to the IT Governance podcast for Friday, 9 November. Here are this week’s stories.

HSBC’s US division has reported that it suffered a data breach last month, in which customer accounts were accessed by “unauthorized users”.

Customers’ names, postal addresses, phone numbers, email addresses, dates of birth, account numbers, balances, transaction histories, payee account information and statement histories were all compromised.

According to the BBC, less than 1% of HSBC’s 1.4 million American customers were affected by the incident, which occurred between 4 and 14 October. Online access to the affected accounts was suspended and customers were forced to change their login credentials to prevent further unauthorised access.

However, the compromise of payee account information potentially affects far more individuals and organisations. If you’ve been paid by the owner of a compromised account, your account details will have been automatically saved – so unless the account holder made the effort to delete them, they will have been compromised too.

Official information is limited so far, but the FT, among others, reports that credential stuffing was to blame: in other words, criminals used personal information that had been compromised in other data breaches to gain access – once again reinforcing the inadvisability of reusing login credentials across different sites and services.

The bank said: “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identify theft protection service.”

Needless to say, it did so out of an abundance of caution.

The note-sharing app Evernote has patched a persistent XSS (cross-site scripting) vulnerability that let attackers compromise victims’ computers by sharing infected notes.

The vulnerability (CVE-2018-18524) was discovered by TongQing Zhu, a security researcher for the Chinese company Knownsec 404.

Having learned that Evernote for Windows permitted code to be embedded in the filenames of pictures, which would be executed when the note was opened, Zhu searched Evernote’s installation folders and found NodeWebKit – an application runtime program that Evernote uses in its presentation mode.

Danny Bradbury of Sophos’s Naked Security blog explains it better than I could.

“After some trial and error with different commands,” he writes, “[Zhu] was able to use Node.js to execute system commands and read system files. If he could get a Node.js script into a note in presentation mode, he figured he could get the NodeWebKit runtime to run it on the victim’s machine” – which he managed to do by renaming a file to include a reference to his Node.js file.

You can find a couple of proof-of-concept videos on Zhu’s blog.

If you’re one of Evernote’s millions of users, you’re strongly advised to install the latest version.

Finally, the Apache Software Foundation has issued an advisory warning developers to upgrade their Apache Struts installations to address a critical remote execution vulnerability affecting versions of the commons fileupload component prior to 1.3.3. The bug was first disclosed in 2016.

“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” Apache said. “The updated commons-fileupload library is a drop-in replacement for the vulnerable version.”

Versions 2.5.12 of Struts and newer, which include a patched commons-fileupload component, are unaffected.

The SANS Institute’s Johannes Ullrich explains: “There is no simple ‘new Struts version’ to fix this. You will have to swap out the commons-fileupload library manually. Download version 1.3.3 and [replace] the old version. For Maven-based projects, you will also need to update your dependencies (see the advisory for details).”

He also goes on to warn users to “double check that you don’t have any other copies of the vulnerable library sitting on your systems. Struts isn’t the only one using it, and others may have neglected to update it as well.”

If you’ve heard of Struts – an open-source framework for developing Java web apps – but don’t know why, the Equifax breach, which saw some 147.9 million customers’ personal information compromised in 2017, started when criminals exploited an unpatched Struts vulnerability.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.