a set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF). The security flaws, CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422, have been issued a base score of 7.8. According to the Cisco Product Security Incident Response Team (PSIRT), the flaws could allow "an unauthenticated, remote attacker to execute arbitrary code on a targeted system." The Cisco Webex Network Recording Player for Advanced Recording Format (ARF), available for Windows, Mac, and Linux machines, is a component for recording meetings taking place in Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. In a security advisory posted this week, Cisco says that the following software is affected: Cisco Webex Meetings Suite (WBS32): Webex Network Recording Player versions prior to WBS32.15.10; Cisco Webex Meetings Suite (WBS33): Webex Network Recording Player versions prior to WBS33.3; Cisco Webex Meetings Online: Webex Network Recording Player versions prior to 1.3.37; Cisco Webex Meetings Server: Webex Network Recording Player versions prior to 3.0MR2. According to Cisco, each operating system is vulnerable to at least one of the security flaws. The vulnerabilities are due to the improper invalidation of Webex recording files. If a victim opens a crafted, malicious file in the Cisco Webex Player -- potentially sent over email as part of a spear phishing campaign -- the bugs are triggered, leading to exploitation. There are no workarounds to address these vulnerabilities.
However, Cisco has developed patches to automatically update vulnerable software. It is recommended that users accept these updates as quickly as possible. The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and won't receive these updates. In these cases, users should contact the company directly. Alternatively, the ARF component is an add-on and can simply be uninstalled manually. A removal tool has been made available. Cisco is not aware of any reports of active exploits in the wild. Steven Seeley from Source Incite and Ziad Badawi, working together with the Trend Micro Zero Day Initiative, have been credited with finding and reporting the bugs. In related news this week, Trend Micro's Zero Day Initiative disclosed a Microsoft Jet zero-day vulnerability which was unpatched at the point of public disclosure. If exploited, the vulnerability permits attackers to remotely execute code on infected machines.
A security lapse at content distribution network provider Cloudflare that resulted in customer data being leaked publicly for several months was bad - but had the potential to be much worse. That's Cloudflare's initial postmortem conclusion after a twelve-day review of log data related to the breach. The review showed no evidence that attackers had exploited the flaw prior to it being discovered and patched, Cloudflare CEO and founder Matthew Prince said in a blog Wednesday. A "vast majority" of Cloudflare's customers also did not appear to have had any of their data leaked. Cloudflare's inspection of tens of thousands of pages that were leaked from its reverse-proxy servers and cached by search engines revealed a "large number" of instances of internal Cloudflare cookies and headers. But so far, according to Prince, there's no evidence that passwords, credit card numbers, and other personal data were compromised as was initially feared. The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests. The bug caused the parser to read memory not only from the HTML page that was actually being parsed, but also from adjacent memory that contained data in response to HTTP requests made by other customers. The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare's CDN. "If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page," Prince said. A lot of the leaked data ended up getting cached by search engines and Web scrapers.
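The bug class described above (a scanner that runs off the end of the page it was given and keeps reading whatever sits next to it in memory) is easy to reproduce in miniature. The following is an added example, not Cloudflare's parser: a single byte string stands in for the heap, the page and the neighbouring customer's response bytes are constructed, and the "link collector" is a deliberately simplified scanner whose only job is to show why every loop that walks a buffer must be bounded by that buffer's end, not by an equality test that the cursor can jump over.

```python
"""Over-read in a streaming HTML scanner: a constructed model of a parser that
reads past the page into memory belonging to another customer's response.
Added example, not Cloudflare's code; all data below is constructed."""

# One byte string stands in for the heap: the page under parse is immediately
# followed by bytes that belong to a different customer's response.
PAGE = b'<a href="/login">Sign in</a> <a href="'     # page is truncated inside an attribute
NEIGHBOUR = b"Cookie: session=SECRET-TOKEN-123\r\n"     # constructed data from another request
HEAP = PAGE + NEIGHBOUR
MARK = b'href="'


def collect_links_buggy(heap: bytes, start: int, end: int) -> list:
    """Collect href values from heap[start:end].

    Defects (constructed, modelling the bug class above): the outer loop stops
    only when p == end, the search for the next marker is not bounded by end,
    and the copy loop runs until it sees a closing quote wherever that is.  When
    the page ends inside an attribute, p overshoots end and the bytes copied
    come from the neighbouring response.
    """
    links = []
    p = start
    while p != end:                                 # BUG: equality test; p can jump past end
        i = heap.find(MARK, p)                      # BUG: search is not limited to the page
        if i == -1:
            break
        p = i + len(MARK)
        value = bytearray()
        while p < len(heap) and heap[p] != ord('"'):  # BUG: copies until a quote, not until end
            value.append(heap[p])                   # (len() guard only keeps Python from raising)
            p += 1
        links.append(bytes(value))
        p += 1                                      # step over the closing quote; may now exceed end
    return links


def collect_links_fixed(heap: bytes, start: int, end: int) -> list:
    """Same scanner with every cursor movement bounded by end.  An attribute
    that is not terminated inside the page is discarded rather than completed
    from whatever memory follows."""
    links = []
    p = start
    while p < end:                                  # FIX: ordering test, p can never pass end
        i = heap.find(MARK, p, end)                 # FIX: search only inside the page
        if i == -1:
            break
        p = i + len(MARK)
        value = bytearray()
        while p < end and heap[p] != ord('"'):      # FIX: copy loop bounded by end
            value.append(heap[p])
            p += 1
        if p >= end:                                # unterminated attribute: drop it, do not leak
            break
        links.append(bytes(value))
        p += 1
    return links


def leaked_bytes(links: list, page: bytes) -> bytes:
    """Return any collected bytes that do not come from the page itself."""
    return b"".join(link for link in links if link not in page)


if __name__ == "__main__":
    end = len(PAGE)
    print("buggy :", collect_links_buggy(HEAP, 0, end))
    print("fixed :", collect_links_fixed(HEAP, 0, end))
    print("leaked:", leaked_bytes(collect_links_buggy(HEAP, 0, end), PAGE))
```

A truncated page such as `PAGE` above is exactly the kind of input a parser's regression suite should contain: the fixed scanner returns only the link that was fully inside the page, while the buggy one returns the neighbouring response as if it were an attribute value, which is the "random text at the end of the page" Prince describes.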
A security researcher from Google's Project Zero threat hunting team alerted Cloudflare to the bug last month. The company claimed it fixed the problem in a matter of hours after being notified of the problem. Some have compared the breach to Heartbleed and have even called it Cloudbleed. In his blog, Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees. Most of the time, the stranger would likely hear nothing of value, but occasionally might pick up something confidential. The same would have been true for a malicious attacker who had somehow known about the bug and exploited it before Cloudflare's fix, he said. The customers most at risk of having their data exposed were those that sent the most requests through Cloudflare's CDN. Cloudflare's detailed postmortem and mea culpa evoked a mixed response from security experts. Ilia Kolochenko, CEO of Web security firm High-Tech Bridge, praised Prince's effort to be transparent about what went down. "Even if we cannot verify the accuracy of all the numbers inside – for the moment, I don't have a valid reason to question either its content, or conclusion," Kolochenko says. In fact, until someone can come up with a credible rebuttal of Cloudflare's internal investigation, it's inappropriate to compare what happened at the company to Heartbleed. "I'd say it's inappropriate even to call this particular incident a 'Cloudbleed,'" he says. "In the Heartbleed case, almost every company in the world, many software vendors including cybersecurity companies, were seriously impacted by the vulnerability."
Heartbleed also resulted in multiple breaches and many organizations continue to be exposed to the threat. Neither of those situations applies to the Cloudflare security lapse. "All avenues of Cloudflare's vulnerability exploitation seem to be mitigated by now," he says. But Kunal Anand, CTO of application security vendor Prevoty, says the details Cloudflare has shared aren't exactly reassuring. If no sensitive information like credit card numbers and Social Security Numbers was leaked and the leaked dataset itself was relatively small, there is no reason why Cloudflare shouldn't share it with a third party for an unbiased review, he says. "CloudFlare needs to realize that HTTP headers, including cookies, contain sensitive information like session identifiers, authorization tokens and IP addresses," Anand says. "All of these data points should count as private data." CloudFlare has been working with various search engines to purge their caches, but in the process, any evidence of the data that was leaked is being deleted as well. That makes it hard to quantify the scope of the data breach outside of CloudFlare's own logs. "There's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis," Anand says.
SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known. A week after Equifax revealed one of the largest breaches of consumers' private financial data in history — 143 million consumers and access to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax. "The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," the Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday. Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638. The vulnerability was patched on March 7, the same day it was announced, the Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software — code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database.
But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency's systems: Equifax said the unauthorized access began in mid-May. Equifax did not respond to a question Wednesday about whether the patches were applied, and if not, why not. "We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement," it said. It should have acted faster to successfully deal with the problem, other cybersecurity professionals said. "They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days," said Pravin Kothari, CEO of CipherCloud, a cloud security company. Federal regulators are now investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they've opened probes into the hack. So far dozens of state attorneys general are investigating the breach, and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws. More than 23 class-action lawsuits against the company have also been proposed. Proof that Equifax failed to protect customers, particularly when it had the tools and information to do so, is likely to further damage Equifax's financial outlook. Shares fell 2.5% Thursday after news of the FTC probe and are down 33% since it revealed the link.
The hacker leaked the FBI.GOV accounts that he found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc). Leaked records contain account data, including names, SHA1 encrypted passwords, SHA1 salts, and emails. The intrusion occurred on December 22, 2016; the hacker revealed that he had exploited a zero-day vulnerability in the Plone Content Management System. "Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date. The vulnerability resides in some python modules of the CMS." The hacker noticed that while media from Germany and Russia published the news about the hack, US based publishers ignored it. According to CyberZeist, the FBI contacted him to pass on the leaks. "I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them, just because I was waiting for FBI to react on time. They didn't directly react and I don't know yet what they are up to, but at the time I was extracting my finds after hacking FBI.GOV," he wrote. The expert added further info on the attack: while experts at the FBI were working to fix the issue, he noticed that the Plone 0day exploit was still working against the CMS backend. "[...] but I was able to recon that they were running FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations. Their last reboot time was 15th December 2016 at 6:32 PM in the evening."
"While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) in the same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI's response. Now let's sit and wait for the FBI's response. I obviously cannot publish the 0day attack vector myself." The hacker confirmed that the 0-day is offered for sale on Tor by a hacker who goes by the moniker "lo4fer". "Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself." Let's close with a curiosity: CyberZeist is asking you to choose the next target. The hacker is very popular; among his victims are Barclays, Tesco Bank and the MI5.
With a bunch of security fixes released and more on the way, details have been made public of a Bluetooth bug that potentially allows miscreants to commandeer nearby devices. This Carnegie-Mellon CERT vulnerability advisory on Monday laid out the cryptographic flaw: firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices. The impact: a nearby eavesdropper could "intercept and decrypt and/or forge and inject device messages" carried over Bluetooth Low Energy and Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) wireless connections between gizmos. In other words, you can potentially snoop on supposedly encrypted communications between two devices to steal their info going over the air, and inject malicious commands. To pull this off, you must have been within radio range and transmitting while the gadgets were initially pairing. The bug's status in Android is confusing: while it doesn't appear in the operating system project's July monthly bulletin, phone and tablet manufacturers like LG and Huawei list the bug as being patched in the, er, July security update. Microsoft has declared itself in the clear. The CERT note says fixes are needed both in software and firmware, which should be obtained from manufacturers and developers, and installed – if at all possible. We're guessing for random small-time Bluetooth gizmos, it won't be very easy to prise an update out of the vendors, although you should have better luck with bigger brand gear. So, make sure you're patched via the usual software update mechanisms, or just look out for nearby snoops, and be ready to thwart them, when pairing devices. Manufacturers were warned in January, it appears, so have had plenty of time to work on solutions.
Indeed, silicon vendor patches for CVE-2018-5383 are already rolling out among larger gadget and device makers, with Lenovo and Dell posting updates in the past month or so. Linux versions prior to 3.19 don't support Bluetooth LE Secure Connections and are therefore not vulnerable, we're told.
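The "vital check" the CERT note refers to is public-key validation: before a device uses the peer's elliptic-curve Diffie-Hellman public value it must confirm that the value is actually a point on the agreed curve. The code below is an added example of that check and of an ECDH derivation that refuses to run without it; it is not code from any Bluetooth stack. The curve parameters are those of NIST P-256 (the curve used by Bluetooth LE Secure Connections); the private scalars and the tampered peer point in the demo are constructed test values.

```python
"""Public-key validation before an ECDH key exchange on NIST P-256.
Added example, not code from any Bluetooth implementation."""

# NIST P-256 (secp256r1) domain parameters: prime, curve coefficients, base point.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def is_valid_public_point(point):
    """Full public-key validation for a prime-order curve: both coordinates in
    range and the point satisfying y^2 = x^3 + ax + b (mod p).  P-256 has
    cofactor 1, so an on-curve point that is not infinity is in the main group."""
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication (no side-channel hardening; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def public_key(priv):
    return _mul(priv, G)


def derive_shared_secret(priv, peer_point):
    """Guarded ECDH: validate the peer's point first, then return the shared x-coordinate.
    Skipping this validation is the flaw class the advisory describes."""
    if not is_valid_public_point(peer_point):
        raise ValueError("peer public key rejected: not a point on P-256")
    shared = _mul(priv, peer_point)
    if shared is None:
        raise ValueError("peer public key rejected: shared point is infinity")
    return shared[0]


def demo():
    """Returns (both sides agree on the secret, tampered peer point was rejected)."""
    alice = 0x1F2E3D4C5B6A79880123456789ABCDEF0FEDCBA987654321   # constructed private scalars
    bob = 0x0F1E2D3C4B5A69782726ABCDEF9876543210FEDCBA012345
    k_alice = derive_shared_secret(alice, public_key(bob))
    k_bob = derive_shared_secret(bob, public_key(alice))
    x, y = public_key(bob)
    tampered = (x, (y + 1) % P)     # constructed off-curve point, as a corrupted pairing message would carry
    try:
        derive_shared_secret(alice, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return k_alice == k_bob, rejected


if __name__ == "__main__":
    print(demo())
```

The on-curve test is cheap (three multiplications and one comparison modulo p) compared with the scalar multiplication that follows it, which is why the advisory's fix is a matter of adding the check rather than changing the protocol.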
To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft Corp (MSFT.O) declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries. Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code. Microsoft confirmed the sequence of events. The tale began last July, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer.
The company often pays a modest bounty of a few thousand dollars for the identification of security risks. Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers how to break in. Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates. But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Hanson's method, and it wanted to be sure it had a comprehensive solution. "We performed an investigation to identify other potentially similar methods and ensure that our fix addresses [sic] more than just the issue reported," Microsoft said through a spokesman, who answered emailed questions on the condition of anonymity. "This was a complex investigation." Hanson declined interview requests. The saga shows that Microsoft's progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically. Finally, on the Tuesday, about six months after hearing from Hanson, Microsoft made the patch available. As always, some computer owners are lagging behind and have not installed it.
Ben-Gurion University employees in Israel were hacked, after the patch, by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals, said Michael Gorelik, vice president of cyber security firm Morphisec. When Microsoft patched, it thanked Hanson, a FireEye researcher and its own staff. A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors. "Normal fixing times are a matter of weeks," Mickos said. Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to make fixes before publishing research when appropriate, and that it "materially followed" that practice in this case. If the patching took time, others who learned of the flaw moved quickly. On the final weekend before the patch, the criminals could have sold it along to the Dridex hackers, or the original makers could have cashed in a third time, Hultquist said, effectively staging a last clearance sale before it lost peak effectiveness. It is unclear how many people were ultimately infected or how much money was stolen.
Cisco has issued a critical patch of a patch for a Cisco Prime License Manager SQL fix. Cisco this week said it patched a "critical" patch for its Prime License Manager (PLM) software that would let attackers execute arbitrary SQL queries. The Cisco Prime License Manager offers enterprise-wide management of user-based licensing, including license fulfillment. Released in November, the first version of the Prime License Manager patch caused its own "functional" problems that Cisco was then forced to fix. That patch, called ciscocm.CSCvk30822_v1.0.k3.cop.sgn, addressed the SQL vulnerability but caused backup, upgrade and restore problems, and should no longer be used, Cisco said. Cisco wrote that "customers who have previously installed the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch should upgrade to the ciscocm.CSCvk30822_v2.0.k3.cop.sgn patch to remediate the functional issues. Installing the v2.0 patch will first rollback the v1.0 patch and then install the v2.0 patch." As for the vulnerability that started this process, Cisco says it "is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres [SQL] user." The vulnerability impacts Cisco Prime License Manager Releases 11.0.1 and later.
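Cisco's description ("lack of proper validation of user-supplied input in SQL queries", reached through HTTP POST bodies) is the classic SQL injection shape: a request field spliced into statement text so that the database parses it as SQL. The block below is an added example, not Cisco's code, showing that pattern beside the two defences that close it: parameter binding and an allow-list check on the field before it is used. The table, rows and request bodies are constructed, and an in-memory SQLite database stands in for PLM's PostgreSQL.

```python
"""String-built SQL versus a parameterised, validated query.
Added example, not Cisco's code; database contents are constructed."""
import re
import sqlite3

# Constructed stand-in for the licensing table a POST handler might query.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, product TEXT NOT NULL)")
    conn.executemany("INSERT INTO licenses (owner, product) VALUES (?, ?)",
                     [("alice", "PLM"), ("bob", "CUCM"), ("carol", "PLM")])
    conn.commit()
    return conn


def licenses_for_owner_vulnerable(conn, owner):
    """The POST field is pasted into the statement text, so the database
    executes whatever SQL the client chose to put in the field."""
    sql = "SELECT owner, product FROM licenses WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def licenses_for_owner_safe(conn, owner):
    """Parameter binding: the value travels separately from the statement and
    can only ever be compared as a string, never parsed as SQL."""
    return conn.execute("SELECT owner, product FROM licenses WHERE owner = ?", (owner,)).fetchall()


# Allow-list for the field (constructed policy): short account-name characters only.
OWNER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def handle_post(conn, form):
    """Minimal model of the request handler: validate the field, then bind it.
    Rejecting malformed input before the query is the 'proper validation'
    the advisory says was missing; binding is the defence that holds even if
    validation is bypassed."""
    owner = form.get("owner", "")
    if not OWNER_RE.match(owner):
        raise ValueError("rejected owner field: %r" % owner)
    return licenses_for_owner_safe(conn, owner)


def demo():
    """Returns row counts for (vulnerable, bound) handling of an injected field."""
    conn = build_demo_db()
    injected = "x' OR '1'='1"      # constructed malformed field: a tautology appended to the value
    vulnerable_rows = len(licenses_for_owner_vulnerable(conn, injected))
    safe_rows = len(licenses_for_owner_safe(conn, injected))
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    print(demo())                          # the string-built query returns every row; the bound one none
    print(handle_post(build_demo_db(), {"owner": "alice"}))
```

Note that the safe query still runs against the same table and still returns the right rows for a legitimate owner; the only thing parameter binding removes is the database's ability to interpret the field as SQL, which is exactly the capability the advisory's "modify and delete arbitrary data" outcome depends on.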
Microsoft is aware of the zero-day, but it's highly unlikely it will be able to deliver a patch until its next Patch Tuesday, which is scheduled in three days. McAfee researchers, who disclosed the zero-day's presence, say they've detected attacks leveraging this unpatched vulnerability going back to January this year. Attacks with this zero-day follow a simple scenario, and start with an adversary emailing a victim a Microsoft Word document. The Word document contains a booby-trapped OLE2link object. If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute. If the user has disabled Protected View, the exploit executes automatically, making an HTTP request to the attacker's server, from where it downloads an HTA (HTML application) file disguised as an RTF. The HTA file is executed automatically, launching exploit code to take over the user's machine, closing the weaponized Word file, and displaying a decoy document instead. According to FireEye, "the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link." While the attack uses Word documents, OLE2link objects can also be embedded in other Office suite applications, such as Excel and PowerPoint. McAfee experts say the vulnerability affects all current Office versions on all Windows operating systems. The attack routine does not rely on enabling macros, so if you don't see a warning for macro-laced documents, that doesn't mean the document is safe.
A flaw in certificate pinning exposed customers of a number of high-profile banks to man-in-the-middle attacks on both iOS and Android devices. A vulnerability in the mobile apps of major banks could have allowed attackers to steal customers' credentials including usernames, passwords, and PIN codes, according to researchers. The flaw was found in apps by HSBC, NatWest, Co-op, Santander, and Allied Irish Bank. The banks in question have now all updated their apps to protect against the flaw. Uncovered by researchers in the Security and Privacy Group at the University of Birmingham, the vulnerability allows an attacker who is on the same network as the victim to perform a man-in-the-middle attack and steal information. The vulnerability lay in the certificate pinning technology, a security mechanism used to prevent impersonation attacks and use of fraudulent certificates by only accepting certificates signed by a single pinned CA root certificate. While certificate pinning usually improves security, a tool developed by the researchers to perform semi-automated security testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim's online banking. As a result, certificate pinning can hide the lack of proper hostname verification, enabling man-in-the-middle attacks. The findings have been outlined in a research paper and presented at the Annual Computer Security Applications Conference in Orlando, Florida. The tool was run on 400 security-critical apps in total, leading to the discovery of the flaw.
Tests found apps from some of the largest banks contained the flaw which, if exploited, could have enabled attackers to decrypt, view, and even modify network traffic from users of the app. That could allow them to view information entered and perform any operation that the app can usually perform -- such as making payments or transferring funds. Other attacks allowed hackers to perform in-app phishing attacks against Santander and Allied Irish Bank users, allowing attackers to take over part of the screen while the app was running and steal the entered credentials. The researchers have worked with the National Cyber Security Centre and all the banks involved to fix the vulnerabilities, noting that the current versions of all the apps affected by the pinning vulnerability are now secure. A University of Birmingham spokesperson told ZDNet all the banks were highly cooperative: "once this was flagged to them they did work with the team to amend it swiftly."
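The two paragraphs above describe a verifier that checks "is this certificate chained to the pinned CA?" but never "is this certificate for the host I meant to talk to?". The following is an added example, not the researchers' tool or any bank's code, that puts the two checks side by side over constructed certificate chains. Certificates are modelled as dicts in the shape `ssl.SSLSocket.getpeercert()` returns, with a constructed `der` field standing in for the encoded certificate; signature and chain-validity checking are assumed to have been done by the platform before these app-level checks run.

```python
"""Pin check alone versus pin check plus hostname verification.
Added example; certificate data below is constructed."""
import hashlib

# Constructed: the CA the app pins, plus two leaf certificates it issued.
PINNED_CA = {"subject": ((("commonName", "Example Public CA"),),), "der": b"constructed-ca-der"}
PIN = hashlib.sha256(PINNED_CA["der"]).hexdigest()          # the app's hard-coded pin

BANK_LEAF = {"subjectAltName": (("DNS", "app.bank.example"), ("DNS", "*.bank.example")),
             "der": b"constructed-bank-leaf-der"}
# Issued by the same CA, for an unrelated host: any customer of a public CA can obtain one.
OTHER_LEAF = {"subjectAltName": (("DNS", "shop.example"),),
              "der": b"constructed-other-leaf-der"}

BANK_CHAIN = [BANK_LEAF, PINNED_CA]
WRONG_HOST_CHAIN = [OTHER_LEAF, PINNED_CA]


def _ca_matches_pin(chain, pin):
    """Pinning check: fingerprint of the chain's root must equal the stored pin."""
    return hashlib.sha256(chain[-1]["der"]).hexdigest() == pin


def _hostname_matches(host, leaf):
    """Hostname verification against the leaf's DNS subjectAltName entries:
    exact match, or a wildcard in the leftmost label matching exactly one label."""
    host = host.lower().rstrip(".")
    for kind, name in leaf.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and "." in host
                and host.count(".") == name.count(".")
                and host.split(".", 1)[1] == name[2:]):
            return True
    return False


def verify_pin_only(chain, pin):
    """The flawed verifier described above: trusts anything the pinned CA signed."""
    return _ca_matches_pin(chain, pin)


def verify_pin_and_hostname(chain, host, pin):
    """The corrected verifier: pinned CA *and* a leaf issued for the intended host."""
    return _ca_matches_pin(chain, pin) and _hostname_matches(host, chain[0])


def demo(host="app.bank.example"):
    """Returns (pin-only accepts wrong host, full check accepts wrong host, full check accepts bank)."""
    return (verify_pin_only(WRONG_HOST_CHAIN, PIN),
            verify_pin_and_hostname(WRONG_HOST_CHAIN, host, PIN),
            verify_pin_and_hostname(BANK_CHAIN, host, PIN))


if __name__ == "__main__":
    print(demo())
```

The first element of `demo()` is the gap the Birmingham tool surfaced: a certificate for another site, legitimately issued by the pinned CA, passes the pin-only verifier, so a network-adjacent attacker holding such a certificate is indistinguishable from the bank. In a stock Python `ssl.SSLContext` the equivalent of the second check is leaving `check_hostname` set to `True`; pinning should be layered on top of that, not substituted for it.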
Security researchers from Pen Test Partners have discovered pretty glaring security flaws in Aga's line of smart ovens. According to researchers, these flaws can be exploited via SMS messages. The reason appears to be that Aga management opted to use a GSM SIM module to control its devices, instead of the classic option of using a Wi-Fi module. This SMS-based management feature allows Aga users to turn ovens on or off from remote locations by sending an SMS to their device. In this scenario, an attacker would need a victim's oven SMS number, but Pen Test Partners researchers say the web-based administration panel contains flaws that allow attackers to scrape for all active SIM card numbers assigned to Aga ovens. There's no authentication involved with the SMS management commands, meaning anyone could send them and mess around with people's "smart" ovens. Professional cooking ovens, like the Aga iTotal Control, need hours of warming before reaching optimal cooking temperatures. While attackers could annoy oven owners by turning their ovens off, Pen Test Partners say that an ill-intentioned miscreant could also turn all known Aga ovens on and cause a spike in electric energy consumption within an area, albeit this could be an exaggerated claim, as there would need to be thousands of these devices lying around. Besides the non-authenticated SMS-based remote management feature, the research team also discovered other major problems with Aga's smart ovens. For starters, the Aga web administration panel doesn't use HTTPS and forces users to use a five-digit password, one that's incredibly easy to brute-force.
Second, the Aga mobile app also works via HTTP, but even if developers used HTTPS, the app disables certificate validation on purpose, meaning attackers could use any SSL certificate to intercept traffic coming to and from the app. After spending two weeks attempting to alert the UK-based IoT manufacturer, Pen Test Partners researchers decided to go public with their findings yesterday. Furthermore, Pen Test Partners say that the GSM SIM remote management module used for Aga's iTotal Control smart oven was created by a company called Tekelek, which also ships similar SMS management components for oil storage tanks, heating systems, process control and medical devices. "These appear to be monitored using SMS, so I wonder where else this bizarre unauthenticated text messaging process might lead," said Ken Munro, Pen Test Partners expert. At the time of writing, and following the public disclosure of the iTotal Control issues, Aga appears to have taken down its web-based administration portal, as Pen Test Partners initially suggested.
If you're a BMW owner, prepare to patch! Chinese researchers from Tencent's Keen Security Lab have found 14 security vulnerabilities affecting many models. The ranges affected (some as far back as 2012) are the BMW i Series, X Series, 3 Series, 5 Series and 7 Series, with seven of the flaws rated serious enough to be assigned CVE numbers. The vulnerabilities are in the Telematics Control Unit (TCU), the Central Gateway Module and the Head Unit, reachable across a range of interfaces including GSM, BMW Remote Service, BMW ConnectedDrive, Remote Diagnosis, NGTP, Bluetooth, and the USB/OBD-II interfaces. Some require local access (e.g. via USB) to exploit, but six, including the Bluetooth flaw, were accessible remotely, making them the most serious. Should owners worry that the flaws could be exploited, endangering drivers and vehicles? On the basis of the technical description that seems unlikely, although Keen Lab won't release the full proof-of-concept code until 2019. Keen Lab described the effect of its hacking as allowing it to carry out "the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely". To which BMW responded: "BMW Group has already implemented security measures, which are currently being rolled out via over-the-air configuration updates. Additional security enhancements for the affected infotainment systems are being developed and will be available as software updates for customers." In other words, some fixes have already been made, while others will be made between now and early 2019, potentially requiring a trip to a service centre.
Full marks to BMW for promptly responding to the research, but the press release issued in its wake reads like PR spin. To most outsiders, this is a case of Chinese white hats finding vulnerabilities in BMW's in-car systems. To BMW, judging by the triumphant language of its press release, it's as if this was the plan all along, right down to awarding Keen Lab the "first-ever BMW Group Digitalization and IT Research Award". More likely, car makers are being caught out by the attention their in-car systems are getting from researchers, with Volkswagen Audi Group experiencing some of the same discomfort a couple of weeks ago at the hands of Dutch researchers. BMW has experienced this before too: three years ago it suffered an embarrassing security flaw in the door-locking functions of its ConnectedDrive software. Let's not feel too sorry for the car makers, because it's the owners who face the biggest adjustment to their expectations: software flaws and patching are no longer just for computers.
Adobe has posted an update to address 85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS. The PDF apps have received a major update that includes dozens of fixes for flaws that would allow remote code execution if exploited. Other possible attacks include elevation of privilege and information disclosure. Fortunately, Adobe said that none of the bugs was currently being targeted in the wild, yet. For Mac and Windows Acrobat/Reader DC users, the fixes are present in version 2019.008.20071. For those using the older Acrobat and Reader 2017 versions, the fixed release is labelled 2017.011.30105. Because PDF readers have become such a popular target for email and web-based malware attacks, users and admins alike would do well to test and install the updates as soon as possible: exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone's machine. In total, Adobe credited 19 different researchers with discovering and reporting the vulnerabilities. Among the more prolific bug hunters were Omri Herscovici of Check Point Software, credited with finding and reporting 35 CVE-listed bugs, and Ke Liu of Tencent Security Xuanwu Lab, credited with 11 of the patched vulnerabilities. Beihang University's Lin Wang was given credit for nine. While we're on the subject of massive security updates, both users and admins will want to mark their calendars for a week from Tuesday.
October 9 is slated to be this month's edition of the scheduled Patch Tuesday monthly security update.
A hacker who goes by the nickname Cipher0007 has hacked the Sanctuary Dark Web marketplace. The hacker announced the breach a few hours ago and also posted proof of the intrusion. According to Cipher0007, the hack took place after he found an SQL injection flaw in the market's database. The hacker claims he used the SQL injection flaw to upload a shell to the market's server. He then used this backdoor to access various parts of the backend and dumped the private key used to generate the market's .onion URL. Cipher0007 also says he used the market's phpMyAdmin installation to dump details of the database configuration and other login information. At the time of writing, the market's phpMyAdmin login page was still exposed to external connections. To prove his claims, the hacker posted online a screengrab taken while uploading the shell to the Sanctuary market's server, the market's 1024-bit RSA private key, and the market's root database login credentials. The Sanctuary market is a small Dark Web market, and one of the few places where digital products such as data dumps and malware are far more prevalent than drugs and weapons. The admin of the Sanctuary market did not respond to a request for comment from Bleeping Computer in time for this article's publication. Cipher0007 already has a reputation in the hacking underground. In January, the hacker collected an unspecified Bitcoin reward for reporting a bug to the AlphaBay staff that would have allowed an attacker access to over 218,000 private messages. AlphaBay is today's biggest Dark Web market, and access to those PMs would have given an attacker insight into the operations of many sellers and vendors.
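The injection-to-shell sequence Cipher0007 describes starts with a query that trusts user input. The Python/SQLite snippet below is an added illustration written for this page, not code from the Sanctuary market or from Cipher0007's post: the table, rows and payloads are constructed for the demo. It shows a login query built by string formatting beside the parameterised form, and how a comment payload bypasses the password check while a UNION payload reads a different column, the kind of foothold that a shell upload is then built on.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample: two accounts, plaintext passwords for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse", "admin"), ("vendor1", "hunter2", "vendor")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the SQL text from untrusted input: this is the injection point."""
    sql = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bound parameters: input can never change the statement."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Closes the string and comments out the password check ("--" runs to end of line).
BYPASS_USER = "admin' --"
# Closes the string and appends a UNION that pulls another column (the admin password).
UNION_USER = "' UNION SELECT password FROM users WHERE username = 'admin' --"


def demo():
    """Runs both payloads against both versions of the query and returns what each yields."""
    conn = build_db()
    return {
        "vulnerable_bypass": vulnerable_login(conn, BYPASS_USER, "wrong"),
        "vulnerable_union": vulnerable_login(conn, UNION_USER, "wrong"),
        "safe_bypass": safe_login(conn, BYPASS_USER, "wrong"),
        "safe_real": safe_login(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised version treats the whole payload as a username that happens to contain quotes, so neither trick works; the formatted version hands the attacker control of the statement. Leaving a phpMyAdmin login page reachable from the internet, as the article notes the market did, then turns any such leak of database credentials into full access.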
Logitech Options is an app that controls Logitech's mice and keyboards. It offers several configuration options such as changing function key shortcuts, customising mouse buttons, and adjusting pointer and scroll behaviour. The app contained a serious security flaw, discovered by Google security researcher Tavis Ormandy. Ormandy found that Logitech Options opened a WebSocket server on every computer it ran on, listening on port 10134, to which any website could connect and send JSON-encoded commands. Through this, an attacker can get in and run commands simply by setting up a web page. The attacker only needs the Process Identifier (PID) of the target, and the PID can be guessed because the software imposes no limit on the number of attempts. Once the attacker has obtained the PID and is in, he can control the computer remotely. This can also be used for keystroke injection, the same class of attack as the Rubber Ducky devices that have been used to take over PCs in the past. Ormandy reported the vulnerability privately to Logitech's engineering team in a meeting on 18 September. After waiting 90 days without seeing the company address the issue, either publicly or through a patch for the app, Ormandy published his findings on 11 December, making the issue public. As the story gained attention, Logitech responded with an update for Logitech Options.
Logitech released Options version 7.00.564 on 13 December. The company says it has fixed the origin and type checking bugs along with a patch for the security vulnerability, although it has not mentioned the security patch on its own website. It told German magazine heise.de that the new version does indeed fix the vulnerability. Tavis Ormandy and his team are currently checking the new version of Logitech Options for any remaining security vulnerabilities. Everyone with the old version of Logitech Options is advised to upgrade to the new 7.00.564.
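Two of the weaknesses described above, an origin check that accepts any web page and a PID check that can be guessed without limit, can be shown side by side. The snippet below is an added illustration written for this page, not Logitech's code, and it assumes nothing about the real Options protocol beyond the article's description (a JSON message carrying a PID): the allowlisted origin, the message shape and the PID value are hypothetical.

```python
import json

# Hypothetical allowlist: the one origin a local control server should accept.
ALLOWED_ORIGINS = {"https://options.example.local"}


def accept_any_origin(handshake_headers):
    """The vulnerable pattern: the browser's Origin header is never consulted."""
    return True


def check_origin(handshake_headers):
    """Hardened handshake: exact match of scheme://host[:port] against the allowlist."""
    origin = handshake_headers.get("Origin")
    return origin is not None and origin in ALLOWED_ORIGINS


class CommandServer:
    """Toy local command endpoint that authenticates callers by a secret PID."""

    def __init__(self, real_pid, max_attempts=None):
        self._pid = real_pid
        self._max = max_attempts      # None reproduces the unlimited-guess behaviour
        self._attempts = 0
        self._locked = False

    def handle(self, raw_message):
        """Parses one JSON command; acts only if the caller presents the right PID."""
        if self._locked:
            return {"ok": False, "error": "locked"}
        try:
            msg = json.loads(raw_message)
        except ValueError:
            return {"ok": False, "error": "bad json"}
        # Type check: reject anything that is not an object carrying an integer pid.
        if not isinstance(msg, dict) or type(msg.get("pid")) is not int:
            return {"ok": False, "error": "bad type"}
        self._attempts += 1
        if self._max is not None and self._attempts > self._max:
            self._locked = True   # too many wrong guesses: stop answering
            return {"ok": False, "error": "locked"}
        if msg["pid"] != self._pid:
            return {"ok": False, "error": "wrong pid"}
        return {"ok": True, "cmd": msg.get("cmd")}


def guess_pid(server):
    """What a hostile page can do: walk the PID space until a command is accepted.
    Windows PIDs are multiples of 4, so the space is small."""
    for pid in range(4, 65536, 4):
        resp = server.handle(json.dumps({"pid": pid, "cmd": "ping"}))
        if resp["ok"]:
            return pid
        if resp.get("error") == "locked":
            return None
    return None
```

Against the unlimited server the walk succeeds in at most a few thousand requests, which a page can issue in seconds; with an attempt cap the same walk locks itself out long before it reaches the real PID. The origin check belongs in the WebSocket handshake, before any message is parsed, and compares the full origin string rather than a substring of it.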
On March 25, security researcher Kevin Beaumont discovered something very unfortunate on Docs.com, Microsoft's free document-sharing site tied to the company's Office 365 service: its homepage had a search bar. That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly. As described in a Microsoft support document, "with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing." But many users used Docs.com either to share documents within their organizations or to pass them to people outside their organizations, unaware that the data was being indexed by search engines. Many of the documents are still discoverable on Google or Bing, as they had been publicly indexed. That means that until the documents are unpublished from Docs.com, they will continue to be accessible to anyone who searches against the site. Microsoft had previously published a notice on security fixes to Docs.com for Office 365 administrators, advising them on how to control their users' access to the service. "Because Docs.com does not yet meet all of Office 365 compliance framework requirements, Office 365 and Azure Tenant administrators must 'opt-in' to enable users with organizational accounts to use the service," the Microsoft support document states. It's not clear how recently that change was made; Ars has reached out to Microsoft for further comment. Update 10:30 AM ET: This morning, Microsoft disabled some searches on Docs.com, and is blocking some incoming links to searches from Google. But additional documents were discoverable via Google search, including documents with health benefits information filled in
Back in August we wrote about a security bugfix for Mikrotik routers that was reverse engineered and turned into a working exploit. Indeed, patches that fix security vulnerabilities often end up giving away enough about the vulnerability that good guys and bad guys alike can weaponise it from first principles, all without having to discover the vulnerability in the first place. In the August 2018 case, dubbed CVE-2018-14847, a crook could trick an unpatched Mikrotik router into coughing up the contents of any file on the device, including the password file. Worse still, the password file held plaintext passwords, with no salting, hashing or stretching, meaning that a security bypass bug could be parlayed into a credential compromise.
The perils of late patching
What we didn't know back then was that security researchers at Tenable had responsibly disclosed another bunch of Mikrotik router bugs at about the same time. These bugs were serious: indeed, one of them allows an attacker to run any program of their choosing, just by making a web request to the router. This sort of hole is known, for obvious reasons, as an RCE, short for Remote Code Execution. Tenable's bugs, however, were what's known as "authenticated vulnerabilities", meaning that you had to be logged in first in order to exploit them. Security holes that require authentication may seem harmless at first sight: after all, if you already have a username and password, or some other access token, that gives you access to a system, you're already in, so it sounds as though breaking in again can be dismissed as an irrelevancy. The good news is that Mikrotik has already patched Tenable's now-disclosed bugs, dubbed CVE-2018-1156, -1157, -1158 and -1159.
Make sure you have the latest Mikrotik firmware updates, which are 6.40.9, 6.42.7 or 6.43, depending on whether you're on the pre-previous, previous or current release branch. If you're a Mikrotik user, skipping the latest patch leaves you at risk, but if you still haven't applied the previous patch you're in double trouble. With both patches missing, you're open to an unauthenticated password disclosure bug that can then be chained with the newer authenticated remote code execution bug. In other words, instead of anyone being able to get some access, or some people being able to get full access, anyone could get full access by pivoting from CVE-2018-14847 to CVE-2018-1156, the RCE flaw.
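To turn the two patch levels above into a check, the following Python function (an added example written for this page, not a MikroTik tool) parses a RouterOS version string, finds its release branch and reports which of the two bugs it is still exposed to and whether they chain. The fix releases for the Tenable bugs (6.40.9, 6.42.7, 6.43) come from the article; the fix points for CVE-2018-14847 (6.40.8 and 6.42.1) are an assumption taken from my recollection of MikroTik's changelogs rather than from the article, so verify them before relying on the output.

```python
import re

# Release that carries the fix for the authenticated RCE (CVE-2018-1156..1159), per branch.
RCE_FIXED = {(6, 40): (6, 40, 9), (6, 42): (6, 42, 7), (6, 43): (6, 43, 0)}
# Assumed fix points for the unauthenticated file-read bug CVE-2018-14847 (not from the
# article; taken from memory of MikroTik's changelogs, so treat as an assumption to verify).
FILE_READ_FIXED = {(6, 40): (6, 40, 8), (6, 42): (6, 42, 1), (6, 43): (6, 43, 0)}


def parse_version(text):
    """'6.42.3', 'v6.43', '6.40.9 (long-term)' -> (6, 42, 3), (6, 43, 0), (6, 40, 9)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("not a RouterOS version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version_text):
    """Return which bugs a RouterOS version is exposed to, or None for an unlisted branch."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch > (6, 43):
        # Newer than anything the article lists: past both fixes.
        file_read, rce = False, False
    elif branch in RCE_FIXED:
        file_read = v < FILE_READ_FIXED[branch]
        rce = v < RCE_FIXED[branch]
    else:
        # 6.41 and older branches are not among the listed maintained releases: upgrade.
        return None
    return {
        "version": v,
        "file_read": file_read,           # CVE-2018-14847, no login needed
        "auth_rce": rce,                  # CVE-2018-1156, login needed
        "chainable": file_read and rce,   # file read leaks the password, RCE uses it
    }


if __name__ == "__main__":
    for sample in ("6.40.5", "6.42.3", "6.42.7", "6.43", "6.41.4"):
        print(sample, assess(sample))
```

A 6.42.3 box shows as safe from the file read but open to the RCE (so only someone holding a password gets full control), while a 6.40.5 box is chainable: anyone can read the password file and then log in to reach the RCE.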
For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a telephony signalling network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper the Süddeutsche Zeitung reported that financially motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts, though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts. "I'm not surprised that hackers take money that is 'lying on the table'. I'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network," Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email. In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is used in particular for roaming: when a phone user goes outside their own provider's coverage, messages still need to be routed to them. But anyone with SS7 access, which can be purchased for around 1000 euros according to the Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where that request is coming from.
That allows the attacker to redirect a target's text messages to another device and, in the case of the bank accounts, steal any codes needed to log in or approve money transfers (after the hackers had obtained the victims' passwords). Although some telcos have taken steps to mitigate the issue, there are clearly still huge gaps for hackers to exploit. "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," US Representative Ted Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue." In the meantime, and maybe irrespective of whether the SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS. Twitter does let users sign in with a code from Google Authenticator, an app on your smartphone that provides a more robust form of two-factor authentication, but the site apparently still sends those logging in an SMS code, which, in light of these SS7 attacks, totally undermines the extra protection. Twitter did not immediately respond to a request for comment. Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication, which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7. That piece, clearly, is out of date.
"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu's statement added.
Researchers at cybersecurity company Check Point have today shared details of a vulnerability in DJI's infrastructure that could have given hackers access to consumer and corporate user accounts, personal data, flight logs, photos, videos, and, if the user was flying with DJI's FlightHub application, a live camera feed and map during missions. Check Point submitted a report to DJI's Bug Bounty Program highlighting a process by which an attacker could have gained access to a user's account through a vulnerability discovered in the user identification process within DJI Forum. Check Point's researchers found that DJI's various platforms used a single token to identify registered users across different aspects of the customer experience; hackers could plant malicious links that would compromise accounts within that framework. In a blog post outlining their investigation, Check Point explained the process of a possible exploit: "The vulnerability was accessed through DJI Forum, an online forum DJI runs for discussions about its products. A user who logged into DJI Forum, then clicked a specially-planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets: DJI's web platform (account, store, forum); cloud server data synced from DJI's GO or GO 4 pilot apps; DJI's FlightHub (centralized drone operations management platform). We notified DJI about this vulnerability in March 2018 and DJI responded responsibly. The vulnerability has since been patched."
DJI classified this vulnerability as high risk but low probability, and indicated there is no evidence this vulnerability was ever exploited by anyone other than Check Point researchers. Check Point even made a Mission Impossible-style trailer for their findings, which is… interesting.
Security biz Qualys has revealed three vulnerabilities in a component of systemd, the system and service manager used in most major Linux distributions. Patches for the three flaws, CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, should appear in distro repos soon as a result of coordinated disclosure. However, Linux distributions such as Debian remain vulnerable at the moment, depending on the version you have installed. "They're aware of the issues and they're releasing patches," said Jimmy Graham, director of product management at Qualys, in a phone interview with The Register. "I don't believe Red Hat has released one but it should be coming shortly." The bugs were found in systemd-journald, the part of systemd that handles the collection and storage of log data. The first two CVEs are memory corruption flaws, while the third is an out-of-bounds read that can leak data. CVE-2018-16864 can be exploited by malware running on a Linux box, or by a malicious logged-in user, to crash and potentially hijack the systemd-journald service, elevating access from user to root. CVE-2018-16865 and CVE-2018-16866 can be exploited together by a local attacker to crash or hijack the root-privileged journal service. While systemd isn't universally beloved in the Linux community, Graham sees nothing unusual about the presence of the three flaws in the software. "The noteworthiness to me is that it is very commonly found in most major distributions," he said.
Qualys contends all systemd-based Linux distros are vulnerable, though the vulnerabilities cannot be exploited in SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29, because their user-land code is compiled with GCC's -fstack-clash-protection option. The security biz calls the attack a simplified stack clash (a stack clash being one in which the stack is grown until it overlaps another memory region) because it only requires the last two steps of the usual four-step process: clashing the stack with another memory region, moving the stack pointer to the start of the stack, jumping over the stack guard page into another memory region, and smashing the stack or that memory region. The third bug, CVE-2018-16866, was introduced in June 2015 (systemd v221) and, Qualys says, was fixed inadvertently in August 2018. In code where the flaw still exists, it could allow an attacker to read out-of-bounds memory, resulting in information leakage. "The risk [of these issues] is a local privilege escalation to root," said Graham. "It's something that should still be a concern because usually attackers don't just use one vulnerability to compromise a system. They often chain vulnerabilities together."
Businesses that failed to update Windows-based computer systems hit by a massive cyber attack over the weekend could be sued over their lax cyber security, but Microsoft itself enjoys strong protection from lawsuits, legal experts said. The WannaCry worm has affected more than 200,000 Windows computers around the world since Friday, disrupting car factories, global shipper FedEx Corp and Britain's National Health Service, among others. The malware spreads silently between computers, locking them up by encrypting data and then demanding a ransom of US$300 to unlock them. According to Microsoft, computers affected by the ransomware did not have security patches for various Windows versions installed, or were running Windows XP, which the company no longer supports. "Using outdated versions of Windows that are no longer supported raises a lot of questions," said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. "It would arguably be knowingly negligent to let those systems stay in place." Businesses could face legal claims if they failed to deliver services because of the attack, said Edward McAndrew, a data privacy lawyer at Ballard Spahr. "There is this stream of liability that flows from the ransomware attack," he said. "That's liability to individuals, consumers and patients." WannaCry exploits a vulnerability in older versions of Windows, including Windows 7 and Windows XP. Microsoft issued a security update in March that stops WannaCry and other malware on Windows 7. Over the weekend the company took the unusual step of releasing a similar patch for Windows XP, which it announced in 2014 it would no longer support.
Dore said companies that faced disruptions because they did not run the Microsoft update, or because they were using older versions of Windows, could face lawsuits if they had publicly touted their cyber security. His law firm sued LinkedIn after a 2012 data breach, alleging individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures; LinkedIn settled for US$1.25 million in 2014. But Scott Vernick, a data security lawyer at Fox Rothschild who represents companies, said he was sceptical that WannaCry would produce a flood of consumer lawsuits. He noted there was no indication the cyber attack had resulted in widespread disclosure of personal data. "It isn't clear that there has been a harm to consumers," he said. Vernick said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission, which has previously sued companies for misrepresenting their data privacy measures. Microsoft itself is unlikely to face legal trouble over the flaw in Windows exploited by WannaCry, according to legal experts. When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School. Courts have consistently upheld those agreements, he said. Alex Abdo, a staff attorney at the Knight First Amendment Institute at Columbia University, said Microsoft and other software companies have strategically settled lawsuits that could lead to court rulings weakening their licensing agreements. "This area of law has been stunted in its growth," he said. "It is very difficult to hold software manufacturers accountable for flaws in their products."
Also enjoying strong protection from liability over the cyber attack is the US National Security Agency, whose stolen hacking tool is believed to be the basis for WannaCry. The NSA did not immediately return a request for comment. Jonathan Zittrain, a professor specializing in internet law at Harvard Law School, said courts have frequently dismissed lawsuits against the agency on the grounds they might result in the disclosure of top secret information. On top of that, the NSA would likely be able to claim that it is shielded from liability under the doctrine of sovereign immunity, which says that the government cannot be sued over carrying out its official duties. "I doubt there can be any liability that stems back to the NSA," Dore said.
A longtime Debian developer has recommended that the Cryptkeeper Linux encryption app be removed from the distribution. The advice came after the disclosure of a bug in which the app sets the universal password "p" on every directory it creates, so that "p" decrypts any directory created with the program. Simon McVittie, a programmer at Collabora, confirmed the findings of researcher Kirill Tkhai, who disclosed the bug on Jan. 26. McVittie said he was able to reproduce the bug in the Stretch version (Debian 9, in testing) but not in the Jessie version (Debian 8). "I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all," McVittie said in response to the original bug report. Francesco Namuri, another Debian developer, agreed the Cryptkeeper packages should be yanked from Debian. Tkhai's advisory said Cryptkeeper version 0.9.5-5.1 is affected. The problem appears when Cryptkeeper calls encfs, the command-line front end for the encrypted file system: Cryptkeeper feeds encfs a simulated "p" keystroke, and encfs takes that "p" as the password instead, regardless of the password the user chose.
The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday. The devices, such as pacemakers and defibrillators, are used to monitor and control patients' heart function and prevent heart attacks. St. Jude has developed a software patch to fix the vulnerabilities, and it will automatically be applied to affected devices beginning Monday. To receive the patch, the Merlin@home Transmitter must be plugged in and connected to the Merlin.net network. The FDA said patients can continue to use the devices, and that no patients were harmed as a result of the vulnerabilities. Abbott Laboratories (ABT), which recently acquired St. Jude in a deal worth $25 billion, said it has worked with the FDA and DHS to update and improve the security of the affected devices. "Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities," Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney in an email. "As we've been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems." The FDA said hackers could control a device by accessing its transmitter. In August 2016, Muddy Waters founder Carson Block published a report claiming St. Jude's devices could be hacked and said he was shorting the stock. St. Jude said the claims were "absolutely untrue", and in September it filed a lawsuit against the firm.
In a statement, Block said Monday's announcement "vindicates" the firm's research. "It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities," Block said. "Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants." The confirmation of St. Jude's vulnerabilities is the latest reminder of how internet-connected devices can put health at risk. In December, the FDA published guidance for manufacturers on how to proactively address cybersecurity risks.
Sensitive information related to the United States Air Force has been found exposed publicly on the internet, allowing anyone with a web connection to peruse it without authorisation and with no need for a password. The discovery was made by security researchers at MacKeeper, who said that they had found gigabytes of files on an internet-connected backup drive that was not password-protected: The most shocking document was a spreadsheet of open investigations that included the name, rank, location, and a detailed description of the accusations. The investigations range from discrimination and sexual harassment to more serious claims. One example is an investigation into a Major General who is accused of accepting $50k a year from a sports commission that was supposedly funneled into the National Guard. As ZDNet reports, the names and addresses, ranks, and social security numbers of more than 4000 US Air Force officers were included in the stash of personal information. Further documents included phone numbers and contact information for workers and their spouses. Clearly some of the details exposed through the security lapse would be of value to foreign intelligence agencies and criminal gangs, and could lead to blackmail attempts or identity theft. What we don't know is how long the information has been accessible online, and we also do not know if anyone other than the security researchers had managed to stumble across the exposed information. But the truth of the matter is that we shouldn't ever have to find ourselves in a position to ask such questions. Whenever you decide to store information on the internet, particularly sensitive data, you should be doing your utmost to ensure that you have minimised the risk of it falling into the wrong hands.
That means always keeping your computer patched and running up-to-date anti-virus, using encryption, enabling passwords and ensuring that the password chosen is a strong one, turning on additional authentication checks such as two-step verification, and restricting the range of trusted IP addresses from which users can log in.
A critical vulnerability in Moodle, an open source PHP-based learning management system deployed across scores of schools and universities, could expose the server it's running on to compromise. Tens of thousands of universities worldwide, including the California State University system, the University of Oxford, and Stanford University, use the service to provide students with course outlines, grades, and other personal data. The issue, at its root a SQL injection vulnerability, could be used by an attacker to execute PHP code on a university's server, according to Netanel Rubin, the researcher who found the bug. Rubin, who has previously dug up vulnerabilities in Mozilla's Bugzilla bug tracking system, the e-commerce platform Magento, and WordPress, described the bug in depth in a blog post on Monday. "Similar scenarios could be used in previous versions of Moodle but only by managers/admins and only via web services," the advisory reads. School IT administrators are being encouraged to apply a patch that maintainers of the system pushed 10 days ago. Rubin discovered that he could exploit the feature, however, and get an unserialize call by leaving a preference in a block mechanism empty. That could open the door to an object injection attack. While the attack had its limitations, Rubin discovered a way to pivot from it to a series of method calls. From there, he found he could use the system's "update" method to update any row in an affected database. This gave him the ability to tweak administrator accounts, passwords, the site configuration, "basically whatever we want," he wrote. Rubin used a double SQL injection to top off his exploit, helping him gain full administrator privileges on any server running Moodle.
"After gaining full administrator privileges executing code is as simple as uploading a new plugin or template to the server," Rubin writes.
Microsoft has published a patch for an Outlook vulnerability first reported in late 2016, but the patch has been deemed incomplete and additional workarounds are needed, according to the security researcher who discovered it. Yesterday's April 2018 Patch Tuesday update train included a fix for CVE-2018-0950, a vulnerability in Microsoft Outlook discovered by Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC).

Outlook retrieves remote OLE content without prompting

According to Dormann, the main problem with CVE-2018-0950 is that Microsoft Outlook will automatically render the content of remote OLE objects embedded inside rich formatted emails without prompting the user, something that Microsoft does not do in other Office apps such as Word, Excel, and PowerPoint. This leads to a slew of problems that come from automatically rendering OLE objects, a common attack vector for malware authors.

Microsoft patches SMB attack vector only

In a CERT/CC vulnerability note, Dormann says he notified Microsoft of Outlook's propensity for loading OLE objects without alerting users in November 2016. After almost 18 months, the company finally issued a patch for the reported issue, but Dormann says the patch does not address the problem at the core of the issue. According to Microsoft, the CVE-2018-0950 patch delivered yesterday only blocks Outlook from initiating SMB connections when previewing rich formatted emails. Dormann points out that Outlook still does not prompt the user for permission to render OLE objects for email previews.
Furthermore, the researcher also highlights that there are other ways of obtaining the NTLM hashes, such as embedding UNC links to SMB servers inside the email, links that Outlook will automatically make clickable. "If a user clicks such a link, the impact will be the same as with this vulnerability," Dormann says. But even this incomplete patch is good news. It means that while Outlook will continue to render OLE objects inside email previews, at least these objects can't be used to steal NTLM hashes via SMB anymore. To prevent attackers from getting their hands on NTLM hashes via SMB altogether, the expert recommends that system administrators apply additional OS-level workarounds,
According to web security firm Sucuri, who detected the attacks after details of the vulnerability became public last Monday, the attacks have been slowly growing, reaching almost 3,000 defacements per day. Attackers are exploiting a vulnerability in the WordPress REST API, which the WordPress team fixed almost two weeks ago, but for which they published public details last Monday. Exploiting the flaw is trivial, and according to Sucuri, a few public exploits have been published online since last week. Based on data collected from Sucuri's honeypot test servers, four attackers have been busy in the past week trying to exploit the flaw. Since the attacks have been going on for some days, Google has already started to index some of these defacements. Sucuri's CTO, Daniel Cid, expects to see professional defacers enter the fold, such as SEO spam groups that will utilize the vulnerability to post more complex content, such as links and images.
Award-winning cooking tools company OXO revealed that it has suffered data breaches over the last two years that may have compromised customer and credit card information. In a breach disclosure letter filed with the State of California, OXO said that the data security incident involved "sophisticated criminal activity that may have exposed some of your personal information." The attacker is believed to have accessed credit card information, along with names and billing and shipping addresses, though the letter does not state the scope of impact. "On December 17, 2018, OXO confirmed through our forensic investigators that the security of certain personal information that you entered into our e-commerce website (https://www.oxo.com) may have been compromised. We currently believe that information entered in the customer order form between June 9, 2017 – November 28, 2017, June 8, 2018 – June 9, 2018, July 20, 2018 – October 16, 2018 may have been compromised. While we believe the attempt to compromise your payment information may have been ineffective, we are notifying you out of an abundance of caution." OXO is currently working with security consultants and forensic investigators, who are looking at past vulnerabilities in the website as part of an ongoing investigation of the incident. Additionally, the company has taken measures to secure its site to prevent future incidents. "This latest breach underscores the importance of 24/7 security monitoring," said Matan Or-El, CEO of Panorays. "With the new year upon us, companies should perform an in-depth review of all their digital assets to ensure that they and their third parties have not been compromised. We expect that future hacks will be targeted towards entire industries so as to maximize the payout for cyber-criminals." OXO has also secured the services of risk mitigation and response firm Kroll in order to extend identity monitoring services to its customers.