A Windows zero-day bug has made the news. A zero-day is a vulnerability that has been exposed but is not yet patched. Darren Allan in TechRadar was one of the tech watchers reporting on the vulnerability, a privilege escalation bug. "The user linked to a page on GitHub which appears to contain a proof-of-concept (PoC) for the vulnerability," said Charlie Osborne in ZDNet. "CERT/CC (the US cybersecurity organization which looks to counter emerging threats) has confirmed that this vulnerability can be leveraged against a 64-bit Windows 10 PC which has been fully patched up to date," said TechRadar, in turn referring to a story in The Register. Richard Chirgwin of The Register had reported that "CERT/CC vulnerability analyst Will Dormann quickly verified the bug." CERT/CC did a formal investigation and posted an advisory. "'Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges,' the alert stated." The advisory reads: "This can be leveraged to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications." Should we worry? Allan said it is a local bug: to exploit it, the attacker would have to be already logged into the PC or be running code on the machine.
But wait. Though local, Ars Technica's Peter Bright let readers know what the flaw allows one to do. Not pretty. Bright wrote that "The flaw allows anyone with the ability to run code on a system to elevate their privileges to 'SYSTEM' level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser." Osborne in ZDNet said that while the impact was limited, "the public disclosure of a zero-day is still likely a headache for the Redmond giant."
Cisco Systems yesterday issued 17 security advisories disclosing vulnerabilities in multiple products, including at least three critical flaws. One of them, a privileged access bug found in seven models of its Small Business Switches, has not yet been patched, but the company has recommended a workaround to limit its potential for damage. Designated CVE-2018-15439 with a CVSS score of 9.8, the unsolved privileged access vulnerability could allow a remote attacker to bypass an affected device's user authentication mechanism and obtain full admin rights without the proper administrators being notified. Although there is currently no software fix, a Cisco advisory says users can implement a workaround by "adding at least one user account with access privilege set to level 15 in the device configuration." Affected device models are the Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches. The other critical flaws confirmed in Cisco products were an authentication bypass vulnerability in the Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express. These also carry CVSS scores of 9.8. Cisco published a fourth critical advisory warning of a remote code execution bug in the Apache Struts Commons FileUpload Library; however, it is unknown at this time whether any Cisco products and services are affected.
Additional vulnerabilities were found in Cisco's Meraki networking devices, Video Surveillance Media Server, Content Security Management Appliance, Registered Envelope Service, Price Service Catalog, Prime Collaboration Assurance, Meeting Server, Immunet and AMP for Endpoints, Firepower System Software, Energy Management Suite and Integrated Management Controller Supervisor. And in one final, odd advisory, Cisco acknowledged that a flub in its QA practices allowed dormant exploit code for the Dirty Cow vulnerability to be included in shipping software images for its Expressway Series and Cisco TelePresence Video Communication Server (VCS) software. "The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images," said the advisory. "The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images."
The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said on Monday. The devices, like pacemakers and defibrillators, are used to monitor and control patients' heart functions and prevent heart attacks. St. Jude has developed a software patch to fix the vulnerabilities, and it will automatically be applied to affected devices beginning Monday. To receive the patch, the Merlin@home Transmitter must be plugged in and connected to the Merlin.net network. The FDA said patients can continue to use the devices, and no patients were harmed as a result of the vulnerabilities. Abbott Laboratories (ABT), which recently acquired St. Jude in a deal worth $25 billion, said it has worked with the FDA and DHS to update and improve the security of the affected devices. "Cybersecurity, including device security, is an industry-wide challenge and all implanted devices with remote monitoring have potential vulnerabilities," Candace Steele Flippin, a spokeswoman for Abbott, told CNNMoney in an email. "As we've been doing for years, we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems." The FDA said hackers could control a device by accessing its transmitter. In August 2016, Muddy Waters founder Carson Block published a report claiming St. Jude's devices could be hacked and said he was shorting the stock. St. Jude said the claims were "absolutely untrue," and in September it filed a lawsuit against the firm.
In a statement, Block said Monday's announcement "vindicates" the firm's research. "It also reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities," Block said. "Regardless, the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants." The confirmation of St. Jude's vulnerabilities is the latest reminder of how internet-connected devices can put health at risk. In December, the FDA published guidance for manufacturers on how to proactively address cybersecurity risks.
Researchers from Positive Technologies have unearthed a critical vulnerability (CVE-2017-6968) in Checker ATM Security by Spanish corporate group GMV Innovating Solutions. Checker ATM Security is a specialized security solution aimed at keeping ATMs safe from logical attacks. It does so by enforcing application whitelisting and full hard disk encryption, providing ACL-based control of process execution and resource access, enforcing security policies, restricting attempts to connect peripheral devices, and so on. The flaw can be exploited to remotely run code on a targeted ATM, increase the attacker's privileges in the system, and compromise the machine completely. "To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection," researcher Georgy Zaytsev explained. "During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution. This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorized money withdrawal." When informed of the vulnerability and provided with test exploits, GMV confirmed its existence and that it affects versions 4.x and 5.x of the software, and ultimately pushed out a patch, which users are urged to install as soon as possible.
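The overflow Zaytsev describes is the classic case of a client trusting a length field supplied by the peer. The C program below is an added example, not GMV's code: the two-byte length-prefixed wire format and the 256-byte key buffer are assumptions made for illustration. It places the unchecked parsing pattern beside a hardened parser that rejects a declared length larger than the destination buffer or larger than the bytes actually received, which is the client-side check whose absence the researcher points to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format for the example: a 2-byte big-endian length followed by
 * that many bytes of key material. KEY_BUF_SIZE is an arbitrary fixed client
 * buffer; neither value comes from the real product. */
#define KEY_BUF_SIZE 256

struct key_reply {
    uint8_t key[KEY_BUF_SIZE];
    size_t  key_len;
};

/* Vulnerable pattern (kept for comparison only, never executed here): the
 * client trusts the length the server declares. A rogue server that declares
 * more than KEY_BUF_SIZE bytes makes memcpy write past the end of reply->key. */
int parse_key_reply_unchecked(const uint8_t *msg, size_t msg_len,
                              struct key_reply *reply)
{
    if (msg_len < 2)
        return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(reply->key, msg + 2, declared);   /* declared is never bounded */
    reply->key_len = declared;
    return 0;
}

/* Hardened parser: the declared length must fit the destination buffer and
 * must not exceed what was actually received. Returns 0 on success,
 * -1 on a malformed header, -2 if the server asks for too much (or nothing),
 * -3 if the message is shorter than it claims to be. */
int parse_key_reply_checked(const uint8_t *msg, size_t msg_len,
                            struct key_reply *reply)
{
    if (msg == NULL || reply == NULL || msg_len < 2)
        return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared == 0 || declared > KEY_BUF_SIZE)
        return -2;
    if (declared > msg_len - 2)
        return -3;
    memcpy(reply->key, msg + 2, declared);
    reply->key_len = declared;
    return 0;
}

/* Builds a constructed (not captured) reply with the given declared length and
 * actual body size, then runs it through the hardened parser. */
static int run_case(uint16_t declared, size_t body_len)
{
    uint8_t msg[2 + KEY_BUF_SIZE];
    struct key_reply reply;
    if (body_len > KEY_BUF_SIZE)
        body_len = KEY_BUF_SIZE;
    msg[0] = (uint8_t)(declared >> 8);
    msg[1] = (uint8_t)(declared & 0xFF);
    memset(msg + 2, 0xAB, body_len);          /* dummy key bytes */
    return parse_key_reply_checked(msg, 2 + body_len, &reply);
}

int demo_accepts_valid(void)      { return run_case(32, 32); }    /* -> 0  */
int demo_rejects_oversized(void)  { return run_case(1024, 64); }  /* -> -2 */
int demo_rejects_truncated(void)  { return run_case(32, 8); }     /* -> -3 */
int demo_rejects_short_header(void)
{
    uint8_t one = 0x00;
    struct key_reply reply;
    return parse_key_reply_checked(&one, 1, &reply);               /* -> -1 */
}

int main(void)
{
    printf("valid reply:        %d\n", demo_accepts_valid());
    printf("oversized length:   %d\n", demo_rejects_oversized());
    printf("truncated body:     %d\n", demo_rejects_truncated());
    printf("short header:       %d\n", demo_rejects_short_header());
    return 0;
}
```

The hardened parser returns a distinct code for each failed check so that the caller can log which one fired; on an ATM, a control server that starts sending oversized or truncated key material is exactly the event a monitoring system should record rather than silently ignore.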
Exploitation not detected in the wild
A company spokesperson has made sure to point out that there is no indication that the vulnerability has been exploited in attacks in the wild. Also, exploitation is not that easy, as the attacker must first gain access to the ATM network and log into the target system. "Secondly, the attack is difficult to be systematically exploited in an ATM network. In order to exploit it, the attacker needs some memory addresses that are strongly dependent on the Windows kernel version; while in Windows XP systems it could theoretically be possible to take advantage of the vulnerability, in Windows 7 it is almost impossible because those memory addresses are different in every Windows installation," the spokesperson told The Register. Like any software, security software is not immune to vulnerabilities and can open systems to exploitation. While antivirus and other security solutions for personal computers are often scrutinized and tested for flaws by third-party researchers, specialized security software has not, so far, received that amount of attention. So it's good to hear that some researchers have decided to focus on it, and that vendors are responding positively to vulnerability disclosures.
IP cameras manufactured by Chinese vendor Foscam are riddled with security flaws that allow an attacker to take over the device and penetrate your network. The issues came to light yesterday when Finnish cyber-security firm F-Secure published its findings after Foscam failed to answer bug reports and patch its firmware. Below is a list of 18 vulnerabilities researchers discovered in Foscam IP cameras: The variety of issues F-Secure researchers discovered means there are multiple ways an attacker can hack one of these devices and use it for various operations. "For example, an attacker can view the video feed, control the camera operation, and upload and download files from the built-in FTP server," F-Secure says. "They can stop or freeze the video feed, and use the compromised device for further actions such as DDoS or other malicious activity." "If the device is in a corporate local area network, and the attacker gains access to the network, they can compromise the device and infect it with a persistent remote access malware. The malware would then allow the attacker unfettered access to the corporate network and the associated resources," researchers added. F-Secure researchers say all these vulnerabilities have been confirmed in Foscam C2 models, but also in Opticam i5, an IP camera sold by another vendor but based on a white-label Foscam device. In fact, researchers suspect that Foscam has sold the vulnerable IP camera model as a white-label product, which other companies bought, plastered their logo on top of, and resold as their own devices.
F-Secure says it identified 14 other vendors that sell Foscam-made cameras, but it has not tested their products as of yet. F-Secure recommends that network administrators remove any Foscam-made IP camera from their network until the Chinese company patches its firmware.
A case involving software vulnerabilities in medical electronics reveals the inability of both the health care sector and federal regulators to swiftly address cybersecurity problems. This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators. But it took federal authorities who regulate medical devices four months to acknowledge only one of the alleged defects, and for the company, St. Jude Medical, to patch it. The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act, and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet. "Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws." In this particular case, legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock. As a result, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged glitches in its pacemaker and implantable defibrillator systems.
"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months." Last week, the Food and Drug Administration along with the Department of Homeland Security confirmed at least some of MedSec's findings and reported a flaw in the St. Jude Merlin@home transmitter, an at-home computer that sends data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery power or potentially harm the patient. St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months." But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves. The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity." It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported in late August.
In fact, the VA in recent months has continued paying for operations involving St. Jude devices, according to contract documents. Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor," said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program. The controversy could have been partly avoided, perhaps, if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities. A week before federal regulators publicized the one St. Jude glitch on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action. On Jan. 4, DHS circulated the final Food and Drug Administration (FDA) cybersecurity guidelines for monitoring networked medical devices on the market, which threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days. Corman recommends that providers, including VA, heed all the literature that's been published on the St. Jude glitches, including a DHS technical advisory, FDA security communication, MedSec report, and guidance written by Bishop Fox, a cybersecurity consultancy Muddy Waters hired in response to the lawsuit. "Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.
Will Strafach, CEO of Sudo Security Group, said he found 76 iOS apps that are vulnerable to an attack that can intercept protected data. TLS is used to secure an app's communication over an internet connection. Without it, a hacker can essentially eavesdrop over a network to spy on whatever data the app sends, such as login information. "This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use," Strafach said. "This can be anywhere in public, or even within your home if an attacker can get within close range." Strafach discovered the vulnerability in the 76 apps by scanning them with his company-developed security service, verify.ly, which he's promoting. It flagged "hundreds of applications" with a high likelihood of data interception. He's so far confirmed that these 76 apps possess the vulnerability. He did so by running them on an iPhone running iOS 10 and using a proxy to insert an invalid TLS certificate into the connection. Strafach declared that 43 of the apps were either a high or medium risk, because they risked exposing login information and authentication tokens. Some of them are from "banks, medical providers, and other developers of sensitive applications," he said. He's not disclosing their names, to give them time to patch the problem. The remaining 33 apps were deemed low risks because they revealed only partially sensitive data, such as email addresses. They include the free messaging service ooVoo, video uploaders to Snapchat and lesser-known music streaming services, among many others.
In all, the 76 apps have 18 million downloads, according to app market tracker Apptopia, Strafach said. It'll be up to the app developers to fix the problem, but it only involves changing a few lines of code, says Strafach, who's been trying to contact the developers. He included some warnings for developers in the blog post. "Be extremely careful when inserting network-related code and changing application behaviors," he wrote. "Many issues like this arise from an application developer not fully understanding the code they've borrowed from the web." Users of affected apps can protect themselves by turning off Wi-Fi when in a public location, Strafach says. That will force the phone to use a cellular connection to the internet, making it much harder for any hacker to eavesdrop unless they use expensive and illegal equipment, Strafach said.
The hacker leaked the FBI.GOV accounts that he found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc.). Leaked records contain account data, including names, SHA1-hashed passwords, SHA1 salts, and emails. The intrusion occurred on December 22, 2016; the hacker revealed that he had exploited a zero-day vulnerability in the Plone Content Management System. "Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered the most secure CMS till date. The vulnerability resides in some python modules of the CMS." The hacker noticed that while media from Germany and Russia published the news about the hack, US-based publishers ignored it. According to CyberZeist, the FBI contacted him to pass on the leaks. "I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them, just because I was waiting for FBI to react on time. They didn't directly react and I don't know yet what they are up to, but at the time I was extracting my finds after hacking FBI.GOV," he wrote. The hacker added further details on the attack: while experts at the FBI were working to fix the issue, he noticed that the Plone 0day exploit was still working against the CMS backend. "... but I was able to recon that they were running FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations. Their last reboot time was 15th December 2016 at 6:32 PM in the evening."
"While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) in the same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files; instead I tweeted out my findings and thought to wait for FBI's response. Now let's sit and wait for the FBI's response. I obviously cannot publish the 0day attack vector myself." The hacker confirmed that the 0-day is offered for sale on Tor by a hacker who goes by the moniker "lo4fer". "Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself." Let's close with a curiosity: CyberZeist is asking you to choose the next target. The hacker is very popular; among his victims are Barclays, Tesco Bank and MI5.