Colorado investigators call in FBI , work through the night . Colorado Department of Transportation employees spent a second day offline Thursday as security officials investigated the damage done by a ransomware virus that hijacked computer files and demanded payment Attack.Ransom in bitcoin for their safe return . The state ’ s Office of Information Technology , which reached out to the FBI for assistance , are still investigating the attack Attack.Ransom and have not paid Attack.Ransom a cent to attackers — nor do they plan to , said Brandi Simmons , an OIT spokeswoman . “ No payments have been made or will be made . We are still investigating to see whether or not files were damaged or recovered Attack.Databreach , ” she said in an email Thursday . On Wednesday morning , CDOT shut down more than 2,000 employee computers while security officials investigated the attack . The malicious code was a variant of ransomware known as SamSam , Simmons said . McAfee , the security software used by CDOT computers , provided Vulnerability-related.PatchVulnerability a software patch on Wednesday to stop the execution of the ransomware . “ This ransomware virus was a variant and the state worked with its antivirus software provider to implement Vulnerability-related.PatchVulnerability a fix today . The state has robust backup and security tools and has no intention of paying ransomware Attack.Ransom . Teams will continue to monitor the situation closely and will be working into the night , ” said David McCurdy , chief technology officer , Governor ’ s Office of Information Technology , in a statement on Wednesday . He added : “ OIT , FBI and other security agencies are working together to determine a root cause analysis. ” SamSam last showed up in January after targeting the healthcare industry . It encrypted files and renamed them “ I ’ m sorry , ” according to a report with security firm TrendMicro . One hospital , Hancock Health in Indiana , paid Attack.Ransom $ 55,000 to get its files back . TrendMicro said the attack Attack.Ransom wasn ’ t due to an employee opening an infected email , but hackers gained access remotely using a vendor ’ s user name and password . “ No one is back online . What we ’ re doing is working offline . All our critical services are still online — cameras , variable message boards , CoTrip , alerts on traffic . They are running on separate systems , ” Ford said . “ The message I ’ m sharing ( with employees ) is CDOT operated for a long time without computers so we ’ ll use pen and paper. ” There ’ s only one Mac computer in the office and it wasn ’ t turned on , Ford said , because “ We ’ re not messing around today . ”

SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered Vulnerability-related.DiscoverVulnerability the coding flaw and shared Vulnerability-related.PatchVulnerability a fix for it , raising questions about why Equifax did n't update Vulnerability-related.PatchVulnerability its software successfully when the danger became known . A week after Equifax revealed one of the largest breaches Attack.Databreach of consumers ' private financial data in history — 143 million consumers and access Attack.Databreach to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax . `` The Equifax data compromise Attack.Databreach was due to ( Equifax 's ) failure to install the security updates provided Vulnerability-related.PatchVulnerability in a timely manner , '' The Apache Foundation , which oversees the widely-used open source software , said in a statement Thursday . Equifax told USA TODAY late Wednesday the criminals who gained access Attack.Databreach to its customer data exploited Vulnerability-related.DiscoverVulnerability a website application vulnerability known as Vulnerability-related.DiscoverVulnerability Apache Struts CVE-2017-5638 . The vulnerability was patched Vulnerability-related.PatchVulnerability on March 7 , the same day it was announced Vulnerability-related.DiscoverVulnerability , The Apache Foundation said . Cybersecurity professionals who lend their free services to the project of open-source software — code that 's shared by major corporations and that 's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group , making the risk and fix known to any company using the software . Modifications were made on March 10 , according to the National Vulnerability Database . But two months later , hackers took advantage of the vulnerability to enter the credit reporting agency 's systems : Equifax said the unauthorized access began in mid-May . Equifax did not respond to a question Wednesday about whether the patches were applied Vulnerability-related.PatchVulnerability , and if not , why not . `` We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement , '' it said . It should have have acted faster to successfully deal with the problem , other cybersecurity professionals said . `` They should have patched Vulnerability-related.PatchVulnerability it as soon as possible , not to exceed a week . A typical bank would have patched Vulnerability-related.PatchVulnerability this critical vulnerability within a few days , ” said Pravin Kothari , CEO of CipherCloud , a cloud security company . Federal regulators are now investigating whether Equifax is at fault . The Federal Trade Commission and the Consumer Financial Protection Bureau have said they 've opened probes into the hack . So far dozens of state attorneys general are investigating the breach , and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws . More than 23 class-action lawsuits against the company have also been proposed . Proof that Equifax failed to protect customers , particularly when it had the tools and information to do so , is likely to further damage Equifax 's financial outlook . Shares fell 2.5 % Thursday after news of the FTC probe and are down 33 % since it revealed the link .

Oracle released Vulnerability-related.PatchVulnerability its latest Critical Patch Update on July 18 , fixing Vulnerability-related.PatchVulnerability 334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patched Vulnerability-related.PatchVulnerability by Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressed Vulnerability-related.PatchVulnerability in this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixed Vulnerability-related.PatchVulnerability in the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patched Vulnerability-related.PatchVulnerability for three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application received Vulnerability-related.PatchVulnerability the highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , got Vulnerability-related.PatchVulnerability 44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patched Vulnerability-related.PatchVulnerability for 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU provides Vulnerability-related.PatchVulnerability eight security fixes , though organizations likely need to be cautious when applying Vulnerability-related.PatchVulnerability the patches , as certain functionality has been removed . `` Several actions taken to fix Vulnerability-related.PatchVulnerability Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who apply Vulnerability-related.PatchVulnerability binary patches should be extremely cautious and thoroughly test their applications before putting Vulnerability-related.PatchVulnerability patches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update released Vulnerability-related.PatchVulnerability on Jan 15 , which provided Vulnerability-related.PatchVulnerability patches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixing Vulnerability-related.PatchVulnerability the reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .

Users of open source webmail software SquirrelMail are open to remote code execution due to a bug ( CVE-2017-7692 ) discovered Vulnerability-related.DiscoverVulnerability independently by two researchers . “ If the target server uses Sendmail and SquirrelMail is configured to use it as a command-line program , it ’ s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command , ” the explanation provided by MITRE reads . “ For exploitation , the attacker must upload a sendmail.cf file as an email attachment , and inject the sendmail.cf filename with the -C option within the ‘ Options > Personal Informations > Email Address ’ setting. ” The bug was found Vulnerability-related.DiscoverVulnerability by researchers Filippo Cavallarin and Dawid Golunski , independently of one another , and affects SquirrelMail versions 1.4.22 and below . Golunski reported Vulnerability-related.DiscoverVulnerability it to SquirrelMail ( sole ) developer Paul Lesniewski , who asked for a delay of publication of the details until he could fix Vulnerability-related.PatchVulnerability the flaw . But as Cavallarin published Vulnerability-related.DiscoverVulnerability details about it last week ( after not receiving any reply by the SquirrelMail developer ) , Golunski did the same during the weekend . Both researchers provided Vulnerability-related.DiscoverVulnerability a proof-of-concept exploit for the flaw , and Cavallarin even offered Vulnerability-related.PatchVulnerability an unofficial patch for plugging Vulnerability-related.PatchVulnerability the hole . All this prompted Lesniewski to push out Vulnerability-related.PatchVulnerability a patch on Monday , and new , patched version snapshots of the software ( 1.4.23-svn and 1.5.2-svn ) . He also told The Register that exploitation of the bug is difficult to pull off . “ In order to exploit the bug , a malicious user would need to have already gained control over a mail account by other means , SquirrelMail would need to be configured to allow users to change their outgoing email address ( we recommend keeping this disabled ) , the user would need to determine the location of the attachments directory ( by gaining shell access or making guesses ) , the permissions on said directory and files would need to allow access by other processes ( by default this will usually be the case , but prudent admins will exert more stringent access controls ) and of course , SquirrelMail needs to be configured to send via Sendmail and not SMTP ( default is SMTP ) , ” he explained . Still , according to Golunski , the 1.4.23 version snapshot offered Vulnerability-related.PatchVulnerability on Monday was still vulnerable Vulnerability-related.DiscoverVulnerability . But another one was pushed out Vulnerability-related.PatchVulnerability today , so it ’ s possible that the issue was finally , definitely fixed Vulnerability-related.PatchVulnerability . Users can wait to update their installation until things become more clear , and in the meantime , they can protect themselves by configuring their systems not to use Sendmail .

There ’ s no question that Friday ’ s WannaCry ransomware attack Attack.Ransom , which spread like wildfire , was bad . Its ability to spread like a worm by exploiting a Microsoft vulnerability was certainly new ground for a ransomware campaign . But along the way , there ’ s been a lot of fear and hype . Perspective is in order . Here ’ s a look at the latest in Sophos ’ investigation , including a recap of how it is protecting customers . From there , we look at how this fits into overall attack trends and how , in the grand scheme of things , this doesn ’ t represent a falling sky . With the code behind Friday ’ s attack in the wild , we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them . Over the weekend , accounts set up to collect ransom payments Attack.Ransom had received smaller amounts than expected for an attack of this size . But by Monday morning , the balances were on the rise , suggesting that more people were responding to the ransom message Monday . On Saturday , three ransomware-associated wallets had received 92 bitcoin payments Attack.Ransom totaling $ 26,407.85 USD . By Sunday , the number between the three wallets was up to $ 30,706.61 USD . By Monday morning , 181 payments Attack.Ransom had been made totaling 29.46564365 BTC ( $ 50,504.23 USD ) . Analysis seems to confirm that Friday ’ s attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers . It used a variant of the Shadow Brokers ’ APT EternalBlue Exploit ( CC-1353 ) , and used strong encryption on files such as documents , images , and videos . A perfect attack would self-propagate but would do so slowly , randomly and unpredictably . This one was full throttle , but hardly to its detriment . Here we had something that spread like wildfire , but the machines that were impacted Vulnerability-related.DiscoverVulnerability were probably still susceptible to secondary attacks because the underlying vulnerability probably hasn ’ t been patched Vulnerability-related.PatchVulnerability . The problem is that exploit and payload are separate . The payload went fast and got stopped , but that ’ s just one of an infinite number of possibilities that can spread through the unsolved exploit . Companies still using Windows XP are particularly susceptible to this sort of attack . First launched in 2001 , the operating system is now 16 years old and has been superseded by Windows Vista and Windows 7 , 8 and 10 upgrades . It remains to be seen who was behind this attack . Sophos is cooperating with law enforcement to provide any intelligence it can gather about the origins and attack vectors . The company believes initial infections may have arrived via an email with a malicious payload that a user was tricked Attack.Phishing into opening . Sophos continues to update protections against the threat . Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard . Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen , the offending ransomware splash screen and note may still appear . For updates on the specific strains being blocked , Sophos is continually updating a Knowledge-Base Article on the subject . Meanwhile , everyone is urged to update their Windows environments as described in Microsoft Security Bulletin MS17-010 – Critical . For those using older versions of Windows , Microsoft has provided Vulnerability-related.PatchVulnerability Customer Guidance for WannaCrypt attacks Attack.Ransom and has made the decision to make the Security Update for platforms in custom support only – Windows XP , Windows 8 , and Windows Server 2003 – broadly available for download Vulnerability-related.PatchVulnerability . As severe as this attack was , it ’ s important to note that we ’ re not looking at a shift in the overall attack trend . This attack represents a merging of old behaviors into a perfect storm . SophosLabs VP Simon Reed said : This attack demonstrates the opportunistic nature of commercial malware authors to re-use the most powerful of exploit techniques to further their aims , which is ultimately to make money . In the final analysis , the same advice as always applies for those who want to avoid such attacks . To guard against malware exploiting Microsoft vulnerabilities : To guard against ransomware in general : Finally , there ’ s the question of whether victims should pay the ransom Attack.Ransom or stand their ground . Sophos has mostly taken a neutral stance on the issue . In the case of this attack , paying the ransom Attack.Ransom doesn ’ t seem to be helping the victims so far . Therefore , Levy believes paying the WannaCry ransom Attack.Ransom is ill-advised : In general , paying Attack.Ransom is a bad idea unless the organization is truly desperate to get irreplaceable data back and when it is known that the ransom payment Attack.Ransom works . In this attack , it doesn ’ t appear to work . It ’ s been referred to as a ‘ kill switch ’ – that all the malware author had to do to throw the breaks on for some reason was to register some obscure domains . In the event a security researcher found the domains and registered them . He speculates that its not actually a kill switch but may be a form of sandbox detection ( malware wants to run in the real world and hide when it ’ s in a researcher ’ s sandbox . ) The thinking goes that in the kind of sandbox environment used by security researchers the domains might appear to be registered when in fact they are not . If the malware can get a response from the unregistered domains it thinks it ’ s in a sandbox and shuts down . If you blocklist the domains in your network then you ’ re turning off the “ kill switch ” . If you allowlist the domains you ’ re allowing access to the kill switch .

In a blog post , Leonov explained Vulnerability-related.DiscoverVulnerability that he reported Vulnerability-related.DiscoverVulnerability the issue to Facebook in October 2016 according to which the ImageMagick flaw was still active and impacted Vulnerability-related.DiscoverVulnerability Facebook . He also provided Vulnerability-related.DiscoverVulnerability Facebook security team with an in-depth proof of concept ( PoC ) who patched Vulnerability-related.PatchVulnerability the issue and awarded him a sum of $ 40,000 through the Bugcrowd payment system . “ Once upon a time on Saturday in October I was testing some big service ( not Facebook ) when some redirect followed me on Facebook . “ I am glad to be the one of those who broke the Facebook , ” said Leonov . To confirm the payment , The Register has contacted Facebook .

Home routers are the first and sometimes last line of defense for a network . Despite this fact , many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market . As security researchers , we are often disappointed to rediscover that this is not always the case , and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives . Such is the story of the two NETGEAR vulnerabilities I want to share Vulnerability-related.DiscoverVulnerability with you today : It was a cold and rainy winter night , almost a year ago , when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet . I was tucked in bed , cozy and warm , there was no way I was going downstairs to reset the modem , `` I will just reboot it through the web panel '' I thought to myself . Unfortunately I could n't remember the password and it was too late at night to check whether my roommates had it . I considered my options : Needless to say , I chose the latter . I thought to myself , `` Well , it has a web interface and I need to bypass the authentication somehow , so the web server is a good start . '' I started manually fuzzing the web server with different parameters , I tried `` .. / .. '' classic directory traversal and such , and after about 1 minute of fuzzing , I tried `` … '' and I got this response : Fig 1 : unauth.cgi `` Hmm , what is that unauth.cgi thingy ? Luckily for me the Internet connection had come back on its own , but I was now a man on a mission , so I started to look around to see if there were any known vulnerabilities for my VEGN2610 . I started looking up what that `` unauth.cgi '' page could be , and I found 2 publicly disclosed Vulnerability-related.DiscoverVulnerability exploits from 2014 , for different models that manage to do unauthenticated password disclosure . Those two guys found out Vulnerability-related.DiscoverVulnerability that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials . I tested the method described in both , and voila - I have my password , now I can go to sleep happy and satisfied . I woke up the next morning excited by the discovery , I thought to myself : `` 3 routers with same issue… Coincidence ? Luckily , I had another , older NETGEAR router laying around ; I tested it and bam ! I started asking people I knew if they have NETGEAR equipment so I could test further to see the scope of the issue . In order to make life easier for non-technical people I wrote a python script called netgore , similar to wnroast , to test for this issue . I am aware of that and that is why I do n't work as a full time programmer . As it turned out , I had an error in my code where it did n't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead , but somehow it still managed to get the credentials ! After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I have n't seen anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models . A full description of both of these findings as well as the python script used for testing can be found here . The vulnerabilities have been assigned Vulnerability-related.DiscoverVulnerability CVE-2017-5521 and TWSL2017-003 . The Responsible Disclosure Process This is where the story of discovery ends and the story of disclosure begins . Following our Responsible Disclosure policy we sent both findings Vulnerability-related.DiscoverVulnerability to NETGEAR in the beginning of April 2016 . In our initial contact , the first advisory had 18 models listed as vulnerable Vulnerability-related.DiscoverVulnerability , although six of them did n't have the vulnerability in the latest firmware . Perhaps it was fixed Vulnerability-related.PatchVulnerability as part of a different patch cycle . The second advisory included 25 models , all of which were vulnerable Vulnerability-related.DiscoverVulnerability in their latest firmware version . In June NETGEAR published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers . The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory . Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch Vulnerability-related.PatchVulnerability more models . Over that time we have found Vulnerability-related.DiscoverVulnerability more vulnerable models that were not listed in the initial notice , although they were added later . We also discovered Vulnerability-related.DiscoverVulnerability that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable Vulnerability-related.DiscoverVulnerability as well . Luckily NETGEAR did eventually get back to us right before we were set to disclose Vulnerability-related.DiscoverVulnerability these vulnerabilities publicly . We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose Vulnerability-related.DiscoverVulnerability to NETGEAR only to be met with frustration . The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline . The second change made us more confident that NETGEAR was not just serious about patching Vulnerability-related.PatchVulnerability these vulnerabilities , but serious about changing how they handle third-party disclosure in general . We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR , but , in the end , will result in a more secure line of products and services . For starters , it affects a large number of models . We have found Vulnerability-related.DiscoverVulnerability more than ten thousand vulnerable devices that are remotely accessible . The real number of affected devices is probably in the hundreds of thousands , if not over a million . The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing .

Hundreds of thousands–potentially more than one million–Netgear routers are susceptible Vulnerability-related.DiscoverVulnerability to a pair of vulnerabilities that can lead to password disclosure . Researchers said Vulnerability-related.DiscoverVulnerability that while anyone who has physical access to a router can exploit Vulnerability-related.DiscoverVulnerability the vulnerabilities locally , the real threat is that the flaw can also be exploited Vulnerability-related.DiscoverVulnerability remotely . According to Simon Kenin , a security researcher with Trustwave ’ s Spiderlabs team , who discovered Vulnerability-related.DiscoverVulnerability the flaw and disclosed Vulnerability-related.DiscoverVulnerability it Monday , the vulnerabilities can be remotely exploited Vulnerability-related.DiscoverVulnerability if the router ’ s remote management option is enabled . While Netgear claims remote management is turned off on routers by default , Kenin said there are “ hundreds of thousands , if not over a million ” devices left remotely accessible . Kenin claims that all he had to do was send a simple request to the router ’ s web management server to retrieve a router ’ s password . After determining a number that corresponds to a password recovery token , he found he could pair it with a call to the router ’ s passwordrecovered.cgi script . Kenin claims Vulnerability-related.DiscoverVulnerability he made his discovery by leveraging two exploits disclosed Vulnerability-related.DiscoverVulnerability in 2014 on some Netgear routers he had hanging around . It wasn ’ t until after Kenin pieced together a python script designed to diagnose the scope of the issue that he determined he could still retrieve the router ’ s credentials even if he didn ’ t send the correct password recovery token . “ After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , ” Kenin wrote Monday . Kenin ’ s employer , Trustwave , divulged Vulnerability-related.DiscoverVulnerability details around both vulnerabilities in a lengthy blog post Monday , putting the wraps on a nearly year-long odyssey with the vendor . The firm first disclosed Vulnerability-related.DiscoverVulnerability the vulnerability to Netgear in April 2016 , initially it listing 18 vulnerable models , before listing 25 vulnerable models in a subsequent advisory . After repeated requests for an update on a fix for the vulnerability , Netgear finally obliged in July and provided Vulnerability-related.PatchVulnerability firmware updates for a fraction of the affected routers . It wasn ’ t until this weekend that Netgear acknowledged Vulnerability-related.DiscoverVulnerability the issues again , posting Vulnerability-related.PatchVulnerability an updated version of the article on its support page , instructing users to find and download the appropriate firmware fixes . The most recent version of the advisory claims there are 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability . The company is encouraging users of some devices in which firmware is not available to implement a workaround . According to Netgear , users of 12 different models would be best served to manually enable password recovery and disable remote management on their devices . “ The potential for password exposure remains if you do not complete both steps . NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification , ” the company writes . It ’ s the first critical vulnerability to affect Vulnerability-related.DiscoverVulnerability Netgear routers this year but the second in the last two months . In December , it was discovered Vulnerability-related.DiscoverVulnerability that a handful of the company ’ s Nighthawk line of routers were vulnerable Vulnerability-related.DiscoverVulnerability to a flaw that could have given an attacker root access on the device and allowed them to run remote code . The company was quick to release Vulnerability-related.PatchVulnerability beta firmware updates to address Vulnerability-related.PatchVulnerability the vulnerability but simultaneously confirmed Vulnerability-related.DiscoverVulnerability that more routers than originally reported were vulnerable Vulnerability-related.DiscoverVulnerability . When reached Wednesday , a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out . Trustwave discloses Vulnerability-related.DiscoverVulnerability an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed .

Yesterday , researcher Simon Kenin of Trustwave SpiderLabs released information Vulnerability-related.DiscoverVulnerability about an authentication bypass flaw affecting Vulnerability-related.DiscoverVulnerability a wide variety of Netgear routers , as well as PoC attack code for triggering it . The vulnerability ( CVE-2017-5521 ) can be exploited Vulnerability-related.DiscoverVulnerability by attackers to discover the password required to take over control of an affected device . “ The bug is exploitable remotely if the remote management option is set and can also be exploited Vulnerability-related.DiscoverVulnerability given access to the router over LAN or WLAN , ” he explained Vulnerability-related.DiscoverVulnerability . “ When trying to access the web panel a user is asked to authenticate , if the authentication is cancelled and password recovery is not enabled , the user is redirected to a page which exposes a password recovery token . If a user supplies the correct token to the page http : //router/passwordrecovered.cgi ? id=TOKEN ( and password recovery is not enabled ) , they will receive the admin password for the router ” . He discovered Vulnerability-related.DiscoverVulnerability the vulnerability almost a year ago , but revealed Vulnerability-related.DiscoverVulnerability it only now because Netgear has been slow to push out Vulnerability-related.PatchVulnerability fixed firmware for affected devices . “ In June [ 2016 ] Netgear published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers , ” he noted . “ The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory ” . Trustwave found Vulnerability-related.DiscoverVulnerability over 10,000 remotely accessible vulnerable devices , and estimates that there are many more non-remotely accessible affected devices in use – possibly even a million .

WikiLeaks is posting Attack.Databreach thousands of files Tuesday the organization says detail the CIA ’ s efforts to surveil overseas targets by tapping otherwise ordinary devices that are connected to the Internet . The anti-secrecy group launched a “ new series of leaks , ” this time taking aim at the CIA ’ s Center for Cyber Intelligence , which falls under the agency ’ s Digital Innovation Directorate . The group maintains the CIA ’ s center lost control of its hacking arsenal , including malware , viruses , trojans , weaponized `` zero day '' exploits , malware remote control systems and associated documentation , and is posting what it calls the `` largest-ever publication of confidential documents on the agency . '' The dump Attack.Databreach comprises 8,761 documents and files from a network of the Center for Cyber Intelligence . A CIA spokeswoman declined to comment specifically . “ We do not comment on the authenticity or content of purported intelligence documents , ” says Heather Fritz Horniak . The authenticity of the posted documents in links from the WikiLeaks site could not be independently verified . Last year , WikiLeaks disseminated Attack.Databreach internal email communications following a hack Attack.Databreach —purportedly aided by the Russian government—of the Democratic National Committee and the Hillary Clinton campaign . The group says the Center for Cyber Intelligence's archive was circulated in an '' unauthorized manner '' among former U.S. government hackers and contractors , one of whom provided Attack.Databreach WikiLeaks with portions of the archive . “ This extraordinary collection , which amounts to more than several hundred million lines of code , gives its possessor the entire hacking capacity of the CIA , ” WikiLeaks states . “ Once a single cyber 'weapon ' is 'loose ' it can spread around the world in seconds , to be used by rival states , cyber mafia and teenage hackers alike ” . The violation highlights critical shortcomings in personnel practices , the realities of insider threats and the lack of adequate controls , even within the intelligence community . `` It ’ s too easy for data to be stolen Attack.Databreach , even—allegedly—within the CIA ’ s Center for Cyber Intelligence , '' says Brian Vecci , technical evangelist at Varonis , a software company focused on data protection against insider threats , data breaches Attack.Databreach and ransomware attacks Attack.Ransom '' The entire concept of a spook is to be covert and undetectable ; apparently that also applies to actions on their own network . The CIA is not immune to issues affecting many organizations : too much access with too little oversight and detective controls . '' A Forrester study noted that more 90 percent of data security professionals experience challenges with data security , and 59 percent of organizations do not restrict access to files on a need-to know-basis , Vecci points out . `` In performing forensics on the actual breach Attack.Databreach , the important examination is to determine how 8,761 files just walked out of Attack.Databreach one of the most secretive and confidential organizations in the world , '' he continues . `` Files that were once useful in their operations are suddenly lethal to those same operations . We call this toxic data , anything that is useful and valuable to an organization but once stolen Attack.Databreach and made public turns toxic to its bottom line and reputation . All you have to do is look at Sony , Mossack Fonseca and the DNC to see the effects of this toxic data conversion . `` Organizations need to get a grip on where their information assets are , who is using them , and who is responsible for them , '' Vecci concludes . They need to put all that data lying around in the right place , restrict access to it and monitor and analyze who is using it . '' Tuesday ’ s document dump Attack.Databreach mirrors the one WikiLeaks carried out when it exposed Attack.Databreach cyber toolkits used by the National Security Agency , and frankly , is not that surprising of revelation at all , offers Richard Forno , assistant director at the University of Maryland , Baltimore County Center for Cybersecurity and director of the Cybersecurity Graduate Program . “ The big takeaway Attack.Databreach is that it shows the CIA is just as capable of operating in the cyberspace as the NSA , ” Forno says . The CIA ’ s cyber focus reinforces the idea that security in this domain is just as important as others for national security and solidifies the U.S. government ’ s commitment in the area , Forno offers . WikiLeaks contends that the CIA and its contractors developed malware and hacking tools for targeted surveillance efforts , tapping otherwise ordinary devices such as cellphones , computers , televisions and automobiles to spy on targets . Some cases involved CIA collaboration with the United Kingdom ’ s intelligence MI5/BTSS , WikiLeaks states . It maintains the CIA ’ s Mobile Devices Branch developed malware to penetrate cellphone securities and could be tapped to send CIA users ’ geolocation information , audio and text files and covertly activate the phones ’ cameras and microphones . “ These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking Attack.Databreach the ‘ smart ’ phones that they run on and collecting Attack.Databreach audio and message traffic before encryption is applied , ” the group states .