Archive for the ‘Random’ Category

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

 

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

The latest security update addresses 27 vulnerabilities rated critical and 54 rated important in severity, of which 38 affect Windows and 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publicly known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759): A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once a system is infected, FinSpy can perform a large number of secret tasks on the victim’s computer, including secretly monitoring it by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (which affected more than 5 Million Bluetooth-enabled devices, including Windows) were silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure flaws and one denial of service flaw in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

CenturyLink faces pile of lawsuits over fraudulent billing | FierceTelecom

Wednesday, July 19th, 2017

Arizona is one of the latest states to join the suit.

CenturyLink’s troubles over fraudulent billing practices continue to mount as a growing number of states have filed lawsuits against the telco.

Trouble for the telco has mounted since a former employee claimed she was fired for alerting company officials about charging customers millions of dollars for services they never ordered.

Working for CenturyLink as a customer service and sales agent from August 2015 until October 2016, Heidi Heiser said in a lawsuit filed in Arizona State Superior Court that she was fired shortly after pointing the issue out to the service provider’s CEO Glen Post during a company Q&A session.

After Heiser filed her initial suit, a number of states have also joined a growing class action suit. Each of these states has cited consumer stories of how CenturyLink has been overbilling customers.

One of the latest states to join the suit was Arizona.

Ben Meiselas, the lead attorney on the case from Los Angeles-based firm Geragos & Geragos, told FierceTelecom in an e-mail that besides Arizona, “we previously filed in California, Nevada, Oregon, Washington, Idaho and Colorado,” adding that “we intend to file in every state.”

Meanwhile, other states like Minnesota are taking matters into their own hands.

Minnesota’s attorney general (AG) Lori Swanson has filed a lawsuit against CenturyLink, saying her office has also found evidence of repeated and systemic billing fraud at the company. One of the practices the Minnesota AG cites is the telecom industry practice of advertising one rate, then using bogus fees to charge customers more.

“I want [CenturyLink] to knock it off,” Swanson said. “It is not OK for a company to quote one price and then charge another for something as basic as cable television and internet service. We want an injunction so the company stops doing this to other people, and hopefully fixes the problem for these people as well.”

The Minnesota lawsuit cites 37 examples of where customers were overbilled by CenturyLink, which the AG said the telco refused to remedy even when customers provided proof of the original advertised price. In addition to charging for services that consumers did not ask for, the company apparently used fees like its internet recovery fee to further increase prices.

“Shopping for internet and cable TV service isn’t easy if companies don’t give straight answers about the prices they will charge,” the Minnesota AG said.

Interestingly, the mounting pile of lawsuits over the fraudulent billing issue comes as the telco simplifies its broadband pricing regime. In Nevada, the company is offering consumers a price for life guarantee on three of its common internet speed tiers in an apparent move to attract and retain broadband customers from churning to cable, for example.

As part of this initiative, the service provider announced it was doing away with its broadband cost recovery fee (ICRF). CenturyLink began implementing the fee in 2013. In April 2016, according to a DSLReports article, the service provider raised the fee to $4.

Source: CenturyLink faces pile of lawsuits over fraudulent billing | FierceTelecom

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Wednesday, July 19th, 2017

Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking.

The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say.

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to electronics industry consortium ONVIF to ensure that all of its members that make use of gSOAP, including Canon, Cisco, and Siemens, become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices have always been the weakest link and, therefore, an easy entry for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

Source: Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Understanding Open Source Agility – Watching revenue upside in SD-WAN, UCaaS services.

Thursday, July 13th, 2017
“A penny saved is a penny earned” –Wise Anonymous person’s words that I heard from my mother growing up.
ROI should be an initial checkpoint and a major focus of any technological investment. What is the solution solving? I can’t stop adding items to the list. I found the article below rather interesting – The service and cloud scene is poppin right now.
–Aaron

Corning’s Fiber Optic revenues jump 11%

Thursday, January 26th, 2017

Within the optical communications segment, carrier sales rose 12% to $619 million, while enterprise revenues were up 8% to $200 million.

Tripeny said Corning expects 2017 optical communications growth to be driven by three main factors: fiber market demand exceeding supply, industry leaders investing in optical solutions, and the consolidation of some of its largest service provider customers.

Source: Corning’s optical communications revenues jump 11% on North American FTTH sales | FierceTelecom

InfoSec – Critical Vulnerability in Cisco WebEx Chrome Plugin

Thursday, January 26th, 2017

Update: Version 1.0.5 of the Google Chrome WebEx plugin, released this morning, fixes this issue.

The Google 0-Day project announced a critical remote code execution vulnerability in Cisco’s WebEx plugin for Google Chrome. This vulnerability allows a remote attacker to execute arbitrary code on the victim’s system by delivering it to the WebEx plugin via a special “secret” URL.

The secret pattern:  cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

Google set up a test page and published a detailed report about how this vulnerability can be used to execute code [1].

Note that version 1.0.3 of the plugin, which was released on Sunday (Jan 22nd), appears to be still vulnerable. At this point, it is probably best to uninstall the plugin and use a different browser for WebEx (of course, this issue may affect plugins for other browsers as well).

An attack would be invisible to the user if executed “right”. The user does not have to willingly join a WebEx meeting to exploit this vulnerability.

 

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1096


Johannes B. Ullrich, Ph.D.

Source: InfoSec Handlers Diary Blog – Critical Vulnerability in Cisco WebEx Chrome Plugin

New wireless hack can unlock 100 million Volkswagens

Thursday, August 11th, 2016

Researchers found separate hacks for remote key fob codes to unlock cars. Most VW Group vehicles made since 1995 and millions of other cars are vulnerable.

Is your keyless remote safe? Connected cars face increasing threats as new technologies present hackers and thieves with additional ways to access vehicles. One vulnerability, though, involves older tech — remote key fobs used to unlock cars. Researchers at the Usenix security conference in Austin will soon present a paper outlining two remote unlocking vulnerabilities, one of which puts nearly every Volkswagen Group vehicle manufactured since 1995 in jeopardy, as reported in Wired.

The researchers said VW’s latest Golf 7 model and others that use the same locking system are immune to the hack because they use unique security keys. Most VWs, however, still use the older, vulnerable tech. Neither of the two hacks, which use different methods, do more than let thieves unlock and enter the cars, which of course would enable them to steal the contents. They’d have to use other tricks to start the engine and steal the car.


The research team, led by Flavio Garcia of the University of Birmingham, discovered the ability to start millions of VW Group cars in 2013 but due to a lawsuit didn’t make that potential hack public until 2015. Now the team is back and, with the German engineering firm Kasper & Oswald, is reporting another hack to wirelessly unlock doors that affects nearly 100 million VWs.

A similar hack found by the team works with millions of other vehicles including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers did not fully disclose in the public paper exactly how they broke into the systems, not wanting to give real thieves that edge. They did, however, say that after “tedious reverse engineering” of a single component of VW’s onboard vehicle network, they found a cryptographic key value used by millions of vehicles. With remote radio eavesdropping, they could then discover the second “secret” key used by an owner when locking and unlocking a car. The first cryptographic key, the one stored in an internal component, is one of four common keys used in most of nearly 100 million VWs. The four crypto keys are stored in different components, but Garcia and his team found them all.

The researchers didn’t use crazy complex technology to break the vehicle codes. Garcia said it can be done with a “software-defined radio” connected to a laptop. And an even smaller device could be constructed for about $40 using an Arduino board — a programmable circuit board — connected to a radio receiver.

For the second hack, the one that works with millions of vehicles from other manufacturers, Garcia’s team took advantage of an out-of-date cryptographic method called HiTag2. In this case, they didn’t need to find internal keys but were able to use the same radio scanning setup to find one of eight rolling codes to discover the codes used by a vehicle owner.

According to Wired, the researchers said VW acknowledged the vulnerability they discovered. The semiconductor company that sells chips with the HiTag2 legacy crypto system, NXP, said it has been recommending that customers use newer algorithms for years.

Commenting on the current state of vehicle locking system vulnerabilities, Garcia said, “It’s a bit worrying to see security techniques from the 1990s used in new vehicles. If we want to have secure, autonomous, interconnected vehicles, that has to change.”

For now, however, if you have one of the vulnerable vehicles, the researchers suggest people not assume their cars and trucks are “safeboxes” and avoid leaving valuables inside. Even greater security would involve leaving remote keyfobs at home and manually unlocking and locking cars with physical keys — a strategy that won’t work with newer cars that are totally keyless.

Source: New wireless hack can unlock 100 million Volkswagens

Facebook debuts terrestrial tech to deliver Internet

Wednesday, April 13th, 2016

Two new technologies aim to deliver the Internet to people who live in cities where networks are routinely jammed or live far away from cell towers.

SAN FRANCISCO — Facebook has taken to the skies with ambitious plans for a fleet of unmanned solar-powered aircraft that beam the Internet to the four billion or so people who don’t have it. Now it’s focused on terra firma.

The company which runs the world’s most popular social network and among the most popular messaging services said it has built two new ground-based technologies that aim to deliver the Internet to people who live in cities where networks are routinely jammed or who live far away from cell towers and fiber optic lines, using methods that cost less.

“The challenge is huge. More than half the world is not online,” Facebook’s chief technology officer Michael Schroepfer told USA TODAY.

Facebook’s connectivity plans try to bring the Internet where it’s not available and where it is available, “making it radically cheaper,” he said, “so that more people can use and use more of it.”

It’s all part of Facebook’s grand plan to connect every person on the planet. According to Facebook, fewer than half of the world’s population are online, and 1.6 billion people don’t live within range of a data network.

The earthbound experiment uses wireless antennas that can improve Internet in urban and rural areas through two projects called Terragraph and Project ARIES, executives said Wednesday at Facebook’s annual developers conference here.

Terragraph is designed to bring high-speed Internet to dense urban areas. It’s currently being tested at Facebook headquarters in Menlo Park, Calif., with plans for a bigger trial in San Jose. Rather than laying fiber optic lines, Terragraph places small nodes or boxes on lamp posts, buildings, bus stops and other “street furniture” up to 820 feet apart to stretch the 60 gigahertz signal to offer high-speed Internet.

Project ARIES is in its early stages. Its goal is to extend Internet access to rural communities by using the existing wireless spectrum more efficiently. Facebook says in 20 countries it studied, more than 90% of people live 25 miles from a major city. It plans to make the technology available to wireless communications researchers.

Facebook hopes to speed development of new technologies by making much of its own research available at no cost. The arrangement is inspired by the open-source software movement, in which anyone can have access to the computer code but must share advances with the community at large.

“We take our mission to connect everyone seriously,” Jay Parikh, Facebook’s vice president of engineering, said on stage at the f8 conference. “However, this is a really hard problem.”

The two latest initiatives work alongside a program to bring Internet to unconnected areas via solar-powered drones. These unmanned planes, dubbed Aquila (Latin for “eagle”), are the size of a Boeing 737 and fly miles above the Earth, providing broadband-level Internet for people in a 50-mile radius below.

“We are working on everything from state-of-the-art base stations that provide wireless Internet access in urban and suburban areas on a much higher performance and lower cost to Aquila which is our airplane designed to provide Internet access to remote regions of the world and use as a state of the art laser communication system to literally make an Internet backbone in the sky,” Schroepfer said.

Facebook is not alone in its quest to discover new technologies to deliver Internet access to billions of people in developing countries. Google parent company Alphabet is backing Project Loon, which uses high-altitude, wind-propelled balloons with the goal of blanketing Internet coverage across large swaths of the world. Loon beams the Internet from balloons circling the earth at altitudes twice as high as commercial aircraft, helping mobile operators extend wireless networks into more sparsely populated or remote terrains without running fiber optic cable or building cell towers.

Source: Facebook debuts terrestrial tech to deliver Internet

No Password Required! 135 Million Modems Open to Remote Factory Reset

Monday, April 11th, 2016
More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access.
The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modems, the Arris SURFboard SB6141, used in Millions of US households.
Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his “exploit” after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure.
The Bug is quite silly: No Username and Password Protection.
 
Arris does not provide any password authentication set up on the modem’s user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password.
This issue allows a local attacker to ‘Restart Cable Modem’ from the ‘Configuration page’ of the administrative interface at http://192.168.100.1/. This is nothing but a Denial of Service (DoS) attack.
Bingo! Clicking ‘Restart Cable Modem’ manually will disable the victim’s modem for 2 to 3 minutes, and every device on that network will lose access to the Internet.
However, three minutes of no Internet connectivity is bearable, but the same administrative panel provides an option to Factory Reset the modem as well i.e. wipe out modem’s configuration and settings.
If an attacker clicks this option, your modem will go offline for 30 minutes as re-configuration process takes as long as an hour to complete. Though, sometimes you need to call your Internet Service Provider (ISP) to reactivate the modem.

How to Perform DOS Attack Remotely?

David revealed that an attacker can also reset your modem remotely, as the application doesn’t verify whether the command to reboot or reset the modem comes from the UI or from an external source.
This remote attack is known as a Cross-Site Request Forgery (CSRF) attack that allows an attacker to use social engineering techniques to trick users into clicking on a specially crafted web page or email.
For example: A web page including an <img src="http://malicious_url/"> tag could call any of the following URLs:
  • http://192.168.100.1/reset.htm (for restart)
  • http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)

“Did you know that a web browser does not care whether an ‘image’ file is really an image?,” Longenecker explains. “Causing a modem to reboot is as simple as including an ‘image’ in any other web page you might happen to open.”

“Of course, it is not a real image, but the web browser does not know that until it requests the file from the modem IP address – which of course causes the modem to reboot.”

Are the flaws easy to Patch?

These flaws are easily patchable: Arris only needs to create a firmware update such that:
  1. The UI requires authentication (username and password) before allowing someone to reboot or reset the modem.
  2. The UI validates that a request originated from the application and not from an external source.
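
The two fixes listed above, sketched as an added example (not Arris firmware code and not part of the original article): a toy model of the modem's admin endpoint, with the unauthenticated behaviour the article describes beside a handler that requires a logged-in session, a POST, a same-origin `Origin` header and a per-session token. The `Modem` and `Request` classes, the `sid` cookie, the `csrf_token` field and the password are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_ORIGIN = "http://192.168.100.1"  # modem UI address quoted in the article


@dataclass
class Request:  # hypothetical minimal request model
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Modem:  # hypothetical stand-in for the admin web UI
    def __init__(self, password="constructed-admin-password"):
        self._password = password
        self.sessions = {}  # session id -> CSRF token
        self.reboots = 0

    def login(self, password):
        """Fix 1: the UI has credentials; success yields a session and token."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return None
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def handle_vulnerable(self, req):
        # Behaviour the article describes: any request for reset.htm reboots.
        if req.path == "/reset.htm":
            self.reboots += 1
            return 200
        return 404

    def handle_hardened(self, req):
        if req.path != "/reset.htm":
            return 404
        if req.method != "POST":          # state changes never ride on GET
            return 405
        token = self.sessions.get(req.cookies.get("sid", ""))
        if token is None:                 # fix 1: caller must be authenticated
            return 401
        if req.headers.get("Origin") != ADMIN_ORIGIN:
            return 403                    # fix 2: request came from another site
        sent = req.form.get("csrf_token", "")
        if not hmac.compare_digest(sent.encode(), token.encode()):
            return 403                    # fix 2: token embedded by the UI is absent
        self.reboots += 1
        return 200


def demo():
    modem = Modem()
    sid, token = modem.login("constructed-admin-password")
    # Constructed requests. The first is what a browser sends for an embedded
    # "image" on a third-party page; cookies may be attached automatically.
    image_load = Request("GET", "/reset.htm", cookies={"sid": sid})
    foreign_post = Request("POST", "/reset.htm", cookies={"sid": sid},
                           headers={"Origin": "http://other-site.invalid"})
    anonymous = Request("POST", "/reset.htm", headers={"Origin": ADMIN_ORIGIN})
    from_ui = Request("POST", "/reset.htm", cookies={"sid": sid},
                      headers={"Origin": ADMIN_ORIGIN},
                      form={"csrf_token": token})
    results = {
        "vulnerable_image_load": modem.handle_vulnerable(image_load),
        "hardened_image_load": modem.handle_hardened(image_load),
        "hardened_foreign_post": modem.handle_hardened(foreign_post),
        "hardened_anonymous": modem.handle_hardened(anonymous),
        "hardened_from_ui": modem.handle_hardened(from_ui),
    }
    return results, modem.reboots


if __name__ == "__main__":
    print(demo())
```
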
However, the bad news is that there’s no practical fix for the flaws. Since cable modems are not consumer-upgradable, even if Arris releases a fix, you would need to wait for your ISPs to apply the fix and push the update to you.
Arris has recently addressed the flaws with a firmware update.

“We are in the process of working with our Service Provider customers to make this release available to subscribers,” said the company’s spokesperson.

“There is no risk of access to any user data, and we are unaware of any exploits. As a point of reference, the 135 million number is not an accurate representation of the units impacted. This issue affects a subset of the ARRIS SURFboard devices.”

 

Experts crack Petya ransomware, enable hard drive decryption for free | PCWorld

Monday, April 11th, 2016

Security experts have devised a method that allows users to recover data from computers infected with the Petya ransomware program without paying money to cybercriminals.

Petya appeared on researchers’ radar last month when criminals distributed it to companies through spam emails that masqueraded as job applications. It stood out from other file-encrypting ransomware programs because it overwrites a hard disk drive’s master boot record (MBR), leaving infected computers unable to boot into the operating system.

The program replaces the drive’s legitimate MBR code, which normally starts the operating system, with code that encrypts the master file table (MFT) and shows a ransom note. The MFT is a special file on NTFS volumes that contains information about all other files: their name, size and mapping to hard disk sectors.

The actual contents of the user’s files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Using data recovery tools to reconstruct files might be possible, but it is not guaranteed to work perfectly and would be time-consuming.

Fortunately, resorting to that method is no longer necessary, and neither is paying Petya’s authors. Someone using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.

Computer experts from the popular tech support forum BleepingComputer.com confirmed that the technique works, but it requires extracting some data from an affected hard drive: 512 bytes starting at sector 55 (0x37) with an offset of 0 and an 8-byte nonce from sector 54 (0x36) offset 33 (0x21).

If that sounds complicated, no worries: Fabian Wosar from security firm Emsisoft created a simple and free tool that can do it for you. However, because the infected computer can no longer boot into Windows, using the tool requires taking out the affected hard drive and connecting it to a different computer where the tool can run. An external, USB-based hard drive docking station can be used.

The data extracted by the tool must be inputted into a Web application created by leostone that will use it to crack the key. The user must then put the affected hard drive back into the original computer, boot from it, and input the key on the ransom screen displayed by Petya.
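
As an added illustration of the extraction step (this is not Fabian Wosar's tool and not code from the original article), the sketch below reads the two fields at the offsets quoted above from a raw image of the affected drive, opened read-only. It assumes 512-byte sectors; the function names are hypothetical, the sample image is constructed, and Base64 is used only as a copy-safe text form, since the article does not say what encoding the web application expects.

```python
import base64
import os
import tempfile

SECTOR_SIZE = 512    # assumption: 512-byte logical sectors
DATA_SECTOR = 55     # 0x37: 512 bytes starting at offset 0
NONCE_SECTOR = 54    # 0x36
NONCE_OFFSET = 33    # 0x21
NONCE_LEN = 8


def extract_petya_fields(image_path):
    """Return (data, nonce) read from a raw disk image, without modifying it."""
    with open(image_path, "rb") as disk:  # read-only: never write to evidence
        disk.seek(NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET)
        nonce = disk.read(NONCE_LEN)
        disk.seek(DATA_SECTOR * SECTOR_SIZE)
        data = disk.read(SECTOR_SIZE)
    # A short read means the image was truncated before sector 56.
    if len(nonce) != NONCE_LEN or len(data) != SECTOR_SIZE:
        raise ValueError("image is too short to contain sectors 54 and 55")
    return data, nonce


def as_text(blob):
    """Base64 text form for copy and paste (encoding choice is an assumption)."""
    return base64.b64encode(blob).decode("ascii")


def build_constructed_image(sectors=64):
    """Write a constructed test image with marker bytes at the two locations."""
    image = bytearray(sectors * SECTOR_SIZE)
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[start:start + NONCE_LEN] = b"NONCE123"
    if sectors > DATA_SECTOR:
        begin = DATA_SECTOR * SECTOR_SIZE
        image[begin:begin + SECTOR_SIZE] = bytes(range(256)) * 2
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as out:
        out.write(image)
    return path


if __name__ == "__main__":
    sample = build_constructed_image()
    try:
        sector_data, nonce_bytes = extract_petya_fields(sample)
        print("nonce:", as_text(nonce_bytes))
        print("data :", as_text(sector_data))
    finally:
        os.remove(sample)
```
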

“Once the hard drive is decrypted, the ransomware will prompt you to reboot your computer and it should now boot normally,” BleepingComputer.com founder Lawrence Abrams wrote in a blog post.

Source: Experts crack Petya ransomware, enable hard drive decryption for free | PCWorld