feeds

by zer0x0ne — on


some of my favourite websites: null byte the hackers news hackaday pen test partners cso online infosec writers security week xkcd



wonder how to - null byte

Retrieved title: Null Byte « WonderHowTo, 3 item(s)
How to Hack MacOS with Digispark Ducky Script Payloads

The USB Rubber Ducky and the Digispark board both suffer from the same issue when attacking macOS computers: a keyboard profiler pop-up which tries to identify any non-Apple USB keyboards. While it's an annoying setback, the solution is a simple modification that allows Mac computers to be targeted, which affects the ability to target Windows and Linux devices. Apple's profiler, called Keyboard Setup Assistant, is the window that opens whenever a non-Apple keyboard connects to a MacBook, Mac Pro, iMac, etc., which attempts to identify the newly attached keyboard. This secret security feature... more

How to Quickly Gather Target Information with Metasploit Post Modules

Post-exploitation information gathering can be a long and drawn-out process, but it is an essential step when trying to pivot or establish advanced persistence. Every hacker should know how to enumerate a target manually, but sometimes it is worth it to automate the process. Metasploit contains post modules that can quickly gather valuable information about a target, saving both time and effort. In the previous tutorial, we used Metasploit's local exploit suggester to get root on the target. To use post modules, we need to have a Meterpreter session running. These modules will run as any user... more

How to Get Root with Metasploit's Local Exploit Suggester

So you've managed to get a shell on the target, but you only have measly low-level privileges. Now what? Privilege escalation is a vast field and can be one of the most rewarding yet frustrating phases of an attack. We could go the manual route, but like always, Metasploit makes it easy to perform local privilege escalation and get root with its exploit suggester module. To run through the process, we're using Kali Linux as the attacking machine and Metasploitable 2 as the target. You can set up or use a similar pentesting lab — or the same one — to follow along with the guide below. Step 1:... more

the hackers news

Retrieved title: The Hacker News, 3 item(s)
Europol Shuts Down 'Imminent Monitor' RAT Operations With 13 Arrests

In a coordinated international law enforcement operation, Europol today announced the shutdown of the global organized cybercrime network behind Imminent Monitor RAT, yet another hacking tool that allows cybercriminals to gain complete remote control over a victim's computer. The operation targeted both buyers and sellers of the IM-RAT (Imminent Monitor Remote Access Trojan), which was sold to

Magento Marketplace Suffers Data Breach Exposing Users' Account Info

If you have ever registered an account with the official Magento marketplace to buy or sell any extension, plugin, or e-commerce website theme, you must change your password immediately. Adobe—the company that owns the Magento e-commerce platform—today disclosed a new data breach incident that exposed account information of Magento marketplace users to an unknown group of hackers or individuals.

Over 12,000 Google Users Hit by Government Hackers in 3rd Quarter of 2019

As part of its active efforts to protect billions of online users, Google identified and warned over 12,000 of its users who were targeted by a government-backed hacking attempt in the third quarter of this year. According to a report published by Google's Threat Analysis Group (TAG), more than 90 percent of the targeted users were hit with "credential phishing emails" that tried to trick

hackaday

Retrieved title: Hackaday, 3 item(s)
DeepPCB Routes Your KiCAD PCBs

Computers can write poetry, even if they can’t necessarily write good poetry. The same can be said of routing PC boards. Computers can do it, but can they do it well? Of course, there are multiple tools each with pluses and minuses. However, a slick web page recently announced deeppcb.ai — a cloud-based AI router — and although details are sparse, there are a few interesting things about the product.

First, it supports KiCAD. You provide a DSN file, and within 24 hours you get a routed SES file. Maybe. You get three or four free boards – apparently each week – after which there is some undisclosed fee. Should you just want to try it out, create an account (which is quick and free – just verify your e-mail and create a password). Then in the “Your Boards” section there are a few examples already worked out.

We haven’t tried the service yet, but reading notes from people who have doesn’t give us a great feeling. Apparently, the router only wants two-layer boards with a limited number of wires, for the free version at least. One user reported they used up all three boards and only got error results back.

The real question is do we need AI routing? If you have parts well placed, routing isn’t that hard and there are other autorouters that can do a great job. Of course, many people won’t want to trust their designs to a cloud service. However, the technology could be interesting, especially if it could move things around and work towards different goals (e.g., low noise, minimum size, etc.).

There are others, of course. Then again, you can do it all on the cloud, if you like.

We couldn’t see a picture of an example PCB from the system, so our header image comes from a different source. c-g. [CC BY 2.0]

You’ve Got Mail?

Life is full of tough decisions, such as deciding whether you want to go to the end of the drive to check if the mail has arrived. These questions are made even more arduous in the winter months, but [Catpin] has a solution. The Mail Box Alert uses an Electric Imp, a solar panel and a proximity sensor to let you know if you’ve got mail.

It’s a neat build, with the brains provided by that Electric Imp which handles most of the heavy lifting. This wakes up every five minutes and checks whether the status of a small proximity sensor has changed. If it has, it pings a website. The unit sits at the bottom of the postbox, so if your friendly neighborhood post person has put in any letters, it will have changed. The Imp is powered by a small battery, which is in turn charged by a solar panel. That means that it doesn’t require any power cables or other wiring, as long as it is in the range of WiFi. With the addition of a 15-hour overnight deep sleep, [Catpin] found that the whole thing could be run from a couple of 18650 LiPo batteries.

Perhaps the most interesting part of the writeup was discussing the problems that he found with the build, such as the fact that a LiPo battery won’t perform that well in a Wisconsin winter. So, this was replaced with a Lithium Iron Phosphate battery that should be a bit more tolerant of the chill. There is also a writeup on how to create the same project using an ESP8266 if required.

An Efficient Homemade Wood Furnace

For poor [workshop from scratch], winter brings the joy of a cold workshop. Since the building is structurally made from tin, warming up the room is difficult.

Naturally, the solution was to construct a homemade wood furnace. The build starts off with an angle grinder being taken to a compressed air tank. After sawing off the top and sanding down the edges, the builder slices out an opening and welds together some rods into a stand for the center. He then proceeds to weld some external frames for the furnace, as well as a chimney stack, some nifty covers joined by hinges, and a fan/temperature regulator to keep the fire going.

Most of the pieces seem to come from scrap metal lying around the workshop, although the degree to which the entire project comes together is quite smooth. Some filter and spray paint do the trick for cleaning up the furnace and making it look less scrappy. The last step? A stack of wooden logs and a blow torch to start the fun. Outside of the furnace, an LCD screen keeps track of the temperature, giving some feedback and control.

The result is perhaps a bit too effective at warming up the workshop, but the problem sure is solved!

pen test partners

Retrieved title: Pen Test Partners, 3 item(s)
Embedded device research. The tools you’ll need

Over the last couple of years, we’ve run many courses on embedded device security. The focus is often defensive, but all the courses have an offensive aspect: hacking demonstrations on real devices so that you can understand the mindset of an attacker. To hack devices, you need tools. And the proper tools are a massive help.

Here are some of the tools that you will need to get started with basic hardware testing. Some of the links below are to commercial sites, mainly because product pages are hard to find! We order a lot from Farnell – decent prices and next day delivery.

Multimeter

A multimeter is essential. Most of the time, you will be measuring DC voltage and using the continuity test. Current, capacitance, frequency, temperature etc. are all secondary.

In terms of accuracy and resolution, generally we aren’t worried if it’s 3.314V or 3.323V. Both are 3.3V logic.

The continuity tester should be loud, fast, and ideally latching. A lot of meters are quiet, scratchy, and slow. Unfortunately, there are no specifications to tell you if it’s good or not – you’ll need to check yourself or on YouTube reviews.

To put some meters in continuity mode, you need to press a button each time you turn them on. This is a minor annoyance but will result in you using it in the wrong mode.

Avoid meters that share the same port for voltage and current. Turning the dial from V to A will change the meter from an open circuit to a short circuit – it’s surprisingly easy to do.

In terms of safety, a lot of Amazon and eBay meters are poor. They may state they are safe to given standards, but don’t contain the required safety features. If you are going to be working with mains voltage, cars, or EVs, then buy a reputable brand such as Fluke, Amprobe or Brymen.

The meters that we use are Brymen BM235. They are around £80. They have been reliable, usable, and the batteries are lasting well.

Probes

The probes that come with multimeters are generally quite large and blunt. They are designed for big things, not reverse engineering PCBs.

One of the most helpful accessories you can buy are Pomona 6275 micro probes. These are needle-like probes that make working with microcontrollers and PCBs much easier.

Firstly, they are tiny. You can easily touch a single pin on a 0.5mm pitch package.

Secondly, they are sharp. You can push them clean through solder mask into traces.

On the downside, they are only rated to 70VDC and 3A, but this is fine for most work.

You can buy them with a range of interchangeable tips – I like the stainless-steel ones, but the sprung gold-plated ones are also good.

SOIC clips

A common task is sniffing or interacting with SOIC8 and SOIC16 SPI flash chips. To do this without soldering or removing the chip, you can use special clips.

We strongly recommend the use of the Pomona clips. There are cheaper knock-offs, but the small plastic hooks fail very quickly.

Test clips

When you need to monitor signals on a board, it’s common to use test clips.

There are a massive variety of these on the market, of varying size and quality.

The best ones – that are readily available – are EZ-Hooks XKM. The cheapest option is to buy black ones, but they also come in rainbow packs. The different colours make working with complex boards far easier.

There is a good comparison of the different options here. https://sigrok.org/wiki/Probe_comparison

Logic Analyser

You will need a logic analyser before long. They allow multiple digital signals to be monitored at the same time.

For reverse engineering work, USB logic analysers are ideal. They allow very long traces to be gathered, and the data can be easily navigated and post-processed.

For professional work, we use Saleae’s Logic Pro 16. These aren’t perfect, but they have a lot of positives:

  • 16 channels is generally enough for the work we do
  • Sample rate is fast enough for SPI, serial, USB, CAN etc.
  • Safe to use for +/-25V – including automotive
  • Analog inputs can sometimes be useful

On the downside, they are almost £1k.

For hobbyists, the Hobby Components logic analysers cost around £10 and can do an awful lot. The low sample rate is prohibitive for professional work.

JTAG Adapters

Connecting to JTAG allows a deep level of access to the processor and flash memory on a device. Although JTAG is a standard protocol, the processor you are working with needs to be supported by the software.

We have found that Segger J-Link provides the widest range of support for ARM processors, including handling code readout protection. It’s just one of those tools that works.

The downside is the cost.

OpenOCD and a low-cost JTAG adapter are OK for hobbyist work, but there are too many quirks and unsupported chips for professional work.

USB Serial Adapters

Connecting to serial consoles is a bread-and-butter task. Nearly all of the time, a cheap 3.3V USB adapter will do the job. CP2102, FTDI, PL2303, whatever, they are all well supported. Buy them in bulk – you will lose and frazzle them.

USB Ethernet

It’s helpful to have dedicated Ethernet connections for testing. The best way to do this is with USB Ethernet adapters. This is especially helpful when using a virtual machine – you can pass the USB adapter through to the VM and have it handle the networking entirely.

Realtek 8153 adapters seem solid for USB3.0 and Gigabit.

It’s always worth having an older USB2.0 adapter with an old chipset. Why? A lot of embedded Linux devices have drivers for these. A new Ethernet interface is a new attack surface – you can often plug USB Ethernet into a car and get access to telnet and SSH!

ASIX AX88772 adapters have wide support and are still available.

USB Hubs

We’d always recommend using a USB hub when doing any testing. Modern laptops often only have a couple of ports, and you will always need more. A hub will also provide a degree of electrical protection to your laptop.

The Sabrent switched hubs are excellent – the little buttons allow you to power cycle the USB device without unplugging it.

Wire and Strippers

This is very much personal preference, but most of us use 30AWG insulated wire (get PVDF insulation, not ETFE – it’s cheaper and easier to strip). It’s great for tacking onto PCBs and chips and comes in many colours. You need to strip the ends, and most wire strippers don’t go this small. We use Knipex 12 80 040 https://uk.farnell.com/knipex/12-80-040-sb/mini-wire-stripper/dp/1779812 for this – they are expensive, but save a lot of time.

Some people prefer magnet wire. The insulation burns off as you solder.

Solder

As all our work is reverse engineering – and not production – we have the luxury of being able to use solder with lead. It is so much nicer to work with.

You want either 63/37 or 60/40 leaded solder. We’ve discussed soldering at length in another blog post. https://www.pentestpartners.com/security-blog/if-you-arent-soldering-you-probably-arent-testing-iot-thoroughly/

Chip Quik

You may need to desolder devices from time to time. A special low-melting-point solder called Chip Quik makes this almost trivial. Melt Chip Quik all over the pins, mixing it with the existing solder. Keep the alloy molten, and lift the chip off. Simple.

Conclusion

Hopefully some of the tips above are helpful. Making sure your basic tools are reliable and effective makes work so much quicker and easier. Sometimes these tools cost a bit more, but the time saving on paid work is huge.

Ships engines, a guide for pen testers

I spent several years as a ship’s engineer before straying into pen testing. Ships used to be fairly secure; they were physically isolated at sea. Satcoms were scarily expensive, usually available only to the captain for business-critical communication. Even satphone use was heavily rationed.

All that has changed: big satellite data packages are offered in order to attract the best crews. Vessel efficiency is remotely monitored to ensure that fuel costs are kept as low as possible. Bear in mind that it can cost several million dollars to refuel a large container ship.

So now you have a vessel full of industrial control systems, hooked up to the IT and crew networks. There’s probably remote access for engine monitoring by a third party, maybe remote access for IT support. Those networks are usually segregated, but I’ve never yet failed to bypass that segregation.

Engines the size of houses

It’s not an exaggeration. What are the engines and other equipment like on a container ship?

This is a 66,000gt ship, approximately 280m long. Rated about 5500 TEU.

This is the top of the main engine.

It’s a Sulzer RTA96C – 96 means each piston is about 96cm across. It has 10 “units” or cylinders.

This bit you see at the top is just the exhaust valve and cylinder head. The large pipe is hydraulics to open the exhaust.

This is a spare piston and piston rod.

It’s a slow-speed two-stroke diesel, so it works a bit differently to the diesels you may be used to.

This is the spare cylinder liner.

The holes around the bottom let the air into the cylinder when the piston is at the bottom of its stroke.

To force that air in, you need turbochargers. These are big.

This is the exhaust side.

That little green tank lets you inject crushed walnuts to clean the turbine.

This is the inlet side. It draws air direct from the engine room.

If you are standing here when the engine is running, it is deafening. Hearing loss territory.

A view from the bottom plates up to the top. The middle plates contain the fuel and exhaust pumps, alongside doors to get into the scavenge space – where the air flows into the cylinders.

This is one of 5 fuel/exhaust pumps. They are actuated by a massive camshaft, largely hidden from view.

The hoses are covered in a second wall so that leaks can be detected.

How fast does one of these go?

Well, maximum 102rpm. We were going at around 40rpm at this point.

This is direct drive – the engine is direct onto the prop. You want to go backwards? Reverse the engine.

The prop shaft is also long.

We were doing about 65rpm when I took this, producing about 33.76MW of power.

How does it measure the power?

Two sensors on the prop shaft detect how much that massive lump of metal has twisted.

There is a massive flywheel. You turn the engine over very slowly using an electric motor on this to make sure everything is lubricated and moving. It’s called the turning gear.

You don’t start it with this though.

That’s done with 30 bar air from these two massive tanks. It lets air into the cylinder, using a distributor like on a car. Start air scares me.

There’s enough compressed air to do up to 10 changes of engine direction.

All of this is normally electronically controlled, either directly from the bridge or from the engine control room.

Manual Control

If the electronic controls fail, you fall back to local control.

On these, it is literally sticks.

Left stick adjusts the camshaft for working in either direction, and admits the start air. Right is fuel. It is unregulated – you could easily overspeed an engine with these.

You still practice when you get a chance.

This is why I get frustrated when old-school captains state that ships can’t be hacked. ‘If we’re hacked we will go back to manual control,’ they say.

Which completely misses the point. 1: you need to know you’ve been hacked in order to take action. 2: manual control of a ship’s engine is difficult – manoeuvring often results in running out of start air, leaving you stranded.

These massive doors on the bottom plates let you into the crankcase.

There is a lot of extra machinery to support these beasts. First off, they don’t work without power. So you have 4 generators.

These are much smaller – 5-6MW.

They work at 6.6kV – which you call HV on the ship.

This is a big, scary voltage.

That all feeds into the HV switchboard on the ship.

Opposite that is the motor control centre, or low voltage switchboard. This controls all the 440V loads, pumps, fans, etc.

There are tens of pumps. Seawater pumps, low-temperature cooling, high temperature cooling, lube oil, fuel oil, ballast, anti-heeling, bilge, fire-fighting. Some are 750kW.

You have to clean the fuel oil and lube oil. To do this, you use centrifugal purifiers. There are big ones for the main engines and baby ones for the generators (BLOPs – baby lube oil purifiers).

There are also automatic filters that use compressed air to clean themselves.

All that heat needs to go somewhere. Plate heat exchangers are common for this – around 60 plates of titanium carry alternating fluids for cooling.

You can undo the nuts and clean them one by one. It’s slow.

Air compressors – for filling those massive tanks for starting the engine.

The heavy fuel oil the engine runs on needs to be heated to be runny enough to use.

When you are in port, the engine isn’t producing heat to use. So you have a boiler to pipe heat to all the fuel tanks.

When you are down in the engine room, alarms will sound. Various bits of machinery need tending to.

If the cog lights up – it’s a machinery alarm. The others all signify different things. RED IS BAD.

The Red Button

On this ship, I had to hit this button once.

I got an alarm at lunch on my pager. Went down, and saw high-temp cooling water spraying from one of the exhaust valves.

The header tank was already at low and was soon going to alarm low-low. We had to shut down the main engine.

With no main engine, you can’t steer. Luckily the waters weren’t busy and nothing bad happened.

Fun times:

The poo tank

Never forget the poo tank!

This digests all the poo so you can pump it overboard as clean-ish effluent. This one had a bad belly and wasn’t doing a good job.

Conclusion

Most of the systems above are managed by industrial controllers. The same controllers that you’ll find in electricity substations, production lines and water purification plants.

They use serial communications, rarely encrypted, rarely authenticated. The hardware and software is often very out of date. We often find connections and systems that the crew know nothing about. Systems that aren’t even on the network diagrams that we’ve been given.

Ships used to be secure by virtue of their physical isolation. That isn’t the case any more. Everything is connected, often in ways that the installers and operators weren’t intending.

N.B. This isn’t a ship we have tested the security of.

These photos were taken in 2006/7, back in the day when my job was to keep ships operating.

Christmas socialising. Goodwill to all, and keep your devices safe

It’s that time of year again. Christmas parties, socialising, travelling, and time spent away from home.

Seasonal socialising generally involves eating, drinking, and making merry, and there’s nothing wrong with that. The downside is that a “goodwill to all” attitude and an excess of alcohol causes people to naturally let their defences down.

The problem is that with a lowered sense of risk people’s view of what is “safe” is skewed, and that can make it a field day for crooks. Christmas is a shopping ground for thieves in so many ways.

It can take seconds for your mobile, laptop, tablet etc. to be spirited away, even if it’s sitting on the table right in front of you!

Of course we need to be wary of opportunistic theft as well as targeted attacks, but the simple human error of forgetting something or leaving something behind can cause as many problems. This is compounded if, like me, you lug a lot of kit around: things can easily be misplaced and lost.

Supply chain risk, security and validation are important parts of professional relationships, so looking after corporate devices containing corporate data is paramount. Knowing who to report a missing / stolen device to is essential.

You know the risks, now what should you do?

Bearing all that in mind it’s critical that we acknowledge the increased risk that simply having fun can bring, and be extra mindful of the devices that we are in charge of.

I prepare for journeys well in advance. Any device that contains sensitive information stays with me at all times. My mobile phone and laptop are far more critical than the big cases full of demo equipment, so I keep these to hand at all times. On the train and need the bathroom? They’re coming with me, no ifs or buts.

Also, I never leave the bag containing my phone / laptop unattended when snacking or having drinks. No matter which of my glamorous shoes I’m wearing, that bag’s shoulder strap is either firmly underfoot, around my ankle, or snagged on a chair / table / secured fitting.

My advice

  • NEVER leave your laptop or mobile phone unattended in a public place. EVER
  • Try to pre-book train seats near a luggage rack so you can keep an eye on your bags
  • Make sure you / your people know who to contact in the event of a theft
  • Is your laptop best left in the office on the night of the Christmas party rather than coming home with you?
  • Use appropriate encryption and a strong password to protect your data from opportunistic thieves
  • Try to pack for journeys well in advance. Have one bag that you can easily stow sensitive devices in when you need to nip to the bar / toilet etc.
  • Pop your foot or a table leg through the strap of your carry bag when you’re sat down
  • Don’t trust strangers to watch your stuff. Looking trustworthy is not a thing
  • If a device is not in use, remember to power it off. This means that encryption protection will be fully effective
  • Don’t use untrusted charging ports / devices. If you have to charge, use a USB condom
  • Enjoy yourself, safely

infosec writers

Retrieved title: InfoSecWriters.com, 3 item(s)
VXLAN EVPN Multi-Site Design and Implementation

Contributed by Vinay Sawant
VXLAN (Virtual Extensible Local Area Network) is the future of networking. Since VXLAN was introduced into network infrastructure three to four years ago, almost all organizations have been gradually migrating their network infrastructure to it.
 
This document is in PDF format. To view it click here.


Protecting Local Governments from Ransomware Attacks

Contributed by Kristy James
With the rise of global ransomware attacks, managing networks to prevent these types of cyber-attacks in local governments can be challenging. Ransomware is defined as a type of malware that attackers use to infect computer networks. Malware is designed to gain unauthorized access to computers or networks and damage or disrupt systems. Without the proper protocols in place, a ransomware attack can cripple an entire town’s network infrastructure. When a ransomware attack occurs, its objective is to encrypt files, or steal data, on a victim’s computer or server. The encrypted data will only be released by the attacker once the victim pays the requested ransom, at which point a decryption key is provided. City council members across the country are looking for ways to come together in preparation for confronting these attackers. The first big question to be answered when or if an attack occurs is whether or not to pay an attacker’s demand. Some entities have their own cyber insurance policies in place that would cover the cost of the release of encrypted data, while others have questions about whether or not to buy cyber insurance policies. When consulted, the FBI will promptly tell a company or business never to pay a ransom. One of their biggest reasons for this advice is that, historically, attackers share with others in their slimy field of work which companies pay up, and those companies then become targets yet again. Another reason is that there is never a guarantee the attackers will decrypt the stolen data, and the attacker could also increase their monetary demands. This paper will focus on ways leaders have handled these massive and coordinated attacks, which have often been launched from overseas. The findings will be recommended for further review by the government to help protect other local governments from future attacks.
 
This document is in PDF format. To view it click here.


Consumer and Industrial IoT Security

Contributed by Gregory Boykin
With the rapid expansion of internet access globally, Internet of Things (IoT) technologies have exploded onto the market, offering many connected and convenient devices to consumers and industry alike. With the proliferation of devices already connected and the increasing popularity of those devices, this trend in IoT growth will only continue to increase. The ongoing development and evolution of IoT devices has the potential to shape and benefit many industries, including agriculture, education, health care, automotive, and environmental. However, the improvement offered by these devices comes accompanied by potential security threats. These devices are a growing attack surface that cyber attackers can exploit, leading to exposure of business and consumer data. This risk is compounded by the interconnectedness and interaction between these new gadgets, and is often driven by a rush to market, which is itself a response to eager consumer and industrial buyers wanting more connected devices that expand convenience and automation. This paper will review the literature to look at the history and current state of the IoT in the marketplace. Possible emerging trends, benefits and concerns such as security will be addressed in relation to the growth of IoT. The paper will conclude with recommendations on how the developing IoT markets can thrive and garner increased device security, protecting the data being stored and accessed.
 
This document is in PDF format. To view it click here.


security week

Retrieved title: SecurityWeek RSS Feed, 3 item(s)
Bytedance: The Chinese Company Behind Global TikTok Craze

TikTok's Owner ByteDance Could be Forced to Share User Information With Chinese Intelligence


Hackers Accessed Magento Marketplace User Data

Adobe-owned e-commerce platform Magento recently informed some Magento Marketplace users that an unauthorized third-party had gained access to their account information.


Dexphot Malware Uses Randomization, Encryption, and Polymorphism to Evade Detection

Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism. 


tech-wreck infosec blog

Retrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
ATT&CKing Threat Management

https://medium.com/@andy.c.piazza/att-cking-threat-management-d004f70cd24b

Security Flaws & Fixes - W/E - 11/22/19

Additional Vulnerable D-Link Routers Won't Receive Security Updates (11/20/2019)
D-Link updated an advisory to warn that additional routers may be vulnerable to critical remote code execution bugs. However, these devices will not receive patches as they have reached end-of-life/end-of-service, according to the vendor. DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862 are all included within this advisory as being impacted.

Android Camera Bugs Enable Attackers to Stealthily Spy on Victims (11/19/2019)
Researchers at Checkmarx have observed likely abuse scenarios in Android cameras. The team uncovered multiple permission bypass bugs in the Google Pixel 2 XL and Pixel 3, and the same vulnerabilities were also detected in Samsung smartphones. The team stated, "After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung's Camera app."

Four Bugs in Flexera FlexNet Publisher Fixed Via Updates (11/20/2019)
ICS-CERT posted an advisory covering four vulnerabilities in Flexera's FlexNet Publisher, a software license manager. The vulnerabilities could allow an attacker to prevent the acquisition of a valid license for legitimate use of the product, and the memory corruption vulnerability among them could allow remote code execution. Users have been instructed to update to Version 2018 R4 or newer as soon as possible.

Google Fixes Two Bluetooth Bugs with Chrome Update (11/20/2019)
Google rolled out version 78.0.3904.108 of Chrome for Windows, Mac, and Linux. The update includes five security fixes, including patches for a use-after-free issue in Bluetooth and an out-of-bounds bug, also in Bluetooth.

ISC's BIND Receives Security Update (11/21/2019)
The Internet Systems Consortium (ISC) posted an advisory that addresses a vulnerability affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). According to the advisory, a client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server from releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache.

Long-Fixed Bugs Found Negatively Impacting Android Apps (11/21/2019)
Check Point Software's research shows that even fixed vulnerabilities can have a negative impact on newly created apps, as outdated code is reused. When an app is developed, it can use dozens of reusable components, or native libraries, which are often derived from open-source projects, or incorporate fragments of code. When a bug is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using the native libraries. An app may continue to use the outdated code version. Check Point conducted a scan of apps on Google Play to assess vulnerable libraries and chose three specific bugs to review. Of those three, hundreds of popular apps were impacted, along with the millions of people who have downloaded them.

NSA Warns of Risks Involved with Transport Layer Security Inspection (11/19/2019)
The National Security Agency (NSA) posted an advisory to discuss and manage risks associated with Transport Layer Security Inspection (TLSI). The advisory defines TLSI, which is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network, along with the risks that are involved in it. Finally, the NSA offers mitigation techniques.

Patch Released for Outlook for Android Spoofing Vulnerability (11/21/2019)
A spoofing vulnerability exists in the way Microsoft Outlook for Android parses specially crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim. Microsoft issued an update to plug this vulnerability.

Privilege Escalation in UAC Gives Miscreants Keys to Windows Kingdom (11/20/2019)
A bug in the Windows UAC (User Account Control) mechanism could result in the escalation of privileges, researchers at the Zero Day Initiative (ZDI) have warned. Microsoft patched the issue on November 12.

RCE Condition Possible Due to Default Config Bug in Apache Solr (11/21/2019)
A configuration flaw in Apache Solr that was originally discovered in July has been upgraded from "low" to "severe" after it was determined that the vulnerability could result in remote code execution. Tenable reported this change. The flaw is in the default configuration of the solr.in.sh file shipped with Apache Solr. If this file is used in its default configuration in versions 8.1.1 and 8.2.0, unauthenticated access to the Java Management Extensions (JMX) monitoring interface on the RMI_PORT (default 18983) is allowed. Anyone with network access to a vulnerable Solr server, and, in turn, to JMX, could upload malicious code that would then be executed. Apache has issued an advisory.
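The following is an added example, not code from Apache Solr or from the advisory: a small POSIX shell audit that reads a solr.in.sh, reports whether remote JMX is enabled on the RMI port, and writes a hardened copy. It assumes the upstream variable names ENABLE_REMOTE_JMX_OPTS and RMI_PORT (default 18983); the sample solr.in.sh fragment it audits is constructed here to mirror the vulnerable default.

```shell
#!/bin/sh
# Added example, not code from Apache Solr or from the advisory: audit a
# solr.in.sh for the insecure Solr 8.1.1/8.2.0 default that exposes JMX
# over RMI without authentication, and write a hardened copy.
# Assumption: the setting is the ENABLE_REMOTE_JMX_OPTS variable and the
# port is RMI_PORT (default 18983), as in the upstream solr.in.sh.

# Print the value of a shell-style KEY=value assignment in file $1 for
# key $2: last uncommented occurrence wins; quotes, spaces and trailing
# comments are stripped. Prints nothing if the key is absent.
solr_setting() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- \
    | sed 's/#.*//' | tr -d "\"' "
}

# Returns 0 when remote JMX is enabled (the vulnerable state), 1 otherwise.
# An absent variable counts as disabled, which is how bin/solr treats it.
solr_remote_jmx_enabled() {
  [ "$(solr_setting "$1" ENABLE_REMOTE_JMX_OPTS)" = "true" ]
}

# Prints the configured RMI port, falling back to the upstream default.
solr_rmi_port() {
  port=$(solr_setting "$1" RMI_PORT)
  printf '%s\n' "${port:-18983}"
}

# Writes a copy of $1 to $2 with every ENABLE_REMOTE_JMX_OPTS line forced
# to "false"; the rest of the file is left untouched.
solr_disable_remote_jmx() {
  sed 's/^\([[:space:]]*\)ENABLE_REMOTE_JMX_OPTS=.*/\1ENABLE_REMOTE_JMX_OPTS="false"/' \
    "$1" > "$2"
}

# Constructed sample fragment mirroring the vulnerable 8.2.0 default.
write_sample_solr_in_sh() {
  printf '%s\n' \
    '# constructed sample, not a real installation' \
    'SOLR_HEAP="512m"' \
    'ENABLE_REMOTE_JMX_OPTS="true"' \
    'RMI_PORT=18983' > "$1"
}

audit_file() {
  if solr_remote_jmx_enabled "$1"; then
    echo "$1: remote JMX ENABLED on RMI port $(solr_rmi_port "$1") - exposed"
  else
    echo "$1: remote JMX disabled"
  fi
}

demo() {
  sample=$(mktemp) && hardened=$(mktemp)
  write_sample_solr_in_sh "$sample"
  audit_file "$sample"
  solr_disable_remote_jmx "$sample" "$hardened"
  audit_file "$hardened"
  rm -f "$sample" "$hardened"
}

# Usage: sh solr_jmx_audit.sh /etc/default/solr.in.sh [...]
# With no arguments the demo runs on the constructed sample.
if [ "$#" -eq 0 ]; then demo; else for f in "$@"; do audit_file "$f"; done; fi
```

Flipping the variable only takes effect after a Solr restart, so after hardening also confirm nothing is still listening on the RMI port from the outside; and remember that a missing variable is not the same as a hardened one, since a later package upgrade can reintroduce the default.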

Vulnerability in Philips IntelliBridge EC40, EC80 Getting Patched Soon (11/19/2019)
Philips has become aware of a potential issue with inadequate encryption strength associated with the IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data. Philips plans a new release to remediate this issue by the end of Q3 2020.

WhatsApp RCE, DoS Bug Gets Patched (11/19/2019)
Facebook patched a stack-based buffer overflow that could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was in the parsing of the elementary stream metadata of an MP4 file and could result in a denial of service or remote code execution. This vulnerability affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.

Malware Watch - W/E - 11/22/19

Check Point Assesses Nuances of Phorpiex Botnet (11/19/2019)
Check Point Software analyzed the Phorpiex botnet and provided information on its latest features. Previously, the botnet operated using the IRC protocol (and was also known as Trik), but it has switched to a modular architecture and removed the IRC communication. The malware is named Tldr, which probably stands for TrikLoader, and has become the core component of the Phorpiex botnet. Tldr is a downloader that uses the HTTP protocol to communicate with its command and control servers; its main purpose is to load other malware onto infected machines. Tldr and its modules spread the botnet as widely as possible for monetization. Phorpiex is monetized through sextortion spam, crypto-jacking, cryptocurrency clipping, and loading other types of malware as a service.

Fake Windows Update Leads to Cyborg Ransomware (11/20/2019)
Cybercriminals are circulating fake Windows update emails whose attachment is an executable containing a malicious .NET downloader that drops the Cyborg ransomware. The email, claiming to be from Microsoft, contains just one sentence in its body, which starts with two capital letters, and directs the recipient's attention to the attachment as the "latest critical update." Trustwave researchers spotted the malicious campaign and provided additional details in a blog post.
Lazarus Threat Group Abuses Koreans with New Version of Mac Backdoor (11/20/2019)
The Lazarus group is using a new variant of a Mac backdoor, delivered via a macro-embedded Microsoft Excel spreadsheet, to target Korean victims. Trend Micro's researchers spotted the campaign and observed the macro in the file running a PowerShell script that connects to three command and control servers set up by Lazarus. The backdoor is called Nukesped.

Monero Project Site Exploited to Serve Up Malware-Laced Binaries (11/20/2019)
The Monero cryptocurrency site had the binaries of its CLI (command line interface) wallet compromised to serve up malware. The issue was resolved on November 19, but the malicious binaries had been served for about 14 hours. The Monero Project stated in a post, "It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason."
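As an added example of the check the project recommends above (not the Monero Project's own tooling), the script below compares a downloaded file against a published hash list and refuses with a distinct exit status when the hash does not match or the file is not listed at all. It assumes the list uses the sha256sum-style "<hex>  <filename>" line format; the file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the Monero Project's own tooling: check a downloaded
# binary against a published hash list, as the project advised.
# Assumption: the list uses sha256sum's "<hex>  <filename>" line format;
# the demo's files and names are constructed, not real releases.

# Print the SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_download FILE HASHLIST
# Exit status: 0 hash matches, 1 hash mismatch, 2 file not in the list.
# Anything other than 0 means: do not run the binary.
verify_download() {
  file="$1"; list="$2"
  name=$(basename "$file")
  # Look the file up by name so the list entry, not the filename, is trusted.
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
  if [ -z "$expected" ]; then
    echo "$name: not listed in $list, cannot verify" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$name: OK"
    return 0
  fi
  echo "$name: MISMATCH expected $expected got $actual, delete it" >&2
  return 1
}

# Constructed demo: a "good" file, a tampered one, and a list that only
# vouches for the good file's content.
demo() {
  d=$(mktemp -d)
  printf '%s' 'abc' > "$d/monero-wallet-cli"
  printf '%s' 'abd' > "$d/monero-wallet-cli-tampered"
  good=$(sha256_of "$d/monero-wallet-cli")
  printf '%s\n' "$good  monero-wallet-cli" \
                "$good  monero-wallet-cli-tampered" > "$d/hashes.txt"
  verify_download "$d/monero-wallet-cli" "$d/hashes.txt" || true
  verify_download "$d/monero-wallet-cli-tampered" "$d/hashes.txt" || true
  rm -rf "$d"
}

# Usage: sh verify_download.sh <file> <hashes.txt>
# With no arguments the demo runs on the constructed files.
if [ "$#" -eq 2 ]; then verify_download "$1" "$2"; else demo; fi
```

The check is only as good as the list: a site that can serve a tampered binary can serve a matching hash list, so take the hashes from a channel the attacker did not control (the project's signed hash file, verified with a maintainer key obtained out of band) rather than from the same download page.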

Not Loving It: Mispadu Trojan Serves Up Unhappiness with McDonald's Malvertising (11/20/2019)
The Mispadu banking Trojan uses malicious McDonald's-themed ads to lure victims through their web browsers, researchers at ESET say. Mispadu targets Brazil and Mexico, is written in Delphi, and displays fake pop-up windows to persuade victims to divulge sensitive information. For its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It can also update itself via a Visual Basic Script file that it downloads and executes.

Phoenix Rising: The Tale of a Keylogger Turned Info Stealer (11/21/2019)
Cybereason is tracking Phoenix, a keylogger whose capabilities extend well beyond keylogging, making it an information stealer. Analysis shows that Phoenix operates under a Malware-as-a-Service model and steals personal data from almost 20 different browsers, four different mail clients, FTP clients, and chat clients. The malware also has multiple mechanisms that try to kill the processes of over 80 different security products and analysis tools. Phoenix was released in July 2019 and has targeted victims across North America, the United Kingdom, France, Germany, and other parts of Europe and the Middle East.


xkcd

Retrieved title: xkcd.com, 3 item(s)
Group Chat Rules

There's no group chat member more enigmatic than the cool person who you all assume has the chat on mute, but who then instantly chimes in with no delay the moment something relevant to them is mentioned.

How To Deliver Christmas Presents

Building codes in hurricane zones rely on studies of how easily flying debris can break residential windows. If you're looking for a science fair project idea and you hate your neighbors, I'm sure they could always use more data!

Aurora Meaning

The astro-ph.SR arXiv servers are simultaneously being overwhelmed by electronic requests and actual electricity.