feeds

by zer0x0ne — on

some of my favourite websites: null byte, the hackers news, hackaday, pen test partners, cso online, infosec writers, security week, xkcd



wonder how to - null byte

Retrieved title: Null Byte « WonderHowTo, 3 item(s)
How to Steal Ubuntu & MacOS Sudo Passwords Without Any Cracking

With a simple social engineering trick, sudo passwords can be captured in seconds without the target's knowledge. The passwords can then be saved to a file or exfiltrated to another computer on the network. After exploiting a system, penetration testers and hackers will often begin privilege escalation (privesc) attacks. Such attacks include kernel exploitation and password phishing. The featured attack here takes a social engineering approach by utilizing Bash functions to emulate the functionality of the sudo command. How Sudo Is Supposed to Work Let's use the following whoami and id... more

How to Break into Router Gateways with Patator

Router gateways are responsible for protecting every aspect of a network's configuration. With unfettered access to these privileged configurations, an attacker on a compromised Wi-Fi network can perform a wide variety of advanced attacks. Brute-Forcing Router Logins with Patator After hacking a Wi-Fi router with tools like Aircrack, Wifiphisher, and Wifite2, there are several avenues an attacker may explore to further compromise the network. Assuming the gateway isn't using default credentials, the attacker will try to exploit a vulnerability in the router or perform a brute-force attack... more

How to Automate Brute-Force Attacks for Nmap Scans

Using Hydra, Ncrack, and other brute-forcing tools to crack passwords for the first time can be frustrating and confusing. To ease into the process, let's discuss automating and optimizing brute-force attacks for potentially vulnerable services such as SMTP, SSH, IMAP, and FTP discovered by Nmap, a popular network scanning utility. BruteSpray, developed by Jacob Robles and Shane Young, is a Python script capable of processing an Nmap scan output and automating brute-force attacks against discovered services using Medusa, a popular brute-forcing tool. BruteSpray is the much-needed nexus that... more

the hackers news

Retrieved title: The Hacker News, 3 item(s)
Microsoft Warns of Unpatched IE Browser Zero-Day That's Under Active Attacks

Internet Explorer is dead, but not the mess it left behind. Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in Internet Explorer (IE) browser that attackers are actively exploiting in the wild — and there is no patch yet available for it. The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote

Broadening the Scope: A Comprehensive View of Pen Testing

Penetration tests have long been known as a critical security tool that exposes security weaknesses through simulated attacks on an organization's IT environments. These test results can help prioritize weaknesses, providing a road-map towards remediation. However, the results are also capable of doing even more. They identify and quantify security risk, and can be used as a keystone in

Use iPhone as Physical Security Key to Protect Your Google Accounts

Great news for iOS users! You can now use your iPhone or iPad, running iOS 10 or later, as a physical security key for securely logging into your Google account as part of the Advanced Protection Program for two-factor authentication. Android users have had this feature on their smartphones since last year, but now Apple product owners can also use this advanced, phishing-resistant form of

hackaday

Retrieved title: Hackaday, 3 item(s)
Tessellations and Modular Origami From Fabric and Paper

You may be familiar with origami, the Japanese art of paper folding, but chances are you haven’t come across smocking. This technique refers to the way fabric can be bunched by stitches, often made in a grid-like pattern to create more organized designs. Often, smocking is done with soft fabrics, and you may have even noticed it done on silk blouses and cotton shirts. There are plenty of examples of 18th and 19th century paintings depicting smocking in fashion.

[Madonna Yoder], an origami enthusiast, has documented her explorations in origami tessellations and smocking, including geometric shapes folded from a single sheet of paper and fabric smocked weave patterns. Apart from flat patterns, she has also made chain-linked smocked scarves stitched into a circular pattern and several examples of origami tessellations transferred to fabric smocking. Similar to folds in origami, the stitches used aren’t complex. Rather, the crease pattern defines the final shape once the stitches and fabric are properly gathered together.

What’s the similarity between the two art forms? On the surface, it seems as though they concern entirely different disciplines – one features designs folded from paper while the other deals with stitching fabric. However, when it comes to modular origami and creating tessellations, there’s plenty of overlap.

Both art forms rely on precision to create the exact angles that produce the patterns, but it’s a bit more noticeable on the puffy smocking pieces if precision has gone awry.

If you’re interested in creating some smocking patterns of your own, there are plenty of tutorials to follow such as this honeycomb smocking tutorial.

TRS-80 Clone Uses Modern Parts

Before RadioShack decided the best business model for an electronics store was to harass its customers into buying overpriced batteries and cellphones, it was a great one-stop shop for most discrete components, knobs, resistors, radio equipment, and even a popular computer. That computer, the TRS-80, is a popular one in the retrocomputing world and if you can’t get original parts to restore one, you can always build your own clone.

This build comes to us from [Glen] aka [glenk] who is known for retrocomputing builds like this classic PET we featured a little over a year ago, and this TRS-80 is his latest project. He really gets into the weeds on the hardware, too. This isn’t an FPGA or Raspberry Pi running a TRS-80 on lookalike hardware. [Glen] has completely redesigned the computer from the ground up using modern CMOS components in order to make a modern, perfectly functional replica of the RadioShack classic.

Because of the level of detail [Glen] goes into, this one is a must-read for anyone interested in computing hardware (as opposed to the software, which you could learn about through a more simple emulator) and retrocomputing in general, and also brings most of us back to a more nostalgic, simpler time where a trip to RadioShack was fun and interesting.

RasterCarve Converts Images to CNC

CNC machines are an essential part of the hacker’s toolset. These computer-controlled cutters of wood, metal and other materials can translate a design into a prototype in short order, making the process of iterating a project much easier. However, the software to create these designs can be expensive, so [Franklin Wei] decided to write his own. In particular, he decided to write his own program to engrave images, converting a photo into a toolpath that can be cut. The result is RasterCarve, a web app that converts an image into a GCode that can be fed into a CNC machine.

The motivation for this project was to learn how to do it, but also frustration at the cost of software such as PhotoVCarve. Costing $149, this program does much the same as the one written by [Wei], albeit with a number of additional bells and whistles. He does an excellent job of describing how the conversion process works: his code creates a series of paths across the image, then converts the color of each pixel into a depth: The darker the image, the deeper the cut.

He also describes the process of taking this simple code and converting it into a Javascript web app, a process that has driven many a programmer to madness. It just goes to show that, although using other people’s stuff is fine, it often makes sense to try and do it yourself.

pen test partners

Retrieved title: Pen Test Partners, 3 item(s)
IR & Forensics in the Cloud

More and more organisations are moving their business to the cloud. This makes securing data and being able to respond effectively to incidents in cloud environments an important topic.

Having the skills on hand to properly collect digital forensics data in response to a legal dispute or during a cyber-attack or data breach incident is key to effective defence. So, what are the key factors to understand?

Understand your Cloud Architecture

There are three prominent service delivery models provided by a number of cloud service providers:

  • Infrastructure as a Service (IaaS) which provides basic computer infrastructure such as virtual machines, storage and network functions.
  • Platform as a Service (PaaS) allows for the delivery of an entire computing platform and solution stack as a service such as delivering web applications and services and the deployment of applications without the cost and complexity of managing the underlying hardware and software requirements yourself.
  • Software as a Service (SaaS) which may be considered “on-demand software” where software and associated data may be accessed by users via a web browser.

Where is your Cloud Data

There are four basic Cloud types. Understanding how that affects the levels of data you can access to support a forensic investigation from each type of cloud environment will assist in planning for incident response or cloud based forensics investigations:

  • Public Cloud: Is the most common type of cloud offering and pretty much dominated by the likes of Microsoft (M365), Amazon Web Services (AWS) and Google Cloud Platform (GCP). Generally, you will be sharing resources with other businesses in this type of cloud.
  • Private Cloud: This is infrastructure operated by and solely for a single organisation. They may be locally managed or managed as a service by a third party.
  • Community Cloud: Is a cloud infrastructure shared by several organisations usually with a specific community purpose.
  • Hybrid Cloud: This option combines two or more clouds (private, community, or public) that remain unique entities but are bound together to enable data and application portability, for example load-balancing.

Where is Forensic Data Commonly Found in the Cloud?

The first step to understanding this is to know exactly where your data is, and how much direct access you have to it. Which cloud type you are working with will influence this, for example the lower down the cloud technology stack your provider sits, the more control you will have over the available data. Some examples:

  • In a private cloud, you are more likely to have direct access to your hardware infrastructure.
  • If using a SaaS model over a public cloud, direct evidence collection will be limited to whatever your provider allows access to in the way of logs or other audit reports.

If it is not clear what level of potentially useful forensics data your cloud service provider can make available in the event of an incident, you should approach them and find out. Also, ensure that you know where your data is physically stored. Legal, compliance and regulatory matters may differ depending on where your information is stored.

Incident response and digital forensics in the cloud can be complex. It necessarily demands a greater level of experience than on-premise investigations. You may be surprised by the lack of experienced professionals readily available on the market so do your research and be prepared. Knowledge is power and never more so than when faced with a cyber-attack or data breach.

By default the amount of forensic data on cloud platforms is limited, often only to high level logs with a short history. Enabling forensic auditing functions can significantly increase the amount and quality of forensic data retained by the system. In real world scenarios we encounter, cloud platforms often are misconfigured and forensic log information is limited to a short period (approx. 30 days in most instances) meaning that the period of interest is often missing or incomplete.

Due to the fragmentation it can be hard to direct a particular customer, let alone generically. However … :

Enabling forensic auditing can vary platform to platform and even from version to version, however there is a growing trend to grow and publicise these functions through the management dashboard. Many platforms now come with security setting auditing which scores the platform based on the current configuration and in some instances allows changes to be made in order to secure the system (including enabling forensic auditing). Common on all platforms will be the log retention period which should be set as high as the current platform license allows.

Quick Wins to Combat Data Leaks

Data leakage is a worry. Holding lots of sensitive information about your employees and your customers means that if data is exposed it would be a catastrophe. No one wants to be the next Mossack Fonseca, or Equifax, or Marriott Hotel, or Facebook, or…

The majority of clients I speak to tell me data leakage is their biggest risk, so I thought I’d share my top 3 quick wins for you to roll out and put you on the front foot against attackers looking to cause embarrassment and consternation.

Attackers use the path of least resistance, and unless your employees have been trained to know the difference between a genuine and a fake email, then the least resistance is likely to be your colleagues. Your secure estate will count for nothing.

So, here’s those tips to get you going:

1. Staff security awareness training

The most common attack vector that we see in our Incident Response engagements is phishing – regardless of attacker sophistication. What this means is that even though companies are ensuring their estate is clean of vulnerabilities, and maybe your password hygiene is good and your policies are clever and efficient, attackers are taking a different route to reach their objectives.

What’s the best way of neutralising the threat of falling victim to this threat? Experience determines that one way is educating your employees so they have security at the forefront of their mind when undertaking their day-to-day business operations. Opening emails, logging onto applications, speaking on the phone, entering the building – all of these activities can introduce risk into your organisation.

Train your staff to be more secure in their day-to-day life and your organisational security posture is immediately improved.

2. Ensure your O365 security configuration is optimised for your use

Microsoft Office 365 is a great solution for companies. It enables document sharing, collaborative working, and is a great tool for communication with customers and partners.

Unfortunately the default security settings are not ideal for use by all organisations and can introduce significant risk.

A simple evaluation of the current settings mapped to operational use and performance will likely uncover areas of improvement so that O365 is secure. For example, turning on two factor authentication (2FA).

3. Regularly evaluate your SOC and IR processes

Investing in a Security Operations Centre (SOC) is a good way of being able to detect anomalous behaviour on a network, and your Cyber Security Incident Response Team (CSIRT) should know how to respond to breaches and incidents.

But, like O365, the solution needs to be tailored to the organisation. How do you know how good the visibility of the SOC is? Are there any blind spots? Is there any point in investing in expensive technology if the team operating that technology don’t know how to respond to an alert? Is the alert salient enough in a sea of alerts or will it just be ignored because of the sheer volume of alerts?

The best way to answer all of these questions is to simply evaluate the efficacy of the people, processes and technologies of the Blue Team by running a Purple Team exercise.

Purple Teaming is a collaborative exercise between an organisation’s Blue Team and a security provider’s Red Team, cross referencing Red attacks with Blue visibility and responses to give you an indication of the efficacy of the SOC, and areas of improvement to uplift your capabilities.

These 3 quick wins will immediately reduce your risk of data leakage!

Kids Tracker Watches: CloudPets, exploiting athletes and hijacking reality TV

Kids smart tracker watch security: everyone has missed the point. It’s not a few thousand here and there. It’s at least 47 million, probably around 150 million exposed tracking devices.

It all points back to two or three lazy device manufacturers, much like Mirai v1 did

There have been lots of smart tracker watch security stories. Probably the first was @skooooch who raised serious concerns at Kiwicon about 360,000 car trackers and engine immobilisers in 2015. Lachlan also flagged the connection to thinkrace and kids tracker watches.

Others all missed the point, including us:

And with ~47 Million devices exposed to compromise, one can do some really interesting things, including winning reality shows and other TV shows that rely on audience voting by telephone or SMS.

That’s in addition to retrieving or changing the real time GPS position of millions of kids, the ability to call and/or silently spy on them, or just discover audio recordings hosted in publicly available repositories:

The above image shows real-time tracking of a child (actually my own kid!) walking around London with a tracking watch on, without needing to authenticate to the correct API account.

Why did everyone miss the point? You just have to follow the breadcrumbs through the API:

IoT Platforms

White labelling is rife in IoT, particularly with products manufactured by Original Device Manufacturers (ODMs) in the Far East.

IoT platforms are also increasingly common, as it cuts down the time-to-market for a start-up, if they can simply ‘bolt on’ an API and cloud platform from a 3rd party.

Combine the above and you have a recipe for disaster:

Example: thinkrace

One of the largest and worst tracker ODMs, in our opinion, is thinkrace. This Chinese watch and tracker manufacturer also provides an API and cloud platform to quickly deliver white labelled tracking devices and kids tracker watches to international market.

There is a complex ODM / distributor / importer / brand owner / white label operation which makes it very hard to determine a common point of failure…. unless you follow the API trail

Often the brand owner doesn’t even realise the devices they are selling are on a thinkrace platform.

The Icelandic Enox watch? A thinkrace API

The AVAST T8 watch research? A thinkrace API

The AV-TEST SMA watch research? A thinkrace API

Etc…

Back in 2015 Mich Gruhn @0x6d696368 and our Vangelis @evstykas found a ton of flaws in around 370 different device types affecting upwards of 20 million devices around the world. The majority of the issues discovered were simple failures to authorise requests correctly: IDORs (Insecure Direct Object References) aka BOLA (Broken Object Level Authorization).

Put simply: the watch APIs were failing to check that the correct user was making the request to retrieve the kid’s data. This means anyone could request any kid’s data.

Their work showed some common points of failure, which we dug deeper into this year.

Vulnerabilities

Putting aside the default creds and permissions issues that researchers keep finding on individual watches, thinkrace really are a monstrosity of fail.

Most API calls don’t need authorisation, and they are very well documented within the service itself – literally just browse to the Web Services Description Language (WSDL) file.

All variables simply increment integers meaning you can brute force and also deduce numbers of devices with ease.

Add a new account, see the ID number, then add another new account and see the ID number increase by one.

In virtually all devices (including non-thinkrace) we have seen the default password is 123456!
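The missing control described above (no check that the caller owns the requested record, plus incrementing IDs) looks like this next to a corrected form. This is an added example, not code from the original article or from any vendor; apart from the GetDeviceDetail operation name, every class, field and sample value is hypothetical and constructed for illustration.

```python
"""Added illustration: object-level authorisation for a device-lookup API.

DeviceStore, its methods and the sample records are hypothetical. Only the
operation name GetDeviceDetail comes from the article.
"""
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass
class Device:
    device_id: str
    owner_id: str
    lat: float
    lon: float


@dataclass
class DeviceStore:
    devices: dict = field(default_factory=dict)   # device_id -> Device
    sessions: dict = field(default_factory=dict)  # session token -> user_id
    next_id: int = 1000

    # ---- the pattern the article describes -----------------------------
    def register_sequential(self, owner_id, lat, lon):
        """IDs increment by one: neighbours are guessable, totals countable."""
        device_id = str(self.next_id)
        self.next_id += 1
        self.devices[device_id] = Device(device_id, owner_id, lat, lon)
        return device_id

    def get_device_detail_unchecked(self, device_id):
        """No session and no ownership check: the IDOR/BOLA flaw."""
        return self.devices[device_id]

    # ---- hardened equivalents -------------------------------------------
    def register(self, owner_id, lat, lon):
        """128-bit random ID. Defence in depth only, not the actual fix."""
        device_id = secrets.token_hex(16)
        self.devices[device_id] = Device(device_id, owner_id, lat, lon)
        return device_id

    def issue_session(self, user_id):
        """Stand-in for a real login; returns an unguessable session token."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def get_device_detail(self, token, device_id):
        """GetDeviceDetail with authentication and an ownership check."""
        user_id = self.sessions.get(token)
        if user_id is None:
            raise AuthError("not authenticated")
        device = self.devices.get(device_id)
        # Same error for "does not exist" and "belongs to someone else",
        # so the response cannot be used to confirm which IDs are live.
        if device is None or device.owner_id != user_id:
            raise AuthError("device not found")
        return device


if __name__ == "__main__":
    store = DeviceStore()
    # Constructed sample data.
    a = store.register_sequential("parent-a", 51.5007, -0.1246)
    b = store.register_sequential("parent-b", 51.5033, -0.1195)
    print("sequential IDs:", a, b)
    print("unchecked read of b:", store.get_device_detail_unchecked(b).owner_id)

    token = store.issue_session("parent-a")
    other = store.register("parent-b", 51.5033, -0.1195)
    try:
        store.get_device_detail(token, other)
    except AuthError as exc:
        print("checked read of another user's device:", exc)
```

The ownership comparison is the fix; random identifiers only remove the ability to count or guess records and do not replace it.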

Identifying thinkrace devices

There’s a Google Dork for that! These will find you some of the devices:

Some of the trackers have a web app too. If yours looks like this, it’s probably thinkrace also:

Searching for devices is trivial, just enter your device ID in to the GetDeviceDetail API operator and receive all the detail on your device. Given the lack of authorisation, one could retrieve any child’s data if one wanted. 20 million kids and trackers.

You can determine the location of the device of course through the Lat / Long of the device, but also the country from the phone number of the device and the ‘family number’:

thinkrace exposed the safety of disabled athletes

They sponsored the Special Olympics / Paralympics World Games earlier this year. Every athlete was given a tracking watch, thereby exposing vulnerable adults to privacy and stalking attacks. We found this very distasteful indeed.

Look closely at the athlete’s wrist on their homepage. There’s the offending watch:

The scale of the problem

thinkrace produce 367 different types of tracking watch and tracker, making device identification and attribution to thinkrace very difficult, unless you follow the API. Here are a few – some include camera functionality.

Here’s a list of some offending device part numbers. Unfortunately these are often changed by the importer or brand owner, so this rarely helps identify vulnerable devices in your region:

But then we find that they don’t connect to one, common API. Instead, multiple endpoints across apparently unrelated domains are used, depending on the product and importer/distributor. Here are a few of the >80 we found.

Dig deeper and we find that they’re nearly ALL thinkrace API endpoints. In some cases, we think thinkrace code may have been sold or ‘appropriated’ by other manufacturers, but it’s still just as vulnerable. It appears the code was written in 2012, as indicated by the ‘newgps2012’ name for the portal code

5gcity: It’s CloudPets all over again

Last week, we were looking at 5gcity.com – another one of the tracker domains associated with a thinkrace API. It has around 5 million users, mostly kids tracker watches.

One of their web servers is exposing thousands of .amr files:

We believe these are audio message recordings of messages sent from child to parent using the watch and from parent to child.

5gcity has the same vulnerabilities as we would expect to find in a thinkrace API:

Reset any user’s password and hijack account

Full access to source code

Full user enumeration, leading PII of kids and parents

Send commands to any device, reflash the firmware remotely

Track any device

…but the audio file leakage was a new one for us!

A few more thinkrace API devices

www.goicar.net – around 3 million active tracking devices

www.gps958.net – around a million devices active

And one that isn’t thinkrace

www.gpsui.net – around a million active devices

Each domain we enumerate devices on contains millions of tracking devices. So far, just looking at thinkrace we’ve hit over 20 million devices. Digging further, we’ve found another 27 million devices on other ODM APIs. We think we’ve only seen the tip of the iceberg though

Another Example: Gator / Caref Watch Company

We’ve covered this security train wreck of a firm in the past: it’s not that dissimilar to thinkrace, but on a much smaller scale.

Again, the complex ODM / distributor relationship makes identification of Gator watches harder. In one case, the Australian importer rebrands the watch as TicTocTrack. In the UK it’s known as TechSixtyFour.

There’s also another ODM platform that we’re investigating right now, with ~100 million devices.

Disclosure

Mich & Vangelis disclosed the API flaws to the various ODMs back in 2015 and 2017. Various other researchers attempted to contact thinkrace over the years, to no avail.

Indeed, the Icelandic data protection authority banned some thinkrace watches sold under the Enox brand. How did thinkrace not change their ways then?

The German telecommunications regulator, Bundesnetzagentur, banned many kids smart watches in 2017.

Various watch brand security issues have since drip-fed in to the press, also with no response to responsible disclosure attempts. There is now evidence of these issues being exploited by criminals (see below), so we have to act.

Some of the other vendors involved in Mich & Vangelis’s work fixed issues in some of their API endpoints, but not all. We’ve since found that some of the vendors have actually UNFIXED their APIs since.

Exploiting this: winning Eurovision and The X-Factor

Every GPS tracker also has a SIM card in it. The tracker needs the SIM in order to communicate with the API over mobile data:

So how can we abuse the SIM?

With the flaws in the API, it’s possible to make the tracker watch dial phone numbers or (in some cases) send SMS messages.

Phone Voting

Phone voting in talent shows is a simple and effective way of abusing this. Many high profile shows use phone voting, e.g. Eurovision, X-Factor, Strictly Come Dancing etc., and there is usually a short dial code for the act you want to win. Dial it once and your vote is counted.

Could votes be influenced and shows be won? Yes!

Could the UK win Eurovision through this? With a good song, watch SIM calling could be used to push the UK to the top of the ‘Televote’. To vote for the UK you would need to exploit SIMs in one of the other countries taking part. Bear in mind there’s a ‘Jury’ vote too, so maybe, just maybe.

Here’s Norway at the top of the Televote:

But only 18th in the Jury vote:

These combined together meant that the Netherlands came out on top.

Shows like X-Factor and the finals of Strictly Come Dancing that use 100% audience voting are much more easily manipulated:

Worked example

X-Factor UK 2018 was won by a 12% swing. Actual voter numbers were not released in 2018. However, in 2010 X-Factor confirmed how many votes they had across the whole series: this was just 15.5 million votes. The show was broadcast for 10 weeks, with each week having a vote, with three on the final week. Assuming an even spread that’s roughly 1.2m votes each week. The final in 2010 was won by just 6%.

This means to win the final just 72,000 votes would have been needed. Although it is expected that more votes would be recorded in the final.

We’ve found 47 million devices that could be triggered to make calls. Each is likely to be able to make ~10-20 premium rate calls before the credit is exhausted. That means up to a billion votes could be injected!

Default settings on phone services

On the 4 main UK providers, excluding MVNOs, ALL of them have premium lines enabled by default on non-contract SIM cards. As long as you have credit you can be charged to vote.

We think it would be very wise for premium numbers to be blocked by default, significantly mitigating this attack. For users, we strongly advise you to block premium calls on your SIMs if you haven’t already.

Detecting voting attacks

That’s where this gets difficult: the voting attack is distributed across millions of phones. How would one determine which call was legitimate and which wasn’t?

Is anyone else exploiting this?

Voice Kids Russia was subject to suspicious voting patterns in May this year, as covered by the BBC. It is not clear exactly how this happened, but bots were suspected.

The attack was detected due to the attackers using consecutive numbers to make phone calls and sending thousands of SMS messages from one area. This ultimately led to the result being cancelled.

Simply spread the calls or SMS over millions of phones and there is no pattern to spot.

What can I do?

Stop using trackers: we have rarely found any kids watch, pet or car tracker that does not have vulnerabilities. Power the device off. If you identify your device is from thinkrace (harder than it sounds) it may be prudent to simply request a refund.

Conclusion

The tracking market is exploding; the race to market has meant that security corners have been cut.

This is a new attack which is not yet being widely exploited, though we have seen evidence on online forums that exploitation is happening.

Manufacturers need to get better at building secure systems. There is no excuse for poor security now, given the vast quantity of good advice already on the public internet.

Regulators need to get better at regulating against devices that expose our children’s data.

Enforcement action needs to be taken; ensuring that bans cover the entire white-labelled ecosystem, not just individual brands.

infosec writers

Retrieved title: InfoSecWriters.com, 3 item(s)
Social Engineering – The Human Side

Contributed by Mark Heckle
Social Engineering is one of the most widely used methods by cybercriminals to penetrate many networks across the globe. This type of attack is an easy way for criminals to infiltrate the defenses of any organization. Social Engineering attacks seem to be increasing every year due to the lack of awareness and knowledge of end-users. This sensitive data is collected through mobile devices, SMS, emails, or direct contact with a user. While prevention is almost impossible, this paper will examine the definition of social engineering, examples of Social Engineering, methods used by the attacker, the motivators of the attacker, and understanding why humans are easy prey to such attacks. By learning and understanding more about social engineering, it will go a long way in reducing the success of these penetration efforts.
 
 

VXLAN EVPN Multi-Site Design and Implementation

Contributed by Vinay Sawant
VXLAN (Virtual Extensible Local Area Network) is the future of networking. Since the introduction of VXLAN into network infrastructure over the last three to four years, almost all organizations are gradually migrating their network infrastructure to VXLAN.
 

Protecting Local Governments from Ransomware Attacks

Contributed by Kristy James
With the rise of global ransomware attacks, managing networks and preventing those types of cyber-attacks in local governments can be challenging. Ransomware is defined as a type of malware that attackers use to infect computer networks. Malware is designed to gain unauthorized access to computers or networks and damage or disrupt systems. The ransomware attack can cripple an entire town’s network infrastructure without the proper protocols in place. When a ransomware attack occurs, its objective is to encrypt the files, stolen data, from a victim’s computer or server. The encrypted data will only be released by the attacker once the victim pays the requested ransom and a decryption key will then be provided. City council members across the country are looking for ways to come together in preparation of going against these attackers. The first big question that is to be answered when or if an attack occurs is whether or not to pay an attacker’s demand. Some entities have their own cyber insurance policies in place that would cover the cost of the release of encrypted data, while others have questions about whether or not to buy cyber insurance policies. When speaking to the FBI, they will promptly tell a company or business to never pay a ransom. One of their biggest reasons for this suggestion is that, historically, attackers share with others in their slimy field of work which companies pay up, and then you become a target yet again. Another reason is the claim that there is never a guarantee the attackers will decrypt the stolen data, as well as the possibility that the attacker could increase their monetary demands. This paper will focus on ways leaders have handled these massive and coordinated attacks that have often been launched from overseas. The findings will be recommended for further review by the government to help protect other local governments from future attacks.
 


security week

Retrieved title: SecurityWeek RSS Feed, 3 item(s)
Microsoft to Patch Internet Explorer Vulnerability Exploited in Targeted Attacks

Microsoft announced on Friday that it’s in the process of developing a patch for a zero-day vulnerability in Internet Explorer that has been exploited in targeted attacks, reportedly by a threat group tracked as DarkHotel. Until a fix becomes available, the company has shared some workarounds and mitigations.


Turkish Hackers Target Greek Government Websites, Stock Exchange

Turkish hackers claimed Friday to have hijacked for more than 90 minutes the official websites of the Greek parliament, the foreign affairs and economy ministries, as well as the country's stock exchange.


FBI Takes Down Site Selling Subscriptions to Stolen Data

WeLeakInfo Website Taken Down in International Law Enforcement Operation


tech-wreck infosec blog

Retrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
RedWolfIntelligence / Open-Source-Security-List-

https://github.com/RedWolfIntelligence/Open-Source-Security-List-

Top 20 CTI Presentations for 2019

https://threatintel.eu/2020/01/09/top-20-cti-presos-for-2019/

Security Flaws & Fixes - W/E - 1/17/20

"Cable Haunt" RCE Bug in Broadcom Chip Impacts Hundreds of Millions of Modems (01/14/2020)
Researchers in Denmark uncovered a vulnerability in Broadcom's modem firmware that can potentially impact millions of devices. The bug, called "Cable Haunt," is located in a component of the Broadcom chip - the spectrum analyzer - and allows remote code execution. The researchers said, "The cable modems are vulnerable to remote code execution through a Web-socket connection, bypassing normal CORS and SOC rules, and then subsequently by overflowing the registers and executing malicious functionality. The exploit is possible due to lack of protection proper authorization of the Web-socket client, default credentials and a programming error in the spectrum analyzer." There are approximately 200 million cable modems in Europe that could be potentially affected by this bug, and multiple vendors, including Netgear and Arris, are impacted.

Adobe Boots Bugs in Illustrator CC, Experience Manager (01/14/2020)
Adobe released security bulletins for Illustrator CC and Experience Manager. The Illustrator CC update resolves a memory corruption issue that can lead to arbitrary code execution. The update for Experience Manager remedies multiple issues, including two reflected cross-site scripting flaws.

Attackers Target Unpatched Pulse Secure VPN Servers to Install Ransomware (01/13/2020)
The Cybersecurity and Infrastructure Security Agency (CISA) has observed wide exploitation of Pulse Secure's VPN servers due to a remote code execution vulnerability. This bug was addressed by the vendor in April 2019 but many servers worldwide remain unpatched and vulnerable. Cybercriminals are targeting the bug to unleash the REvil (Sodinokibi) ransomware. CISA strongly recommends that users and administrators apply the patches immediately.

Citrix to Release Patches for Zero-Day Bug in ADC, Gateway (01/14/2020)
Citrix is planning to release fixes for a zero-day hole in its Application Delivery Controller and Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The vendor warned of the flaw on December 17 but exploits have since been released. Updates for versions 11.1 and 12 are expected on January 20 while versions 12.1 and 13 will be made available on January 27, and version 10.5 will receive an update on January 31.

GE/Emerson GE PACSystems RX3i Affected by Security Issue (01/14/2020)
The ICS-CERT has warned that PACSystems RX3i (previously owned by GE and acquired by Emerson) are vulnerable to an improper input validation flaw. Multiple products and versions are impacted. Details about contacting Emerson are available from the ICS-CERT advisory.

HTTP Cache Poisoning Renders AWS, Akamai, Cloudflare Vulnerable (01/15/2020)
Multiple caching service providers are vulnerable to HTTP cache poisoning, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA). Once an attacker has successfully injected malicious content, future visitors accessing the compromised site will collect and execute the attacker's injected scripts. The advisory offers suggestions that content delivery network providers can implement to prevent HTTP cache poisoning. Akamai, Amazon Web Services (AWS), and Cloudflare are all affected by this issue.

Multiple Intel Products Receive Security Updates (01/14/2020)
Intel released six security advisories on January 14 to address vulnerabilities in various product lines. Among the issues is an information disclosure bug in the Data Analytics Acceleration Library that has been patched in version 2020 Gold.

Multiple Security Bulletins Posted by Juniper Networks (01/13/2020)
Juniper Networks issued multiple security bulletins to address vulnerabilities across the vendor's product lines. At least eight of the bulletins pertain to security issues within Junos OS. Juniper product users should review the advisories and apply all updates immediately.

Oracle Shoots Down 334 Vulnerabilities in Massive Batch of Fixes (01/15/2020)
Over 330 vulnerabilities have been eliminated following the release of Oracle's Critical Patch Update for January. Flaws have been patched across multiple Oracle families, including MySQL, Fusion Middleware, E-Business Suite, Java SE, and more. In total, 334 bugs have been patched and Oracle recommends that users immediately apply the updates.

Over 300K WordPress Sites Exposed to Attacks Thanks to Authentication Bypass (01/15/2020)
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, contain logical flaws in their code that can enable anyone to log into an administrator account without a password. This discovery was made by the research team at WebArx who noted that a combined 320,000 Web sites are vulnerable as a result.

SAP Delivers Security Fixes on Monthly Patch Day (01/15/2020)
SAP published six security notes and one advisory to cap its January batch of vulnerability patches. Among the most significant remediations is a fix for a cross-site scripting flaw in Rest Adapter of SAP Process Integration and a patch for a denial-of-service condition in NetWeaver Internet Communication Manager.

Scientists Warn of Possible Collisions, Security Failures in SHA-1 (01/13/2020)
Two researchers have demonstrated a collision attack on the SHA-1 hash function which can enable criminals to create fraudulent digital certificates. This is similar to attacks that have been previously conducted on MD5. The scientists, Gaëtan Leurent and Thomas Peyrin, created their fake digital certificates using GNU Privacy Guard and a cluster of GPUs. They said, "This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function."

Siemens Issues Multiple Advisories for Product Lines (01/14/2020)
Multiple Siemens products have received updates to mitigate vulnerabilities. Among the flaws discussed in its batch of advisories are authentication bypass, cross-site scripting, and mirror port isolation bugs in the SCALANCE X switches.

Upgrade Mitigates Security Holes in OSIsoft PI Vision (01/14/2020)
OSIsoft's PI Vision, a visualization tool, is vulnerable to several security issues, including improper access control, cross-site scripting, and cross-site request forgery. The vendor recommends users upgrade to PI Vision 2019 to resolve these issues. Further details are available from an ICS-CERT advisory.

VMware Releases Security Update (01/14/2020)
VMware has released a security update to fix a bug in VMware Tools. The vulnerability affects VMware Tools for Windows version 10.x.y. Users are instructed to update to version 11.0 or later.

xkcd

Retrieved title: xkcd.com, 3 item(s)
Unsubscribe Message

A mix of the two is even worse: 'Thanks for unsubscribing and helping us pare this list down to reliable supporters.'

Bad Map Projection: South America

The projection does a good job preserving both distance and azimuth, at the cost of really exaggerating how many South Americas there are.

Tattoo Ideas

The text ALL YOUR BASE ARE BELONG TO US with a lengthy footnote explaining that I got this tattoo in 2020 and not, as you may assume, 2001, but offering no further clarification.