Ukraine energy utilities attacked again with open source Trojan backdoor

Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts.

The phishing attacks are attempting to get backdoors installed on utility company computers using techniques similar to those seen in the BlackEnergy attacks.

BlackEnergy ripped through Ukrainian utilities in what is largely considered the cause of mass power outages on 23 December in the Prykarpattya Oblenergo and Kyivoblenergo utilities.

Power was cut to some 80,000 customers for six hours, and Ukraine’s state security service has pointed the finger at the Kremlin.

Now the utilities are being served malicious Microsoft XLS files, which attempt to execute the open source GCat backdoor, a technique that has been used in many other attacks.

ESET threat man Robert Lipovsky says users are urged to execute macros and will be served with a Trojan downloaded from a remote server. “This backdoor is able to download executables and execute shell-commands,” Lipovsky says.

“Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code.

“The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network.”

Source: Ukraine energy utilities attacked again with open source Trojan backdoor

Microsoft explains why Irish Warrant Fight is important

Without trust, Microsoft thinks, nobody is going to use any cloud services, and the Snowden revelations put the trustworthiness of all technology suppliers in the spotlight. So when a warrant arrived at Microsoft’s Dublin data centre one day in 2013, a not uncommon occurrence for a cloud host, Microsoft was ready to kick back.

What Microsoft has done is refuse to comply, putting itself voluntarily in contempt of court. At issue is a piece of legislation called the 1986 Stored Communications Act, and the software firm is challenging two key things about it. Firstly, that the act covers private data that happens to be stored on your behalf by a third party (in this case Microsoft). Microsoft argues that the personal data is not its own, much as a UGC host like YouTube argues that it doesn’t own material that is “stored at users’ direction”.
[…]
“These are the private communications of our customers. They’re not ours. We don’t have access to them. We don’t want access to them,” he told an audience this week. “That’s a very different position to saying that any data stored with a cloud provider is a business record of that cloud provider, that can then be turned over to the government. That is a very dangerous precedent.”

And an interview with The Register clarified that point further: “By design we tell customers it is yours, we’re not going to access your data.”

Source: Microsoft legal eagle explains why the Irish Warrant Fight covers your back

Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices used by the White House, CIA and NSA for communications

In the funniest disclosure I’ve read in some time (well, it would be if it wasn’t so terribly dangerous), it turns out that these teleconferencing units had a hardcoded admin account with extra permissions built in with username BlackWidow. In the first “fix”, AMX basically changed the user to Batman. Poor show.
SEC Consult: Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices

Oracle blurts Google’s Android secrets in court: You made $22bn using Java, punk

And Google paid Apple $1bn to put its search into iPhones

An Oracle lawyer has blurted out in court how much money Google has made from Android – figures that the web giant has fiercely fought to keep secret.

And those numbers are: US$31bn in revenue, and US$22bn in profit, since 2008, when Android was launched. This money comes from Google’s cut from sales made via the Google Play store and adverts shown in apps.

Source: Oracle blurts Google’s Android secrets in court: You made $22bn using Java, punk

RSA asks for plaintext Twitter passwords on conference reg page

Scores of security bods registering for security outfit RSA’s Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company’s website in what is seen as something between bad practice and outright compromise.

The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.

But the page asks for their plaintext password directly, and does not make use of OAuth-based single sign-on, which is the standard means by which websites can allow Twitter logons without compromising security.

Source: RSA asks for plaintext Twitter passwords on conference reg page

I don’t know what is worse: RSA asking for this, or potential attendees (i.e. security “experts”) actually filling this in!

Rabobank puts NFC payment on all KPN SIM cards

The SIM cards have an NFC element that belongs to the Rabobank. I guess that means that Rabobank must then get quite a lot of information from the telco provider that you wouldn’t necessarily want them to have. Worrying.

Since the start of this year KPN has been issuing a new type of SIM card that makes contactless payment by phone possible. These are SIM cards with an NFC element in them. Rabobank is, as it were, renting a secure safe-deposit box on KPN phones. There are no plans to conclude comparable agreements with other telecom providers. Conversely, KPN is open to other banks renting space on its NFC SIM cards.

Source: Rabobank zet contactloos betalen op alle KPN-simkaarten – Emerce

USMC leadership shows how stuck in the mud they are when they try to fling some at Secretary of the Navy

Old sad dickless USMC leadership who can’t handle working with equally competent gay men or women are trying to get rid of Mr Mabus, who has not only insisted on using them in combat roles if they meet the standards but also (shock! horror!) insisted on exploring alternative fuels.

One is the integration of women into Marine infantry, Navy SEALs and other direct-combat jobs by April.

“If you can meet the standards, why should it matter if you are male or female? Why should it matter if you are straight or gay?” Mabus told reporters.

The other issue was the secretary’s push toward deploying ships and planes powered by alternative fuels, including biofuels made from mustard seed, algae or animal fat.

Mabus was in Coronado on Wednesday to preside over the deployment of an aircraft carrier group that included some ships burning a 90-10 blend of petroleum and animal fat fuels.

The secretary’s biofuels initiative became controversial when it became known that a 2011 buy of biofuel cost $15 a gallon for a 50-50 blend — four times the price of regular Navy ship fuel.

“Every single time there were naysayers,” Mabus said during a speech at the launch of his “great green fleet” Wednesday.

He was describing the Navy’s long history of embracing new power sources, including oil and later nuclear energy for ships.

“They were wrong again this time.”

The tenure of Mabus, a former Democratic governor of Mississippi, has included major social changes for the U.S. military — all of which he supported.

They included the end of the “don’t ask, don’t tell” ban on openly gay service members.

Source: Military.com

These old USMC dinosaurs will go extinct soon; in a few years’ time no one will know such retarded and scared misogynists put up a fight.

5th Annual State of Application Security Report (Healthcare) 2016

So should we expect a critical mass of consumers to walk away from organizations because their mobile health apps do not have the level of security protection they expect? Based on these research findings, perhaps. When put to the test, the majority of mobile health apps failed security tests and could easily be hacked. Among 71 popular mobile health apps tested for security vulnerabilities, 86% were shown to have at least two OWASP Mobile Top 10 Risks.

Such vulnerabilities could allow the apps to be tampered with and reverse-engineered, put sensitive health information in the wrong hands and, even worse, potentially force critical health apps to malfunction. Surprisingly, US Food and Drug Administration (FDA)-approved apps and formerly UK National Health Service (NHS)-approved apps were among the vulnerable mobile health apps tested, indicating that there is more work to be done by governing bodies to better understand the cybersecurity threats to mobile apps and improve the minimum acceptable security standards or regulations for mobile app development.

Source: State_of_Application_Security_2016_Healthcare_Report.pdf (pdf)

French say ‘Non, merci’ to encryption backdoors

The French government has rejected an amendment to its forthcoming Digital Republic law that required backdoors in encryption systems.

Axelle Lemaire, the Euro nation’s digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected.

“Recent events show how the fact of introducing faults deliberately at the request – sometimes even without knowing – the intelligence agencies has an effect that is harming the whole community,” she said according to Numerama.

“Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to fuel the debate, but this is not the right solution according to the Government’s opinion.”

Source: French say ‘Non, merci’ to encryption backdoors

Royal Melbourne hospital runs XP, dives into chaos when virus attacks.

The virus first struck in the pathology department and spread at breakneck speed across the hospital network. As a result, many staff had to carry out a great many tasks by hand.

Processes such as blood and tissue processing could no longer be carried out by the computers, and the nurses also had to work together with the catering department to make sure every patient got the right meal, since the computers that held all the patient records were infected too.

Source: Chaos en ellende in ziekenhuis dankzij Windows XP-virus

OpenSSH Private Crypto Key Leak Patch

“The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys said in its advisory. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.” There was a second vulnerability patched as well, a buffer overflow in the

Source: OpenSSH Private Crypto Key Leak Patch | Threatpost | The first stop for security news
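The leak lives in the client-side roaming code, and the work-around the OpenSSH project published alongside the 7.1p2 fix was to put `UseRoaming no` in the client configuration (that detail is not on the page). The check below is an added example, not code from the page, Qualys or the OpenSSH project. It parses a client config the way ssh does, keyword first-match wins, so a host-specific `UseRoaming yes` that appears before a global `no` still leaves roaming enabled for that host, and the work-around is therefore prepended rather than appended. The sample config is constructed.

```python
import re

# Constructed sample client configuration (not from the page). The host-specific
# "UseRoaming yes" comes first, so under ssh_config's first-match rule it wins for
# that host even though "Host *" later says no.
CONSTRUCTED_CONFIG = """\
Host build.example.test
    User deploy
    UseRoaming yes

Host *
    ServerAliveInterval 30
    UseRoaming no
"""

WORKAROUND = "UseRoaming no\n"


def _directives(config_text):
    """Yield (keyword, value, applies_to_all_hosts) for every directive, in file order."""
    applies = True  # before any Host/Match line every directive is global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            applies = value == "*"          # only "Host *" covers every host
            continue
        if key == "match":
            applies = value.lower() == "all"
            continue
        yield key, value, applies


def roaming_disabled(config_text):
    """True when the first UseRoaming value ssh would obtain for any host is "no".

    ssh_config keeps the first value obtained for a keyword, so a host-specific
    "yes" that precedes a global "no" still leaves roaming on for that host,
    and with no global directive at all the vulnerable default (yes) applies."""
    for key, value, applies in _directives(config_text):
        if key != "useroaming":
            continue
        if value.lower() != "no":
            return False   # a "yes" (global or host-specific) is obtained first
        if applies:
            return True    # a global "no" is obtained before anything else
    return False


def ensure_roaming_disabled(config_text):
    """Return the config with the work-around prepended so it is matched first."""
    if roaming_disabled(config_text):
        return config_text
    return "# work-around for the OpenSSH roaming private-key leak\n" + WORKAROUND + config_text


if __name__ == "__main__":
    print("roaming disabled in sample config:", roaming_disabled(CONSTRUCTED_CONFIG))
    fixed = ensure_roaming_disabled(CONSTRUCTED_CONFIG)
    print("after work-around:", roaming_disabled(fixed))
    print(fixed)
```

Run it against `~/.ssh/config` and `/etc/ssh/ssh_config` by reading those files into `roaming_disabled`; the work-around only matters on client builds that still contain the roaming code, but it is harmless on patched ones.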

FFmpeg allows file ops when it reads a video file

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file; downloading it will send files from a user’s PC to a remote attacker server. The attack does not even require the user to open that file – for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (e.g. baloo) could be affected. ffprobe is affected; basically all operations with a file that involve ffmpeg reading it are affected.

Source: Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines – Updated

Hyatt leaks customer credit card details

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015. The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems.

Source: Protecting Customer Information

The 25 Most Popular Passwords of 2015

It’s 2016 and you may have thought we’d all be a little older and wiser than this time last year. But as you read this list of 2015’s most popular passwords, you will shake your head, mumble unmentionables and reach the firm conclusion that, no, we are in fact all still complete and utter morons.

1. 123456 (Unchanged)

2. password (Unchanged)

3. 12345678 (Up 1)

4. qwerty (Up 1)

5. 12345 (Down 2)

6. 123456789 (Unchanged)

7. football (Up 3)

8. 1234 (Down 1)

9. 1234567 (Up 2)

10. baseball (Down 2)

11. welcome (New)

12. 1234567890 (New)

13. abc123 (Up 1)

14. 111111 (Up 1)

15. 1qaz2wsx (New)

16. dragon (Down 7)

17. master (Up 2)

18. monkey (Down 6)

19. letmein (Down 6)

20. login (New)

21. princess (New)

22. qwertyuiop (New)

23. solo (New)

24. passw0rd (New)

25. starwars (New)

Source: The 25 Most Popular Passwords of 2015: We’re All Such Idiots
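A list like this is most useful as a blocklist. The following is an added example, not code from the page or the article it cites: a small password-policy check that takes the 25 entries above, undoes the usual “leet” substitutions (so `P@ssw0rd2015` is caught as `password`), strips a trailing run of digits or punctuation (`Football99`), and also flags keyboard walks such as `1qaz2wsx` and `qwertyuiop` that a fixed list would miss in their longer variants. The minimum length, the leet table and the keyboard rows are assumptions of the example.

```python
import re

# The 25 most common passwords of 2015 as listed above, used as a blocklist.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]
COMMON_SET = frozenset(COMMON_PASSWORDS)
MIN_LENGTH = 8  # assumed policy value

# Undo the usual "leet" substitutions so that P@ssw0rd collapses to password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard rows, plus the top-to-bottom columns that produce walks like 1qaz2wsx.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm",
]


def candidates(pw):
    """Forms compared against the blocklist: lower-cased, with any trailing run
    of digits/punctuation removed, and each of those with leet reversed."""
    base = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)
    forms = set()
    for form in (base, stripped):
        forms.add(form)
        forms.add(form.translate(LEET))
    forms.discard("")
    return forms


def is_common(pw):
    return any(form in COMMON_SET for form in candidates(pw))


def is_keyboard_walk(pw, min_len=4):
    """True if the whole password is a run along a keyboard row or column (either direction)."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    return any(s in walk or s in walk[::-1] for walk in KEYBOARD_WALKS)


def check_password(pw):
    """Return the reasons a password is rejected; an empty list means it passed."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if is_common(pw):
        reasons.append("common password")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if len(set(pw)) == 1:
        reasons.append("repeated character")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons


def rejection_rate(passwords):
    """Fraction of the given passwords the policy rejects."""
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if check_password(p)) / len(passwords)


if __name__ == "__main__":
    for sample in ("123456", "P@ssw0rd2015", "Football99", "correct horse battery staple"):
        print("%-30s %s" % (sample, check_password(sample) or "ok"))
    print("rejected %.0f%% of the 2015 top-25" % (100 * rejection_rate(COMMON_PASSWORDS)))
```

In practice the blocklist would be the full breach-derived list rather than 25 entries, but the normalisation is what makes even a short list bite: `passw0rd` (24th) is the same password as `password` (2nd).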

US spy chief’s personal accounts hacked

US spy chief James Clapper’s personal online accounts have been hacked, his office confirmed Tuesday, a few months after CIA director John Brennan suffered a similar attack.

Clapper’s Office of the Director of National Intelligence confirmed the hack but refused to provide details.

“We are aware of the matter and we reported it to the appropriate authorities,” spokesman Brian Hale told AFP.

A teen hacker who goes by “Cracka” claimed to have hacked Clapper’s home telephone and Internet accounts, his personal email, and his wife’s Yahoo email, online magazine Motherboard reported.

Source: US spy chief’s personal accounts hacked

Cisco forgot its own passwords for seven weeks

Someone’s palm is digging a hole into their face at Cisco, which has just admitted it shipped a bunch of servers with the wrong default password.

“A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the configured password is provided,” the Borg says in a new Field Notice.

Kit made between November 17, 2015 and January 6, 2016 was misconfigured. If you get one and try to get it working with Cisco’s default admin password – “password” – you’ll look like a very silly sysadmin indeed.

The fault is all Cisco’s: for reasons it’s not explaining, the firm instead set the default password to “Cisco1234”.

Source: Cisco forgot its own passwords for seven weeks

Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls, calls it “management authentication issue”

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.

Source: Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls

A rose by any other name!

A new way to print 3-D metals and alloys using rust

A team of Northwestern University engineers has created a new way to print three-dimensional metallic objects using rust and metal powders.

While current methods rely on vast metal powder beds and expensive lasers or electron beams, Northwestern’s new technique uses liquid inks and common furnaces, resulting in a cheaper, faster, and more uniform process. The Northwestern team also demonstrated that the new method works for an extensive variety of metals, metal mixtures, alloys, and metal oxides and compounds.

Source: A new way to print 3-D metals and alloys

Trend Micro AV gave any website command-line access to Windows PCs

Ormandy, who has made something of a career of late discovering holes in popular security software, analyzed a component in Trend’s software dubbed Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.

“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he wrote in a bug report to Trend.

This means that any webpage could run a script that uses Trend Micro’s AV to run commands on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro’s security software on a PC without the owner’s knowledge or consent.

Then, as Ormandy looked deeper into Trend’s code, more problems were discovered.

Because the password manager was so badly written, Ormandy found that a malicious script could not only execute code remotely, it could also steal all passwords stored in the browser using the flaws in Trend’s software – even if they are encrypted.

Source: Trend Micro AV gave any website command-line access to Windows PCs

Antivirus companies are doing really really well lately. Not.

Material that can remember several shapes

We integrate the elasticity and plasticity into a single polymer network. Rational molecular design allows these two opposite behaviors to be realized at different temperature ranges without any overlap.

Source: Shape memory polymer network with thermally distinct elasticity and plasticity

Basically you can save different shapes and recover to those different shapes hundreds of times.