Inteno Routers given out by ISPs allow full administrative access

Several Inteno routers do not validate the Auto Configuration Server (ACS) certificate (CWE-295). An attacker in a privileged network position can Man-in-the-Middle the connection between the device and the ACS. If the ACS has been preconfigured by the ISP (this is usually the case), no user action is required for exploitation.

Impact
------

The attacker who can intercept the network traffic between the affected
device (CPE) and the Auto Configuration Server (ACS) gains full
administrative access to the device. The attacker can perform arbitrary
administrative operations on the device, such as flashing the device
firmware.

Inteno refuses to fix the problem.

advisory here
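
To make the flaw class concrete, here is an added example (not code from the advisory or from Inteno's firmware) that puts a TLS client context that accepts any ACS certificate beside one that validates chain and hostname, with a small audit function. The function names and the ACS URL are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample value; not taken from the advisory.
SAMPLE_ACS_URL = "https://acs.isp.example/cwmp"


def insecure_acs_context():
    """The flawed pattern: TLS is negotiated, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation: CWE-295
    return ctx


def hardened_acs_context(cafile=None):
    """Chain and hostname validation on; cafile can restrict trust to the ISP's CA."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_acs_settings(acs_url, ctx):
    """Return findings for a CWMP client's ACS URL and the TLS context it uses."""
    findings = []
    if urlsplit(acs_url).scheme != "https":
        findings.append("ACS URL is not https: the ACS is never authenticated")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (CWE-295)")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the ACS host")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_acs_context()),
                      ("hardened", hardened_acs_context())):
        print(name, audit_acs_settings(SAMPLE_ACS_URL, ctx) or "no findings")
```
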

Australian government auditor slams Tiger attack helicopter

The 64-page report details a range of issues. It identifies 76 “capability deficiencies,” of which the Department of Defence (DoD) deems 60 to be “critical.”
[…]
On average, only 3.5 aircraft in the operational fleet of 16 helicopters were available on “any given day in 2015,” says ANAO. This is below targeted readiness of 12 aircraft.
[…]
Sustainment costs are also an issue. Initially, between 2004 and 2019 these were pegged at A$571 million ($431 million). This amount was eclipsed in 2014, and costs mounted to A$921 million in 2016. The cost per flight hour in June 2016 was A$30,335, compared with a target of A$20,000.
[…]
Weapons availability appears to be a challenge. In addition, there have been two incidents – one in Germany, one in Australia – where 70mm rocket pods were jettisoned with no command from the pilot. The cause of this problem has yet to be identified.

Source: Australian government auditor slams Tiger attack helicopter