The advertisment says: “Hello Google, what is the whopper burger?” and Google home reads out the first line of the wiki page.
So Google blocked Burger King. So BK re-recorded and Google Home devices recite the first

Absolutely brilliant and very funny! Alexa next! And even more funny: changing the wiki page just as the advert runs and getting Google Home to read out something completely different!

Source: Burger King thought it had a great idea. Instead, it ended up with a Whopper of a problem.

A partnership between computer scientists at the University of California San Diego and Google has allowed the search giant to reduce by 70 percent fraudulent business listings in Google Maps. The researchers worked together to analyze more than 100,000 fraudulent listings to determine how scammers had been able to avoid detection—albeit for a limited amount of time—and how they made money.

The team presented their findings at the 26th International Conference on the World Wide Web in Australia earlier this month.

The computer scientists identified what they describe as a “new form of blackhat search engine optimization that targets local listing services” such as Google Maps. They also describe how these scammers were able to make money.
[…]
For example, when people run a search on their mobile phone, the search engine uses their physical location as one of the inputs to decide which results to display, Snoeren explained.

The scammers take advantage of this by using fake locations to make it look like their business is in close proximity to the user doing the search.
[…]
Scammers are able to make money when they get called to help a user based on a fake listing. Scammers might quote a low price when called on the phone, only to charge a higher fee when they show up. They might not be licensed but get the business anyway.

In another scheme, scammers set up fake pins for real hotels or restaurants on Google Maps. They set up websites where customers make reservations, which are connected to the business’ real website or to a travel agency, which is not part of the scam. This allows scammers to make money either by getting a commission for each reservation or for referring traffic to the businesses’ real websites.

*D.Y. Huang, D. Grundman, K. Thomas, A. Kumar, E. Bursztein, K. Levchenko and A.C. Snoeren, “Pinning Down Abuse on Google Maps,” Proc. of the International Conference on World Wide Web (WWW), April 3-7, 2017, Perth, Australia.

The self-styled Shadow Brokers group has made a collection of NSA hacking tools and exploits publicly available.

The group released a password for their archive, making it available to all and sundry. They (unsuccessfully) attempted to auction off the trove last year.

In a (ranty) statement, Shadow Brokers said it was making the 2013 vintage hacking tools available as a protest against President Trump “abandoning” his base by bombing Syria in the wake of a chemical weapons attack on civilians, among other things.
[…]
Most of the exploits are old so it may be that the Shadow Brokers are either holding back on releasing the “good stuff” or never had them in the first place.

Snowden commented: “Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it’s nowhere near the full library, but there’s still so much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can’t, it’s a scandal.”

Source: Shadow Brokers crack open NSA hacking tool cache for world+dog

Source: 1046 – Broadcom: Heap overflow in TDLS Teardown Request while handling Fast Transition IE – project-zero – Monorail

Comes with proof of concept code

The Bricker Bot PDoS attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim’s devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv.’Corrupting a DeviceUpon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device.

Source: “BrickerBot” Results In Permanent Denial-of-Service | ERT Threat Alert

The commands it runs are really really nasty…

A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.
[…]
Scheel’s method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and runs in the TV’s background processes, meaning users won’t notice when an attacker compromises their TVs.

The researcher told Bleeping Computer via email that he developed this technique without knowing about the CIA’s Weeping Angel toolkit, which makes his work even more impressing.

Furthermore, Scheel says that “about 90% of the TVs sold in the last years are potential victims of similar attacks,” highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

At the center of Scheel’s attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that “harmonizes” classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV.

Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

Source: About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals

According to allegations in the indictment against Rimasauskas, which was unsealed this week, he had orchestrated his scheme between 2013 and 2015, targeting “a multinational technology company and a multinational online social media company” and tricking them into wiring funds to bank accounts under his control.

The bank accounts in question belonged to companies that Rimasauskas had himself set up and incorporated with the same name as an unspecified “Asian-based computer hardware manufacturer” with whom the victim companies were involved in legitimate business.

Rimasauskas’s phishing emails posed as if they represented the real hardware manufacturer, and requested that money which the victim companies owed to that manufacturer for legitimate good and services be paid into the accounts of the company he’d set up himself.

Source: Bloke, 48, accused of whaling two US tech leviathans out of $100m

Mark Vartanyan, who operated under the handle “Kolypto”, was arrested in Norway last year, and extradited to America in December. The 29-year-old was charged with one count of computer fraud. On Monday, he pleaded guilty [PDF] to a district court in Atlanta, US. He faces up to 10 years in the clink and a $250,000 fine – that’s slashed from a maximum of 25 years due to his guilty plea. He will be sentenced in June.
[…]
Citadel surfaced in 2011, infected Windows PCs, and silently slurped victims’ online banking credentials so their money could be siphoned into crooks’ pockets. It could also snoop on computer screens and hold files to ransom. It was a remarkable success. US prosecutors estimate that, at its height, the malware infected 11 million computers and was responsible for the theft of more than $500m from bank accounts.

Source: Russian mastermind of $500m bank-raiding Citadel coughs to crimes

We recently announced a new addition to Metasploit to help you do exactly that: the Hardware Bridge API. The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware. From within Metasploit you can now branch out into a Metasploit compatible hardware device to remotely control and use it for your penetration testing needs.
[…]
If your device supports CAN, Metasploit will automatically provide several interactive vehicle-related commands. This will also mark your Hardware Bridge (HWBridge) session as an Automotive session that can be viewed in your session list or via modules that are designed to work only on automotive systems. This allows exploit developers to focus on writing automotive tools without having to worry about the attached hardware. It also provides internal Metasploit APIs to make common automotive calls easier, such as getting the vehicle speed or requesting a security access token from the Engine Control Unit (ECU).

Source: Exiting the Matrix: Introducing Metasploit’s Ha… | Rapid7 Community and Blog

If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here.

The bugs range from attackers exfiltrating copies of what’s sent to printers, to denial-of-service, code execution, forced resets and even bricking the targets.

The work from the University Alliance Ruhr landed on Full Disclosure here (with five vendor-specific follow-ups), and as they note: “This vulnerability has presumably been present in every PostScript printer [for] 32 years as solely legitimate PostScript language constructs are abused.”

Source: We don’t want to alarm you, but PostScript makes your printer an attack vector • The Register

“Hmm, what is that unauth.cgi thingy? and what does that id number mean?”, I thought to myself.

Luckily for me the Internet connection had come back on its own, but I was now a man on a mission, so I started to look around to see if there were any known vulnerabilities for my VEGN2610. It turned out that there are none. :< I started looking up what that "unauth.cgi" page could be, and I found 2 publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need. (link 1 & link 2) Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials. I tested the method described in both, and voila - I have my password, now I can go to sleep happy and satisfied. I woke up the next morning excited by the discovery, I thought to myself: "3 routers with same issue… Coincidence? I think not". Luckily, I had another, older NETGEAR router laying around; I tested it and bam! Exploited.

Source: CVE-2017-5521: Bypassing Authentication on NETGEAR Routers

Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says.

So far more than 360 instances have had data copied and erased, held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.

Affected ElasticSearch administrators are greeted in one actor’s attacks with a message reading:

“Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins p14t0s@sigaint.org (sic).”

Source: MongoDB hackers now sacking ElasticSearch

Hackers have brewed up a strain of Android malware that uses compromised smartphones as conduits to attack routers.The Switcher trojan does not attack Android device users directly. Instead, the malware uses compromised smartphones and tablets as tools to attack any wireless networks they connect to.Switcher brute-forces access to the network’s router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server, security researchers at Kaspersky Lab report.This server fools the devices into communicating with websites controlled by the attackers, leaving users wide open to either phishing or further malware-based attacks.The attackers claim to have successfully infiltrated 1,280 wireless networks so far, mainly in China.

Source: New Android-infecting malware brew hijacks devices. Why, you ask? Your router • The Register

Why China especially? Because Google is forbidden there, so Chinese Android users are forced to use different app market places than the Play store.

Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago . That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
[…]
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)

Source: Yahoo Suffers World’s Biggest Hack Affecting 1 Billion Users

Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide.

Source: Exclusive: SWIFT confirms new cyber thefts, hacking tactics

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

According to Graham’s series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds. Note: it was infected by another botnet first and then after 98 seconds by Mirai

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

After the first stage of Mirai loads, “it then connects out to download the full virus,” Graham said in a Twitter post. “Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims.”

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn’t help because his Mirai-infected camera has a telnet password that cannot be changed.

“The correct mitigation is ‘put these devices behind your firewall’,” Graham said.

Source: Surveillance camera compromised in 98 seconds

hree has suffered a massive data breach in which the personal information and contact details of millions of customers could have been accessed. It is believed to one of the largest hacks of its kind to affect people living in Britain.

Here’s everything you need to know about the hack.
What happened?

UK-based cyber criminals managed to gain access to the upgrade database in Three’s computer system.

The database contains the personal information of those who are eligible for an upgrade, but it is not clear exactly how many customers this includes. The company has not outlined whether the system includes those who have previously upgraded or historic customers that have left the network.

Attackers allegedly accessed the database using stolen employee credentials, which allowed them to login to the system without Three noticing. Once in, they tricked it into sending high-end upgrade handsets to an address where they could intercept them.

Three has not said whether the accessed customer data was also stolen.
What customer details did they access?

Three has confirmed that the data accessed included names, phone numbers, addresses, dates of birth, and some email addresses.

Source: Three Mobile hack: how to protect yourself if you’ve been affected 

An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. Just to mention some exploitation strategies:

Elevation of privilege: Since the boot partition is typically not encrypted: It can be used to store an executable file with the bit SetUID enabled. Which can later be used to escalate privileges by a local user. If the boot is not secured, then it would be possible to replace the kernel and the initrd image.

Information disclosure: It is possible to access all the disks. Although the system partition is encrypted it can be copied to an external device, where it can be later be brute forced. Obviously, it is possible to access to non-encrypted information in other devices.

Denial of service: The attacker can delete the information on all the disks.

The Exploit (PoC)

The attacker just have to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx.

Source: Enter 30 to shell: Cryptsetup Initram Shell [CVE-2016-4484]

Bangladesh’s central bank hopes to retrieve $30 million more of the $81 million stolen from its account at the New York Federal Reserve in February, two bank officials said on Monday.

Hackers used stolen Bangladesh Bank credentials to try to send three dozen SWIFT messages to transfer nearly $1 billion from its Fed account. They succeeded in transferring $81 million to four accounts at Rizal Commercial Banking Corp in Manila.

Most of the money was laundered through casinos in Manila.

On Friday, Philippine authorities began the process of handing over $15.25 million to Bangladesh.

“We are hoping to get back around $30 million which remains frozen,” Bangladesh Bank deputy governor Abu Hena Mohammad Razee Hassan, who heads its financial intelligence unit, told Reuters.

Source: Bangladesh hopes to recover $30 million more from cyber heist

Adultfriendfinder.com 339,774,493 users “World’s largest sex & swinger community”
Cams.com 62,668,630 users “Where adults meet models for sex chat live through webcams”
Penthouse.com 7,176,877 users Adult magazine akin to Playboy
Stripshow.com 1,423,192 users Another 18+ webcam site
iCams.com 1,135,731 users “Free Live Sex Cams”
Unknown domain 35,372 users

Total: 412,214,295 aff

Source: AdultFriendFinder was hacked – LeakedSource

Remember the days back in the 90s when you could cripple someones Internet connection simply by issuing a few PING command like “ping -t [target]”? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can still be used to perform a denial of service attack; even when the victim is on a gigabit network.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

Cisco ASA 5506, 5515, 5525, 5540 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
Cisco Router 897 (unless rate-limited)
Palo Alto (unless ICMP Flood DoS protection is activated) – See advisory from Palo Alto.
SonicWall (if misconfigured)
Zyxel NWA3560-N (wireless attack from LAN Side)
Zyxel Zywall USG50

Source: BlackNurse Denial of Service Attack – NETRESEC Blog

With proof of concept. Of course, this requires “hacking” the originating bot back and only works if the bot is running over http, but still, better than nothing.

Source: Invincea Labs

An extraordinary, focused attack on DNS provider Dyn continues to disrupt internet services for hundreds of companies, including online giants Twitter, Amazon, AirBnB, Spotify and others.

The worldwide assault started at approximately 11am UTC on Friday. It was a massive denial-of-service blast that knocked Dyn’s DNS anycast servers offline, resulting in knock-on impacts across the internet. Folks immediately started reporting problems; millions of people are affected.

After two hours into the initial tidal wave of junk traffic, Dyn announced it had mitigated the assault and service was returning to normal. But the relief was short lived: just about an hour later, the attack resumed and at the time of writing (1800 UTC), not only is Dyn’s service still down but its website is too.

(Aptly, Dyn researcher Doug Madory had recently given a talk on DDoS attacks.)

By blasting Dyn offline, public DNS providers – such as Google and broadband ISPs – are unable to contact Dyn to lookup hostnames for netizens, preventing people from accessing sites using Dyn for DNS.

Source: DNS devastation: Top websites whacked offline as Dyn dies again

Avtech is the second most popular search term in Shodan. According to Shodan, more than 130.000 Avtech devices are exposed to the internet.

That’s because there are 14 serious unpatched vulnerabilities, the guide in the link goes through.

Ensure the admin interface is not exposed to the internet, change the default admin password if you own one of these cameras!

Source: Avtech devices multiple vulnerabilities