Bash broken – ShellShock

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

via NVD – Detail.
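The NVD text names the mechanism (a function definition in an environment variable, followed by a trailing command) and the boundary it crosses (a CGI gateway copying request headers into the environment). The following is an added example, not code from NVD or the bash project: it shows how mod_cgi-style header-to-environment mapping carries attacker text into bash, gives a signature check for the payload prefix, and probes the local bash for the original bug (CVE-2014-6271 only; the incomplete-fix follow-up CVE-2014-7169 needs a different probe). The request headers and the environment variable names are constructed for the example.

```python
import re
import subprocess

# Added example (not from the NVD entry): how attacker-controlled text
# reaches bash through the environment, and a probe for CVE-2014-6271.

# A bash function exported through the environment looks like "() { ...; }".
# A vulnerable bash keeps parsing past the closing brace and executes
# whatever follows ("echo VULNERABLE" here); a patched bash does not.
PAYLOAD = "() { :;}; echo VULNERABLE"

# Anything that starts with "() {" in a header value is a ShellShock attempt;
# this prefix is the signature most IDS rules and WAF filters keyed on.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_env_from_headers(headers):
    """Mimic the CGI/1.1 rule (RFC 3875) that mod_cgi applies: every request
    header becomes an environment variable named HTTP_<NAME>, upper-cased,
    with '-' replaced by '_'.  Values are copied verbatim, which is the
    privilege boundary ShellShock crosses."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def is_shellshock_payload(value):
    """Return True if a header or environment value carries the ShellShock
    function-definition prefix."""
    return bool(SHELLSHOCK_RE.match(value))


def probe_bash(bash="bash", var="HTTP_USER_AGENT"):
    """Run `bash -c 'echo probe'` with PAYLOAD in the environment under the
    given variable name.  Returns True if bash executed the trailing command
    (vulnerable), False if it only imported or ignored the function
    (patched), and None if no bash binary is available."""
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe"],
            env={var: PAYLOAD, "PATH": "/usr/bin:/bin"},
            capture_output=True, text=True, timeout=10, check=False,
        )
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return None
    return "VULNERABLE" in result.stdout


if __name__ == "__main__":
    # Constructed request headers, as a CGI gateway would see them.
    headers = {"Host": "www.example.com",
               "User-Agent": "() { :;}; /bin/cat /etc/passwd"}
    for name, value in cgi_env_from_headers(headers).items():
        if is_shellshock_payload(value):
            print(f"{name} carries a ShellShock payload: {value!r}")
    verdict = {True: "VULNERABLE", False: "patched", None: "no bash found"}
    print("local bash:", verdict[probe_bash()])
```

The probe is the same one-liner that circulated in September 2014 (`env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`), wrapped so that the result is a return value rather than console output; run it against each bash binary on a host, not just the one on PATH, because statically linked copies in appliances and containers were patched late or not at all.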

The hacker's toolbox | Workshop Security and Privacy

Security is a craft; hackers have often spent their whole lives testing systems and applications, but, as with a good IT administrator, a hallmark of a hacker is that they would rather automate (script) routine tasks.
In the early days of the web, hackers mostly kept their own collections of scripts, and these scripts were often exchanged via bulletin boards or forums.
However, it soon proved much more efficient to bundle these scripts, and from that grew full-fledged hacking frameworks, among the best known of which are Metasploit and OpenVAS.

The hacker's toolbox | Workshop Security and Privacy.

The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud

The software first brute-forces an iCloud username/password, then tricks iCloud into thinking your device is the target device, and finally performs a full restore of the target's backup to your device.
This software is supposed to be for law enforcement only, but anyone can buy and download it, and pirated copies are also in circulation.

The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud | Threat Level | WIRED.

Researchers find security flaws in backscatter X-ray scanners

In laboratory tests, the team was able to successfully conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner. The team was also able to modify the scanner operating software so it presents an "all-clear" image to the operator even when contraband was detected.

via Researchers find security flaws in backscatter X-ray scanners – ScienceBlog.com.

This was demonstrated on German TV in 2009, but better late than never, guys!

UPS: We’ve Been Hacked – Credit Card data compromised since January

The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS.

via UPS: We’ve Been Hacked – TIME.

So we don't know when UPS found out about the hack, but if it has been fighting the fight since January 20, it has spent rather a long time handing customer data to the hackers.

It’s very easy to hack traffic lights

The lights use 900 MHz or 5.8 GHz radios to exchange data, and all of them sit on the same subnet. Joining the network requires no password and the traffic is unencrypted. The controllers ship with a debug port open by default, so it is easy to reach a controller and send it your own commands, at which point you can change the lights and control the cameras.

Researchers find it’s terrifyingly easy to hack traffic lights | Ars Technica.

Use a video of a crisps bag to hear what is said in the room

Researchers at MIT, Microsoft, and Adobe have developed an algorithm that can reconstruct an audio signal by analyzing minute vibrations of objects depicted in video. In one set of experiments, they were able to recover intelligible speech from the vibrations of a potato-chip bag photographed from 15 feet away through soundproof glass.

via Extracting audio from visual information | MIT News Office.

Ciscos need upgrading – routing tables are up for grabs!

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

via Cisco Security Advisory: OSPF LSA Manipulation Vulnerability in Multiple Cisco Products.

Russia gang hacks 1.2 billion usernames and passwords

A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security – a US firm specialising in discovering breaches.

Hold Security described the hack as the "largest data breach known to date".

It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world".

via BBC News – Russia gang hacks 1.2 billion usernames and passwords.

Malware without files on the PC, encoded in the registry

As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.
After that, they make sure that the malicious activities survive a system reboot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden.
Decoding this key shows two new aspects: code that makes sure the affected system has Microsoft PowerShell installed, and additional code.
The additional code is a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).
As a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.
All activities are stored in the registry. No file is ever created.

Malware that resides in the registry only – a rare and rather new approach

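The write-up above describes a persistence chain that lives entirely in the registry: an autostart value, hidden from casual inspection, holding a Base64-encoded PowerShell script. The following is an added example, not code from the write-up or from the malware: it scans a Windows registry export (`.reg` text) for Run/RunOnce values that launch PowerShell with an encoded command, decodes the script (PowerShell's `-EncodedCommand` takes Base64 of UTF-16LE text), and flags value names containing non-printable characters, which is one known way to make an entry hard to see or delete in regedit. The write-up does not say how its key was hidden, so that check is a heuristic; the registry export, the vendor-looking Run entry and the embedded script are constructed for the example.

```python
import base64
import re
import string

# Added example (not from the G Data write-up): find registry-resident
# PowerShell autostarts in a .reg export and decode them for the analyst.

AUTOSTART_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# powershell ... -EncodedCommand <base64>; powershell.exe also accepts the
# abbreviations -e, -ec and -enc, which malware uses to shorten the value.
ENCODED_CMD_RE = re.compile(
    r"powershell(?:\.exe)?.*?\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every REG_SZ value in a .reg
    export.  Only "..." string values are handled; that is what a Run entry
    uses.  Escapes (\\" and \\\\) are undone so data reads like regedit."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if data.startswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                yield key, name, data


def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of a UTF-16LE string."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def find_suspicious_autostarts(reg_text):
    """Return a list of findings for autostart values worth a closer look."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS):
            continue
        reasons, script = [], None
        # Heuristic: a value name with control characters is not something a
        # legitimate installer writes, and regedit handles such names badly.
        if any(ch not in string.printable for ch in name):
            reasons.append("non-printable value name")
        m = ENCODED_CMD_RE.search(data)
        if m:
            reasons.append("powershell -EncodedCommand")
            script = decode_encoded_command(m.group(1))
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "reasons": reasons, "script": script})
    return findings


def _encoded_command(script):
    """Encode a script the way `powershell -EncodedCommand` expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a benign-looking Run entry plus a hidden one whose
# name is a single control character and whose data is an encoded loader
# stub (the shellcode bytes are a placeholder, not real payload).
SCRIPT = ("$sc = [Convert]::FromBase64String('AAAA'); "
          "$p = [Runtime.InteropServices.Marshal]::AllocHGlobal($sc.Length)")
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"SyncClient"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Sync\\\\sync.exe\\" /background"\n'
    '"\x01"="powershell.exe -w hidden -nop -enc ' + _encoded_command(SCRIPT) + '"\n'
)

if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_REG):
        print(f"{f['key']}  name={f['name']!r}  ({', '.join(f['reasons'])})")
        if f["script"]:
            print("  decoded script:", f["script"])
```

Exporting the Run keys with `reg export` from a live system and feeding the file to this script is enough for triage; an investigation that wants the full chain also needs to look for the second, larger value holding the shellcode, which the write-up says is stored in the registry as well rather than on disk.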

BadUSB – Turning USB peripherals into hacking vectors

Once reprogrammed, benign devices can turn malicious in many ways, including:

A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.

A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

via Turning USB peripherals into BadUSB | Security Research Labs.

Looks like Karsten Nohl has done it again!
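The three attack modes listed above all rely on the same thing: the device presents USB interfaces (keyboard, network adapter, boot-time storage) that its packaging does not suggest. The following is an added example, not code from Security Research Labs: a host-side enumeration policy in the spirit of a USB device whitelist, which flags a device whose interface descriptors do not match what it is known as, and blocks unknown devices that offer input or network interfaces. The vendor/product IDs, the policy table and the device records are constructed; the interface class codes are the standard USB-IF assignments.

```python
# Added example (not from the SRLabs research): a USB enumeration policy that
# catches a storage device which has grown a keyboard or network interface.

# Standard USB interface class codes (bInterfaceClass).
USB_CLASS = {0x02: "CDC-Control", 0x03: "HID", 0x08: "Mass-Storage",
             0x0A: "CDC-Data", 0xE0: "Wireless"}
# Classes that let a device type on the user's behalf or rewrite DNS/routes.
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A, 0xE0}

# Constructed policy: known device identity -> interface classes it may expose.
POLICY = {
    (0x1234, 0x0001): {0x08},   # the office thumb drive: mass storage only
    (0x1234, 0x0002): {0x03},   # the desk keyboard
}


def classify_interfaces(device):
    """Set of interface class codes the device exposes in its configuration."""
    return {iface["bInterfaceClass"] for iface in device["interfaces"]}


def decide(device):
    """Return ("allow"|"block", reason) for a newly enumerated device."""
    classes = classify_interfaces(device)
    allowed = POLICY.get((device["idVendor"], device["idProduct"]))
    if allowed is None:
        # Unknown device: plain storage may mount, but nothing unknown gets
        # to type or to become a network interface.
        if classes & INPUT_OR_NETWORK:
            return "block", "unknown device offers input/network interfaces"
        return "allow", "unknown device, no input/network interfaces"
    extra = classes - allowed
    if extra:
        names = ", ".join(USB_CLASS.get(c, hex(c)) for c in sorted(extra))
        return "block", "extra interfaces: " + names
    return "allow", "matches policy"


# Constructed device records, as a host would read them from the descriptors.
BENIGN_DRIVE = {"idVendor": 0x1234, "idProduct": 0x0001,
                "interfaces": [{"bInterfaceClass": 0x08}]}
# Same identity as the office drive, but the reprogrammed firmware also
# enumerates a HID interface to inject keystrokes.
BADUSB_DRIVE = {"idVendor": 0x1234, "idProduct": 0x0001,
                "interfaces": [{"bInterfaceClass": 0x08},
                               {"bInterfaceClass": 0x03}]}
# An unknown stick that presents itself as a CDC Ethernet adapter.
ROGUE_NIC = {"idVendor": 0xABCD, "idProduct": 0x0010,
             "interfaces": [{"bInterfaceClass": 0x02},
                            {"bInterfaceClass": 0x0A}]}

if __name__ == "__main__":
    for label, dev in [("benign drive", BENIGN_DRIVE),
                       ("BadUSB drive", BADUSB_DRIVE),
                       ("rogue NIC", ROGUE_NIC)]:
        verdict, reason = decide(dev)
        print(f"{label:13s} {verdict:5s} {reason}")
```

The check has to run at every enumeration, not once per physical device: reprogrammed firmware can detach and re-enumerate with a whitelisted identity and a different interface set, which is why the interface comparison carries more weight than the vendor/product ID. It also does nothing against the third mode above (a drive that serves modified boot sectors), which only disk encryption with a measured boot chain addresses.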

ONE EMAIL costs mining company $300 Million in stock fall

In January 2013, a chap called Jonathan Moylan sent a single email that caused an AU$314m – £174m or $295m – dip in a coal company’s value.

The email was a fake press release stating that Whitehaven Coal’s bank, ANZ, had decided not to lend the mining firm the billion or so dollars needed to open a new pit.

Moylan’s message was sent from a domain that riffed on ANZ Bank’s name, used the bank’s logo and included the name of an ANZ Bank PR person and a phone number. That number was Moylan’s own, so when journalists called to confirm the details of the fake press release, Moylan simply told them it was all kosher.

ONE EMAIL costs mining company $300 MEEELION • The Register.

Think W3 Ltd lost >1m credit card records in website breach.

Think W3 Limited was hacked in December 2012 in an attack that relied on what the ICO described as "insecure" coding on the website of its subsidiary business, Essential Travel Ltd. The unidentified hacker behind the attack siphoned off a total of 1,163,996 credit and debit card records (431K current and 733K expired).

"Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed," according to a subsequent investigation into the incident by data privacy watchdogs at the Information Commissioner’s Office (ICO). Think W3 was found guilty of a "serious" breach of the DPA.

via Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS exposed • The Register.

UK: 4 strikes, not out, pirates!

In an unbelievably sane move, the UK has accepted that piracy exists and that cutting people from the internet won’t work very well.

Geoff Taylor, chief executive of music trade body the BPI, said VCAP was about “persuading the persuadable, such as parents who do not know what is going on with their net connection.”

He added: “VCAP is not about denying access to the internet. It’s about changing attitudes and raising awareness so people can make the right choice.”

Britain just decriminalised online game piracy | VG247.

2600 magazine ripped off by TEN: The Enthusiast Network

the distributor (Source Interlink) decided to close its doors to magazine distribution after losing Time Inc.’s business. This caused us to scramble to find alternative methods of getting our magazine into stores around the world, a feat we accomplished without too much difficulty. But getting what was left of Source Interlink, now rebranded as “TEN: The Enthusiast Network,” to pay us for the two issues retailers paid them for, is proving much more difficult.

SOURCE INTERLINK CLOSURE AND REBRANDING PUTS 2600 IN LIMBO | 2600.

Police voice recording systems hackable with backdoors

"NICE Recording eXpress is designed specifically for the audio recording needs of the small and medium sized Public Safety organisation. This advanced recording solution offers a comprehensive, advanced, easy-to-install and affordable platform built for the Public Safety environment and Command and Control operations delivering optimal recording functionality and quality management."

Source: http://www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf

Business recommendation:

Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access at the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jump host for further attacks on the internal voice VLAN, depending on the network setup.


eBay Hacked, Change Your Passwords Now

If you have an eBay account, it’s time to change your password. The company released a statement today saying their internal and customer databases were compromised earlier this year, and starting today they’ll prompt everyone to change their passwords.

Attackers made off with names, addresses, email addresses, phone numbers, birth dates, and of course, encrypted passwords. eBay explained that financial info like credit card numbers and other sensitive data (like PayPal accounts) are kept in a separate encrypted database which wasn’t compromised. They also said they’ve found no evidence of unauthorized access or activity by registered eBay users—which is code for "we don’t think anyone’s used these passwords yet." According to the statement, intruders compromised employee accounts first, and used their access to get the data they really wanted. They discovered the breach about two weeks ago, but the actual attack took place back in late February and early March.

via eBay Hacked, Change Your Passwords Now.

Samsung Galaxy Backdoor

Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.

In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone’s storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone’s file system.

via SamsungGalaxyBackdoor – Replicant.

Which goes to show – closed, proprietary code is almost never a good thing!