Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely takeover affected devices.
The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring software pre-installed on PCs with automatic failure detection and notifications for Dell devices. That component is made by a company called PC-Doctor, which develops hardware-diagnostic software for various PC and laptop original equipment manufacturers (OEMs).
“According to Dell’s website, SupportAssist is preinstalled on most of Dell devices running Windows, which means that as long as the software is not patched, this vulnerability probably affects many Dell users,” Peleg Hadar, security researcher with SafeBreach Labs – who discovered the breach – said in a Friday analysis.
Google Calendar was down for users around the world for nearly three hours earlier today. Calendar users trying to access the service were met with a 404 error message through a browser from around 10AM ET until around 12:40PM ET. Google’s Calendar service dashboard now reveals that issues should be resolved for everyone within the next hour.
“We expect to resolve the problem affecting a majority of users of Google Calendar at 6/18/19, 1:40 PM,” the message reads. “Please note that this time frame is an estimate and may change.” Google Calendar appears to have returned for most users, though. Other Google services such as Gmail and Google Maps appeared to be unaffected during the calendar outage, although Hangouts Meet reportedly experiencing some difficulties.
Google Calendar is currently experiencing a service disruption. Please stay tuned for updates or follow here: https://t.co/2SGW3X1cQn
Google Calendar’s issues come in the same month as another massive Google outage which saw YouTube, Gmail, and Snapchat taken offline because of problems with the company’s overall Cloud service. At the time, Google blamed “high levels of network congestion in the eastern USA” for the issues.
The outage also came just over an hour after Google’s G Suite twitter account sent out a tweet promoting Google Calendar’s ability to making scheduling simpler.
As far back as 2015, major companies like Sony and Intel have sought to crowdsource efforts to secure their systems and applications through the San Francisco startup HackerOne. Through the “bug bounty” program offered by the company, hackers once viewed as a nuisance—or worse, as criminals—can identify security vulnerabilities and get paid for their work.
On Tuesday, HackerOne published a wealth of anonymized data to underscore not only the breadth of its own program but highlight the leading types of bugs discovered by its virtual army of hackers who’ve reaped financial rewards through the program. Some $29 million has been paid out so far with regards to the top 10 most rewarded types of security weakness alone, according to the company.
HackerOne markets the bounty program as a means to safely mimic an authentic kind of global threat. “It’s one of the best defenses you can have against what you’re actually protecting against,” said Miju Han, HackerOne’s director of product management. “There are a lot of security tools out there that have theoretically risks—and we definitely endorse those tools as well. But what we really have in bug bounty programs is a real-world security risk.”
The program, of course, has its own limitations. Participants have the ability to define the scope of engagement and in some cases—as with the U.S. Defense Department, a “hackable target”—place limits on which systems and methods are authorized under the program. Criminal hackers and foreign adversaries are, of course, not bound by such rules.
“Bug bounties can be a helpful tool if you’ve already invested in your own security prevention and detection,” said Katie Moussouris, CEO of Luta Security, “in terms of secure development if you publish code, or secure vulnerability management if your organization is mostly just trying to keep up with patching existing infrastructure.”
“It isn’t suitable to replace your own preventative measures, nor can it replace penetration testing,” she said.
Not surprisingly, HackerOne’s data shows that overwhelmingly cross-site scripting (XSS) attacks—in which malicious scripts are injected into otherwise trusted sites—remain the top vulnerability reported through the program. Of the top 10 types of bugs reported, XSS makes up 27 percent. No other type of bug comes close. Through HackerOne, some $7.7 million has been paid out to address XSS vulnerabilities alone.
Cloud migration has also led to a rise in exploits such as server-side request forgery (SSRF). “The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http-enabled databases or perform post requests towards internal services which are not intended to be exposed,” HackerOne said.
Currently, SSRF makes up only 5.9 percent of the top bugs reported. Nevertheless, the company says, these server-side exploits are trending upward as more and more companies find homes in the cloud.
Other top bounties include a range of code injection exploits or misconfigurations that allow improper access to systems that should be locked down. Companies have paid out over $1.5 million alone to address improper access control.
“Companies that pay more for bounties are definitely more attractive to hackers, especially more attractive to top hackers,” Han said. “But we know that bounties paid out are not the only motivation. Hackers like to hack companies that they like using, or that are located in their country.” In other words, even though a company is spending more money to pay hackers to find bugs, it doesn’t necessarily mean that they have more security.
“Another factor is how fast a company is changing,” she said. “If a company is developing very rapidly and expanding and growing, even if they pay a lot of bounties, if they’re changing up their code base a lot, then that means they are not necessary as secure.”
According to an article this year in TechRepublic, some 300,000 hackers are currently signed up with HackerOne; though only 1-in-10 have reportedly claimed a bounty. The best of them, a group of roughly 100 hackers, have earned over $100,000. Only a couple of elite hackers have attained the highest-paying ranks of the program, reaping rewards close to, or in excess of, $1 million.
View a full breakdown of HackerOne’s “most impactful and rewarded” vulnerability types here.
The well-known and respected data breach notification website “Have I Been Pwned” is up for sale.
Troy Hunt, its founder and sole operator, announced the sale on Tuesday in a blog post where he explained why the time has come for Have I Been Pwned to become part of something bigger and more organized.
“To date, every line of code, every configuration and every breached record has been handled by me alone. There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat,” Hunt wrote. “it’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own.”
Over the years, Have I Been Pwned has become the repository for data breaches on the internet, a place where users can search for their email address and see whether they have been part of a data breach. It’s now also a service where people can sign up to get notified whenever their accounts get breached. It’s perhaps the most useful, free, cybersecurity service in the world.
On June 6, more than 70,000 BGP routes were leaked from Swiss colocation company Safe Host to China Telecom in Frankfurt, Germany, which then announced them on the global internet. This resulted in a massive rerouting of internet traffic via China Telecom systems in Europe, disrupting connectivity for netizens: a lot of data that should have gone to European cellular networks was instead piped to China Telecom-controlled boxes.
BGP leaks are common – they happen every hour of every day – though the size of this one and particularly the fact it lasted for two hours, rather than seconds or minutes, has prompted more calls for ISPs to join an industry program that adds security checks to the routing system.
The fact that China Telecom, which peers with Safe House, was again at the center of the problem – with traffic destined for European netizens routed through its network – has also made internet engineers suspicious, although they have been careful not to make any accusations without evidence.
“China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur,” noted Oracle Internet Intelligence’s (OII) director of internet analysis Doug Madory in a report. “Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”
A team at network security outfit vpnMentor was scanning cyber-space as part of a web-mapping project when they happened upon a Graylog management server belonging to Tech Data that had been left freely accessible to the public. Within that database, we’re told, was a 264GB cache of information including emails, payment and credit card details, and unencrypted usernames and passwords. Pretty much everything you need to ruin someone’s day (or year).
The exposure, vpnMentor told The Register today, is particularly bad due to the nature of Tech Data’s customers. The Fortune 500 distie provides everything from financing and marketing services to IT management and user training courses. Among the clients listed on its site are Apple, Symantec, and Cisco.
“This is a serious leak as far as we can see, so much so that all of the credentials needed to log in to customer accounts are available,” a spokesperson for vpnMentor told El Reg. “Because of the size of the database, we could not go through all of it and there may be more sensitive information available to the public than what we have disclosed here.”
In addition to the login credentials and card information, the researchers said they were able to find private API keys and logs in the database, as well as customer profiles that included full names, job titles, phone numbers, and email and postal addresses. All available to anyone who could find it.
vpnMentor says it discovered and reported the open database on June 2 to Tech Data, and by June 4 the distie had told the team it had secured the database and hidden it from public view. Tech Data did not respond to a request for comment from The Register. The US-based company did not mention the incident in its most recent SEC filings.
Google suffered major outages with its Cloud Platform on Sunday, causing widespread access issues with both its own services and third party apps ranging from Snapchat to Discord.
As of early Sunday evening, issues had persisted for hours; according to the Google Cloud Status Dashboard, the outages began at roughly 3:25 p.m. ET and were related to “high levels of network congestion in the eastern USA.” Outage-tracking service Down Detector indicated that access to YouTube was severely disrupted across the country, with the northeastern U.S. particularly having a rough go of it. Finally, the G Suite Status Dashboard listed virtually every one of its cloud-based productivity and collaboration tools—including Gmail, Drive, Docs, Hangouts, and Voice—as experiencing service outages. Amazingly enough, largely defunct social network Google+ was listed as experiencing no issues.
As the Verge noted, third-party services Discord, Snapchat, and Vimeo all use Google Cloud in their backends, with the outages preventing users from logging in. (However, issues were far from universal, with some users reporting no impact at all.)
All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there’s a fix in the works, it has not yet been integrated.
The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the “docker cp” command, which copies files to and from containers.
“The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client),” Sarai said in his advisory on the problem.
“If an attacker can add a symlink component to the path after the resolution but beforeit is operated on, then you could end up resolving the symlink path component on the host as root. In the case of ‘docker cp’ this gives you read and write access to any path on the host.”
Sarai notified the Docker security team about the vulnerability and, after talks with them, the two parties agreed that public disclosure of the issue was legitimate, even without a fix available, in order to make customers aware of the problem. Sarai said researchers were aware that this kind of attack might be possible against Docker for a couple of years. He developed exploit code for the vulnerability and said that a potential attack scenario could come through a cloud platform.
“The most likely case for this particular vector would be a managed cloud which let you (for instance) copy configuration files into a running container or read files from within the container (through “docker cp”),,” Sarai said via email.
“However it should be noted that while this vulnerability only has exploit code for “docker cp”, that’s because it’s the most obvious endpoint for me to exploit. There is a more fundamental issue here — it’s simply not safe to take a path, expand all the symlinks within it, and assume that path is safe to use.”
In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information.
Most passwords are secure
Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.
The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.
The company said that some passwords were hashed with the weaker SHA-1 algorithm, but they were not many.
“If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” Flipboard said.
[…]
In its email, Flipboard said it is now resetting all customer passwords, regardless if users were impacted or not, out of an abundance of caution.
Furthermore, the company has already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.
“We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts,” the company said.
Extensive breach
But despite some good news for users, the breach appears to be quite extensive, at least for the company’s IT staff.
According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.
The company said it detected the breach the day after this second intrusion, on April 23, while investigating suspicious activity on its database network.
On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and a majority of the users appear to be Americans based on their user IP and geolocations. I also noticed Chinese text inside the database with commands such as:
模型更新完成事件已触发,同步用户到
according to Google Translate: The model update completion event has been triggered, syncing to the user.
The strange thing about this discovery was that there were multiple dating applications all storing data inside this database. Upon further investigation I was able to identify dating apps available online with the same names as those in the database. What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other. The Whois registration for one of the sites uses what appears to be a fake address and phone number. Several of the other sites are registered private and the only way to contact them is through the app (once it is installed on your device).
Finding several of the users’ real identity was easy and only took a few seconds to validate them. The dating applications logged and stored the user’s IP address, age, location, and user names. Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password many people use it again and again across multiple platforms and services. This makes it extremely easy for someone to find and identify you with very little information. Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.
The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.
[…]
Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.
And this would potentially include anyone who’s ever been sent a document link via email by First American.
KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.
Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers.
[…]
“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”
[…]
A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.
Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form.
Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed. Hashing is a standard industry practice that protects credentials by scrambling them using a one-way encryption algorithm.
Google was at pains to stress it was the enterprise non-consumer version of G Suite affected, that there were no signs of misuse of the passwords, and that the passwords were encrypted at rest on disk – though, we note, hashing them would have fully secured the sensitive info.
Before we get to the threat model part of this, there are essentially two security cockups at play here. The first involves a G Suite feature available from 2005 that allowed organizations’ admins to set their G Suite users’ passwords via the Google account admin console. That feature, designed for IT staff to help new colleagues set their passwords and log in, did not hash these passwords.
The second involves recording some user passwords in plaintext on disk, as they logged in, and keeping these unhashed credentials around for 14 days at a time, again encrypted at rest. This practice started in January this year, during attempts by Googlers to troubleshoot their login system, and has been stopped.
A new device fingerprinting technique can track Android and iOS devices across the Internet by using factory-set sensor calibration details that any app or website can obtain without special permissions.
This new technique — called a calibration fingerprinting attack, or SensorID — works by using calibration details from gyroscope and magnetometer sensors on iOS; and calibration details from accelerometer, gyroscope, and magnetometer sensors on Android devices.
According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones’ sensors.
How does this technique work?
“Our approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps,” the research team said in a research paper published yesterday.
“Our analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors [in their devices’ sensors],” researchers said.
This calibration data can then be used as a fingerprint, producing a unique identifier that advertising or analytics firms can use to track a user as they navigate across the internet.
Furthermore, because the calibration sensor fingerprint is the same when extracted using an app or via a website, this technique can also be used to track users as they switch between browsers and third-party apps, allowing analytics firms to get a full view of what users are doing on their devices.
Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:
MAC address of every device that’s ever connected to it (full historical record, not just active devices)
Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
Operating system (such as “Windows 7” or “Android”)
In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.
Other sensitive information about the router such as the WAN settings, firewall status, firmware update settings, and DDNS settings are also leaked publicly.
A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.
The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.
From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.
Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database contained a record that calculated the worth of each account, based off the number of followers, engagement, reach, likes and shares they had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.
Last week, Adobe said that older versions of Creative Cloud apps—including Photoshop and Lightroom—would no longer be available to subscribers. This week, some users are getting messages from Adobe warning they could be at “risk of potential claims of infringement by third parties” should they continue to use outdated versions of their apps.
The new language on “third-party infringement” is an interesting development. In a blog, Adobe explained that Creative Cloud subscribers would only have access to the two most recent versions of its software. However, it didn’t really give a reason besides the boilerplate explanation that newer versions promised “optimal performance and benefits.”
In an email to Gizmodo, an Adobe spokesperson provided the following statement:
“Adobe recently discontinued certain older versions of Creative Cloud applications. Customers using those versions have been notified that they are no longer licensed to use them and were provided guidance on how to upgrade to the latest authorized versions. Unfortunately, customers who continue to use or deploy older, unauthorized versions of Creative Cloud may face potential claims of infringement by third parties. We cannot comment on claims of third-party infringement, as it concerns ongoing litigation.”
While Adobe won’t spill on which “third-party” might hold you liable for using old software, the company is currently being sued by Dolby for copyright infringement. Basically, a legal complaint from March details that Adobe licensed some technology from Dolby for its applications. Prior to Creative Cloud, the two companies struck a deal based on the number of discs sold for certain apps. However, the complaint alleges Adobe got cagey with its numbers once it switched over to the cloud.
Essentially, it was easy for Adobe to report sales when it was selling its software on physical discs. However, the way Creative Cloud works, creatives can pay one subscription fee to gain access to various programs. Meaning, one subscription gets you access to multiple programs with Dolby’s tech—except Dolby got paid only once. For example, the complaint details that Adobe’s Master Collection is advertised as one product, but actually contains “four products that each have a separate and independent copy of Dolby Technology” and that each requires its own royalty.
What this actually has to do with Creative Cloud subscribers is murky. After all, it’s not their fault if they were sold licenses for programs they didn’t actually have access to. It’s not abundantly clear if the Dolby case is the exact reason why Adobe has decided to stop allowing access to older versions of its software—but the infringement language makes it a distinct possibility. If it is the reason, however, it’s also some fuzzy logic to penalize creatives for some alleged corporate royalty dodging when many have been faithfully paying their subscription fees.
And before you think “Well, just update then?”, it’s important to note that there are lots of reasons why a creative may choose to use an older version of software. For instance, they may be operating on older computers that don’t have the specs to run increasingly bloated software. And while cloud-based services definitely have their benefits, it does highlight the issue that you essentially do not own the software you’re paying for—unlike with previous physical copies.
Still, there’s not much that creators can do aside from updating, finding alternative programs, or pulling out their favorite eyepatch and resorting to some good old fashioned piracy. Or, you could take to the internet to vent frustration in the form of someverygoodAdobememes.
A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims’ smartphones: all a snoop needs to do is make a booby-trapped voice call to a target’s number, and they’re in. The victim doesn’t need to do a thing other than leave their phone on.
The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.
[…]
Engineers at Facebook scrambled over the weekend to patch the hole, designated CVE-2019-3568, and freshly secured versions of WhatsApp were pushed out to users on Monday. If your phone offers to update WhatsApp for you, do it, or check for new versions manually.
Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way.
Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel’s reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week.
Boot Guard is a technology that was added in Intel Core 4th generation microarchitecture — also known as Haswell — and is meant to provide assurance that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer every time the computer starts.
[…
While the attack requires opening the laptop case to attach clip-on connectors to the chip, there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI and also serves malicious code. In fact, Hudson has already designed such an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it.
[…]
The Intel Boot Guard and Secure Boot features were created to prevent attackers from injecting malware into the UEFI or other components loaded during the booting process such as the OS bootloader or the kernel. Such malware programs have existed for a long time and are called boot rootkits, or bootkits, and attackers have used them because they are very persistent and hard to remove. That’s because they re-infect the operating system after every reboot before any antivirus program has a chance to start and detect them.
In its chip-swapping variant, Hudson’s and Bosch’s attack acts like a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system and it’s very hard to detect without opening the device and closely inspecting its motherboard.
Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information.
[…]
The problem is that distributing UEFI patches has never been an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have contracts with various PC manufacturers. Those OEMs then make their own firmware customizations before they ship it inside their products. This means that any subsequent fixes require collaboration and coordination from all involved parties, not to mention end users who need to actually care enough to install those UEFI updates.
The patches for the critical Meltdown and Spectre vulnerabilities that affected Intel CPUs also required UEFI updates and it took months for some PC vendors to release them for their affected products. Many models never received the patches in the form of UEFI updates because their manufacturers no longer supported them.
The two researchers plan to release their proof-of-concept code in the following months as part of a tool called SPISpy that they hope will help other researchers and interested parties to check if their own machines are vulnerable and to investigate similar issues on other platforms.
“I would really like to see the industry move towards opening the source to their firmware, to make it more easy to verify its correctness and security,” says Bosch.
A huge MongoDB database exposing 275,265,298 records of Indian citizens containing detailed personally identifiable information (PII) was left unprotected on the Internet for more than two weeks.
Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache of PII data was first indexed on April 23, 2019.
As he found out after further investigation, the exposed data included information such as name, gender, date of birth, email, mobile phone number, education details, professional info (employer, employment history, skills, functional area), and current salary for each of the database records.
[…]
Additionally, the names of the data collections stored within the database suggested that the entire cache of resumes was collected “as part of a massive scraping operation” for unknown purposes.
Exposed database contents
The researcher “immediately notified Indian CERT team on the incident, however, database remained open and searchable until today, May 8th, when it got dropped by hackers known as ‘Unistellar’ group.”
After the database got dropped by the hackers, Diachenko discovered the following message left behind after deleting all the data:
The message left by the hackers
Diachenko found multiple other unsecured databases and servers, unearthing a publicly accessible 140+ GB MongoDB database containing a huge collection of 808,539,939 email records during Early-March and another one with over 200 million records with resumes from Chinese job seekers in January.
He was also the one who discovered the personal information of more than 66 million individuals left out in the open on the Internet during December and an extra 11 million records during September, with all of them being stored in misconfigured and passwordless MongoDB instances.
These data leaks are a thing because a lot of MongoDB databases are left publicly accessible by their owners and are not properly secured. This means that they can be blocked by securing the database instance.
The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.
By reverse engineering ProTrack and iTrack’s Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up.
At that point, the hacker said he brute-forced “millions of usernames” via the apps’ API. Then, he said he wrote a script to attempt to login using those usernames and the default password.
This allowed him to automatically break into thousands of accounts that were using the default password and extract data from them.
According to a sample of user data L&M shared with Motherboard, the hacker has scraped a treasure trove of information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses. (According to L&M, he was not able to get all of this information for all users; for some users he was only able to get some of the above information.)
[…]
Though the hacker didn’t prove that he was able to turn off a car’s engine, a representative for Concox, the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack, confirmed to Motherboard that customers can turn off the engines remotely if the vehicles are going under 20 kilometers per hour (around 12 miles per hour.)
[…]
Rahim Luqmaan, the owner of Probotik Systems, a South African company that uses ProTrack, said in a phone call with Motherboard that it’s possible to use ProTrack to stop engines if a technician enables that function when installing the tracking devices.
[…]
ProTrack is made by iTryBrand Technology, a company based in Shenzhen, China. iTrack is made by SEEWORLD, a company based in Guangzhou, China. Both iTryBrand and SEEWORLD sell hardware tracking devices and the cloud platforms to manage them directly to users, and to companies that then distribute the hardware and services to users. L&M claimed to have broken into the accounts of some distributors too, which allows him to monitor the vehicles and control the accounts of their customers.
[…]
On its Google Play app page, iTrack advertises a free demo account with the username “Demo,” and the password “123456.” ProTrack provides potential customers with a free demo on its website. This week, when Motherboard tried the demo, the site displayed a prompt to change password because “the default password is too simple.” Last week, when Motherboard first tried the demo, this message did not appear. ProTrack’s API, moreover, also mentions the default password of “123456” in its documentation.
[…]
L&M said that ProTrack has reached out to customers via the app and via email to ask them to change their password this week, but it’s not forcing password resets yet.
ProTrack denied the data breach via email, but confirmed that its prompting users to change passwords.
“Our system is working very well and change password is normal way for account security like other systems, any problem?” a company representative said. “What’s more, why you contact our customers for this thing which make them to receive this kind of boring mail. Why hacker contact you?”
the addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found.
The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify the owner of the database, which until Monday was online and required no password to access. Some of the information was coded, like gender, marital status and income level. Names, ages and addresses were not coded.
The data didn’t include payment information or Social Security numbers. The 80 million households affected make up well over half of the households in the US, according to Statista.
“I wouldn’t like my data to be exposed like this,” Rotem said in an interview with CNET. “It should not be there.”
Rotem and his team verified the accuracy of some data in the cache but didn’t download the data to minimize the invasion of privacy of those listed, he said.
[…]
Unlike a hack, you don’t need to break into a computer system to access an exposed database. You simply need to find the IP address, the numerical code assigned to any given web page.
[…]
Rotem found that the data was stored on a cloud service owned by Microsoft. Securing the data is up to the organization that created the database, and not Microsoft itself.
“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured,” a Microsoft spokesperson told CNET in a statement Monday.
The server hosting the data came online in February, Rotem found, and he discovered it in April using tools he developed to search for and catalog unsecured databases.
Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people.
This comes immediately after panic this week over a hidden Telnet-based diagnostic interface was found in Huawei gateways. Although that vulnerability was real, irritating, and eventually removed at Vodafone’s insistence, it was dubbed by some a hidden backdoor perfect for Chinese spies to exploit to snoop on Western targets.
Which, of course, comes as America continues to pressure the UK and other nations to outlaw the use of Huawei gear from 5G networks over fears Beijing would use backdoors baked into the hardware to snatch Uncle Sam’s intelligence.
Well, if a non-internet-facing undocumented diagnostic Telnet daemon is reason enough to kick Huawei kit out of Western networks, surely this doozy from Cisco is enough to hoof American equipment out of British, European and other non-US infrastructure? Fair’s fair, no?
US tech giant Cisco has issued a free fix for software running on its Nexus 9000 series machines that can be exploited to log in as root and hijack the device for further mischief and eavesdropping. A miscreant just needs to be able to reach the vulnerable box via IPv6. It’s due to a default SSH key pair hardcoded into the software
A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.
Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool –which is used for debugging, diagnostics, and Dell drivers auto-updates.
The number of impacted users is believed to be very high, as the SupportAssist tool is one of the apps that Dell will pre-install on all Dell laptops and computers the company ships with a running Windows OS (systems sold without an OS are not impacted).
CVE-2019-3719
According to Bill Demirkapi, a 17-year-old security researcher from the US, the Dell SupportAssist app is vulnerable to a “remote code execution” vulnerability that under certain circumstances can allow attackers an easy way to hijack Dell systems.
The attack relies on luring users on a malicious web page, where JavaScript code can trick the Dell SupportAssist tool into downloading and running files from an attacker-controlled location.
Because the Dell SupportAssist tool runs as admin, attackers will have full access to targeted systems, if they manage to get themselves in the proper position to execute this attack.
Attack requires LAN/router compromise
“The attacker needs to be on the victim’s network in order to perform an ARP Spoofing Attack and a DNS Spoofing Attack on the victim’s machine in order to achieve remote code execution,” Demirkapi told ZDNet today in an email conversation.
This might sound hard, but it isn’t as complicated as it appears.
Two scenarios in which the attack could work include public WiFi networks or large enterprise networks where there’s at least one compromised machine that can be used to launch the ARP and DNS attacks against adjacent Dell systems running the SupportAssist tool.
On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first.
Last month, Facebook announced that hundreds of millions of Facebook and Facebook Lite account passwords were stored in plaintext in a database exposed to over 20,000 employees.
Microsoft says miscreants accessed some of its customers’ webmail inboxes and account data after a support rep’s administrative account was hijacked.
The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep’s account was compromised by hackers who would have subsequently gained “limited access” to certain parts of some customer email accounts, including the ability to read messages in particular cases.
In the alert, Microsoft warns its punters that, between January 1 and March 28 of this year, the attacker, or attackers, would have had the ability to extract certain information from their inboxes, including the subject names of messages, folder names, contact lists, and user email address. The intrusion was limited to consumer (read: free) Microsoft email accounts.
While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit – after media reports over the weekend – that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.
