Former Lottery Security Director hacked random-number generator to rig lotteries, investigators say

For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators allege. The random-number generators had been erased, but new forensic evidence has revealed how the hack was apparently done.

[…]

The number generator had apparently been hacked to produce predictable numbers on three days of the year, after the machine had gone through a security audit.

All six prizes linked to Tipton were drawn between 2005 and 2011 on either 23 November or 29 December.

Investigators were able to recreate the draws and produce “the very same ‘winning numbers’ from the program that was supposed to produce random numbers,” said the Iowa Division of Criminal Investigation agent Don Smith.
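The replay the investigators describe, as an added example that is not from the article and is not the MUSL code: a toy draw generator whose seed on certain calendar dates is nothing more than the date itself, and the audit check that flags a recorded draw as reproducible from that date. The pool size, pick count and seed formula are constructed for the example; the article only gives the two dates, so the third rigged day is left out.

```python
"""Added example (not from the article): why a draw seeded from the date is
reproducible, and the replay check an auditor can run against recorded draws.
The generator is a toy (Python's Mersenne Twister seeded from the date);
nothing about the real lottery code is known from the article.
"""
from __future__ import annotations
import random
from datetime import date

POOL = 59    # constructed pool size for the example
PICK = 6     # numbers per draw
# Month/day pairs the article names (23 Nov, 29 Dec). The article says three
# days were affected but gives only these two, so only these two are modelled.
RIGGED = {(11, 23), (12, 29)}


def date_seed(d: date) -> int:
    # Weak seed: only the calendar date feeds the generator, so anyone who
    # knows the date can recompute the whole draw.
    return d.year * 10000 + d.month * 100 + d.day


def predictable_draw(d: date) -> list[int]:
    """Draw produced from the date-only seed (deterministic)."""
    rng = random.Random(date_seed(d))
    return sorted(rng.sample(range(1, POOL + 1), PICK))


def draw(d: date) -> list[int]:
    """The rigged machine: date-seeded on the rigged days, OS entropy otherwise."""
    if (d.month, d.day) in RIGGED:
        return predictable_draw(d)
    rng = random.SystemRandom()            # not reproducible from any seed
    return sorted(rng.sample(range(1, POOL + 1), PICK))


def replay_matches(recorded: list[int], d: date) -> bool:
    """Forensic replay: re-run the generator with the candidate date seed and
    compare with the recorded 'winning numbers'."""
    return predictable_draw(d) == sorted(recorded)


def suspicious_dates(recorded_draws: dict[date, list[int]]) -> list[date]:
    """Return the draw dates whose numbers are fully explained by the date
    seed. A sound generator should yield none of them."""
    return [d for d, nums in recorded_draws.items() if replay_matches(nums, d)]


if __name__ == "__main__":
    history = {d: draw(d) for d in (date(2010, 11, 23), date(2010, 6, 1),
                                     date(2011, 12, 29))}
    for d, nums in history.items():
        print(d, nums, "REPRODUCIBLE" if replay_matches(nums, d) else "ok")
```

The check is the same one an auditor would run against a production drawing system: if any recorded draw can be regenerated from a low-entropy seed such as the date, the generator is not random regardless of what the last security audit said.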

Foscam, QNAP, Swann send data to iotcplatform.com and others without knowledge or consent

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

The FI9286P, a Foscam camera that includes P2P communication by default.

This is the nightmare “Internet of Things” (IoT) scenario for any system administrator: The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!

BadTunnel Bug Hijacks All Network Traffic, for All Windows Versions

The research of Yang Yu, founder of Tencent’s Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

Yu says an attacker could leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim’s network traffic through a point controlled by the attacker.

By network traffic, Yu refers to all traffic, not just Web HTTP and HTTPS. This includes OS updates, software upgrades, Certificate Revocation List updates via Microsoft’s Crypto API, and other OS maintenance operations.

Source: BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

Boffins shake up smartphone with motion-sensor as microphone

Because nobody regards the vibration sensor as sensitive, smartphones typically leave it with wide-open permissions.

What Nirupam Roy and Romit Roy Choudhury did was to hack an Android phone so its vibration sensor acted as a microphone. Well: a vibration sensor is half-way to being a microphone anyhow, in terms of its basic function.

As they note in this paper, “any vibrating object should respond to air vibrations”. What makes a microphone different is that the diaphragm is very light, and therefore responds well to quiet sounds and high frequencies. The vibration sensor, on the other hand, doesn’t respond much to either.

As the pair says in their paper, “VibraPhone is attempting a different problem altogether – instead of learning a motion signature, it attempts to reconstruct the inherent speech content from the low bandwidth, highly distorted output of the vibra-motor.”

Source: Boffins shake up smartphone with motion-sensor as microphone

Apple services down for 8 hours, no explanation given

Apple’s U.S. web page showed all applications had resumed as of 11:55 p.m.

“There are no reported issues at this time,” the company said a few minutes later on its web page.

The iPhone maker said services related to iCloud and the Photos application have also resumed.

The issues appear to have started just before 4 p.m., according to a timeline provided on the tech giant’s support page.

Source: Apple Offers No Explanation for Outage, but Says All Services Back to Normal – NBC News

Isn’t the cloud great sometimes?

Lawyers Suggest You Stop Using Your Finger to Unlock Your Phone: You are protected against revealing passwords under the Fifth Amendment’s right against self-incrimination, but your biometrics are not.

A court or police officer could legally compel you to press your finger onto your smartphone to unlock it, but if your phone is locked with a passcode, no one can legally compel you to open it, says William J. Cook, an attorney and partner at law firm Reed Smith in Chicago, who specializes in information technology, privacy, and data security. Cook explains that the difference between a password and a biometric identifier is great under the law: you have a right not to reveal the contents of your mind, which includes things like a password, but your fingerprints are a part of who you are and you expose them to the public every day. This is why, when a person gets arrested, he or she must consent to being fingerprinted while retaining the right to remain silent. Thoughts are protected; biometric identifiers (fingerprints, face, hair) are not.

Source: Here’s Why Lawyers Suggest You Stop Using Your Finger to Unlock Your Phone

36 firms at risk from that unpatched 2010 SAP vuln? Try 500+

ERPScan, the ERP security specialist firm which originally discovered the misconfiguration flaw (research pdf here), said that Onapsis’s figures on exposure to the vulnerability are optimistic by more than an order of magnitude.

Alexander Polyakov, CTO at ERPScan, told El Reg that its research suggests as many as 533 organisations are at risk.

“Onapsis said that 36 organizations were actually breached,” Polyakov told El Reg. “Our assumption is that all of them were just examples of vulnerable systems which white-hats publish on their forum.”

“Onapsis’ assumption that those publications on a Chinese forum are examples of cyberattacks is wrong. I agree with them that there are many vulnerable systems (533 at least) and some people probably hacked them for real profit. Not just published a screenshot of potential deface but really performed [a] cyberattack.”

Source: 36 firms at risk from that unpatched 2010 SAP vuln? Try 500+

Malware and non-malware ways for ATM jackpotting. Extended cut – Securelist

Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines.

Source: Malware and non-malware ways for ATM jackpotting. Extended cut – Securelist

Cisco Finds Backdoor Installed on 12 Million PCs by French Advertiser Tuto4PC

Cisco’s Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The firm, previously known as Eorezo Group and apparently linked to another company called Wizzlabs, has been targeted by French authorities over its questionable practices regarding the installation of unwanted software and harvesting of users’ personal details.
[…]
Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other software, such as a known scareware called System Healer, but also of harvesting personal information. Furthermore, experts found that the software is designed to detect the presence of sandboxes, antiviruses, security tools, forensic software and remote access doors.

These “features” have led Cisco Talos to classify the Tuto4PC software as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”

Source: Cisco Finds Backdoor Installed on 12 Million PCs | SecurityWeek.Com

Microsoft Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account

A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. “The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote — depending on what the company has paid for in terms of licensing),” Kakavas and Bratec told Threatpost via email. “And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc. ).” Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.

Source: Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account – Slashdot

Oops, don’t you love the cloud? 🙂

Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles

The issue lies in the wireless USB dongles that the keyboards and mice use to communicate over radio frequencies with the host computer. Bastille says that while communication from most keyboards to the dongle is encrypted, none of the mice it tested encrypt their wireless communication. The dongle, therefore, will accept commands from an attacker in close physical proximity the same way it would from the user.

The attacker can, therefore, transmit malicious packets that generate keystrokes rather than mouse clicks, so long as the victim’s computer is turned on, Bastille said.

“Depending on the speed of the attack and how closely the victim is paying attention, it can happen pretty quickly,” said researcher Marc Newlin, who said that an attack could simulate 1,000 words-per-minute typing and install a rootkit in 10 seconds, or eight milliseconds-per-keystroke.

Bastille founder Chris Rouland said that an attacker could exploit the vulnerability with a $15 USB dongle and 15 lines of Python code against any Windows, Mac or Linux machine and gain full control.

“At this point, they can inject malware, or compromise an air-gapped network by turning on Wi-Fi on the target,” Rouland said. “We have been working with the vendors for more than 90 days. More than half of the mice are not able to be updated and will not be patched. And likely won’t be replaced. There will be vulnerable devices everywhere.”

Source: Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles | Threatpost | The first stop for security news

glibc getaddrinfo stack-based buffer overflow – patch now

The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is fo
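A size gate in front of the resolver, as an added example that is not from Google's post or from glibc: it parses the standard RFC 1035 header of a DNS reply and refuses replies at or above the 2048-byte size the article names as the trigger. The threshold is the article's; placing such a filter in a local forwarder ahead of getaddrinfo() is my assumption about deployment, and the sample replies are constructed.

```python
"""Added example, not Google's or glibc's code: classify DNS replies by size
so that oversized ones never reach a vulnerable getaddrinfo() resolver.
The 2048-byte figure comes from the article; the packet layout is RFC 1035.
"""
import struct

# The article says the bug needs a 2048+ byte reply; flag at that size
# (conservative: the boundary case is refused rather than accepted).
MAX_SAFE_RESPONSE = 2048


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: id, flags and the four section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit
        "truncated": bool(flags & 0x0200),     # TC bit
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def classify_response(msg: bytes) -> str:
    """'accept', 'drop-oversized', or 'not-a-response' for one wire message.
    The same rule applies to UDP and TCP payloads (length without the TCP
    2-byte length prefix)."""
    hdr = parse_header(msg)
    if not hdr["is_response"]:
        return "not-a-response"
    if len(msg) >= MAX_SAFE_RESPONSE:
        return "drop-oversized"
    return "accept"


def build_response(ident: int, txt_chunks: int) -> bytes:
    """Constructed sample reply for example.com with one TXT answer whose
    RDATA is `txt_chunks` character-strings of 255 bytes (256 bytes each on
    the wire). Total size is 41 + 256 * txt_chunks bytes."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 16, 1)            # TXT, IN
    rdata = b"".join(bytes([255]) + b"A" * 255 for _ in range(txt_chunks))
    answer = (b"\xC0\x0C"                                    # pointer to qname
              + struct.pack("!HHIH", 16, 1, 60, len(rdata))  # type, class, ttl, rdlength
              + rdata)
    return header + question + answer


if __name__ == "__main__":
    for chunks in (1, 8):
        reply = build_response(0x1234, chunks)
        print(len(reply), "bytes ->", classify_response(reply))
```

A forwarder that drops at this size loses some legitimately large replies (DNSSEC-signed or many-record answers), which is the trade-off the article's mitigation wording implies; patching glibc removes the need for the gate.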

Source: Google Online Security Blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Denuvo Anti-Piracy Tech stays good during the sales window of games, which is long enough

More than two months after release, it’s still not possible to pirate Just Cause 3. The same is true for Rise of the Tomb Raider, released for PC in late January. Cracking computer games used to be measured in hours or days, but now, it’s turning into weeks and months. The nature of piracy is changing in a big way.

Source: The Anti-Piracy Tech That’s Giving Hackers Fits

Crims unleashed IRS-stabbing malware in bid to rob 464,000 people

Fraudsters, armed with stolen social security numbers and other personal information on nearly half a million people, used malware to systematically request PINs corresponding to those taxpayers, allowing the crooks to potentially file paperwork on their behalf. The swindlers could put their own bank account details on the tax returns, thus channelling people’s rebates into the thieves’ pockets.

“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for stolen social security numbers. An E-file PIN is used in some instances to electronically file a tax return,” the IRS said in a statement today.

“Based on our review, we identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN.”

Source: Crims unleashed IRS-stabbing malware in bid to rob 464,000 people

GCHQ hacking phones and computers is legal, says top UK court

Computer, smartphone and network hacking by UK intelligence agency GCHQ is legal, a security tribunal has said.

The Investigatory Powers Tribunal ruled on Friday that computer network exploitation (CNE) – which can include remotely activating microphones and cameras on electronic devices such as iPhones without the owner’s knowledge – is legal.

The case, which was heard in 2015, was the first time that GCHQ admitted to carrying out hacking in the UK and overseas. Previously, their policy had been to “neither confirm nor deny”.
[…]
During proceedings, GCHQ admitted that it carries out CNE outside the UK, and that in 2013 about a fifth of its intelligence reports contained information derived from hacking.

Source: GCHQ hacking phones and computers is legal, says top UK court

So is there any kind of warrant procedure at all before they start hacking private individual or business computers?

Arrow: Fraudsters impersonated one of our execs to steal money • $13m

Enterprise tech distributor Arrow Inc will take a $13m charge on the chin after a fraudster posing as a company exec transferred money from the corporate bank account to an external one.
[…]
Deloitte has previously highlighted what it reckoned is the growing threat from ‘fake president’ frauds, “affecting many companies at the moment”.

It involves convincing an employee to make emergency bank transfers to a third party, “in order to obey an alleged order of a leader under the pretext of a debt to pay, a provision in contract or a deposit”.

Organised crims are suspected of perpetrating these scams, “with a complete knowledge regarding the market, structure and customers of the companies they are attacking”.

Source: Arrow: Fraudsters impersonated one of our execs to steal money • The Channel

Israeli Drone Feeds Hacked By British and American Intelligence

American and British intelligence secretly tapped into live video feeds from Israeli drones and fighter jets, monitoring military operations in Gaza, watching for a potential strike against Iran, and keeping tabs on the drone technology Israel exports around the world.

Under a classified program code-named “Anarchist,” the U.K.’s Government Communications Headquarters, or GCHQ, working with the National Security Agency, systematically targeted Israeli drones from a mountaintop on the Mediterranean island of Cyprus. GCHQ files provided by former NSA contractor Edward Snowden include a series of “Anarchist snapshots” — thumbnail images from videos recorded by drone cameras. The files also show location data mapping the flight paths of the aircraft. In essence, U.S. and British agencies stole a bird’s-eye view from the drones.

Source: Israeli Drone Feeds Hacked By British and American Intelligence

NSA’s top hacking boss explains how his guys work

Rare public appearance from Tailored Access Operations leader

NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.

Source: NSA’s top hacking boss explains how to protect your network from his attack squads

Maybe not all accurate, considering where it came from, but interesting points anyway.

Microsoft Edge Browser private mode leaks data through cache

There are plenty of open source utilities available that offer a look inside the ESE database in standalone mode, i.e. without external support required. However, this entirely depends on the state in which the database is present. Being an ESE database, in the case of a dirty shutdown of the machine there is a high possibility that the extracted artifacts will be found in a dirty dismount state. Therefore, in that case, the examiner would first have to process it with the Extensible Storage Engine Utilities provided by Microsoft Windows in order to further parse it in search of evidence.

History, being the most important database, has been used as an example for explaining the exploration of evidence in an ESE database using a viewer or an open source ESE DB reader.
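The first decision the passage describes, whether the database needs the ESE utilities before a viewer can parse it, can be made from the file header alone. The following is an added example, not code from the article or from any ESE tool: it reads the database state field of an ESE file header and reports whether the file was cleanly dismounted. The field offsets are my recollection of the libesedb format documentation and should be treated as an assumption; the sample header is constructed.

```python
"""Added example, not from the article: read the ESE file header and report
whether the database was cleanly dismounted. A dirty state means esentutl
recovery (/r) or repair (/p) must run before an offline viewer is used.

Header layout assumed from the libesedb format notes:
  0    checksum (4)
  4    signature, 0x89ABCDEF little-endian (4)
  8    format version (4)
  12   file type (4): 0 = database, 1 = streaming file
  52   database state (4)
  236  page size (4)
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF
STATE_NAMES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}
HEADER_BYTES = 4096   # enough to cover every field read below


def parse_ese_header(hdr: bytes) -> dict:
    """Decode the fields a forensic examiner needs before choosing a tool."""
    if len(hdr) < 240:
        raise ValueError("header too short to be an ESE file header")
    sig = struct.unpack_from("<I", hdr, 4)[0]
    if sig != ESE_SIGNATURE:
        raise ValueError(f"not an ESE file (signature 0x{sig:08X})")
    version, ftype = struct.unpack_from("<II", hdr, 8)
    state = struct.unpack_from("<I", hdr, 52)[0]
    page_size = struct.unpack_from("<I", hdr, 236)[0]
    return {
        "version": version,
        "file_type": "database" if ftype == 0 else "streaming",
        "state": state,
        "state_name": STATE_NAMES.get(state, "unknown"),
        "page_size": page_size,
    }


def needs_recovery(hdr: bytes) -> bool:
    """True unless the header records a clean shutdown (state 3)."""
    return parse_ese_header(hdr)["state"] != 3


def read_header(path: str) -> dict:
    """Parse the header of an on-disk ESE file such as WebCacheV01.dat."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_BYTES))


def make_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed sample header; only the fields read above are populated."""
    hdr = bytearray(HEADER_BYTES)
    struct.pack_into("<I", hdr, 4, ESE_SIGNATURE)
    struct.pack_into("<II", hdr, 8, 0x620, 0)   # version value is constructed
    struct.pack_into("<I", hdr, 52, state)
    struct.pack_into("<I", hdr, 236, page_size)
    return bytes(hdr)


if __name__ == "__main__":
    for st in (2, 3):
        info = parse_ese_header(make_header(st))
        print(info["state_name"], "-> run esentutl first" if needs_recovery(make_header(st)) else "-> parse directly")
```

On a Windows examination box the same state can be cross-checked with `esentutl /mh <file>`, which prints the header; the script is useful when the image is being processed on another platform. Work on a copy, since recovery and repair rewrite the file.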

Source: Microsoft Edge Browser Forensics – Exploring Project Spartan

Built-in LG smartphone app created data hack risk

“SNAP” allows an attacker to run arbitrary JavaScript code on vulnerable LG devices, according to security researchers from Israeli security firms BugSec and Cynet. This might be easily exploited to leak private data, mount phishing attacks and/or crash a vulnerable device, say the researchers.

The security flaw is rooted in a bug in one of the pre-installed LG applications, Smart Notice, which exists on every new LG G3 device. That’s why this device – but not other Android smartphones and tablets from other manufacturers, or earlier smartphones from LG – is vulnerable. LG debuted its Smart Notice app with the G3.

Source: Built-in LG smartphone app created data hack risk

A Health Insurer Lost Six Hard Drives Holding Data About 1 Million Customers

Centene, based in St Louis, says that the hard drives in question contain personal data about people who received laboratory services between 2009 and 2015. Stored on the drives are details including names, addresses, dates of birth, social security numbers, member ID numbers and health information.

Source: A Health Insurer Lost Six Hard Drives Holding Data About 1 Million Customers

Lenovo ShareIT comes with hardcoded password and directory traversal

Hard-coded password in Lenovo SHAREit for Windows

[CVE-2016-1491] When Lenovo SHAREit for Windows is configured to receive files, a Wifi HotSpot is set with an easy password (12345678). Any system with a Wifi Network card could connect to that Hotspot by using that password. The password is always the same.

Remote browsing of file system on Lenovo SHAREit for Windows

[CVE-2016-1490] When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP request to the web server launched by Lenovo SHAREit.

Source: Lenovo ShareIT Multiple Vulnerabilities

It’s not going well with Lenovo security

Skype finally hides IP addresses

Skype is fully committed to delivering as safe and secure of an experience as possible to our customers. We have recently introduced the ability to hide a Skype user’s IP address and we’ve set this as a default status in the latest versions of Skype. Starting with this update to Skype and moving forward, your…

Source: To our gamers: IP will now be hidden by default in latest update

About bloody time!