Microsoft struggles against self-inflicted Office 365 IMAP outage. 7 days and counting.

Microsoft engineers are struggling to fix a seven-day-old, self-inflicted Office 365 IMAP outage.

IMAP access to Office 365 tanked on January 18, meaning customers could not access emails using Exchange Online via IMAP or connect third-party mail clients via IMAP.

Microsoft told disgruntled Office 365 customers that the problem affected a limited number of licensees – but that those customers hit had a “large number of users.”

The culprit was found to be a botched Microsoft update that stopped the IMAP protocol automatically loading data from Exchange Online databases.

Source: Microsoft struggles against self-inflicted Office 365 IMAP outage

Cloud is a great idea. Not always.

Terrible infections, bad practices, unclean kit – welcome to hospital IT

Medicine is world’s worst industry for data security, it seems

Source: Terrible infections, bad practices, unclean kit – welcome to hospital IT

Hospitals running unpatched XP and 95, hardware vendors that ship 36 trojans with their patches, people running around pressing keyboard keys to make sure none of the PCs ever logs out, pacemakers with open debug routines that allow interruption of service, it’s quite an article.

Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices used by the White House, CIA and NSA for communications

In the funniest disclosure I’ve read in some time (well, it would be if it wasn’t so terribly dangerous), it turns out that these teleconferencing units had a hardcoded admin account with extra permissions built in with username BlackWidow. In the first “fix”, AMX basically changed the user to Batman. Poor show.

Source: SEC Consult: Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices

RSA asks for plaintext Twitter passwords on conference reg page

Scores of security bods registering for security outfit RSA’s Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company’s website in what is seen as something between bad practice and outright compromise.

The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.

But the page asks for their direct plaintext password, and does not make use of OAuth-enabled single sign-on, which is the standard means by which websites can allow Twitter logons without compromising security.

Source: RSA asks for plaintext Twitter passwords on conference reg page

I don’t know what is worse: RSA asking for this, or potential attendees (i.e. security “experts”) actually filling this in!

5th Annual State of Application Security Report (Healthcare) 2016

So should we expect a critical mass of consumers to walk away from organizations because their mobile health apps do not have the level of security protection they expect? Based on these research findings, perhaps. When put to the test, the majority of mobile health apps failed security tests and could easily be hacked. Among 71 popular mobile health apps tested for security vulnerabilities, 86% were shown to have at least two OWASP Mobile Top 10 Risks.

Such vulnerabilities could allow the apps to be tampered and reverse-engineered, put sensitive health information in the wrong hands and, even worse, potentially force critical health apps to malfunction. Surprisingly, US Food and Drug Administration (FDA)-approved apps and formerly UK National Health Service (NHS)-approved apps were among the vulnerable mobile health apps tested, indicating that there is more work to be done by governing bodies to better understand the cybersecurity threats to mobile apps and improve the minimum acceptable security standards or regulations for mobile app development.

Source: State_of_Application_Security_2016_Healthcare_Report.pdf (pdf)

French say ‘Non, merci’ to encryption backdoors

The French government has rejected an amendment to its forthcoming Digital Republic law that required backdoors in encryption systems.

Axelle Lemaire, the Euro nation’s digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected.

“Recent events show how the fact of introducing faults deliberately at the request – sometimes even without knowing – the intelligence agencies has an effect that is harming the whole community,” she said according to Numerama.

“Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to fuel the debate, but this is not the right solution according to the Government’s opinion.”

Source: French say ‘Non, merci’ to encryption backdoors

Royal Melbourne hospital runs XP, dives into chaos when virus attacks.

The virus struck first in the pathology department and spread extremely quickly across the hospital network. As a result, many staff had to carry out a lot of tasks by hand.

Processes such as blood and tissue processing could no longer be performed by the computers, and nurses also had to work with the department that handled meals to make sure every patient received the correct meal, since the computers that held all the patient records were infected as well.

Source: Chaos and misery in hospital thanks to Windows XP virus (Chaos en ellende in ziekenhuis dankzij Windows XP-virus)

OpenSSH Private Crypto Key Leak Patch

“The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys said in its advisory. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.” There was a second vulnerability patched as well, a buffer overflow in the

Source: OpenSSH Private Crypto Key Leak Patch | Threatpost | The first stop for security news

FFmpeg allows file ops when it reads a video file

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file – for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected; basically all operations on a file that involve ffmpeg reading it are affected.

Source: Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines – Updated

Hyatt leaks customer credit card details

The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015. The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems.

Source: Protecting Customer Information

The 25 Most Popular Passwords of 2015

It’s 2016 and you may have thought we’d all be a little older and wiser than this time last year. But as you read this list of 2015’s most popular passwords, you will shake your head, mumble unmentionables and reach the firm conclusion that, no, we are in fact all still complete and utter morons.

1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)

Source: The 25 Most Popular Passwords of 2015: We’re All Such Idiots

Cisco forgot its own passwords for seven weeks

Someone’s palm is digging a hole into their face at Cisco, which has just admitted it shipped a bunch of servers with the wrong default password.

“A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the configured password is provided,” the Borg says in a new Field Notice.

Kit made between November 17, 2015 and January 6, 2016 was misconfigured. If you get one and try to get it working with Cisco’s default admin password – “password” – you’ll look like a very silly sysadmin indeed.

The fault is all Cisco’s: for reasons it’s not explaining, the firm instead set the default password to “Cisco1234”.

Source: Cisco forgot its own passwords for seven weeks

Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls, calls it “management authentication issue”

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.

Source: Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls

A rose by any other name!

Trend Micro AV gave any website command-line access to Windows PCs

Ormandy, who has made something of a career of late discovering holes in popular security software, analyzed a component in Trend’s software dubbed Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.

“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he wrote in a bug report to Trend.

This means that any webpage could run a script that uses Trend Micro’s AV to run commands on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro’s security software on a PC without the owner’s knowledge or consent.

Then, as Ormandy looked deeper into Trend’s code, more problems were discovered.

Because the password manager was so badly written, Ormandy found that a malicious script could not only execute code remotely, it could also steal all passwords stored in the browser using the flaws in Trend’s software – even if they are encrypted.

Source: Trend Micro AV gave any website command-line access to Windows PCs

Antivirus companies are doing really really well lately. Not.

SLOTH attack means MD5 needs to be removed from TLS and SSH ASAP

In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while MD5 (and its successor SHA1) are being phased out, they continue to be used in “mainstream protocols” like TLS, IKE, and SSH.

This is not exactly news, but the assumption has always been that its continued use doesn’t compromise security due to “pre-image resistance,” meaning it would require far too much computational power to crack. The paper argues this isn’t true and you could crack a code in an hour (given a powerful server) and use it to impersonate an end user – i.e., break into a system.

Source: The sloth is coming! Quick, get MD5 out of our internet protocols

Drupal – Insecure Update Process, has been known since 2012

Source: IOActive Labs Research: Drupal – Insecure Update Process

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality.

Issue #3: Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

2nd database with 56m records exposed due to misconfiguration, looks similar to breach with 191m records

Around the same time the first database was discovered a second, smaller database was also found by researcher Chris Vickery. This second database contains voter profiles similar to those previously discovered, however, it also includes records that hold targeted demographic information.

While the overall total of records is lower (56,722,986 compared to 191 million) it’s still a concerning figure, but this discovery took a steep downturn when more than 18 million records containing targeted profile information were added to the mix.

This second database has voter information from states that began with the letters A-I, but excluding Illinois and Iowa. The scattered information suggests the data was being added in stages, and the exposed database wasn’t intended for public disclosure.

What’s in the database?

The second database contains the general voter profile, which includes a voter’s name, address, phone number, date of birth, voting record, etc. In fact, comparing records from both databases confirmed they are essentially the same, but the dates on the second database are newer (April 2015) and some of the field names are different – suggesting the core data came from the same source file.

This source file has been previously identified by political experts as Nation Builder Election Center data. This is further supported by the existence of an nbec_precinct_code and a voter ID code consisting of 32 letters and numbers separated by dashes.

As mentioned in the first story, Nation Builder is under no obligation to identify customers, and once the data has been obtained, they cannot control what happens to it.

While the previously discovered voter database contained more records, this second database, though smaller, contains more information. The standout issue is that these additional data points are targeted towards building an issues-based profile of the voter. While that might be fine for any number of election campaigns, having this data exposed to the public is a goldmine for criminals.

The second database contains several fields for custom text. Depending on the record, some of them have answers, while others do not. There are also fields that flag the profile as being copied from another data source, and those that determine if the voter has been contacted. In addition, there are fields for determining if the voter is active and if they’re a donor.

Other fields include email address, something that wasn’t part of the larger voter database covered last week; as well as records focused on health issues, gun ownership, household values (e.g., religion / social issues), fishing and hunting interests, auto racing interests, longitude and latitude of the voter, income level, and occupation.

When it comes to overlap and additions to the basic voter file, the additional fields in this second database look at gender identification, political party affiliation, political contributions, religious affiliation and if they’re a religious donor, a field denoting bible lifestyle, as well as how many robocall (auto dialed) campaigns they’ve been part of.

Source: 18 million targeted voter records exposed by database error

Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.”

The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

“By introducing a technical input into an encryption product that would give the authorities access would also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services,” the paper noted. “This could have undesirable consequences for the security of information communicated and stored, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society.”

The formal position comes just months after the Dutch government approved a €500,000 ($540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library.

Source: Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

Database of 191 million U.S. voters exposed on Internet

An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday.

The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview.

Source: Database of 191 million U.S. voters exposed on Internet: researcher

Australian government urges holidaymakers to kill two-factor auth

The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: “Going overseas this summer? If you’re registered for myGov security codes make sure you turn them off before you go.”

The startling tweets come complete with professional cartoon graphics, clearly suggesting that rather than a civil servant going rogue on an idle afternoon, the advice was produced as a matter of policy.

Source: Australian government urges holidaymakers to kill two-factor auth

Because some people can’t receive SMS in foreign countries. This is a bad idea ™