Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now we’ve seen the first case of crooks exploiting the design flaws to line their pockets with victims’ cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

Source: After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found.

In a stunning show of poor security, the Austin, Texas-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords
[…]
The database was exposed because of the company’s own insecure server and use of “rsync,” a common protocol used for synchronizing copies of files between two different computers, which wasn’t protected with a password.

Source: A database of thousands of credit cards was left exposed for months

Oh dear, clear text passwords and non-protected rsync transfers 🙁

Bruce66423 brings word that a terrorist’s WhatsApp message has been decrypted “using techniques that ‘cannot be disclosed for security reasons’, though ‘sources said they now have the technical expertise to repeat the process in future.'” The Economic Times reports:
U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood’s message was achieved by what has been described by security sources as a use of “human and technical intelligence”…

Slasdot

On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol—which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks—are common and usually the result of human error. While it’s possible Wednesday’s five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident “curious” to engineers at network monitoring service BGPmon. What’s more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Source: Russian-controlled telecom hijacks financial services’ Internet traffic

The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.

To test the vulnerability for yourself, the bug report suggests the following:

Create a serialised object whose payload is a command executed by running the payload.jar script;
Change the Python script jenkins_poc1.py to adjust the target target URL, and open your payload file.

Source: Jenkins admin? Get buzzy patching, says Cloudbees

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.

The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

Source: Remote security exploit in all 2008+ Intel platforms – SemiAccurate

Oh shit.

You can download a detector here from Intel

Neatgear has cocked up its cloud management service, losing data stored locally on ReadyNAS devices’ shared folders worldwide – and customers have complained to The Register about only being informed four weeks later.

This week, the San Jose-based networking business sent an email to customers, seen by The Register, confirming that an “outage” affecting ReadyCLOUD, the free service for its network attached storage offering, caused the storage systems to disconnect from the cloud service and be marked as deleted at the end of March.

Compounding the issue, as part of a clean-up process, Netgear decided that when a ReadyCloud account is marked as closed, the NAS holding that account’s home folder should be deleted along with all of the data it was holding.

As one user complained to The Register: “In practice, accounts are generally deleted from the NAS admin screen by the user and a big warning flashes up to tell you that all data will be deleted. In this case, as the glitch was server side, no warning was presented and loads of people found that their home folders and data had mysteriously been deleted, by the looks of it, at the command of Netgear.”

Source: Netgear says sorry four weeks after losing customer backups