Smart alarms left 3 million cars vulnerable to hackers who could turn off motors, unlock doors remotely

Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine.

The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday.

The problems were found in alarm systems made by Viper and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands. Like other smart devices, smart car alarms offer people convenience, allowing owners to find their cars from a distance and unlock their doors from their phones.

Pen Test Partners said it reached out to Viper and Pandora in late February and the companies fixed the security issues in less than a week. They had discovered the flaws last October.

Source: Smart alarms left 3 million cars vulnerable to hackers who could turn off motors – CNET

Freelance devs: Oh, you wanted the app to be secure? The job spec didn’t mention that

Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all.

Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn’t do so securely unless asked, and even then didn’t always get it right.

The scientists speculated that because the surveyed students knew they were taking part in a study, then they didn’t make security a priority. So they modified the experiment to test whether developers unaware that they were participating in a study did any better.

The eggheads – Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel von Zezschwitz, and Matthew Smith – describe their findings in a paper titled, “‘If you want, I can store the encrypted password.’ A Password-Storage Field Study with Freelance Developers.”

Their paper is scheduled to be presented at the CHI Conference on Human Factors in Computing Systems Proceedings, which runs from May 4–9, 2019, in Glasgow, Scotland.

Posing as a client trying to build a social networking site, the researchers hired 43 developers for either €100 (~$112) or €200 (~$225) from Freelancer.com to help them create a portion of the fictitious project, the site’s registration system.

Ethics

The deception was approved by the university’s Research Ethics Board and study participants were told after the conclusion of the research that they could withdraw from the study if they wished. None did and only one declined to answer the post-job questionnaire.

The freelancers were hired to work in Java and took anywhere from one to five days to complete the assigned task. Those hired ranged from 22 to 68 years in age (median: 29; mean: 30.34) and 39 of the 43 reported being male. All but two said they’d been programming for at least two years and in Java for at least one year. Most were not fluent in English.

The study confirms previous findings that if you want security, you won’t get it by default; you have to ask for it. “Our sample shows that freelancers who believe they are creating code for a real company also seldom store passwords securely without prompting,” the paper says.

The boffins also found many of the freelancers misunderstood that encryption, hashing and encoding are different things. “We found a number of freelancers were reducing password storage security to a visual representation and thus using Base64 as their preferred method to ensure security,” the paper says. “Additionally, encryption and hashing were used as synonyms, which was often reflected by the freelancers’ programming code.”

Another finding consistent with the student research is that many freelancers (16 in this instance) submitted code copied from the internet.

Source: Freelance devs: Oh, you wanted the app to be secure? The job spec didn’t mention that • The Register
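The mistakes the study describes (Base64 as "security", hashing and encryption used as synonyms) next to what a salted, iterated password hash looks like, as an added example that is not the study's code or any freelancer's submission. It uses only Python's standard library; the sample password and the record format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for the demo; not taken from the study.
SAMPLE_PASSWORD = "correct horse battery staple"


def store_base64(password: str) -> str:
    """The anti-pattern the study found: Base64 is an encoding, not protection.
    Anyone who can read the user table reverses it with one call."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_base64(stored: str) -> str:
    """Shows why Base64 'storage' is equivalent to plaintext."""
    return base64.b64decode(stored).decode("utf-8")


def store_unsalted_sha256(password: str) -> str:
    """One-way, but unsalted and fast: equal passwords share a digest and
    precomputed tables apply, so this is still not acceptable storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Iteration count chosen to make each guess deliberately expensive.
PBKDF2_ITERATIONS = 600_000


def store_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard
    library). Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt is drawn unless one is supplied (supplied only in tests)."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def classify_record(record: str) -> str:
    """Review helper: what kind of value is sitting in a 'password' column?
    Heuristic only; the order matters because a hex digest is also valid Base64."""
    if record.startswith("pbkdf2_sha256$"):
        return "salted iterated hash"
    if len(record) == 64 and all(c in "0123456789abcdef" for c in record):
        return "bare hex digest (unsalted hash)"
    try:
        decoded = base64.b64decode(record, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "unknown"
    return "reversible encoding" if decoded.isprintable() else "unknown"
```

`classify_record` is the kind of quick triage a reviewer can run over a handful of rows from a delivered registration system before reading the code.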

From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic, if you shout!

Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations.

For a study titled “Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone,” computer scientists Andrew Kwong, Wenyuan Xu, and Kevin Fu describe an acoustic side-channel that can be accessed by measuring how sound waves make hard disk parts vibrate.

“Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech,” their paper, obtained by The Register ahead of its formal publication, stated. “These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive.”

The team’s research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it’s possible to alter HDD firmware to measure the offset of a disk drive’s read/write head from the center of the track it’s seeking.

The offset is referred to as the Positional Error Signal (PES) and hard drives monitor this signal to keep the read/write head in the optimal position for reading and writing data. PES measurements must be very fine because drive heads can only be off by a few nanometers before data errors arise. The sensitivity of the gear, however, means human speech is sufficient to move the needle, so to speak.

“These extremely precise measurements are sensitive to vibrations caused by the slightest fluctuations in air pressure, such as those induced by human vocalizations,” the paper explained.

Vibrations from HDD parts don’t yield particularly good sound, but with digital filtering techniques, human speech can be discerned, given the right conditions.

Flashing HDD firmware is a prerequisite for the snooping, the paper says, because the ATA protocol does not expose the PES. This could be accomplished through traditional attack techniques – binary exploitation, drive-by downloads, or phishing – or by intercepting HDDs somewhere in the supply chain and modifying them. The researchers point to the Grayfish malware attributed to the Equation Group as an example.

[…]

One limiting aspect of the described technique is that it requires a fairly loud conversation in the vicinity of the eavesdropping hard drive. To record comprehensible speech, the conversation had to reach 85 dBA, with 75 dBA being the low threshold for capturing muffled sound. To get Shazam to identify recordings captured through a hard drive, the source file had to be played at 90 dBA. Which is pretty loud. Like lawn mower or food blender loud.

The researchers acknowledge this is louder than most practical scenarios but they say they “expect that an attacker using state of the art filtering and voice recognition algorithms can substantially amplify the channel’s strength.”

While the growing popularity of solid state drives diminishes the risk even further, there were still twice as many hard drives sold with PCs in 2017 as there were solid state drives, the researchers claimed.

[…]

They also note that their work may open future research possibilities, such as using a hard disk’s read/write head as a crude sounds generator to issue spoken commands to nearby connected speakers like Alexa, Google Home, and Siri.

Source: From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic • The Register

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to steal secrets and other data from running applications.

This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in users, to extract passwords, keys, and other data from memory. An attacker therefore requires some kind of foothold in your machine in order to pull this off. The vulnerability, it appears, cannot be easily fixed or mitigated without significant redesign work at the silicon level.

Speculative execution, the practice of allowing processors to perform future work that may or may not be needed while they await the completion of other computations, is what enabled the Spectre vulnerabilities revealed early last year.

In a research paper distributed this month through pre-print service ArXiv, “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks,” computer scientists at Worcester Polytechnic Institute in the US, and the University of Lübeck in Germany, describe a new way to abuse the performance boost.

The researchers – Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar – have found that “a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem” reveals memory layout data, making other attacks like Rowhammer much easier to carry out.

The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior.

“We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes,” the researchers explain.

“The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments.”


Source: SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability • The Register

W3C approves WebAuthn as the web standard for password-free logins using FIDO2

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico.

The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

Killing the password

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” W3C CEO Jeff Jaffe said in a statement. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

Although the W3C hasn’t adopted its own creation yet, WebAuthn is already implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now that WebAuthn is an official standard, the hope is that other sites will jump on board as well, leading to more password-free logins across the web.

But it’s not just the web. The FIDO Alliance wants to kill the password everywhere, a goal it has been working on for years and will likely still be working on for years to come.

FIDO2

W3C’s WebAuthn recommendation is a core component of the FIDO Alliance’s FIDO2 set of specifications. FIDO2 is a standard that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. To help spur adoption, the FIDO Alliance provides testing tools and a certification program.

FIDO2 attempts to address traditional authentication issues in four ways:

  • Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
  • Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
  • Privacy: Because FIDO keys are unique for each internet site, they cannot be used to track users across sites.
  • Scalability: Websites can enable FIDO2 via an API call across all supported browsers and platforms on billions of devices consumers use every day.

“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” FIDO Alliance executive director Brett McDowell said in a statement. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”

Source: W3C approves WebAuthn as the web standard for password-free logins

Ready for another fright? Spectre flaws in today’s computer chips can be exploited to hide, run stealthy malware

Co-authored by three computer science boffins from the University of Colorado, Boulder in the US – Jack Wampler, Ian Martiny, and Eric Wustrow – the paper, “ExSpectre: Hiding Malware in Speculative Execution,” describes a way to compile malicious code into a seemingly innocuous payload binary, so it can be executed through speculative execution without detection.

Speculative execution is a technique in modern processors that’s used to improve performance, alongside out-of-order execution and branch prediction. CPUs will speculate about future instructions and execute them, keeping the results and saving time if they’ve guessed the program path correctly and discarding them if not.

But last year’s Spectre flaws showed that sensitive transient data arising from these forward-looking calculations can be exfiltrated and abused. Now it turns out that this feature of chip architecture can be used to conceal malicious computation in the “speculative world.”

The Boulder-based boffins have devised a way in which a payload program and a trigger program can interact to perform concealed calculations. The payload and trigger program would be installed through commonly used attack vectors (e.g. trojan code, a remote exploit, or phishing) and need to run on the same CPU. The trigger program can also take the form of special input to the payload or a resident application that interacts with the payload program.

“When a separate trigger program runs on the same machine, it mistrains the CPU’s branch predictor, causing the payload program to speculatively execute its malicious payload, which communicates speculative results back to the rest of the payload program to change its real-world behavior,” the paper explains.

The result is stealth malware. It defies detection through current reverse engineering techniques because it executes in a transient environment not accessible to static or dynamic analysis used by most current security engines. Even if the trigger program is detected and removed the payload code will remain operating.

There are limits to this technique, however. Among other constraints, the malicious code can only consist of somewhere between one hundred and two hundred instructions. And the rate at which data can be obtained isn’t particularly speedy: the researchers devised a speculative primitive that could decrypt 1KB of data and exfiltrate it at a rate of 5.38 Kbps, assuming 20 redundant iterations to ensure data correctness.

Source: Ready for another fright? Spectre flaws in today’s computer chips can be exploited to hide, run stealthy malware • The Register

Amazon Ring Doorbell allows people to eavesdrop with video and even insert footage

Plaintext transmission of audio/video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit traffic, effectively compromising home security (CVE-2019-9483).

[…]

We moved over to sniffing the application. Here we see a more sensible SIP/TLS approach, with pretty much all notifications, updates and information being passed via HTTPS. However, the actual RTP traffic seems plain!

The data seems sensible, and therefore we might be able to extract it. Using our handy videosnarf utility, we get a viewable MPEG file. This means anyone with access to incoming packets can see the feed! Similarly, we can also extract the audio G711 encoded stream.

[…]

Capturing the Doorbell feed is already great, but why stop there when we can inject our own? We developed a POC, whereby we first captured real footage in a so-called “recon mode”. Then, in “active mode” we can drop genuine traffic and inject the acquired footage. This hack works smoothly and is undetectable from within the app. In Mobile World Congress 2019, we publicly demonstrated the attack.

Image caption: Is it really Jesus at the door?

The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed. It would make for a particularly easy burglary. Spying on the doorbell allows for gathering of sensitive information – household habits, names and details about family members including children, all of which make the target an easy prey for future exploitation. Letting the babysitter in while kids are at home could be a potentially life threatening mistake.

Image caption: Are you sure about letting this killer clown in?

The main takeaway from this research is that security is only as strong as its weakest link. Encrypting the upstream RTP traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP transmission does not thwart stream interception. When dealing with such sensitive data like a doorbell, secure transmission is not a feature but a must, as the average user will not be aware of potential tampering.

Important note: Ring has patched this vulnerability in version 3.4.7 of the Ring app (without notifying users in the patch notes!). Please make sure to upgrade to a newer version ASAP, as the affected versions are still backward compatible and vulnerable.

Source: One Ring to rule them all, and in darkness bind them

Plain wrong: Millions of utility customers’ passwords stored in plain text by website builder SEDC

In September of 2018, an anonymous independent security researcher (who we’ll call X) noticed that their power company’s website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X’s inbox.

This was frustrating and insecure, and it shouldn’t have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC’s copyright notices in the footer of the local utility company’s website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC’s footer—and the same offer to email plain-text passwords—in more than 80 utility company websites.

Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.

Source: Plain wrong: Millions of utility customers’ passwords stored in plain text | Ars Technica

Comcast set mobile pins to “0000,” helping attackers steal phone numbers

A bad security decision by Comcast on the company’s mobile phone service made it easier for attackers to port victims’ cell phone numbers to different carriers.

Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers.

To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim’s Comcast account number could easily port the victim’s phone number to another carrier.

Source: Comcast set mobile pins to “0000,” helping attackers steal phone numbers | Ars Technica

Experts Find Serious Problems With Switzerland’s Online Voting System

Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack.

But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system’s design and about the transparency around the public test.

Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

“It is simply not the standard we would expect.”

“Most of the system is split across hundreds of different files, each configured at various levels,” Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England’s GCHQ intelligence agency, told Motherboard. “I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”

She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this.

“It is simply not the standard we would expect,” she told Motherboard.

Even if the system is designed securely in principle, for it to operate securely in practice, each of its many parts has to be configured correctly or risk creating vulnerabilities that would let an attacker subvert the system and alter votes.

Source: Experts Find Serious Problems With Switzerland’s Online Voting System

Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs

In a Twitter post on Wednesday, those behind the software project said a hand-tuned build of the version 6.0.0 HashCat beta, utilizing eight Nvidia GTX 2080Ti GPUs in an offline attack, exceeded the NTLM cracking speed benchmark of 100GH/s (gigahashes per second).

“Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours” using that hardware rig, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. “The eight character password is dead.”

Source: Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs • The Register
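The arithmetic behind "the eight character password is dead", carried a little further than the article: an added example (not from The Register or the HashCat project) that turns alphabet size, length and hash rate into worst-case exhaustion time and the minimum length a policy needs. One assumption is labelled in the code: that the quoted 100 GH/s figure is per card, so the eight-GPU rig runs at about 800 GH/s, which is the rate that reproduces the quoted "under 2.5 hours" for 95^8 candidates.

```python
GIGA = 10**9

# Alphabet sizes for common composition policies (ASCII).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}

# Figures from the article. Assumption (not stated on the page): the 100 GH/s
# benchmark is per card, so the eight-GPU rig runs at roughly 800 GH/s, which
# is what reproduces the quoted "under 2.5 hours" for 95^8 candidates.
QUOTED_RATE_HPS = 100 * GIGA
RIG_GPUS = 8
RIG_RATE_HPS = RIG_GPUS * QUOTED_RATE_HPS


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates a brute-force run must try to exhaust the space.
    NTLM is unsalted MD4 over the UTF-16LE password, so every candidate costs
    one cheap hash and one run cracks every user with that password at once."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, rate_hps: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return keyspace(alphabet, length) / rate_hps


def min_length_for(alphabet: int, rate_hps: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least target_seconds."""
    length = 1
    while seconds_to_exhaust(alphabet, length, rate_hps) < target_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit, one decimal place."""
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def policy_table(rate_hps: float, lengths=range(8, 15)) -> dict:
    """{(charset name, length): seconds} for every combination, for a policy review."""
    return {(name, n): seconds_to_exhaust(size, n, rate_hps)
            for name, size in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    for (name, n), secs in policy_table(RIG_RATE_HPS).items():
        print(f"{name:>20} len {n:2d}: {human(secs)}")
```

These are exhaustive-search worst cases; wordlist and rule-based attacks finish far sooner for human-chosen passwords, so the table is a floor for policy, not a guarantee.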

QNAP NAS user? You’d better check your hosts file for mystery anti-antivirus entries

Network attached storage maker QNAP’s customers have reported being hit by a mystery issue that disables software updates by hijacking entries in host machines’ hosts file.

The full effects are, as yet, unknown – but users have reported that the most visible symptom is that some 700 entries are added to the /etc/hosts file that redirect a bunch of requests to IP address 0.0.0.0.

This, said forlorn QNAP forum user ianch99, stopped his antivirus from updating by sinkholing all of the software’s requests to the vendor’s website. Others reported that the Taiwanese NAS appliance maker’s own MalwareRemover was borked, though it is not known whether these two things are linked.

“If you remove these entries, the update runs fine but they return after rebooting,” posted ianch99. So far the only cure appeared to be a script provided by QNAP itself, which one helpful Reddit user posted the link to after apparently being given it by one of the storage firm’s techies in live chat.

Other users publicly wondered about QNAP’s seeming reluctance to say anything about the issue, with a Reg reader telling us: “The wider QNAP-using population could perhaps do with a heads-up from your esteemed organ.”

QNAP failed to respond when The Register asked the company to comment on these goings-on, and has made no public statement at the time of writing.

A couple of years ago firmware from the Taiwanese headquartered biz was discovered to have a catastrophic bug that corrupted data on RAID drives during a rebuild “through faulty calculations”. It was eventually patched.

Source: QNAP NAS user? You’d better check your hosts file for mystery anti-antivirus entries • The Register
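A check for the symptom described above (hundreds of hostnames pointed at 0.0.0.0 in the hosts file, sinkholing a vendor's update traffic), as an added example that is not QNAP's script or anything from the forum thread. The hosts content and the vendor domain names are constructed for the demo; run it against the real file and re-run it after a reboot, since the entries reportedly come back.

```python
import ipaddress
from collections import Counter

# Constructed sample /etc/hosts content for the demo; the real hijack
# reportedly added some 700 such lines. Vendor names here are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.10    nas.local
0.0.0.0         update.example-av.com
0.0.0.0         download.example-av.com liveupdate.example-av.com
0.0.0.0         malware-remover.example.com
# trailing comment line
"""

# Addresses that make a name unreachable when it is mapped to them.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately point at loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname, line_number) for every mapping in a hosts file,
    ignoring comments, blank lines and lines that do not start with an address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower(), line_no


def find_sinkholed(text):
    """Return {hostname: (address, line_number)} for names that are pointed at a
    sinkhole address but are not the usual loopback aliases."""
    hits = {}
    for address, name, line_no in parse_hosts(text):
        if address in SINKHOLE_ADDRESSES and name not in LOCAL_NAMES:
            hits[name] = (address, line_no)
    return hits


def count_by_parent(hits):
    """Group flagged names by their last two labels so a mass hijack of one
    vendor's update domains stands out as a single large cluster."""
    parents = Counter(".".join(name.rsplit(".", 2)[-2:]) for name in hits)
    return dict(parents)


def is_hijacked(text, threshold=10):
    """Simple alarm: more than `threshold` sinkholed non-local names is far beyond
    what a hand-maintained hosts file normally contains."""
    return len(find_sinkholed(text)) > threshold


if __name__ == "__main__":
    found = find_sinkholed(SAMPLE_HOSTS)
    for name, (address, line_no) in sorted(found.items()):
        print(f"line {line_no}: {name} -> {address}")
    print("clusters:", count_by_parent(found), "hijacked:", is_hijacked(SAMPLE_HOSTS))
```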

Android phones can be hacked remotely by viewing malicious PNG image

Your Android could be pwned by simply viewing an innocent-looking image – be it from browsing the internet or an image received via text – according to the Android Security Bulletin issued this month. While this certainly doesn’t apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids – those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0).

The latest bulletin lists 42 vulnerabilities in total – 11 of which are rated as critical. The most severe critical flaw is in Framework; it “could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates become available. But let’s get real: Even if your Android still receives security updates, there’s no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

Source: Android phones can be hacked remotely by viewing malicious PNG image | CSO Online

The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.

Source: https://source.android.com/security/bulletin/2019-02-01.html

Unsecured MongoDB databases expose Kremlin’s single username / password backdoor into Russian businesses

A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.

The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.

Any hacker who noticed the account could have used it to gain access to sensitive information from thousands of companies operating in Russia.

“The first time I saw these credentials was in the user table of a Russian Lotto website,” Victor Gevers told ZDNet in an interview today. “I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions.”

The researcher says that after his initial finding, he later found the same “admin@kremlin.ru” account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia.

Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.

Kremlin credentials found in the internet-exposed database of a Russian lotto agency

Image: Victor Gevers

Kremlin credentials found in the internet-exposed database of Disney Russia

Image: Victor Gevers

Gevers even found this account inside a leaky MongoDB database belonging to Ukraine’s Ministry of Internal Affairs that was holding details about ERDR investigations carried out by the country’s General Prosecutor’s Office into corrupt politicians.

This latter case was very strange because, at the time, the Russian-Ukrainian conflict had already been raging for at least two years.

Kremlin credentials found in the internet-exposed database of a Ukrainian ministry

Image: Victor Gevers

Gevers, who at the time was the Chairman of the GDI Foundation, is one of the world’s top white-hat hackers. His research didn’t include digging through companies’ logs to see what this account was used for, so it’s currently unknown if the Russian government used this account only to retrieve financial-related information or they actively altered data.

“We have been searching for open MongoDB for years,” Gevers told ZDNet. “When we investigate a MongoDB instance, we try to respect privacy as much as possible by limiting the search for breadcrumbs such as the owner’s email addresses to a minimum.”

“All the systems this password was on were already fully accessible to anyone,” Gevers said. “The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access.”

Source: Unsecured MongoDB databases expose Kremlin’s backdoor into Russian businesses | ZDNet

European Commission orders mass recall of creepy, leaky child-tracking Enox smartwatch

The latest weekly report includes German firm Enox’s Safe-KID-One watch, which is marketed to parents as a way of keeping tabs on their little ones – ostensibly to keep them safe – and comes with one-click buttons for speed-dialling family members.

However, the commission said the device does not comply with the Radio Equipment Directive and detailed “serious” risks associated with the device.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data,” the directive said.

As a result, data on location history, phone numbers and device serial number can be found and changed.

“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” the alert warned.

Source: European Commission orders mass recall of creepy, leaky child-tracking smartwatch • The Register

Hi, Jack’d: A little PSA for anyone using this dating-hook-up app… Anyone can slurp your private, public snaps • The Register

Dating-slash-hook-up app Jack’d is exposing to the public internet intimate snaps privately swapped between its users, allowing miscreants to download countless X-rated selfies without permission.

The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi men chat each other up, exchange private and public pics, and arrange to meet.

Those photos, public and private, can, it appears, be accessed by anyone with a web browser who knows just where to look. As there is no authentication, no need to sign up to the app, and no rate limits in place, miscreants can download the entire image database for further havoc and potential blackmail.

You may well want to delete your images until this issue is fixed.

We’re told the developers of the application were warned of the security vulnerability three months ago, and yet no fix has been made. We’ve repeatedly tried to contact the programmers to no avail. In the interests of alerting Jack’d users to the fact their highly NSFW pictures are facing the public internet, we’re publishing this story today, although we are withholding details of the flaw to discourage exploitation.

Source: Hi, Jack’d: A little PSA for anyone using this dating-hook-up app… Anyone can slurp your private, public snaps • The Register

UAE used cyber super-weapon to spy on iPhones of foes

The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens.

Karma was used by an offensive cyber operations unit in Abu Dhabi comprised of Emirati security officials and former American intelligence operatives working as contractors for the UAE’s intelligence services. The existence of Karma and of the hacking unit, code named Project Raven, haven’t been previously reported. Raven’s activities are detailed in a separate story published by Reuters today.

The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

Source: Exclusive: UAE used cyber super-weapon to spy on iPhones of foes | Reuters

Defanged SystemD exploit code for security holes now out in the wild

In mid-January, Qualys, another security firm, released details about three flaws affecting systemd-journald, a systemd component that handles the collection and storage of log data. Patches for the vulnerabilities – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – have been issued by various Linux distributions.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software. In other words, malware running on a system, or rogue logged-in users, can abuse these bugs to gain administrator-level access over the whole box, which is not great in uni labs and similar environments.

Nick Gregory, a research scientist at Capsule8, explains in a blog post this week that his firm developed proof-of-concept exploit code for testing and verification: testing whether or not computers are at risk, and verifying that the patches work.

“There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory,” he said.

Manipulated

The exploit script, written in Python 3, targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image, and assumes that address space layout randomization (ASLR) is disabled. Typically, ASLR is not switched off in production systems, making this largely an academic exercise.

The script exploits CVE-2018-16865 via the alloca() function, which allocates the specified number of bytes of memory in the stack frame of the caller; because the size is attacker-influenced, it can be used to manipulate the stack pointer.

Basically, by creating a massive number of log entries and appending them to the journal, the attacker can overwrite memory and take control of the vulnerable system.

Source: The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild • The Register

Criminals Are Tapping into the Phone Network Backbone using known insecure SS7 to Empty Bank Accounts

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.

This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.

The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA),” The NCSC told Motherboard in a statement.

Source: Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts – Motherboard

Don’t Toss That Bulb, It Knows Your Password

As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain text, but recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

Source: Don’t Toss That Bulb, It Knows Your Password | Hackaday

Data Leak in Singapore Exposes HIV Status of 14,000 Locals and Foreign Visitors

Medical records and contact information belonging to thousands of HIV-positive Singaporeans and foreign visitors to the southeast Asian city state have been leaked online, according to an alert issued by the country’s Ministry of Health (MOH).

In a statement on its website, the ministry said the confidential health information of some 14,200 individuals diagnosed with HIV had been exposed.

“The information has been illegally disclosed online,” it said. “We have worked with the relevant parties to disable access to the information.”

Source: Data Leak in Singapore Exposes HIV Status of 14,000 Locals and Foreign Visitors

This is why we don’t like centralised medical databases

Apple temporarily disables group FaceTime to fix a bug that lets you eavesdrop on your contacts

There was chaos on the internet late last night after 9to5Mac discovered a bug in Apple’s FaceTime video calling app that let you hear the other person’s voice even before they answered your call. According to the report, a user running iOS 12.1 could potentially exploit the vulnerability to eavesdrop on others through a group FaceTime call.

What’s more, The Verge noted if the recipient ignored or dismissed the call using the power button, their video feed was streamed to the caller.

Source: Apple temporarily disables group FaceTime to fix a bug that lets you eavesdrop on your contacts

Tikkie: IBAN-numbers users exposed (Dutch)

The popular payment app Tikkie offers the option of transferring money to other Tikkie users based on their mobile (06) number. As a result, it was possible to retrieve the IBAN numbers of many unsuspecting Tikkie users, with the attendant risk of identity fraud and phishing.

This emerged from research by RTL Nieuws. ABN Amro confirms the vulnerability and has temporarily taken the new feature, Tikkie Pay, offline. “Thanks for the vigilance,” the spokesperson said.

IBAN numbers

Tikkie, which has 4 million users, used its new feature to show all users from your contact list who had linked their mobile number to Tikkie. You could tap a name, then transfer an amount, and cancel the Tikkie just before the transfer went through. In the description of the transfer you would then see the recipient’s IBAN number, without that person knowing anything about it.

Source: Privacy leak at Tikkie: users’ IBAN numbers viewable | RTL Nieuws

Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks

The Debian Project has patched a security flaw in its software manager Apt that can be exploited by network snoops to execute commands as root on victims’ boxes as they update or install packages.

The Linux distro’s curators have pushed out a fix to address CVE-2019-3462, a vulnerability uncovered and reported by researcher Max Justicz.

The flaw is related to the way Apt and apt-get handle HTTP redirects when downloading packages. Apt fetches packages over plain-old HTTP, rather than a more secure HTTPS connection, and uses cryptographic signatures to check whether the downloaded contents are legit and haven’t been tampered with.

This unfortunately means a man-in-the-middle (MITM) miscreant who was able to intercept and tamper with a victim’s network connection could potentially inject a redirect into the HTTP headers to change the URL used to fetch the package.

And the hacker would be able to control the hashes Apt uses to check the downloaded package, passing the package manager the legitimate values so that the fetched malware masquerades as sanctioned software.

All in all, users can be fed malware that’s run as root during installation, allowing it to commandeer the machine.

[…]

As an added wrinkle, Apt is updated by Apt itself. And seeing as the update mechanism is insecure, folks need to take extra steps to install the security fix securely. Admins will want to first disable redirects (see below) and then go through the usual apt update and upgrade steps.

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false
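The defensive principle behind this flaw, as an added illustration that is not code from The Register or from the Apt project: a package manager must hash the bytes it actually received and compare them with the hash recorded in signed repository metadata, never accept a hash value that arrives with the transfer. The index entry, package bytes and function names below are constructed for the example.

```python
import hashlib
import hmac

# Constructed package contents: what the signed index vouches for, and what a
# network attacker might substitute on the wire.
GENUINE_BYTES = b"constructed: genuine package bytes"
TAMPERED_BYTES = b"constructed: malicious package bytes"

# Constructed stand-in for one entry of a Packages index. In a real repository
# the index is covered by the signed Release file, so this hash is the only
# trustworthy statement of what the package bytes must be.
TRUSTED_INDEX = {
    "example-pkg_1.0_amd64.deb": hashlib.sha256(GENUINE_BYTES).hexdigest(),
}


def naive_accepts(filename, content, reported_hash, index):
    """Weak check: compares a hash *reported with* the transfer against the
    index and never hashes the bytes that actually arrived. Whoever controls
    the transfer can report the legitimate value while delivering other bytes."""
    del content  # deliberately ignored; this is the mistake being shown
    return reported_hash == index.get(filename)


def verify_against_index(filename, content, index):
    """Hardened check: hash the received bytes ourselves and compare with the
    signed index. A filename the index does not list is rejected outright, so a
    redirect to some other file name cannot substitute unsigned content."""
    expected = index.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected)


def demo():
    """Run both checks on a constructed tampered transfer that reports the
    legitimate hash while delivering different bytes."""
    name = "example-pkg_1.0_amd64.deb"
    legit_hash = TRUSTED_INDEX[name]
    return {
        "naive_accepts_tampered": naive_accepts(name, TAMPERED_BYTES, legit_hash, TRUSTED_INDEX),
        "hardened_accepts_tampered": verify_against_index(name, TAMPERED_BYTES, TRUSTED_INDEX),
        "hardened_accepts_genuine": verify_against_index(name, GENUINE_BYTES, TRUSTED_INDEX),
    }


if __name__ == "__main__":
    print(demo())
```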

Source: Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks • The Register

Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations – unsecured rsync

Last December, a whopping 3 terabytes of unprotected data from the Oklahoma Securities Commission was uncovered by Greg Pollock, a researcher with cybersecurity firm UpGuard. It amounted to millions of files, many on sensitive FBI investigations, all of which were left wide open on a server with no password, accessible to anyone with an internet connection, Forbes can reveal.

“It represents a compromise of the entire integrity of the Oklahoma department of securities’ network,” said Chris Vickery, head of research at UpGuard, which is revealing its technical findings on Wednesday. “It affects an entire state level agency. … It’s massively noteworthy.”

A breach back to the ’80s

The Oklahoma department regulates all financial securities business happening in the state. It may be little surprise there was leaked information on FBI cases. But the amount and variety of data astonished Vickery and Pollock.

Vickery said the FBI files contained “all sorts of archive enforcement actions” dating back seven years (the earliest file creation date was 2012). The documents included spreadsheets with agent-filled timelines of interviews related to investigations, emails from parties involved in myriad cases and bank transaction histories. There were also copies of letters from subjects, witnesses and other parties involved in FBI investigations.

[…]

Just as concerning, the leak also included email archives stretching back 17 years, thousands of social security numbers and data from the 1980s onwards.

[…]

After Vickery and Pollock disclosed the breach, they informed the commission it had mistakenly left open what’s known as an rsync server. Such servers are typically used to back up large batches of data and, if that information is supposed to be secure, should be protected by a username and password.

There were other signs of poor security within the leaked data. For instance, passwords for computers on the Oklahoma government’s network were also revealed. They were “not complicated,” quipped Chris Vickery, head of research on the UpGuard team. In one of the more absurd choices made by the department, it had stored an encrypted version of one document in the same file folder as a decrypted version. Passwords for remote access to agency computers were also leaked.

This is the latest in a series of incidents involving rsync servers. In December, UpGuard revealed that Level One Robotics, a car manufacturing supply chain company, was exposing information in the same way as the Oklahoma government division. Companies with data exposed in that event included Volkswagen, Chrysler, Ford, Toyota, General Motors and Tesla.

For whatever reason, governments and corporate giants alike still aren’t aware how easy it is for hackers to constantly scan the Web for such leaks. Starting with basics like passwords would help them keep their secrets secure.

Source: Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations