Tag Archives: vulnerability

[ISN] Researcher says he can hack GM’s OnStar app, open vehicle, start engine

http://venturebeat.com/2015/07/30/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine/ By Bernie Woodall in Detroit and Jim Finkle in Boston Reuters July 30, 2015 BOSTON/DETROIT (Reuters) – A researcher is advising drivers not to use a mobile app for the General Motors OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities. Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Critical BIND denial-of-service flaw could disrupt large portions of the Internet

http://www.computerworld.com/article/2955005/security/critical-bind-denialofservice-flaw-could-disrupt-large-portions-of-the-internet.html By Lucian Constantin IDG News Service July 30, 2015 Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The Domain Name System is the Internet’s phone book. It’s used to convert domain and host names into numerical Internet Protocol (IP) addresses that computers need to communicate with each other. The DNS is made up of a global network of servers and a very large number of them run BIND, a software package developed and maintained by a nonprofit corporation called the Internet Systems Consortium (ISC). The vulnerability, announced and patched by ISC Tuesday, is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] GAO: Defense installation utilities at risk of cyber attack

http://www.militarytimes.com/story/military/2015/07/24/utility-cyber-attack/30615033/ By Andrew Tilghman Staff writer Military Times July 25, 2015 The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber-attacks, putting many bases at risk for a “serious mission-disabling event,” a new Government Accountability Office report says. A recent GAO investigation identified a disturbing vulnerability in the military’s network of “industrial control systems,” the computers that monitor or operate physical utility infrastructure. For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO. That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] GAO: Defense installation utilities at risk of cyber attack

http://www.militarytimes.com/story/military/2015/07/24/utility-cyber-attack/30615033/ By Andrew Tilghman Staff writer Military Times July 25, 2015 The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber-attacks, putting many bases at risk for a “serious mission-disabling event,” a new Government Accountability Office report says. A recent GAO investigation identified a disturbing vulnerability in the military’s network of “industrial control systems,” the computers that monitor or operate physical utility infrastructure. For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO. That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Adobe to patch second Hacking Team Flash zero-day bug

http://www.computerworld.com/article/2947273/malware-vulnerabilities/adobe-to-patch-second-hacking-team-flash-zero-day-bug.html By Gregg Keizer Computerworld July 11, 2015 Adobe next week will patch a second zero-day vulnerability found in the leaked documents from the Hacking Team, a controversial Italian company that sells surveillance software and exploits to governments, Adobe said late Friday. Computerworld’s Best Places to Work in IT 2015: Company Listings The complete listings: Computerworld’s 100 Best Places to Work in IT for 2015 A compact list of the 56 large, 18 midsize and 26 small organizations that ranked as Computerworld’s READ NOW The flaw will be patched this coming week; Adobe did not set a release date for the fix. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe noted in an advisory. The vulnerability was the second uncovered in the gigabytes of documents leaked after attackers compromised the Hacking Team’s network and pilfered emails, financial information and contracts from the firm’s systems. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html By Dave Foreman, ECS, Practice Director Bob’s Guide July 6, 2015 Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Evil Wi-Fi captive portal could spoof Apple Pay to get users’ credit card data

http://arstechnica.com/security/2015/06/evil-wifi-captive-portal-could-fool-users-into-giving-up-apple-pay-data/ By Sean Gallagher Ars Technica June 4, 2015 Researchers at Wandera, a mobile security company, have alerted Apple to a potential security vulnerability in iOS that could be used by attackers to fool users into giving up their credit card data and personal information. The vulnerability, based on the default behavior of iOS devices with Wi-Fi turned on, could be used to inject a fake “captive portal” page that imitates the Apple Pay interface. The attack leverages a well-known issue Ars has reported on in the past: iOS devices with Wi-Fi turned on will attempt by default to connect to any access point with a known SSID. Those SSIDs are broadcast by “probe” messages from the device whenever it’s not connected to a network. A rogue access point could use a probe request capture to masquerade as a known network, and then throw up a pop-up screen masquerading as any web page or app. The Wandera attack uses this behavior to get a mobile device to connect and then presents a pop-up portal page—the type usually used when connecting to a public WiFi service to present a Web-based login screen—that is designed to resemble an Apple Pay screen for entering credit card data. The attack could be launched by someone nearby a customer who has just completed or is conducting an Apple Pay transaction so that the user is fooled into believing Apple Pay itself is requesting that credit card data is reentered. An attacker could loiter near a point-of-sale system with an Apple Pay terminal and continuously launch the attack. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Apple vulnerability could allow firmware modifications, researcher says

http://www.networkworld.com/article/2929173/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html By Jeremy Kirk IDG News Service June 1, 2015 A zero-day software vulnerability in the firmware of older Apple computers could be used to slip hard-to-remove malware onto a computer, according to a security researcher. Pedro Vilaca, who studies Mac security, wrote on his blog that the flaw he found builds on previous ones but this one could be far more dangerous. Apple officials could not be immediately reached for comment. Vilaca found it was possible to tamper with an Apple computer’s UEFI (unified extensible firmware interface). UEFI is firmware designed to improve upon BIOS, which is low-level code that bridges a computer’s hardware and operating system at startup. The UEFI code is typically sealed off from users. But Vilaca wrote that he found the code is unlocked after a computer goes to sleep and reawakens, allowing it to be modified. Apple computers made before mid-2014 appear to be vulnerable. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail