Tag Archives: exploits

[ISN] NIST outlines guidance for security of copiers, scanners

http://gcn.com/articles/2015/02/25/nist-replication-device-security.aspx
By GCN Staff
Feb 25, 2015

The National Institute of Standards and Technology announced its internal report 8023: Risk Management for Replication Devices is now available. The guidance covers protecting the information processed, stored or transmitted on replication devices (RDs), which are devices that copy, print or scan documents, images or objects. Because today’s RDs have the characteristics of computing devices (storage, operating systems, CPUs and networking) they are vulnerable to a number of exploits, NIST said. Among the threats to RDs are: […]





[ISN] The tooth gnashing you hear is from Flash users installing a new 0day patch

http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
By Dan Goodin
Ars Technica
Jan 26 2015

Adobe Systems is once again rolling out an emergency Flash update that patches a critical vulnerability under active attack to compromise the computers of unsuspecting users. The latest Flash versions fix a remote code-execution bug that, as Ars reported last week, recently came under attack in the Angler exploit kit. Malware purveyors and other types of online crooks use such kits to seed compromised websites with attack code. Once people visit the sites with vulnerable computers, the booby-trapped pages surreptitiously exploit the vulnerabilities and install backdoors that can be used to log keystrokes, steal passwords, and install new pieces of malware at will.

An advisory Adobe published late last week warned that the bug resides in versions running on Windows, Macs, and Linux systems. So far, reports suggest that in-the-wild exploits are limited only to Windows systems. The vulnerability stems from a so-called use-after-free bug that allows attackers to corrupt the memory of affected computers. Trend Micro has additional technical details here.

“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh,” the Adobe advisory stated. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.” […]



[ISN] Hacker Says Attacks On ‘Insecure’ Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage

http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
By Thomas Fox-Brewster
Forbes Staff
1/15/2015

Corey Thuen has been braving the snow and sub-zero temperatures of Idaho nights in recent weeks, though any passerby would have been perplexed by a man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at such an ungodly hour. He hasn’t been doing repairs, however. Quite the opposite. Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled Remote Control Automobiles, has been figuring out how he might hack the vehicle’s on-board network via a dongle that connects to the OBD2 port of his pickup truck.

That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It’s used in more than two million vehicles in the US. But it’s wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims.

It’s long been theorised that such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses; previous attacks via dongles either didn’t name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.

But he hasn’t gone as far to actually mess with the controls of his Toyota. By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits, he told Forbes. “Controlling it wasn’t the focus, finding out if it was possible was the focus.” […]



[ISN] Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

http://www.theregister.co.uk/2015/01/06/former_ms_bug_bounty_program_developer_forced_into_paris_laptop_decryption/
By John Leyden
The Register
6 Jan 2015

Paris airport security went one step further than simply asking a security expert to power up her laptop – they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft’s Bug Bounty Program, was en route back to the US from the CCC hacking conference. She complied with the request in order not to miss her flight.

The computer never left her possession and the security agent never fully explained the request, according to Moussouris, and there’s no question that HackerOne customers’ vulnerability reports were exposed – no exploits were stored on the device. Nonetheless, the incident at Charles de Gaulle airport has sparked a lively debate among privacy and security advocates. Moussouris has put together a blog post explaining her experience: […]



[ISN] Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/
By Dan Goodin
Ars Technica
Dec 8 2014

Some of the world’s leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veteran’s Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers.

The attacks are a variation on the so-called POODLE exploits disclosed two months ago against secure sockets layer (SSL), an encryption protocol similar to transport layer security (TLS). Short for “Padding Oracle On Downgraded Legacy Encryption,” POODLE allowed attackers monitoring Wi-Fi hotspots and other unsecured Internet connections to decrypt HTTPS traffic encrypted by the ancient SSL version 3. Browser makers quickly responded by limiting or eliminating use of SSLv3, a move that appears to have averted widespread exploitation of the bug.

On Monday, word emerged that there’s a variation on the POODLE attack that works against widely used implementations of TLS. At the time this post was being prepared, SSL Server Test, a free service provided by security firm Qualys, showed that some of the Internet’s top websites—again, a list including Bank of America, VMware, the US Department of Veteran’s Affairs, and Accenture—are susceptible. The vulnerability was serious enough to earn all sites found to be affected a failing grade by the Qualys service. […]



[ISN] Unscheduled Windows update kills critical security bug under active attack

http://arstechnica.com/security/2014/11/unscheduled-windows-update-kills-critical-security-bug-under-active-attack/
By Dan Goodin
Ars Technica
Nov 18 2014

Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers. A flaw in the Windows implementation of the Kerberos authentication protocol allows attackers with credentials for low-level accounts to remotely hijack extremely sensitive Windows domain controllers that allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks.

“The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain,” Microsoft engineer Joe Bialek wrote in a blog post accompanying Thursday’s patch. “An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately.”

The patch came on the same day that security research firm NSS Labs reported recently discovering reliable attacks in the wild that exploit security holes patched by MS14-064, an update released last week. The exploits use proof-of-concept code also released last week to install unspecified malware on vulnerable computers, NSS said. […]



[ISN] iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own

http://arstechnica.com/security/2014/11/iphone-galaxy-s5-nexus-5-and-fire-phone-fall-like-dominoes-at-pwn2own/
By Dan Goodin
Ars Technica
Nov 12 2014

An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all hijacked by whitehats on the first day of an annual hacking contest that pays hefty cash prizes for exploits bypassing security sandbox perimeters.

Day one of the Mobile Pwn2Own competition at the PacSec conference in Tokyo repeated a theme struck over and over at previous Pwn2Own events. If a device runs software, it can be hacked—regardless of claims made by marketers or fans. Organized by the Hewlett-Packard-owned Zero Day Initiative and sponsored this year by Google and Blackberry, Mobile Pwn2Own awards as much as $150,000 for the most advanced hacks, with a total prize pool of $425,000. In exchange, contestants agree to turn over technical details to the organizer and keep them confidential until the underlying vulnerabilities have been patched.

During the first day, according to this HP blog post, the following hacks took place: […]



[ISN] Feds examining medical devices for fatal cybersecurity flaws

http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/
By David Kravets
Ars Technica
Oct 23 2014

It was an eerie tale. Former US Vice President Dick Cheney announced last year that he disabled the wireless function of the implanted heart defibrillator amid fears it could be exploited by terrorists wanting to kill him.

Cheney’s announcement put a face to the fear of possible medical-device hacking exploits, and researchers and the federal government were slowly realizing there were genuine vulnerabilities associated with these implanted devices. They are equipped with computerized functions and wireless capabilities that allow the devices to be administered without requiring additional surgery, and therefore they could be vulnerable to hacker exploit.

Cheney’s move may have seemed far-fetched, but his paranoia is being confirmed, as the Department of Homeland Security is now probing potential cybersecurity flaws in certain medical devices.

“The Department of Homeland Security’s (DHS) Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) works directly with the Food and Drug Administration (FDA) and medical devices manufacturers, health care professionals, and facilities to investigate and address cyber vulnerabilities. DHS actively collaborates with public and private sector partners every day to identify and reduce adverse impacts on the nation’s critical cyber systems,” DHS spokesman S.Y. Lee wrote Thursday to Ars. […]

