Bug allows Hackers to open locked Biometric Fingerprint Doors


Researcher has uncovered various flaws in a Taiwan-based Chiyu Technology's fingerprint access controller which could allow hackers to easily open the locked doors.

The researcher, Maxim Rupp has said that the vulnerabilities allow the attacker to view and modify the existing configuration of the device without authentication by directly accessing known paths. 


The path (CVE-2015-2871) varies slightly depending on model and services available.

According to an advisory published on July 31, the paths for accessing communications, fingerprint and other setup pages vary depending on the model and the services that are available, CERT/CC.

“It has identified models BF-660C, BF-630, BF-630W as being vulnerable; other models may also be vulnerable. The CERT/CC has been unable to verify this information with the vendor. The CVSS score below is based on CVE-2015-2871,” the advisory read.

According to a story published in SecurityWeek, the researcher said that by gaining access to the controller’s fingerprint setup page, an attacker could modify settings, such as “security level” and “sensitivity,” to make it easier to open the door protected by the device. An attacker can also change the device’s network settings and disconnect it from the targeted organization’s network.

“The researcher has also found that some of the vulnerable biometric devices are accessible via the Internet, which allows an attacker to exploit the weakness remotely. An attacker might be able to carry out other actions as well once he gains access to the controller’s configuration pages, but the expert says he hasn’t conducted further tests,” the report read.

The researcher said that there were several other companies that which sold the same devices under a different brand.

The flaws were reported by the researcher to Chiyu Technology via CERT/CC on May 29. CERT/CC. However, the company concerned has not managed to get in touch with the manufacturer.

It is still unclear that when the company will fix the flaws in the fingerprint access controller.

Antivirus software maker Bitdefender hacked, customers data leaked


It has been proved that no one is safe here from hackers. Even the security firms, which are supposed to protect us, get hacked.

Recently, an award-winning antivirus software maker and security software company has been hacked.

As per news reports, Bitdefender customers’ usernames and passwords leaked during the attack. It has confirmed that its system was breached following rumors that someone was holding the Romanian firm to ransom. The company has failed to encrypt its customers’ login details.

After getting into the company’s information, the crooks demanded $15,000 in order to keep its customers’ details safe.

They threatened the company that they would reveal the swiped customer records. However, it is said that they have put some information online.

The company has informed that the issue has been solved and additional security measures have been taken to prevent its customers from hacking.

A password reset notice was sent to all potentially affected customers, representing less than 1 per cent of our SMB customers.

“This does not affect our consumer or enterprise customers. Our investigation revealed no other server or services were impacted. Bitdefender takes security of its customers very seriously and any issue that might involve the security of our customers or the security of our servers is treated with the utmost urgency and seriousness,” the company explained.

PagerDuty hacked, update your password by Monday

After almost a month, PagerDuty, which provides alerting, on-call scheduling, escalation policies and incident tracking to increase uptime of your apps, servers, websites and databases, has confirmed that it detected an unauthorized intrusion on July 9 by an attacker who gained access to some information about their customers.

The PagerDuty has asked its users to set new strong passwords at this time. The users that do not reset their password by Monday, August 3rd at 12:00pm Pacific Time will be automatically logged out of the website and will receive an email prompting them to reset their password. At no time will alert delivery be affected by this process.

It posted on July 30 that within a few hours of the intrusion, its team stopped the attack. A leading cyber security forensics firm has been hired to investigate the attack.

“We immediately took steps to mitigate the issue, including enhancing our monitoring and detection capabilities, and further hardening our environment,” the blog read.

According to the company concerned, it has not found any evidence that corporate, technical, financial, or sensitive end user information, including phone numbers, was exposed by this incident.

“We do not collect customers’ social security numbers and we do not store or have access to customer credit card numbers. This incident also had no impact on our ability to provide services to our customers. We also notified law enforcement and are cooperating fully with their investigation into this matter,” the company added.

The company said that as per its investigation, the attacker bypassed multiple layers of authentication and gained unauthorized access to an administrative panel provided by one of our infrastructure providers. With this access, they were able to log into a replica of one of PagerDuty’s databases. The evidence indicates that the attacker gained access to users’ names, email addresses, hashed passwords and public calendar feed URLs.

The company has recommend that its customers to reset calendar feed URLs and revoke and re-add access to any mobile devices linked to their PagerDuty account.

“PagerDuty will never ask for your password or other sensitive information via email,” the company said.

Moonpig hacked, Emial IDs, passwords compromised


The online personalized card company, Moonpig, has blocked an unspecified number of accounts of customers after users’ details were published online.

According to the company’s website, customers’ email addresses, passwords and account balance had been made public. However, they stress that the source of passwords was not their site, but from other online sites where users use similar passwords.

“As a precautionary measure, we promptly closed our Moonpig site and apps to help us investigate and contain this issue. Following these investigations, we now have strong evidence that the customer email addresses and passwords we identified were taken previously from other third party websites, and not directly from Moonpig.com."

"This data was then used to access the account balances of some of our Moonpig.com customers. As a reminder, we do not store full credit card information ourselves so this data was not accessible in any event.”

Moonpig  has contacted affected customers, and advised  them to  reset their passwords and ensure that they are not reusing the same passwords anywhere else on the net

Attackers can crash Your Android Device, says Trend Micro

 
Researchers from TrendLabs Security Intelligence have discovered a vulnerability in Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop) that could help an attacker to turn a phone “dead silent, unable to make calls, with a lifeless screen”.

Researchers have said that the flaw would cause phones to have no ring, text or notification sounds and be unable to make calls.

According to a post in its blog, “This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.”

The researchers said that the vulnerability was similar to the recently discovered Stagefright vulnerability. Both vulnerabilities were triggered when Android handles media files, although the way these files reached the user differs.

Researchers from Zimperium Mobile Security, a security firm, had discovered Stagefright in Android mobile operating system which they said to be the “worst Android vulnerabilities” to the date.

Though, the Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.

 “The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” the blog post read.

Although, the flaw was reported to the Google in May, the company concerned has been able to fix the issue.

Apple fixes a vulnerability in its App store and iTunes store


Apple Inc  has fixed a serious remote vulnerability in its App Store and iTunes Store web app that posed a significant risk to buyers, sellers or Apple website managers/developers.

The flaw, which was first uncovered by a security researcher from Vulnerability Lab, Benjamin Kunz Merjri on June 8, could allow an attacker to inject malicious script into invoices that come from Apple and that lead  to session hijacking, phishing, and redirect.

"The apple itunes and appstore is taking the device cell name of the buying users. Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the appstore or itunes-store." The security advisory reads.

"During that procedure the internal appstore service takes the device value and does encode it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented to the invoice. Thus results in an application-side script code execution in the invoice of apple.

Researchers said the vulnerability can be exploited by remote attackers with low privilege web-application user account with low or medium user interaction.

Following the disclosure of the vulnerability, the company fixed the flaw.

Your Android phones can be hacked with a single MMS message

Image Credits : Zimperium
 Researchers from Zimperium Mobile Security, a security firm, have discovered a bug dubbed Stagefright in Android mobile operating system which they said to be the “worst Android vulnerabilities” to the date.

Though, the Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.

“These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction,” a report posted in its blog.

The flaw can be exploited by sending a photo or video message to a person's smartphone, without any action by the receiver.

“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the researchers wrote.

After Stagefright had been invoked, which required no action from the victim, other data and apps on the handset could be accessed by the malicious code.

Once the researchers had discovered the flaw, they reported it to the Google, which produced a patch to fix the problem.

According to a report published in BBC, the Google said in statement that the vulnerability was identified in a laboratory setting on older Android devices, and as far as they know, no-one has been affected.

"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at Black Hat," the report read.

United States Census Bureau hacked by Anonymous hacktivists


A group of cyber activists who refer to themselves as 'Anonymous' have taken full credit for a cyber attack on a US Government website, which has led to a leak of several employee data.

Anonymous has taken credit for hacking the United States Census Bureau website and have published the data which includes names, telephone numbers, email addresses, addresses and the ranks of employees within the US Government. The breached and published data also consists of the much difficult but yet not impossible to crack password hashes.

Anonymous claims that the reason behind the hack is the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership which stands Numero Uno in the list of priorities for the American administration and claim a progressive reform in the politico-economic platform of the nation, by creating an alliance with the major Atlantic and Pacific nations. Despite of the numerous opposition the twin pact has gathered in this short period of time, Anonymous is the only group that has raised its opposition vocally.

However, the data breach is not one the most feared activities that the government could with at the moment, such as a massive data breach in the Office of Personnel Management; it is nonetheless embarrassing.

The US Census Bureau, in an emailed statement has confirmed the data breach and that a investigation has been initiated by the IT forensics team. The bureau spokesperson has launched a statement that none of the stolen data 'confidential'.

Now a more lucid investigation can only tell if the data that is being published online is a federal threat or not.

Hacked documents: Headache of U.S. officials

United States officials are now worried about the hacked data may put their spies at risk. The hacked documents by the Chinese hackers has become a headache for the U.S. officials as they believe  Chinese government could use the stolen records of millions of federal workers and contractors to piece together the identities of intelligence officers secretly posted in China over the years.

However, some officials in the President Obama administration said that the theft was not as damaging as it might have been because the Chinese hackers did not gain access to the identities of American undercover spies.

Similarly, it is still unclear that how Chinese officials were using or might use the stolen files, which include personal information gathered during background checks of government workers.

According to a news report published in NYTimes, it would be a significant setback for intelligence agencies already concerned that a recent data breach at the Office of Personnel Management is a major windfall for Chinese espionage efforts.

In the days after the breach of records of millions of federal workers and contractors became public last month.

The C.I.A. officials said intelligence agencies were taking steps to try to mitigate the damage however, it is not clear what are they doing.

According to the news report, “The information that was exfiltrated was valuable in its own right,” said Representative Adam B. Schiff of California, the top Democrat on the House Intelligence Committee. “It’s even more compromising when it is used in combination with other information they may hold. It may take years before we’re aware of the full extent of the damage.”

“The C.I.A. and other agencies typically post their spies in American embassies, where the officers pose as diplomats working on political affairs, agricultural policy or other issues,” the report read.

It is said that even if the identities of the agency officers were not in the personnel office’s database, Chinese intelligence operatives could run searches through the database on everyone granted visas to work at American diplomatic outposts in China.

During an interview, the director of the National Security Agency, Adm. Michael S. Rogers, “From an intelligence perspective, it gives you great insight potentially used for counterintelligence purposes,”


 “If I’m interested in trying to identify U.S. persons who may be in my country — and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose?  There are interesting insights from the data you take from O.P.M,” he added.

Microsoft provides urgent security fix for Windows

Microsoft has recently provided a security fix for its Windows operating systems to plug a lapse in security that allowed hackers access to a victims computer.

Microsoft has said that the vulnerability present in their operating system would have allowed a hacker to gain complete access to an affected computer.

The vulnerability is present in Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT. These operating systems represent two out of three computers in the world that run a Microsoft operating system.

The company had previously provided an update like this in November 2014 also.

The flaw is said to exist in the final version of Windows 10 also that will be available to users from July 29.

The security fix will be done through Windows Update