Flaw In the Amazon Echo; Allows Hackers to Listen In To Users’ Conversations





Security researchers from the Chinese tech giant Tencent as of late discovered a rather serious vulnerability in Amazon Echo. The vulnerability is termed serious on the grounds that it enables programmers to furtively tune in to users' conversations without their knowledge.

The researchers in a presentation which was given at the DEF CON security conference, named ' Breaking Smart Speakers: We are Listening to you,' and precisely explained as to how they could assemble a doctored Echo speaker and utilize that to gain access to other Echo devices.

'After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping. When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.'

Researchers utilized Amazon's Home Audio Daemon, which the device uses to communicate with other Echo devices on a similar Wireless connection, to ultimately control the users' speakers. Through which they could quietly record conversations or even play random sounds.

The attack though, is the first one that the researchers have distinguished a noteworthy security defect in a well-known smart speaker such as the Amazon Echo. The researchers have since informed Amazon of this security imperfection and the firm said it issued a software patch to the users' in July. They likewise note that it requires access to a physical Echo device.


In any case, Amazon and the researchers both warn that the technique distinguished is extremely modern and in all probability is easy for any average hacker to carry out. 'Customers do not need to take any action as their devices have been automatically updated with security fixes,' says an Amazon spokesperson.

Yet, some have brought up that the attack could also be carried out in regions where there are multiple Echo devices being utilized on the same network, the simplest example of it are the Hotels or Restaurants.

Nonetheless prior this year, researchers from University of California, Berkeley too recognized a defect where hackers could not only control prominent voice assistants such as, Alexa, Siri and Google Assistant but could also slip indiscernible voice commands into audio recordings which could further direct a voice assistant to do a wide range of things, that range from taking pictures to launching websites and making phone calls.


A Botnet Compromises 18,000 Huawei Routers




A cyber hacker, by the pseudonym Anarchy, claims to have made a botnet within 24 hours by utilizing an old vulnerability that has reportedly compromised 18, 000 routers of Chinese telecom goliath Huawei.

As indicated by a report in Bleeping Computer, this new botnet was first recognized in this current week by security researchers from a cyber-security organization called Newsky Security.

Following the news, other security firms including Rapid7 and Qihoo 360 Netlab affirmed the presence of the new danger as they saw an immense recent uptick in Huawei device scanning.
The botnet creator contacted NewSky security analyst and researcher Ankit Anubhav who believes that Anarchy may really be a notable danger who was already distinguished as Wicked.

The activity surge was because of outputs looking for devices that are vulnerable against CVE-2017-17215, a critical security imperfection which can be misused through port 37215. These outputs to discover the vulnerable routers against the issue had begun on 18 July.

While the thought processes have still not been clarified, the hacker revealed to Anubhav that they wished to make "the biggest and the baddest botnet in town...”
"It's painfully hilarious how attackers can construct big bot armies with known vulns," the security researcher later added.

The working endeavor code to compromise Huawei routers by utilizing this known defect was made public in January this year. The code was utilized as a part of the Satori and Brickerbot botnets, and also a series of variations which depended on the scandalous Mirai botnet, which is as yet going quite strong.


Vulnerability In HP Takes Into Consideration Remote Code Execution



Vulnerability has been found in HPE Integrated Lights-Out 4 (iLO 4) servers, which could take into consideration remote code execution. In spite of the fact that it was first discovered on February 2017, yet was released with patches in August 2017.

HPE iLO 4 is an embedded server management tool utilized for out-of-band administration. The fruitful exploitation of this vulnerability is said to bring about remote code execution or even at times authentication bypass, as well as extraction of plaintext passwords, addition of an administrator account, execution of malicious code, or replacement of iLO firmware.

This vulnerability in iLO cards can be utilized to break into numerous organizations' networks and perhaps access exceptionally delicate or restrictive data as these devices are, to a great degree prominent among the small and the large enterprises alike.

The trio of security researchers, who found the vulnerability CVE-2017-12542 a year ago, say that it can be exploited remotely, by means of an Internet connection, putting all iLO servers exposed online in danger.

Additionally including later that it is essentially a verification sidestep that permits attackers access to HP iLO consoles and this access can later be utilized to remove cleartext passwords, execute noxious code, and even supplant iLO firmware. Execution of the vulnerability requires the attacker to cURL to the influenced server, trailed by 29 "A" characters.

Researchers published two GIFs showing how easy are to bypass iLO authentication with their method, and how they were able to retrieve a local user's password in cleartext.



Extra subtle elements on the vulnerability and exploit code were as of late distributed in different open-source media reports, and a Metasploit module was also made accessible, altogether expanding the hazard to vulnerable systems.

In any case, iLO server proprietors do not have any reason to panic as since security research team found this vulnerability path back in February 2017 they notified HP with the assistance of the CERT division at Airbus.

What's more, as far as it concerns HP released patches for CVE-2017-12542 in August a year ago, in iLO 4 firmware version 2.54. System administrators who're in the propensity for frequently fixing servers are undoubtedly secured against this bug for quite a long time.


Adobe Patched Zero-Day Vulnerability




Adobe has recently issued a security update for Flash Player in order to fix a zero-day vulnerability that was exploited by attackers in the wild.

The Flash Player vulnerability (CVE-2018-5002), a stack-based buffer over-flow bug that could empower discretionary code execution, was taken care of on the seventh of June.

The weakness was found and independently made public to a few security firms significantly including the ICEBRG, Tencent, and two security divisions from Chinese digital security mammoth Qihoo 360. Tracked as CVE-2018-5002, it effectively impacts Adobe Flash Player 29.0.0.171 and its earlier versions although it was reported to be settled with the timely release of Flash Player 30.0.0.113.

 “It allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions,” said the researchers from ICEBRG's Security Research Team, who were the first to report the discovered vulnerability.

The exploit utilizes a cautiously developed Microsoft Office report to download and execute an Adobe Flash exploit to the victims' PC, as per ICEBRG analysts. The documents were sent basically through email, as per Adobe.

Both ICEBRG and Qihoo 360 discovered evidence that proposed that the exploit was focusing on Qatari victims, in light of the geopolitical interests.

“The weaponized document … is an Arabic language themed document that purports to inform the target of employee salary adjustments,” ICEBRG researchers said. “Most of the job titles included in the document is diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.”

As indicated by Will Dormann of CERT/CC, other than fixing the actual imperfection, Adobe likewise included an extra dialog window that inquires the users as to whether they want to stack remote SWF records inside Office documents or not. The incite relief additionally comes to settle an issue with Office applications, where Flash content is in some cases downloaded consequently, without provoking the user ahead of time.





A Command Injection Critical Vulnerability Discovered In DHCP




The Dynamic Host Configuration Protocol (DHCP) client incorporated in the Red Hat Enterprise Linux has been recently diagnosed with an order infusion vulnerability (command injection ), which is capable enough to  permit a vindictive mime proficient for setting up a DHCP server or generally equipped for satirizing DHCP reactions and responses on a nearby local network to execute summons with root benefits.

The vulnerability - which is denominated as CVE-2018-1111 by Red Hat - was found by Google engineer Felix Wilhelm, who noticed that the proof-of-exploit code is sufficiently little to fit in a tweet. Red Cap thinks of it as a "critical vulnerability", as noted in the bug report, demonstrating that it can be effectively misused by a remote unauthenticated attacker.

DHCP is utilized to appoint an IP address, DNS servers, and other network configuration ascribes to gadgets on a network. DHCP is utilized as a part of both wired and remote systems. Given that the necessities of utilizing this exploit are basically being on a similar network, this vulnerability would be especially concerned on frameworks prone to be associated with distrustful open Wi-Fi systems, which will probably influence Fedora clients on laptops.

Eventually, any non-isolated system that enables gadgets and various other devices to join without explicit administrator approval, which is ostensibly the purpose of empowering DHCP in any case, is at last a hazard.

This bug influences RHEL 6.x and 7x, and in addition to CentOS 6.x and 7.x, and Fedora 26, 27, 28, and Rawhide. Other operating frameworks based over Fedora/RHEL are probably going to be influenced, including HPE's ClearOS and Oracle Linux, as well as the recently interrupted Korora Linux. Since the issue identifies with a Network Manager Combination script, it is probably not going to influence Linux circulations that are not identified with Fedora or RHEL as they aren’t easily influenced.



Meltdown and Spectre: Breakdown of The recent CPU Security Bug




Much like how Icarus flew too close to the sun.In trying to catch up with Moors law the CPU's manufacturers have left open a serious vulnerability that will haunt us for years to come.

Whats the cause for the vulnerability ?

Almost all modern CPU's have a feature called "Speculative execution" which increases speed by predicting the path of a branch which is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed.

What is Meltdown and Spectre?

Both exploits abuse speculative execution to access "privileged memory" and allows a lower privilege user process to read them.

So why is this a big issue ?

One of the core security mechanisms is isolation of programs. Most programs run in an isolated space and they can only access their own data and information. This stops malicious programs from reading/modifying others. This vulnerability breaks this core security principle and since the vulnerability is in the hardware level any software patch is limited in capacity.

Essentially almost all the rules that protect programs in a computer from each other are now null and void.

How does this affect me ?

This would allow for any process in user memory.  For example, JavaScript running on a browser to read sensitive information in memory eg: sessions, passwords etc. This would also allow programs running in lower privileges to read kernel memory. Cloud service providers who heavily rely on isolation are also affected.

There are innumerable combinations of attacks possible due to this vulnerability. We will be seeing many more "exploits" that make use of this vulnerability for specific systems and programs in the future.
POC:







How are they different ?


Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Spectre is easier to fix than Meltdown.

Why is it called Meltdown?

The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

How do I know if I am vulnerable ?

Almost all Intel processor made since 1995 are vulnerable to Meltdown.

Almost all devices Desktops,Laptops,Smartphones etc are affected by Spectre. Vulnerability has been verified on AMD, Intel and ARM processors.

How do I patch ?

Please have a look at this great list that gizmodo provides:

https://gizmodo.com/check-this-list-to-see-if-you-re-still-vulnerable-to-me-1821780843

System Admins Please have a look at:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in (Requires powershell v5)

Verify that your AV is compatible with the patches:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

There have been reports that the patches have cause 10 - 30% reduction in speeds of systems (Which Intel Denies). We might to wait and watch for at least a week to get clarity on this issue.


A note to the security community:

It would be easy to blame the chipset manufacturers and point fingers at them. But we really dropped the ball on this one. What should have been found much much earlier has taken decades to come to light and now it is gonna affect us for years.

Why is that ?

Have all of us been too concentrated on OS,Application,Networking and Web level vulnerabilities that we have completely forgotten to check the base they all run on ?

I think all of us (Including me) should start to looking into how we can help to identify such vulnerabilities in the future.


We should also have a serious look into disclosure time-lines and practices . Who decides how to approach disclosure of such high impact vulnerabilities ? Yes I understand the logic that the "bigger" tech companies are given first priority so that majority of users are patched. But such a long drawn out time-line (This bug was found in June 2017, 6 months ago) seriously puts the small guys at risk as it increases the chances of one rouge person exploiting such vulnerabilities silently.

While the US CERT might have been aware of this vulnerability.Were regional CERT's like CERT-IN informed ? Why not ?

From reading the first set of advisories I can see that only "WESTERN" companies seems to have been aware of this vulnerability before Jan3rd. Why is that ? Does our industry have a bias ? Think on this.

https://meltdownattack.com/#faq-advisory


This also brings in ethically gray issues like this:
https://www.businessinsider.in/intel-was-aware-of-the-chip-vulnerability-when-its-ceo-sold-off-24-million-in-company-stock/articleshow/62359605.cms

Should our CIOS , CTO's and CEO's be allowed to sell company stock once they know that there is security breach or a vulnerability ? Who watches them and ensures compliance ? Are the current laws against insider trading enough ? All such questions that need to answered sooner or later. ..


References:
https://en.wikipedia.org/wiki/Speculative_execution
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
https://meltdownattack.com/
https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html


Security Vulnerability in McDonald's India allows hackers to access Customer data

 
If you are from India and have ordered Burger in McDonald's, your personal details are at risk.

Security researchers from  Fallible found a serious vulnerability McDonald’s India application that allows hackers to access millions of customer data.

There is no authentication or authorization check in API used in the application.   Sending request to "http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile" with customer id in the header allows to access customer details.

The customer id is a sequential number.  All an attacker needs to do is create a script and increase the number to dump all customer data.

"The lack of strong data protection and privacy laws or penalties in India, unlike the European Union , United States or Singapore has led to companies ignoring user data protection" The researcher said.

"We have in the past discovered more than 50 instances of data leaks in several Indian organizations." The researcher said.

The vulnerability allows attackers to obtain name, address, email address, phone number,  Date of birth, GPS Co-ordinates and social profile details.

The researchers reported the issue to McDelivery on 4th February, 2017.  After few days(13th Feb), they received an acknowledgement from the McDelivery IT Manager.  From 7th march,  Fallible tried to contact the McDelivery to know the status.  However, there is no response from their side.  The bug is still not fixed, at the time of writing.

In Jan 2017, a researcher Tijme Gommers found two critical bugs "an insecure cryptographic storage vulnerability" and XSS in McDonald.

Hackers could easily bypass SBI's OTP security

One Time Password (OTP) has become the new security feature on most of the websites, including the banks. This feature allows a user to make online transactions after the identity of the customer is verified by putting the OTP password sent to the registered mobile number from the bank. But who knew this security feature could be easily bypassed and lead to huge loss of money.

A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards shared his research on how he could easily bypass the OTP of one of the most popular bank, State Bank of India (SBI) and could make the transaction with any amount.



While making a transaction, the last page of SBI’s website shows a One Time Password screen where there is a parameter called ‘smartotpflag is set to Y i.e. smartotpflag=Y’.


Smartotpflag parameter is used to generate OTP, and Y represents ‘yes’ to send the code to the registered mobile. However, the risk factor arises if someone changes ‘Y’ to ‘N’ which means ‘No’. The transaction then will be completed without entering the OTP.


Though after Edwards discovery, the vulnerability was patched but it was highly disappointing that the person who could have easily benefited from this vulnerability, but choose not to, was neither rewarded nor acknowledged for his work.

The press too could not make this important news to the papers, thus keeping the public in dark and keeping the discoverer from any achievement.

The POC Video:
https://www.youtube.com/watch?v=2kYm1G2jBcM

DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81,000 of top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through short for secure sockets layer version 2 (SSLv2).

The vulnerability allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third-parties being able to read the communication.  It allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.

In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.

Though a fix has been issued but it will take time for many of the website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

Researcher discovers flaws in Telekom’s server


Ebrahim Hegazy, an Egyptian researcher, has found another vulnerability that affected the Web servers of Deutsche Telekom, Germany's biggest telecommunications provider.

He discovered the bug on the telekom.de website, on one of the subdomains that displayed a generic landing page. The subdomain umfragen.telekom.de translates to suggestions.telekom.de, and seems to be an abandoned Web page left behind from previous site iterations.

According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
The researcher said that the vulnerability was the most basic example of Remote Code Execution (RCE) vulnerability that allows attackers to gain full control of a Web server just by pinging its ports and open connections with malicious requests.

Having brute-forced the URL, Hegazy came across an upload.php file. The researcher built a tool called Pemburu for pen testing.

He managed to find the URL, which the upload.php file sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php. This allowed Hegazy to take a closer look at the code.

He came across a mechanism that acquired user input from the HTTP POST request without sanitizing it in any way and then attached the data as parameters to the PHP system function.

This particular function is modeled after the system function in C and allows PHP developers to execute shell commands from inside their PHP app and retrieve the results. Generally, it's considered a good practice not to use this function on any front-facing Web server.

He reported about the flaw to the telco's security team. The flaw has been patched.


As per a report published in Softpedia said that his research was carried out as part of the company's bug bounty program and received a €2,000 / $2,150 reward.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts



Most of us prefer to keep money at our bank accounts than to keep at home as we believe that banks are safer in comparison to our homes. But, you must get panicked, once you read a blog post by Sijmen Ruwhof, Freelance IT Security Consultant and an Ethical Hacker.

He has published a bank review entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes”  in which he revealed that any hacker could easily get into the website of Danske Bank, one of the largest banks of Denmark, and get access to the users accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August when he got intrigued with the idea of testing Bank’s security while interacting with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

During the interacting program, security experts and Whitehat hackers were disappointed with the terrible security implementations adopted by many Danish Banks.

“I opened up the Danske Bank’s website and was curious to see how the HTML code looked like, so opened the code of the customer login screen of the banking environment. I strolled thru the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away. Really wondering what kind of secrets it contained,” he added. I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that he could see IP address of a probable customer via variable HTTP_CLIENTIP while visiting Danske Bank’s website. Similarly, HTTP_USER_AGENT contains an operating system and web browser details.

He warned that variable HTTP_COOKIE was visible and full of information; credentials of a customer could be hijacked in a very few time.

According to the researcher, Danske Bank doesn’t use a secure HTTPS connection to transport customer banking traffic; as variable HTTPS was OFF and SERVER_PORT carried value 80. The bank is still using COBOL code on their backend; for (Customer Information Control System) CICS and Database handling.

However, the good news is bank has patched all the vulnerabilities only after the researcher had uploaded his findings on his blog.

Starbucks fixes critical flaws that could allow an attacker to steal users’ credit-cards



Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit-cards and perform Remote Code Execution.

“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.

According to the researcher, Remote File Inclusion Vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to able to perform:

         -  Code execution on the web server.

          - Code execution on the client-side such as JavaScript which can lead to other    attacks   such as cross site scripting (XSS).

         -  Data theft/manipulation via phishing attack to steal users accounts that contain Credit cards and payment orders information.

The researcher started his research a year ago when there was a Zero-Day for Starbucks about iOS Mobile Application and "Insecure Data Storage" vulnerability was detected.

While he was searching about Starbucks hacking news he found another vulnerability two months ago which allowed the attackers to steal Starbucks users gift cards and duplicate funds on Starbucks gift cards.

“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion lead me to take a look on Starbucks  looking for a vulnerabilities in Starbucks until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.

However, Starbucks confirmed that it has fixed the vulnerabilities.

Apple claims to have fully fixed a critical iOS Airdrop vulnerability, which researcher says it doesn’t


Some days ago, Mark Dowd, a security researcher, discovered a critical flaw in iOS 9 that allows an attacker within Bluetooth range of an iPhone to install malicious apps using the Airdrop filesharing feature.

A report published in Ars Technica confirms that after that, the researcher privately reported it to Apple.

Then, Apple released a press statement on Wednesday informing that the vulnerability has been mitigated in iOS 9.

However, the researcher did not stop his research and revealed that the bug still hasn't been fixed.

The mitigations available in Wednesday's release of iOS 9 are one more benefit that security-conscious iPhone users should consider when deciding whether to install the update.

The researcher exploited a directory traversal flaw that allows attackers to write and overwrite files of their choice to just about any file location they want.

The researcher used an enterprise certificate that Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones.

During his research, his technique installs did not generate a dialog that warns the end user that the app is signed by a third party and asking for approval to proceed.

“Another method for bypassing iOS code-signing restrictions would be to combine my Airdrop hack with jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS,” he said.

He posted a video to show how thw bug allows attackers who briefly have physical access to a vulnerable iPhone or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.

Security Bug allows Hackers to take Control of Curiosity Rover's OS


Serious security flaws has been discovered in VxWorks, a real-time operating system made by Wind River of Alameda, California, US, in 1987. The OS is used from network  routers to critical instruments like NASA's Curiosity Rover on Mars and Boeing 787 Dreamliners.

A Canadian researcher Yannick Formaggio presented a detailed significant flaw in VxWorks at 44Con, an information security conference in London. He said that, "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few." Formaggio added, "In this age of IoT, the issue will have a widespread impact."

The researcher discovered the flaw after an Istuary client requested about the understanding of the critical  infrastructure industry.

The flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."

One of the another major finding of his research was that the “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

The current version of VxWorks is 7, Versions 653 has the problem, which might have affected many millions of devices and they need to be patched. Wind River has acknowledged the flaw and is in the process of providing patches.

WhatsApp fixed a security flaw that could allow attackers to Hack WhatsApp accounts


Hey people! In order to make sure you are protected, update your WhatsApp Web right now.

Kasif Dekel, a security researcher at Check Point, discovered significant vulnerabilities that exploit the WhatsApp Web logic, allowing attackers to trick victims into executing arbitrary code on their machines .

“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malwares,” the researchers wrote in a blog.

As per the researcher, in order to target an individual, the attacker needs is the phone number associated with the WhatsApp account.

According to Kasif, WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.

While doing the research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file. This means, once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.

The researcher said that they were surprised to find that WhatsApp failed to perform any validation on the vCard format or the contents of the file, and when they crafted an exe file into this request, the WhatsApp web client happily let us download the PE file in all its glory.

WhatsApp verified and have deployed deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client.

Researchers discover flaws in Kaspersky and FireEye

Researchers have disclosed flaws in products from antivirus software vendors like Kaspersky and FireEye that could be exploited by malicious hackers.

Tavis Ormandy, a security researcher at Google’s Project Zero team, made the vulnerabilities public by tweeting about the successful exploitation Kaspersky's anti-virus product in such a way that users could find their systems easily compromised by malicious hackers.

Ormandy last night tweeted, “Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I'll triage the remaining bugs tomorrow.”

Earlier, he tweeted, “Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I'll triage the remaining bugs tomorrow.”

According to a news report published in Graham Cluley, one has to question the timing of Ormandy's announcement just before a long holiday weekend in the United States, which clearly makes it difficult as possible for a corporation to put together a response for concerned users. I supposed we should be grateful that he at least ensured that Ryan Naraine, a reporter at Kaspersky's Threatpost blog, was cc'd on the announcement.

“None of this, of course, is to say that the vulnerability doesn't sound serious, and Kaspersky would be wise to investigate and fix it at the earliest opportunity. Ideally vulnerabilities should be found by a company's internal team, or ironed out before software ever gets released. And it's better that someone like Ormandy finds a flaw rather than a malicious hacking gang,” the news report added.
At the same time, Kristian Erik Hermansen, another security researcher, revealed that he had found flaws in FireEye's software.

As CSO reports, Kristian Erik Hermansen has disclosed details of a zero-day vulnerability, which - if exploited - can result in unauthorised file disclosure.

He published proof-of-concept code showing that how the vulnerability could be triggered, and claimed that he had found three other vulnerabilities in FireEye's product. All are said to be up for sale.


"FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network," Hermansen said. Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security "experts" at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process."

Mozilla patches severe vulnerabilities in its Bugzilla bug tracking system


Mozilla confirmed on September 4 that an attacker, stole its security-sensitive vulnerability information from its Bugzilla bug tracking system and then he got accessed to information about unpatched zero-day bugs.

However, Mozilla has now patched all the flaws that allowed the attacker to get the accessed. Similarly, the company concerned said that it would take its own security more seriously than before.

It is also said that the attacker used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday.

“The attacker acquired the password of a privileged Bugzilla user, who had access to security­sensitive information. Information uncovered in our investigation suggests that the user re­used their Bugzilla password with another website, and the password was revealed through a data breach at that site,” Mozilla said in an FAQ on the breach.

The one bug that was exploited in the wild was used to collect private data from Firefox users who visited a Russian news site.

The attacker accessed approximately 185 bugs that were non-public. Among them, 53 were said to be severe vulnerabilities. Mozilla claims that 43 of the severe flaws had already been patched in the Firefox browser by the time the attacker accessed the bug information. That leaves 10 bugs that the attacker had access to before they were patched, and that's where the potential risk to Firefox users lies.

“The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013,” the company said.

The company said that during its investigation it found out that the user re­used their Bugzilla password with another website, and the password was revealed through a data breach at that site.
Firefox security lead Richard Barnes detailed what Mozilla is now doing to improve Bugzilla's security.

"We are updating Bugzilla's security practices to reduce the risk of future attacks of this type," Barnes wrote. "As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication."

Ola leaks personal information of its customer, claims a girl

A girl from Chennai claimed that OlaCabs, famous as Ola, a mobile app for personal transportation in India, had sent personal information of more than 100 customers to her via SMS.

Swapnil Midha posted on Facebook that the Ola, which started as an online cab aggregator in Mumbai, now based out of Bangalore and is among the fastest growing businesses in India, leaked personal details such as mobile numbers, locations of users.

However, the company regarded it as a technical fault and confirmed that it has been fixed now.

“About three weeks ago, I booked an Ola cab for a long distance drive. After the ride I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed,” she wrote on Facebook.

She added, “My phone beeped throughout the night. 1:06, 2:34, 2:37, 2:38, 4:05, 5:17. I couldn't get my head around why these were coming at these times. I then called their call centre the next day to explain that there was probably some sort of bug and my number had somehow gotten into their highly cryptic message transmission systems, whatever secrets they were trying to transmit.”

Although, the Ola assured her to fix the problem soon, she had been receiving SMS after SMS. She received text between 300 and 400.

“I received no further communication from them, no update, no email, just more garbled messages,” she explained. I reached out to them through every channel possible. I called their call centre at least 5 times, demanded to speak to the senior managers, and had to explain my problem each time in great detail, answering the same annoying questions.”

She said that the company shared personal details of their customers throughout the day and throughout the night.

“What scares me the most, is that THIS should be their number one priority. I questioned their lack of concern for privacy and data protection. I threatened to report them to the authorities and TRAI. Nothing seemed to work which makes you think - do they even care about protecting customer information? If they are sending all this to me, who are they sending MY booking details to? Whose number is receiving all of my data? Which creepy criminal knows my full name, my mobile number, my door number, my account details, when I'm home and when I'm out?” she added.

The girl has raised a serious question which the company concerned need to answer as soon as possible. If this, one of the most trusted companies like the Ola does such careless, what do we expect from others?  

PayPal fixes serious vulnerability in its domain

Photo Courtesy: Security Down

A serious flaw in PayPal Holdings Inc, an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fullfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behave of users or even transfere the users fund to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and alter the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in Yahoo domain last year, reported about the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.


After that, the company concerned awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities. 

Samsung smart Fridge vulnerability can expose Gmail Credentials, says experts

(PC- google images)
A recent update by a team of security researchers have identified potential threat to gmail credentials via the Samsung Smart Fridge.

A ‘Man in The Middle’ (MiTM) vulnerability was discovered during an IoT(Internet of Things) hacking challenge in a recent DEF CON conference. Samsung’s RF28HMELBSR smart fridge was targeted for the confirmation of the potential credential breach to gmail accounts. The fridge implemented SSL, it faces trouble in validating SSL certificates thus giving rise to MiTM vulnerabilities.

The Internet connected device has the ability to automatically download the Google calendar to an on-screen interface and the MiTM vulnerability facilitates the hacker to jump into the same network and steal gmail credentials of its neighbours.

Ken Munro, a security researcher at Pen Test Partners stated that "The internet-connected fridge is designed to display Gmail Calendar information on its display," and thus "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on" he added.

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."

While the research team failed to breach the software update server and the fridge terminal at DEF CON hacking spree, the mobile app had shown glitches that have potential security problems.

(pc- google images)
The coding in the mobile app contains a certificate that enables the encryption of credentials between the fridge and the mobile app. The certificate is correctly passworded, but the credential to the certificate appeared to be stored in the mobile app in an obfuscated form. So, if the codes of the certificates are broken down, it will allow the hacker to send commands to the fridge.

Pedro Venda of Pen Test Partners remarked “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds."

This fiasco has created a tensed atmosphere in the Samsung Headquarters. In an open statement, the company ensured that "At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”