Flaws in LTE can allow hackers to spoof presidential alerts

Last year, the United States performed the first public test of the national Wireless Emergency Alert (WEA) system, which is designed to send messages to smartphones, TVs, and other devices simultaneously. The test was specifically for the 'Presidential Alert,' a new category that, unlike AMBER alerts, can't be opted out of. It turns out these alerts can be easily spoofed, thanks to security vulnerabilities in LTE networks.

Researchers figured out a way to exploit the system that sends presidential emergency alerts to our phones, simulating their method on a 50,000-seat football stadium in Colorado with a 90 percent success rate.

A group of researchers at the University of Colorado Boulder released a paper that details how Presidential Alerts can be faked. An attack using a commercially available radio and various open-source software tools can create an alert with a custom message.

Why it matters: The Wireless Emergency Alert (WEA) system is meant to allow the president to promptly broadcast alert messages to the entire connected US population in case of a nationwide emergency. It can also send bad weather or AMBER alerts to notify citizens in a particular region or locality, which makes its reliable operation critical. However, exploiting the LTE networks it relies on can enable the transmission of spoofed messages, spreading misinformation and panic widely.

The researchers didn’t perform an actual attack on a live crowd at the stadium or on actual mobile devices, Eric Wustrow, a researcher on the paper, told Gizmodo in an email. The tests performed were instead done in isolated RF shield boxes, Wustrow said, “and our analysis of Folsom Field was a combination of empirically gathered data and simulation.”

First, alerts come from a specific LTE channel, so malicious alerts can be sent out once that channel is identified. Second, phones have no way of knowing if an alert is genuine or not. Adding digital signatures to alerts could potentially solve the latter problem, but the task would require device manufacturers, carriers, and government agencies to work together.

Mozilla advises its users to update their web browser to fix critical vulnerability

Mozilla has issued a warning to its users, asking them to upgrade their Firefox web browser after the company found critical vulnerabilities.

The company issued an advisory on Tuesday, 18 June 2019, detailing the security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.

The advisory describes the flaw as follows: “A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

It further read, “We are aware of targeted attacks in the wild abusing this flaw.” The company has marked the update as ‘critical’.

According to reports, the bug is classified as critical because it allows an attacker to remotely execute code on your machine without your permission.

The bug was spotted for the first time by Samuel Groß, who is reportedly a security researcher with Google Project Zero and Coinbase Security.

Security flaw in India Post server revealed by researcher

French security researcher Robert Baptiste who goes by Elliot Anderson on Twitter has been revealing cybersecurity flaws in the Indian scene for a while now. This time, he has reported a vulnerability on the India Post server that allows remote code execution.

Baptiste in fact reported this flaw on behalf of an Indian researcher who chose to remain anonymous because of the legal implications under Indian law.

The India Post subdomain digitization.indiapost.gov.in was vulnerable to an Apache vulnerability, CVE-2017-5638, which meant an attacker could run code on the India Post server, as shown below:

The flaw exposed employees' bank details as well as databases of sensitive information. He posted several screenshots of the files he was able to access by exploiting it.

He also revealed that he was not the first person to exploit the flaw, posting screenshots that show activity from almost a year earlier, on 14 April 2017.

The vulnerability has since been fixed, after which Elliot Anderson tweeted the details of the hack.

Hacker breaks into Telangana’s TSPost website, exposes flaw

Indian government sites are often criticized for their lack of cyber security and safety of people’s information. Pointing out a flaw in Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.

He reportedly contacted the site owners regarding the issue and after receiving no response for some time, published his results on social media.

The website (http://tspost.aponline.gov.in) was vulnerable to one of the most basic web hacking techniques, SQL injection. It has since gone offline in the wake of this news.

“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.

Using the SQL injection, Robert was able to access not just the Aadhaar and account details on the website but also the API keys of UIDAI’s Aadhaar database, access to which could let anyone capable enough build a fake Aadhaar app and upload it to the Google Play Store for malicious use.

This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.

Tinder flaw that let hackers break into accounts with just a phone number

According to a report by Anand Prakash of Appsecure, a specialised cybersecurity company, the firm discovered a vulnerability in the Tinder application that could let hackers access user accounts using just their phone numbers.

The flaw has reportedly since been patched by Tinder and Facebook, and there have been no reports of it being exploited so far.

The attack was possible by exploiting a vulnerability in Facebook's Account Kit service, which both the web and mobile applications use to log users in with their phone numbers.

Prakash said that just by knowing the phone number the user uses to login with, the attacker would have been able to gain access to their account “within seconds” and would gain full access to the account, including personal chats, information, and interaction with other users.

He reported this flaw to Facebook and Tinder and it has since been fixed, earning him a bounty of $5,000 and $1,250 from Facebook and Tinder respectively through their bounty programs.

Anand Prakash has so far earned more than $350,000 as a full-time bug bounty hunter, finding and reporting major security flaws to global companies.

Security flaw in uTorrent allows hackers remote access

Tavis Ormandy, a vulnerability researcher at Google and a part of Google Project Zero, a team of security analysts specializing in finding zero-day vulnerabilities, revealed on Wednesday a vulnerability in BitTorrent’s uTorrent Windows and web client that allows hackers to either plant malware on the user’s computer or see their download activity.

Google Project Zero published their research once the 90-day window that it gave to uTorrent to fix the flaw before publicly disclosing it was over.

According to Ormandy, the flaws are easy to exploit and make it possible for hackers to remotely access a user's downloaded files or plant malware on their computer, using the random token generated upon authentication.

He reported on Twitter that the initial fix that BitTorrent rolled out seemed to only generate a second token, which did not fix the flaw and said, “you just have to fetch that token as well.”

BitTorrent issued a statement on Wednesday regarding the issue:

On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).

Zero Day Telegram Vulnerability Exploited by Hackers for Cryptomining

Kaspersky Lab has revealed that in October 2017, it discovered a flaw in Telegram Messenger’s Windows desktop client that was being exploited “in the wild”. According to Kaspersky, the flaw has allegedly been exploited by Russian cybercriminals in a cryptomining campaign.

The Telegram vulnerability involves the use of an RLO (right-to-left override) attack when the user sends a file through the messenger.

The RLO Unicode character is primarily used to encode languages written right-to-left, such as Hebrew or Arabic, but hackers can use it to trick users into downloading malicious files. When an app is vulnerable to the attack, it displays a filename incompletely or in reverse.
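As an added example (not code from Kaspersky's report or the original article), the following Python shows how a right-to-left override makes a filename display differently from its real extension, and a defensive check that flags such names before they reach a user. The sample filename and the rendering approximation are constructed for illustration; the operating system picks a handler by the real code points, not by what is displayed.

```python
import unicodedata

# Unicode bidirectional control characters that can change how a filename is
# displayed without changing the bytes the OS uses to pick a file handler.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}


def true_extension(filename: str) -> str:
    """Extension taken from the actual code points, the way a file handler sees it."""
    parts = filename.rsplit(".", 1)
    return parts[1].lower() if len(parts) == 2 else ""


def rendered_name(filename: str) -> str:
    """Approximation of what a bidi-aware display shows: everything after an RLO
    (U+202E) is drawn reversed until a PDF (U+202C) or the end of the string.
    Other bidi controls are invisible and are simply dropped."""
    out, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == "\u202e":
            end = filename.find("\u202c", i + 1)
            end = len(filename) if end == -1 else end
            out.append(filename[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(filename: str) -> dict:
    """Flag a filename whose displayed extension could differ from its real one."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(filename) if c in BIDI_CONTROLS]
    shown = rendered_name(filename)
    return {
        "displayed": shown,
        "displayed_extension": true_extension(shown),
        "true_extension": true_extension(filename),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample: a .js file dressed up to look like a .png.
    sample = "holiday_\u202egnp.js"
    print(analyze_filename(sample))
    print(analyze_filename("report.pdf"))
```

A mail or chat gateway can quarantine or rename any attachment for which `suspicious` is true; the mere presence of a bidi control in a filename is the signal, since legitimate filenames almost never need one.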

Kaspersky has said that it seems that only Russian cybercriminals were aware of this flaw and were exploiting it — not to spread ransomware but cryptomining malware.

The attacks enabled cybercriminals to not just spread the cryptomining malware but also to install a backdoor to remotely control victims’ computers.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017,” read the report Kaspersky published on the flaw.

In the report, Alexey Firsh, cyberthreat researcher at Kaspersky, outlined several scenarios showing how the vulnerability was actually exploited.

He also wrote that Telegram was informed of this flaw and it no longer occurs in their products.

Amazon denies risk in Amazon Key — while it is working to fix it

Earlier this week, the anonymous researcher and Twitter user MG posted a video showing how Amazon Key, the company’s recently launched service that allows delivery staff to unlock a customer’s house and deposit items when no one’s home, can be used to disable a customer’s alarm system and break into their home using software.

After a failed attempt at disclosure with Amazon, which demanded to see a PoC and refused the possibility of any reward or payment, MG took to Twitter and uploaded the video showing how Amazon Key can be exploited by “anyone with a raspberry pie.”

Once the video was posted, Amazon finally reached out to him and is currently working on a fix to the vulnerability.

However, Amazon is still denying any risk associated with its product.

“The security features built into the delivery application technology used for in-home delivery are not being used in the demonstration,” said Kristen Kish, Amazon spokesperson.

She added that, “Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely re-locked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service.”

While MG is withholding technical details until Amazon has a chance to fix the issue, the video shows how a hacker can easily enter a house enabled with Amazon Key.

Amazon also told Forbes that the hack involves “disrupting Wi-Fi connections used by the Key system, not Amazon software. The Raspberry Pi does some as yet undisclosed deauthorization, which would indicate a disconnection between the various pieces of the Amazon Key setup.”

MG, in his report, questions this process.

“Why are you using low wage workers to be the last gate in a bad security model? How often has this process been audited for completion rates or holes?” he writes.

He is also concerned about the “fact that they require your house’s alarm to be turned off for a driver to use the Amazon Key without issue,” saying that Amazon doesn’t talk about the consumer use of the app either.

Schneider Electric reveals a flaw in its technology led to hack

Schneider Electric SE said in a customer advisory released on Thursday that the December attack that halted operations at an undisclosed industrial facility was caused by hackers exploiting a previously unknown vulnerability in its technology.

Schneider said in the notice that the vulnerability was in an older version of the Triconex firmware that allowed hackers to install a remote-access Trojan as "part of a complex malware infection scenario" and advised customers to follow previously recommended security protocols for Triconex.

Reports of the breach surfaced on December 14, when cybersecurity firms disclosed that hackers had breached one of Schneider’s Triconex safety systems and speculated that it was likely an attack by a nation-state.

The target of the attack has not been disclosed; however, the cybersecurity firm Dragos has said it occurred in the Middle East, and others have speculated it was in Saudi Arabia.

The attack is the first of its kind reported against this type of system.

The system itself is used in nuclear facilities, oil and gas plants, mining, water treatment facilities, and other plants to safely shut down industrial processes when hazardous conditions are detected.

Previously, Schneider had said that the attack was not caused by a bug in the Triconex system.

Schneider is reportedly working on tools to identify and remove the malware, expected to be released in February. The Department of Homeland Security is also investigating the attack, according to Schneider.

Gmail Android app flaw allows crooks to send emails pretending to be someone else

Beware, people! A bug in Gmail’s Android app would allow people with bad intentions to hide their identity and impersonate other people and organizations.

Yan Zhu, a security researcher, discovered the bug at the end of October; Google says it has since been fixed.

In order to stay safe, Gmail users should study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.

Email spoofing is nothing new: it lets attackers send an email that appears to come from another account while hiding their own address.

As per the researcher, the sender’s real email address would be hidden, and the receiver wouldn’t be able to reveal it even by opening the email and expanding its contents.

Zhu told Motherboard that she had changed her display name to yan “security@google.com” with an extra quotation mark.

She shared a screenshot of the mail with Motherboard.

According to Motherboard, DomainKeys Identified Mail (DKIM) signature digitally signs emails for a given domain and establishes authenticity.

When John Shier, a security enthusiast, examined a set of emails to discern whether they were phish or legitimate, DKIM was one of the clues that led him to conclude that one of the emails in question was genuine.

DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.

In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.

If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.
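The spoofing tell Zhu used (an address-shaped display name) and the DKIM alignment policy just described can both be checked mechanically. The following Python is an added example, not Google's or Motherboard's code: it parses a raw message, separates the display name from the real From address, flags a display name that embeds a different address, and checks whether any DKIM-Signature header's d= tag aligns with the From domain. It assumes the cryptographic DKIM signature itself has already been verified upstream by the receiving mail server; the sample messages are constructed, with placeholder signature values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches an email-shaped token inside free text (applied to the display name only).
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Pulls the signing domain out of a DKIM-Signature header's d= tag.
DKIM_DOMAIN_RE = re.compile(r"\bd=([^;\s]+)")


def analyze_sender(raw_message: str) -> dict:
    """Separate display name from real address and check DKIM domain alignment."""
    msg = message_from_string(raw_message)
    display, real = parseaddr(msg.get("From", ""))
    real = real.lower()
    from_domain = real.rsplit("@", 1)[-1] if "@" in real else ""
    # An address written inside the display name that differs from the real one
    # is the trick described above: the client shows the name, not the address.
    embedded = [a.lower() for a in ADDR_RE.findall(display)]
    lookalike = any(a != real for a in embedded)
    # Domains that signed the message (one d= tag per DKIM-Signature header).
    signed_by = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = DKIM_DOMAIN_RE.search(sig)
        if m:
            signed_by.append(m.group(1).lower())
    return {
        "display_name": display,
        "real_address": real,
        "embedded_addresses": embedded,
        "lookalike_display_name": lookalike,
        "dkim_domains": signed_by,
        "dkim_aligned": from_domain in signed_by,
    }


def verdict(raw_message: str, dkim_required_domains=frozenset({"ebay.com", "paypal.com"})) -> str:
    """'reject' when a domain on the must-sign list arrives without aligned DKIM,
    'suspicious' when the display name embeds a different address, else 'accept'."""
    info = analyze_sender(raw_message)
    from_domain = info["real_address"].rsplit("@", 1)[-1]
    if from_domain in dkim_required_domains and not info["dkim_aligned"]:
        return "reject"
    if info["lookalike_display_name"]:
        return "suspicious"
    return "accept"


# Constructed samples. Signature values are placeholders, not real signatures.
SPOOFED = (
    'From: "yan \\"security@google.com\\"" <yan@example.com>\n'
    "To: victim@example.net\n"
    "Subject: Account notice\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nPlease reply with your password.\n"
)
PAYPAL_SIGNED = (
    "From: PayPal <service@paypal.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel; h=from; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nYour receipt.\n"
)
PAYPAL_UNSIGNED = "From: PayPal <service@paypal.com>\n\nYour account is limited.\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("paypal signed", PAYPAL_SIGNED), ("paypal unsigned", PAYPAL_UNSIGNED)]:
        print(name, "->", verdict(raw), analyze_sender(raw))
```

The spoofed sample still carries a valid-looking DKIM signature for its real domain, which is why the alignment check alone is not enough: DKIM vouches for example.com, not for the name the client chooses to display, so the display-name check is what catches it.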

Hackers can Record Phone Calls on Modern Samsung Galaxy Handsets

Recent versions of Samsung Galaxy phones can have all their phone calls recorded using OpenBTS, a malicious base station.

Such base stations work as fake telephony towers; they are used for testing and debugging in laboratories.

Two German security researchers, Daniel Komaromy and Nico Golde, showed at the PacSec security conference in Tokyo, Japan, how base stations can easily fool Samsung Galaxy handsets into connecting to their network.

They used the latest versions of Samsung's Galaxy S6, Galaxy S6 Edge, and Galaxy Note 4 families. What these phones have in common is Samsung's line of "Shannon" baseband chips, which handle telephony features.

The attack becomes far more dangerous when the attacker uses the OpenBTS base station to push a malicious firmware update to the baseband chip.

This firmware is capable of rerouting all phone calls through a proxy, letting the attacker record calls and spy on victims without being noticed.

The researchers reported the technical details to Samsung's team, and the company has started work on a patch to fix the issue.

Several serious security bugs in Samsung Galaxy S6 Edge

A dozen flaws have been found by researchers from Google’s Project Zero in Samsung's Android operating system running on Samsung Galaxy S6 Edge smartphones.

However, Samsung claims to have patched most of the vulnerabilities.

As per the researchers, the flaws could allow an attacker to manipulate the privileges the device assigns to its apps and access the victim's emails, among other threats.

The research team reported the vulnerabilities to the company in late July, and eight of them were addressed by the vendor with its October maintenance release. The company has promised to patch the remaining three security bugs later this month.

Project Zero wanted to put the security of an OEM device to the test to see how it compares against Google’s Nexus, for which the Internet giant has started releasing monthly security updates.

“The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture. OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Project Zero researcher Natalie Silvanovich said in a blog post.

The researchers looked for three types of issues that can be part of a kernel privilege escalation exploit chain: gaining remote access to contacts, photos and messages; gaining access to such data from a Google Play application that requires no permissions; and using this access to persistently execute code even after a device wipe.

“Each team worked on three challenges, which we feel are representative of the security boundaries of Android that are typically attacked. They could also be considered components of an exploit chain that escalates to kernel privileges from a remote or local starting point,” Silvanovich said.

Among the eleven high-severity issues, the most serious is a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited to write arbitrary files on the system.

The email client installed on Samsung Galaxy S6 Edge devices is also plagued by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user’s emails to a different account via a series of intents from an unprivileged application. Another email client issue (CVE-2015-7893) can be exploited to execute arbitrary JavaScript code embedded in a message.

Google researchers also found issues related to drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892), and image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898).

“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich explained.

Critical Bug in GnuTLS library affects Linux and hundreds of apps

A critical error-handling bug (CVE-2014-0092) in the GNU security library GnuTLS affects hundreds of software packages, including those shipped by the Red Hat, Debian and Ubuntu distributions.

According to the Red Hat security advisory, a coding error in GnuTLS causes it to mishandle certain errors that can occur during verification of an X.509 certificate, with the result that it reports a successful verification.

"An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker," the advisory reads.

The bug lies in how the return value is handled in the verify.c file (https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b?diffmode=sidebyside). It appears the uninitialized variable "result" is causing the problem. There is also another coding error where the function returns the value of issuer_version when issuer_version is less than zero, instead of returning zero. And when result is less than zero, execution jumps to the 'cleanup' label instead of 'fail'.

Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team discovered this security flaw while auditing GnuTLS for Red Hat.

Users are advised to upgrade to the latest GnuTLS version (3.2.12 or 3.1.22) or apply the patch for GnuTLS 2.12.x.

Hackers can use Google Chrome to spy on your conversations

A security bug in Google Chrome allows hackers to use the computer's microphone to surreptitiously listen to your private conversations.

Normally, a website that uses speech recognition technology gets the user's permission to access the mic, Chrome shows an indication that speech recognition is active, and once the user leaves the website, Chrome stops listening.

Israeli developer Tal Ater found a security flaw in this system while working on a speech recognition library.

The problem is that once you grant an HTTPS-enabled website permission to use your mic, Chrome remembers the choice and will start listening in the future without asking permission again.

In a demo video, he showed how an attacker could leverage this functionality by launching a small hidden pop-up window that will start the speech recognition system.

Ater reported the bug to Google's security team in September 2013. His report has been nominated for Chromium's reward panel.

Security Bugs fixed: Wireshark 1.10.4 and 1.8.12 released

The latest Wireshark versions are available here. The new versions 1.10.4 and 1.8.12 add no special features compared to previous versions; however, multiple bugs have been fixed.

Three security bugs are fixed. The vulnerabilities exist in the SIP dissector, the BSSGP dissector and the NTLMSSP v2 dissector.

An attacker could remotely crash Wireshark by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

Besides the security bugs, several non-security bugs are also fixed in these versions, such as "Tx MCS set is not interpreted properly in WLAN beacon frame" and "Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses".


Hacked Verizon Femtocell allows hackers to spy on Phone calls made with iPhone & Android

Two security experts from iSEC Partners have found a way to spy on Verizon Wireless mobile phone customers by hacking into the devices the U.S. carrier sells to boost wireless signals indoors.

In a demonstration for Reuters, researchers Tom Ritter and Doug DePerry showed how they are able to spy on phone calls, messages and photos from iPhone and Android phones by using a Verizon femtocell they had previously hacked.

"This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people," Reuters quoted Tom Ritter, a senior consultant with the security firm iSEC Partners, as saying.

Verizon reportedly updated the software on its signal-boosting devices, known as femtocells or network extenders, to thwart hackers from copying the two experts' technique.

"The Verizon Wireless Network Extender remains a very secure and effective solution for our customers," a Verizon spokesperson said in a statement after the bug was fixed.

However, the researchers claimed their technique still works because they had modified the device before the company pushed out the software fix. The experts told Reuters that further details will be shared at two upcoming hacking conferences: Black Hat and DEF CON.

Security flaw in Samsung phones allows hackers to bypass Android lock screen

A security flaw in Samsung phones allows a hacker to bypass the lock screen, launch apps and dial phone numbers on a locked device. The vulnerability was discovered by mobile enthusiast Terence Eden.

To exploit this security flaw, the hacker activates the screen and presses Emergency Call, then presses the "ICE" button on the bottom left, holds down the physical home key for a few seconds and releases it. The home screen is then accessible and any app or widget can be launched.

The researcher tested this vulnerability against a Galaxy Note II N7100 running Android 4.1.2.

"This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed." Eden said in his blog post.

The researcher says he tried to contact Samsung regarding this vulnerability but has received no proper response.

Reflected cross-site scripting vulnerability in MTS Mobile website

Information security expert Narendra Bhati, from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official MTS website (mtsindia.com).

MTS group is an Indian mobile network operator headquartered in New Delhi, that provides wireless voice, messaging and data services in India.

The vulnerability exists in the website's search field: script injected into the search box is reflected into the page and executed.

For instance, injecting the following code in the search box will display the alert box:

    "><script>alert("E Hacking News")</script>
Narendra also found that the field allows a user to inject iframe code as well, so a hacker could potentially inject a phishing page to scam unsuspecting visitors:

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>
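For the defender's side of this report, here is an added Python example (not MTS's code) of the reflection pattern behind the flaw and its fix: the search term is written back into the page verbatim in one version and HTML-encoded in the other, the two payloads shown above are fed to both, and a small HTML parser lists which tags a browser would actually see. The page fragment and field names are constructed.

```python
import html
from html.parser import HTMLParser


def render_results_unsafe(query: str) -> str:
    """Reflects the search term verbatim: a quote and '>' in the term end the
    attribute and the tag, so any markup that follows becomes live HTML."""
    return f'<input type="text" name="q" value="{query}"><p>Results for {query}</p>'


def render_results_safe(query: str) -> str:
    """Same template, but the term is HTML-encoded for both attribute and text
    context (quote=True also encodes the double quote that ends the attribute)."""
    safe = html.escape(query, quote=True)
    return f'<input type="text" name="q" value="{safe}"><p>Results for {safe}</p>'


class TagCollector(HTMLParser):
    """Records the start tags a browser would parse from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def introduces_tags(render, query: str, expected=("input", "p")) -> bool:
    """True when the rendered page contains tags beyond the template's own."""
    return any(t not in expected for t in tags_in(render(query)))


# The two payloads reported above, used here as test input.
SCRIPT_PAYLOAD = '"><script>alert("E Hacking News")</script>'
IFRAME_PAYLOAD = '"/><iframe src="http://www.google.com" width=1000 height=1000></iframe>'

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, IFRAME_PAYLOAD):
        print("unsafe:", tags_in(render_results_unsafe(payload)))
        print("safe:  ", tags_in(render_results_safe(payload)))
```

Encoding at the point where the value is written into HTML is what closes the hole; the same `html.escape` call would not be sufficient if the value were later placed inside a JavaScript string or a URL, which each need their own encoding.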

One of Twitter's "Sign in" forms sends the password in plain text

Zohar Alon, the CEO of cloud security company Dome9, discovered a security flaw in Twitter's design: one of the 'Sign in' forms failed to use a secure connection and sent the password in plain text.

The main Twitter sign-in page uses a secure connection and encrypts login credentials to prevent hackers from obtaining the data. But the drop-down sign-in menu on the tweet details page failed to use an HTTPS (secure) connection.

Vulnerable Twitter sign in form

This means a malicious hacker can capture the login credentials by sniffing the victim's network traffic.

After being notified by The Next Web about this critical vulnerability, the Twitter security team addressed the issue; the sign-in form now uses HTTPS.
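An added example (not Twitter's or Dome9's code) of how to audit a page for this class of mistake: the Python below parses the HTML, finds every form that contains a password field, resolves its action URL against the page URL, and reports the ones that would submit over anything but HTTPS. The page fragment and URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    """Collects every <form> that contains a password field, with its resolved action URL."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action is resolved against the page URL,
            # so a form on an http page with action="/login" is still http.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(markup: str, page_url: str) -> list:
    """Action URLs of password-carrying forms that would not submit over HTTPS."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(markup)
    auditor.close()
    return [f["action"] for f in auditor.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed page: a secure login form, a harmless search form, and a second
# login form (like the drop-down menu described above) posting over plain HTTP.
SAMPLE_PAGE = """
<form action="https://example.test/sessions" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="/search" method="get"><input name="q"></form>
<form action="http://example.test/sessions" method="post">
  <input name="username"><input type="PASSWORD" name="password">
</form>
"""

if __name__ == "__main__":
    print(insecure_password_forms(SAMPLE_PAGE, "https://example.test/status/1"))
```

The check only looks at the form's action; a page served over HTTP can itself be rewritten by an on-path attacker, which is why the scheme of `page_url` matters as much as the scheme of the action, and why a relative action inherits it.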

Google Webmaster Tools security flaw gives unauthorized access to old accounts

A security flaw in Google Webmaster Tools resulted in old user accounts automatically being re-verified and given access to sites they should no longer have access to.

Google Webmaster Tools is a Google website that helps website owners manage how their site appears in Google, diagnose problems, and optimize traffic.

According to the Search Engine Journal report, users are finding themselves with sudden access to accounts they once had access to but no longer should, i.e., ex-employees or even contractors and the like.

webmaster tools security flaw

"For those not aware of the seriousness of this apparent breach of security," the Search Engine Journal report reads, "the rub is, there’s simply no guarantee those granted renewed access won’t do something malicious. Not only could past access holders change key elements, but spying on the competition for larger entities is definitely a possibility."

"That bug is presumably giving a lot of power to individuals that shouldn’t have it — power to deindex, disavow links, unverify the current/legitimate webmaster’s access, and even redirect sites to other verified domains in the user’s account. It also reveals a lot of link, search, index/crawl and other data to users that shouldn’t be able to see those things." The Search Engine Land report says.

Google fixed the bug several hours after the issue surfaced.